How to improve the risk cultures of financial institutions

Impact Case series — Research Excellence Framework (REF)

What is risk culture? Can it be defined, audited, and managed? Risk culture is a rather amorphous kind of thing. If practitioners are suddenly told one day that they’ve got to improve it, many will scratch their heads, asking, “What do we do?”

Within one organisation there may be different risk cultures operating, with dynamics that shift over time. Therefore, rather than designing a single model of good practice, or a set of tools for managing risk, we investigated risk culture “from the bottom up”, by engaging with the organisational actors charged with operationalising and reporting on it.

Over several years of observation in the field, we interviewed numerous key people working within UK financial institutions, mostly involved in managing risk culture change programmes, plus senior managers in the safety department of a large airline by way of comparison. From this work, we identified common themes from which we developed a framework for understanding the trade-offs that define the boundaries of cultures of risk-taking and control.

The swing towards centralisation and measurement

We identified two broad types of approaches to risk culture change: an “engineered” approach, which relies on formal regulatory structures and external advisers, with highly visible toolkits and documentation; and a more informal or “organic” approach, which emphasises developing networks within the organisation, joining the dots between existing internal practices and ethics-based motivations “to do the right thing”.

In the aftermath of the financial crisis, we found that initially organic, informal approaches to changing culture were often favoured by organisational working groups. However, given increased regulatory demands to demonstrate change, there was then a clear shift towards centralising risk functions, and implementing more formal oversight structures.

Over time, organisations and the people we spoke to found that these approaches were less satisfactory to boards and regulators, who wanted proof, measurable proof, that something was being done, and something was being changed. There was this transition from an initial attraction to anthropological approaches to culture and then that drifted away to the harder, measurable end of accounting for culture.

“We want societies to take risk, that’s how they thrive and develop, but if those risks are uncontrolled or reckless, then the damage caused by very, very large organisations is immense.”

Managing risk culture trade-offs

These two categories – the “organic” and the “engineered” – are ideal types but they helped us classify risk culture workstreams in financial organisations, as well as map organisational dynamics, such as the shift from informal approaches to more centralised and metrics-centred approaches.

Below this high-level categorisation, we also organised our detailed field observations in terms of recurrent tensions or trade-offs, showing how organisations either consciously or unconsciously adopt certain positions within them. For example, organisational actors confront decisions such as: how to balance an ambition for gradual internal change with the use of external advisers and their diagnostic toolkits; how to balance formal organisational arrangements with interactive, inter-personal approaches to risk management and communication; and how to balance a focus on ethical renewal and the re-articulation of mission statements with the use of remuneration and incentives systems as levers over behavioural change.

In so doing, we show that risk culture, however operationalised, is not a fixed ideal equilibrium for any organisation. It is inevitably dynamic and changing, subject to many different forces. There are risks and drawbacks to leaning too heavily on one approach over the other.

For example, if you look at the interactions between your risk function and frontline management, you might have an assumption that a lot of interaction is a good thing, and [this] is something that scores quite high in toolkits provided by advisers, but if you have a lot of interaction, that can lead to some problems. You might have a loss of independence of the risk function. You might have too much interaction that might be a problem in terms of achieving a decision.

To stress how too much interaction might counter-intuitively be a symptom of cultural problems, we draw on the lived experience of one senior manager. One of our interviewees nicely put it that if you don’t want to make a decision then the best way forward would be to put people in a room and have a meeting, and then you have another meeting, and then you have another meeting…up to a point where people forget what they were supposed to decide, and you lose accountability.

Asking the right questions to provide clarity about trade-offs

Given these trade-offs and tensions, which are inherent in any risk culture, we don’t recommend a single model of risk management. Each approach has its merits and drawbacks. But the research provides a conceptual map of risk culture change programmes that can be useful in highlighting some of the design choices that financial organisations must face.

To improve clarity about these design choices and their challenges, we developed a series of “smart questions” for each set of trade-offs for chief risk officers, chief executives, and boards to ask themselves when evaluating their approach to risk. The overarching goal is to help organisations develop a greater awareness of how much risk they are prepared to take, and specifically monitor the trade-offs inherent in any attempt to manage and change risk culture, making explicit decisions about them rather than allowing them simply to happen to the organisation.

One of the big implications for society is the whole idea of risk awareness, of being fully aware of the risk appetite in organisations. In other words, how much risk are you prepared to take as an organisation, and what controls are you putting in place to manage that risk? That is a much more mature and explicit discussion.

We want societies to take risk, that’s how they thrive and develop, but if those risks are uncontrolled or reckless, then the damage caused by very, very large organisations is immense. And so, it really matters to society that there are mature risk cultures at the centre of which there is knowledgeable and aware risk-taking. These are not just technical issues that sit in the financial services sector. This whole question of risk culture is society wide.

* The authors gratefully acknowledge the financial support of the Economic and Social Research Council (ESRC), the Chartered Insurance Institute (CII), the Chartered Institute of Management Accountants (CIMA) and the Lighthill Risk Network.

Michael Power

Michael Power is a Professor of Accounting at LSE. He is a fellow of the British Academy and Academic Governor of the LSE. Professor Power is a former director of the Centre for the Analysis of Risk and Regulation (CARR) at LSE and a holder of a number of advisory and external non-executive roles in the financial services sector.

Simon Ashby

Simon Ashby is an Associate Professor of Financial Services at Vlerick Business School. He is a financial regulator turned academic and has published numerous papers and reports on risk management, financial services regulation, banking, and insurance.

Tommaso Palermo

Tommaso Palermo is an Assistant Professor of Accounting at LSE. His main research interests include the design and use of enterprise risk management and performance management systems, risk culture in financial sector organisations and risk reporting and analysis in the aviation sector. Tommaso’s more recent work focuses on accounting and risk regulation in new markets for contested commodities, such as recreational cannabis in Colorado. Email:

This article was first published in LSE Business Review

CultureFinancial Services Technologyrisk culturerisk in agriculture