John Thackeray (Author)

John Thackeray is a risk and compliance practitioner and an acknowledged writer. As a
former senior risk executive at Citigroup, Deutsche Bank AG and Société Générale, he has had
first-hand engagement with US and European regulators. John holds an MBA from the
Chartered Institute of Bankers and was a Lecturer in Banking, Economics and Law.

He is a frequent contributor, thought leader and speaker on risk industry insights and has published
risk articles and white papers for the Professional Risk Managers’ International Association, the Global
Association of Risk Professionals, the Risk Management Association, the Association of Certified Fraud
Examiners, the Association of Certified Anti-Money Laundering Specialists, and the Chief Financial Officers



Climate risk is the defining issue of our generation, but it is the velocity of climate change which will have the greatest and most profound impact upon our lives. Climate risk is a long-term, science-based, non-diversifiable risk, impacting and affecting all industries. To the corporate world, climate risk is a balance sheet risk, a profit and loss risk and, more importantly, a reputational risk. The risk requires firms to think about assigning a comprehensive set of roles and social responsibilities/values that can be measured and held accountable in order to mitigate the challenges posed. Through climate change, one sees the interconnectedness of emerging risks, with the current pandemic a manifestation of both the velocity and acceleration of this risk, ushering in a transformation of thought, word and deed.

Business Model Changes

COVID-19 is a dress rehearsal for climate change, a harbinger and abstract of what is in store down the road. The current pandemic is an agent of change, causing disruption and requiring firms to adapt their business models to accommodate these changing circumstances. Such a change can be seen in the realm of stress testing and scenario design (the common tools used to identify, measure, quantify and review enterprise risks, both known and unknown), with the data provided by COVID-19 adding more realistic data and testing parameters to the emergence of climate change. Stress testing and scenario design have been around for a while, but what has changed in this pandemic is the need to repurpose and enhance existing models whilst, at the same time, overlaying and incorporating new thinking and parameters. Common issues such as data quality, information technology and risk management have had to be structurally addressed to ensure that the resultant output of these tests is both meaningful and transparent to its many users. The pandemic has raised questions about the gathering, collection and frequency of the data utilized, requiring and enhancing data sets which can be introduced and populated for climate change modelling.

Business/Government Leadership

COVID-19 has ignited and obfuscated the current climate change debate, with politicians from all walks of life trying to distract and manipulate the debate for short-term considerations. This political uncertainty is amplified by the fact that firms operating in multiple jurisdictions will have to cater to the differing lenses and perspectives of constantly changing central government policy. If the way out of the current pandemic comes in the form of a green viral, it may be that the corporate world needs to take the initiative, striving to do what is right, leading to greener pastures.


Firms have now been forced to plan to include climate risk within their portfolio of risks, with a framework that includes the five pillars of governance, risk management, strategy, pricing and metrics. The lynchpin of this framework is governance, and this is evidenced by company boards, rather than senior management, driving and dictating the change; setting a whole new sense of social and commercial responsibility, the likes of which have never been seen before. Moreover, boards have had to be educated at short order, with many turning to colleagues from the insurance industry who have a wealth of experience in forecasting and dealing with the long-term implications of climate. It is becoming self-evident to boards that firms' very existence is wrapped up in the way they approach climate risk and the efforts needed to improve their continuing viability, sustainability and resilience. This climate change DNA is invoking, for the few who walk this path, a strong culture of compliance and governance focusing on quality returns and maximizing the customer experience.


Many firms have been forced to disclose their efforts by means of written narrative in their financial reporting. The quality of their disclosures will be under the microscope, with stakeholders looking to see that the words have been translated into concrete actions. Boards and senior management will be watched with eagle eyes on how they behave, with any discrepancies the subject of litigation and social media scrutiny. The messaging will be all important and could be part of the sustainable company brand. The requirements needed to comply with the above measures are exacting, with financial institutions now needing to monitor their customers' green efforts and behavior by means of covenants and warranties. The covenants and warranties are far reaching, extending to both funding and investment decisions, in terms of research and development and capital expenditure. Lending firms are becoming more closely identified with their customers and their borrowing policies, a reflection of their climate corporate governance. This gives lending firms the opportunity to position themselves as "green" role models and brand their lending accordingly. The more astute firms will take this on board, with performance tables being designed and produced indicating the applicability of climate risk standards, enabling the corporate world to be benchmarked against one another.


