In a Crisis, Risk Culture Eats Operational Risk Management for Breakfast, Lunch and Dinner

By Dr Simon Ashby, Professor of Financial Services at Vlerick Business School and Author of Fundamentals of Operational Risk Management

The renowned management scholar Peter Drucker once said that “culture eats strategy for breakfast”. He meant that organisational culture, which shapes human factors like employee attitudes, beliefs and behaviours, matters more than a clever strategy when determining success or failure in business. I believe the same is true when comparing an organisation’s risk culture to more formalised operational risk management, especially during a crisis. Granted, formal processes and procedures for the management of operational risk are necessary, especially in heavily regulated sectors like banking and insurance. However, the human factors that characterise an organisation’s risk culture are more important. Like the Titanic with its passengers and crew, I have witnessed financial services organisations with seemingly unsinkable operational risk management tools fall victim to perilous environments because of cultural weaknesses. Take, for example, Halifax Bank of Scotland (HBOS). In the early 2000s, when I worked at the UK Financial Services Authority, writing and advising on operational risk policy, I was part of a regulatory delegation that visited HBOS to learn about its operational risk management framework. From a technical design perspective, the tools HBOS had developed as part of this framework were considered to be best practice at the time (just like the double hull of the Titanic). Little did we know then about the issues embedded within the risk culture of HBOS that played a major role in its demise during the global financial crisis. The joint PRA and FCA report into the failure of HBOS mentions culture 155 times[i].

Why then is risk culture so important in a crisis? Why does risk culture eat formal operational risk management tools like risk and control self-assessments, business continuity plans, or key risk indicator reports for breakfast, lunch and dinner? The answer is that with an inappropriate risk culture these tools are built on foundations of sand. When tested, especially in more extreme crisis situations, they will fail, helping to sink the organisation without trace. Worse still, organisations with an inappropriate risk culture are much more likely to experience operational risk events escalating into crises. Often this is less to do with the initial severity of the event that has occurred and more about the human reaction to the event, especially the reactions of the top-level leadership.

Take, for example, the occurrence of employee misconduct. True, this may be due to an internal management failure, but few organisations are perfect, especially in complex environments like financial services. The leaders of some financial organisations may be open to outsiders about employee misconduct events, quick to apologise and eager to learn lessons. Others may seek to cover up misconduct, as in the case of the LIBOR (London Interbank Offered Rate) or the UK Post Office Horizon accounting system scandals. Often these cover-ups result in an operational risk event that is far more damaging than it needs to be, sometimes escalating such events into full-blown organisational crises, as in the case of the LIBOR fixing and Horizon scandals. Yet, because of various cultural failings (e.g., over-confidence or a misguided sense of personal loyalty at the expense of others), financial organisations have in the past attempted, and no doubt will attempt again in the future, to hide the truth.

Equally, financial organisations may be an innocent victim of an external crisis event, such as the COVID-19 pandemic or the global financial crisis of 2007-8, but react in ways that worsen the impact. For example, there may be a reluctance to escalate bad news, a denial of the significance of the event, or a tendency to believe that the organisation is better able to cope with an external crisis event than it actually is. Returning to HBOS, the PRA and FCA report into its failure notes that throughout 2007 commercial and international lending volumes exceeded planned levels, especially to new customers, with lending concentrated in property and sub-investment grade customers. The bank also continued to lend large amounts to retail borrowers, including the now infamous self-certification mortgages, which allowed retail mortgage customers to inflate their incomes to help them borrow more.

Risk culture has for some years been an area of focus in the financial services sector and a hot topic for operational risk functions, auditors, risk committees, boards and regulators. However, I wonder how many spend time considering the importance of risk culture in a crisis? Granted, there is plenty of discussion on operational resilience, but few connections are made between this and risk culture. Look at the recent FCA and PRA consultation process on operational resilience[ii]. Reading the various documents, I could find no references to risk culture and only a very few to culture in the original discussion paper. At no point was it explained why culture or risk culture is important from a resilience perspective. It would seem, therefore, that the current focus is on what I would term routine risk culture, meaning measures taken to assess and influence run-of-the-mill (higher probability, lower impact) operational risk events, rather than the much more extreme crisis events that are located in the tail of the operational risk distribution.

