
Page 1: Global Regulatory Network Executive Briefing - United · PDF fileJune 2014 . Global Regulatory Network . Executive Briefing . Americas Ted Price ted.price@ey.com Marc Saidenberg marc.saidenberg@ey.com

June 2014

Global Regulatory Network Executive Briefing

Americas: Ted Price, Marc Saidenberg, Don Vangel

Asia-Pacific: Keith Pogson, Philip Rodd, David Scott, Judy Vas

EMEIA: Urs Bischof, Marie-Hélène Fortesa, Tom Huertas, Patricia Jackson, Colin Lawrence, John Liver, Sheila Nicoll

Japan: Hidekatsu Koishihara

Risk culture

Meeting regulatory expectations and assessing culture

“Culture counts. A sound risk culture is likely to lead to the right risk outcomes, while a weak risk culture may promote the wrong outcomes — for customers and/or the financial institution itself.”

That is, in a nutshell, the message from the Financial Stability Board (FSB) and key supervisors around the world.1 But what makes a risk culture “sound,” and how can firms create a sound risk culture?

What makes a risk culture sound?

The FSB notes that risk culture is the institution’s norms, attitudes and behaviors related to risk awareness, risk-taking and risk management. This places risk culture at the intersection of behavior and risk management. According to the FSB, the right risk culture bolsters effective risk management; promotes sound risk-taking; and ensures that emerging risks and excessive risk-taking activities are assessed, escalated and addressed in a timely manner.

1 “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture (A Framework for Assessing Risk Culture),” Financial Stability Board, April 2014.

Global Regulatory Network Executive Briefing 1 © 2014 EYGM Limited. All Rights Reserved.

The right risk culture rests on three foundation blocks:

► Risk governance — practices that are clearly articulated and well understood; roles that are well-defined for the board, the chief risk officer and the risk management function; and frameworks that are independently assessed

► Risk appetite — a framework that is board-approved and embedded in business decisions through the organization

► Compensation — practices that are aligned with effective risk management

The FSB has asked supervisors to review banks’ risk culture and to consider whether the risk culture is appropriate for the scale, complexity and nature of a firm’s business. Indicators of a sound risk culture include:

► Tone from the top — The board and executive management are responsible for defining and articulating the institution’s values that underpin risk culture, “walking the walk,” holding all employees accountable for their behavior, promoting an environment that encourages challenge, and establishing and adhering to the institution’s risk appetite.

► Accountability — Employees at all levels need to understand the core values of the organization, the firm’s approach to risk, and the fact that they will be held accountable for their actions and risk-taking behavior. In addition, the business lines, the risk management function, compliance and internal audit should have clearly delineated responsibilities for the identification, management and escalation of risks.

► Effective communication and challenge — The environment needs open communication and constructive and effective challenge. This includes transparent decision-making, incorporating a range of views and testing current practices.

► Incentives — Compensation, performance management and career development should be geared toward the long-term interests of the institution and linked to risk management, conduct and compliance. Incentives should reinforce an organization’s core values and risk management practices.

How to create a “sound” risk culture

While the FSB paper provides insight into the desired behaviors, it sets aside the more difficult issue of how firms can assess and change their culture, recognizing there are many approaches. Building on the FSB paper and our work with firms, EY has developed a model to assist firms in assessing, changing and sustaining their risk culture.

The EY model (see Figure 1) incorporates four fundamental elements that influence and help to determine a sound risk culture: leadership, organization, risk framework and incentives. Each is tied to control mechanisms that need to be in place and work effectively.

Leadership — communicating the right message: combines the identification of desired behaviors with the tone from the top and middle of the organization

Organization — establishing the right environment: combines the way that risks are managed (roles, responsibilities and accountabilities) with the quality of risk governance

Risk framework — taking the right risks: includes risk appetite (the way it is set, embedded and monitored) and risk transparency, including the general openness of the organization to different viewpoints

Incentives — providing the right motivations: includes the employee life cycle from recruitment through training and management, with compensation and other reward mechanisms

Figure 1: EY attributes of a sound risk culture

In assessing, changing and sustaining a sound risk culture, firms need to approach each of the eight segments and “move the dial” by assessing the current state, the desired state and gaps; implementing and managing change; and, once the desired state is achieved, implementing sustainability programs.

