Organizational culture: How an alliance between HR and Risk can manage risks and drive long-term value

Co-authored by Kevin Childs, EY Senior Manager, Risk Consulting, Financial Services

Learn how the critical alliance between HR and Risk to address OSFI guidelines can turn culture risks into a competitive advantage by unlocking long-term value for financial institutions.


In brief: 

  • Despite more than a decade of regulatory focus on strengthening governance frameworks, poor corporate culture remains an ongoing risk to financial institutions — and the people they serve. 
  • Seizing this moment to take a proactive, broad-based approach to manage organizational culture enables financial institutions to transform this risk into an opportunity. 

In the wake of the 2008 financial crisis, regulatory bodies fortified frameworks to safeguard financial stability and protect the people, companies and organizations that shape the economy. Despite these advancements, a glaring vulnerability remains: the pervasive issue of poor corporate culture. High-profile scandals continue to emerge, revealing that traditional approaches to managing risks related to corporate culture — primarily focused on misconduct — are insufficient.

These cases underscore the urgent need for financial institutions to manage their organizational culture broadly, both delivering long-term stakeholder value and protecting the organization from harmful behaviour patterns.

As regulatory scrutiny intensifies, the ability to proactively manage and oversee risks related to organizational culture is becoming a critical component of financial institutions' risk management strategies. The question is no longer if, but how financial institutions should improve culture management capabilities and transform their culture into a strategic asset, one that’s capable of creating and protecting value.

Forget about risk culture: integrate risk into your overall approach to managing organizational culture

Culture refers to the commonly held values, mindsets, beliefs and assumptions that guide what’s important to the organization and how people should behave. It serves as both a performance driver and a shield against vulnerabilities. On the one hand, culture enables value creation by fostering innovation, collaboration and alignment with an institution’s mission and strategic goals. On the other, it can prevent organizations from realizing the full potential of their employees and the operating collective, inviting additional risks and eroding value. Targeted behaviours are at the core of this dual imperative.

Financial institutions should no longer view risk culture as a self-sufficient, standalone concept. While a risk culture program effectively addresses misconduct associated with fundamental principles such as integrity, fairness, accountability and transparency, it does not encompass the full spectrum of harmful behavioral patterns that may exist in the institution. The scope of culture risks extends far beyond these foundational elements. Furthermore, tackling the risk dimension of your culture in isolation may lead to inconsistencies with other goals, including performance, stakeholder satisfaction and employee engagement.

Taking a broad-based approach to embody a performing culture is essential to embed alignment and efficiency. Institutions must embrace risk as an essential component of managing organizational culture. As senior management articulates the desired culture to support the institution’s mission and strategic goals, leaders should also consider related risks. These risks should be evaluated and monitored alongside other dimensions to provide a holistic view of the organizational culture evolution over time and, if relevant, per geography or business entity.

Institutions that overlook culture risks may face crises that require rushed and costly interventions, undermining stability and progress, derailing plans for growth — sometimes even leading to discontinuation of operations or bankruptcy. In contrast, proactively managing risk as part of the organizational culture fosters an environment where individuals are empowered to act ethically, hire others who are aligned to the organization’s values and draw on the culture to shape business decisions and positive outcomes to better enable business imperatives.

OSFI's expectation is clear: culture risk should be an integral part of the enterprise risk management (ERM) framework

As 2024 wound down, the Office of the Superintendent of Financial Institutions (OSFI) issued a regulatory notice on culture risk management.[1]

What does that mean for your financial services organization now?

OSFI defines culture risk as all behavioural patterns that do not reflect the expected behaviours or support the desired organizational culture and may prevent an institution from achieving its objectives. This recent OSFI notice lays out clear expectations for how federally regulated financial institutions (FRFIs) should manage culture risk, underscoring the importance of aligning corporate culture with strategic objectives and effective risk management.

