Resilience under pressure - RiskMinds Q4 2019 eMagazine
Last year we celebrated 25 years of RiskMinds International, but this year is no less extraordinary. We're delighted to be joined by even more risk...
Resilience under pressure
Meet the challenges of the new decade
Live from RiskMinds International
Last year we celebrated 25 years of RiskMinds International, but this year is no less extraordinary. We're delighted to be joined by even more risk leaders and experts. Great RiskMinds don't think alike, which is why it's so special to us that over 750 members of the risk management community are present. Together we can meet the challenges of the next decade.
We wanted to celebrate excellence and recognise leadership, innovation, and cultural change in risk management. That's what Tuesday's RiskMinds Awards is all about.
With this magazine, we wanted to provide you with guidance on what is happening at RiskMinds International at all times. We would hereby like to thank the members of the RiskMinds community who shared their comments and expertise with us - not only in this magazine, but throughout the year on RiskMinds365.com. On the next page, you will find the results of our annual CRO survey, and we hope that the articles will provide you with new insights and help you get the most out of RiskMinds International.
Enjoy the conference and remember to visit RiskMinds365.com for year-round thought leadership in risk management.
Vincent Beard, Editor, RiskMinds International
7 risks that keep CROs up at night
A 4-step formula to enhance your risk defences
by JF Bureau, Senior Vice President and Chief Risk Officer, PSP Investments
Transforming risk efficiency and effectiveness
Ethics & AI: Knowing the boundaries
by Lisa Bechtold, Head of Data Risk & Digital Policy, Zurich Insurance Group
Reflections on climate financial scenario analysis
by Gaurav Ganguly, Head, Group Risk Economics, HSBC
Revisiting risk culture in financial institutions
by Elizabeth Sheedy, Professor, Macquarie University Business School
7 risks that keep CROs up at night
The results of our annual CRO survey
Which risks are the riskiest of them all? We asked CROs what keeps them up at night, and the results are in!
The job of the Chief Risk Officer is unique, and thus uniquely challenging. Not only do CROs need to be proactive in identifying new risks, but the role requires CROs to be credible business partners with considerable influence over the board and C-suites while also embodying a walking lexicon of all risks.
“Leading the risk function in a business with a significant year on year growth trajectory and rapidly expanding geographic business model and product diversity is very exciting”, a CRO told us. “But it brings the continuous challenge of identifying, evaluating and mitigating or accepting material, and often new risks.”
So when we asked CROs what keeps them up at night, naturally, they had a hard time picking just one. However, key issues have emerged, and here’s what CROs had to say about them.
More than half of the CROs we spoke to are concerned about cyber risk – “high probability, high impact risk that remains difficult to manage”.
Large parts of banks’ IT systems are legacy old or provided by third party providers, which increases their vulnerability to cyber risk. Recent events on high profile data breaches, ransom demands, DDoS attacks and other hacks threatened some banks’ operations, customer and bank details, and questioned the banking industry’s readiness to cope with the new digital agenda. Cyber risk can result in significant costs or reputational losses for banks and can even have systemic consequences.
“Economies are very interconnected”, a CRO reminded us, which is why so many Chief Risk Officers are worried about the changing landscape.
We cannot assume the same underlying processes as we always have. While there may be opportunities, currently there is great uncertainty about what new paradigm or equilibrium will be established – if at all –, and when. In the intervening period of disruption and disequilibrium, things are very unstable.
“This influences all other forms of risk in the end, and we have seen that states are more and more inclined to implement policies that may help (part of) their industry but may not play out well for other countries. Think of regulatory race to the bottom, unsustainably low interest rates, or supportive policies that distort competition. All this helps to raise the geopolitical risk. Any disruption to the existing multilateral framework will not go without friction, but we see that this order is challenged on multiple fronts. Enough reason for concern.”
The rise of populism signals clearly that “people’s aspirations have altered fundamentally”, and socioeconomic risk in certain markets is a big challenge for CROs.
