From Macquarie City Campus, you can see clear through the financial centres of Sydney to the Opera House. From the reception, a crane can be seen next to a few office buildings, indicating the undertaking of a work-in-progress.
The understanding of risk culture and conduct risk is another such work-in-progress.
Understanding risk culture in financial institutions is critical and a focus for Elizabeth Sheedy, Associate Professor at Macquarie Applied Finance Centre.
Sheedy’s interest in risk started with the quantitative angle. However, in the mid-90s, evaluating risk was still something new. Nonetheless, it was something that caught her attention.
“In fact, I did my Ph.D. looking at some of the newer quantitative methods for assessing risk, and for a long, while that fascinated me,” Sheedy explained.
Yet something was missing. Over time, Sheedy realised that it was the human element of risk management that captured her interest.
Her role as an educator has helped facilitate this. In her program—the Masters in Applied Finance—there is a compulsory unit called financial risk management.
“We do quite a lot of case study work, and the more I taught cases, the more it became obvious to me that the real risk management problems were not technical,” Sheedy said.
“Particularly after the GFC, I think it caused everybody who is interested in risk to really re-evaluate our approach to risk management and to become passionate about exploring this human dimension. So, I think there was growing interest in this element of risk culture going back to 2012.”
At the time, there was no real way to measure risk culture at the human level; there was, however, a growing interest in the space, and Sheedy saw the opportunity to make a major contribution.
Organisations don’t quite get risk culture yet
According to Sheedy, there is lot more understanding than there was when discussions first started. Yet there is, however, still a lot of confusion about what it all means and about what financial institutions need to do.
“I think one of the issues I see is that people still confuse culture with the underlying risk management structures,” she explained. “This applies particularly when we think about some of the risk policies, risk training programs, governance structures, remuneration structures. All those things are important, but they are not the same thing as culture.”
She added that there is also confusion between risk culture and behaviour. For Sheedy, behaviour is the manifestation of the underlying cultural values of an organisation.
Perception is key
The question of establishing risk culture within an organisation is one that centres around establishing the perception that risk management is taken seriously. That everyone has an important role to play in that process.
One issue inherent here, however, is that few in business have a formal background in psychology. Without this grounding, there is a risk of organisations setting up structures to combat risk that act on a very superficial understanding of culture.
This leads on to Sheedy’s concerns surrounding what she defines as ‘poor practices’ when it comes to the measurement of risk culture. If culture is about perceptions, then she believes that there must be a way of measuring those perceptions accurately.
“It’s a perception about ‘what does this organisation really value?’” Sheedy said. “These days, all financial institutions will espouse a commitment to risk management, but employees will begin to try to figure out how serious it really is.”
Thus, if there is a sense that policies are not meant to be lived or have been set up just for the benefit of the regulator, then they will likely be ignored.
“The research that we have done is grounded heavily in the literature about safety culture, and all the research in that area suggests that it is the perceptions about the importance of the policies that drive behaviour.”
The role of regulators in culture
Regulators have a crucial role to play but if risk management is done just to satisfy regulatory requirements, that suggests that a true risk culture does not exist. It's only when the organisation is committed to risk management for its own sake that a true risk culture can be said to exist. The problem with a regulatory-driven approach to risk culture, for Sheedy, is that it is not about risk culture at all and instead tends to break down into a box-ticking exercise.
“It concerns me when people are so reliant on the regulators to tell them how to run their business.”
Despite her reservations about culture being driven by regulators, Sheedy is quite hopeful that the Australian Prudential Regulation Authority’s (APRA) role in the Banking Executive Accountability Regime will have an impact on organisations.
“It’s one of the initiatives that seem to be most potentially useful, but again it’s something that we have no current research on.”
What Sheedy would like to see is some careful analyses conducted on how this regulation would impact business.
What happens after the cultural perception is identified?
Of course, the problems don’t stop after the risk culture has been assessed. For Sheedy, however, it then becomes a question of how organisations can change their culture.
“Many consultants out there claim they have the solution, but there is never any rigorous evidence.”
Sheedy is looking forward to doing a lot more research in this area because, to date, there has not been a concrete answer on how solutions can be sought and implemented in an effective and sustainable manner.
Looking beyond risk culture and considering the concept of organisational change generally, Sheedy said that 80 per cent of change programs fail. This represents money being wasted in these change programs, yet there has been no great move by consultants of such programs to discover what works. What this means is that independent assessments need to be conducted on whether these change programs are effective.
Some quick tips on changing the culture in your organisation:
Assess culture with a valid scale.
When changes are being made, ensure you have a treatment group and a control group to see if the change has been effective.
Risks culture assessments should not be part of employee engagement surveys and must be anonymous.