Having highlighted a gap in current thinking on crises and risk culture, the least I can now do is suggest some ways in which financial organisations can close this gap. Operational resilience, and crisis management more generally, is about much more than strategies and systems for impact tolerance or scenario analysis. Of course, strategies and tools matter in a crisis, but even more important are the people using these tools and the information they provide to make decisions. Without the right risk culture these people are much more likely to reach the wrong conclusions and make poor or delayed decisions. How then to strengthen the human factor and ensure that people do act appropriately?

One solution is to read my new book: Fundamentals of Operational Risk, published by Kogan Page. In addition to a dedicated chapter on risk culture, the book discusses operational resilience and the importance of combining formal operational risk management tools with informal human/cultural factors. One technique that can help to strengthen the human/cultural side of operational resilience is distributed governance, where staff are empowered to develop bottom-up solutions to operational problems, rather than relying on a slower and less flexible top-down response. I am a strong believer in facilitating grass-roots decision making to strengthen an organisation’s crisis management response. Top-down management can work well in routine situations where strong internal governance and control is necessary to manage compliance and conduct risk. However, the flip side is that staff lose their ability to think and act independently. In a crisis situation it is often those closest to the crisis event that are best placed to make decisions. Rarely are these people the top-level management team.

I accept that there is a delicate balancing act to maintain between routine control and effective decision making in times of crisis. However, I am concerned that the pendulum has swung too far towards top-down control in the financial services sector. Our desire to centralise and systemise key processes (e.g., account management, credit approval, procurement, payments, etc.) means that many staff on the front line are ill-prepared to think for themselves and make decisions on behalf of their organisation. Through the use of things like staff development training, modern employee monitoring technology and supportive, rather than punitive, performance management, greater levels of decision making could be delegated once again, like the bank manager of old, who ran their branch with much greater levels of autonomy, allowing them to adapt to local conditions, something that is essential in a crisis.

Another important cultural factor in times of crisis is the strength of the social network in an organisation. Strong social networks are vital to ensure that information is communicated quickly, honestly and comprehensively. They also build trust, helping to ensure that information is accepted and facilitating rapid, but collegiate, decision making. Again, this can be a challenging area for financial organisations, used to the segregation of duties and routine control-oriented governance frameworks like the three lines of defence. When I worked in operational risk in the banking sector I was frequently located away from other business areas, except compliance, audit and occasionally finance. In some cases, staff outside of the second and third lines were prevented from accessing my workspace for fear of collusion or access to sensitive information. I know some financial organisations where this practice continues even to this day. The problem with such segregation is that it weakens social networks, slowing down decision making in crisis situations. Properly managed, with clear lines of accountability and control, strong social networks need not lead to a collapse in routine governance and internal control.

Finally, I want to talk about the importance of ‘situation-awareness’ (also called situational awareness), a cultural factor that is essential for the successful management of crisis situations. Situation awareness is similar to emotional intelligence. It is about being aware of the world around you, perceiving (beneficial or damaging) change and understanding the bigger picture, i.e., what this change means for your organisation and its stakeholders both now and in the future.

A lack of situation-awareness can prevent organisations from perceiving and reacting to crises in a timely and/or effective fashion. This could manifest in a variety of ways, for example a failure to make proper financial provision for future losses (a claim levelled against HBOS), not purchasing sufficient personal protective equipment before COVID-19 spread out of China, or failing to make proper provision for homeworking to help combat the effects of lockdowns. Rarely in the financial services sector will failures in situation awareness lead to a loss of life; however, the financial and reputational consequences can be considerable. Financial services is now a 24-7 industry. Delayed reactions will not be tolerated, even if the crisis in question is due to external events.

In conclusion, to err is human, to forgive is divine. However well controlled they are, financial organisations will continue to experience large-scale operational risk events and occasionally crises. Sometimes this will be their fault. Often it will be due to non-preventable external events. We can forgive financial organisations for this. What we cannot forgive is where inappropriate risk cultures result in human factor weaknesses that make such events more damaging than they need to be, or prevent financial organisations from learning the lessons of the past. The time has come for financial organisations and their regulators to recognise that resilience in the face of crises is as much to do with risk culture as with having a technically robust crisis management and business continuity strategy. How effective is your risk culture during times of crisis? Are your people situation aware, empowered to make decisions and socially networked rather than divided?