Risk culture: banks fall short in eyes of staff

Many risk managers believe their banks have work to do on understanding, measurement and management of risk culture


  • Risk culture is perceived as important, but there are still widespread weaknesses in the way banks address it, according to our survey.
  • Less than half of respondents say their employer understands risk culture well; less than 40% rewards it well; less than 30% measures it well.
  • Nearly three-quarters of respondents say the risk function in their organisation is accountable for risk culture. Only one-third have made the business lines accountable.
  • Experts say the business has to take the responsibility: “It should be unequivocally the first line,” says Alan Smith at HSBC.
  • Taking this step requires a bank to stake out common ground, including a shared set of metrics. Standards are yet to emerge, practitioners say.
  • Regulators are pushing a greater focus on culture. “It’s not stagnant, nor is it something you write on paper. It’s something you live,” says one senior US supervisor.

A new survey has revealed widespread failings in the way banks approach risk culture, despite general agreement that a firm’s culture is a crucial part of risk management.

In the survey of more than 130 risk managers by Risk.net and advisory firm Catalyst, 87% of respondents say risk culture is key to the understanding of risk. Yet only 57% say it is well defined at their employer, and even smaller percentages say it is well understood (45%), well measured (27%) and well recognised and rewarded (38%).

The survey hints at the reason for this disconnect. Almost three-quarters of respondents say accountability for risk culture at their firm lies with the risk function (72%), while only 28% say it is the job of the business lines and other corporate functions. Practitioners who spoke for this article find it startling that a second-line team is being expected to take responsibility for risk culture when most risks arise within the first line.

“I would have answered differently,” says Alan Smith, global head of risk strategy and senior executive officer for global risk at HSBC. “The first line should be primarily responsible for the implementation of risk culture. It should be unequivocally the first line.”

Culture has become a focus for banks and regulators in the years since the crisis – a catch-all term for the disparate failings in attitude and conduct that allowed huge concentrations of securitised mortgage risk to build up in the years prior to 2007, and which also lie at the heart of a slew of post-crisis scandals, from the rigging of the Libor interest rate benchmark and foreign exchange markets, to misselling and violations of sanctions and money laundering rules.

Identifying the source of the problem is the easy bit, however. The Risk/Catalyst survey suggests the industry is still grappling with definitional and organisational questions – and many of the 13 practitioners who spoke for this article agree.

The Financial Stability Board, in 2014 guidance for supervisors for assessing risk culture, noted no single definition of risk culture exists, but pointed to a 2009 report from the International Institute of Finance (IIF) that defines risk culture as “the norms and traditions of behaviour of individuals and of groups within an organisation that determine the way in which they identify, understand, discuss, and act on the risks the organisation confronts and the risks it takes”.


This is what makes it such a slippery concept, senior risk managers say. Other aspects of risk management affect the way individuals and groups behave – such as risk appetite, risk limits, governance, and controls – but do not try to express, track and police behaviour itself.

“Risk has a well-defined set of expectations that are typically quantitative,” says Colin Church, chief risk officer for Europe, the Middle East and Africa at Citi. “The further you shift into qualitative, the more challenging it becomes. A lot of this goes in the category of you know it when you see it, but how do you quantify it?”

Faced with these challenges, many banks have traditionally put more emphasis on the elements of risk management that can be measured, reported and controlled via standardised, quantitative metrics. Risk culture has historically been seen as a squishier part of the discipline, and one that can be left to look after itself as long as harder controls are doing their job.

That is starting to change as a result of the heavy fines and penalties banks have incurred since the financial crisis, and the emphasis on individual firms’ risk culture that underpins new rules and regulation such as the Senior Managers and Certification Regime (SMCR) introduced by the UK’s Financial Conduct Authority in 2016.

And the regulatory drumbeat grew louder in November last year when the Bank of England governor, Mark Carney, said the SMCR regime was helping the FCA and BoE assess whether a firm “has the appropriate culture and is encouraging the necessary changes”. Those with “widespread or consistent shortcomings” may be instructed to hold more operational risk capital, Carney warned.

One senior US supervisor says banks are listening: “Risk culture is slowly becoming embedded into overall corporate culture. Banks recognise it’s not stagnant, nor is it something you write on paper. It’s something you live.”

“There’s real clarity that risk culture is important,” says Roger Noon, an independent risk culture consultant who has worked with a number of banks. “There’s a good understanding now of why it’s important and how it helps improve risk management.”

So, how much progress has been made? And where is further work needed? The survey provides some insight.

Divergent approaches

The idea for the survey came from a roundtable held by Catalyst in June with a group of banks on risk culture, where striking differences between the quantitative and qualitative approaches to the topic became apparent. “They were quite divorced,” says Paul Butler, managing consultant in organisational development at Catalyst. “You had this vague, high-level cultural angle, but then you had the prescriptive, numbers focus of the trading risk management mentality.”

