On Risk Culture: Making Friends with 220 dot 13b

This piece also appeared in the Australian Financial Review.

I was in a crowded restaurant the other day, discussing CPS 220 with a friend.  The woman at the next table decided to join our conversation.  “I don’t know about you,” she said, “but I love the new robot.  He’s small and determined, but more expressive than R2D2.  The story, though – it’s pretty much same old same old.”

I explained that we were talking about bank regulation.

“God help you,” she said, and went back to her magazine.

I repeated her criticism of the new Star Wars film to a professor friend of mine.

Every story is a version of its predecessors,” he told me.  “There aren’t that many plots.  The main difference is wardrobe.”

Or a new robot, evidently.

What has any of this to do with the governance of banks?  Quite a lot, actually – which is why I tell the story.  The Star Wars cycle plays out a battle between hubris and virtue that is destined to repeat itself again and again.  Is that so “far, far away” from financial history as we know it?  Speaking at this forum last year, I described a healthy risk culture as “an invisible friend who tugs on your sleeve when you are about to do something stupid.”  I probably did have a Yoda-like being in mind.

Risk culture is a form of wisdom.  So is mastery of the Force.  If the Force is the invisible glue that holds the universe together, risk culture is part of the magic that makes banking work.

Returning to our home planet – and turning off the music – everyone seems to be talking about culture.  Personally, I’m happy with that.  Piloting a bank is not an engineering problem, even if we try to make it look like one.  Good fortune makes us overconfident, which makes banks and markets unstable.  Maintaining equilibrium is a matter of understanding our own design flaws.  Culture helps us do that.

Culture cares more about tradition than logic.  It shows us a path, an approach that has worked in the past.  If you’ll pardon the mixed metaphors, culture is a back-pack you carry everywhere, full of proverbs and habits and the memory of past adventures.

Rules people obey because “that’s the way we do things here” have remarkable power.   Economics offers less insight into such matters than its sister disciplines do.  So we’re all anthropologists now, studying ritual and language and patterns of thought.

Risk culture cannot be installed by regulatory fiat.  Boards must nurture it.   Supervisors eager to see that happen are increasing their engagement with boards.  This could change supervision.

In the next twenty minutes I want to offer some thoughts on how directors might approach their duty of care regarding risk culture.  Along the way, I’ll make some comments about ethics – a very important subject but not my main focus today.   I’ll conclude with an endorsement of a richer dialogue between bankers and officials.


A bit of clarification at the outset.  When people talk about bank culture these days, there are generally three conversations going on.  The first is invective regarding the idiots who brought the global financial system to a standstill and walked away wealthy.  It sees banks and bankers as ethically challenged – and possibly evil.

The second conversation has to do with risk culture.  It views banking as a discipline.

The third conversation is about ethics – or ethics and values, or good citizenship, or whatever words you use to refer to how banks and bankers ought to behave.  Banks and bankers have moral obligations to their customers, especially the less sophisticated ones, because their power positions are so unequal.  Banks and bankers have an obligation not to endanger the financial system.   And they’d be smart to support the local netball team.  Looking out for the welfare of the community – in large ways and small – is part of banking’s business model.

The way people within a bank think and talk about moral choices, the imagination they bring to its charitable initiatives, the restraint they exercise (or don’t) within the bounds of what’s legal, and the way the organization responds when there’s a screw-up that hurts customers – taken together these things constitute an important aspect of the institution’s overall culture.  If we need a name for that aspect, “fiduciary culture” might be a good one.

These three conversations tend to get conflated, which can derail the discussions APRA seeks to promote.  The GFC made a lot of people angry – with good reason.  But we mustn’t let outrage drown out useful reflection.

A constructive way to view conversation number one, if you can get past the anger, is as an examination of entrepreneurship in the financial sector.  An economy needs banks with a dash of the “animal spirits” Keynes wrote about.  But only a dash.  And you have to get the incentives and governance right.  Conversation number one doesn’t teach us much about ethics, or tell us what a healthy risk culture looks like.  But it does remind us what culture must protect us from.

When people talk dispassionately about banking culture – meaning conversations two and three – they tend to wind up talking about fiduciary culture.  This is not surprising.  Ethical dilemmas are dramatic.  Risk management can be dry.  Try fascinating your dinner companions with an account of the net stable funding ratio.  Once again, risk culture gets overshadowed.

As I see it, risk culture and fiduciary culture are complementary.  To echo the Banking and Finance Oath, our profession is built on trust.  Institutions that treat customers badly will have little to fall back on when it’s their turn to be unlucky, and will in consequence be less resilient.  All stakeholders suffer when a bank fails, and only some of them deserve to.  So mastering the craft is an ethical requirement.