Above all, climate risk must be thought of as a commercial risk; the institutions that embrace and adopt these changes reinforce corporate values which can be a game changer in terms of reputation and culture. Those institutions that adopt a higher purpose with a climate moral compass are likely, anecdotally, to experience a more coherent and collective culture. This culture change can be seen as a competitive advantage, but it must be remembered that there are costs associated with the introduction of this climate change vision. Embedding this transformation requires sustainable re-engineering of business practices and models, demanding investment in different skill sets and training.

Mankind is watching, and the question is: do you want to be the shepherd or the sheep? The choice is yours.

John Thackeray

To regain public trust, the boards of directors at banks must take proactive steps to court complaints and encourage whistleblowing about employees’ malfeasance.

By John Thackeray

Public perception that financial institutions are driven by greed and wilful blindness has recently been reinforced by a seemingly never-ending litany of scandals. This impression of failure is a damning condemnation of both management and boards of directors for failing to communicate clear messaging and to implement and maintain effective conduct-risk plans.

To inform and reinforce ethical behavior, a firm needs more than, say, a 150-page employee handbook. Indeed, the pressure is now greater than ever for boards to provide sustainable, ethical governance and oversight – independently and proactively.

The question facing banks' boards is how to ensure that the character and values they preach are actually practiced by their employees. Board members who place their faith in senior management need a multitude of mechanisms to verify this fidelity.

Let’s now take a look at three steps every bank can take to mitigate conduct risk:

1. Proactively court complaints.

Create a department that is responsible for categorizing employee complaints and discovering the root cause of misconduct. Complaints should be risk ranked and be readily communicated to the board. Moreover, employees should be actively encouraged with reimbursement for their time and effort. The idea, of course, is not to exonerate bad behavior and bad practices, but, rather, to better understand their underlying causes.

2. Employ secret bankers to act as a company’s eyes and ears, reporting independently to the board.

Much like the concept of secret shoppers within retail, these specialized bankers can be parachuted into areas of concern – including high-profit groups. They should be trained to observe whether existing working practices are compatible with a bank’s ethics policies and must use all the tools at their disposal to understand behavioral drivers and the underlying pressures that employees are facing.

3. Reward whistleblowing.

Instead of relying on regulators to reward whistleblowers, banks themselves should offer a monetary incentive for employees to report conduct violations. Since whistleblowing is often perceived as a career-ending event, the compensation should be significant. This policy will set the tone from the top, encouraging employees to challenge bad behavior, without being stigmatized and without enduring major financial losses.

Parting Thoughts

All three of these measures are proactive and require very little implementation cost. A change in mindset, above all else, is what’s needed to deploy these measures effectively.

The goal should be to encourage employees to "actively rush toward the fire," with a plan to extinguish it. But for that to happen, banks must implement clear conduct standards, while also taking action to better understand employee behaviors.

John Thackeray is a risk and compliance practitioner and writer. His firm, RiskInk, helps businesses control their risks by writing policies and procedures to mitigate them. As a former senior risk executive at Citigroup, Deutsche Bank AG and Société Générale, he has had firsthand engagement with U.S. and European regulators.

The defining issue and top global emerging risk of 2020 is climate risk, which has been gaining a sense of urgency with major implications for financial institutions. Climate change can no longer be viewed in isolation as a reputational risk but must be seen and addressed as a financial risk that needs to be integrated into existing risk management frameworks. Climate risk is a "transverse" risk that can extend its reach into existing risk stripes. As climate risk manifests itself through existing risk stripes, climate change can also heighten credit risks for banks, as demonstrated by the recent PG&E bankruptcy. Banks need to consider how climate-driven financial risks can be embedded into current financial risk management frameworks.

Regulators have been influenced by increasing interest in both the impact and implications of climate change as a result of public awareness and the failure of governments and the United Nations to reach substantive and collective agreement. In this vacuum, central banks are starting to lead by example by including climate-related risks in their evaluations, leading to an escalation of policy pronouncements which are likely to adjust more rapidly with an intensification in the climate change debate. Increased cooperation is evidenced by The Network of Central Banks and Supervisors for Greening the Financial System (NGFS), an international cooperation and collaboration between central banks and regulators with a main aim to address the financial sector’s attempts to achieve the Paris climate goals.