The first step in bridging this gulf is a definition of risk culture – something that explains how the ‘fluff’ of attitudes, behaviour and conduct fits with the harder edges of traditional risk management.

One of the challenges banks face here is finding a way to separate risk culture from broader, existing programmes focusing on culture and values. Both attempt to set expectations around staff attitudes and behaviour, but risk culture is more specific; in this case, the attitudes and behaviour relate specifically to risk management. Banks have sought to make that clear in their definitions.

Kariann Dale, vice-president of risk conduct at Royal Bank of Canada, highlights the issue. “People know risk culture is important, but in practice, while many institutions including RBC already have approaches to assess, measure and strengthen risk culture, they are all continuing to enhance these approaches. There can be confusion, because the attributes of risk culture are a subset of organisational culture,” she says (see box, Risk culture at RBC).

HSBC defines risk culture as the norms, attitudes and behaviours related to risk awareness, risk taking and risk management (see box, Risk culture at HSBC). Again, the bank has sought to make it clear that this is a more focused issue than the broader debate around culture.

“One thing we don’t do well as an industry is make a distinction between risk culture and culture generally,” says Smith. “In our case, we were very clear about getting a concise definition of what risk culture is. You can’t manage what you can’t define.”

The definitions used at HSBC and RBC are similar to the IIF’s 2009 take: broadly, all three establish risk culture as the behavioural norms that relate specifically to the identification and management of risk. And the survey suggests the industry as a whole is making relatively solid progress: 39% agree their firm has defined risk culture well, and 18% strongly agree, with only 20% and 3% disagreeing and strongly disagreeing, respectively. A fifth sit on the fence.


A definition may be a necessary condition for a bank to address risk culture, but on its own it clearly isn’t sufficient. The next question is whether the definition has taken root: is there a common understanding across the bank? The survey responses were less positive on this front, with lower proportions saying risk culture is well understood and higher proportions saying it is not. More respondents also hedge their bets, neither agreeing nor disagreeing (26%).


Given these shaky foundations, it’s no surprise the survey’s questions about the measurement and management of risk culture generate even lower scores – and evidence of divergent practice. Practitioners are not surprised, citing the wide variety of methods that can be used to monitor attitudes and behaviour.

“There’s the notion of not only do you understand risk culture, but is it strong and how do you evidence that?” says Jeffery Weaver, head of qualitative risk assessment at Key Bank, the Cleveland-headquartered US regional lender. “Do you do it with key risk indicators, value statements, or a clearly stated risk appetite, qualitatively and quantitatively articulated? That’s when it begins to diffuse.”

In part, this is a natural result of the discipline’s immaturity, says Jason Forrester, managing director for enterprise and operational risk management at Credit Suisse: “There’s a difference in the level of embeddedness of risk culture, where that same rigour of identification, appetite, and monitoring has been in place for a shorter period of time for non-financial risks than for market and credit risk.”

Methods of measurement

Survey respondents were asked to specify the metrics used for risk culture at their firm (see table). The 85 answers were almost all different – ranging from financial ratios and levels of fines, to incident tracking, key risk indicators, risk appetite frameworks and internal audit or compliance sweeps. A handful of firms said they track a variety of metrics via a dashboard, while others said they were not aware of the metrics used, or that no specific metrics were in place. One joked: “I’d like to know, too”.

The resulting list can be grouped into two broad categories: “big” risk culture measures, and “small” ones, says Forrester. Big risk culture metrics such as financial ratios and risk appetite provide a view of the organisation as a whole, while small risk culture metrics such as incidents and limit breaches provide insight into how well risk culture is ingrained at the individual employee level.

What metrics do you use in assessing risk culture?

Selected responses:
• Control breaches, operational loss trending, audit performance
• Don’t know – dashboard is not shared below board level
• Incident/breach reporting (policies, limits, regulations; op losses; intentional vs unintentional; new vs recurring)
• Interviews based on a checklist of points that are linked to elements of a risk culture framework
• Key control indicators, control sample tests, key risk indicators
• Loss event reporting
• Multiple metrics on a dashboard
• No metrics: qualitative risk culture survey
• Not consistently measured
• Qualitative and expert views
• Risk appetite and limits
• Risk control self-assessment
• Survey of behaviours and knowledge of risk framework and policies

“When people are talking about small risk culture, ie, the individual view the traders have of risk – these are all things I would expect a firm to be monitoring,” says Forrester. “When people are talking financial ratios, liquidity ratios and credit quality, they’re talking bigger risk culture, where you’re looking at the entire limit framework and cascading the risk appetite downwards.”

