For over a decade, behavior and culture have been on the regulatory agenda and the recent developments in the United States’ banking sector tell us it should remain a priority on that agenda.
Consider Silicon Valley Bank. Thinking you can run a bank without a Chief Risk Officer for eight months is a good example of what Nobel-prize winner Daniel Kahneman named the most significant of the cognitive biases: “overconfidence bias”. Other behavioral risks played a role as well, as recently described by Filabi in “Was SVB’s collapse a failure of ethics, or just mismanagement“.
External supervisors need to stay on top of this important topic and it seems timely to reflect on the several supervisory approaches to address behavior and culture that have emerged in the last decade.
I want to distinguish between two dimensions of supervisory efforts on behavior and culture, namely, supervisory activity and supervisory focus.
The collection of supervisory insights and data may be done via off-site risk identification or on-site risk assessment. Off-site risk identification consists of collection and interpretation of regular reporting returns and other statistical data. It serves as an early-warning system to detect emerging financial problems. On-site supervisory inspections are often defined as in-depth investigations of risk, risk controls and governance.
It is important to note that on-site assessments of behavior and culture usually involve activities such as interviews, behavioral observations and focus groups. This distinguishes them from the traditional on-site assessments of capital requirements, liquidity ratio or internal controls. Assessing behavior and culture requires a willingness and capacity of supervisors to be “up close and personal” in their regulatory approach and to dig deep enough to fully understand behavioral root causes.
In the last decade, a majority of supervisors have adopted a focus on behaviors such as leadership, decision-making and escalation. In order to manage behavioral risks and change undesired behaviors, one needs to dig deeper to be able to understand why people behave in a certain way — for example, what drives them.
A distinction between supervisory approaches can be made, whether the focus is on (1) formal drivers and/or (2) informal drivers of behavior.
Formal drivers refer to the “tangible” side of the organisation — for example, how it is “set out on paper”. These include the more structural elements such as those reflected in organisational charts, job descriptions, hierarchical reporting lines, standard operating procedures and incentive schemes. Informal drivers refer to the “intangible” side of an organisation, that which is not written down on paper or openly voiced. It is often referred to as the unwritten, unspoken rules of an organisation.
Informal drivers include, for example, social relationships, perceptions of the work climate, and the beliefs and values that people hold.5 Formal drivers are more tangible and more easily accessed by supervisors. They therefore require less specific expertise from supervisors than that which is necessary to gain systematic insights into the informal drivers of behavior.
Combining the two dimensions of supervisory activity and supervisory focus leads to four quadrants as shown in the graphic below. It attempts to categorise the supervisory approaches to behavior and culture risk supervision seen executed across the globe.
- Selective (quadrant 1): an on-site approach focused on formal drivers of behavior, such as governance and roles and responsibilities or renumeration arrangements. On the border with the below left quadrant I have positioned accountability regimes, as the data for these regimes can be gathered through either off-or on-site activities.
I have categorised them as primarily focused on the formal drivers of behavior as they rely on tangible data to determine whether a financial institution is compliant. From a legal perspective, it is undesirable to take regulatory measures based solely on qualitative data regarding informal drivers of behaviour.
- Detecting (quadrant 2): an off-site approach focused on formal drivers of behavior, such as integrating certain risk behaviors into supervisory risk identification frameworks. Behavior and culture information is taken into account when regulators determine the firm’s risk profile in light of the regulatory regime. A specific regulatory activity mentioned here is conferences: some regulators convene these events in hope of influencing industry thinking and activity.
Depending on the topics prioritised in conference discussions, this activity may fall into quadrant 3 (when it addresses formal mechanisms such as incentive schemes or governance processes) or quadrant 4 (when it addresses the role of psychological safety and trust). Another regulatory activity that can jump either way is off-site reviews, and so these too can be categorized in the same way as we treat conferences here.
We rely on interaction with other people for “social proof” that our behavior is “normal”.
- Mixed (quadrant 3): describes off-site activities that have the informal side of financial institutions in scope. Illustrative activities include industry-wide surveys, such as those that have been conducted by the UK’s Financial Services Culture Board, or requests for self-assessment to address formal and informal drivers of behaviour, such as those which have been mandated in recent years by the Australian Prudential Regulation Authority. An interesting effort made in this regard is the introduction of an unobtrusive indicator of culture.