Since climate change continues to have huge economic and political implications, regulators are pushing financial institutions to take climate risk issues into account in their analyses of country risk and sovereign ratings, which will filter down into individual counterparty ratings.

The IMF's new chief, Kristalina Georgieva, pioneered green bonds in 2008 while at the World Bank. Her discussion of whether to assign different risk weightings to assets that are more or less green is fostering an important debate that engages the financial community. Recently the US Democratic Senator Brian Schatz of Hawaii introduced a bill that would direct the Federal Reserve to subject large banks to stress tests measuring their resilience to climate-related financial risks. The proposed Climate Change Financial Risk Act of 2019 underscores worries among policy makers over the risk posed to the financial system by the continuing and sustained weather events which plague the continental United States.

Accountability has become the weapon of choice: financial institutions that have signed up to laudable climate principles (e.g. the Equator Principles) will need to demonstrate with actionable examples how they are adhering to such principles. Shareholders and social media will apply a lens which may mean Boards will need to become climate literate at a faster pace.

The need for disclosure is paramount and this process will escalate initiatives led by the Task Force on Climate-Related Financial Disclosures of the Financial Stability Board. As an example, the Task Force is recommending that companies make their climate-related risks known to lenders and other stakeholders.

Board members are increasingly being viewed as fiduciary custodians by their stakeholders and as such there has been a need to include representation from climate science on the Board. Moreover, some Boards are openly demanding the need for organizational structural change by means of a Sustainability Committee reporting directly to them to enhance Board comfort around the climate challenges.

Call to Action

A call to action seems to have resonated with all stakeholders within the community, as evidenced below:

• The UK's regulators — the Prudential Regulation Authority became the first regulator in the world to publish supervisory expectations that explain how financial institutions need to develop a methodology, framework and approach to managing financial risks emanating from climate change.

• The Bank of England is insisting that there is a senior manager in each major financial institution responsible for managing climate risk, who can be liable for fines or a ban if there is ineffective governance and oversight.

• Barclays has joined sixteen other leading banks, the UN Environment Finance Initiative (UNEP FI) and Acclimatise in publishing new methodologies that help banks understand how the physical risks and opportunities of a changing climate might affect their loan portfolios.

• HSBC has set up its Climate Change Centre of Excellence, which analyzes the commercial implications of climate change for HSBC Group businesses and clients.

• French banks such as BNP, Société Générale, Natixis and Crédit Agricole have retreated from and stopped lending for oil and gas from shale and tar sands. These banks are pioneering in the climate space, driven mainly by France's Energy Transition Law, which was introduced in 2015 and requires financial institutions to report on their carbon risks.

• The European Union is to stop funding oil, gas and coal projects at the end of 2021. The European Investment Bank (EIB), the EU's financing arm, will bar funding for most fossil fuel projects.

• Sweden's central bank has ditched bonds issued by Australian and Canadian regions on the grounds that their carbon emissions are too high.

• A shareholder in Australia filed suit against the Commonwealth Bank of Australia for failing to adequately disclose climate risk. The case was dropped after the bank released new reporting that recognized climate change as a financial risk.

• A retreat from lending to companies with large carbon footprints has left some financial institutions with large industrial exposures that they had not planned or been prepared to hold.

• Spanish energy company Repsol SA is cutting the value of its assets by billions of dollars because the global transition to a lower-carbon economy is weakening the outlook for energy prices.

• Up until now, these climate risks have largely been absent from investors' models, but the rating agencies are at least thinking about changing their methodology and methods for assigning ratings to incorporate climate risk.

• Investment funds are now being held to a higher standard when it comes to their portfolio restrictions and guiding principles on climate-related investments.

Risk Identification

Financial risks stemming from climate change are generally viewed as arising through three main channels: physical risk, transition risk and liability risk. Physical risks arise from climate- and weather-related events. These changes in the physical environment will create physical risks that will impact individuals, businesses and economies, consequently affecting a variety of financial transactions. Transition risks arise from the process of adjusting toward a lower-carbon economy. Policy, technology and laws relating to climate change could be accelerated, prompting a reassessment of the value of a large range of assets as costs and opportunities become apparent. This reassessment could modify the value of assets and liabilities, thereby altering the risk profile of financial institutions. As the opportunity to take voluntary steps lessens and government requirements become more immediate and demanding, the velocity at which the transition occurs will determine the scale of disruption for affected industries.

