Risk Culture – a regulator’s view | KPMG | IE

Why is the cultural agenda so important?



KPMG in Ireland


A key to understanding why things go wrong in financial institutions, as in all organisations, is to understand the norms and expectations within organisations as to what is normal. Over the past year, the Central Bank, along with other supervisory agencies worldwide, has been focusing on cultural awareness as part of its normal supervisory activity, including a consideration of an institution’s risk culture through continuous assessment meetings, risk management and governance reviews and inspections. Indeed, the Central Bank has recently conducted themed inspections examining “behaviour and culture” at local banks, along with actively inspecting banks’ compliance with the internal governance guidelines set out by the European Banking Authority in its GL44 paper.

“Culture” within an organization relates to its people, its performance, individual beliefs within the organization and its leadership. It encompasses risk culture which addresses the articulation, communication, measurement and management of risk. But it also separately takes into account conduct risk which seeks to identify and address risk in product design, sales practices and behaviour which may have an impact on customers. 

There is a recognition now that culture is integral to everything. The financial crisis of recent years highlighted poor risk management practices and clear weaknesses in internal control structures, but it also highlighted deficiencies in many financial institutions’ attitudes towards risk. An assessment of risk culture is thus a core component of the cultural awareness agenda.

How do regulators assess risk culture?

Financial Stability Board (FSB)

The global regulatory body, FSB, was the first agency to draw attention to this topic. It defines risk culture as “an institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.” The FSB articulates the view that risk culture shapes the values and beliefs which govern how individuals within an institution behave, how they perform their roles, how they take decisions, how they assess risk and do the ethical thing to ensure they operate in a safe and sound manner, and as such is bespoke to each organization.

From a supervisory perspective, the FSB’s Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture published in April 2014 is the main reference document. The FSB states that a sound risk culture will support appropriate risk awareness, behaviour and judgments about risk taking. The FSB does not define a target risk culture but rather gives regulators guidance on how to identify the risk culture within an institution.

The FSB indicates that a sound risk culture is one that:

  • has an appropriate risk/reward balance consistent with risk appetite when taking decisions
  • has an effective control environment
  • allows the quality of the risk models, data accuracy etc to be challenged
  • ensures all risk breaches are followed up with proportionate disciplinary actions

European Central Bank (ECB)

The idea of an appropriate risk culture in banks is also a theme with the ECB, and its approach to this topic is hugely informed by the FSB’s framework paper. Risk culture features prominently in its document ‘SSM supervisory statement on governance and risk appetite’ published in June 2016, which states the expectation that a strong risk appetite framework will help build a sound risk culture.

The ECB focuses on four main areas:

  • Board and senior management: acting with integrity should be promoted from the very top level of management, core values should be defined and the organisation should develop an openness to challenge as well as a consistent tone throughout the bank
  • Staff accountability: the bank must ensure staff are capable and it is clear who is individually accountable for their actions with respect to the bank’s risk profile. There must be clear delineation of roles and responsibilities for the control functions versus the business lines
  • Communication: is the bank encouraging open communication and adequate challenge? This should be evidenced in board minutes. Is there evidence of adequate horizontal and vertical sharing of information? Do appropriate whistleblowing procedures exist without unfair reprisals on employees?
  • Remuneration and incentives: do annual performance reviews, remuneration and career paths reflect an appreciation and active promotion of the bank’s core values and risk culture?

Central Bank of Ireland

In June 2016, the Central Bank’s Head of Credit Institutions Supervision, Ed Sibley, referred to the cutting-edge techniques of the Dutch regulator in assessing culture and indicated that the Central Bank, in its ‘behaviour and culture inspections’ of banks, would be seeking answers in relation to:

  • What influence, positive or negative, do individual actions and group dynamics have on the financial performance, integrity and reputation of an institution? 
  • Which facilitating or restraining role does the institution’s prevailing culture play? 
  • Which measures are necessary to mitigate the risks related to human behaviour as much as possible?

In essence the risk culture allows regulators to assess the soft side of the risk management framework while the risk appetite framework provides the metrics and more quantitative evidence of the firm’s approach to risk taking. Regulators are trying to ensure that risk culture is a driver of the strategy and not the other way round.

What do financial institutions need to consider?

The problem facing financial institutions across the various sectors is that “culture” is a nebulous concept, not to mention a subjective one, far removed from concrete regulatory issues such as solvency, credit risk modeling and risk weightings.

Any culture is a mixture of formal and informal practices, so the question arises: how can a financial institution embed a risk culture and how can it assure itself that its risk culture is adequate? Ultimately boards will need to embrace this concept and ensure that the correct tone from the top is set. Understanding supervisory expectations and turning them into concrete metrics or deliverables is the challenge. Risk and compliance functions, along with senior and middle management, will need to drive this agenda to ensure that it meets supervisory expectations and that the risk culture is deemed adequate and supportive, with internal audit playing a role in continuous assessment.