Our craft has some hard edges.  Risk managers need to be realists.  Moral reasoning requires mental toughness.  Clarity and candor regarding ethical issues teach us to be honest with ourselves, which makes us better bankers.  You are unlikely to find a strong risk culture in an institution with a weak fiduciary culture.


My remarks today belong to the second conversation.  I want to focus on risk culture in its own right – with anger and ethics acknowledged but kept in the background.

APRA’s opening contribution is paragraph 13b of Prudential Standard 220.  It specifies that a bank board “must ensure that … it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identifies any desirable changes to the risk culture and ensures the institution takes steps to address those changes….”

CPS 220 doesn’t define “risk culture.”  And the open-ended injunction to form a view is an intriguing surprise.  APRA knows risk culture matters.  They want boards to pay attention to it.  But they are strikingly non-prescriptive.  As I’ll explain later on, I see that as both clever and significant.

My own thinking about risk culture starts with the observation that banks are complex and delicate machines – and becoming more so.  They don’t have to do anything at all to screw up.  Entropy will see to that.  Because order has a natural propensity to disintegrate, a meaningful portion of the risk banks bear is involuntary.

My Year Ten science teacher explained entropy this way.  “If you line up twenty-five folding chairs in five neat rows facing a lectern and come back a week later, there is a high likelihood that someone or something will have moved at least a couple of the chairs, and there is a decent chance the whole arrangement will have been disturbed.  If you leave a pile of chairs in a classroom, and come back a week later, it is very unlikely you will find them set up in five neat rows.  That’s how the universe works.”

We fifteen-year-olds were intrigued by this new concept and tried it on our history teacher.  “Yes,” he said slowly, “unless there is a tradition that classrooms should always be ready for a lecture – or that chairs have spirits that must be respected.  That would make it likely that someone peeking in and seeing a mess would feel compelled to organize the chairs.”

“Hmm,” we said.

Being a good teacher, he waited for the principle to sink in.  One of my classmates got there first.  “So culture fights entropy,” he said.  “My father was in the Navy and he says it has a culture of never leaving anything in a jumble – especially ropes, only they call them ‘lines.’  The Navy has its own words for lots of things.  And it definitely doesn’t like entropy.”

“I think you will find,” said our history teacher, “that a strong culture celebrates our successes and confronts our weaknesses.  In the case of the chairs, the weakness is laziness.  Laziness and entropy are natural allies.”

So much for the universe.  What other human frailties does risk culture need to counteract?  High on my list is the Minsky phenomenon, as I call it.  Minsky was an economist who focused on the dark side of Keynes’s animal spirits – pointing out how a run of good luck makes human beings less risk-averse.  Any risk culture worth the name wages permanent war on overconfidence.  One way directors might begin to form a view regarding risk culture is to articulate their bank’s strategy for that war.

A strong risk culture also dislikes timidityUp and down the organization chart, fearful people are dangerous.  This is just as true in an office as on a warship.  A frightened clerk will fail to speak up about small limits breaches or suspicious payments.  An insecure chief executive hides behind hierarchy, silos the kingdom so that his barons can never talk to each other, and doesn’t want bad news.  A wise board will ensure that fear is not the bank’s primary motivational tool.

But what positive steps can a bank take?  Fear is normal.  You can’t ban it.  Listen to my history teacher again.  “Another human weakness is cowardice,” he reminded my classmate.  “I expect your father has told you about traditions that help a person overcome fear.”

A different boy spoke up.  “My cousin is in the United States Marine Corps, and he says shining your shoes make you brave.  He says the Marines have a culture of personal neatness and that’s why.  I don’t understand, but that’s what he says.  And I don’t see how calling stairs ‘ladders’ and right ‘starboard‘ achieves anything.”

“My father says using special names for things makes sailors feel special,” said the first boy.  “And that makes them do a better job.”

“Bingo,” said our history teacher.

A sense of belonging makes people braver and organizations stronger.  Culture gives you that sense.  If our frightened clerk had a familiar maxim in his back-pack – perhaps “Bankers ask questions” – he might have the confidence to call out a rogue trader.  “Bankers ask questions” not only tells the clerk what to do.  It makes doing it a badge of membership.

What about greed?  One cause of the Global Financial Crisis was compensation systems that rewarded successful risk-taking but imposed minimal penalties for losses.

Hello, conversation number one.  Let’s be clear.  Executives who knowingly create such systems for themselves abrogate their duties to the other stakeholders.  That’s bad ethics.  Boards not noticing the asymmetry is a blind spot in the risk culture.

