“Success in culture supervision would involve:
- identifying firms with cultures that pose risks to safety and soundness;
- having effective supervisory techniques to diagnose the specific problem behaviours accurately;
- persuading senior management that the firm has a problem and overseeing an effective program by the firm to tackle it; while, in the meantime,
- requiring additional financial resources against the higher risk.
All of these elements are very hard to achieve. An open question for me is whether the cost/benefit of putting more resources into this aspect of supervision is worth it in a world of limited supervisory resources and limited political capital.”
“[Post GFC], the FSB’s work moved from risk governance to risk appetite and then on to risk culture, getting at the link between incentives and risk-taking: inadequate controls, inadequate capital, and so on. ‘Culture’ became a convenient wrapper for describing that ecosystem of risk control.
But walking into an institution and saying — even with common terminology — ‘we think there are problems with your culture’ is tough. It’s even tougher to explain what effective remediation looks like for situations that are highly subjective.
It’s case- and situation-dependent; it’s about how behaviors shape decisions and the circumstances under which these are affected. Sometimes command-and-control behaviors might be necessary given the operating environment, even if they create other risks.
So, this isn’t work for the inexperienced supervisor or the ill-informed — and even for the experienced and informed, it’s a minefield of difficult decisions that are hard to make practical and [ultimately] enforceable.
I’m not sure what effective culture supervision really looks like. Incentive work matters. Remuneration reforms started and then stalled. Clawbacks and deferrals attracted workarounds — maybe they weren’t as meaningful as intended in ’08-’09. Accountability regimes get closer to the nub of the issue — ensuring people own and understand the consequences of risks they take — but that still leaves supervisors opining on individual performance and accountability. How objective can that be, and do we even want the moral hazard of stepping into those decisions?”
“For us, in the guidance that we give to firms, we talk about things like norms, attitudes, and behaviors related to risk awareness, risk-taking, and risk management. We also look at the controls around how decisions are made. We believe risk culture influences the decisions made by employees and management in individual firms. While that may sound hard to pin down, it goes to the fundamental idea that these norms, behaviors, and attitudes inform decision-making and risk-taking. Since we are concerned with decision making and risk-taking, we should be concerned with these norms.
We directly supervise over 100 so-called significant institutions — the largest banks in Europe. The ECB also oversees the supervision of many thousands of other firms, the less-significant institutions supervised by national competent authorities. These issues of governance, risk management, and culture, of course, prevail across all these banks. We must find a way to put a framework around them and think about these issues.”
“Supervision has to be judged against its objectives. For the PRA, our primary objective is the safety and soundness of supervised institutions. That doesn’t mean firms won’t fail; it means we’ll have an analytical framework and mechanisms to ensure we can identify which firms pose risks to our objectives, including that they may fail, so we can ensure they can fail without threatening the system.
Good supervision involves: individuals or teams with the knowledge, empowerment, and tools to assess a firm against a defined supervisory framework at the firm level; who can judge whether the firm meets requirements and benchmark it against peers; who can form judgments about where risks of falling short may come from; and who can communicate those judgments effectively to the firm in a way that’s understood and actionable.”
“APRA’s supervisory risk assessment process considers: governance, culture, remuneration and accountability risk for every entity, alongside more traditional risk types, with more detailed assessment for the largest entities.”
“The supervision of risk culture has been an elevated area of strategic focus for APRA in recent years and is a key part of APRA’s ‘transforming governance, risk culture, remuneration and accountability’ community outcome outlined in its Corporate Plan.
As supervising risk culture requires different skillsets and approaches compared to traditional areas of prudential regulatory focus, APRA has established a specialist Risk Culture team which has enabled APRA to enhance its focus on risk culture through a broad range of activities.
These activities include: the development of a risk culture framework, the roll-out of a risk culture benchmarking survey, the completion of a number of deep dive reviews of entities, and the up-skilling of supervisors in how to assess an entity’s risk culture.
The team has also harnessed a range of innovative tools such as natural language processing and developed a risk culture transformation toolkit to help embed risk culture change in the long-term.”