Emerging risk: climate change
The World Economic Forum’s 14th Edition of The Global Risks Report 2019 puts 5 different types of environmental risks into its top 10 list in terms of likelihood and in terms of impact, so it’s no wonder why climate risk, “the least understood risk”, is so high on CRO’s agenda.
The risks of climate change have the potential to truly alter the world and therefore pose a significant risk to all businesses. The risks from our direct impact on the environment as a business are more easily managed as they are more visible and easier to measure. The risks associated with a collective response, or lack of response, are far more concerning.
As the environment in which we work in is becoming destabilised, operational risk is rising.
A multitude of factors here are converging: digital adoption is well underway, changing key processes and customer journeys, and the marriage of new systems to legacy ones. Meanwhile we are using more 3rd parties than ever before, which increases IT resilience, data and conduct risks. Lower rates for longer means the cost reduction agenda is stronger than ever, which adds to the risk that the control environment is weakened.
Relating to operational risk, some CROs are also concerned about strategic risks: the sustainability of the current business model, and the safe and successful adoption of new technologies.
Although not at the forefront of CROs’ concern, credit risk remains challenging “given deteriorating local and global economic conditions”.
As a CRO of corporate business I don’t stop thinking about credit risk day or night. Tough competition in the corporate lending market and declining margins lead to the desire and willingness of our business team to work with riskier clients and projects. For the risk management team, maintaining business within the limits of the bank’s risk appetite becomes a more and more difficult task every day.
Business and market risk
Like credit risk, business risk is also amplified by the geopolitical tensions. The show must go on though, and the focus on profitability has not changed.
"We are currently seeing the widespread mispricing of assets and misallocation of resources across global financial markets as a result of persistent negative interest rates. Those are a result of monetary policy running out of steam as an economic stimulant. The various non-standard measures by central banks (e.g. quantitative easing) have mostly limited the damage rather than stimulated growth. The economic malaise that afflicted Japan for decades now seems to be developing across many other advanced economies.
These effects, coupled with highly skewed distributions of wealth, are causing some commentators and politicians to question the fundamental stability of the capitalist model itself, and ideas like “Modern Monetary Theory” seem to be gaining political traction."
The European Central Bank’s move (further) into negative rates also hinder the cause, while operations are becoming more expensive.
Large amounts of dry powder in the private equity (PE) market create a competitive environment, resulting in high prices, characterised by elevated multiples, applied to EBITDA with significant adjustments. Although there appears to be sufficient equity cushion in deal structures, said cushion may not be there should valuation metrics (EBITDA adjustments and/ or multiple) be reduced to historical levels. Furthermore, to generate expected equity returns, investors paying an elevated price need to utilise high levels of leverage. As such, the leveraged loan market has increased significantly in recent years and is another driving force of the competitive environment.
The pressure to digitise is very real, and while banks and financial institutions are adapting, they tend to do so “without necessarily understanding the new risk paradigms”.
The lack of investment will likely be punished severely in the future, as the speed of service delivery or cost inefficiencies lead to continued pressure on market share and revenues.
This gets even more complicated when we throw in fintech companies into the mix.
Right now, what keeps me awake at night is the constant stream of start-ups who claim that they have “solved” the problem of assessing credit risk with data. With technology and a “secret sauce” they can now lend further down the risk curve without worries of bad outcomes for customers or financial losses for lenders. The benign economy over the past decade and the potential changes to that position is looming on the horizon, and even the most short-sighted seem to overlook that.
There’s even more competition from the big tech companies, in particular Facebook which is entering the world of finance with Libra.
This is only a snapshot of what even goes on in CROs minds at one point in time, but truly understanding the connections between these risks is the key challenge that CROs face on a daily basis.
A 4-step formula to enhance your risk defences
JF Bureau, Senior Vice President and Chief Risk Officer, PSP Investments
Most organisations strike a balance between their first line of defence and the second line of defence. However, we should be wary not to overlook the relationships between these groups and their contributions to a strong risk management framework. In this article, JF Bureau, Senior Vice President and Chief Risk Officer, PSP Investments, explores the four elements that are key to a more integrated approach for managing risks.
