Are Australia’s Financial Institutions in Denial about Risk Management?

Written by

Mark Jackson
Managing Director, BTS Australia

Why traditional approaches to managing risk are not working – and will not work in the future – and what to do about it.

The last few months have seen the media saturated with articles on misconduct and unethical practice by major financial institutions. What has emerged is an environment rife with political divisions, accusations and regulatory reviews by the Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC). Claims of cultural inadequacies have been made, opinion polls showcasing widespread public discontent with bank conduct have emerged and we now wait to see the outcome of the 2 July election and whether a Royal Commission into banking conduct will occur.

Thus, after a sorry succession of scandals over recent years, and with a Federal election looming on 2 July, banks and other financial institutions in Australia have seldom been under greater scrutiny – from the public, politicians and regulators. This level of scrutiny covers a wide range of topics – remuneration plans, vertically integrated structures, whistleblowing, complaint handling and the like – but mostly has centred on the need to improve culture, behaviour and ethical decision making.

APRA has been very explicit about the problem. In a recent speech, Chairman Wayne Byres warned that all the efforts to build bigger capital buffers in banks would be undermined if they are not accompanied by changes in behaviour in banks. “Culture is a nebulous concept, much more difficult to define and observe than capital adequacy. But strengthening culture, like strengthening capital, is critical to long-run stability,” Byres said. “For an industry that is ultimately founded on trust, something serious is amiss, and strong and ethical leadership within financial firms is needed to set this right.”

Culture, and in particular the culture of risk management, has been pinpointed as a key source and driver of ethical conduct.

ASIC Commissioner Greg Tanzer recently made similar comments, noting that while he could not speak for APRA, it was possible that banks that do not properly reform their cultures could be forced to carry higher levels of capital.

Given that Australia’s banks are now, more than ever before, under the microscope, the banking industry is now, somewhat belatedly, seeking to get on the front foot. The Australian Bankers’ Association recently announced Australia’s banks would immediately begin to implement comprehensive new measures to protect consumer interests, increase transparency and accountability and build trust and confidence in banks.

“This package aims to address consumer concerns about remuneration, the protection of whistleblowers, the handling of customer complaints and dealing with poor conduct,” Australian Bankers’ Association Chief Executive Steven Münchenberg said. “Customers expect banks to keep working hard to make sure they have the right culture, the right practices and the right behaviours in place.”

So, where does this take us?

There is no doubt that the series of scandals and pressure from the public, politicians and regulators has spurred the industry and individual financial institutions into action. But this raises a number of key questions: Are Australia’s financial institutions in denial about the extent of the problem? Are the proposed changes the right ones? Will the changes work? And crucially, is the corporate will sufficient (and are resources available) to make a real improvement to the current situation?

Based on research and BTS’ extensive work with financial institutions globally, our view is that whilst the debate and proposed changes are undeniably positive, and should deliver some positive outcomes, they continue to underestimate the true magnitude of the task. Most importantly, the discussed changes largely fail to tackle head-on the biggest and most central challenge: changing the risk cultures that exist in our large financial institutions.

The empirical evidence

But don’t just take our word on this.

If there was ever any doubt about the significance of risk culture in financial institutions, you need look no further than the recent extensive research by Macquarie University associate professor (and former banker) Elizabeth Sheedy and psychologist Barbara Griffin (Risk Governance, Structures, Culture and Behaviour in Banks: A View from the Inside). During 2014 & 2015 this study anonymously surveyed over 30,000 employees in 271 business units from seven major banks in Australia and Canada (three in Australia and four in Canada), countries that are highly regarded for the quality of regulation and prudential supervision. All seven banks believed they had adopted “best practice” risk governance.

The study uncovered deep problems with a culture of ‘avoidance’. This manifests in actions, or the lack of action, when staff choose not to pass on bad news to relevant people or turn a blind eye to bad behaviour. The study found that this culture of ‘avoidance’ or the covering up of bad news was a strong predictor of bad behaviour and conduct within the banks.

The study clearly established the critical role of risk culture (which is defined as ‘the relative priority given to risk management as perceived by employees’), over and above risk structures, for explaining risk behaviours in large banks. The study concluded that favourable risk governance and structures do not guarantee that risk management will be effective if risk culture is unfavourable.