- Intensive (quadrant 4): combines an on-site approach with an explicit focus on informal drivers of behaviour. Examples are behaviour and culture reviews or behavioural risk assessments. The Dutch Central Bank (DNB) was the trailblazer in this regard with the introduction of their Supervision of Behaviour and Culture — also known as “the Dutch Approach.” Many banks have followed suit in their own internal risk governance, adopting a complementary approach that embraces behavioral science.
Immediately evident is the fact that a majority of activities are skewed towards the left side quadrants: supervisory focus is on the formal drivers of behavior. In addition, there is an emphasis on the bottom quadrant, off-site risk identification. This may, in part, reflect Covid-driven realities of the most recent years, but it seems that supervisors prefer to focus on the tangible side of banks, operating from a distance.
We can question whether this is sufficient to identify and address behavioral risks in a way that avoids stakeholder harm. Or as the Group of Thirty states so eloquently: “well implemented governance structures and processes are important, but whether and how well they function are the essential questions.”
In my view, it is almost impossible to assess the informal drivers of behavior based solely on tangible information such as frameworks, policies or controls via off site activity. Conduct – and misconduct – follow partly from formal systems, such as incentive schemes and “tone from the top,” but far more powerfully so from informal influences obtained by observing “what actually happens” among close colleagues.
We rely on interaction with other people for “social proof” that our behavior is “normal” – that is, in keeping with group norms. These norms shape our individual and collective identities, setting and re-setting what we see as boundaries of acceptable and expected behavior. Employees in a firm experience the same standard-setting of norms for the workplace. (See book: In Culture audit in financial services. Reporting on behaviour to conduct by regulators by Raaijmakers, M., Miles, R. & Scott, S. (2021).)
Managing behavioral risk
Supervisors should move the needle towards an intense approach that addresses behavior and culture with onsite activities, making sure that informal drivers are in sight. This doesn’t mean that supervisors should assume governance responsibilities that rightly belong with board directors. Bank leaders remain responsible for the culture of their firms, the behavior it encourages, and the management of behavioral risks. But supervisors should take the following three next steps going forward:
- Build an independent, internal, expert capability to make informed behavioral risk assessments. This necessitates a core expertise, sitting at the nexus of behavioral science, data-science, organizational development, and risk management.
- Strengthen basic capabilities amongst supervisory staff, equipping them to recognize and respond to behavioral risk proactively — before risk management failures make such risks evident.
- Adopt new technologies. Supervisors should make use of machine learning tools, developed and trained in a manner that incorporates behavioral science. These technologies produce actionable insights by sifting through existing data sets, found within: audit systems, accounting records, internal policies, and external regulatory compliance reports, and the multitude of “digital artifacts” produced by employees in the course of their daily routines.
Marrying behavioral science, network analysis, and complexity theory, and fuelled by data reflecting both the formal and informal interactions within organisations, such AI-driven tools offer a scalable and automated means by which supervisors may identify behavioral risk profiles consistently across the industry, allowing for proactive horizontal peer review. These tools transform supervisory capabilities and allow us to act on leading indicators of risk.
There is hope. De Nederlandsche Bank has been at the forefront of addressing behavior and culture issues in its supervision. The DNB has stated that the financial industry made progress with respect to behaviour and culture risk management, as compared to what was seen in the 2010-2015 period. For instance, banks’ behavior and culture is on the agenda of executive and supervisory boards; some banks have set up departments to monitor and actively influence the institution’s culture and behaviour; and the quality of the decision-making process has improved. It is time for the supervisory community to follow suit on a global scale.
This article originally appeared in UK Parliamentary Commission on Banking Standards: A Global 10-Year Look-Back, in collaboration with the UK Chartered Banker Institute. Please visit Starling Insights to read the fully annotated report.
Mirea Raaijmakers, is former Managing Director/Global Head of Behavioural Risk Management at ING and previously led the Dutch Central Bank (DNB)’s supervision programme for Behaviour and Culture.
Starling Insights publishes original research and covers events related to the governance and supervision of cultural, behavioral, and other non-financial risks and performance outcomes.