Risk governance, structures, culture, and behavior: A view from the inside

• Date: 01 January 2018
• Author: Elizabeth Sheedy,Barbara Griffin
• DOI: http://doi.org/10.1111/corg.12200
• Published date: 01 January 2018

ORIGINAL ARTICLE

Risk governance, structures, culture, and behavior: A view from

the inside

Elizabeth Sheedy

1

|Barbara Griffin

2

1

Applied Finance Centre, Faculty of Business

and Economics, Macquarie University,

Australia

2

Department of Psychology, Faculty of

Human Sciences, Macquarie University,

Australia

Correspondence

Elizabeth Sheedy, Applied Finance Centre,

Faculty of Business and Economics, Macquarie

University, Eastern Road, North Ryde, NSW

2109, Australia.

Email: esheedy@mafc.mq.edu.au

Funding information

Centre for International Finance and Regula-

tion, Grant/Award Number: E039.

Abstract

Manuscript Type Empirical

Research Questions/Issues Risk governance (emphasizing internal structures and risk cul-

ture) is a relatively new approach to the governance of financial institutions that is being widely

adopted in the industry. Due to obvious assessment challenges, to date no evidence exists

regarding the effectiveness of risk structures nor the status of risk culture in financial institutions.

We therefore investigate the extent to which bank employees view risk structures as effective

and risk culture as favorable. We also investigate how risk structures and risk culture together

influence risk behavior.

Research Findings/Insights Risk structures were typically rated as effective with the

exception of remuneration. Risk culture varied at the business unit level as well as by firm and

country. Senior leaders tended to have a rosier perception of risk culture than staff generally.

Favorable risk culture together with effective risk structures was associated with high levels of

desirable and low levels of undesirable risk behavior.

Theoretical/Academic Implications The study provides a window into internal bank gov-

ernance using a novel survey methodology. Many governance papers rely exclusively on external

measures of governance; these do not guarantee effective internal risk governance.

Practitioner/Policy Implications Further managerial and supervisory attention should be

paid to ensure that culture and remuneration structures support risk management in financial

institutions. As risk culture varies at the local level, it should be measured and managed at the

local level. Senior leaders cannot rely on their own perceptions but should rely instead on inde-

pendent assessments of risk culture.

KEYWORDS

Corporate Governance, Split‐share Structure, Non‐tradable Shares, Stock Price CrashRisk,

Principal‐Principal Agency Problems

1|INTRODUCTION

In the post‐crisis period the banking industry has experienced a revo-

lution in the governance of risk. The scope of this revolution extends

beyond the governance mechanisms that can typically be observed

externally such as board independence and board committees. It

extends to the resourcing and independence of the risk management

function, the effectiveness of risk policies and systems, staff remuner-

ation and performance measurement and indeed to the culture of the

organization (i.e. values, priorities and assumptions). To date little is

known about the status of these internal governance elements nor

their behavioral outcomes, a gap which this study aims to partially

address.

Investigation of internal risk governance is challenging as such

information is not typically disclosed publicly. The effectiveness of risk

governance relies not just on the existence of structures and policies

but in the way they are implemented, so any evaluation must inevitably

have a subjective element. The problem is compounded by the role of

“risk culture,”defined as the shared perceptions among employees of the

relative priority given to risk management, including perceptions of the

risk‐related practices and behaviors that are expected, valued and sup-

ported (see Sheedy, Griffin, & Barbour, 2017). An unfavorable risk

Received: 12 May 2016 Revised: 21 December 2016 Accepted: 28 January 2017

DOI: 10.1111/corg.12200

4© 2017 John Wiley & Sons Ltd Corp Govern Int Rev. 2018;26:4–22.wileyonlinelibrary.com/journal/corg

culture is likely to render the risk structures less effective, and so plays

a potentially crucial role. As highlighted by Srivastav and Hagendorff

(2016), little is currently known about risk culture in banks and how

it influences risk management practices or employee behavior.

Evaluating the risk structures and culture of a large financial insti-

tution (FI) presents a major challenge for senior leaders and regulators.

For outsiders such as creditors and depositors, the challenge is even

greater. One approach might be to judge on the basis of organizational

outcomes, but the outcomes of effective risk management are seen in

long‐term sustainability, few surprises, and enhanced risk‐adjusted

performance –outcomes observed over decades rather than months

or years. Since risk management by definition deals in tail events, we

need long time lags in order to distinguish management skill and/or

robust culture from mere luck. By the time conclusions can be drawn

from such measures, the opportunity for intervention would be long

gone.