EY’s approach incorporates the “softer” elements of behavior with the “harder” elements of risk management. Ultimately, such a program will create the right risk culture, one where strong control mechanisms reinforce the propensity of people to behave properly. That culture is sustainable. Other combinations of behavior and controls either produce variable outcomes or bad outcomes (see Figure 2).

Figure 2: Good outcomes result when proper behavior is reinforced by strong controls

| Controls | Firms’ behaviors: Proper | Firms’ behaviors: Improper |
|---|---|---|
| Strong | Good outcomes | Variable outcomes |
| Weak | Variable outcomes | Bad outcomes |

[Figure 1 labels: Leadership (communicating the right message): tone from the top, risk behavior standards. Organization (establishing the right environment): roles and responsibilities, risk governance. Risk framework (taking the right risks): risk appetite, risk transparency. Incentives (providing the right motivations): rewards, employee life cycle. Center: behaviors, outcomes. Note: To deliver an appropriate risk culture, a variety of mechanisms need to be in place and be effective.]

Attributes of a sound risk culture

Leadership — Tone from the middle is aligned with tone from the top, and desired risk behaviors are established.

Organization — Governance and business model support the delivery of desired risk behaviors and enable strong accountability and effective challenge.

Risk framework — Risk management framework is embedded in the way the business manages risk and enables effective challenge.

Incentives — Employee life cycle and incentives support the delivery of desired risk behaviors.

Where to begin — risk culture hotspots

Firms are often faced with the daunting challenge of where to begin. From an analysis of historical market failures, we have identified a number of risk culture “hotspots” that can serve as early-warning indicators. In many cases these develop in new businesses, complex products or remote locations.

Table 1: EY risk culture hotspots

a. Risk-taking and reporting lack transparency, especially at board level.

b. Risk appetite is not embedded in business decision-making, leading to inadequate control over risk, risk creep and strategic drift.

c. Behavior is compliance-focused or control-reliant, rather than focused on the risk that the controls might break and that there might be intrinsic risk in activities.

d. Incentive structures are driving poor behaviors, in particular a sales-driven culture.

e. The front office lacks risk ownership, including for nonfinancial risk, making the risk organization or compliance the de facto first line of defense.

f. Effective control structures are lacking — breaches of controls do not always have consequences.

g. There is poor control of high-risk areas, which could cause reputation damage.

h. The complexity in operations is undermining risk frameworks and controls.

i. Capacity, complexity and resourcing within risk functions have led to teams being too widely stretched, not having the right skills, or not keeping up with changes in the institution’s development.

j. There is a lack of oversight from the board on risk issues.

k. The presence of multiple cultures within one organization results in conflicting messages and different “tones from the middle.”

The way forward

All financial institutions should take actions to assess risk culture and make it more robust. These include:

► Identifying the key aspects of a sound risk culture and reviewing the current culture against them

► Ensuring that risk appetite covers financial and nonfinancial risks and is embedded in business decisions

► Reviewing risk governance processes to ensure that responsibilities are clear, the framework is effective and the front office owns all the risk

► Reviewing people processes and reward mechanisms to ensure that these are aligned with the targeted risk culture

For additional information, please contact:

Americas
Thomas F. Campanile Jr., Partner, Financial Services
Ted Price, Advisor, Risk Governance

EMEIA
Patricia Jackson, EMEIA Head of Financial Regulatory Advice
David Gallet, Executive Director, Financial Services

Asia-Pacific
Rob Walsh, Partner, Financial Services
Caroline McCombe, Senior Manager, Financial Services

EY Global Regulatory Network Executive Team

Urs Bischof is the former Head of Risk Management of the Extended Executive Board of the Swiss Financial Market Supervisory Authority. His responsibilities included risk management supervision and oversight, prudential regulations and leadership roles with respect to Basel III, systemically important financial institution (SIFI) regulations, payments and clearing.

Marie-Hélène Fortesa has extensive regulatory experience, including leadership roles at the Autorité de Contrôle Prudentiel (French Prudential Supervisory Authority), Association Française des Banques (French Banking Association), French National Institute for Statistics and Economic Studies and senior roles at a leading investment bank.

Dr. Tom Huertas is a former member of the Financial Services Authority’s Executive Committee. He also served as alternate chair of the European Banking Authority, as a member of the Basel Committee on Banking Supervision and as a member of the Resolution Steering Committee at the Financial Stability Board.

