Consider the sad story of UBS. In 2007 it suffered $38 billion in losses on mortgage back securities, requiring a $60 billion capital infusion from the Swiss government to keep from going under.
In 2008 it paid out $19 billion to clients it had duped into buying worthless auction-rate securities. In 2009 it had to pay the U.S. government a $781 million fine for helping wealthy Americans evade taxes. In 2011 it took $2.3 billion in losses on a $12 billion trading position built up without authorization by one trader, who hid it by booking fictitious hedges.
This is more than a series of unfortunate incidents. It’s a pattern that points to terrible problems with risk and controls at one of the world’s largest and (formerly) most prestigious financial institutions. How could things go so wrong for so long at UBS?
Critics were quick to attack the firm’s risk culture: “At UBS, It’s the Culture That’s Rogue” by James B. Stewart and “Questions Arise About UBS Risk Controls” by Alistair MacDonald and Deborah Ball. Even the company acknowledged it had to improve its risk culture: “UBS 2007 Annual Report (page 10).”
And the problem ran deep. “The problem isn’t the culture,” one investment banker said, “The problem is that there wasn’t any culture. There are silos. Everyone is separate…People cut their own deals, and it’s every man for himself…People thought of themselves first, and then maybe the bank, if they thought about it at all.”
Too deep for management to fix. Sergio Ermotti, the CEO brought in to fix risk at UBS after the 2011 trading crisis, has decided on radical surgery. Over the next three years, he’s going to wind down most of the investment bank trading operations.
Of course, UBS isn’t the only firm with risk culture problems. Lehman Brothers, Citigroup, AIG, and many others have been accused of having weak risk cultures. It’s been cited as a factor in any number of financial disasters, but, strangely enough, it’s rarely been well defined.
We think the best definition of risk culture is based on one from McKinsey’s “Taking Control of Organizational Risk Culture” by Cindy Levy, Eric Lamarre, and James Twining: the norms of behavior that determine how an organization understands and acts on risk.
In a strong risk culture, the degree of risk and the appetite for it are subjected to rigorous analysis and continuous debate. Everyone from the board and the CEO to bankers and support staff takes risk very seriously and is involved in managing it. There are rewards for managing risk well, including for escalating serious risk concerns.
That’s a simple way to describe a complex topic. Risk itself is intricate and changeable. Risk culture is subtle and elusive: it’s the way people behave about risk. Perhaps the best way to explain it is to describe is through examples. We’ll do that in our next post, and discuss ways to evaluate risk culture.