Regulating Culture: Operational Risk and the New Approach to Supervision

SYDNEY: 26 March 2014 - Financial services organisations need to move beyond their traditional focus on "metrics" and instead factor in organisational culture as an essential part of their operational risk framework.

A group of industry practitioners and regulators have told the Australian Securities and Investments Commission's (ASIC) Annual Forum in Sydney that the new and more challenging risk environment has demanded a different focus from compliance and risk teams. They said this new reality had quickly flowed through to regulators, which were now looking for evidence of "soft skills", such as developing and embedding an organisational risk culture, when conducting supervision visits.

A senior regulator from the Australian Prudential Regulation Authority (APRA) told the conference that his agency was taking a more nuanced approach to assessing risk culture in the wake of the financial crisis. He said one of the most important factors was to ensure that a firm's corporate culture was consistent and was embedded successfully across the organisation.

Keith Chapman, executive general manager at APRA, said the regulator would increasingly be looking beyond risk metrics to assess how risk practices were actually being expressed in organisational behaviour. He said the regulator took the view that ultimate responsibility for setting an organisational culture rested with the board, not just with senior management.

"It's got to start from the top. So, unashamedly, we put a lot of emphasis on the boards to be responsible for how organisations run. They don't have to run the organisation, that's senior management's job, but they've got to set the tone. They've got to make it clear what they expect because they're the balance between management, the business and shareholders," he said.

In terms of communicating culture, Chapman said that the "tone at the top" was crucial to the success of an organisation's risk management framework. He said taking a "clear and consistent" approach was also one of the best ways to develop a successful risk culture, and APRA's supervision visits were increasingly looking for evidence of these types of soft skills.

"We see that very much as the foundation. As we walk around and we talk to boards and organisations, people have differing views about what culture is and what the culture of their organisation should be," Chapman said.

"Tone from the middle"

Chapman said it was important for organisations to ensure that a consistent message was being communicated to staff and expressed in organisational behaviour. In terms of what constituted good organisational culture, Chapman said APRA was more interested in starting a dialogue than setting out a prescriptive formula for operational risk management.

"We don't pretend we have the answers, we see our job much more as a catalyst to get people thinking about it," Chapman said. "It doesn't matter what the culture is, as long as it's strong and clear. Really that's the point. If we know what the culture is and you know what the culture is that you have within your organisation, we are all working from the point of knowledge about what we can see and what we can expect to happen."

Rob Walsh, a financial services and risk partner at Ernst & Young, said that although the tone at the top was critical, many organisations overlooked the importance of what he called the "tone from the middle". Walsh said the tone set by middle management was a critical element in the successful dissemination of any risk management framework.

"While much is said about the tone from the top, there is something definitely to be said about the tone from the middle: that middle level of management relative to the top table. That [level of management] arguably has more proximity and visibility, and influence with more people across the organisation on a day-to-day basis," Walsh said.

"Organisational drift"

Alden Toevs, group chief risk officer at the Commonwealth Bank of Australia, said "organisational drift" was always a significant source of operational risk for large organisations. He said many compliance and risk teams put systems and controls in place but failed to monitor whether these controls were "drifting", or becoming less effective and less appropriate, over time.

Toevs also said that good communication was essential if this aspect of organisational culture and operational risk were to be managed effectively. "You start with something that is reasonably well-designed; it's put into place, it's operationalised and so forth. But over time small changes around the edges begin to take over," Toevs said. "These small incremental changes are really at the heart of many classic examples of operational risk failures."

Toevs said a topical example was a rogue trader who made a "little bit of a mistake" and then tried to conduct illicit trades to recover from that mistake and to disguise any misconduct. "There is an operational 'mental drift' here: 'If I just work my way out of it, no one will ever know'," he said.

The high-profile international cases involving Libor and foreign exchange manipulation are also examples of this gradual "drift" or degradation of once-effective risk management and compliance controls.

Toevs said these examples showed that traditional risk metrics were not particularly effective at capturing or identifying these types of risks. He said the logical solution was for compliance and risk managers, as well as the board and senior management, to focus on developing the right organisational culture. Once the right culture had been embedded across an organisation this would inevitably show up in the metrics, he said, but to put metrics before culture was an example of focusing on the outcome rather than the process.

"Measurement of risk culture is useful, but primarily to look at the places where you want to change your management of risk culture," he said. "Culture needs to be managed. Measurement helps to support it but metrics are by no means the critical underpinning success factor."

Cultural shifts

Chapman said the importance of culture in this respect was well-established. He said cultural failures had been identified across a broad spectrum of industries and organisations where operational risk issues had arisen in recent years. He said that APRA, in its capacity as a prudential supervisor, was in a good position to look across a large number of organisations and to identify the success factors that were common to the best risk managers.

He also said APRA was working to communicate these lessons with the organisations it supervised. "Because we see right across the board ... we can say 'You can do better. We've seen these sorts of experiences elsewhere'," Chapman said.

At a practical level, Chapman said that different industry sectors had differing levels of proficiency when it came to managing operational risk. He said the insurance and banking industries, for example, had very different areas of vulnerability, and that APRA was attempting to point out these shortcomings and to bridge the skills gap between organisations as part of its supervisory work.

As an example, he said that insurers were generally better than banks at developing risk appetite statements. The banks, on the other hand, were generally better at introducing a broad range of control measures into their risk appetite frameworks. Chapman said APRA was trying to "bridge this gap" by encouraging insurers to use more metrics and pushing the banks to have more qualitative measures.

"Somewhere we've got to get the balance right between the two because [at the moment] neither is entirely right," he said.

Risk and resilience

Mike Ritchie, partner in financial risk management at KPMG, said organisations also needed to take a step back and look at the broader conceptual framework and assumptions that underpinned their risk culture. Ritchie said risk and compliance practitioners often made the mistake of focusing too heavily on eliminating risks, rather than managing them. Regulators could also fall for the illusion that risk was something to be eliminated, he said.

Ritchie said that regulators and organisations would be better off striking a balance between the level of effort and resources that they allocated towards preventing disasters and the amount that they invested in developing resilience. He said a static culture based on risk elimination would not put organisations in a good position to handle the myriad potential risks that had not yet been identified.

"I think it feeds back into the culture," Ritchie said. "We need to build capability within the organisation to respond to things as they do go wrong, as they inevitably will. Millions and millions of dollars have been spent on the likes of FATCA [the U.S. Foreign Account Tax Compliance Act], the likes of FOFA [the Future of Financial Advice legislation], privacy, new risk systems, etcetera. You have executives and risk staff who have basically staked their careers on the success of these changes and on the success of these systems and processes that they put into place."

Ritchie said that many firms had inadvertently invested in systems and processes that were too rigid and only prepared the organisation for a known set of risks. Instead, he suggested organisations should focus on developing a level of capability and flexibility that would enable them to respond quickly and appropriately when these things did go wrong.

"I think we need to be focusing more on an approach where risk management takes us to the point where we are ready for anything," Ritchie said. "It requires a little bit of vulnerability and an acknowledgement that things will go wrong. That's a difficult thing to do in many instances for an organisation."

Ritchie said it was better to build a system that had a level of tolerance for failure, rather than assuming that "nothing can go wrong". This ultimately came back to developing an effective and resilient organisational culture.

"We haven't yet imagined all the things that could happen, so I think that's more likely to be a successful approach," he said.

This article was first published by the Regulatory Intelligence service of Thomson Reuters Accelus. Regulatory Intelligence (http://accelus.thomsonreuters.com) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.
