Good McKinsey article about how to create a powerful risk culture without turning the organization upside down, and some related thoughts by Chris Skinner.
Managing the people side of risk:
The most effective risk managers we have observed act quickly to move risk issues up the chain of command as they emerge, breaking through rigid governance mechanisms to get the right experts involved whether or not, for example, they sit on a formal risk-management committee. They can respond to risk adroitly because they have fostered a culture that acknowledges risks for what they are, for better or for worse; they have encouraged transparency, making early signs of unexpected events more visible; and they have reinforced respect for internal controls, both in designing them and in adhering to them.
Changing a bank’s culture needs actions not words:
The values and culture need to focus back upon doing what’s right for the customer and society, being ethical and moral, open and transparent, trusted and secure.
These are all things that banks used to be, some say, and should be again. In particular, like lawyers and doctors, banks should have a code of conduct that they adhere to and that, if broken, would result in being struck-off.
Now these are things that some feel are already there.
We do have an industry code of conduct regulated by our Chartered Institute of Bankers and Institute of Financial Services. However, these are nowhere near as formalised or respected as the Law Society or the Medical Council in the legal and healthcare services, so being struck off by the Chartered Institute of Bankers does not strike fear into our hearts.