Risk Culture: Measuring the Qualitative

4th November 2015

Jane Walshe, Head of Compliance Curriculum, Moody’s Analytics & Director, Compass Compliance

Agenda

» What do regulators mean when they talk about ‘culture’?

» Risk Culture: good and bad

» Identification, measurement and mitigation

What is Culture?

What do regulators mean when they talk about “culture”?

» The global drive towards good conduct

» Fair customer outcomes

» Market integrity

Tone from the top

A firm's leadership should promote, monitor and assess risk culture, consider its impact on safety and soundness and make changes where necessary. Board and senior management should make clear that staff are expected to act with integrity; non-compliance within or outside the organization should be promptly escalated.

Accountability

Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution's risk-taking behavior. Staff acceptance of risk-related goals and related values is essential.

Effective communication and challenge

A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement.

Incentives

Performance and talent management encourage and reinforce maintenance of the financial institution's desired risk management behavior. Financial and non-financial incentives support the core values and risk culture at all levels of the institution.

Financial Stability Board

Conduct Regulation

'the lessons of the last few years illustrate clearly that firms need to take proactive steps to improve conduct. Without a firm foundation in identifying the conduct risks inherent in your businesses, it will be hard to manage conduct, let alone show us and others that it is being managed.

We know that most firms now understand the value in getting it right and not simply the cost of getting it wrong, and the benefit of good conduct in terms of building customer trust and analyst confidence. However, there is a long way to go, and it will not happen by regulatory osmosis. Firms and individuals need to take responsibility for their own actions.'

Tracy McDermott, acting CEO of the FCA, July 2015, Wholesale Conduct Risk

5 Conduct Questions for Firms

1. How are the conduct risks inherent within the business identified?

2. Who is responsible for managing the conduct of the business?

3. What support mechanisms does the business have to enable people to improve the conduct of their business or function?

4. How do the board and executive committees gain oversight of the conduct of the organisation?

5. Finally, do firms have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions?

Tracy McDermott, July 2015

How the FCA Assesses Conduct

» Having a culture which puts customers and market integrity at the heart of the firm's business is an important component of conduct risk.

» No specific definition: the FCA said it will be assessed by "joining the dots" – looking at:

» how a firm responds to, and deals with, regulatory issues;

» what customers are actually experiencing when they buy a product or service from front-line staff;

» how a firm runs its product approval process and what factors it takes into account;

» the manner in which decisions are made or escalated;

» the behaviour of that firm in certain markets; and even

» the remuneration structures.

Evaluating a Firm’s Risk Culture

» Is there a conduct risk management culture at all levels of the business?

» Are there clear reporting lines?

» Do managers feel they can raise risk-related issues?

» Do staff feel that they can raise risk related issues?

» Are managers’ ideas supported?

» Do they feel that concerns raised will be considered and/or acted upon?

» Are staff comfortable questioning existing practices and suggesting more effective ways of doing things?

» Are managers authorized to identify opportunities that reinforce, and issues that destabilize, their risk appetite?

» Do existing monitoring and reporting systems ensure that action will be taken when issues are raised?

» Can the board demonstrate an effective “tone at the top”?

» Is conduct risk management part of the established way of planning and executing departmental activities?

Warning Signs on Risk Control & Culture I

Effectiveness of the Risk Management and Internal Control System

» Managers who might not see the need for the more formal processes that the board needs if its oversight is to be effective

» Unclear lines of accountability

» Defective internal communication flows

» Mechanical and static processes

» Organizational complexity

» Risks associated with major transactions or projects not adequately assessed or discussed at board level

Warning Signs on Risk Control & Culture II

The Right Culture

» A culture where people are reluctant to admit mistakes and do not welcome challenge

» Failure to communicate a consistent attitude to risk and mitigation

» Inability to assess if employees are listening to or understanding what the board is saying

» Senior management does not give a clear lead on risk management nor visibly support the risk and internal audit functions

» Misaligned incentives that encourage either inappropriate risk-taking or excessive risk aversion

» Risk managers and internal auditors are prevented from addressing risks emanating from the upper echelons of the company

» An inability to stop bad projects once they have gathered momentum

» Significant regulatory problems

Warning Signs on Risk Control & Culture III

Effectiveness of the Board and Committees

» Insufficient breadth of experience and expertise in the board or board committee

» Delegating too much responsibility to board committees so that some directors are not involved

» Lack of clarity about which board committee is responsible for ensuring reward schemes reflect the company’s approach to risk

» Non-executive directors are not getting out and about enough to really understand the business and its people

» Board papers and processes that cause time to be used unproductively

» A lack of understanding of the risks inherent in the company’s business model

Three Lines of Defence to Address IT Risk – Failings

Weaknesses in communication between all three lines.

