Blog Home Topics Authors

Quantifying risk culture

KPMG UK Blog › Quantifying risk culture

Is it possible?
Daria Ovcharenko, Assistant Manager | Tim Payne, Partner |
Rosanna Ravey, Director | 9 August 2023
6 min read

In the current environment, risk management is more important than ever for
banks. And risk culture is at the heart of effective risk management.

Risk culture is a key part of a bank’s Daria Ovcharenko

"Having the appropriate risk culture is
overall culture and can be defined paramount in ensuring that firms can Assistant Manager,
as the collective set of behaviours identify emerging risks but also People Consulting
minimise the likelihood of any existing
and actions that drive an risks crystallising, in an ever-changing
organisation’s response to operating environment."  Blog articles
identifying, assessing, and Bank of England
managing risk.  Email me

 LinkedIn Profile

Poor risk culture has been cited as the root cause of major conduct failings (Bank
of England Staff Working Paper No. 912). On the flip side, a strong risk culture
plays a crucial role in supporting an organisation’s financial and operational
resilience, can drive good risk decision-making, and reduces the risk of
misconduct and regulatory action. Recent research by the Bank of England has
even shown a direct correlation between good risk behaviours and positive risk
outcomes , which ultimately can improve financial performance and drive good
customer outcomes and support market integrity.

Tim Payne
"If culture is so crucial, then it needs to The question then becomes, how do
be managed. If it needs to be managed you know if you have a ”good risk Partner, People
then it needs to be measured." culture”? Organisations have always Consulting, Financial
Financial Conduct Authority struggled to quantify a ‘soft’ concept Services
like risk culture. However, measuring
it is beneficial, as it helps expose any  Blog articles
warning signs and identify where  Email me
issues may lie.
 LinkedIn Profile
 By proactively identifying weaknesses, banks can take action to transform their  KPMG Profile
culture. Regulators are also increasingly expressing interest in this area. For
example, the Australian Prudential Regulation Authority (APRA) has defined an
approach to assessing risk culture and set regulatory expectations.

What are some of the things to get right when setting up an approach to
assessing risk culture? We’d like to share some of our observations from working
with a range of banks in defining their risk culture assessment approaches.

1. Align your cultural agendas

Rosanna Ravey
To ensure a cohesive view of risk culture, align the cultural agendas led by HR, Director, People
Risk, Compliance, and Audit. Your risk culture definition should be consistent Consulting
with the firmwide culture and strategy. Risk culture is not something separate or
standalone, it should be seen as a component part of overall organisational  Blog articles
culture. How can you achieve this? Have consistent behavioural frameworks,
data points, and assessment approaches across departments. In our experience,  Email me
data points from Compliance and HR dashboards can be identified and used in a  LinkedIn Profile
risk culture assessment. The outputs of these assessments were then integrated
into overall HR cultural plans. Findings from risk culture assessments can also
serve as artifacts in culture audits. This coordination and consistency minimises
duplication of efforts. Refer to figure 1 to understand how we see the  Tags:
coordination between HR, Risk, Compliance, and Audit.
Banking

Business
performance

People and
Change

Risk Management

United Kingdom
Figure 1. Connections between Risk, HR, Compliance and Audit culture
related activities

Ownership of risk culture should also be clearly established within the

organisation. While the first line of defense has ultimate ownership of the bank's
culture (including risk); centralised ownership for its assessment should be
defined. Based on our observations across the financial services industry, this
responsibility can sit with enterprise risk management, COO functions, or HR.

2. Use unobtrusive indicators

Most banks use self-report methods (employee surveys and interviews) to

measure risk culture. However, we have observed a clear trend toward collecting
more unobtrusive metrics.

Unobtrusive indicators measure culture by collecting data without directly

involving employees (Bank of England Staff Working Paper No. 912). For
instance, metrics related to the timeliness of escalations, the number and size of
unauthorized limit breaches, a reduction in the impact and/or likelihood of risk
events occurring post remediation are all examples of metrics we have seen
monitored over time.

Why are unobtrusive metrics so beneficial? Employee surveys can be biased.

Employees tend to respond favorably to surveys. They also perceive their own
cultural context as normal, even if it leads to poor conduct outcomes, making it
difficult to identify weaknesses. Using unobtrusive indicators also reduces
resource burden (which is true especially for qualitative methods) and provides a
real-time view of risk culture.

While self-report methods have biases, so do all assessment approaches. Instead

of replacing self-report methods entirely, we suggest complementing them with
unobtrusive data. Identify data points that map to your risk culture definition –
they may already exist in your Conduct and HR dashboards.

3. Move from reporting into action

A common challenge we are seeing in the banking sector is the focus of attention
solely on the assessment and reporting of risk culture. Instead of being
consumed by manual data collection and analysis, banks should focus on using
the assessment outputs to identify behavioral interventions. Make sure to feed
these into your overall HR culture plans.

To create meaningful and lasting changes in risk culture, leaders can concentrate
on behavioral interventions. Let's explore a few behavioural interventions in
relation to 'safety to speak up.' For instance, a communications campaign may
effectively raise awareness of escalation channels, while a leadership
development programme can effectively build the necessary psychological safety
for individuals to feel safe to speak up.

However, sometimes behavioral interventions alone won't be enough. Changing

organisational systems and processes will be necessary. In our ‘speaking up’
example, implementing an anonymous escalation system can create a safe
environment for employees to speak up without fear of retaliation. You should
strike a balance between interventions that have the most impact and those that
are more achievable in the short term.

Measuring the impact of interventions is crucial. Running regular risk culture

assessments help identify trends and evaluate the effectiveness of behavioral
change initiatives. If the interventions are not ‘turning up the dial’ on your risk
culture, it is necessary to make appropriate adjustments.

Conclusions and next steps

To establish and maintain a robust risk culture, it is crucial to take proactive

measures. Risk culture assessments can help identify issues and prioritise areas
which require intervention.

There is no ‘one size fits all’ in terms of measuring and assessing risk culture. It
will vary based on the analytics capability, size and global reach of the
organisation. However, to ensure that you are staying ahead of regulatory
requirements, you can:
1. Define what risk culture means for your organisation, making sure your
definition is aligned to existing cultural agendas;
2. Establish an identification and assessment methodology, leveraging existing
culture assessment practices within your organisation and unobtrusive data
points;
3. Move your attention from assessment into action.

Stay tuned for more updates on quantifying risk culture. In our next issue, we will
share an insight into what leading institutions are focussing on and some of their
challenges in setting up approaches to risk culture assessment.

How can KPMG support?

If you would like to connect with one of our experts to discuss the topic of risk
culture further, please do reach out to us. We are here to help.

Related Insights

Risk transformation People consulting

Turn risks into opportunities by KPMG’s people consulting

preparing for the future now. services help you transform
your workforce, learning and HR
functions for a better tomorrow.

Interesting

Related posts

9 November | 1 min 2 February | 4 min 2 February | 4 min

2023 read 2024 read 2024 read

Assessing risk culture: 2024 - what’s on the A summary of the

Insights from the... horizon for founders... Labour Party’s plan...

Risk Culture Part 2 The trends to watch in 2024

 A continuation of innovation
and improvement, with a
focus on plugging gaps


Legal Privacy
Accessibility Sitemap
Help Glossary
Modern Slavery Statement Contact
Offices Suppliers
Whistle-blowing / Speaking Up Media
Latest press releases Alumni
Advisory Audit
Consulting ESG

© 2024 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms
affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organisation please visit https://kpmg.com/governance.