At the Public Sector Pension Investment Board (PSP Investments), we devised a four-step formula that has strengthened the relationships between our first and second lines of defence to ensure an integrated approach to managing the full spectrum of risks. It contains four tenets which can be applicable to any organisation: the human factor, the “X” factor, a strong corporate culture, and a data filter function.
The human factor
Our employees, in conjunction with management, are our first and main line of defence for a reason. With the right training on how to identify and escalate risks, and a workplace culture that supports speaking out, they are likely to be the first to identify an issue.
An important factor is clear communication to the first line of their role within the three lines of defence model and in managing risks. Additionally, establishing a clear process to escalate issues allows for rapid identification and management. It also ensures the relevant groups and management are aware of issues in a timely manner, leading to greater transparency and faster analysis and response. An additional benefit is that employees who feel empowered to identify and escalate issues have a sense of accountability where risk management becomes imbedded in their daily activities. Validate employees who escalate information. Organisations who do so create a workplace environment where people feel comfortable and naturally inclined to report and escalate risks.
The culture club
The role of workplace culture is pivotal in empowering our first line and ultimately in reducing risk. At PSP Investments, we work hard to ensure our employees feel ownership when interacting with risk management. Fostering a sense of personal investment between our people—not just in their jobs, but in the organisation as a whole—ultimately creates a greater inclination towards escalating and reporting. Key contributors to their integration in the model include an understanding of the processes they participate in and of the types of issues and events they are expected to report on and escalate. When they have an understanding and appreciation of their critical role, they become active participants in identifying emerging and real risk trends and collaborating with the second line of defence.
There are numerous tools a risk team can leverage to strengthen risk culture and nurture the relationship between the first and second lines of defence. These include strong and regular communication, establishing best practices internally, building communities of practice, and more.
The X(pert) factor
Like other risk-focused organisations, our second line of defence includes the many groups that provide internal monitoring and oversight such as cyber security, compliance, and risk. They work not as mere control functions, but as our internal business partners in ensuring that we remain within the risk tolerances established by PSP Investments’ management and Board of Directors.
Traditionally, the second line of defence has primarily included risk generalists with access to first-rate tools, procedures, processes and oversight. However, we recognise that the complexity and depth of risks continue to develop. To meet these changing needs, it is increasingly important to have in-house speciality teams and experts in areas like cyber risk management and privacy. These employees are not only experts in their respective fields, but are able to customise their specialisation to their organisation’s specific area of business, lending to a tangible difference in the successful mitigation of industry-specific risks. Their contributions to risk mitigation practices and solutions are a key pillar in a holistic and effective risk management framework.
A powerful data filter
Globally, data has been increasing at a spectacular rate. To separate value creating data from insight, organisations need a top-of-the-line data filter to ensure that key information is accessed and actioned appropriately.
At PSP Investments, we have been strengthening our data capture, analysis and reporting function to cut through the noise and capture the most essential data available. For example, we are currently investigating how to best use natural language processing and artificial intelligence to source key information and developments inherent to our risk areas.
A defence that’s within reach
While most organisations have already established the necessary baseline elements to mitigate risk, industry leaders will stand out among the crowd and boost their defences by focusing on the intersection where monitoring, protocols and culture meet. When these individual lines work together openly, transparently, and in sync, they facilitate the proactive identification and management of new and emerging risks.
By creating this nexus and working carefully to ensure the strongest possible relationship between the first and second lines of defence, organisations can bolster and multiply their individual strengths. This effectively creates a critical, unified force that will help to protect the assets and people within our quickly evolving risk landscape.
