
Published: 01.09.2015 | Topic: Governance | Ira Steinbrecher, BaFin

Risk culture: Requirements of responsible corporate governance

The development and promotion of an appropriate risk culture is a primary task of the management of any company.

For financial institutions, it is particularly important, since there is international agreement that deficiencies in corporate governance in a number of banks contributed to the taking of excessively high risks in the past. This led to the failure of individual institutions and to stability problems worldwide.1)

For this reason, in recital 54 of the Capital Requirements Directive IV (CRD IV), the European legislators require EU Member States to introduce principles and standards to ensure effective oversight of risks by the management bodies of credit institutions and investment firms. As part of an effective risk management system, they should promote a sound risk culture at all levels of the company.

Studies and publications on the issue

The term "risk culture" is not a new issue or even a new approach to risk management. In international working groups and in the relevant literature, risk culture has already been regarded as an integral part of responsible corporate governance for some years now, and not just with regard to the financial sector. As far back as 2011, there were over 50 studies discussing the issue of (corporate) culture. In addition, there are numerous publications from international institutions such as the International Monetary Fund, the Institute of International Finance – a global association of financial institutions – and the British Centre for Analysis of Risk and Regulation on this topic area.

The issue will continue to occupy international standard-setters, and European and German legislators, as illustrated by a 2014 study from the University of Zurich on business culture and dishonesty in the banking industry. The researchers found that the business culture prevalent among at least some actors in the banking industry favours dishonest behaviour by employees.

Requirements of international standard-setters

The Basel Committee on Banking Supervision (BCBS), one of the most important standard-setters for banks, has also addressed the issue of risk culture. In July 2015, it published its revised corporate governance principles for banks. The principles now also define the term risk culture as "a bank’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day-to-day activities and has an impact on the risks they assume".

Up to now, there have been various definitions of risk culture, so institutions and supervisors have not had a globally shared understanding of the meaning and importance of the term. The definition of the BCBS may be able to create this.

The issue of risk culture was a central focus for the Financial Stability Board (FSB) last year. In April 2014, it published its guidance on supervisory interaction with financial institutions on risk culture. This gives supervisors a framework for assessing the reliability and effectiveness of the risk culture in institutions and working to ensure that they introduce an appropriate risk culture.

Four indicators

The guidance mentions four indicators for an appropriate risk culture, although these are not exhaustive and do not represent a checklist for supervisory review. They may also be found in the Basel principles:

  1. Tone from the top
  2. Accountability
  3. Effective communication and challenge
  4. Incentives

"Tone from the top" refers to the behaviour of the management board members. Members of the management board (Geschäftsleitung) have a role model function; their behaviour should reflect the system of values they have defined, which is supposed to form the basis for the behaviour of employees and the risk culture. They must develop a code of conduct which defines what sort of behaviour is acceptable and what is not. The code of conduct should make clear that management expects ethically sound behaviour from its employees, shaped not just by statutory requirements but to a considerable extent also by social expectations, and that management explicitly disapproves of illegal activities. The management board also has the task of ensuring that the system of values is communicated within the institution, observed when assuming risks and linked to the risk management system and internal controls.

Apart from the behaviour of the management board members, that of other senior staff is also important. They act as a link between the management bodies and the various business units, departments and subdepartments. They therefore have the task of carrying the value system and risk culture into these units and communicating them there. Moreover, they should identify risks within their areas of responsibility, assess and monitor these and bear in mind the risk limits and the institution's value system while doing so.

Both management board members and employees should base their behaviour on the value system, on the defined risk appetite and on the existing risk limits. For this, each person is held accountable (accountability). They should be aware of the possible consequences which could be incurred if they do not meet the standards of behaviour expected of them, for example by taking on excessive or undesirable risks or by developing business activities and practices which are not to be tolerated. These consequences could include disciplinary measures such as cuts to bonuses, warnings, and in extreme cases even dismissals.

To promote and communicate the desired risk culture within a company, to ensure that it is adhered to and to avoid undesirable behaviour, transparency and a dialogue which is as open as possible between the management board and the administrative/supervisory body as well as between the management board members or other senior staff and employees are necessary at all levels of the organisation and at all times. Alternative points of view, constructive suggestions and criticism must be communicated openly (effective communication and challenge). This includes employees being able to express their concerns about practices which they consider to be illegal, unethical or at least questionable in confidence and without fear of reprisals. First and foremost, an appropriate risk culture also presents a major challenge in personnel management. Ideally, it requires an open and collegial leadership concept.