“I think the significance of culture is that it's become a very useful compendious concept to help us understand what's going on in organizations and how to improve them. Historically, what's probably happened is that we underestimated the importance of culture. And what we've learned is that it's actually really important. What we're grappling with now is how to integrate that into our whole approach to supervision.”
“Markets work best when investors and participants trust that the rules are clear, that misconduct will be addressed, and that outcomes are not skewed by asymmetric information or unmanaged conflicts of interest. IOSCO enables this trust by fostering consistency in regulatory standards, supporting supervisory and enforcement cooperation, and encouraging compliance with high conduct expectations.
Since the global financial crisis, regulators have increasingly focused on organisational culture as a critical area of interest. Culture drives behaviour, and behaviour determines outcomes — not only for individual firms but for the integrity of markets overall.
Regulators are not in the business of prescribing corporate culture. However, we do have a role in assessing whether firms are actively managing culture in ways that reduce conduct risk and promote good outcomes.”
“Culture isn't a theoretical, philosophical topic. It's a hard reality, an obvious reality that needs to be examined from a regulatory lens. And the conduct rules can serve as the conduit to hardwire culture within the regulatory framework as they are the things that are enforceable when things go wrong. They're the things that can create a structural framework within a firm that a firm itself can apply to its own conduct and its own values.
Integrity is also an obligation and a value that people need to demonstrate and express in some tangible way. It's something that firms need to be able to examine and assess by asking themselves the following set of questions: Do we have the integrity that we're meant to have? Do our staff have the integrity they're meant to have? And how do we know that? What assurance do we have? Is negative assurance enough, or do we need more positive evidence that the people that we trust in these positions of responsibility actually have the integrity that they need to have?”
“During my time at the FCA, we used a useful tool in supervising banks that approached this challenge in a useful way: the Five Conduct Questions. The questions were extremely simple and powerful ways in which firms could interrogate themselves in a way that then allowed them to provide helpful information to the regulator.
The FCA produced a report every year about how these questions had been answered by firms. Looking at each of those reports in succession, they start off talking about tone from the top as the way in which firms were proactively implementing this kind of approach. Then they started talking about the tone from above, which is the tone from your immediate line manager. And then finally, they started talking about the tone from within. And this is starting to really get to grips with the culture within the firm.
It's one thing to have an idea about how your CEO or line manager might respond in a situation. It's another to be clear about how you might respond on your own and why. Whether stated directly or not, the development of tone from within via training, self-reflection, and self-challenge can be a precursor to wider corporate change. Now I think that's starting to create something really specific, tangible, and real within a firm that's valuable not only to the firm, but to the regulator as well.
Good supervision should be in the interrogative mood, to use a grammatical term. It's not an interrogation in the sense that it's like a cross-examination, but it is an interrogation in the sense that supervisors need to be on the front foot asking questions. And the five conduct questions are exactly that. And they're a useful tool for firms to use to start to build some evidence about what sort of culture they really have.”
“[O]ne area we should explore is operational resilience. As the pandemic unfolded, global regulators significantly increased their scrutiny of operational resilience. A next step would be to consider tools, like stress testing, that would allow for a more systematic assessment of operational resilience — and allow us to ‘test’ resilience across the different constituent elements beyond financial resilience — to include areas like operational resilience and organizational resilience.
It’s this last piece — organizational resilience — where I see the opportunity to draw the linkage between operational and organizational resilience, and more specifically to conduct and culture — and to consider questions like:
- Is your organization — your workforce/your people — resilient to the next crisis? How will the organization react to the next event — and will your organization be able to ensure that critical operations and activities continue to run as expected?
- Is your culture strong enough to withstand the types of changes that could come in the next type of crisis? What are the critical aspects of your culture that ensure that your organization can adapt — and what are the ways that you can reinforce and build that now?
In the same way that regulators were able to identify weaknesses in financial resilience — both quantitatively and qualitatively — and ensure that financial capacity was reinforced to withstand the stresses over the past couple of years, now would be a good time to focus attention on a similar approach to non-financial risks (e.g., operational, operational resilience, etc.).”
“In 2019, [the FCA] set up a working group to explore the concept of purpose and consider the business case for purposeful cultures. The working group was made up of representatives from firms and professional bodies, as well as academics and subject matter experts.
