Home / Featured / Fostering a Culture of Risk Management

Fostering a Culture of Risk Management

by Clifford Rossi

In all the years I’ve worked in the finance industry, I’ve seen a number of banks and mortgage banking firms repeat the same major mistake over and over: approaching risk management as a distinct, “solvable” issue rather than an attitude that should be embedded within the makeup of the organization.

Before going any further, let’s make something clear: Risk culture is a separate idea from risk infrastructure or expertise. Your firm can invest lavishly in risk management—and some of the businesses I’ve worked for did just that—but still have no ability to embed risk management principles across the company as long as there is no focus on “risk culture.”

It is my belief that had the financial sector embraced the concept of risk culture entirely, the financial crisis of the last decade would have been substantially muted as an event. Excessive risk-taking in nontraditional (and oftentimes questionable) products could been severely limited by the industry. Unfortunately, that lack of culture and risk discipline continues to haunt the industry to this day.

Consider some of the companies and agencies that are commonly linked to the financial crisis. What do those firms have in common, aside from their sullied reputations in the wake of the crash? Those companies, along with some of the organizations I worked for in the years leading up to the meltdown, were some of the best-recognized names in the business—and yet, each one lacked a strong risk culture. That common link was central to their eventual demise.

Causes …

Before getting into what risk culture is (or should be, at least), let’s take a look at what it isn’t. In order to do that, we need to learn from the past—in particular, the 2004-2007 boom period—and examine the specific contributing factors leading to the demise of those firms that used to be household names in the financial services industry.

In painting a picture of what it was like to serve as chief risk officer at some of those businesses that abandoned risk culture in favor of short-term (but illusory) profits, I’m reminded of an ad that, ironically enough, premiered during the 2007 Super Bowl. In that ad, a group of monkeys in suits are looking at a sales chart that’s going through the roof, and the party is in full force—monkeys smoking cigars, burning money, and so on—until a human walks in and reveals that the sales chart is actually upside-down. The party comes to a quick stop until one of the chimps turns it back to its original position. Funny, but it really does sum up my life as a CRO.

What are some of the signs of a flawed risk culture? A few years ago, I conducted a study for the Office of Financial Research on a theory of risk governance at financial institutions, which led to the creation of a theoretical model explaining lapses in risk governance. Without getting into all of the technical details, I attributed risk management failures to a combination of cognitive biases, captive boards, and short-term focused executive compensation structures that did not sufficiently take risk outcomes into account.

There are a few types of cognitive biases that can drive the executive management or the board at a mortgage firm to take potentially business-ending risks. One of these is “recency bias,” which is demonstrated when the decision maker places a higher weight on recent outcomes in forming views about current or future outcomes. Back in 2004, this type of bias would manifest in board meetings, where CROs presenting views on the likelihood of a potential decline in home prices would be challenged (and ultimately overruled) in their analysis by management who were paying more attention to the recent climb in prices.

Compounding the effect of recency bias is “ambiguity bias,” where uncertain outcomes—like those often presented by a firm’s risk group—are cast more in doubt by the management team than their own strongly held beliefs. Risk managers’ jobs often involve understanding and conveying risk outcomes in a probabilistic manner, and that presents challenges when dealing with business partners who embrace a more tangible set of metrics for their decision-making.

That relates to a third management bias, which we call “confirmation bias”: the thinking that occurs when someone interprets findings in a manner consistent with their own views or experience and discounts alternative explanations or results. For example, the fact that home prices are increasing at a rapid, perhaps even unsustainable, pace might not alarm someone if they believe that the market and economic conditions remain strong.

Finally, the last major bias is “herd mentality.” This was plainly in evidence during the bubble era as lenders engaged in a form of mutually assured destruction by competing on product guidelines. One aspect of herd mentality that makes it so troublesome is that there is an information asymmetry issue where management observes a competitor’s product offering and assumes that the other firm must have better information. As a result, it reinforces the tendency to mimic the competition, particularly as companies fight for market share.

… And Symptoms

So now that we’ve covered some of the causal factors contributing to poor risk governance, what are some of the symptoms of this in terms of risk culture?

