Building a Healthy Risk Culture: A Q&A With Clifford Rossi

When a financial institution fails and its postmortem is written, the focus inevitably turns to culture. For banks, beyond the corporate approach, risk culture is especially important.

What does it mean to have a healthy risk culture? What signs should aspiring and early-career risk managers be looking for to establish that an employer (or a prospective employer) has strong risk management values? And what skills do they need to bring to the table to make an impression on a CRO seeking to establish a proper culture?

Clifford Rossi, Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business, has had a front-row seat for the growth of risk management over the past two-and-a-half decades. Having lived through and managed multiple crises, he has a strong understanding of what it takes to build and maintain a healthy risk culture.

Clifford Rossi, University of Maryland

Before joining academia, Rossi spent more than 25 years as both a C-level risk executive at major financial institutions and a federal banking regulator. He is the former CRO of Citigroup’s Consumer Lending Group.

Rossi defines culture as a shared set of attitudes, values, goals and practices at an institution. From a risk management standpoint, he observes, culture is the glue that binds risk appetite with business strategy.

Any firm that wants to establish a successful risk culture must find ways to balance the three lines of defense model. Normally, the second line (risk management) dominating the first line (business) would result in an overly cautious and underperforming firm – but an unchecked first line will likely contribute to a culture of recklessness, with decisions made for the short-term benefit of management at the expense of long-term shareholder value.

Rossi says deficiencies in risk culture have been the catalysts for poor governance, poor risk management or excessive risk taking behind every financial crisis or disaster — from the 1980s U.S. savings & loan crisis to the 2008 subprime crisis to this year’s regional bank failures.

Recently, he spoke with Risk Intelligence about the qualities of an effective risk culture, the skills that CROs should be seeking as they set out to find risk managers to build such a culture, and the role of the board of directors in establishing firmwide risk management values.

If you were a bank’s newly hired CRO, what steps would you take to establish and maintain a healthy risk culture?

Communication is key. I would go directly to senior management and the heads of each of the lines of business and lay out a vision for risk management and the culture we want to establish.

Risk management is everybody's job. Messaging is crucial, not only from the CEO but also from the heads of the business around risk. When a senior business leader is observed side-by-side with the senior risk officer talking about the importance of balanced risk and return, that goes a long way to building the image of what a healthy risk culture should look like.

Regarding sustaining a healthy culture, there's no substitute for incentives. One incentive would be that we build risk culture and attitudes into the organization's employee scorecards, so that employees understand this isn’t just lip service. We want them to embrace this culture, and to understand they will be rewarded for doing so. People respond to the tone from leadership.

Job rotations between first, second and third lines (auditing) are a good idea. You will develop an appreciation for the other groups after you spend some time doing their jobs.

AI/ML technology, moreover, is promising. You might, for example, use an algorithm to go through company emails and documents to search for both positive and negative sentiment associated with risk management. You’re looking for instances where discussions are very tilted in favor of business and away from risk management – or the reverse. Tools like this may help with early intervention, enabling the risk team to identify instances where the firm may be moving away from an optimal risk strategy, before it’s too late to correct course.

What type of risk manager hires would you be looking for to fit in with a firm’s healthy culture? 

You always start out with the hard skills required to do the job. These could be finance skills, modeling, data management, or others. Then I like to see acumen related to the firm – i.e., risk managers who understand what the business side does.

I've had CROs confide in me that their risk managers really don't understand the first-line business. That puts them in an awkward position for having engaging conversations with the first line on various risks and earning credibility as value added partners at the firm.

People who can communicate technically difficult concepts to non-technical audiences, like business executives, are also desirable. That's a skill set that's acquired. You don't pick it up at school, and not everyone can learn it.

Another thing I look for is teamwork. I used to tell my folks I will gladly hire somebody with good grades who is a team player and willing to roll up their sleeves and work alongside anybody over a prima donna with a 4.0 GPA. I don't need to deal with the drama. I want team players with a sense of urgency. When we have a deadline, expect to do whatever it takes to meet it. That was extremely important in my own career.

And don’t be fixated on the last infinitesimal amount of finishing some project; know when it's good enough to be able to move forward. I used to joke with people that I'm an 80/20 guy. I get you 80% of the way there quickly. We'll clean up the other 20% as we go along.

That's important in a fast-paced business environment. You need that sense of urgency and ability to get things done without worrying about perfection. We strive for perfection but realize we're not going to achieve it in the day-to-day business environment.

How can early career risk managers demonstrate they fit in with the type of culture that you want to establish? And what should they do if they discover their firm has a toxic culture?

The skills that get you in the door are not necessarily what will carry you up the ladder. You may arrive with domain expertise, modeling skills or a risk specialty. When you start to move up and manage a small team, you’ve got to worry about interacting with your peers, higher ups and your staff. If you're coming into this early on and you're trying to navigate the risk culture — and you’re fortunate to be in an organization with a good risk culture — that’s going to come naturally.

Risk managers can’t be viewed either as “Dr. No” or as a “yes” person who goes along with everything. There are a lot of benefits from demonstrating balance. It helps build partnership, trust and credibility, which you’ll need for a healthy risk culture. And when you're saying “no,” give them a legitimate reason why.

Articulate your decisions and be as fact-based as possible with your conclusions. The first line won’t always agree with you, but you’ll earn their respect by being thoughtful and methodical with your analysis.

People might tell you what you can and can’t say. My suggestion is if that's the environment you're in, it’s probably best to start looking for another job, because that’s not a healthy long-term proposition.

How important is the board's role in establishing and maintaining a healthy risk culture?

It’s huge. The board's role is to safeguard the long-term interests of shareholders. Part of that is credible challenge. They should play devil's advocate and ask management what they are doing to cultivate a healthy risk culture. I've seen plenty of boards that didn’t seem to care. They were just going through the motions. Some were friends of the CEO, and that just creates a toxic environment.

If the executive team believes the board is detached, then they probably won’t worry about culture. But I guarantee if the risk committee of a big bank’s board were to press management after an alarming report from the CRO about organizational culture issues, management would address the problem.

The board must have a line of communications open with management about managing risk. Ask how they are building sound risk practices through the culture of their organization. If management offers fluff in response and the board accepts it, then the firm is in trouble.

To ensure there’s a healthy culture, the board must be assertive. It’s hard to escape the conclusion from some of this year’s bank failures that boards were not doing their jobs.

On the risk committees in particular — which are supposed to be putting these organizations through their paces — few companies have people with real expertise. For example, there aren’t many former CROs sitting on bank boards. There are ex-regulators, CEOs and CFOs, so they have some understanding. But they haven’t managed risk. A regulator who oversaw risk is not the same as somebody who's managed it.

What is the main barrier you'd expect to face in implementing your plans to develop a healthy culture?

Recency bias, where you tend to overweight recent performance compared to historical results, can throw an organization's culture off track. Under such a scenario, leadership and business heads are focused on short-term earnings, which can lead to risk myopia and create tunnel vision.

If companies are overly focused on short-term earnings pressures rather than longer term financial viability, that will detract from risk culture and create an “us versus them” mentality. I've seen many cases where the first line bullies its way through the second- and third-line folks, because they see them as an annoyance or hindrance to their goals.

Boards that lack a credible challenge to management – or that give free rein to, say, a domineering CEO with a strong company performance track record – can steer the ship away from good risk management practices and healthy culture.

Tod Ginnis is a content specialist at GARP. He is the author of a GARP blog that is aimed at early-career risk managers and professionals aspiring to earn their Financial Risk Manager (FRM) certification.