When we launched our Transforming Culture initiative, it was rare to hear the concept of ‘purposeful cultures’ discussed in the same sentence as financial services. But, during the time since, there has been a huge increase in attention to the topic and, now, it is rare not to hear it discussed when considering the elements needed to drive a healthy culture.
The purpose of a firm sits at the heart of its business model, strategy and culture. There can be a tendency to determine business model and strategy first, and to then try and retro-fit purpose. But this is the wrong way around. Organisations need to ask themselves what their purpose is, and then determine a business model and strategy that aligns with it.
At the FCA, we describe purpose as ‘what a firm is trying to achieve — the definition of what constitutes success’. A firm’s purpose is its own responsibility, and should not be prescribed by a regulator, but we want firms to recognise its importance in driving behaviour and the culture of an organisation. Firms and leaders who don’t recognise the importance of purpose may be more likely to drive behaviours in their organisations that could lead to misconduct.
So, purpose is one of four drivers of culture upon which we focus in our supervision of firms, alongside leadership, approach to people, and governance. To understand culture, we assess the effectiveness of these four drivers in reducing the potential for harm that could arise from a firm’s business model or strategy. When considering the effectiveness of purpose, we look at: how a firm describes its aims through its narratives; how these are understood by staff and whether they are aligned with good outcomes; how purpose is reinforced, communicated and demonstrated by leaders; and the extent to which a firm acts as a good market participant.
If a firm’s purpose and associated business model, strategy or activity is contributing to — or exacerbating — the risk of potential harm, then firms can expect increased supervisory scrutiny.”
“We should be talking about governance with firms in a way that asks — quarterly and annually: is your culture consistent with your stated values? And what do we think needs to change about you leading the firm to ensure that alignment? As regulators, we should ensure that discipline is happening. But it’s the board’s responsibility to handle the substance.
We should ask: have you explicitly articulated your institution’s core cultural values? Have you documented them? How do they relate to creating shareholder value? Are you actually monitoring whether those values are lived throughout the organization? What’s your review process? Do you assess compliance annually? Do you examine how your values contribute to performance?
Now, there’s an element of faith in this. We have to believe that if we focus on the discipline of governance, and make sure culture is being examined regularly, the desired outcomes will follow.
That’s not a guaranteed link — but I’d rather take that leap of faith than try to define culture for every institution. That’s a slippery slope. Suddenly we become the cultural overlords — defining corporate culture across the financial system. That’s not our mandate.
Shareholder value and financial stability are tightly aligned. Our job is to focus on the discipline of process, not to pass judgment on outcomes. As a board, are you ensuring your values are being carried through the organization? If you are — and if it’s credible and reasonable to us — you don’t have a problem. And if, despite that, something goes wrong, we’ll deal with it. But we’re not going to over-engineer our involvement just to prevent a black swan event. That’s not our role.
Let me give a related example: CEO or Board Chair succession. Don’t tell us who you’re appointing — we don’t need to know. But show us that you ran a principled process. Did you define the role’s requirements? Did you consider a slate of candidates? Did you engage stakeholders — shareholders and employees? If that process is there, we’re satisfied.
And it’s the same with culture. We don’t dictate outcomes — we ensure there’s a credible, disciplined process in place.”
“If avoided persistently, the ethical dimensions of problems become less recognizable. When a truly serious ethical dilemma arises, employees will have little preparation for identifying it, much less resolving it. That concern motivated the New York Fed to launch the Education and Industry Forum’s case study project. Ethics is a skill and should be a habit. Like playing the piano or hitting a curveball, it requires sustained practice to maintain any facility and acquire some degree of mastery.”
“Across regulators and firms, we’re moving to a more holistic, sophisticated approach that balances qualitative insights with data — skills, governance, autonomy, reporting lines, and legal dynamics. That allows better judgment about collaboration norms, stakeholder engagement, including with regulators.
ESG has also helped. The ‘E, S, and G’ inherently involve culture — respect, trust, integrity, looking beyond dollars and cents. ESG has accelerated focus on culture.
In insurance, for example, advisors’ conduct, incentives, and reward systems loom large. My general sense is that focus has stepped up — in firms as much as among supervisors.”