Transforming risk efficiency and effectiveness
Since the financial crisis of 2008–09, financial institutions have significantly expanded their risk and compliance functions. And with increased headcount came increased complexity. Many institutions grew rapidly and piecemeal, often scrambling to respond to regulatory feedback or indirect pressures. Most banks today are consequently looking to improve productivity. Risk management, however, has often been off-limits for cost reductions. Actions to reduce cost required cutting through the complexity and therefore were viewed as hazardous, given the nature of risk and the expectations of regulators. Faulty moves to make risk management more efficient can in fact cost an institution significantly more than they save.
In our experience working with leading banks, the most potent levers for increasing risk-management effectiveness, if applied in careful sequence, also improve efficiency. A well-executed, end-to-end risk-function transformation can decrease costs by up to 20 percent while improving effectiveness, transparency, accountability, and employee and customer experience.
A sequential journey
Banks looking to transform risk management can focus on four mutually reinforcing areas: organisation, governance, processes, and digitisation and advanced analytics. While enhancements isolated in each area can boost both effectiveness and efficiency, the true potential comes from tackling them in sequential order. Organisational optimisation facilitates governance rationalisation, which facilitates effective streamlining of processes, which enables digitisation and advanced analytics to yield maximal benefit.
- By optimising the organisation, institutions can gain effectiveness, clarifying responsibilities, increasing accountability, and matching talent to jobs. Changes achieved by optimising the organisation promote efficiency by reducing redundancy in activities across the first and second lines of defense. Perhaps most important, organisational improvements lay a necessary foundation for rationalising governance, streamlining processes, and digitisation. For example, banks can begin an efficiency transformation by making sure that responsibilities for risk assessment, quality control and testing are well-defined and that talent requirements for each role are clearly articulated.
- By rationalising governance, banks can focus attention on what matters most and remove pain points for the business. Eliminating unneeded activities frees up a scarce and precious resource—management bandwidth—while yielding some direct efficiency benefits. Most critically, rationalised governance sets the foundation for streamlining processes as well as for digitisation. For example, some institutions have reduced as many as 30 percent of their policies while improving the quality of the remainder and clarifying the constraints that updated processes must meet.
- By streamlining and strengthening processes, institutions can take dramatic steps on the efficiency–effectiveness curve while creating better employee and customer experiences. Streamlined processes are also easier to digitise, either in targeted ways or in full. For example, banks that have mapped their credit-underwriting and adjudication process have discovered efficiency-improvement opportunities leading to freeing up underwriter capacity by more than 20 percent and credit-officer capacity by more than 10 percent. Some institutions have used such process simplification as a first step toward digitisation.
- Finally, digitisation and advanced analytics augment and magnify the effect of process redesign, allowing for full impact to both risk-management effectiveness and efficiency. Appropriately automated processes are less error prone and less costly. Perhaps even more important, digitisation permits institutions to embed automated real-time (or near-real-time) risk controls within core processes. This reduces control failures and makes far more efficient use of resources. These changes rely on effective data management, which also directly boosts efficiency by eliminating time wasted on data consolidation and reconciliation. For example, many banks are automating retail and SME credit processes, automating decisioning and embedding real-time KYC controls into onboarding.
Secrets of transformative success
End-to-end risk transformations can reduce the cost base while meaningfully improving the quality of risk management. Four initial steps are essential to success.
A well-executed, end-to-end risk-function transformation can decrease costs by up to 20 percent while improving effectiveness, transparency, accountability, and employee and customer experience.
- Define the scope of transformation. Banks seeking to improve productivity face a choice between a risk-focused transformation or a broader enterprise-wide transformation which includes the risk function. Given the enterprise-wide nature of risk management, this broader approach tends to create greater value, both throughout the enterprise and within the risk function.
- Set the ambition. In this step, banks determine the size of the available opportunity. An effective transformation plan requires both a detailed current state baseline and a clear view of target state potential. Success also demands determined leadership, with commitment to capture the full potential. The executive team should discuss any trade-offs beforehand, to ensure alignment.
