At our recent Risk Management conference, we invited Cathy Hampson, author of “An Introduction to Behavioural Risk” to talk about her work and experience in looking at people’s behaviour as it relates to Operational Risk in Financial Services organisations. Cathy provided useful insights as to why people might behave in the way they do and some considerations for any operational risk managers. In this article, we have summarised her thoughts.
The high-profile events that have dogged the reputation of Financial Services markets within the last ten years, from mis-selling of PPI to rate fixing, have been created in part by the rogue behaviour of people.
Cathy Hampson’s opening remarks in her presentation included: “The reasons that things go wrong is that companies are made up of people, people have behaviours, and behaviours have impacts”
“If you want to understand behaviour and culture then you need to understand the relevant human actions or even inactions of people, because it may not be malfeasance or it may not be anything bad at all but, despite all good intentions, people can and do destroy value and even whole firms”Cathy’s central point is that although understanding culture and behaviour can be challenging, the knowledge of motivations can provide early warning signs and enable action to be taken, thus reducing the risk of these high-profile incidents occurring.
Since 2008, business culture and people behaviour has also been a central thrust in the FCA’s regulatory policy. Peter Andrews, Chief Economist, FCA speaking in October 2017 stated “culture is a priority for the FCA, one of our seven business plan priorities for 2016/17. We believe that poor culture played a significant part in the financial crisis and that it is a root cause of many failings at firms. Thus, culture is both a major driver and potential mitigant of risk. Our ambition is that firms’ senior management lead and foster a culture that has the fair treatment of customers and market integrity at its core.”
What is Behavioural Risk?
Behavioural risk is concerned with how the behaviour of an individual or groups of individuals could cause harm to a firm. The challenge is that trying to determine the causes of certain behaviours and resulting cultures can be difficult and complex.
As Cathy describes it: “Behavioural risk is multifaceted; it isn't one discipline (rather) it consists of individual psychology, group dynamic theory, as well as elements of sociology, political and socio-economic theory. How people respond to the environment around them is also important, as well as what goes on in a firm.”
What is Business Culture?
Culture is often described as: “It’s how we do things around here”. Cathy draws on an example of how this is witnessed in practice:
You have recently started work in a new company and you arrive five minutes late for your first meeting. You may be faced with a few different responses:
- Fewer than half of the attendees have arrived and there is chit-chat amongst those already there, which continues until the last person arrives. No mention is made of lateness.
- You are the last but one to arrive, the meeting is underway but people do acknowledge your presence with friendly smiles or words of welcome.
- The meeting is already underway and you endure harsh stares from participants who do not even pause to acknowledge you, so you feel embarrassed.
This is just one small example that many people will have experienced, but it is how each of these small interactions every day, and how people respond to such circumstances that, in aggregate, form the organisational culture. Some interactions are risk-based, and some are not, but all contribute to a unique cultural profile.
As with behaviours, business culture is complex and consists of a mixture of instilled beliefs, attitudes, norms, role models, rewards and punishments as well as variation in the way people are treated when a risk event occurs. The important point is that culture is influenced, created and sustained by the actions of its leaders and managers; whether intentionally devised or as an unintended consequence. As Cathy illustrates, it is not the stated policies of the business that create the culture, but the reality of what happens in practice within the business on a day-to-day basis.
Let’s consider the following example: A major risk event occurs for a second time in a month, (within a firm that prides itself on having a “no blame” culture). It is the result of human error caused by one person who was meant to be supervised by another. People observe three different responses:
- The company prides itself on a “no blame” culture to ensure people raise errors quickly, therefore, training takes place after the event and no one is reprimanded.
- The company takes a “no blame” approach but the two individuals are closely monitored from that point onwards and need to prove themselves again in the future.
- The company takes a “no blame” approach on a first offence or says it does, but it can't tolerate repetitions and so looks to remove the person and supervisor from their duties.
On paper, these three responses all occur with a stated “no-blame” culture, but it is what people observe happening ‘on the ground’ that creates and defines the culture, as they can see for themselves where the actions and words match and where they do not.
So How Do Things Go Wrong?
Cathy suggests that people are not split into ‘good’ and ‘bad’, rather there is a spectrum of behaviours from people who can make mistakes through ignorance, confusion or a moment of weakness and those who deliberately choose to do harm.
