A lot of what we believe about management comes from the military.
Organization charts display hierarchy. Boards have authority and ultimate responsibility but they cannot accomplish their mission by issuing orders.
In creating boards, and judging boards, we are interested in soft issues as well as hard.
We care about culture.
I want to share with you an address I gave to APRA leadership in governance and why when it comes to leadership, we must care about culture.
I hope you enjoy it and I’d love to hear your views.
Boards, risk management & culture
First of all, thank you for inviting me to address you. It’s an honour – and for two reasons. One is that APRA has done its job very well. The other is that the matters you’ve asked me to talk about are quite important. The notion that I might have something useful to say is flattering.
There now seems to be a global consensus that boards matter. As Dr. Laker pointed out in a speech eight months ago, this was one of the lessons from the GFC. Prudential supervisors therefore want to ensure that banks have good boards – and APRA has already been thoughtful on this topic. I take it my assignment is to stimulate your thinking further.
Let me start with the observation that boards are strange entities. They consist primarily of non-specialist part-timers who are vested with ultimate authority but are explicitly warned to keep their hands off the wheel. Why would you do things that way?
One reason public companies have non-executive boards is that directors who are employees might pay themselves too much. But something else is going on here – and especially so with banks.
We seem to have concluded that risk management significantly benefits from the involvement of people who aren’t too close to the problem, who have a degree of financial, emotional and intellectual independence, who bring broad perspective to complement management’s focused expertise.
If we are right about that, then deciding what makes a board effective requires you to take off the command-and-control goggles though which we view most organizations. A lot of what we believe about management comes from the military. Organization charts primarily display hierarchy. Boards have authority, as I said, and ultimate responsibility. But they cannot accomplish their mission solely by issuing orders. In creating boards, and judging boards, we are interested in soft issues as well as hard. We care about culture. We are interested in a board’s capacity to be both attentive and detached.
We do also care about a board’s capacity to understand. Does the board, in the aggregate, know enough about financial services? That’s a valid question. But I make a starting assumption that bank boards are not supposed to be an additional layer of management, that there is folk wisdom imbedded in the tradition of having non-specialist directors. My remarks today represent my “take” on that folk wisdom.
So what makes a good board? A board is a team, but I’ll talk first about the raw material – the characteristics every individual director should have.
Directors need to be of good character, instinctively honest. The business world is full of clever people. Not all of them would be ideal directors of banks. You know that, but let me sharpen the point.
Directors have to be candid with their board colleagues and with management, proactive in disclosing potential conflicts and admitting to biases. One of the characteristics of a good risk culture, as discussed later, is that bad news gets reported very quickly. Directors have to model good behaviour in this regard. So a question one might ask about any current or prospective director would be the following: If he or she accidently had a conversation with a customer, or a journalist, or one of the CEO’s direct reports, that in retrospect they sort of wished they hadn’t, would they tell the Chairman about it right away?
Directors also ought to call out good behaviour when another director, or an executive, escalates an issue properly.
Good directors will be mature, have common sense, have good manners. They must be able to work effectively with their board colleagues. This means listening more than they speak, being able to accept consensus decisions. Effective boards don’t very often put things to a formal vote. Effective directors rarely dissent.
At the same time, a good director will have plenty of backbone. One assumes it won’t happen all the time, but a director must be willing to ask the second and third follow-up questions if he believes an important issue is being overlooked. The following statement would be a strong recommendation of a director: “She doesn’t speak that often, but when she does, we pay attention.”
Another manifestation of backbone is insisting on clear presentations and being willing to admit it when they don’t make sense to you – refusing, in fact, to enter into transactions you don’t understand. A central lesson of the GFC was the importance of directors doing just that.
Refusing to enter into transactions you don’t understand can be difficult for non-specialists. I think what happened in the lead-up to the GFC was that directors who had never been bankers felt awkward about challenging management, felt guilty even, that they didn’t understand how collateralized mortgage obligations worked.
And then they let themselves off the hook with the thought that what I’ll call the “Basel Enterprise” had everything figured out. There was that lovely graph with the long tail on the right. There were all these new concepts and Greek letters. It was rocket science. We believe in rocket science. Satellites stay up, they told themselves, even if most of us can’t do the math.
Along with honesty, maturity and backbone, directors need energy and application. Just getting through the papers will obliterate a weekend every month. Being a director of a major bank is an honour, which some might be tempted to accept without an adequate commitment to the work involved.
