The procedural challenges in managing reputation risk

There is little doubt much has been done on the risk and regulation front since the financial crisis of 2008. Nor is there any lack of debate about how effective the measures have been. The to-and-fro over capital, ‘too-big-to-fail’, acceptable profits, culture and remuneration continues.

In general, though, it is difficult to disagree with the latest IIF/EY Annual Risk Management Survey when it says “since 2008, banks have materially strengthened their risk management approach”.

"What is clear from recent developments … is politicians are responding to community pressure, ill-defined as it may be, around bank culture and purpose."
Andrew Cornell, BlueNotes managing editor

They have, at the very least, thought long and hard about it and implemented change.

“From the board level down, significant investments have been made to risk, compliance and controls,” the survey says. “Headcount in control functions has increased considerably, as has the seniority and scope of the risk and compliance functions.”

Yet on top of the roughly $US400 billion in fines imposed upon banks around the world for conduct issues since the crisis, we have just had one of the most profound and pervasive scandals involving the one-time golden child of banking, Wells Fargo, over the systemic falsification of accounts.

The IIF/EY survey notes banks are now asking three broad questions:

  • What is the best design of control responsibilities across the first and second lines of defence?
  • What is the best way to identify and manage non-financial risks and approach them as separate risk types?
  • How do banks move to a sustainable business model?

The big question is whether these questions are sufficient in the light of not just the Wells Fargo issue but scandals with seemingly similar attributes, such as Samsung’s fire-prone batteries or Volkswagen’s industrial-scale cheating of environmental controls.

From what has been uncovered so far with these scandals, it seems they are cultural in the broadest possible sense rather than simply examples of where cultural ambitions have been thwarted – for example with the Libor scandal or mis-sold mortgages. These latest scandals indicate bad orchards, not just bad apples.

With Volkswagen and Samsung the evidence suggests the corporate culture of these institutions was very hierarchical, with advancement reliant on senior patronage, thereby choking off the transmission of bad news or practices up to senior levels.

Indeed, with both companies, employees have said senior management only wanted to see targets hit and didn’t want to hear about what was done to achieve them.

As one American politician on a California Assembly Committee hearing into Wells Fargo told a Wells executive, “It shocks me that you never met one client of yours that had a fraudulent account opened or seen one incident that you deemed was wrong.”

“There were still thousands of employees that engaged in this behaviour based on sales goals. They engaged in fraudulent activities millions of times.”


In the light of these scandals, the IIF/EY survey may seem prosaic or rarefied even when it says “banks have to manage non-financial risks more effectively”.

But this is right. All these scandals and other ‘non-financial’ issues such as diversity, sustainability, purpose can become financial with a vengeance.

It wasn’t that long ago that governance was considered ‘non-financial’ until more and more research emerged showing better governance delivered better and more sustainable financial returns.

The challenge for Wells, for Volkswagen, for Samsung is not just that governance and cultural issues have now manifested themselves in financial disasters but that they are so fundamental, they go to the heart of the agent-principal fiduciary arrangement where the board of a company is the agent for its owners, the shareholders.

It’s not a matter of changing systems or even remuneration but of creating a radically different culture.

Yet one of the most telling findings of the IIF/EY survey is how the respondents – chief risk officers and their ilk – are so focussed on process and implementation of regulation.

Obviously, a CRO is pre-occupied with “implementation of new regulatory rules and supervisory expectations” – ranked top risk area by 50 per cent of respondents – and “cybersecurity” – 48 per cent – along with “risk appetite” – 37 per cent.

But in this climate, should reputational risk be right down the bottom with 5 per cent? When surveyed on the “top five issues requiring the most attention from CROs in the next 12 months”, reputation fared only marginally better at 8 per cent.

There is recognition that culture is important.

“Banks recognise that to achieve a strong risk culture – only a quarter of banks claim to have done so – means embedding behavioural criteria into performance evaluations and compensation assessments,” the survey says.

“As such, beyond implementing regulatory requirements on deferrals, claw backs, and (in most regions) risk-adjusted, performance-based pay, banks are advancing their approach to embed ethics and control issues into employee pay and performance decisions.”

Such actions are necessary but not sufficient.

What is clear from recent developments, not just in the US with Wells but in Europe and Australia, is politicians are responding to community pressure, ill-defined as it may be, around bank culture and purpose.

It’s a clear and present risk for the industry.

But nor is it necessarily bad news. Company responses to problems – whether in regard to particular customers or more broadly – can be an opportunity for deeper engagement.

ANZ Wealth and Digital chief risk officer Kylie Rixon made a clear economic case for remediation on BlueNotes recently. Others have contrasted the issues at VW and Samsung in failing to acknowledge the extent of their problems with what is considered a case study of rapid and appropriate response: that of drug company Johnson & Johnson after one of its flagship drugs, Tylenol, was tampered with, resulting in seven deaths.

Even though the tampering was by an external party, J&J recognised it was the company’s obligation to take responsibility rapidly and in its business interest to protect its reputation.

Compliance with regulation is essential in this world but it’s not enough to sustain a reputation.

Andrew Cornell is managing editor at ANZ

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