Transition risk is likely to be the biggest area of influence on asset values in the shorter term, whereas the physical effects are likely to be the driving factors influencing asset values and economic performance in the medium to longer term.

In jurisdictions such as the US or Europe, lenders are unlikely to be held directly liable for the activities of the companies that they lend to; however, this may soon change due to increased political and social pressure. Banks acting as underwriters of bonds should assess the materiality of climate risks to an issuer's business when drafting risk factors in the offering documents. For Board members, there is a real risk of being sued for not disclosing and, alternatively, of being sued for making forward-looking statements about climate change which prove to be incorrect.

Given the uncertainty around the future path of emissions, and their associated economic and financial impacts, a natural tool for analyzing these risks is scenario analysis. There are two primary types of scenarios fit for this purpose: climate-impact (physical risk) scenarios and transition scenarios. Climate-impact scenarios investigate the effects climate change could have on economies, societies and ecosystems, given an assumed level of emissions; transition scenarios model how economies might adjust given a temperature target and government policy. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from their traditional use in its longer time horizons, its description of physical variables and, generally, its non-inclusion of specific economic parameters. The Bank of England is asking British insurers and lenders to gauge to what extent global warming might impact the value of their investments and balance sheets — and its potential to destabilize the financial markets. The three climate scenarios promulgated by the bank's Prudential Regulation Authority are "exploratory" in nature. The hypothetical narratives are designed to pinpoint risks and exposures, with no pass or fail, and publication of results in aggregate without naming institutions.

How Climate Risk Impacts Existing Risk Types

There is a need to examine existing risk types and consider whether climate risk is sufficiently material to be incorporated and embedded into established risk frameworks. Financial risks will typically be greater for long-lived assets and liabilities (e.g., infrastructure, pensions) than for short-term contracts, where risks and pricing can be more readily adjusted. There may also be consequential risks, such as concentration risk and asset-liability mismatches. The more that these types of transverse considerations are embedded into firms' day-to-day governance and risk management processes, the better firms will be able to manage and mitigate the financial risks of climate change. The risks relate to a firm's clients, counterparties and its own internal operations.

Moreover, credit analysis will also have to change, as illustrated below, to meet the climate risk challenge:

• Climate change may affect the comparative market competitiveness and performance of the firm, e.g. the writing down of carbon asset values on the balance sheet.

• Differential pricing and returns may have to be incorporated, with the credit proposal emphasizing the basis for carbon-free projects.

• Noncompliance with environmental regulations could result in various and different forms of liability for the project and its stakeholders, as well as unwarranted publicity.

• The client's ability to refinance may be compromised once awareness of climate risks has increased, making it more difficult for a current investor to exit.

• Repayment sources may be affected, as income from the sale of assets or equity by clients may be diminished as climate change affects market values.

• The cost of insurance for clients may increase, and exclusion clauses may become more onerous. Insurance cover may no longer be available, forcing companies to self-insure, which would require them to make financial provisions to cover future losses, affecting their financial capacity.

Passing Thoughts

Now is the time to act on greening the financial system in order to move away from a verbal undertaking of corporate responsibility to one of sustainable leadership. The world is watching to see which financial institutions have the vision and leadership that define their role in the social and economic fabric of climate change.

This article was published on issuu

Whistleblowers across the European Union (EU) have won greater protection under landmark legislation aimed at encouraging reports of wrongdoing. According to the BBC, "The new law, approved by the European Parliament, shields whistleblowers from retaliation" and creates "safe channels" to allow them to report breaches of EU law. It is the first time whistleblowers have been given EU-wide protection.

Also under the new law, "If no appropriate action is taken or in cases where reporting to the authorities would not work, whistleblowers are permitted to make a public disclosure — including speaking to the media." The law "protects whistleblowers against dismissal, demotion and other forms of punishment." National authorities are required to train officials in how to deal with whistleblowers under the legislation.

If member states fail to properly implement the law, the European Commission can take formal disciplinary steps against the country and could ultimately refer the case to the European Court of Justice.