The notice spans three fundamental areas:

Governance: The board is responsible for the institution’s culture and should promote a risk culture that stresses integrity and effective risk management. Senior management is responsible for defining, promoting, embedding and managing the desired organizational culture to achieve the institution's mission and strategy and effectively manage risk. This includes aligning policies, processes, practices and people to support the desired culture.

Fostering desired culture: Institutions are expected to deliberately shape, evaluate and maintain their culture through effective leadership, talent and performance management, compensation, rewards and recognition, incentives and accountability practices. Senior management sets the tone from the top for the desired culture by modelling and reinforcing it through their words, actions and decisions, while holding themselves and others accountable to behaviours consistent with that culture.

Managing culture risks: Proactive management of culture risks involves developing measures to identify and assess these risks in the context of the organizational culture, understanding their root causes and potential impacts, as well as integrating culture risk management in the enterprise-wide risk management program. 

Organizations that recognize the strategic asset behind these expectations and are willing to invest beyond regulatory compliance alone can build a competitive advantage by decreasing risk management costs and establishing sustainable business growth.

Unlock your potential: Take full control of your organizational culture

Organizational culture is about how people collectively behave in an organization. For example, how people collaborate, how decisions are made or how value is created. Employee behaviours can foster an environment that is conducive to the emergence of nonfinancial risks by increasing the prevalence of causes leading to risk events. That’s why it must be managed as a distinct source of risk that can impact your organization.

At EY Canada, we advocate for financial institutions to integrate a culture risk management approach into a deeply integrated organizational culture management program in line with the enterprise risk management (ERM) framework requirements. To initiate this process, we recommend taking the following steps:[2]

1. Understand your current-state organizational culture to get a sense of where you’re starting from. You need both top-down and bottom-up perspectives to identify behaviours and traits to stop, start and continue for value creation and protection. Identify the systemic levers that are enabling your desired culture and those that are impeding it. Be sure to include viewpoints from people at all levels of the organization in this initial, information-gathering stage.

2. Define your desired organizational culture and identify the associated risks. While expected behaviours can help achieve specific goals, they may also be the underlying cause of non-financial risks. Effectively shaping your desired culture necessitates an informed understanding of the “risk versus reward” dynamic. Overall, the desired culture should foster engagement of all to better unleash your employees’ potential.

3. Monitor organizational culture continuously to maintain alignment with the institution’s goals. Staying on track requires financial institutions to set and monitor key behavioural indicators (KBIs) as well as key performance indicators (KPIs). This cannot be an add-on or afterthought. Rather, it’s part and parcel of defining the desired organizational culture. Through data analytics, financial institutions gain critical insight to make changes and improvements along the way.

4. Revise your governance model to support a broad-based, cross-functional approach to managing organizational culture, incorporating the risk dimension. Your governance framework should facilitate integration by dismantling internal silos and promoting collaboration across corporate functions and the business. Culture risk management itself should bring together representatives from the business, HR, legal, compliance and risk functions with clearly defined roles and responsibilities.

5. Consolidate existing risk and compliance culture programs under the culture risk management umbrella to create synergies and broadly cover culture risks. The frameworks, policies and processes supporting your current conduct, risk and compliance culture programs will serve as the foundation for a culture risk program that addresses a wider array of risks associated with your organizational culture.

6. Align your operating model and environment to foster the desired organizational culture and mitigate risks related to it. For culture to take hold, organizational levers and influencers must encourage expected behaviours. Make sure areas like talent and performance management, compensation, accountability practices and more reinforce the culture you’re trying to create and help mitigate the risks you’re working to address. That lends gravitas to this shift.

Figure 1 - Organizational levers to promote expected behaviours

Key takeaways for HR and Risk professionals

It’s increasingly important for FRFIs to recognize the importance of proactively and effectively managing culture risk. Evolving OSFI regulations are raising the bar on this requirement. More broadly, though, embracing culture risk management as a strategic asset can help you build a competitive advantage, decrease costs and cultivate sustainable business growth. That’s an opportunity no institution wants to miss.


Learn more

To explore how we can help you comply with the new guidelines, please contact a member of our Risk or People Consulting teams.
