
Fostering a Strong Culture to Better Manage Risk


When it comes to targeting risks at a financial institution, the enemy sometimes is within. Employee misconduct and ethical lapses—intentional or not—can seriously damage a bank’s reputation and lead to regulatory and workforce issues organizations could otherwise do without. That’s why many in the industry have increased their focus on building company culture as a foundation for better risk management.    

During a panel discussion at RMA’s Governance, Compliance and Operational Resiliency Conference, members of the association’s culture and conduct committee discussed their strategies for infusing ethics into their organizations through culture-building initiatives.

It starts, they say, when potential talent walks through the door. Discussing company culture and ethics from the very first job interview makes expectations clear, said Tracy Saale, corporate responsibility officer and head of the conduct risk management program at Charles Schwab. When she interviewed for her current job, the eight people she spoke with all talked about the firm’s strong and ethical culture, she said. Her response?  “OK, this is the place for me.”

While companies should evaluate job interviewees for their skills and experience, they also need to consider candidates’ cultural fit for the position, said Will Ellis, head of conduct and reputation risk management at Ally Financial. “There has to be a healthy cultural ecosystem that ties back to your company’s culture and values, and considers who are you hiring? How are you onboarding? How are you creating an environment for success?” he said.

Once through the door, employees should begin ethics training at onboarding, continue with regular updates every year, and repeat it when they assume new leadership responsibilities, Saale said. Companies can reinforce this training by building a culture where employees feel comfortable speaking up and managers listen to and act upon employee reports. Employee surveys are another good way of listening to your workforce.

Executives, meanwhile, can set the cultural tone for the organization by communicating what’s expected and backing it up with a clear code of conduct that plainly expresses acceptable and unacceptable behaviors. If certain acts warrant “zero tolerance,” for example, then the company needs to respond accordingly and consistently. “If you have a top performer who maybe can get away with misconduct when others can't, that really can deteriorate your culture very quickly,” Saale said.

The most practical move for making ethical expectations clear? “Keep it simple,” said Doug Seefus, head of conduct risk at First Citizens Bank. “A lot of times we are required by regulations and other reasons to create policies and procedures that can be so complicated, and it’s hard for our employees to follow,” he said. “In many cases, our employees want to do the right thing, but our policies and procedures make it difficult for them to understand and comply with our expectations.”

Wrapping conduct concepts into existing risk management programs and third-party risk assessments also helps to embed an awareness in the culture, he added.

Keeping an Eye on Ethics

Monitoring, of course, is essential. In the age of social media, an employee’s external posts might reveal unethical disclosures or sentiments that pose reputational risk to the institution. Tracking disciplinary actions or teams with unusually high rates of termination might also indicate areas where additional training and policies are necessary.

“We can’t report every single thing that every single person does, just like you can’t put a police car on every corner,” Ellis said, suggesting that setting up conduct checkpoints is one approach to oversight.

Determining the level of conduct risk and its impacts is important. Risk managers first must establish whether there was harm, and to whom (i.e., another employee, a customer, the organization/brand, shareholders or others), Ellis said. Then they need to examine how much harm was done. Some have begun assessing misconduct materiality by levels of intention, he said: gross misconduct denotes willful intent; negligence means the person could have or should have reasonably known that harm could occur; and accidental human error fits neither of the other two categories (generally reported under Operational Risk).

Creating a feedback loop between conduct risk management and a company’s business is essential, Saale said. The business needs to know when unintentional misconduct is identified, for example, which could mean a policy is unclear or more training is needed in a certain area.

Companies need to equip middle managers with problem-solving techniques and other practical guidance on how to promote ethical behavior within business units, Saale said. Middle managers can also prompt employees to talk more about ethics, even if it’s only a one-minute discussion at the end of a weekly meeting. They can also help manage through times of organizational change, like a merger, to avoid any ethical lapses. “In the conduct and ethics world, we’re always very wary of increased risk during periods of change,” Saale said.

Speaking Up

Companies can make it clear that everyone is responsible for conduct and culture risk management by adopting an organization-wide “see something, say something” approach. “This is not one team’s job to manage,” Seefus said. “Every employee has a role to play in it and we expect them to speak up when they witness inappropriate conduct.”

At a bare minimum, institutions should offer hotlines or websites where employees can anonymously report ethics problems without fear of retaliation, Ellis said. And when people raise concerns with managers, they need to feel safe. “It's really, really important that if somebody finds the courage to speak up, we don’t shut them down, dismiss them or try to rationalize it away,” he said.

If senior leadership creates a culture where people are afraid to speak out, when problems are ultimately revealed the reputational damage can spread like wildfire, Seefus said. “We’ve all seen culture that goes bad. It can get ugly, fast. You can spend years building up your reputation as an organization, but it can be torn down in a matter of days.”