written by Josh Beaird
The culture at Wells Fargo Bank has received a lot of attention in the press since the fake accounts scandal broke in 2016. The press has heavily reported the details of how bank employees opened fraudulent customer accounts, due largely to intense pressure they felt to meet aggressive sales goals.
This scandal highlights an issue that all banks, regardless of size, should make a top priority: Cultivating the appropriate risk culture within the bank.
Risk Appetite + Risk Tolerance = Risk Culture
Risk culture is derived from a bank’s risk appetite and risk tolerance. A disconnect in this risk continuum can cause problems, as happened at Wells Fargo and among many subprime lenders before the financial crisis.
Banks often think of risk within the context of credit risk. However, risk should be viewed from a much broader perspective, including liquidity, market, compliance operations, and reputational risk. Furthermore, the COSO Internal Control – Integrated Framework starts with the Control Environment, which includes demonstrating a commitment to integrity and ethical values, proper oversight by the board of directors, and appropriately designed structures, reporting lines and responsibilities in the pursuit of organizational objectives.
A good place to start is by drafting a risk appetite statement, similar to your organization’s mission statement. This is a formal document that forms the foundation of your bank’s risk management program. It should be closely integrated with your bank’s overall strategy and clearly communicated to all bank employees, enlightening them to their role in risk management and organizational success.
Regulators expect banks to draft a formal risk appetite statement that spells out their level of risk tolerance. Specifically, Enhancements to the Basel II Framework states that “it is the responsibility of the board of directors and senior management to define the institution’s risk appetite and to ensure that the bank’s risk management framework includes detailed policies that set specific firm-wide prudential limits on the bank’s activities which are consistent with its risk-taking appetite and capacity.”
Culture Above All
Your risk appetite statement will help you develop risk assessments, establish control activities, enhance communication, and implement monitoring activities designed to manage risk within your defined parameters. If your risk appetite and risk tolerance don’t translate into a sound risk culture, all your efforts could be for naught — because culture usually trumps everything else.
For example, if a bank’s risk culture encourages cutting corners to boost new account openings and sales, employees will likely find ways around policies, procedures and controls to accomplish this. Boards and Executive Officers also need to be aware of powerful managers who can create subcultures that are out of line with accepted bank practices.
The Financial Accounting Standards Board (FASB) has specified several different indicators of a sound risk culture, including the following:
• It starts at the top with bank management and the board of directors and flows down from there.
• Employees are held accountable for understanding the risk culture and how their actions impact it.
• Challenges and feedback to the risk culture are welcome and encouraged from employees at all levels.
• Employees are incented financially for exhibiting desired risk behaviors.
• The risk culture message is continually reinforced, as are policy and portfolio limits designed to manage line of business growth prudently.
What did your mother tell you?
As you strive to create the right kind of risk culture within your bank, try to remember the “do right” rule. Does your risk culture encourage and incentivize employees to do the right thing for stakeholders every time? Stakeholders include your customers, community, shareholders, vendors and other employees.
The “do right” rule should lie at the heart of how your bank conducts business. Make it the foundation of your risk culture as well.
Give us a call if you’d like to discuss cultivating the appropriate risk culture at your bank 417-881-0145.