Patricia Jackson was the Head of the Financial Industry and Regulation Division of the Bank of England from 1995 to 2003. From 1997 to 2004, she was also a member of the Basel Committee, where she led the development of Basel II and chaired the Global Quantitative Impact Studies committee and the Basel II calibration subgroup.

Hidekatsu Koishihara is a former chief inspector and inspection administrator for the Japan Financial Services Agency. He also worked at the Ministry of Finance (MOF) of Japan, Japan’s former financial regulator, serving as the financial inspector at the Bank Bureau of MOF and Financial Inspection Division, and Minister’s Secretariat of MOF.

Dr. Colin Lawrence was Director of Risk Specialists at the Financial Services Authority (FSA), where he was one of the senior executives responsible for running the stress tests and recapitalization of the UK banks. He was a member of the senior management and transition committee in the formation of the Prudential Regulatory Authority and became Senior Risk Strategist to the Deputy Governor, Bank of England. Prior to joining FSA, he held senior executive positions at major universal banks in Europe and the US.

John Liver has held regulatory roles with leading investment banks, the UK Financial Services Authority and its predecessors. His roles include leading the thematic supervision in the Investment Firms Division; leading the Personal Investment Authority Supervision, where he oversaw the sales regulation of the life and pensions industry; and management roles in the Investment Management Regulatory Organization’s Enforcement and Supervision Departments.

Sheila Nicoll has held senior positions at the Financial Services Authority, the Investment Management Association and the London Stock Exchange since 1982. During the financial crisis, she supervised numerous mid-sized financial services institutions, before becoming Director of Conduct Policy and part of the leadership team which created the UK’s Financial Conduct Authority.

Keith Pogson has more than 20 years of experience advising governments and regulators across Asia-Pacific on banking reform. His expertise includes acquisitions, market entry strategy and due diligence across banking, asset management and securities. He is the Immediate Past President of the Hong Kong Institute of Certified Practising Accountants.

Ted Price was Deputy Superintendent and a member of the Executive Committee at the Office of the Superintendent of Financial Institutions, Canada, serving on the Senior Supervisors’ Group and the Financial Stability Board Supervisory Intensity and Effectiveness Working Group. Ted previously held senior roles at a global investment bank.

Philip Rodd has more than 23 years of experience in accounting and risk management, including 13 years in the Asia-Pacific region. He assists clients in assessing the impact of regulatory change, implementing compliance initiatives and responding to regulatory findings.

Marc Saidenberg was a senior vice president and director of supervisory policy at the Federal Reserve Bank of New York, representing the bank on the Basel Committee, and served as co-chair of the committee’s Working Group on Liquidity. He was actively involved in the development of the Basel III capital and liquidity standards, supervisory expectations for capital planning, liquidity risk management and recovery and resolution plans.

David Scott has spent 14 years working with a number of large global institutions, most recently on the implementation of the global financial regulatory reform agenda. He is involved in addressing emerging regulatory and legislative initiatives and engaging in dialogue with regulators and supervisors on emerging issues.

Don Vangel, Regulatory Advisor to the Office of the Chairman, joined EY after a 17-year career at the Federal Reserve Bank of New York, where he ultimately served as a senior vice president for bank supervision.

Judy Vas spent 16 years at Goldman Sachs as a managing director, Head of Regulatory Affairs and Head of Compliance for Asia (excluding Japan). Prior to this, she spent seven years in a senior role at the Securities and Futures Commission in Hong Kong. She sits on the Hong Kong Takeovers Panel, Takeovers Appeals Committee and the Hong Kong Securities & Investment Institute Examination Committee.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About the EY Global Regulatory Network

EY’s Global Regulatory Network helps our clients find solutions to their regulatory challenges, providing extensive experience, leadership and strategic insights on financial regulation. Led by Dr. Tom Huertas, former Alternate Chair of the European Banking Authority, the network comprises more than 100 former regulators throughout the Americas, Asia and Europe, many with senior regulatory experience, including membership in the Basel Committee, the Financial Stability Board, the European Banking Authority, the Federal Reserve Bank of New York and the Japanese Financial Services Agency. The network enables our clients to understand and adapt to the impact of the changing regulatory landscape, advising on such topics as:

► Capital and liquidity

► Recovery and resolution

► Governance

► Risk culture

► Structure

► Conduct

Learn more at ey.com/financialreform

© 2014 EYGM Limited All Rights Reserved.

EYG no. EK0293 BSC No. 1406-1273197 ED none

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com