This might be a good place to talk generally about the work of the board. First and foremost it includes determining the bank’s strategy and risk appetite. A few comments on that subject.
First, strategy and risk appetite are interdependent. Neither can be talked about without reference to the other. Non-executive directors must understand that.
Second, banks exist to take calculated risks – and get paid for doing so. Risk appetite cannot just mean risk avoidance. A risk appetite statement appropriately enumerates things the bank is intolerant of, such as – to pick examples at random – storage of data that is not subject to rigorous controls, or compensation arrangements that focus exclusively on short-term results. But a bank cannot be intolerant of loan losses.
Third, I speak of determining strategy and appetite not only in the sense of setting limits and directions, but also in the sense of discovering what feels right. Discovery requires the board to wrestle with the question. When this happens, the process of creating a risk appetite statement is probably more valuable than the document itself. A board must therefore not allow itself to delegate the exercise to management and simply sign off on a recommendation.
It can only wrestle for so long, of course, and management should frame the issues. But as stated earlier, a hierarchical command-and- control paradigm is inappropriate.
For non-specialist directors, the discovery process starts with understanding the inherent risks of the business model. This is important. You need to think about what the risks are before you try to decide how much you want to take. Specialists often jump to the second step too quickly. They occupy themselves with technical measurement issues. They tend to assume they know what the risks are. And they may – or may have a few years ago. But the world changes. Having to answer a non-specialist’s plaintive “What are we talking about here?” can be a really valuable corrective.
Directors need IQ but also EQ. The second piece of the work of a board is making judgments about people. This is not just a matter of appointing and paying a chief executive, or planning for succession. A board needs to be comfortable with the CFO, the CRO, and other key executives as well. It needs to be comfortable with the mix of executives. It needs to know all the CEO’s direct reports, and have significant exposure to the most promising employees below that level.
There are two basic reasons for this. First, people are a bank’s principal asset. A board needs to know the status of the talent pool in the same way that the board of an oil company must understand the reserve report. Second, organizational culture is a bank’s ultimate defence. A board cannot assess the culture without knowing the people who embody it.
We all can think of effective executives who, to be fair, are not great people people. They have other strengths. I find it hard to envisage an effective director who is tone deaf about people, however.
A further thought on exposure to executives. The GFC has taught us that siloed organizations are riskier than banks managed more like partnerships. This is not intuitively obvious. Banks have gotten big and complex. Focus and accountability are important. “Management by committee” can waste time and dilute responsibility. But senior supervisors in major economies are fairly convinced. When silos exist, concentrations too often go under-recognized. When executives deal exclusively with the CEO, and run their divisions out of sight of their colleagues, they sacrifice too much insight.
There is no bright line, of course, separating siloed from integrated organizations. Executives don’t wear tee shirts that proclaim their devotion to fiefdoms or to sharing. And the CEO’s view is by definition integrated. The only way for a board to judge the style and associated vulnerabilities of their bank is to interact with a number of the CEO’s direct reports.
The third aspect of the work of the board is challenge and monitoring. In order to do that work, each director must bring some of the skills and experiences the board as a whole requires.
Most of us have seen the kind of “skills matrix” that is typically drawn up when it is time to find new directors. There need to be some people with the financial sophistication to serve on the audit committee. Risk, IT, HR and marketing are typically also included. Most large banks want some of their directors to have lived and worked outside the bank’s home base. Most companies (including banks) want a few former chief executives of public companies, who presumably have coped with some of the challenges public company CEOs uniquely confront.
A bank will probably want more skills than it has seats at the table. So directors need to tick several boxes.
The work of the board also includes support and guidance. This makes it important not to be trapped in an “expertise” paradigm but to think broadly about experience. For example, it could be valuable to have someone in the room who had lived through a public relations crisis, or a market collapse, or a painful downsizing, or negotiated with a government, or made heavy use of the capital markets, or made a bad acquisition, or fired a CEO. You wouldn’t try to list these things in a skills matrix, but as a board considers alternative candidates, life experiences are relevant.
I mentioned the issue of what size the board should be. Social psychologists will tell you that groups of 5 to 9 work best. Experienced directors often find that when a board shrinks from 12 or more to 8 or 9, conversations become mysteriously easier. The demand for specific skills and experiences tends to push the number up. Where any particular board comes out will be a compromise.
