2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.
“All institutions have cultures. Culture comes from history and leadership. Sometimes you need to reinforce it. Sometimes you need to change it to achieve different outcomes.
Culture risk, as we see it, has two parts. First, the board or senior management might define the wrong culture — one that doesn’t align with the institution’s goals. They misdirect the organization. Second, they might define a good culture, but fail to pursue it properly. They let it drift. They fail to embed it.
So boards, in our view, need to find ways to assure that culture is aligned and sustained. We don’t supervise for outcomes — we supervise for process. Are you overtly thinking about culture? Have you reflected on how your values support your mission? Have you reviewed this more than once in the last decade? Are you checking annually — maybe even quarterly — how well the organization is living those values?
If boards are doing that, and taking steps to measure it, regulators shouldn’t give them grief. The risk again is, if we push beyond that — we become overreaching. We diminish our supervisory legitimacy.”
“If the last decade of bank supervision was about designing rules that lead to more resilient bank balance sheets, the next will be about designing supervisory tools and strategies that lead to more resilient bank cultures.
And the goal in the decade ahead must be for banks to improve their risk culture and operational resilience by at least the same margin as they have improved their financial resilience in the decade past.”
“Think of supervision as a feedback mechanism. Banks, left to market forces alone, will sometimes drift into unsafe/unsound practices. Supervisors provide corrective feedback.”
“In practice, culture is how governance is made real.
Firms exhibiting poor culture aren’t necessarily the ones with formal governance deficits. Supervisors like a formal framework that you can check or audit against — ‘to what extent are you compliant?’ — but the ‘software’ aspect of culture doesn’t lend itself to that kind of supervision or auditability. That’s what makes it tricky.
Culture has historic aspects, moves slowly, and is driven by leadership which brings you close to governance. I consider fit and proper assessments as part of effective governance, for example. That’s heavily regulated, telling you what kinds of people are appropriate for positions or combinations of people appropriate for a corporate body. And that’s where culture starts.”
“I’ve seen situations where changes in a few key positions can really change the operations and performance of a supervised institution. So I think there is clearly a lever that we can use. We take our fit and proper test very seriously.”
“So why have regulatory reforms to date failed to prevent governance failures?
One possible explanation is that supervisors and regulators have been too focused on technical measures, such as capital requirements and risk management practices. Capital, liquidity, and related standards are essential to a stable financial system. Compliance and risk management processes are necessary but not sufficient.
Values and culture are keystones of governance as they drive behaviours of people throughout the organisation and the ultimate effectiveness of its governance arrangements. Governance is not a fixed set of guidelines and procedures. Rather it is about behaviours and ongoing processes by which decisions are made. A focus on right behaviours would mean a shift from the focus on structures and procedures to organisational culture and values that drive behaviours.
Supervisory approaches that focus primarily on compliance and do not give proper weight to culture and governance cannot keep pace with changes in finance. Supervisors need to broaden their perspectives to include strategy, people and culture and need to understand how desired cultures can best be supported and reinforced.”
“Regulators should set the expectations. Regulators should say, ‘Here's what we require. We will leave it largely to you as to how you get there, except for some major staging posts such as you must have a proper risk management framework, you must have a proper compliance framework,’ but leave it to the institution as to just what that looks like. And then if they don't get that right, if the behavior is wrong and something happens, well, we hold them accountable.
So I think it's right for regulators to set the broad expectations and requirements for governance. To illustrate the point, I think it's right to say institutions need to have the right compliance framework, but I don't think the regulator should be saying, ‘And that means you must have X number of compliance officers, and you must have this hierarchy.’ I don't think regulators should do that, and I think it's a mistake to do that. So, I'm much more in favor of a principles-based approach there, which puts the onus on the industry to then manage the structures to get to the right end.”
“I see the role of the supervisor here as providing input into the bilateral discussions with the firm's senior management, where you're trying to inform and improve the firm's own risk management framework.”
“If we see the same thing happening repeatedly within one firm, where it's not just one advisor but a whole lot of them, we would then look further up the chain. We would prosecute the company as a whole for enabling a culture where the individual advisors were not properly supervised.
There's a culture of willful ignorance about what's going on. So when you've got a poor culture, you probably have to start at the top and see whether the board and management are actually the issue enabling everything else.
Who you appoint as a CEO and what your values are — those are pretty good tools. Upholding the company's values and using them as a basis for sacking someone is a good thing. It says, ‘Look, what you're doing may not be illegal, but it's not consistent with our values as a company.’
At one point, APRA and ASIC had people observing boards and their dynamics because they went to boards where the directors said nothing; it was just the CEO and the chair dominating.
The problem, as I’d summarize it, is that often it's not a whole lot of ‘bad Indians’, but the ‘chief.’ It's the tree that's the problem, not a few bad apples. We realized that was what culture was; it was driving poor conduct.”
“You have to start with facts. Complaints, arbitrations, disciplinary records — these are imperfect data but predictive. FINRA tried to quantify them at both the individual and firm level. It’s not about declaring someone a ‘bad person,’ but about recognizing patterns. Firms also need to be honest in hiring. Too often, they ignore warning signs. Regulators should focus on whether firms are systematically overlooking facts that suggest control problems.”
“I think there's a real difference in conduct supervision between what you define as a bad culture or one likely to lead to misconduct, which may be intended or unintended. If misconduct is unintended, for example through lack of appropriate investment or capability, it can be understood as much through dialogue and conversation, as through analytics and metrics.
After analyzing the firm's finances and macro environment, engage in dialogue at the governance level: 'Talk to us about your strategy. What are you trying to achieve?' It's about asking key questions: 'How will this serve your customers better? How do you know that? What will your approach to managing the risks and your assurance be?’ Finally, it's about getting into the practicalities: don't just tell us it'll be fine; show us.
We need to get deeper into the firm to see what's happening in practice, how they're testing, and how controls are ultimately working. We talk about leading and lagging indicators of risk and how often they are monitored.
Then, of course, you have 'bad actors' — people genuinely trying to rip off customers. Ultimately, we try to prevent such firms from entering the market in the first place. But supervision also means finding those already in the market and ensuring they're either removed or understand that such a business model won't be tolerated within our regime.”
“I favor a two-track approach: introducing sensible rules that seek to prohibit/restrain excessive risk taking or behavior that would jeopardize the interests of the customers, alongside efforts that cultivate the appropriate cultural values within the bank from the top down.”
“On the prudential side, MAS ran its annual comprehensive risk assessment of financial institutions — what we called the ‘CRAFT’ assessment. We’d engage boards with supervisory ratings across AML, conduct, risk management, capital, and so on.
Peer institutions often produced different ratings. Why did some fare better or worse than others? Was there a link to the incidence of enforcement? Not always directly — but the propensity to ‘do the wrong thing’ seemed more likely in some places.
“So we asked: what distinguishes a ‘good’ from a ‘not-so-good’ bank? Leadership? Vertical communication? That led us to culture — the organization’s attitudes toward risk, misconduct, fraud, and whether managers pursue KPIs at the expense of other priorities. All the conduct-related issues — balanced scorecards, incentives — were attempts to shape behavior and steer culture at both management and working levels.
Looking back, we were trying to pin what we couldn’t otherwise explain on ‘poor culture,’ without fully defining it. Still, we decided supervisors should engage bank boards on our sense of their culture and risk culture. We had an internal document on supervising for culture — but theory and practice diverge.”