Your weakest link? Is a flabby risk culture undermining robust risk management in your business?
A strong risk culture is increasingly a regulatory requirement. But how well does your organisation measure up? Discover key steps for building better risk management behaviour across your business.
Is your organisation the type of place where people only want to hear good news? If so, that’s bad news for your business. Firms that are unwilling to identify or escalate risk issues ultimately leave themselves with dangerous blind spots.
A robust risk culture is no longer a ‘nice to have’: many regulators now insist on it, and the buck stops with the board. After all, a good risk and conduct culture doesn’t maintain itself. If your board and senior management cannot adequately answer the following four questions, you need to take action, fast.
Many firms struggle with spelling out exactly what’s expected of people on the front line. At the same time, meaningful data about risk culture performance may end up not being escalated. All executive committees and boards should therefore ensure people throughout the firm know exactly what they should be doing and how, through regular communication and a constant review of management information about the organisation’s risk culture.
Poor compliance training and a lack of behavioural controls can create blind spots. You need a behavioural policy framework, supported by a clear steer on what is and is not acceptable, sophisticated training and a visible link to performance and reward.
Senior managers may well tell a good news story about their values and culture, but this may be directly contradicted by logs showing front line behavioural breaches and a growing number of customer complaints. If you see a pattern emerging of behavioural problems and this type of customer complaint, it is a strong warning signal that your firm lacks sufficient risk controls – or even that certain types of behaviour are being rewarded.
It’s vital your employees understand what risk-laden behaviour is and how best to respond. This is particularly important for new areas such as technology risk, from business continuity to cyber-crime. All too often, compliance and risk functions are just fire-fighting, rather than scanning the horizon to understand any major new risks emerging. Firms should, for example, help their technology teams become risk-aware and able to manage risks. Many heads of technology do not have deep risk management skills; firms therefore need to take a hard look at their competency framework, recruiting strategy and performance management.
It’s no longer possible – or acceptable to regulators – to say, ‘it’s impossible to measure culture’. On the contrary, many firms are now coming up with frameworks to assess, measure and challenge their existing culture. They do this by referring to conduct data, customer feedback and behavioural policy compliance.
They’re also moving beyond the old qualitative engagement scores drawn from staff surveys and on to sophisticated people analytics. That allows them to do everything from adjusting reward to reflect behaviour, to applying what they know about the predictors of major behavioural events such as rogue trading.
There’s a fine balance to strike between a control culture that stifles innovation and one which supports the right decisions in ethically ambiguous territory.
But the focus on culture and risk management isn’t going away. Firms that adapt fast will be far better placed than those that haven’t yet woken up to the urgency of these issues.
The answer? To be unequivocal and unrelenting in terms of your behavioural expectations of staff, so that an effective risk culture becomes second nature throughout your entire organisation.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.