In trying to understand this spectrum of behaviours, warning signs and actions, Risk Managers can refer to at least the three key behavioural theories that Cathy covered:
- Cognitive Dissonance
- Motivational Rewards
- The Segregation of Duties and the “Four Eyed Principle”
Cognitive Dissonance and Changing Norms of Behaviour
Cognitive Dissonance theory suggests that it is difficult for people to hold two competing thoughts that conflict with each other and so they look for ways to reduce that conflict or dissonance. So, for instance, engaging in a particular business activity may go against an individual’s beliefs. To bring their beliefs and actions back in harmony with each other, they will need to either change their beliefs about the activity, or change their behaviour to bring the two into line. An example might be in a call centre where operatives believe that they are well-treated relative to their pay and not given enough breaks. To create a greater sense of ‘fairness’, they might create techniques as a group to override the system to achieve more breaks. This then becomes a norm of behaviour for the whole team and helps restore a sense of balance of work required versus pay given.
This is clearly an important theory to understand when considering the effectiveness of your controls, if policies are being continually undermined.
Some actions worth considering:
Be aware of shifting norms and be aware that they could change slowly over time and you might not notice them. So, in what ways could you identify a change to the norm?
- Ask new people about their perceptions
- Ask leavers what has changed since they joined
- Get a regular independent culture audit or review
Motivation and Rewards
In the Financial Services’ industry we often use money as a major motivator. The approach, if not carefully planned and tested, can be flawed for two reasons. Money may not be the major motivator for many individuals (a good boss might be more important for example). So, it might not drive the desired behaviours anyway. If unduly enriched, the cognitive dissonance effect could ‘rear its head’ and an excessive bonus on offer could, in theory, provide that individual with a cognitive rationale for doing ‘all that it takes’ to achieve that prize, regardless of how the individual might truly feel if doing the same task for a fixed salary. The ‘end justifying the means’.
Some actions worth considering:
- Find out the reason(s) why people are not complying with company policy (for example not using their systems correctly), in order to determine more appropriate rewards for good risk behaviour.
- Plan carefully high rewards within your organisation, which might not motivate towards the desired outcomes and could even provide your employees with a rationale for doing something outside of normal bounds.
Segregation and Four Eyes Principles
This theory is interested in the act of one person checking the work of another. There is a general assumption that this practice is one of the most effective methods of internal error control, however Cathy suggests that there are dangers in over-reliance on this aspect:
“We often ask people in organisations to cross-train between jobs, which is good for reducing key person dependency and good for them personally. We move people between departments for career development, we team build, we have cake-making competitions! All this is aimed at trying to build trust and foster closer relationships, which is obviously a good contributor to a company’s culture. But at the same time, we want people to be goal-oriented, to ‘have fun but get the work done’ and have a ‘can-do’ attitude. However, in doing so we are creating possible dissonance; we are asking them to be the controls and checks on each other and at the same time (asking them to) be the best of ‘friends/colleagues’ and share knowledge widely. This is true in many firms, including highly regulated Financial Services organisations.”
Some actions and considerations with regards to the segregation of duties:
- When requesting information on risks or controls ask for an affirmative note rather than just a ‘box tick’ i.e. write explicitly what actions you took as your control or as the result of an incident.
- Grant the ability to miss deadlines and goals when risk is a higher priority and be careful that deadlines therefore do not drive unwanted behaviour.
- Allow people to have the ability to ‘put their hand up’ and say ‘this does not make sense!’. Unchallenged following of flawed established practices does not make a good risk culture.
- Be aware of ‘system access creep’ especially where job rotations occur and/or where people gain additional access through different roles. Over time, their access can accumulate additional system permissions that, collectively, create a ‘toxic mix’, so regular spot checks and the building of monitoring tools will help to minimise this risk.
- Use people with a broader knowledge of systems and procedures to overtly find and report flaws. Ask them to help you build dangerous scenarios that they can envisage because of their unique system and procedural flaw knowledge.
- Be aware of encouraging partnerships which consist of a dominant influencer and a passive partner. Having a dominant person making decisions or taking actions without the effective control envisaged by the partnership could have a negative impact. The passivity of the subservient person could render that control as useless, but comfort is being gained from the fact that there is a ‘maker’ and ‘checker’ involved.
Cathy concluded with a thought regarding marrying future technology with today’s behavioural risk challenges. An example being to consider the use of Robotic Process Automation (RPA) for at least part of a segregation of duties process, as it both removes the human error and the conflicting emotions of ‘friendship/collegiality’ versus acting as a control on other people.