The latest series of corporate governance failings that have been highlighted by the financial crisis and regulatory censure on both sides of the Atlantic have shown that “the tone at the top” of financial services companies is not always being well communicated or followed.

The governance and reporting processes may be in place to demonstrate to regulators that the management teams in these companies are discharging their responsibilities, according to Peter Richardson, managing director at risk consultancy Protiviti in the UK, but it’s clear that following the correct procedures “is not always embedded in the fabric of our banking institutions”.

He adds: “It is the responsibility of leaders to set the tone at the top that defines how their employees should act. Even if the teams involved in the latest round of inappropriate business practices were able to show evidence that their own mandatory responsibilities were adhered to, they would merely have achieved a tick in the box. More important is the spirit in which those rules were designed, and this speaks to the culture in those teams and their appreciation of their moral duties.”

Richardson has some tips for boards wishing to establish a strong risk management culture in their organisations. 

These are as follows:

1. Focus more on the dynamics (the unseen behaviour) than on the mechanics (governance and rules).
   
2. Consciously manage culture rather than going with the flow. Only by being aware of the culture in which they operate can leaders harness the potential that culture presents, as well as mitigating some of the challenges.
   
3. It’s not only about the tone at the top of the organisation. It’s also about tone in the middle and at the bottom, so this needs to be monitored at all levels.
   
4. Changing culture will not happen over night. You must be in it for the long haul.
   
5. Managing culture change requires alignment with wider initiatives, such as employee engagement and the wider HR strategy.
   
6. Provide training and support for managers and leaders on determining what’s important and what is not. This type of thinking does not come automatically to everyone.
   
7. Don’t shoot the messenger (or whistle-blower) who identifies inappropriate behaviour. Support and encourage them and, more crucially, act on the issues they have raised.
   
8. Use appropriate reward systems and demolish inappropriate ones. Don’t assume that people are motivated to take the most desirable course of action in the organisation’s interests through the application of carrots and sticks alone.
   
9. Engage the board and executive management jointly and severally in agreeing the appetite for risk. Don’t assume that this appetite is static – it needs to be aligned to the business strategy.
   
10. Recognise that regulations can go only so far in protecting the organisation and may become counterproductive when applied without judgment. So give staff the autonomy to act and allow them to apply their wisdom.
    

But Richardson adds a note of caution. “Underlying all of these is the presumption that executive management is ‘walking the talk’,” he says. “If that isn’t happening, none of the above points matters.”