State Street uses a dashboard to track what it calls “risk excellence culture” across its business units, but Kim Newell Chebator, the bank’s chief administrative officer for Europe, the Middle East and Africa, concedes it is tough to find measures that work.

“Measuring risk culture is notoriously hard. It is difficult to identify a meaningful metric to measure a specific behaviour. At best, metrics can identify risks and trends in behaviours,” she says.

Even if a bank is measuring the right things, little will change unless the right bits of the organisation are held accountable, practitioners say. For many, this was the most worrying aspect of the survey. Almost three-quarters of respondents said the risk function was accountable for risk culture at their firm, followed by the board, which was named by 52% of respondents, the executive committee (33%), compliance (30%) and the business lines (28%). The percentages add up to more than 100 because respondents could choose more than one option.


Although the risk function was identified in the survey as being the most accountable for risk culture, risk managers argue the responsibility should reside primarily with the business lines. Risk culture is more likely to be effective when the first and second lines work in partnership, they argue – with the first line setting risk appetite and conduct standards, and the second line providing oversight through monitoring, surveillance and key risk indicators.

Some banks do operate in this way, says Sarah Dahlgren, a partner in the risk practice at McKinsey and former head of supervision at the Federal Reserve Bank of New York: “There are organisations that recognise risk culture is embedded in the businesses, with the second line providing an oversight function.”

The low number assigned to the business lines and the high number assigned to the risk function should be reversed, according to several people. “Risk culture, according to this data, is imposed by specialists,” says Adrian Docherty, head of financial institutions advisory at BNP Paribas. “The 28% figure I thought was quite low.”

Regulators and supervisors also have a part to play, but while 60% of survey respondents acknowledged the role of watchdogs, there is no clear consensus on what that role is.

“Risk culture is not something you regulate,” says the senior US supervisor. “But for the regulations that do exist, ensuring you follow those and comply with the spirit and intent will be part of a sound risk culture and a sound corporate culture.”



Risk culture plays a part, explicitly or implicitly, in many of the regulations enacted in the post-crisis years. There is a perception that European regulators, particularly in the UK, have been more actively promoting risk culture – perhaps because they have traditionally been more comfortable with a principles-based approach to regulating, versus the more legalistic approach associated with the US.

But while these rules may signal a regulator’s priorities, they deliberately do not give banks a blueprint for how to respond.

Prior to joining Catalyst, Butler was a managing director at Royal Bank of Scotland, where he was involved in implementing the SMCR. One of the sticking points was the regime’s use of the term ‘fit and proper’, which firms were initially left to define for themselves.

“The FCA said, ‘You need to assure executives are fit and proper to do the job. We’re not going to tell you what fit and proper means aside from the fact that they have no criminal record. We’ll audit you, and if we don’t like it we’ll tell you’,” Butler says.

He adds: “The FCA has been quite visionary because it has realised you can just keep piling on rules, and smart people will figure out a way around them. A lot of banks in the UK are now focusing heavily on values, and they’re incorporating them in annual performance reviews. It’s not just what you’ve done, but how you’ve done it.”

Carrot and stick

To close the gap between risk culture’s perceived importance and its patchy implementation, banks should tie it to things that people care about – such as compensation or their chances for promotion, say some practitioners.

Credit Suisse, for example, conducts an annual survey of managers to gauge adherence to risk culture. Those who score well are rewarded, and those who don’t are offered remedial help, and if that fails, are subject to more punitive measures.

What one thing could the industry do more of to promote and enhance risk culture?

Selected responses:
• Acknowledge that risk culture has to be embedded consistently across the organisation
• Awareness and training interventions
• Better sharing of information on “bad apples”
• Consistent definition and common reporting metrics
• Continue to promote tone at the top awareness
• Developing professional standards
• Education, education, education
• Fundamentally change bonus structures
• Have consensus on metrics and common standards
• Incentivise and reward it
• Integrate risk thinking in business execution
• Make Basel set standards
• More regulatory oversight
• More transparency
• Provide explicit examples where risk culture not followed
• Reduce the number of risk managers – make everyone a risk manager!
• Stop calling it ‘risk culture’ and integrate it with ‘company culture’

“It’s important for people to see there’s a carrot as well as a stick, which helps to amplify the benefits of getting it right,” says Forrester.

Something similar is true at State Street and at HSBC. For the latter, employees are rated on their adherence to the bank’s values during the year. Bonuses are blocked for employees with an unacceptable rating, while those who “exhibit exceptional conduct” get paid more. And Citi revealed in October that it had overhauled its bonus system so profitability and conduct scores could no longer be averaged – which in theory could have allowed a high-earning trader to behave poorly and still receive a bonus.