- Establish appropriate governance and focus. The potential value in the transformation requires clear roles and responsibilities. A transformation officer should draw together the threads of the transformation and keep things moving. This is a senior, strategic role, not a project manager. Next, initiative owners design the initiatives, including the financial case, implementation timeline and resourcing, and impact on risk effectiveness. Finally, executive involvement is a must to maintain organisational discipline. Executives, the transformation officer, and initiative owners meet weekly to understand progress, remove obstructions, and ensure the transformation stays on track.
- Communicate a transformational narrative. Risk transformations, like any major change effort, require broad organisational buy-in. Both the risk function and the business play a critical role in success.
Former Monzo CRO Ruth Doubleday: "we are not constrained by technology"
Transformations involve significant behavioural shifts. Addressing new demands and building new skills requires careful change management and patient leadership sustained over a multiyear time horizon. Successfully transformed organisations know, however, that the rewards—greater risk-management effectiveness at lower cost—are well worth the challenge.
This article is an excerpt from the McKinsey on Risk article, Transforming risk efficiency and effectiveness.
Ethics & AI: Knowing the boundaries
Lisa Bechtold, Head of Data Risk & Digital Policy, Zurich Insurance Group
The arrival and indeed the applications of technology ignited some of the most critical discourse on our emotional wellness, our future job security, and our definition of ourselves as human beings. There is still a lot that need to be addressed, particularly around the ethical use of AI. In this article, Elisabeth Bechtold, Head of Data Risk & Digital Policy, Zurich Insurance Group, explores key issues around the current use of AI and raises some imperative questions that the industry needs to consider during the applications of AI.
There is a lot of talk about AI these days and, while we tend to associate it with something that will be around in the future, it is here already. It is in personal assistants like Siri and Alexa, in medicine, autonomous driving, and even facial recognition used in a whole host of applications that are relevant to us and to our organisations. We are living in a data- and technology-driven world and the responsible use of AI and other methods of advanced analytics is getting increasingly relevant.
Why is the responsible, trustworthy, or ethical use of these technologies so important? Just think about how much data and data analytics has impacted your organisation and your industry. Also note that more data was created in 2018 than in the last 5,000 years combined, but we mere humans have only been able to assess 0.5% of it.
What happens when an AI model has the intelligence, power and application to analyse it all, in multiple ways, running multiple scenarios and choosing the optimal action?
The opportunities for social and economic advancement through AI seem endless. But it clearly leads to the question who decides what’s right and wrong, what’s just and unjust, and who gets what? Who decides about the data that’s being fed into those algorithms? Who ensures that data isn’t prejudicial, xenophobic, racially selective, or simply… wrong? Who defines ethical standards, who is setting ethical boundaries…? And who is to regulate all this?
As a responsible organisation, we need a strong commitment to align, foster, and scale values-led decision-making which builds trust and inspires confidence with both internal and external stakeholders.
Elisabeth Bechtold, Head of Data Risk & Digital Policy, Zurich Insurance Group
In the past years, private companies, research institutions, governments and international standard setters such as the G20, OECD or institutions such as the European Union issued principles and guidelines for trustworthy AI. While it is broadly consented that AI should be ‘ethical’, views differ as to both what constitutes ‘ethical AI’ and which ethical requirements, technical standards and best practices are needed to live up to the aspiration of ethical AI. In April 2019, the European Commission’ High-Level Expert Group proposed a framework for trustworthy AI, based on the following three components:
- “It should be lawful, complying with all applicable laws and regulations
- It should be ethical, ensuring adherence to ethical principles and values; and
- It should be robust, both from a technical and social perspective since, even with good intentions, AI systems can cause unintentional harm.”
Research has shown a global consensus emerging around five ethical principles (transparency, justice and fairness, non-maleficence, responsibility and privacy). However, perspectives vary substantially as to the exact interpretation and implementation of these principles. The EU continues taking on a progressive stance on trustworthy AI as we could see from the new EU Commission’s president Ursula von der Leyen announcing to propose AI regulation during her first 100 days of office. But due to the difficulties to regulate this rapidly evolving field, today only very few binding laws and regulations provide clarity on the ground rules of deploying AI.
