Bad news tends to come in waves. I remember giving a presentation in the early 2000s, listing the company names and corporate scandals that gave rise to the Sarbanes-Oxley Act of 2002, which came into force a few years later seeking to protect investors from companies' fraudulent accounting practices. WorldCom, Enron and others pointed to problems at the top that led to their respective downfalls.
In 2007 and 2008, the financial crisis spawned new troubles for some financial institutions with poor mortgage lending practices, contributing to the world-wide economic disaster we now call the Great Recession. Now, in the middle of a long recovery, new names are hitting the headlines, with scandals, fraud, failure of controls and regulatory breaches at sophisticated global financial services organizations.
So the question that plagued large corporates in the late 1990s and during the financial crisis now seems relevant again for financial institutions: “How could this happen to us?”
Understanding the risk drivers
We’re only human, and we're susceptible to a number of psychological drivers that make us occasionally, and perhaps habitually, do bad things. Sociological drivers allow those things to amplify until they become real problems. The need to conform can cause bad behavior to spread from small teams across departments and divisions, creating a toxic effect.
In some cases, management tolerates small breaches of ethics, creating a culture in which larger breaches come to seem acceptable, a dynamic also known as "the broken window effect." Institutions must spot toxic areas early enough to take appropriate action and stop a bad culture from growing to the point where it puts them at risk.
As a result of recent breaches, and driven by increased regulatory focus, institutions should carefully assess their corporate culture. In addition, the expectations placed on internal audit have risen significantly: boards and audit committees are asking internal auditors to add a cultural component to their assessment of controls and risk.
As internal functions begin to look at how their organizations are managing this risk, three main challenges are emerging:
- Subjectivity: Risk culture is highly subjective and somewhat nebulous.
- Credibility: The institution’s risk appetite, philosophy around risk, enforcement of ethical conduct and tone at the top are all likely to have been assessed as effective previously, which makes a finding of cultural weakness now hard to reconcile with those earlier conclusions.
- Recovery: Pointing to tangible improvement is difficult, perhaps because of the subjective, hard-to-measure nature of risk culture.
Changing the perspective on risk culture
Three objectives can help institutions overcome the challenges above when assessing risk culture, and they form the background to the development of a new, data-driven, predictive risk culture model:
- Culture is as culture does: Rather than trying to assess culture from the outside against an abstract framework, institutions should take a more practical approach. Instead of trying to define the culture, look at it through the impact it has on things that can be measured. This means looking at culture through observable failures in the processes, controls and systems that internal audit already examines.
- Tone on the ground: Typically, institutions assess the tone at the top and how it permeates into the lower levels of the organization, or even the tone in the middle which drives unit behavior. However, a more relevant approach to identifying toxic culture is to look on the ground. Internal audit typically defines auditable entities. Auditable entities can and do have unique cultures that can be assessed as part of an audit.
- Seeing the needle: To measure progress and compare cultures across different parts of the institution, some scoring mechanism is needed. The mechanism must be based on objective and available business data and information.
Just as a doctor can read signs to predict a patient’s health, an institution can find clues in day-to-day data to predict cultural health and the associated risk across the organization. Much as a doctor's judgment is borne of years of training and practice, developments in machine learning allow a model to learn from its own digital experience, comparing each prediction to the outcome and improving its accuracy over time.
For this learning to take place, both prediction and outcome must be measurable. Machine learning works out how to predict risk failure accurately, compares this to actual experience and figures out what must be tweaked to correct the model going forward.
Internal audit is ideally placed to provide this feedback. This function regularly visits teams and assesses how well controls are functioning. By tweaking the methodology and training, the internal audit team can assess risk culture on the ground to allow comparison with the prediction.
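The prediction-and-feedback loop sketched above can be made concrete with a small scoring model. The following is an added example, not code from the article or from RSM, and it makes assumptions the text does not: that each auditable entity is described by a handful of observable, normalized indicators (the four feature names below are invented for illustration), that internal audit records a binary outcome per entity (1 if a culture-related control failure was observed on the ground, 0 otherwise), and that an online logistic regression is a reasonable first model. All entity names and numbers are constructed sample data.

```python
import math
from dataclasses import dataclass, field

# Constructed indicator names (assumption: the article names no specific metrics).
# Each is assumed to be pre-scaled to the range 0..1 for the entity being scored.
FEATURES = ("control_exceptions", "overdue_audit_actions",
            "policy_breaches", "staff_turnover")


@dataclass
class RiskCultureScorer:
    """Online logistic regression over observable control data.

    score() is the prediction step: the probability that an auditable entity
    will show a culture-related control failure.  learn() is the feedback
    step: given the outcome internal audit actually found, nudge the weights
    so the next prediction is closer to experience.
    """
    learning_rate: float = 0.5
    weights: list = field(default_factory=lambda: [0.0] * len(FEATURES))
    bias: float = 0.0

    def score(self, features):
        z = self.bias + sum(w * x for w, x in zip(self.weights, features))
        return 1.0 / (1.0 + math.exp(-z))

    def learn(self, features, outcome):
        """One gradient step on log loss; returns the signed prediction error."""
        err = self.score(features) - outcome
        self.bias -= self.learning_rate * err
        for i, x in enumerate(features):
            self.weights[i] -= self.learning_rate * err * x
        return err


# Constructed sample data: (auditable entity, indicators, audit outcome).
TRAINING_RECORDS = [
    ("Retail lending East",  [0.9, 0.8, 0.7, 0.6], 1),
    ("Treasury",             [0.1, 0.2, 0.0, 0.1], 0),
    ("Trading desk B",       [0.8, 0.6, 0.9, 0.5], 1),
    ("Compliance operations", [0.2, 0.1, 0.1, 0.2], 0),
    ("Mortgage servicing",   [0.7, 0.9, 0.5, 0.8], 1),
    ("Payments",             [0.3, 0.2, 0.2, 0.1], 0),
]


def train(records, epochs=300, learning_rate=0.5):
    """Replay audit outcomes repeatedly; return the scorer and the mean
    absolute prediction error per epoch so improvement can be checked."""
    scorer = RiskCultureScorer(learning_rate=learning_rate)
    history = []
    for _ in range(epochs):
        errors = [abs(scorer.learn(feats, outcome)) for _, feats, outcome in records]
        history.append(sum(errors) / len(errors))
    return scorer, history


def rank_entities(scorer, records):
    """Highest predicted cultural risk first, for audit planning."""
    scored = [(name, scorer.score(feats)) for name, feats, _ in records]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    model, error_history = train(TRAINING_RECORDS)
    print(f"mean |error| first epoch: {error_history[0]:.3f}, "
          f"last epoch: {error_history[-1]:.3f}")
    for name, prob in rank_entities(model, TRAINING_RECORDS):
        print(f"{name:24s} predicted failure probability {prob:.2f}")
```

The value of the loop is in `learn()`: each time internal audit visits an entity and records what it actually found, the model moves toward that finding, which is the "comparing prediction to outcome" the text describes. Ranking entities by score gives audit a defensible, data-backed order in which to look on the ground, and the per-epoch error history is the "needle" that shows whether predictions are improving.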
Developing a prediction mechanism is not an end in itself: the goal is to improve risk culture, not just predict it. However, a combination of prediction-based risk assessment, internal audit work that treats culture as a root cause of control failures, and focused improvement initiatives can and will help reduce the number of unwanted and embarrassing headlines.
Peter Brady is a principal and leader of the risk advisory services at RSM US LLP, an audit, tax and consulting firm, focused on the middle market in the United States.
The views expressed by contributors are their own and not the views of The Hill.