1. Risk culture

2. 3 Risk culture

3. 1Risk culture
Concerns about risk culture have arisen from the risk taking pre crisis and even more
from the disclosures of conduct failures globally. This has led to a focus from boards
and regulators on how to ensure that culture is appropriate.
The enhanced regulatory focus is underlined by papers from the Financial Stability
Board and by changes in approach of many individual regulators including both the PRA
and FCA in the UK, and the OCC in the US.
►► This is reflected in a focus on a range of areas including tone from the top, approach
to conduct issues and customers, quality of risk controls, embedding of risk appetite,
true accountability of the front office and HR policies and incentives
►► Banks and insurers can expect questions about culture and improvement enablers
as part of the usual supervisory process
►► Boards and senior management of financial institutions are expected to hold
all levels of the organization accountable for their behavior and to monitor
ongoing behavior
►► Boards are now asking whether management are fostering a sound risk culture
which supports their strategic thinking, specifically asking:
►► “What behaviors do we want to see exhibited in the institution?”
►► “How do we find out what the institutions’ risk culture is like today?”
►► “How do we move risk culture to where we want it to be?”
►► “Once we have attained the desired risk culture, how will it be sustained?”
While progress has been made by many financial institutions, embedding risk culture
throughout the institution will remain a key challenge for many years to
come — cultural change does not happen overnight.
Why now?

4. 2 Risk culture
Frequent errors in risk culture
improvement programs
►► Believing there is only one “correct” answer
►► Failure to sufficiently understand impact of variances
in national cultures
►► Time lost contemplating in the abstract. This results
in scope and concentration “drift”
►► Overlooking the power of “tone from the middle”
►► Not recognizing the connectivity between risk culture
and related organizational initiatives — e.g., risk appetite,
consequence management, control embeddedness.
What are the key
questions you should be
asking yourself?
Financial institutions face three simple questions when addressing
risk culture:
►► What is our risk culture?
►► How do we assess risk culture?
►► What are we doing to sustain and/or change our risk culture?
Addressing the key questions
Firms should consider the following actions …
►► Understand emerging regulatory expectations
►► Define the institution’s framework for risk culture with risk
appetite and governance as its foundations
►► Define what a sound risk culture means for the institution
►► Determine how culture is supported and enabled by existing
risk frameworks (e.g., embedding risk appetite), human
resources (e.g., performance management) and operating
model (e.g., delegation of authority) activities within the firm
►► Clearly define roles and responsibilities across the institution,
e.g., the three lines of defence model
►► Conduct an “as-is” analysis to highlight the “good” elements
of the firm’s risk culture and identify the “vulnerable” areas
►► Develop an action plan to remediate the vulnerable areas
and monitor culture on an on-going basis to show progress
►► Develop a clear, consistent and sustainable approach
to monitoring and assessing behaviors going forward
►► Report to Management and the Board for improvement
endorsements.

5. 3Risk culture
Reasons firms engage in risk
culture initiatives
►► Recognise the contribution of attitudes and behaviors towards
risk outcomes
►► Develop tangible fact-based evidence from which to prioritize
and assess differential investments
►► Establish an internal reference point for longitudinal
comparison across time, geographies and business units
►► Facilitate smoother regulatory engagements
►► Meet Board’s expectations to define and evidence risk culture
►► Contribute to a defendable position being established.
Our EY approach
We can help clients in building a sustainable end-to-
end risk culture program, incorporating behavioral
framework development, assessment, prioritization and
implementation of cultural change initiatives, and the
development of ongoing monitoring/assurance programs
for sustainability. We recognize that our clients may have
differing degrees of maturity on their culture programs.
We can assess their program, build their program or assist
in part of their program.
We have developed a suite of frameworks and tools to
assess, build and deliver culture frameworks.
Features of our approach
►► We believe that risk culture should be viewed from
a number of angles and effective review needs to take
into account HR aspects as well as risk governance,
tone from the top, accountability and other elements
►► We will provide a team with all the requisite skills to assess
all these elements and the experience to organize a
targeted interview approach to substitute or complement
wider surveys/assessments
►► Our framework is our starting point — we work with our
clients to tailor this to their specific organization and
needs, we can deploy a range of assessment approaches
to suit clients’ needs, leaving a bespoke framework,
repeatable process and skills to facilitate future
assessment of risk culture over time
►► Our assessment is focused on reviewing and
assessing three elements of each mechanism design,
execution, outcome
►► We build upon existing, available data and information
without “boiling the ocean”
►► We can tailor a survey which can be quickly and
cost-efficiently rolled out to parts of, or the whole
of an organization
►► We leverage and synthesize a firm’s existing risk culture
data into a framework for a phased assessment
►► Our approach is designed to be a robust, repeatable
process which is based on both quantitative and qualitative
analysis reducing bias and subjectivity
►► The outputs of our work are designed to be applicable
and usable for different audiences such as Board,
executive, shareholders and regulators
►► We truncate time frames and scale investment because
our assessment is risk based
►► The assessment is only one element of a risk culture
program. We can undertake an end-to-end program,
define risk culture, build a behavioral-based framework,
assess, develop and implement prioritized initiatives
to change behaviors and develop sustainable, ongoing
monitoring/assurance programs
►► We can also help you to move on from assessment
to effective change of culture by harnessing our wide
experience of different programs to ensure an approach
which will deliver results.

