Risk Culture vs. Compliance Culture: What’s the Difference?
Risk culture and culture of compliance are common buzzwords these days. What’s the difference and what does that mean for your institution? Read on to find out.
What is compliance?
Compliance is the act of ensuring that no one at your institution (or working on behalf of your institution) knowingly or accidentally violates a law, regulation, rule, or an institution’s own internal policies.
By extension, a culture of compliance is creating an institution where compliance is a high priority and baked into every action and decision—and is not just an afterthought. While a great deal of strategy can go into how to interpret regulation and finding ways to make compliance a competitive advantage, it’s also a structured and regimented task, focused heavily on execution.
What is compliance culture?
As a result, the building blocks of a compliance culture are focused on ensuring a financial institution has the tools to complete compliance tasks unencumbered. They include:
- Leadership that actively supports and understands compliance. Both the board and management should be familiar with the institution’s compliance responsibilities and be proactive and public in demonstrating support for maintaining compliance.
- Authority and autonomy. Compliance should have sufficient authority and autonomy to implement a successful compliance management program. Efforts to manage and mitigate compliance deficiencies and risks should be supported by internal policies, not undermined by conflicting priorities. For example, financial incentives should align with compliance goals and not conflict with them.
- Information and communication. Compliance should have access to the relevant information required to comply with applicable regulations. That doesn’t mean just giving it access to information about regulatory change. It also needs to know what’s going on internally. Other departments and business lines should be sharing relevant information.
- Adequate resources. Based on the organization’s size and complexity, financial institutions should be prepared to adjust resources to reasonably manage policies, procedures, reporting, risk assessments, due diligence, etc. This includes a compliance management system.
- Independent audit. Transparency requires double-checking work. Compliance should be tested by an independent and competent party (whether internal or external) to identify deficiencies and show where corrective action is needed.
- Clear reporting. The board is responsible for overseeing compliance, so it needs accurate, transparent information on how compliance is performing. While the board doesn’t need the nitty-gritty details, it does need to know what changes have been made, how it impacts the institution (products and business lines, additional resources needed, the risk of non-compliance, etc.), and how compliance plans to implement and monitor compliance.
- Staff training. Staff should be trained in all policies and procedures relevant to their job. The greater the risk of non-compliance, the more often training should be refreshed. Training should go beyond the how and explain the why—specifically why the policies and procedures exist and the potential consequence to the consumer, the institution, and the individual employee (and their career) if a policy is violated.
What is risk management?
Risk management is the process of identifying, assessing, measuring, mitigating, and monitoring risk—including both potential threats and opportunities. (Compliance risk, or the risk of failing to comply, is just one of many risks a financial institution faces.)
Enterprise risk management (ERM) takes risk management to the next level by fully integrating risk management into strategy starting at the very top of the organization. It’s defined as “the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with the purpose of managing risk in creating, preserving, and realizing value,” according to Enterprise Risk Management—Integrating with Strategy and Performance, a voluntary framework with best practices for ERM published by COSO.
Notice that the word culture is literally ingrained in the definition of ERM. It’s not an add-on or a nice-to-have. It’s a must-have.
What is risk culture?
What does a culture of risk management look like? A culture of risk management is a commitment to the core values of an institution. It is both a top-down exercise in developing policies, procedures, messaging, and compensation that supports the institution’s long-term goals, but also one where front-line employees take an active role in managing risk.
Some institutions are risk-averse while others take a more aggressive stance. Neither is necessarily right nor wrong as long as the institution has carefully considered the potential impact of its decision. What’s important is that the institution has carefully aligned its goals, mission, and vision with its risk tolerance for long-term success.
In its enterprise risk management framework, COSO suggests several qualities are needed in a risk-aware culture, one where accountability, behavior, and action all support the bank’s core values. They include:
- Definition of culture. These are the fundamental beliefs and ideals of the institution that serve as a guidepost to help the institution determine what is right or wrong when making both big picture and everyday decisions.
- Strong leadership. Leaders need the knowledge, experience, and insight into the institution’s risk tolerance to make decisions efficiently, particularly in crisis situations.
- Risk tolerance. The board should determine the financial institution’s risk tolerance. This should influence how an institution approaches everything from setting strategy and identifying risks to deploying resources and responding to changing conditions. It should be an intrinsic part of every strategic decision.
- Employee involvement. Employees should be a part of the risk management process. They should know how to manage risks relevant to their jobs, understand risk tolerances, and consider them in decision making.
- Responsiveness. Institutions should be responsive and non-punitive when someone points out a problem. There must be policies and standards as well as clear accountability and timely consequences for falling short.
- Communication. All levels, including the front line, mid-level staff, management, and the board, need complete and accurate information to make risk-appropriate decisions.
- Human capital. The ability to attract, develop, and retain capable individuals. Judgment skills and risk management experience should be an important factor when hiring for the C-level. For mid- and lower-level positions, institutions can seek out candidates who aren’t just competent but have a background and personality traits that suggest they work collaboratively and are open-minded and inquisitive.
- Training. Training should reinforce procedures, positive behaviors, and values, while mentoring should focus on how each employee’s skills fit within the organization. Measure employees’ performance and provide retention incentives that align with the institution’s long-term goals and objectives.
Can one exist without the other?
While risk culture and compliance culture have many similarities, there are key differences between the two. Compliance is an area that involves fulfilling specific requirements on a regular basis. That makes the culture of compliance focus largely on task completion. Risk management culture is more broadly strategic. While there are tasks that must be regularly completed, as in compliance, it then takes the results of all those actions to inform strategy.
Resilient banks should have both a compliance culture and a risk culture—but can you have one without the other? Maybe.
You can’t have a risk management culture without also having a compliance culture. Compliance is a high-risk area. Deficiencies can result in reputational damage, lawsuits, enforcement actions, civil money penalties, and any other number of expensive problems. Any risk management culture worth having would allocate resources to compliance and ensure compliance risk was properly managed.
Could you have a compliance culture without a risk management culture? I suppose it’s possible. If a bank had a strong compliance team that managed to get the buy-in of the board and management to build a good compliance program and ensure employees were involved in attaining compliance, it would have the building blocks of a compliance culture even if its overall risk management culture was lackluster.
But the benefits of the compliance culture would be limited. Compliance should be able to feed its results upwards, giving the board a piece of the puzzle that helps it understand the financial institution’s overall risk exposure and where that exposure fits in terms of its risk tolerance. Without a risk management culture, that information isn’t leveraged nearly as much as it should be.
Is your ERM program based on a strong risk culture? Does it build on the work of compliance, audit, and other areas to inform strategy? To learn more about how these areas can work together to create a more cohesive institution, download our whitepaper Kumbaya: Bringing Together Risk & Compliance.