For an appropriate risk culture, it is essential to motivate employees to behave in line with the value system and the code of conduct and to act within the defined risk tolerance limits. Material and immaterial incentives may be useful in this context. However, it is also essential to get staff in the institution on side. Ethical and economically desirable behaviour should not be motivated only by the pay slip.

National requirements

BaFin will integrate the requirements detailed by the BCBS into the national requirements, in particular into the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk).2) The MaRisk, the German Banking Act (Kreditwesengesetz – KWG) and the Remuneration Ordinance for Institutions (Institutsvergütungsverordnung – InstitutsVergV) already contain numerous requirements for banks regarding corporate governance which are essential to meet the abovementioned indicators of an appropriate risk culture.

Section 25c of the KWG specifies a series of requirements which are beneficial for the risk culture in companies. For example, members of the management board have to determine the principles of proper management which ensure the necessary care in the institution's corporate governance. The risk culture should already be reflected in these. Moreover, the management board members have to ensure an appropriate corporate culture which is based on the company's strategies and takes into account the transparency in the institution's business activities necessary for effective risk management as well as monitoring the processes for disclosure and communications. They also have to make sure that the business strategy is focused on the sustainable development of the institution and that the risk strategy is consistent with this.

Risk appetite and risk strategy

By defining its risk appetite, the management board makes a conscious decision as to how far the institution is prepared to take risks to achieve its strategic goals. The institution must define its risk appetite for all major risks.

This makes the risk appetite part of the risk strategy, which describes how the risks arising from the business strategy are dealt with. It should therefore be consistent with the business strategy (AT 4.2, Tz. 2 of the MaRisk).

Section 25a of the KWG requires that as part of their proper business organisation, institutions set up an internal control system encompassing in particular rules on the organisational and operational structure with clear delineation of competencies as well as processes for identifying, assessing, monitoring and reporting of risks. Moreover, the remuneration systems for the management board members and employees should be designed so that they are appropriate, transparent, and contribute to the sustainable development of the institution. The InstitutsVergV substantiates these requirements. In addition, section 25a of the KWG stipulates the setting up of a process which enables employees, while ensuring that their identity is kept confidential, to report breaches of the law and criminal activity within the company to an appropriate body.

The MaRisk substantiates the requirements of section 25a of the KWG for effective risk management and also includes provisions which tie in with the indicators of an appropriate risk culture. For example, pursuant to AT 4.2 of the MaRisk the management board has to determine a risk strategy which is consistent with the business strategy. In so doing, the management board has to set risk tolerance limits for all material risks. It therefore has to decide to which extent it is prepared to assume risk. Ideally, this decision should reflect the values of the management board and the institution. Moreover, according to AT 5 of the MaRisk, the institution has to ensure that business activities are conducted on the basis of organisational guidelines. These could be manuals, work instructions or workflow descriptions, for example. These guidelines should define a framework for how the institution deals with certain situations internally. Nevertheless, the definition, promotion and communication of the desired risk culture goes a step further than this and cannot be reduced to the preparation of work instructions, manuals, etc.

New provisions planned

Regardless of the abovementioned regulations, there has thus far been a lack of an explicit framework for an appropriate risk culture. This is why the MaRisk will in future require the management board members to develop, promote and integrate one. The aim of this is to firmly root risk management in the institution's corporate culture and to create a risk awareness which infuses everyday ways of thinking and acting among both managers and employees. The risk culture should make it clear to employees what sort of behaviour is desirable and what is not, and consequently what sort of risks the institution can take on and what it cannot. In this context, institutions should be required to develop a code of conduct for their employees.

These and other planned changes – such as more extensive reporting requirements which are intended to facilitate the establishment, promotion and integration of a risk culture as well as adherence to it – are sensible and necessary to ensure effective controls by the management body and promote a sound risk culture at all levels of credit institutions and investment firms.

Supervision

The issue of risk culture is undoubtedly one which is relatively difficult to grasp for both supervisors and for institutions, since it cannot readily be examined in isolation.

However, BaFin and the Bundesbank will in future look closely at how the supervised institutions meet this challenge. Their main focus will be on the specific measures which the larger, more complex institutions in particular take to meet the expectations of the supervisors.

Footnotes:

1) See recital 53 of the European Capital Requirements Directive IV.

2) On the planned amendments to the MaRisk, see also BaFin Annual Report 2014, p. 98 ff.