While many financial institutions understandably espouse a commitment to risk management, the priority that employees see is more likely to be short-term maximisation of Return on Equity or share price. This gap between what is formally espoused by leaders and what is actually enacted on a daily basis as the business goes about execution explains how culture develops and is experienced. In other words, “Culture eats strategy for breakfast” (as attributed to famed management guru Peter Drucker).

Griffin and Sheedy’s study proposed that risk culture is not risk governance or structures, per se, but rather the meaning and priority that is attached to those structures by staff. In the best case, the culture will give those structures their power, but in other cases culture can render them ineffectual. When staff perceive that breaches of risk policy are not taken seriously, then similar breaches will multiply as employees form the opinion that other objectives (such as high short-term returns) are the true priority.

Ultimately, culture determines how staff behave when they are under pressure and have to act instinctively when there is no opportunity to review the rule book. Culture also guides employees in how to balance competing objectives when, as usual, there are multiple valid actions possible.

For all these reasons a strong and favourable risk culture (where staff agree that risk management is prioritised relative to other competing objectives) is necessary beyond structure and process alone in promoting desirable behaviour and thus ensuring that the organisation’s objectives are reached.

Griffin and Sheedy also made a number of other important findings. Interestingly, Canadian banks enjoy a more favourable risk culture than their Australian counterparts – a telling finding given that Australian banks like to pride themselves on being amongst the best in the world. Generally, employees in the Canadian banks had significantly more favourable perceptions of risk structures than the perceptions of the employees in the Australian banks. Something is going on here.

In another key finding, the study also found that there are significant differences in risk factors between different business units even within the same bank. This suggests that risk culture exists at a local level as staff interact with one another and look to local leadership for guidance. The clear implication is that although “top down” initiatives and messaging are important, risk culture needs to be measured and managed at the business unit level or below. This need to proactively manage risk culture at a local level adds to the challenge – a “one size fits all” approach won’t work, and the quality of local leadership is of critical importance.

Perhaps most significantly, risk structures were perceived favourably by employees, with the notable exception of remuneration. The study measured perceptions regarding the consistency of remuneration and performance measurement systems with prudent risk taking. A significant number of staff perceive that remuneration systems encourage a short-term focus and even unacceptable behaviour. This is a key finding that needs to be directly addressed.

Well-known Australian and international cases such as NAB (Australian Prudential Regulation Authority, 2004), HBOS (Parliamentary Commission on Banking Standards, 2013), JP Morgan Chase (Permanent Subcommittee on Investigations, 2013), Royal Bank of Scotland (Financial Services Authority, 2011) and Lehman Brothers (United States Bankruptcy Court, 2010) all provide ample anecdotal support for the proposal that undesirable risk behaviour flourishes and spreads when the organisational culture permits it or encourages it. In every one of those cases, risk culture was identified as an underlying causal factor. However, until the Macquarie University study there has been little, if any, empirical support for the importance of risk culture.

The significance of risk culture in financial institutions is intuitively well-known by executives, if underappreciated. According to the global industry association, the Institute of International Finance (IIF), ‘It is critical for governance to embed a firm-wide focus on risk. The recent market turbulence has provided clear evidence that effective cultivation of a consistent “risk culture” throughout firms is the main enabling tool in risk management.’ (IIF, 2008; p. 11). Regulatory statements since the crisis of 2008 have repeatedly referred to risk culture as an area of focus in the post-crisis environment (see Basel Committee on Banking Supervision, 2010; 2011; 2015).

It is fair to say that most, if not all, major financial institutions have a degree of appreciation of the importance of creating the right risk culture and behaviours. However, our experience – and the recurrent risk events – clearly demonstrate that the challenge in creating the right culture is routinely underestimated, under-resourced and that current approaches are only partly effective at best. Beyond that, many financial institutions are not sure of how to create the cultural change needed, or set about it in ways that simply do not work as intended.

So, how do financial institutions move the needle?

In addressing risk management culture, the Harvard Business Review (Risk Management: How to live with risks, July-August 2015) recently observed that decisions do not make themselves – people make them, and there is not always a chief risk officer present when they do. Recognising this, the best companies work to improve employees’ ability to incorporate appropriate levels of risk when making choices. Given this, how should financial institutions go about making employees the first line of defence and creating stronger risk cultures?