Diversity is also important, and should be thought about on several dimensions. Skipping over a lot of valid and useful statements that could be made on this topic, let me simply observe that, in terms of group dynamics, two women on a board is vastly better than one, and three is significantly better than two.
Every board develops its own culture. This is not the same as the risk culture of the bank, though it should be aligned with it. A good board will have traditions of discipline, courtesy and tolerance. Meetings will start on time. Interesting but unimportant rabbit-holes will be left unexplored. Discussion will be robust but respectful. There will be a regular process of self-evaluation and renewal.
The effectiveness of a board greatly depends on the chairman. There is a wide range of successful styles, so it would be a mistake to be prescriptive. But a prudential supervisor who wishes to form a view about a board needs to understand the chairman’s personal style. In this regard, the small informal meetings APRA has begun to have with board and committee chairs strike me as a very good idea.
Effective interaction between board and management heavily depends on the relationship between the chairman and the CEO. There is interesting literature on this topic, which might be summarized as follows. While a chairman and chief executive mustn’t be adversaries, they shouldn’t be buddies either. They should be candid and comfortable with each other, but mindful of their different roles. They should typically have a conversation every week “even if there is nothing to talk about” – and within hours when there is. A prudential supervisor with magical powers – which sadly I assume you don’t have – could have no better insight into bank governance than to listen in on the conversations between those two individuals outside of board meetings.
Looking at the issue more broadly, what characterizes a good relationship between a board and management? Mutual respect and an acceptance of their different but complementary roles is a good foundation. But the main requirement is openness. This calls for constant attention.
Rapid escalation of bad news to the board room builds trust and reduces risk. To make accelerated delivery of bad news part of the organization’s culture, directors must model the behaviour they hope to inculcate. This isn’t just a matter of “not shooting the messenger.” The way directors respond to business-as-usual management reports matters too. Tiny bits of body language can trigger alarms. Even if someone cannot be blamed for a screw-up, he or she will be reluctant to report a problem if “being negative” is frowned upon.
Non-judgmental listening and inquiry become more natural when a board recognizes that risk oversight is less about finding bad guys than finding organizational blind spots. An important cause of blind spots is staff being afraid to speak up. Another important lesson of the GFC – and of disasters like the London Whale, the manipulation of LIBOR and major AML and sanctions violations – is that there were always people within the bank who knew what was going on. That’s why there are email trails. But people must feel it is safe to raise a red flag.
Transparency is not only a question of what gets reported, but how it gets reported. How voluminous are the reports? Are they easy to navigate? Are they silted up with acronyms? Are they consistent, month to month? Clarity and succinctness of risk reporting are crucial for non- executive directors. They can also tell you something about the relationship between board and management. Prolix, sloppy risk papers suggest a lack of respect.
Bank boards typically need to spend a lot of time educating themselves. The care management takes in prioritizing topics and preparing education sessions is a similar indicator of the regard in which the board is held.
Running a bank is not easy. A board needs to find a way to support as well as challenge management. It needs to celebrate achievements. It needs to empathize. From time to time, the most useful thing a board can do is back off and let management do its job.
By the same token, management needs to help non-executives do their job by highlighting strategic assumptions and alerting them to shifts in the operating environment that may call for a rethink. From time to time, management must tell the board, “We need to be talking about this now, not that.”
Banking is an asymmetrical business. There is a lot more downside than upside. One of the most valuable attributes of a bank director, therefore – of for that matter of a banker – is an ability to sense trouble coming, to see around corners, to connect the dots, to smell smoke.
In this regard, detachment is helpful, but anecdotal evidence is essential. A productive dialogue between the board and management of a bank will include a trickle of “stories that may not mean anything.” Like: “We just lost an employee who had a lot of potential and he doesn’t seem to want to tell us why he quit.” This kind of information only gets to directors if board and management are partners.
And if they have time for it.
This brings me to the delicate issue of regulatory burden. It seems to be growing. I know you know that. Please be assured that responsible directors understand why that is so, and do not wish to whinge. But let me give you a few thoughts.
Directors only have a few days a month to be face-to-face with management and with each other. The best use of this time is to do the work their independence and perspective equips them for. Sometimes this work involves high-level strategic discussions. Sometimes it involves digging into the detail, looking for patterns, teasing out unstated assumptions. In all cases it means challenging management – and listening thoughtfully to their responses.