One symptom that was apparent at a number of firms before the crisis was the “captive board syndrome.” A particularly strong and influential CEO or chair can turn a normally vigilant board into a passive one. Some leaders also like to stack boards with friends or ex-colleagues, ensuring a group think scenario that is driven predominantly from the CEO’s perspective. This is clearly not the tone from the top that is supposed to set the risk culture for the firm.

In such cases, you have an environment providing little “air cover” to risk officers. CROs must be unencumbered to speak objectively about risk across the organization. There are too many pre-crisis examples of effective CROs being replaced due to views that were perceived as “impeding the business strategy.” In my opinion, decisions regarding a CRO’s tenure should be left to the risk committee of the board rather than being left to a single executive. We don’t fire umpires for making unpopular (but correct) calls in the major leagues, and there’s far more at stake in mortgage banking.

Going hand-in-hand with the previous point: Another symptom of bad risk culture is the attitude of the organization toward risk professionals. At one firm, it was characteristic of the president of the company to announce my arrival as the chief credit officer to the executive committee meeting by saying, “Here comes the Business Prevention Unit!”

As another classic example during the boom: In a quest for cost savings, the business would hold quarterly review meetings with corporate risk senior management over the risk budget, which was viewed as a “tax” on the business. While this and the above paragraph seem like extreme examples, they did occur at some of the largest financial institutions at the time and are a reminder that risk culture is only as good as the people running the company.

A subtler symptom of poor risk culture would be a pervasive inattention to risk by the business units rather than a fervent commitment to owning risk outcomes and proactively working to remediate process and control deficiencies.

Finally, the vast majority of firms lacking risk culture do not adequately build in financial incentives to management and staff for the effects of long-term risk-taking on the firm’s performance.

Risk Roles

With a firm example of what does NOT make for a good risk culture in mind, let’s turn our attention to what employees and leadership should be doing to cultivate a strong culture.

  • The risk DNA of a firm emanates from its board and CEO. To put it simply, without that, the firm cannot realize an effective risk culture. For the board, this means having a fiduciary responsibility to challenge the business on risk issues, and that implies having a certain level of knowledge to ask important questions about risk-taking. Further, board members must not become captive to CEOs, and they must hold productive executive sessions with CROs. Board compensation committees need to create incentive contracts that reward risk management in conjunction with long-term financial performance. Finally, establishing a clear risk appetite that can be cascaded across the organization is essential.
  • For the CEO, it is critical to keep a long-run view in mind. With that vision comes the need for strong risk management. On this dimension, what I’m seen work well at companies exhibiting a strong risk culture is when the CRO is recognized as a major voice on the executive committee. For risk management to have stature within the organization, it must have a seat at the table among the business heads and CFO—and more importantly, it must have the imprimatur of the CEO.
  • As for the CRO him or herself, their stature in the organization (along with that of their team) must be earned. This does not come easily. I’ve seen very positive CEO/executive committee/CRO interactions take place in firms where a strong, well-respected business leader is in charge of the risk area. However, this is not to say that the home-grown risk manager cannot be an effective risk champion. On the contrary, demonstrated performance in managing risk and return over time provides an immediate improvement in risk culture.
  • Staff take their cues from management, so demonstrated support for risk coming from key leaders outside the risk management organization brings awareness of risk to the entire team. Such support also mutes any doubts about the risk organization as a player in the success of the firm. The CEO and the rest of the executive committee can greatly accelerate the fostering of a risk culture by reinforcing the messaging about risk management coming from the CRO.

This discussion leads us to the role that of the risk management organization in cultivating a healthy risk culture.

One time, while working as CRO at a bank, I had a memorable exchange with the CEO. Discussing a new lending program that the business wanted to do (but was being downsized by risk), I blurted out in a moment of exasperation: “I need to know what you want—a watchdog or a lapdog?” Once I overcame my own shock at making such a statement, I quickly followed up by saying that it was a rhetorical question and that neither answer, in my opinion, was correct.

