Pub. 2 2014 Issue 4

fall 2014 9 While it’s hard to change these long-held beliefs, leaders are making headway by focusing on relationship skills and de- veloping stronger knowledge of business operations on their risk teams. Embedding risk into business decisions. Executives and regulators are asking their business units to take a more active role as the first line of defense against risk. This involves clarifying risk roles and responsibilities, identifying risk triggers, and seeking risk counsel as part of key business decisions—not as an afterthought. Reviewing reporting relationships. The OCC’s risk governance framework, finalized in September 2014, seeks to elevate the stature of CROs (or the mul- tiple Chief Risk Executives that fill the role of the CRO at some banks). Leaders are taking a look at where Risk sits on the org chart and creating direct lines of communication for the CRO to the CEO and board. Establish a walk-the-talk risk culture—from top to bottom. Nearly 90% of survey participants agree or strongly agree that leadership pro- motes “core values” over growing the bottom line. However, 30% of respon- dents do not agree that management actions consistently align with their communications regarding risk manage- ment. In our view, this likely reflects a disconnect between the tone at the top and how middle management executes on risk policies. Leading financial institutions see risk culture as a multidimensional issue that needs to be supported by a combination of people skills, policies, and tools. We see leading banks: • Developing clear protocols for what good risk management looks like. • Opening channels for escalating risk issues. • Underscoring a zero-tolerance policy for retaliation. • Finding new and better ways to attract talent with the right risk mentality. • Building risk-savvy approaches into the institutions’ training policies and development programs. For example, some banks are requiring employees to participate in risk-related projects as part of their annual goals. These efforts are paving the way for stronger, more sustainable risk cultures going forward. Make change stick through better incentives and consequences. Regulators are pushing banks to change their incentive structures, including com- pensation, development opportunities, and recognition. Leaders have started to take the following steps: Dealing with compliance viola- tions quickly and consistently. By holding themselves and employees accountable for demonstrating the right behaviors, bank executives send a clear message about the importance of risk management and compliance. Aligning incentives with desired risk behaviors. By integrating risk metrics into how employees are compen- sated, assessed, and developed, leaders are demonstrating their commitment to promoting “good” risk behaviors over short-term profits. Maintaining ongoing communi- cation. Leaders are communicating frequently with regulators, shareholders, recruiting candidates, and employees to reiterate their commitment to risk culture and the behavioral expectations that come with it. Create more integrated, real-time reporting. While 80% of survey respondents agree or strongly agree that adequate controls are in place to identify potential risk vio- lations, institutions continue to struggle in their efforts to identify emerging risks across business units and geographical regions. Most risk systems function in silos that formed as business units responded to one-off risk requirements. What’s more, today’s systems often lack the ability to access highly granular levels of data—a demand that could not have been foreseen when these systems were being devel- oped. The result? Executives are unable to get the single view of risk that they need to see how risks taken across the organiza- tion are correlated—and their cumulative impact on the organizational risk profile.  Common Culture — continued on page 10 Nearly 90% of survey participants agree or strongly agree that leadership promotes “core values” over growing the bottom line. However, 30% of respondents do not agree that management actions consistently align with their communications regarding risk management.