Your InFinance Publication

FINSIA’s InFinance keeps you up-to-date and in-the-know. 

Risk culture gaps identified: Macquarie University

by Robin Christie | 02 Dec 2014

New research suggests that, while most financial institutions’ business units have a perception of risk culture, their interpretation of the rules of engagement may be causing more harm than good.

Elizabeth Sheedy, financial risk expert at Macquarie Applied Finance Centre and Macquarie University’s Faculty of Business and Economics, explained that 95 per cent of the three major banks' 113 business units that her team has examined had some form of risk culture.

However, when it came to scoring the risk culture of each unit, the Macquarie University Risk Culture Scale found revealed a variance in scores between business units within each bank — even among those units that are in the same business line.

This suggests risk culture is a quality of local business units, rather than something that filters down from the top level of the organisation.

"What tends to happen with risk management is that you've got certain risks that are very well known and pretty well understood," said Sheedy. "For banks that would be things like credit risk and market risk, and with those risks there's lots of data and we can do a tonne of analysis, and it's pretty easy to understand."

However, she explained that banks tend to get caught out in managing some of the more subtle, less obvious, risks. These tend to be operational in nature, such as misconduct, reputational risk, and miss-selling or fiduciary risk.

Strong risk culture needed

With most financial services organisations having to rely to a large extent on their staff to identify these risks, Sheedy said that this process will only work effectively if there's a strong risk culture.

Risk isn't necessarily a bad thing, she explained. It's part of being in business and it simply isn't feasible to eliminate all risks. "But you don't want to be taking risks in ignorance."

"Having a strong risk culture is a way of making sure that banks, and any financial institutions don't get caught out unawares," she added.

Sheedy's research has found that risk cultures are categorised by several key components. These include being proactive — making sure that risk issues and events are proactively identified and addressed. Naturally, business units will want to have a high score on this front, and conversely they'd do well to avoid scoring highly for avoidance — risk issues and policy breaches getting ignored, downplayed or excused.

"One of the most important lessons we've learned from the research so far is that the senior leaders tend to have quite a rosy view of culture compared to the rest of the staff. In other words they think they're more proactive and less avoidance," she said. "Probably the reason for that is that a lot of the bad stuff tends to get hidden from senior leaders."

All of which means an independent culture assessment can prove to be invaluable in preventing disastrous reputational risk, she explained, particularly if the staff are confident that their anonymity will be preserved.

"Issues can come to light that wouldn't come to light in the normal course of business," she said. "Some of these more subtle risks are more likely to be discovered early when they can still be acted upon."

Recognising the problem

She expressed cautious optimism that more open and accountable risk cultures can be developed. But added that, with many senior leaders leaving their "head in the sand", few will recognise that there are risk culture problems that need addressing.

Having looked at more than 30 business units within each of three major banks studied, covering areas such as wealth management and institutional banking, she said that no bank has a risk culture that is completely uniform.

There will be pockets of exceptionally strong and weak risk culture, she said, and identifying where these pockets are allows for a "targeted intervention" to take place.

"Culture is very much at a local level. You often hear people talk about this theory of one bad apple. I'm very sceptical of that notion. I don't buy it," she said. "I think what happens is that the culture develops in such a way that that sort of behaviour becomes acceptable."

Two different wealth management businesses in the same bank, for example, can have very different risk cultures. And, while Sheedy believes that there's an element of truth in the notion that risk culture is set from the top, she believes that the fact that two business units in the same line with the same senior management can have quite different risk cultures tells us that culture is a "local construct" of the immediate management and staff — and their interpretation of the bank's policies.

The research is ongoing, and fully funded, meaning organisations that meet the research criteria can receive a free risk culture assessment by visiting


Share this