Control needs a strong framework, but without a strong culture of ownership and conduct, that framework will crumble. So how do you instill the right values and measure progress?
Société Générale’s Ian Fisher knows a few things about risk culture. Holding a distinguished career at Société Générale, Fisher took a series of senior management roles in capital markets before becoming global head of syndicate in 2007. In 2009 he became group country head for the UK, and in 2016 he took up his current role as group programme director for conduct and culture. Given the breadth of his experience, 1LoD felt he was ideally placed to answer our questions on the challenges and benefits of building an effective risk culture.
Building an objective risk framework, with appropriate controls and mechanisms, is only half the battle. Building a culture is necessarily more nuanced and subjective. What did you use as your guide?
If you look at what occurred in the crisis and thereafter in our industry, in terms of misconduct and misbehaviour – much of what happened was the result of poor culture and weak organisation. A very important report in the post-crisis world was the G30 Banking Conduct and Culture Report of July 2015. This is a seminal document. We used this as a framework to construct our own Culture & Conduct Programme. It established five core principles and the first of those was for a fundamental reassessment of culture. The others are for proper governance and accountability, to ensure proper performance management and incentives, to ensure strong processes for training and development and, finally, to have in place a three lines of defence model. Key to the latter is for the first line to have ownership of culture and conduct as well as business risk.
Control is about having the right framework but more important is having the right culture and right governance, because if you don’t have the right culture and governance, it doesn’t matter what framework you have because you will fail.
Based on the principles of the G30 report, we have developed our own unique and very comprehensive programme, covering all our businesses across 65 countries and our 140,000 employees. It covers governance, all aspects of human resources, communication, conduct and cultural change. The G30 report sets out the guidelines but it’s up to each bank to determine how it wants to implement its own programme.
What are some of the challenges?
Changing an organisation is relatively simple. Changing behaviour built up over years is more challenging and people need to understand the purpose and what you are trying to achieve. So you have to have clear messaging, and communicate that message consistently and persistently, as well as ensuring your performance evaluation and other HR processes support that objective. It takes time, so you have to be patient too and recognise cultural change is not something you can achieve overnight. Anchoring a culture of responsibility, shared by all our staff members, is a priority at the heart of our 2020 strategic plan ‘Transform to Grow’.
Another big challenge is how to measure progress. It’s not as if this is measurable in the same way as a breach of compliance regulation. You have to look at conduct. Conduct is the visible evidence of culture, the bit of the iceberg above the water. So, you look to see: do people perform the controls? Are the controls respected? Is there appropriate sanctioning? Do people respect mandatory training? Are audit report recommendations dealt with in a timely manner? Do people ‘walk the talk as well as ‘talk the talk’?
You can also find out what staff are thinking through internal surveys and external consultants. We look at feedback from stakeholders, employees, clients and investors. But it is a challenge to provide evidence or to measure culture.
What are the benefits of a better risk culture?
There are multiple benefits. We want to make our culture a factor of differentiation, in terms of the attractiveness of our firm both as a place to work and how we deliver to clients. This is different to a pure culture of compliance, which is a regulatory requirement.
If you succeed in building a better culture, you’ll have a more engaged workforce, which will provide a much higher performance for the company and deliver higher quality service to our clients. That is our ultimate objective. We want to be the reference bank for our clients.
Do you encourage staff to inform management if they see or hear breaches of core values?
Well, there is a formal, whistle-blowing process mandated by law to be followed if people see a breach of a regulation or a law.
But we also want to encourage an environment where people feel free to speak up. If people feel free to talk and that they will be listened to then you will discover things you won’t in an atmosphere of fear. So, yes, we encourage people to exercise their responsibility to protect the firm and our business. You also have to make sure misbehaviour is appropriately sanctioned; otherwise you’re saying implicitly it isn’t important.
It’s very important that managers know their role here. Management is changing a lot these days and you see a less hierarchical, flatter structure, in which managers are more like player/coaches and are there to assist their staff. A closer proximity between manager and managed creates the environment where people feel free to speak up.
Isn’t there a danger that this creates an unpleasant working environment where people don’t feel free to be themselves and crack jokes etc?
On the contrary, you want people to be themselves, but you want an environment where there is respect. Respect for people, and for diversity. That’s very important. Training is also part of this, because what might be lighthearted banter to some people is perceived as harassment by another. So you need good education and training to make sure people know where the line is, what is appropriate to say and what the impact on others might be.
Does change have to come from the top?
Yes, it absolutely only works if it is carried out by top management and they live by those principles. If people see that there is a difference between what is said and what is done, they will take their lead from that. We put a great deal of emphasis in our programme upon exemplarity. Every senior manager must understand that every member of his team will listen closely to what he says but they’ll look even more closely at what he does. If you have a disconnect here, you’ve got a problem.
Is a Jerome Kerviel type experience much less likely now?
Yes. When you build a culture where people understand the values, ethical standards and integrity that are required, and you combine that with a strong compliance, culture and control framework, then you substantially reduce the risks of those types of events and we have taken all necessary actions to ensure a fraud of this magnitude could not happen in the future. Banks do learn from mistakes but at the same time you cannot be complacent and think that it will never happen again. Because that is when you will be at risk.