Whistleblowing in practice
Whistleblowing should be an essential component of strong corporate governance and should be embraced at the top of an organization. It exposes and shines light on wrongdoing and bad culture. However, far too few boards see it as a reflection on them, treating it instead as an unnecessary evil that provokes an outcry of emotion rather than objectivity.

There is a target-rich environment, as many firms, especially in the U.S., have been taken to task over their culture. Some rewards are simply enormous. For example, “Two whistleblowers received a total of $50 million for providing information that helped the Securities and Exchange Commission pursue a case of corporate wrongdoing against JP Morgan Chase,” the SEC said last month. Given that this is between 10-30% of the total proceeds, the SEC walked away with a substantial tax-free amount.

The SEC whistleblower program received a record 5,282 tips during 2018, an increase of 18% from a year earlier, according to a report submitted by the securities regulator to U.S. Congress. Tips have nearly doubled since 2012. I remember a pertinent fact from studying for the CFE Exam: around 40% of all fraud investigations are derived from tips, according to the ACFE's most recent Report to the Nations.

The increase in tips has put the onus on whistleblowers and their attorneys to present better evidence of their claims at the outset, since the regulators, given their limited resources, only investigate the most robust and profitable cases.

If regulatory agencies begin talking to each other and are willing to share the rewards, and upsize their surveillance with the latest technology, the fines alone would probably pay for the organization budgets. With an abundance of riches, prescient regulatory agencies and enhanced protection, there seems to be no better time to be a whistleblower.

This article was published on ACFE Insights

As Warren Buffett once said, “It takes 20 years to build a reputation and five minutes to ruin it.” This rings especially true today, as high-profile crises – including cyberattacks, product recalls and damaging social media posts – become more prevalent.

John Thackeray

Reputation represents an interpretation or perception of an organization’s trustworthiness or integrity. Reputation equals integrity and integrity equals social responsibility – i.e., sustaining the “social license to operate” and ensuring that business practices, operating procedures and corporate behaviors are acceptable to employees, stakeholders and the public.

Reputational risk is the current and prospective impact on earnings and enterprise value arising from stakeholder opinion. To understand and address reputational risks, and to create a sustainable plan for mitigating them, an organization must first identify and assign ownership for each of its risks and then determine its appetite for risk/reward.

Management of reputational risk can then be addressed via the three lines of defense, which include strategic alignment, cultural alignment and operational focus.

Strategic Alignment

Create effective board oversight.

Reputational risk management starts at the top. Matters of strategy, policy, execution and transparency (particularly with respect to reporting) must be closely overseen by the board. Indeed, these issues are vital to effective corporate governance, which plays a huge role in sustaining reputation.

Managing reputational risk doesn’t typically fit neatly into a single function. Ultimately governed by the board, it requires clear accountability, leadership and engagement across numerous teams.

Integrate risk into strategy setting and business planning.

The board and executive management must ensure that risk is not an afterthought to strategy setting and business planning. Reputational risk must be identified as both a material risk and a strategic risk, and should be inextricably linked to the company’s risk management and crisis management disciplines.

Board and senior management should also ensure that there is adequate focus on the critical enterprise risks that could impair the firm’s reputation. What’s more, a process for identifying emerging risks on a timely basis must be established, and the company’s risk profile must be continuously appraised.

Emphasize effective communications, image and brand building.

Building brand recognition unique to a business is vital to market success and, when all else is working well, augments reputation. A good story is easy to tell. Typically, though, the best companies (1) develop powerful and distinctive messaging; (2) establish accountability for results with metrics and monitoring; (3) work social media effectively; and (4) passionately live up to their values every day.

Pay close attention to crisis planning and operational resilience.

Successful management of a crisis event can mitigate potential reputational damage. Through an effective crisis management framework, an organization can integrate the right processes, roles and governance into existing contingency plans.

Of course, it often takes practice to know when to mobilize a crisis response, what information to communicate to which stakeholders and how to coordinate communications across different teams. Companies can test processes and gain experience by running crisis simulation rehearsals based on the most critical reputational risks.

Collaborate with stakeholders.

The executive team and board of directors should interact more with customers, employees, suppliers, regulators and shareholders. News about risks, business operations and branding should be communicated proactively.