A contribution of this study is therefore to assess risk governance

using a different strategy: through the eyes of employees using survey

instruments. It is likely that those internal to the organization will be

best able to assess the effectiveness of risk structures and ascertain

the true priority accorded to risk management. As explained in the next

section, prior literature suggests that when culture is assessed using

properly validated survey instruments, it predicts staff behavior and

organizational outcomes, thus providing useful insight. Of even greater

value is the opportunity for early identification of cultural weakness

afforded by the survey methodology, and hence the opportunity for

intervention.

The research methodology prevents us from analyzing a large

number of FIs so we focus on seven large Australian and Canadian

banks that are relatively homogeneous with regard to externally

observed governance and other factors. Even in large and apparently

well‐governed FIs, we observe significant differences in internal risk

governance and culture. The research design allows us to investigate

how risk structures and culture vary at a national, firm, and business

unit level. It also provides an opportunity to better understand the rel-

ative importance of risk structures and risk culture in explaining (self‐

reported) behavior. We note, however, that no causal relationship

can be proven as our measures are all contemporaneous.

The study has a number of policy implications. It highlights that

further work may be needed to address remuneration and perfor-

mance measurement systems to ensure their consistency with risk

management objectives. It suggests a crucial role of risk culture for

behavioral outcomes and thus supports regulator and industry initia-

tives in this regard. The study highlights Avoidance (the perception

among staff that risk issues and policy breaches are ignored,

downplayed, or excused) as the dimension of risk culture needing most

attention. Senior leaders typically are not aware of the extent of this

issue, suggesting that canvassing employee opinions with independent

and anonymous surveys is a worthwhile endeavor.

2|LITERATURE

“Risk governance”emerged from the financial crisis of 2008–9 and the

observation that traditional approaches to corporate governance had

failed in FIs (Beltratti & Stulz, 2012; Erkens, Hung, & Matos, 2012).

FIs are unique corporations that arguably require different governance

mechanisms, placing greater emphasis on risk management for the

benefit of customers and the wider community. According to the

Financial Stability Board (FSB, 2013), the crucial elements of risk gov-

ernance are: (a) a board that can analyze the firm's risk exposures and is

able to constructively challenge executive decisions; (b) an indepen-

dent, effective, and well‐resourced firm‐wide risk management func-

tion; (c) independent assessment of the risk management framework

through internal audit and external parties; and (d) a culture that prior-

itizes risk management.

Consistent with FSB (2013), new regulatory guidance in relation

to bank governance was provided by the Basel Committee in 2010

and further updated in 2015 (Basel Committee on Banking Supervi-

sion, 2010, 2015). These documents emphasize the accountability

for risk management of all staff (first line of defense), an independent

risk function (second line of defense), assurance (third line of

defense), risk appetite, compliance systems, and controls. Risk culture

is specifically highlighted in regulatory guidance as a crucial element

in the success of risk management. Yet at the same time regulators

acknowledge the difficulty of assessing risk governance (e.g. FSB,

2014a and FSB, 2014b).

Given the difficulty of assessing elements of risk governance that

can only be judged by insiders, governance scholars typically use

imperfect proxies that can be assessed externally. For example, the

existence of a board risk committee with independent directors having

financial services industry experience is used as a proxy for a board

that is able to constructively challenge the executive with regard to

risk management. The presence of a well‐paid Chief Risk Officer

(CRO) on the executive committee might be used as a proxy for an

independent and well‐resourced risk management function.

Several recent studies have linked such risk governance proxies to

improved crisis performance. Ellul and Yerramilli (2013) produced a

Risk Management Index based on characteristics of the senior execu-

tive and the board risk committee. It includes the presence of a CRO

with status and authority (evidenced by CRO remuneration relative

to other senior executives) and participation in the most senior execu-

tive committee. In a study of North American banks, Aebi, Sabato, and

Schmid (2012) investigate the presence of a CRO, CRO access to

board, existence of a board risk committee, independent directors,

director experience and risk committee activity.

As these proxies are imperfect measures of risk governance, there

is a danger that firms might appear (on the basis of external gover-

nance measures) to have stronger risk governance than is in fact the

case. The mere existence of a well‐paid CRO does not guarantee an

effective risk management function nor a culture that prioritizes risk

management. This is particularly true if the CRO has been appointed

to satisfy regulatory requirements

1

and with no genuine commitment

to risk management. Indeed, some case study evidence emerged from

the crisis to support the notion that these externally observed mecha-

nisms can be ineffective in some circumstances.

2

This study therefore investigates the effectiveness of the internal

risk structures and the risk culture in a group of banks that, according

to external measures, have adopted best practice risk governance. The

risk structures explicitly included in the present study are: training,

SHEEDY AND GRIFFIN 5