Digging and teasing out and listening thoughtfully take time. A board has to make that time, and for two reasons. The first is that slowing down allows you to pick up signs of trouble ahead. Less obvious, but equally important, is the impact measured conversation has on the culture of openness boards want. If the agenda is tight and the chairman necessarily impatient, those “stories that may not mean anything” will never get told, and problems for which there isn’t a solution yet will never be put on the table.
Let me give you an analogy. In the U.K., the FSA originally had two roles: conduct regulator and prudential supervisor. Conduct is concrete. Policing it is straight-forward. Prudence is harder to judge, especially in good times. The GFC demonstrated how easily giving out traffic tickets can crowd out reflection on what the speed limits should be. We know what that led to.
Australia’s “twin peaks” model was clearly superior. The FSA has now been split into the PRA and the FCA. Bank boards cannot split themselves in two. They have both kinds of obligations. They must comply and they must ponder. And they must keep these two roles in balance.
Keeping their roles in balance means deciding how to spend their time. It increasingly feels like that decision is being made for us, with directors required to sign off on matters, or even do things, we might otherwise chose to delegate. While each individual requirement may be reasonable, the aggregate impact is worrying.
At the risk of getting myself into trouble, let me draw your attention to the draft language of CPS 220. It stipulates that a board must “ensure” a number of things. To cite but three, it must ensure that “a sound risk culture is established and maintained,” that “senior management take the necessary steps to monitor and manage all material risks,” and my personal favourite, that “uncertainties attached to risk measurement are recognized, and the limitations and uncertainties relating to the output of models used to measure components of risk are well understood.”
Now these are worthy objectives, but the way they are stated makes some directors feel they are being asked to do management’s job. And what exactly does the word, “ensure,” mean?
Reading that particular passage reminds me of the drawing that can be either a pretty girl or an old lady, depending on how you brain organizes what you see. Everything we are being asked to “ensure” is important, but wait a minute, how do non-executives do it?
Enough on that for now. It would be a very good topic for one of those informal meetings APRA has begun to have with board and committee chairmen.
So if you have the right people, the right chairman, the right chemistry, enough time and good relationships with management, how does the board help engender an appropriate risk culture? Part of the answer is obvious. The Board needs to know what risk culture is, believe it matters and say so. There should be an agreed definition included in the risk appetite statement. Talent reviews should assess employees as culture carriers. Business heads should include the topic in their annual strategy-and-risk presentations. Staff surveys should include questions designed to shed light on the topic. HR should be alert to any useful metrics that might emerge in professional literature.
I would suggest that a board must also find ways to stir the pot, to engage its own imagination, remembering that imagination is what allows you to see around corners. Risk culture, let’s admit it, is kind of abstract. The words we use to talk about it gradually lose their bite. Successful organizations get pleased with themselves. If nothing goes smash for a couple of years, we assume the risk culture is fine. Someone needs to accumulate adverse indicators – the culture equivalent of operational near misses – and equip the board to have an unstructured discussion of the topic at least once a year.
I’ll stop here. I hope I’ve given you a sense of what life looks like from inside a board. You asked about “key lessons from the GFC.” I’ve mentioned a few already. I’ll pass out a longer list, but I won’t read it out. I’d be happy to take questions, however, on the list or on anything else.
Some Lessons From the GFC – Harrison’s View
- Financial systems have an innate tendency to become less stable as past crises get forgotten and risk aversion declines, so the best run banks should instinctively lean against the prevailing wind.
- Systemic stability depends on inertia. It does not necessarily result from every bank seeking safety.
- Market forces cannot be relied upon to deliver sound practices or resilient infrastructure.
- Compensating bankers for revenue without adequate regard for risk will lead to big trouble.
- Compensating bankers so well that the most ambitious people in the world want to be bankers probably means that the wrong people will run a lot of banks.
- Complexity destroys value.
- Liquidity risk matters.
- There was way too little capital in the system, given the risks thathad accumulated.
- Risk naturally accumulates in entities designed to escape prudentialconstraints.
- The interrelationship of financial markets raises questions aboutthe efficacy of ring-fencing (in its various manifestations).
- Banks are global in life but national in death.
- Too Big to Fail isn’t a problem; it’s a fact.
- Many directors did not have an adequate understanding of theirbank’s business model or its inherent risks.
- It is hard to prove that an independent chairman makes a bank safer– but it probably does.
- In retrospect, it is hard to believe that some boards andmanagements were as foolish as they were, but…
- …human nature suggests we could make the same mistakes again,so beware of hubris.