No organization or brand will be able to succeed without doing good and doing well — i.e., delivering financial performance while also making a positive contribution to society. Social purpose needs to be embedded into the very fabric and heart of the enterprise.

Cultural Alignment

Establish strong corporate values, supported by appropriate performance incentives.

Boards need to ensure that executive management implements a strong tone at the top, a variety of effective escalatory processes and periodic assessments of the tone in the middle and tone at the bottom. To shape and influence the corporate culture from end-to-end, the executive team must align performance incentives with corporate values.

Moreover, executives and directors need to pay attention to the warning signs posted by the independent risk management function and to audit reports that offer evidence of possible dysfunctional behavior.

Comply with laws, regulations and internal policies.

Few incidents undermine reputation more than serious compliance violations. The accompanying media headlines can drag a company’s brand through the mud. Senior executives, with board oversight, should take steps to implement effective, compliance-driven internal controls.

Operational Focus

Build a strong control environment.

Embarrassing control breakdowns, especially in the arena of public reporting, can tarnish reputation. Every board should therefore expect and demand a strong control environment that not only signals management’s commitment to integrity and ethics but also lays the foundation for a risk-aware culture.

Develop an early warning system.

Embedding risk sensing into an organization’s risk governance program enables the continual identification of emerging threats. To spot potential risks, many leading companies perform 24/7 monitoring of traditional and social media outlets and internal data sources.

Monitoring teams can support both daily reputational threat sensing and crisis management response. Companies with strong monitoring capabilities can more effectively analyze and interpret data, leading to better, more-informed business decisions.

Parting Thoughts

Reputation is everything, and financial institutions must therefore do everything in their power to better measure and mitigate reputational risk. This is a challenging task, but a strong risk culture, a proactive board and a comprehensive framework for operational resilience are excellent starting points. To be effective, they must all act in harmony with each other; this is not the place for compromise or shortcuts.

This article was published on Global Association of Risk Professionals

Basel’s Principles for the Sound Management of Operational Risk defines risk culture as “the combined set of individual and corporate values, attitudes, competencies and behavior that determine a firm’s commitment to and style of operational risk management.” It is no coincidence that — of the 11 principles Basel cites — risk culture is at the core of the very first principle: Strong risk culture is ONLY achievable in concert with strong firm-wide culture.

I believe that there are three key ingredients to this as follows:

  1. Tone at the top
    While it starts with the board of directors (who should influence the C-suite), it is the C-suite and senior management who establish the tone for risk management culture. The underpinning of this culture must be derived from the top through a comprehensive risk appetite framework. Risk appetite is “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives.” It forms the foundation to which everything else can be attributed, following a principled approach that:
    • Aligns strategy with risk appetite.
    • Reflects the entity’s risk management philosophy, and influences the culture and operating style.
    • Guides resource allocation and aligns the organization, people, process and infrastructure.
  2. Governance
    A strong risk culture has a strong, effective governance structure which is fit for the needs of the organization. It will be featured in many of the organization’s business functions and be an integral part of the decision-making process. The structure will have a clear pathway which shows the hierarchy of this decision making by dedicated risk teams and committees. The structure will be transparent and open to both challenge and review. The information on risk activities, standards and protocols will be easily accessible internally and externally.
  3. Living pulse
    The above factors must be translated into a living and breathing risk culture, evidenced by human interaction within the organization and including elements such as those below:
    • Risk management inclusion in end-of-year performance evaluations.
    • A whistleblower program or anonymous complaint tracking system.
    • Anonymous surveys to gauge employee views on the risk culture of the firm.
    • Metrics used to gauge the adequacy and effectiveness of the risk culture.

Proof in the pudding

These three ingredients then translate into the seven hallmarks below:

  1. Clear communication of risk appetite and risk disclosures to all internal and external stakeholders.
  2. The risk culture is transparent and clearly defined through training, education and a common language.
  3. A standard risk/control/compliance taxonomy is backed up by written policies which represent the risk appetite of the organization.
  4. Roles and responsibilities are clearly articulated and the governance structure is all-inclusive.
  5. A strong risk analytics program is established to include scenario and stress testing models to capture correlated and unknown risks.
  6. Evidence of risk-adjusted pricing is reflected in risk transfer pricing, risk capital and risk-based product pricing.
  7. Risk management is integrated in strategic planning, performance measurement, budgeting, projects and operational activities.