Good bankers take a skeptical view of incentives to increase risk.  The men who taught me banking in the early ‘70s were skeptical about money full stop.  So long as your salary puts dinner on the table, they would tell you, the right reward for bankers is the regard of their peers.  If you create a compensation system in which it is possible for a thirty-year-old to get paid five million dollars a year, you’ll get the wrong thirty-year-olds.

By now you may be asking yourself why I am so determined to focus on human weakness.  My answer would be that if you give yourself a box to tick, you will find a way to tick it.  Do we have a sensible compensation system?  Yes.  How do we keep compensation from being all our bankers think about?  Hmmm.  Acknowledging weakness frames questions that require thought.

The last human failing I’ll mention is complacency, which I define as a mixture of laziness and self-delusion.  You may tell yourself, for example, that you haven’t been to the dentist for a check-up because doing so would be inconvenient – and a waste of money really, because your teeth are fine – but you also haven’t made an appointment because you don’t really want to know if you have a cavity.

Operational risk may be the area where complacency is the greatest threat.  Banks have legacy systems that fail from time to time.  Thanks to social media, the franchise damage can be significant.  In fact, banks have layers of systems, created ad hoc to deliver specific products, which don’t communicate with each other well.  They were designed by people no longer working at the bank.  Some processes were outsourced years ago to vendors who now wish they could cancel the contract.  In short, banks have in their back offices the digital equivalent of that jumble of ropes all navies fear.

Bringing order to jumble requires immense effort – and a risk culture that despises “good enough.”   It is possible to make progress, but only if a bank is passionate about simplicity and reliability – and about the productivity increases that make them affordable.  Passion is cultural.

As we make machines and devices “smart,” more and more flows are triggered without human intervention.  This reduces the error rate but can create a cascade of problems when a small change in product or regulation is implemented incorrectly, or a cyber-terrorist introduces a bug.  Operational snafus have traditionally been seen as a cost of doing business.  They are becoming significant threats.  Bank executives will need to acquire an instinctive understanding of the non-linear hazards of our digital future, just as commercial lending officers have an instinctive understanding of the dangers of rapid credit growth and unfamiliar markets.  Instinctive understanding is cultural.


The Institute of International Finance produced a definition of risk culture in 2009 that works pretty well for me: “…the norms and traditions of behavior of individuals and groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and the risks it takes.”[3]

This presents risk culture as abstract – the “norms and traditions” that determine behavior rather than the behavior itself.  A person might take issue with that, on the grounds that culture is accretive, a function of historical accident and hard to reduce to an essence.

On the other hand, hunting for essence is a form of root cause analysis, and valuable as such.  Organizations resist self-examination.  “The way we do things here” is a way of saying “It’s good because it’s ours.”  Formulating and testing generalizations about your risk culture requires you to look at the evidence.

By “evidence” I mean factoids and artifacts that might be relevant.  And when I say the evidence, I really mean some.  You can never look at everything.  If directors need a selection criterion, they should be magpies.  Collect whatever attracts your attention.  This might include the format of credit memos, the way new recruits are inducted, what behavior gets a person in trouble, which committee meetings people never skip, what follow-up analysis gets done on significant losses and near misses, ambiguities in the official organization chart – and are there any maxims?   You’ll know when you’ve got enough.

Don’t let concern with “norms” steer you toward formal policies and structures and away from examining your bank’s popular risk culture.  I assume everyone knows what popular culture is.  Melbourne’s devotion to good coffee and New York’s infatuation with itself would be examples.  Critics like to distinguish high culture from popular culture.  Henry James’s novels are high culture.  If there is a “high” branch of risk culture, it presumably includes the scholarly papers produced in Basel, and the magisterial prose of strategic plans, both of which might be described as official versions of reality.   We’re looking for the unofficial version – for unremarked behaviors that hold entropy, laziness, overconfidence, timidity, greed and complacency at bay.  Or don’t.

I’ve spent most of my career working for and advising banks.  The best have style – a mixture of self-confidence and idiosyncrasies that define and anchor them.  When I started at Morgan Stanley in 1975, the firm reveled in its idiosyncrasies.  We printed prospectuses in blue ink.  We insisted that “long-term” is a hyphenated word and that only the “L” could be capitalized.   We’d hold up a drafting session to make that clear.  Our competitors thought we were mad.  We thought we were superior beings.  We were certainly good at attention to detail.

Quite vibrant aspects of popular culture can be dysfunctional.  Walter Wriston ran Citibank for 17 years, ending in 1984.  His dictum that “countries can’t go bankrupt” underpinned the institution’s rise.  It was both a strategic principle and a slogan.  It was technically true but misleading.  It made the bank complacent about the risks of sovereign lending.