So how to proceed from a risk management perspective at a time of uncertainty? How to navigate successfully in today’s digital transformation at a time where we need to explore the business opportunities of AI and other advanced technologies but don’t have an established legal and/or regulatory framework to rely on?
As a risk manager it is incumbent on us to look at the risks associated with the (un)ethical use of AI, to understand them and to find ways how to mitigate against them. Using AI in a flawed and unethical fashion triggers the risk of biased or simply wrong outcomes. Overall, the use of advanced technologies triggers a broad range of risks and governance challenges such as understanding and controlling automated decision-making processes with algorithms often perceived as a “black box”. If not deployed in a correct and ethically sound fashion the potential benefits of AI for business are considerably reduced. Distorted and unethical AI outcomes may also have harmful societal effects by encouraging mistrust and, importantly, may have far-reaching reputational consequences. In short, from a risk manager perspective we need to ensure that we deploy AI systems and other advanced technologies in a very diligent way and line with our business strategy and our corporate values.
When trying to do the right thing, however, we also have to acknowledge the challenges of how to define such ethical standards for our own organisations and how to implement them into our business operations. We need to make sure that our use of AI is, first and foremost, responsible, ethically sound and complies with applicable laws and regulations. Secondly, the use of AI needs to be underpinned by a robust and holistic governance and assurance framework that provides for appropriate risk and compliance assessments, effective monitoring and implementation (end-to-end). Key considerations to be addressed by such governance and assurance framework include, in particular, fairness (to avoid bias), transparency, interpretability and explainability, as well as robustness and security. It may also be considered to create an “Ethics Committee” that could act as a sounding board and provide for a roadmap and direction on the alignment of business strategy, corporate values and the responsible use of AI.
We need to make sure that our use of AI is, first and foremost, responsible, ethically sound and complies with applicable laws and regulations. Secondly, the use of AI needs to be underpinned by a robust and holistic governance and assurance framework that provides for appropriate risk and compliance assessments, effective monitoring and implementation.
Elisabeth Bechtold, Head of Data Risk & Digital Policy, Zurich Insurance Group
As a responsible organisation, we need a strong commitment to align, foster, and scale values-led decision-making which builds trust and inspires confidence with both internal and external stakeholders. In today’s digital age, gaining and maintaining such trust based on the responsible use of advanced technologies is likely to be key success factor for the corporate world.
Reflections on climate financial scenario analysis
Gaurav Ganguly, Head, Group Risk Economics, HSBC
“Environment-related risks account for three of the top five risks by likelihood and four by impact”, the World Economic Forum’s Global Risk Report 2019 said. The severity of the impact is clear but how financial institutions might put that into a model is less clear. In this article, Gaurav Ganguly, Head, Group Risk Economics, HSBC, outlines what banks should expect from climate financial scenario analysis, what such analysis should be able to tell you, and why it’s important to start building it now.
Banks are increasingly turning to scenario analysis to gauge climate risks in their portfolios and to deepen their understanding of the impact of climate change on the financial system. Climate financial scenario analysis in banks is a relatively new and fast-growing discipline and while it seeks to rely on existing risk management frameworks, understanding the impact of climate change and associated policies on the financial system creates several new challenges. These challenges are significant and are related to the unprecedented nature of climate change, the uncertainty associated with making climate related predictions, and their transmission through the financial system.
We expect scenarios to measure the economic and financial consequences of climate risks in order to help banks take risk-based decisions and aid their disclosure, while at the same time, close gaps in data and knowledge. This is a hefty ask, so what should we reasonably expect from climate financial scenario analysis?
Climate scenarios need to aid measurement of risk factors.