A strong risk culture will always be a winner of the marathon, with staying power and stamina, if the organization is willing to take it on.

This article was published on ACFE Insights

Toxic culture and its consequences represent one of the latest types of rapidly emerging risks. The finance industry has been badly shaken by high-profile cases featuring, among other firms, Wells Fargo, BNP Paribas and, more recently, the Commonwealth Bank of Australia.

The U.K.’s Financial Conduct Authority and the U.S.’s Financial Industry Regulatory Authority have designated culture, and how it is reinforced, as a priority in their oversight of firms. Against this backdrop comes the need to audit and evaluate culture risk independently. To meet the requirements of regulators and to address their concerns, firms must ask the right questions about culture risk, with no bias or subjectivity.

Let me explain.

Internal and external data — gained through observation, questions, communication and documentation — can help each firm rank and weight its culture risk by means of a scorecard. While a scorecard can enable an organization to gauge its culture risk and implement improvements and controls (before the culture turns toxic), it is just a tool. Every employee, regardless of stature, should understand his or her role with respect to culture risk — and, what’s more, those responsibilities should be evidenced by their interactions with one another and the outside world.

Culture risk should be owned and included within each firm’s enterprise risk framework. Let’s now look at the key components of an effective culture risk framework:


Culture risk should be incorporated in both the risk taxonomy and risk appetite statement, with the latter aligned to the corporate values of the organization. The corporate values should not only be the moral compass of an organization but also dictate its behavioral patterns. Moreover, the values should be articulated and evidenced (both internally and externally), as well as aligned with the corporate objectives.

Reinforcement of these values should be promoted both inside and outside the work environment — reflected internally, for example, in incentive and reward policies, and externally through contracts with third parties. Policies and procedures should encourage employees to provide honest, unbiased feedback about the organization’s corporate values, as well as their effectiveness. Moreover, they should be regularly evaluated and should deliver the proper message to employees.


Culture risk should have well-thought-out metrics that make organizational sense. Human resources (HR) need to be the custodians of these corporate values and metrics. Making sure that the organization’s policies and procedures align with such metrics is one of the responsibilities of HR, which also must ensure that working conditions (e.g., tools and equipment) are reflective of corporate values and that the organization promotes change and innovation through cultural training and education.

To ensure compliance, business and control groups must collaborate, and audit must play a key role in reinforcing corporate values. The mandate of the audit team involves finding evidence to determine (1) how information is shared and disseminated within the organization; (2) how robust the review and challenge is for both decisions and decision makers; and (3) how active participation in meetings is both encouraged and respected. Audit should also evaluate the competency and the control structure of compliance and risk management, with a view toward understanding if these control functions are furthering corporate values.

Moreover, audit should discuss and evaluate the cultural risk mitigants — e.g., active leadership, knowledge management and employee commitment — currently being employed. A great deal of thought should also be given to an independent evaluation from an outside audit service, which can perhaps act as an overlay to the existing (internal) audit function.


The process for gathering, distilling, analyzing and interpreting sensitive information should be outlined in the policy and procedures manual. More specifically, HR should gather and collate information derived from questionnaires, surveys, social media platforms, regulatory findings, outside audits, customer complaints and resolutions.

The evaluation process should include analysis of (1) a company’s hotline activity; (2) turnover and retention; (3) incident reporting; and (4) the consistency of discipline when things go wrong. To understand how values are being communicated (with respect to dispute, collaboration and cooperation), behavioral analysis of internal email traffic should also be performed.

All this information should be given to an outside auditor, who can rank and weight this data by means of a scorecard.


Senior management will be in a better position to understand the cultural pulse of the organization when it receives the results of the scorecard and an outside audit opinion. Monitoring how quickly the organization effects and reacts to change — particularly with respect to escalation and incident reporting — is one of the key responsibilities of senior managers.

Contingency planning (e.g., assessing various scenarios of cultural threats) also falls under the auspices of senior management, whose performance should be at least partly evaluated based on their effectiveness in dealing with real-world cultural incidents.

Parting Thoughts

Culture is everything — it is the lifeblood of the organization and is manifest in every decision and action. Ignore it at your peril.

This article was published on Global Association of Risk Professionals