The HBR article observed that many employees still associate risk management with compliance-driven busywork and such exercises might not actually reduce risk. In order to combat this, risk managers are turning to tools and training that help employees assess risk in addition to relying on paperwork and processes. It is important they not seek to reduce risk to solely standardised processes that employees blindly follow, but rather empower employees to be the first line of defence. Risk management skills need to be fostered and developed both by and from within the organisation. The HBR article goes on to say, ‘Smart companies work to improve employees’ ability to incorporate appropriate levels of risk when making choices’. In other words, increasing risk aptitude is a priority.

In turn, promotion of customer protection as its own incentive needs to be driven from the organisation to the employees. Success in management of customer risk in a short, medium and long-term environment needs to become its own incentivised metric.

A key area of this change is ascertaining what risk-based decisions need to be made to serve both short and long-term goals. In the case of our major financial institutions, a focus on short-term goals, and the perceived priority at times given to shareholders over customers and a culture of ‘avoidance’, has been oft cited as a reason for poor decision-making. Had better risk management and better consideration of longer-term goals been implemented in these situations, such types of decisions may not have been made.

Upon identifying the need to nurture and promote both short and long-term risk management across an organisation, how does an organisation operationalise this need? The ability to quantify current risk culture and reduce it to a cultural profile that can collect and analyse risk attitudes and behaviours across an organisation is often desirable. However, this process is likely to overlook the richness and multi-dimensional elements that encompass the totality of risk. This effort of profiling is also likely to simplify risk to a ‘one size fits all’ policy that will overlook its dynamism across different situations.

A tailored approach that examines how an organisation thinks about risk culture and how it manifests each day in employee attitudes and behaviours in each business area is the first step in creating a framework that will allow an organisation to operationalise, address and implement a risk management solution that results in an appropriate culture. Interweaving proven effective risk management practices with a specific organisation’s strategy, capabilities and goals will create the foundation for a risk-intelligent culture. A “one size fits all” strategy will miss the nuances of each organisation; it is only through understanding these specifics that an organisation’s unique map towards successful implementation can be found.

In the HBR article referred to earlier, IBM’s chief risk officer, Luis Custodio, spoke of the importance of risk management being centred in the businesses. Custodio’s view is that risk management is the responsibility of every IBMer. The role of the enterprise risk management function is to support leaders and all employees with targeted resources, education and training. Significantly, IBM has added gamification, so that employees find it fun and engaging. Many leading companies like IBM are focusing training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations.

When delivering a new risk management strategy across an organisation, a key barrier to uptake is understanding. The reasons behind why this risk initiative is being implemented and how it will unfold must be grasped and understood for it to be truly adopted. Creating a real-life environment to unveil the strategy allows the connection between process and action to be made and for behaviour change to occur. A simulated environment provides a safe forum in which to test thoughts and actions providing experiences which can then be taken and applied to everyday situations in the workplace, and bring the risk strategy to life.

An approach for the future

To change a culture and behaviour is no simple endeavour. It takes smart, sustained and highly effective effort over time – years, not months.

Our point of view is that there are three key elements to designing development experiences that truly move the needle.

  1. “Great” risk behaviour is relentlessly contextual

    We believe that displaying the right risk behaviours, such as ethical decision making, is relentlessly contextual. We know that people need to see, experience and try out new ideas, skills and mindsets before they believe in and master them. These experiences need to be a close approximation of real life - an experience that allows employees to practice performing in their role or a different, bigger role in their company. To enable this, we capture, codify and democratise the risk-related capabilities, actions and mindset of your “great” employees, scaling “great” across the organisation. These behaviours can then be turned into extremely realistic, rich scenarios which the employee can then be asked to respond to in a risk behaviour simulation.

    Much the way a pilot learns how to perform a complex landing on water first in a flight simulator, an employee can learn the most appropriate response in a crucial situation by practicing first in a simulation. In the simulation, the risk associated with trial and error is removed. Like the pilot, the employee can crash in her first few attempts without having any real-life adverse impact.

    Another advantage of the risk behaviour simulation is the condensed timeframe; we can close the time gap between action and consequence. In real life, it may take months or - especially in the context of risk - years to see the impact of decisions. This is part of the problem when managing risk – the tail of risk events is temporally far-removed from the root cause. In a behavioural simulation, the consequence of decisions is immediate and, as a result, we can accelerate time to insight and capability.

    Highly customised to each company’s business, simulations have the potential to condense and accelerate years of business experience and effect real behaviour change.