FIRST LINE: Technology Services Risk

» Role: responsible for identifying and managing IT risk across the Banks. Challenged by

» Failed to: devote sufficient time and attention to specific risk management activity, instead reporting risk upward to obtain “sign-off” instead of understanding and managing IT risk

» Poor culture in practice: had a culture of reacting to events, and a team with insufficient experience and skills; did not take the initiative to identify risks, instead reacting and responding to incidents

SECOND LINE: Business Services Risk

» Role: responsible for challenging the First Line

» Failed to: appropriately challenge the completeness and depth of the First Line of Defence’s coverage of IT risk

» Poor culture in practice: had limited IT skills; did not focus enough on understanding IT risk, instead focusing too much on systems and processes; did not understand the breadth and depth of its work because it concentrated on collating and reporting of risk information

THIRD LINE: Group Internal Audit

» Role: independent assessment and review of IT risks, including IT infrastructure and systems risks

» Failed to: explain its different view of IT risk to the First and Second Lines of Defence

» Poor culture in practice: did not explain in its final audit report that it had lacked the documentation it needed to test fully the controls for backing out the batch scheduler software; did not close IT audit issues in a timely fashion, instead bringing forward incomplete IT audit plans from previous years

Tone from the Top, Middle and Bottom

“Ultimately this is also about creating what we sometimes call a culture of appropriate escalation, where people can speak up when they observe poor behaviour or are unsure about what to do. Too often people are unwilling to do this, or are penalised if they do.”

Tracy McDermott, July 2015

Tone from the Top, Middle and Bottom

“is for the boards of banks to take responsibility for how the business delivers within this regulatory framework.

And it is, more subtly, the responsibility of the board to influence the culture of the whole business – the famous "tone from the top" - AND to take responsibility for making sure that this is both understood and acted on in all parts of the business, from the committed top, through the middle and right across the front line.

Moving from "tone at the top" through "action in the middle".

By the middle, I mean those hard to reach parts, which are found in any business, not just banking, where messages get lost, communication falters, and "tone from the top" can seem utterly remote from what people are actually doing.”

BSB chair Dame Colette Bowe, June 2015

© 2015 Moody’s Analytics, Inc. and/or its licensors and affiliates (collectively, “MOODY’S”). All rights reserved.

ALL INFORMATION CONTAINED HEREIN IS PROTECTED BY LAW, INCLUDING BUT NOT LIMITED TO, COPYRIGHT LAW, AND NONE OF SUCH INFORMATION MAY BE COPIED OR OTHERWISE REPRODUCED, REPACKAGED, FURTHER TRANSMITTED, TRANSFERRED, DISSEMINATED, REDISTRIBUTED OR RESOLD, OR STORED FOR SUBSEQUENT USE FOR ANY SUCH PURPOSE, IN WHOLE OR IN PART, IN ANY FORM OR MANNER OR BY ANY MEANS WHATSOEVER, BY ANY PERSON WITHOUT MOODY’S PRIOR WRITTEN CONSENT.

All information contained herein is obtained by MOODY’S from sources believed by it to be accurate and reliable. Because of the possibility of human or mechanical error as well as other factors, however, all information contained herein is provided “AS IS” without warranty of any kind. Under no circumstances shall MOODY’S have any liability to any person or entity for (a) any loss or damage in whole or in part caused by, resulting from, or relating to, any error (negligent or otherwise) or other circumstance or contingency within or outside the control of MOODY’S or any of its directors, officers, employees or agents in connection with the procurement, collection, compilation, analysis, interpretation, communication, publication or delivery of any such information, or (b) any direct, indirect, special, consequential, compensatory or incidental damages whatsoever (including without limitation, lost profits), even if MOODY’S is advised in advance of the possibility of such damages, resulting from the use of or inability to use, any such information. The ratings, financial reporting analysis, projections, and other observations, if any, constituting part of the information contained herein are, and must be construed solely as, statements of opinion and not statements of fact or recommendations to purchase, sell or hold any securities.

NO WARRANTY, EXPRESS OR IMPLIED, AS TO THE ACCURACY, TIMELINESS, COMPLETENESS, MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OF ANY SUCH RATING OR OTHER OPINION OR INFORMATION IS GIVEN OR MADE BY MOODY’S IN ANY FORM OR MANNER WHATSOEVER.

Each rating or other opinion must be weighed solely as one factor in any investment decision made by or on behalf of any user of the information contained herein, and each such user must accordingly make its own study and evaluation of each security and of each issuer and guarantor of, and each provider of credit support for, each security that it may consider purchasing, holding, or selling.

Any publication into Australia of this document is pursuant to the Australian Financial Services License of Moody’s Analytics Australia Pty Ltd ABN 94 105 136 972 AFSL 383569. This document is intended to be provided only to “wholesale clients” within the meaning of section 761G of the Corporations Act 2001. By continuing to access this document from within Australia, you represent to MOODY’S that you are, or are accessing the document as a representative of, a “wholesale client” and that neither you nor the entity you represent will directly or indirectly disseminate this document or its contents to “retail clients” within the meaning of section 761G of the Corporations Act 2001.