In other words, “balance” is the watchword for good risk management. The role of CRO requires an objective-based assessment of risk that both ensures prudent risks are being taken and management and also demonstrates the value of risk management as a partner to the business.

Another area that requires some introspection by risk professionals is the balance that must be sought between the art and science of risk management. Although my own career benefitted from it directly, the risk profession has steered more toward being an actuarial science in the last 15 or so years. I have no quibble with those associations that want to provide quantitative risk training to companies, but my fear is that we expose ourselves to a potential bias toward elegant analytical solutions.

While models are an essential part of our risk infrastructure, there is no substitute for informed judgment and experience. During the mortgage boom, I observed many instances where long-time underwriters were scratching their heads, trying to understand how statistically-based estimates of 60 percent debt-to-income ratios contributed “negligible” default risk. Truth comes in many forms, and sometimes experience supersedes an empirical estimate drawn from historical data. In other words, we do ourselves a disservice not to harmonize the qualitative and quantitative side of risk management. Striking the proper balance between both is an important part of instilling a good risk culture driven by logic and reason and not blindly by statistics.

A perennial issue for risk managers is role clarity among the business and audit functions. With the emergence of the “Three Lines of Defense,” organizations have been thinking about this with greater energy than in years past. There is a lot of gray space between these organizations, with great potential for skirmishes or dropped balls if we are not careful in describing clearly what each group does. Although much has changed in recent years, there remains a need to educate the business areas on what risk management does and how it differs from an audit function.

Policing Ourselves

True, risk management is fairly new to the mortgage banking industry, but due to the CFPB and its rules, mortgage banking firms are going to have to come up to speed very quickly. One final necessary point to make is that we engage in risk management first for our institutions, not for the regulators. The sure sign of a healthy risk culture is a firm that proactively strives to inculcate an enterprise-wide awareness of risk.

You cannot mandate good risk culture any more than you can mandate good driving habits. A 55 MPH speed limit is helpful, but when the police aren’t around, you can be sure that it will be broken. Drivers who learn good habits early on tend to avoid trouble later in their lives, and the situation is really not so different for banks and mortgage companies.

So where can you go from here? What can you actually do to make a difference in fostering a risk culture at your mortgage bank?

First, conduct a self-assessment and ask yourself deep down: Does your firm have the positive kind of risk culture you’ve read about here? If not, what needs improvement? Discuss the issue with the CEO and work with the executive committee to bring more awareness, acceptance, clarity, and balance to ensuring your organization has the right culture.

A poor risk culture may not manifest its deficiencies when times are good, but when the next crisis hits, a lacking risk culture will betray the firm when it counts. I’ve seen too many otherwise good franchises relegated to the history books because their risk culture let them down. The good news is that we know what effective risk culture looks like, and making an investment to create that environment ensures your firm is able to weather whatever financial storm comes its way.

What are the building blocks of risk culture?

The ones that come to mind for me are:

  • Awareness – Making sure everyone in the organization understands the importance and role of risk management.
  • Acceptance – Embracing risk management principles fully and internalizing them in your day to day job.
  • Incentives – Behavior can be shaped by establishing compensation plans across the organization that balances medium and long-term risks with short-term financial performance.
  • Bias – Management bias must be reduced to strengthen risk culture.
  • Temperament – The CRO and their staff must reflect objectivity and coolness under fire in order to establish and maintain credibility.


Cliff Rossi
Cliff Rossi

Dr. Clifford Rossi is Professor-of-the-Practice and Executive-in-Residence at the Robert H. Smith School of Business, University of Maryland. Prior to entering academia, he spent nearly 25 years in banking and government, holding several senior executive roles in risk management. He can be reached at CRossi@RHSmith.UMD.edu


Be Sociable, Share!

Check Also

The CFPB’s Five-Year Mortgage-Rule Review: An Opportunity to Improve the Regulatory Landscape?

By Joseph Yenouskas  & Lindsay Raffetto n March, Chris D’Angelo, the Associate Director for Supervision, …

Leave a Reply

Your email address will not be published. Required fields are marked *