    In line with the findings of the Macquarie University study discussed earlier, simulations should ideally be created for each unique business area, as different parts of the same financial institution will most likely have quite distinct risk cultures.

  2. Designed practice builds skills more effectively

    By now, “practice makes perfect” is a widely embraced and cited adage - Malcolm Gladwell’s “10,000 hours of practice to achieve mastery” echoes across business. Geoff Colvin in his book Talent Is Overrated cites the importance of “deliberate practice,” which is not just about a lot of practice but about expert practice that is consistent and thoughtful. As retired Air Force General Lance W. Lord contends, “Perfect practice makes perfect.” How often do development programs require “deliberate practice” that comes with expert feedback, course correction, more assessment and more targeted practice? It’s intense and iterative. And it’s mostly missing from development designs, as companies seek quick fixes and process and system solutions rather than relentlessly driving for real behavioural change.

    Exceptional behavioural change programs - like perfect practice - must replicate real-world experience and design practice that will lead to mastery. Development programs must move beyond high-level, abstract discussions and engage employees in the actual capabilities and behaviours most needed to benefit them and the company.

  3. Mindset rules

    Mindset powerfully drives the actions and results in every company. At no other time is the power of past experiences and formed beliefs more powerful than when the employees of a company are faced with a new future state that will require them and the entire company to make major changes in behaviours. At the root of this challenge is mindset. Each employee’s individual beliefs were formed by what made them successful to date, and it’s many of those same beliefs that will stop them from being able to embrace the new and the new way of working successfully.

    In order for employees to change, they have to have new experiences that start to shift their mindset and build their confidence around the beliefs and behaviours that will drive future success. The most effective and impactful method of doing this that we have seen is creating an experience, or series of experiences, where employees can practice decision making and confront changes within this safe, simulated space. During this experience, new insights happen, wide perspectives build, and new beliefs are shaped around what is changing in the market and how they need to behave differently. This mindset shift and alignment to strategy is what is needed to do the nearly impossible task of changing the deeply rooted beliefs formed from past behaviours.

Case Study: From Scandal to Success - Creating a Healthy Risk Culture

To bring all this to life, let’s take a closer look at how one major financial institution in Australia successfully overcame a number of scandals and missteps and created a healthier risk culture by shifting mindsets through a simulation designed to change risk management behaviours.

The Challenge

Following a number of scandals and an investigation by APRA, a high profile business unit at one of Australia’s major banks needed to create a strong and healthy risk management culture. On the flipside, whilst the organisation had suffered as a result of the scandals and inappropriate risk behaviours, some other employees were unnecessarily risk averse and avoided taking accountability and making important risk-weighted decisions.

In order to create their desired risk culture, the company set about measuring the current culture, defining the aspirational culture and developing a new risk strategy. BTS was engaged to align the entire 2,500-person global workforce around this new culture and strategy.

Given that the business unit’s activities are closely tied to quickly moving markets, and decisions therefore need to be made rapidly, the organisation’s people needed to be able to think and act independently and make appropriate judgements in difficult circumstances. This required a culture based on principles and not just procedure, which empowered people to take swift decisions whilst providing the ethical foundation on which to base those decisions.

In order to bring this to life successfully, it was critical to create a culture of trust, collaboration and accountability - otherwise, the enabling independence of such an environment could allow for the abuse of authority. This required creating a strong risk management and compliance culture with alignment around principles-based decision-making, because a sense of “it is the way we do things around here” would drive better outcomes than “because the rules say so.”

The Solution

BTS created a highly realistic and rich scenario simulation that focused participants on addressing a wide range of detailed scenarios against a backdrop of potential operational and bank risks. These scenarios included dealing with issues concerning payments, credit risk exposures, delegated credit authorities, fraudulent cash flow transactions, currency settlements, reporting and compliance issues, resignation of key employees, the challenges posed by major projects and balancing operational needs with client needs.

The formal learning objectives were to:

  1. Gain a shared understanding of how to manage risk within the organisation – both the role of the individual and bank
  2. Reinforce a principles-based approach to decision making, building deep appreciation of the desired culture and risk management strategy
  3. Gain acceptance that risk management is everyone’s responsibility
  4. Use scenario-based learning to face the business’ challenges and create a healthy level of discomfort (and deep thought) whilst doing so.