Scenarios of emissions or of weather are not constructed to directly enable financial risk assessment and significant further work is necessary to extend the analysis. Climate financial scenario analysis is typically split between transition and physical risk. The financial system faces the former as a result of policy measures that accelerate the shift to a low emissions economy while the latter arise from damages due to changes in the climate system. Scenarios need to start by mapping these two climate related risks to their corresponding economic and financial effects. Transition scenarios will need to translate policy action and emissions reductions into economic drivers that can help measure standard risk factors such as credit or market risk i.e. the risk of default and/or the risk of abrupt re-pricing. Physical scenarios will need to work in a similar way by linking weather events to economic and hence financial loss. This may seem obvious but the complexity of linking climate models and the economic effects to standard drivers of financial risk should not be underestimated.
Scenarios should test our understanding of climate risks.
Mitigation, adaptation, and climate change will affect the allocation of capital within and across sectors and will alter returns to certain types of economic activity across locations. Despite our best efforts to capture such re-configuration through models, economic changes may occur in unanticipated ways and there may be risks and opportunities that current models and assumptions are unable to fully recognise. As our knowledge of financial transmission improves, we are likely to find ourselves revisiting our models and our scenarios. In this context, helpful scenarios are those that make the appropriate macro-financial linkages based on current understanding, while at the same time, are transparent on the challenges that remain. At this stage of development, good climate financial scenarios are those that lead to more questions rather than answers!
Climate scenarios need to examine multiple pathways.
Scenarios should serve as an exploratory tool for tackling the uncertainty embedded in climate financial decision-making. Banks will find it helpful to consider a range of outcomes rather than rely on a single scenario and possibly even over different time horizons. To examine a full range of outcomes, including the more extreme, banks will need to create scenarios that probe very different types of economic consequences of climate. These might include scenarios that examine the consequences of political and social change, changes in economic management mechanisms or changes in financial expectations. This suggests the need for a very engaged approach whereby banks bring the insights of different models, assumptions and even different disciplines into scenario analysis.
Climate financial scenarios need to reflect economic reality.
Climate scenarios, if they are to make useful predictions of future changes, need to start with an understanding of the current shape of the global economy and its vulnerabilities. In addition, historical economic analysis is likely to be useful when examining financial tail risks related to climate. Banks frequently use scenario analysis to model tails i.e. to probe the impact of fundamental changes in economic structures and/or market disruption and negative spillovers. Banks are guided in such analysis through examination of past events e.g. institutional changes such as trade agreements or exchange rate regimes, build-up of speculative bubbles and their subsequent correction, episodes of sovereign default, high vs low-inflation regimes and so on. While climate scenarios require making predictions outside the range of historical experience, this still needs to be based in an understanding of the economy today and, in the case of more extreme tail scenarios, may be usefully informed by past analysis of financial disruption.
Building climate financial scenarios is an iterative process.
Scenarios we build today will take large steps forward despite limitations in data and understanding. Models will improve as understanding of the financial transmission mechanism of climate change increases and as data gaps are closed. Financial institutions need to consider a road-map that acknowledges the improvements required and create an appropriate programme for scenario development that can enable financial decision making and aid disclosure.
Revisiting risk culture in financial institutions
Elizabeth Sheedy, Professor, Macquarie University Business School
The importance of risk culture has been emphasised in the recent past, but is strong risk culture effective in preventing misconduct? In this article, Elizabeth Sheedy, Professor, Macquarie University Business School, takes a deeper look at unethical pro-organisational behaviour – actions that can be justified as for the benefit of the company – and finds support for a new theory of conduct and culture.
Since the global financial crisis, financial institutions have worked to implement a strong ‘risk culture’. But despite poor risk outcomes, including legal costs, fines, and customer remediation, misconduct toward customers continues to occur. Does this mean that risk culture is the wrong way to approach misconduct? Or is it that attempts to create a risk culture have just not worked? New research from Macquarie Business School in Sydney sheds new light on this problem, identifying the kind of organisational culture that is most likely to reduce misconduct toward customers.
This new multi-disciplinary research is co-authored with organisational psychologists Patrick Garcia and Denise Jepsen, also from the Macquarie Business School. It is currently under review with an international journal.