History has been kinder to another Citibank maxim – that “front office loans are the worst loans.”  It reinforced the bank’s approach to corporate lending, which was that significant decisions required the approval of two “senior credit officers.”  These were veteran bankers three levels down from the chief executive.  They took pride in having their credit acuity recognized.  Up to a point, they didn’t care what the chief executive thought about a borrower.

Cultural aversion to front office loans would have saved Citibank a lot of money had it been recognized that a loan to Brazil pretty much has to be a front office loan.   Finance ministers insist on seeing the boss – and the boss likes knowing finance ministers.  This blind spot was a weakness in Citibank’s risk culture at the time.

Identifying idiosyncrasies is fun.  This is helpful because boards should defer judgment as long as possible.  It is almost a law of nature that directors standing on the edge of a precipice believe their bank’s risk culture is fine.  And even if they have niggling worries, they will tell each other it’s fine, because to say otherwise, even in private, would compel them to take painful action.  Collecting evidence yields insights, but it also gives you time to notice what’s in front of your face.

Popular culture isn’t perfect, but it’s candid.  That makes it a good place to look for blind spots.  What do your people care about?  What do they believe?  When they repeat the organization’s maxims, do they sound proud or cynical?  Focus on middle managers as you ask those questions – men and women who have been in their jobs for a decade and are unlikely ever to be promoted again.   At least some of them will be desperate to tell you the unvarnished truth.

What a board ultimately needs to discover is whether risk is being talked about at all, what risks don’t get mentioned, and why?  It may be that there is too much pressure on results.  Or perhaps the bank is taking risks it doesn’t understand and no one wants to display ignorance by asking questions.  In any event, once the blockage is identified and removed, evidence and insight will flood in.


That lady in the restaurant who thought “220 dot 13b” was the name of the new robot was unknowingly witty.  The movie robot doesn’t say much but he makes his intentions clear.  220 dot 13b (the regulation) does the same thing.  Form a view, he tells us, but then he shuts up.  By leaving it to the board to decide how to go about it, and leaving risk culture undefined, APRA effectively compels the board to have a conversation.

I see this gambit as a continuation of the strategy behind requiring a risk appetite statement.  To come up with one, a board must ask itself a number of questions.  What is the business model?  What are the inherent risks of that model?  How are those risks measured, mitigated and managed?  What quantitative limits and qualitative statements best communicate the amount of risk we want to take?

One benefit of discussing how appetite should be expressed is that it surfaces the issue of which shareholders take priority.  Do you care more about those who want a reliable yield, or those who focus on the price of the shares?  What combination of stability and innovation does stewardship of the institution demand?

But the main benefit of the conversation is that it’s a conversation.  Conversation is how you harness a board’s diverse perspectives.  Conversation is risk management.  The value of a risk appetite statement is not the document but the process that produced it.

I assume that when regulators began requiring banks to “have and maintain” a risk appetite statement, they envisaged spirited debates at board meetings.  We know by now that a fine looking risk appetite statement can be generated by management.  All directors have to do is assent.  I doubt APRA likes that.  So 220 dot 13b requires engagement.  You have to make friends with the robot.

The relationship between banks and regulators tends to be adversarial.  In the immediate aftermath of the GFC, nothing else seemed appropriate.  But a more collaborative relationship could lead to better outcomes.  The non-prescriptive drafting of 220 dot 13b suggests movement in that direction.

CPS 220 was issued more than a year ago.  APRA will soon be asking boards what view they have formed, what cultural adjustments they favor and how they propose to effect them.  There are no right answers to those questions.  But the prudential supervisor is entitled to insist on a thoughtful response.

Supervisors have been inside a lot of banks.  They have valuable insights.  Such insights are best imparted in the course of a candid, informal conversation.  Bank chairmen are entitled to insist on such conversations.  Some are already occurring.

We Australians are justifiably proud of APRA.  It has taken a sensible if conservative view of the inherent risks of banking.  Australia came through the GFC quite well, for which APRA deserves a share of the credit.  And not to be forgotten, APRA’s chairman has a light sabre.  Having spent three years as Secretary General of the Basel Committee, he has a deep understanding of the regulatory debates that affect us.

All of which is to say that the dialogue APRA and Australia’s banks are starting to have regarding risk culture could set an example for the rest of the galaxy.   Let’s make it so.

My thanks to the Australian Financial Review for inviting me back to its Banking and Wealth Summit.  And thank you all for listening.

[1] Address at the Australian Financial Review Banking and Wealth Summit in Sydney on 5 April 2016.

[2] Mr Young is a retired banker, a former regulator and a non-executive director of Commonwealth Bank of Australia.  The opinions expressed are his own.

[3] Reform in the Financial Services Industry: Strengthening Practices for a More Stable System, page 2 of Appendix III, December 2009.

Leave a Reply

Your email address will not be published. Required fields are marked *