All of the rich scenarios were based on real-life occurrences and developed in close consultation with the key stakeholders. The scenarios were carefully designed to bring to life the key behaviours required to deliver the desired risk culture – defined as Collaboration, Accountability, Entrepreneurship, Adaptability & Flexibility, and Customer & People Focus.

Over the course of one day, participants worked in cross-functional table teams to make decisions in multiple, complex scenarios. These complex scenarios branched into multiple paths depending on the decisions taken. The scenarios were delivered using a laptop-based simulation which required participants to also respond in the moment to phone calls and emails, as if in a real-life office environment. After vigorous discussion at each decision point, the team’s decisions drove a score for each of the desired cultural attributes and risk, as well as real life business metrics such as revenue and customer satisfaction. The table teams competed with each other to see who could create the best risk culture and the most successful company, further driving deep engagement with the issues and learning.

Significantly, each program was co-facilitated by BTS with two senior leaders from the business, who coached teams during decision making and then assisted with debriefing the scenarios to bring them to life and reinforce key messages. This facilitated rich, authentic discussions between the senior leaders and participants, which would very likely otherwise never occur.

This process of creating visceral and rich scenarios with clear decision points and then having them discussed by a mixed team forces the sharing of diverse perspectives. Requiring a decision to be made under time pressure (as in real life), and in a competitive environment where the impacts of decisions are being measured by multiple dimensions, drives extremely deep engagement with the issues explored and the implications of different courses of action. Immediately seeing the impact on the desired culture and real-life business metrics, and then debriefing with senior leaders, links the scenarios to the real-life situations on which they are based and further strengthens their influence. This carefully designed experience thus creates the best possible conditions for achieving the mindset, behavioural and cultural shifts required.

The result? Significant measurable improvements in employees’ perceptions as to how the business manages risk and hence the organisation’s risk culture. As Griffin and Sheedy’s study establishes, risk culture is not risk governance and structures per se, but rather the meaning and priority that is attached to those things by employees.


A significant number of risk events continue to occur in Australian financial institutions, creating a somewhat toxic atmosphere with the public and regulators that is eroding trust. This is despite substantial expertise, resources and focus being devoted to risk management over many years. Given this, it is self-evident that established approaches are not working as intended.

Years of anecdotal experience from around the world have pointed to the significance of risk culture as a critical factor in preventing risk events. This anecdotal experience is now backed up with clear empirical evidence. Risk culture, over and above risk governance and structures, affects risk behaviour in financial institutions. Risk culture is a significant predictor of risk behaviour and hence risk events.

It is clear that improving risk culture is of critical importance in promoting good risk behaviours, reducing risk events and restoring trust in financial institutions. Better risk management, and a better risk culture, is good business. Hence, greater leadership attention needs to be paid to risk culture in financial institutions.

The good news is that the Australian financial services industry and individual financial institutions are now on the front foot and taking proactive steps to address this - by reviewing remuneration plans, vertically integrated structures, whistleblowing, complaint handling and the like. However, from public pronouncements it is not yet apparent that individual financial institutions have fully recognised the critical importance of risk culture and may well be in denial about the extent of the challenge they face.

Every financial institution – and every business unit within each financial institution – has its own unique risk culture. To be successful, financial institutions must not just let culture emerge as a by-product of other risk management activities. Instead, they must proactively define and shape the desired risk culture, and drive deep understanding and mindset and behavioural change through leaders and employees in all parts and at all levels of the organisation. Doing so will require substantial focus, expertise and resources over time.

Creating lasting mindset and behavioural shifts requires carefully designed and customised learning experiences that provoke deep thinking, facilitate rich conversations and enable employees to practice ethical decision making (and force them to confront the consequences of their decisions) in a safe, simulated environment.

Only through a concerted effort over time to address all of the elements of risk management, and by directly shaping their risk culture, can Australia’s financial institutions be confident of reducing risk events, protecting customers, restoring trust in the industry and improving sustainability.

About BTS

BTS focuses on the people side of strategy, working with leaders at all levels to help them make better decisions, convert those decisions to actions and deliver results. At our core, we believe people learn best by doing. For 30 years, we’ve been designing fun, powerful experiences™ that have profound and lasting impact on people and their careers. We inspire new ways of thinking, build critical capabilities and unleash business success.
It’s strategy made personal.

BTS is a public company traded at the OMX Nordic Exchange Stockholm under the symbol BTS b