In the last 10 years, academic researchers have identified the concept of unethical pro-organisational behaviour or UPB. It’s helpful to divide unethical behaviour into two broad categories. On the left-hand side, we have behaviours like fraud and bullying – behaviours that are unambiguously ‘bad’ because they hurt the organisation. On the right-hand side of the table, the behaviours are much more complex. If staff lie to customers or regulators, this clearly contravenes societal notions of ethical conduct, but lying has a benefit to the organisation, at least in the short-term. Higher sales and avoiding fines will boost short-term profits, so staff might do this out of a false sense of loyalty to the firm. Mixed up in this is self-interest. High short-term profits could help you get a bonus or a promotion or just make everyone think you’re great. So UPB, or unethical pro-organisational behaviour, is a very interesting concept. You could say that a lot of the problematic misconduct in financial institutions falls into this category. We need to understand more about it and the culture that enables it.
In this study we asked participants to self-report UPB. An example item is “If it would help my organisation, I would misrepresent the truth to make my organisation look good”. Sometimes survey research is criticised because of concerns about biased reporting. These items for UPB actually work quite well from the viewpoint of social-desirability bias, because there’s a justification built into the item. People might feel more able to admit to lying for the benefit of the organisation. In addition, we controlled for Impression Management – the tendency for some people, consciously or not, to try to make others think well of them.
Risk culture, if it was effective, would attack the long-term consequences.
Elizabeth Sheedy, Professor, Macquarie University Business School
A theory of culture and conduct risk
Using survey data collected from staff in three Australian financial institutions, the team examined both risk culture and ethical culture, to see their relative importance for addressing misconduct. Suppose that misconduct is occurring e.g. selling credit card insurance to unemployed people who are ineligible to claim. In the short-term this produces profits for the firm but customers are harmed. They pay premiums for a product they can’t use. In the long-term, the firm might experience consequences like fines, legal costs, more regulation etc. Risk culture, if it was effective, would attack the long-term consequences. People would be raising concerns, highlighting these long-term consequences, and business practices would be modified.
Ethical culture is likely to influence how the firm responds to the more short-term issue of customer harm. In a strong ethical culture, staff would be likely to raise issues about the adverse impact of the practices on customers themselves. Customer outcomes would be seen as an end in themselves, not just because of the long-term consequences to the firm.
The study finds that risk culture alone cannot solve the problem of misconduct. The strongest predictor of misconduct is (un)ethical culture; more self-interested culture is associated with increased misconduct. Interestingly, a self-interested or unethical culture moderates the relationship between risk culture and misconduct. When the culture is high in self-interest, risk culture loses its potency with regard to misconduct. In other words, it’s not possible to have an effective risk culture and reduce misconduct when the culture is self-interested. Where the culture is unethical (self-interested), then risk culture becomes impotent and misconduct can proliferate. The optimal environment for reducing misconduct is a combination of low self-interest and a favourable risk culture. This represents a challenge to financial institutions where high-stakes pay-for-performance can lead to a self-interested workplace environment. Institutions need to find ways to address this problem if they want to reduce misconduct.
Tom Hardin, aka Tipper X, on risk culture: "the industry still has work to do"
The results of this study suggest that senior leaders, with appropriate encouragement from regulators, should revisit workplace culture initiatives. A multi-pronged approach is needed to grapple with the hitherto intractable issue of misconduct. The four key messages from this study are the need to promote concern for multiple stakeholders such as customers, rather than self-interest; ensure that risk issues and policy breaches are never tolerated, ignored or downplayed; inculcate proactive behavioural norms for identifying, reporting, analysing, discussing, escalating and resolving issues of concern; and ensure that managers throughout the organisation are effective role models and advocates both for the customer and for risk management. The findings have implications for performance measurement and reward mechanisms, for employee/ manager training programmes, for resourcing of the risk function, and for organisational communications including statements of organisational values.