Head of Enterprise Risk Management at Martin Currie, Neil Hutchison talks to the Center for Financial Professionals on how to measure and understand what is defined as good risk culture. Neil will be presenting at our New Generation Operational Risk Summit in London, 15-16 March
Neil, can you tell the Center for Financial Professionals’ readers about yourself and your professional experience?
I am the Head of Enterprise Risk at Martin Currie, an Edinburgh-based affiliate of the Legg Mason investment management group. Prior to joining Martin Currie in 2008, I worked at Deloitte in the Enterprise Risk Services practice, advising clients in a broad range of industry sectors.
The nature and scale of Martin Currie’s business requires the Enterprise Risk team to cover all aspects of the risk framework, from the development and maintenance of risk policies and processes, to the provision of assurance to management and the Board, via the operation of a range of risk management activities, including BCP, error management and risk identification and assessment. The team is also responsible for the promotion of a positive and constructive risk culture across the enterprise.
What internal and external factors must an organisation have to reflect a good risk culture?
For genuine cultural change to take effect, there needs to be more than just the ‘push’ factor of greater interest in the subject from regulators. Of course, if regulators make a point of calling out ‘poor risk culture’ as a contributing factor in enforcement cases, then firms will eventually grind into action and put in place the policies and the public pronouncements that support a ‘good risk culture’. But this will do very little to effect real change in the organisation if this ‘tone at the top’ does not filter down through the layers of management to the risk takers themselves.
So there needs to be a ‘pull’ factor from the other stakeholders in the business, not least the Board. The case for the benefit of a good risk culture needs to be made, and won, with the management of the firm at a level below the Executive. Otherwise, the carefully drafted words from the C-suite will burn up on entry to the business.
What difficulties are faced when distinguishing and changing a company’s risk culture?
The main challenge in changing a company’s risk culture is that it is inherently intangible in nature. We all have a feeling of what a ‘good’ risk culture might look like (and certainly what a ‘bad’ culture is), but we might not be able to put our finger on what the root causes are or how to measure it. Operational risk professionals are drawn to the tangible, to the measurable and to the visible. Arguably culture is none of these and so analysis is difficult for an industry brought up on a diet of internal controls and processes.
Change is difficult, full stop. Ask anyone who has been through a significant corporate restructure or system implementation. But this is doubly true when you are talking about changing behaviours and views, sometimes deeply held. This requires a subtlety of approach not necessarily inside of the comfort zone of the typical operational risk professional, who may be required to apply techniques beyond their familiar toolkit.
Do you believe the assessment of risk culture is possible, can this really be measured?
There is no doubt that the measurement of risk culture is challenging. Operational risk professionals may be required to move their thinking on from absolute risk indicator thresholds and the traditional ‘death by RAG-rating’ method of presentation.
But, at the risk of sounding evangelical, I have to believe that it is possible. My view is that before culture can be measured, one has to identify the key drivers of risk culture (both good and bad) and then continue to drill down until something emerges that can be assessed and, hopefully, measured in an empirical way. We have made a start with data that already exists in the business, such as error / breach rates, complaint volumes, mandatory CBT completion, etc.
This then needs to be overlaid with the ethereal question of ‘how do we feel about the risk culture in the organisation?’ We have found that people are very happy to offer an opinion in response to this question, even if they don’t necessarily understand the question they are answering!
So, in short, yes, I do believe this but, no, I have not cracked it yet.
How do you see the role of the Operational Risk Professional changing over the next 6-12 months?
There is no doubt that the increasing importance of a strong risk culture and the regulatory focus on individual conduct will require an expansion of the traditional operational risk management skillset. Banking and insurance may be further down this road, but in the asset management sector we are still adapting to the transition from ‘treating customers fairly’ to a more behaviourally-driven conduct risk framework.
At Martin Currie, we are working closely with our colleagues in HR (who are themselves being challenged to extent their skills beyond the traditional) to introduce changes to the ‘system’ of risk culture, as well as the ‘nudges’ towards a more positive and constructive risk culture. We see this as a long journey down a continuum, rather than a project with a defined end point. This will require an open mind from all areas of the business, not least the Enterprise Risk function ourselves.
