The culture inside a bank has received renewed discussion in various forums over the course of the last year. The regulators are now moving from crisis and reaction to root cause analysis of the financial crisis. Regulators have expressed concern that despite the array of new rules, guidance, and enforcement actions brought in the wake of the financial crisis and the Dodd-Frank Act, banks just seem to keep turning up problems. Fair or not, and whether you think that this concern is really attributable to the largest financial institutions, the regulators’ signals merit attention for any bank.
Bank regulators, notably the Federal Reserve and the Office of the Comptroller of the Currency (OCC), have contrasted two broad categories of banks: those that adopt an approach of mere compliance with regulation, where compliance concerns are background noise to be silenced; and those that embrace risk management and compliance programs as an important part of cultural norms. The signal from the regulators is that they look for, and can sense, whether the bank is in one or the other of these camps. Supervisory judgment calls are informed by those perceptions.
What is culture? William Dudley, president of the New York Fed, recently stated: “Like a gentle breeze, culture may be hard to see, but you can feel it.” Culture is the norms of behavior that drive the business, including ethical standards above and beyond the rules. This is attributable to the tone at the top set by directors and top executives, but it is manifested (or not) in behaviors throughout the organization. What incentives (compensation and otherwise) drive what kinds of performance throughout the organization? To what degree do risk management concerns get air time alongside financial performance in the board room? Do the board and senior management discuss risk management and compliance in terms of “regulatory burden?” Worse, do you talk openly about your talented risk and compliance staff as a “burden” weighing on the bottom line?
Increasingly, bank supervisors are beginning to mandate cultural norms. Internationally, the Basel Committee on Banking Supervision has set forth corporate governance principles to assess whether a bank’s board and senior management perform their risk governance responsibilities and establish an appropriate organizational risk culture. The OCC’s heightened expectations for enterprise risk management by the largest banks have emphasized the need for a board to provide what’s known as an “effective challenge” of management, and this has become the gold standard for all banks. The OCC has had open debate with the industry over whether directors must “ensure” rather than only “validate” the effectiveness of a risk management and compliance program. All of the regulators, including the Consumer Financial Protection Bureau, have sent strong signals in the form of enforcement actions, guidance and examination messages.
A key cultural norm is how the bank thinks of its customers. Thomas Watson, legendary leader of IBM, famously said: “The essence of trust building is to emphasize the similarities between you and the customer.” Does your bank consider borrowers as counterparties in a contract, or customers for whom the bank has a shared (fiduciary-like) interest in their success?
Moreover, once a strategic decision is made by the top leaders of the organization, does the company do a good job of challenging the decision when evidence arises that it was wrong-headed, or does the company suffer from confirmation bias, collectively seeking only the evidence that justifies the strategy? Institutional groupthink can result in hidden problems for a bank, whether they are credit concerns, compliance concerns, or lost market opportunities, for example. Does the organization value diverse views that can positively challenge norms?
Examiners assess culture by looking for patterns of behavior, rather than individual instances, just as they focus less on specific loans than on concentrations of credit risk. Distinctions between policies and actual behavior are measurable; exceptions to policy are measurable; meaningfully reviewable management reports should allow detection of patterns. In this sense, examiners and directors are aligned and can be complementary to each other.
Undoubtedly, the audit of risk management or compliance culture is subjective. Are we on the verge of bank supervisors becoming culture police? There is a real concern that supervisors could also suffer from confirmation bias and thereby feed a concentration of cultural norms and fail to appreciate the idiosyncratic nature of institutions and the value of their diversity. Nevertheless, it behooves all boards of directors to look inward and take heed of the bank regulators’ messaging about culture.