Let’s start with a question. ‘Does a trader from a Swiss bank on a trading floor in Tokyo have more in common with a trader in the same market in a different bank in London or New York than (say) a teller in a branch in their bank in Switzerland?’
And another question. ‘Does an engineer working for BP have more in common with an engineer from another company working on the same project than (say) an accountant from BP in London?’
The answer to the first question is Yes, as the LIBOR and FX manipulation scandals illustrated. And also Yes to the second, as the Deepwater disaster in the Gulf of Mexico showed.
People in the ‘same game’ share common perceptions, values and practical experiences not only about the rules for doing their day to day jobs but also about the risks involved in those jobs.
Much of the debate today on risk and culture concentrates on the role of so-called ‘organizational culture’, but people are driven not solely by the rules of their current employer but also by their education, professional networks and personal experiences.
Edgar Schein, the guru of Organizational Culture [1], identified not one but multiple categories of ‘cultures’:
- Macro Cultures – Nations, ethnic and religious groups, and occupations that exist globally;
- Organizational Cultures – Private (corporate), public, non-profit, government organizations;
- Sub-cultures – Occupational groups within organizations; and
- Micro-cultures – Micro-systems within or outside organizations.
As an example, if we take ‘accountants’, then the accounting ‘profession’ (e.g. CA and CPA) is a macro culture, which has standards that transcend individual firms; the accounting department (headed by the CFO) is an organizational construct, with internal corporate standards; cost accountants might be a sub-culture within an accounting department; and forensic accountants might be considered a micro-culture with close links to other departments, such as Fraud and Investigations.
What makes a ‘culture’?
Summarizing Schein’s comprehensive definition [1], a ‘culture’ is about people ‘sharing’ three experiences, specifically Shared Assumptions, Shared Operational Models and Shared Education.
For example, accountants share common assumptions (i.e. IASB definitions), operational models (e.g. IFRS standards) and education (CPA, ACCA certification etc.), with the result that an accountant in a manufacturing firm operates much like (but not identical to) an accountant in a bank and could interchange without too much difficulty, because their training and standards are deliberately transferable.
Before moving on, the ISO 31000 standard might be considered to be an attempt to create a risk management ‘macro-culture’ that transcends individual organizations; firm-wide risk management departments; specializations such as credit risk managers; and micro-cultures such as risk modellers.
A key question is whether ‘macro-cultures’ exist outside of the recognized professions?
The classic case of risks arising from an identifiable macro-culture is that of the LIBOR and FX benchmark manipulation scandals, where the traders and brokers knew (or knew of) each other because they had worked together in the past and used their market knowledge to conspire to cheat the customers of their employers [2]. Their loyalty was to each other rather than the firms that employed them.
In looking at misselling of products in UK retail banking, Spicer et al. [3] identified a ‘sales’ macro-culture that pervaded the sector. They noted that “what was striking about this sales culture was that it was not just limited to one organization. Instead it was replete throughout the industry. It is therefore more accurate to call it a ‘macro-culture’ that cut across the entire industry”.
Another example of risks arising from an identifiable macro-culture is that of the collapse of the Irish banking system, where, only a few months prior, the main banks had been judged to be viable by their external auditors (the Big 4/5). In parliamentary inquiries, auditor after auditor fronted up and admitted that something had been up, but they were unable to say anything about it because of the prevailing accounting standards – in other words, the IFRS made me do it [4].
In the debate on ‘risk’ and ‘culture’ then, analysis of ‘organizational culture’ can be seen as being necessary but not sufficient for identifying and managing risks to a firm AND importantly the system [5]. There is a need therefore to research the impact of cultures other than ‘organizational’ on risk management.
Unfortunately, many of our current risk management models, such as COSO, IRM and ISO 31000, operate only at the level of the organization, assuming that risks are idiosyncratic to the firm, which they clearly are not in some cases!
References
[1] Schein, E. J., 2010, Organizational Culture and Leadership, San Francisco, CA: John Wiley
[2] McConnell, P. J., 2013, “Systemic Operational Risk – The LIBOR Scandal”, Journal of Operational Risk, 8(3), Fall
[3] Spicer, A., J. P. Gond, K. Patel, D. Lindley, F. Fleming, S. Mosonyi, C. Benoit and S. Parker, 2014, “A Report on the Culture of British Retail Banking”, New City Agenda and Cass Business School, London, http://newcityagenda.co.uk/wp-content/uploads/2014/11/Online-version.pdf
[4] Nyberg, P., 2011, “Misjudging Risk: Causes of the Systemic Banking Crisis in Ireland”, Ministry of Finance, Dublin
[5] McConnell P. J., 2015, Systemic Operational Risk, Risk Books, London