“Not this year,” Citi’s chief compliance officer, Mark Carawan, told a Risk.net conference. “If there are behaviours that have been inappropriate, such as not reducing [a position], or taking a position that wasn’t authorised, that’s a zero bonus.”

These are efforts to close the loop, making front-line risk-takers accept responsibility for risk culture. And it’s where the foundations laid by the industry matter: if individual employees are going to be impacted by their contribution to cultural success or failure, then they, their managers, the senior executives and the board, all need to agree that risk culture matters, share a common definition and understanding, and select appropriate metrics.

“To me, culture is a scientific set of processes, and those processes include strategic objectives, performance management, and compensation,” says Docherty at BNP Paribas. “You can define and measure those. But other people’s understanding of risk culture may be a bit more vague. Therefore, they might have a less clear definition of what risk culture means.”

The survey suggests many banks still have a lot of work to do on the basics.



Risk culture at RBC

This is an edited version of a statement provided by the bank.

Royal Bank of Canada saw the need to supplement its enterprise risk appetite framework with an expression of principles and approach to conduct risk and risk culture. This led to development of an enterprise-level risk conduct and culture framework, which has been in place since 2013. Risk appetite encompasses what risks RBC is able and willing to take, while risk conduct and culture articulates how it expects to take those risks.

“We consider risk culture and conduct a topic, not a type of risk,” says Kariann Dale at RBC. “The term is defined as a shared set of behavioural norms that sustains our core values and enables us to proactively identify, understand and act upon our risks, thereby protecting our clients, safeguarding our shareholders’ value, and supporting the integrity, soundness and resilience of financial markets.”

RBC has adopted the Financial Stability Board’s four fundamental practices as foundational to effective risk conduct and culture in order to enable and reward the desired risk behaviours and outcomes, namely:

• Tone from above;
• Accountability;
• Effective communication and challenge; and
• Incentives that reinforce desired risk management behaviours.

Desired outcomes from effective risk conduct and culture practices align with RBC’s values and support its risk appetite statements, namely:

• Products and services are suitable for clients to protect their interests;
• Standard of market practice safeguards the effectiveness and fairness of the market;
• Reputation aligns with values; and
• Avoid misconduct.

Regular monitoring is fulfilled through qualitative and quantitative indicators of effective practices and outcomes, which are aggregated into dashboards. Accountability for the first line of defence to sustain and strengthen risk conduct and culture is made clear through individual mandates and performance objectives.

Areas where RBC is now focused include enhancing communication and awareness, and recognising employees who strengthen risk conduct.

Source: Royal Bank of Canada


Risk culture at HSBC

This is an edited version of a statement provided by the bank.

In recent years, HSBC has focused on how risk culture is defined, promoted, and measured – in line with a broader shift across the industry since the global financial crisis. 

HSBC defines risk culture as the norms, attitudes and behaviours related to risk awareness, risk taking and risk management. To support this, it has identified five drivers of a strong risk culture:

• Tone from the top: The board and senior management are the starting point for setting core values and expectations for the firm’s risk culture – reflected in HSBC’s risk appetite framework.

• Accountability: Ensuring relevant employees understand the firm’s core values and approach to risk; perform their prescribed roles in the HSBC three lines of defence framework; and are held accountable for their actions in relation to risk ownership and stewardship. 

• Effective communication and challenge: Considering a range of views in decision-making processes; challenging current practices; and fostering an environment of open and constructive engagement. 

• Incentives: Using performance and talent management to reinforce desired risk management behaviour so individual performance is judged both on what is achieved and how.

• Competency: Both in terms of the status, resources and empowerment of the risk function, and the embedding of risk attitudes and behaviours across the firm – supported by values-based assessments for new joiners and training for staff.

Risk culture is measured in several ways through operational risk and internal audit reviews, and employee surveys, which provide insight on important areas of accountability, good judgement and speaking up.

“Embedding risk culture across a large organisation is a journey of continuous improvement,” says Alan Smith at HSBC. “The importance of a strong risk culture is widely understood; the challenge is to ensure this understanding is refreshed and reinforced. The bank focuses on embedding through communications, training and performance management to underpin effective risk management across the firm.”

Source: HSBC

About the survey

The survey was conducted between October 17 and November 3 last year. Participants were sourced via an email campaign targeting risk managers at big and small banks around the world. They answered the survey questions online.

A total of 134 individuals participated – more than 100 completing all 14 questions – with 17% self-identifying as C-suite or board level, 39% as heads of department, and 24% as senior managers. A third of the respondents came from Tier 1 banks. By geography, just over half of the respondents were based in Europe, the Middle East and Africa, with 25% in Asia-Pacific and 22% in the US.