6. 4 Risk culture
Considerations for strengthening risk culture: embedding
a risk culture program
Financial institutions should consider the steps below to strengthen and sustain a sound risk culture. Indicators should be defined to
allow for assessment, benchmarking, reporting and on-going monitoring. Regular assessments along with a related monitoring and
assurance process would help identify and prioritize areas where changes to risk behaviors are required.
Define and assess risk culture Strengthen and sustain risk culture
1 2 3 4Framework definition Change initiatives
On-going monitoring/
assurance
Assessment
►► Define objectives
of framework
►► Define risk values and
related risk behaviors
►► Identify mechanisms
which influence risk
behaviors
►► Define risk culture roles
and responsibilities across
the three lines
of defence
►► Alignment of risk values
with day to day behaviors
►► Mechanism framework
identifying the areas of
impact on risk culture
►► Defined roles and
responsibilities for risk
culture
►► Identification and
prioritization of key
initiatives to change
culture:
►► Organizational
e.g., TOM, governance
arrangements, 3LoD,
control framework
►► Risk e.g., risk appetite,
risk information,
stress testing
►► HR e.g., incentive
programs,
performance
management,
leadership
►► Operations e.g., IT,
operating model
►► Practical and prioritized
initiatives to drive the
greatest impact to change
risk culture, linking in with
wider initiatives such as
Conduct Risk, Governance,
Behavior Economics,
Reward
►► Conduct fieldwork and
analysis e.g.,:
►► Survey based approach
including leadership
perceptions
►► Process based
approaches (qualitative
and quantitative)
►► Customer experience
approaches
►► Benchmarking and
reporting
►► Robust analysis of the
“as is” risk culture through
mechanism assessments
►► Provides clear evidence of
“as is” culture
►► Early identification of
culture “hot spots” across
the business through
identifying undesirable risk
culture outcomes
►► Risk culture indicators for
ongoing monitoring
►► Triggers for action
►► On-going risk
culture assessment,
benchmarking and
reporting
►► Tracking risk culture
change
►► Audit of risk and control
culture, e.g., within each
audit, targeted audits
of high-risk areas
►► Ongoing monitoring
tools to monitor progress
independently
►► Sustainable assurance
methodology

7. 5Risk culture
Our market
leading expertise
►► We have experience in delivery of culture projects and
subsequent change projects
►► Working on behalf of IFRI, we developed a market leading
paper on risk culture practices. We combined our insights
of industry practices on risk culture with the 27 Global
CRO IFRI members, presenting our report in New York
in May 2014
►► We have surveyed the industry to understand challenges
and actions taken
►► Extensive information on progress and approach in 50
or more major international banks from our EY/IIF Risk
Governance surveys
►► Close working relationships with regulators across
regions
►► Sought input from academics on methodology
►► Provided input on the new IIA code in the UK
►► A member of the group who wrote the FSB paper
recently joined EY
►► We are working closely with Tapestry Networks on risk
culture initiatives, e.g., how to demonstrate, assess and
instil a strong risk culture
►► 2013/14 initiative with the Bank Governance
Leadership Network
►► One-to-one discussions with CROs of the top 15–20
global banks
►► Roundtables with CROs and NEDs (New York, London)
►► We have an established global risk culture working team
►► We have developed our risk culture solutions,
leveraging cross-service line skills and experience
across EY
►► We have joined up our client offerings across wider
propositions such as risk appetite, conduct risk,
behavioral economics, corporate ethics, etc.
Key UK contacts
Clive Martin
T: + 44 20 7951 1850
E: cmartin1@uk.ey.com
Patricia Jackson
T: + 44 20 7951 7564
E: pjackson@uk.ey.com
Gayle Sparkes
T: + 44 20 7951 9704
E: gsparkes@uk.ey.com
Neal Writer
T: + 44 20 795 17028
E: nwriter@uk.ey.com
Stuart Steele
T: + 44 (0) 207 9518 405
E: ssteele1@uk.ey.com
Vishal Khosla
T: + 44 207 951 5402
E: vkhosla@uk.ey.com
Andrew Deveney
T: + 44 207 197 9313
E: adeveney@uk.ey.com

8. EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of
our stakeholders. In so doing, we play a critical role in building a better
working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of
the member firms of Ernst & Young Global Limited, each of which is a
separate legal entity. Ernst & Young Global Limited, a UK company limited
by guarantee, does not provide services to clients. For more information
about our organization, please visit ey.com.
© 2014 EYGM Limited.
All Rights Reserved.
EYG No. XX0000
1488310.indd (UK) 09/14. Artwork by Creative Services Group Design.
ED None
In line with EY’s commitment to minimize its impact on the environment, this document
has been printed on paper with a high recycled content.
This material has been prepared for general informational purposes only and is not intended to
be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for
specific advice.
ey.com