BaFin’s Revised Risk Culture Guidelines

  • Sabine Abenthum-Feil, Carlotta Schröder
  • Published: 28 March 2024


The German Federal Financial Supervisory Authority’s (BaFin) recent amendments to the Minimum Requirements for Risk Management (MaRisk) reinforce the importance of risk culture for banks and financial services institutions. Firms need to strike a balance between binding rules and freedom of action for their employees.

The Basel Committee on Banking Supervision (BCBS) defines risk culture as "a bank’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during day-to-day activities and has an impact on the risks they assume".[1]

The draft version of the amendments to the MaRisk reinforces the importance of the topic. In line with AT 3.1, business managers are responsible for developing, promoting, integrating and monitoring an appropriate risk culture at all levels within an institution. Compared to the current version of the MaRisk, the amended version details that:

  1. Employees must be held accountable for their risk behaviour.
  2. Institutions must establish procedures to monitor whether employees are complying with the risk culture.
  3. Deficiencies need to be identified and effective control measures implemented immediately.[2]


As a result, financial institutions are tasked with implementing a governance cycle that defines, manages and monitors the institution’s risk culture, aligned with existing risk management cycles, and thereby avoids excessive risk-taking.

The challenge 

This development requires financial institutions to clearly define their risk culture as part of either compliance or company culture and to establish concrete expectations of all employees that support adherence along all three lines of defense. In addition, financial institutions should actively promote a speak-up culture that encourages employees to report breaches, while also ensuring that consequences for breaches can actually be enforced. It is crucial to establish a balance between formalization, which ensures a clear set of rules, and degrees of freedom, which avoid constraining decision making.


The solution

BCBS defined four key criteria for an appropriate risk culture: 

  1. Tone from the top. Management board members and senior management must take responsibility for developing and actively promoting risk culture and the risk function. Management should act as a role model and adhere to the institution’s value system and risk appetite.
    This can be achieved through proactive communication of the desired risk culture by top management, as well as by advocating the integration of risk culture into the corporate culture.
  2. Accountability promotes enforceability. All employees should be held responsible for their own behaviour, and decisions must always take the defined risk appetite into account.
    A principle-based and easily accessible code of conduct that clearly defines the consequences of non-compliance needs to be created and implemented. Further, to raise awareness and monitor adherence to risk culture, KPI-based monitoring combining several metrics (surveys, NFR, HR, etc.) can be used to better understand the level of compliance and overall awareness of risk culture among employees.
  3. Effective communication. A speak-up culture and the active promotion of an open dialogue between employees and management, and between the three lines of defense, are essential.
    Regular training and workshops can help promote the idea of joint responsibility and communicate that mistakes should be accepted and learned from rather than punished. Regular exchange between the lines of defense is crucial to ensure a cross-functional understanding of the institution’s risk culture.
  4. Incentives to motivate employees. Adherence to risk culture can be encouraged through a range of material and non-material incentives.[3]
    The incentives should be precise and well-defined so that they raise the awareness of all employees and strengthen risk culture in a targeted manner.


In addition to the above four key criteria, the Frankfurt Institute for Risk Management and Regulation emphasizes that a financial institution needs to continuously seek improvements, for example by conducting annual employee surveys, analyzing lessons learned and providing regular training to employees. In addition, clear targets and guidelines help embed the key principles of risk strategy and culture.[4]


Conclusion

Risk culture is not a new concept; however, its relevance continues to increase, putting pressure on financial institutions to revise and improve their existing risk strategy and governance. A robust risk culture is key to promoting a speak-up culture and contributes to reducing several non-financial risk types. Financial institutions must integrate risk culture into their overall business culture, improving internal communication and defining clear rules that incentivize compliance.

Capco has a strong and varied record of supporting clients with change, spanning a wide range of business and regulatory requirements, processes, data and IT implementations. We have developed an approach for integrating risk culture into the company culture and creating a robust non-financial risk framework. Contact us to learn more about how we can help your institution on its journey to change and give you an edge over your competition.


References

[1] Basel Committee on Banking Supervision, Corporate Governance Principles for Banks, Glossary, January 2015
[2] Rundschreiben 05/2023 (BA), Mindestanforderungen an das Risikomanagement, AT 3, June 2023
[3] Basel Committee on Banking Supervision, Corporate Governance Principles for Banks, Principles 1, 6, 8 and 11, January 2015
[4] The Frankfurt Institute for Risk Management and Regulation, Positionspapier Nr. 1, November 2022

© Capco 2025, A Wipro Company