Despite significant regulatory change following the financial crisis, organizations have continued to be victims of fraud and other forms of ethical wrongdoing. As a result, they paid more than $400 billion in fines by 2020. Fortune 500 organizations suffer more than two incidents of internally proven wrongdoing every week.
Many risk management specialists are increasingly convinced that the conventional method of avoiding business wrongdoing cannot safeguard the company on its own. So financial institutions are adopting an additional strategy that includes a behavioral dimension. This method recognizes that people’s work behavior is influenced by aspects of their professional setting, such as the teams they work on, the goals they must achieve, the direct leadership they get, and the processes they use.
Behavioral risk management entails recognizing behavioral drivers and managing them by altering processes or organizational environments. These can take the form of “nudges,” which may appear insignificant but have meaningful behavioral consequences.
Behavioral Risk Management: What’s New?
Standard risk management techniques, such as enterprise risk management (ERM), presume rational agents. That assumption is dubious. According to behavioral science studies, human judgment is strongly skewed by biases. People frequently overestimate the value of recent evidence that validates their past opinions.
Another problem is that traditional risk management has its hazards. When individuals believe that their mistakes, even well-intentioned ones, will be blamed and punished, they prefer to conceal them. This inclination intensifies when they think they are being watched. Employees interpret punitive rules as a signal that they aren’t trusted. Research shows that a culture of distrust encourages rule disobedience.
Managers using a behavioral approach to risk management analyze processes and organizational structures to find the variables that cause risky behavior. Assume we are examining a securities trading group. Let’s assume it’s primarily made up of overconfident pros (typically men, who are more likely than women to hold unrealistic beliefs about future financial performance). Team members are more prone to stray ethically if the team is led by a boss with poor ethical standards. If individual sales objectives are rewarded, team members are more likely to feel envious, which makes them more inclined to rationalize unethical behavior. This type of team may also have a strong sense of group identification, which contributes to a morally loose environment.
The usual approach to managing this team’s conduct would be to establish a set of rules, require frequent training, and then rely on supervision (such as recorded phone lines) and other methods (such as anonymous whistleblower hotlines) to guarantee that everyone adheres to the rules. The difficulty is that those activities do little to address the team members’ behavioral profiles or their motivations for risky behavior. According to a behavioral scientist, any team with the qualities of the securities trading team just described is extremely likely to engage in risky behavior, regardless of the laws in place, and surveillance may only make matters worse. Even well-intentioned workers may show high-risk behaviors when working with systems that favor certain behaviors or in teams where culture and environment drive behavior in a bad direction.
Several prominent financial organizations have adopted behavioral risk management strategies. These include forming teams to investigate the core reasons for dangerous behavior. Researchers have seen that most financial services businesses apply behavioral risk management in two steps.
Recognize and analyze the hotspots
The first step is to identify the processes and units that are most likely to result in negative employee behavior. Good places to start include looking at statistics like employee engagement survey results, client satisfaction ratings, team cultures, and the number of policy violations that have been reported.
Behavioral insights scans are one of the processes. These scans assist managers in identifying what is impeding smart decision-making. Multiple in-depth interviews with key stakeholders across a specified process, as well as observations of work scenarios, are all part of the process.
A bank created a procedure allowing a subset of its risk managers to assess the maturity of their units’ risk management. This included areas like cybersecurity, climate, operations, and money laundering. Managers were asked to provide a maturity rating. After that, another subset of risk managers evaluated the work of the prior group. In the event of a dispute, the business risk manager was required to re-evaluate the situation. The bank wanted to discover if the process’s design—specifically, the two levels of scoring—helped the business risk managers’ evaluations to be more accurate.
Consultants performed 16 interviews with all involved over two months. They asked questions like, “Who demonstrates ownership of this process?” and “When was the last time working with the method was difficult? What occurred, and why?”
The analysis revealed two elements that might skew managers’ views of risk management. First, the obligation to provide a score after the procedure generated an implicit aim of attaining the greatest possible score. As a result, managers neglected to report significant negative material or presented it in a way that led supervisors to dismiss it. Our ambition to attain a quantitative goal often leads us to disregard compliance requirements stated as qualitative goals.
Second, the managers disengaged from the process because their supervisors were peering over their shoulders (and rescoring their work). This impact was most likely increased by a “not invented here” perspective of the process and in-group–out-group prejudice, both of which have been shown to favor noncooperative conduct. “Not once has the second line come to us, recognized how we operate the firm,” one business risk manager said. “They have no idea what to concentrate on, therefore the procedure is a complete waste of our time.”
When consultants reported their findings to the chief risk officer, he expressed surprise that the process’s design had resulted in these unforeseen and undesirable actions and views.
Behavioral risk assessments of the units. These analyses provide deep insights into behavioral patterns and variables that might contribute to future issues in high-risk business units or teams. One major financial services organization serves as an excellent illustration. As a result of repeated unethical and unlawful conduct in its capital markets business section, the firm was subjected to increased regulatory scrutiny. Clear rule communication, a tight control environment, and increased disciplinary actions have all failed to reduce the occurrence of wrongdoing.
Consultants held confidential talks with employees from various teams in the unit. They also spoke with employees who worked with or supported the teams in the area. The purpose was to hear how individuals reacted to their professional surroundings instead of how they rated them. For example, instead of evaluating the success of management, they asked traders to describe in detail how their managers responded to mistakes made in real-life scenarios.
In addition to those one-on-one interviews, they asked all employees in the unit to take a brief online survey, observed two teams at work for three hours, and evaluated management data and policies. The study identified several flaws that caused employees to behave unethically. First, consultants noticed that when things went unintentionally wrong, managers responded by harshly criticizing individuals without properly analyzing motive and context. When a customer called off an arrangement owing to the client’s unforeseen financial troubles, the employee who negotiated it was marked down and “named and shamed” at a team meeting, with no mention that the reason was outside the employee’s control. This kind of treatment can lead to risky behavior: when failures are publicly blamed on individual workers, the resulting fear reduces people’s desire to obey company rules.
Second, employees saw promotion decisions and procedures as unpredictable and inconsistent, claiming little or no control over the outcome. Some employees said, “I see individuals getting promoted who aren’t performing. I believe it’s arbitrary.” Perceived unfairness is a motivator of misbehavior in and of itself. According to research, it evokes many dysfunctional workplace behaviors, including revenge and refusing to follow company policies.
The company implemented a plan focusing on the individual causes that needed to be improved. It established separate categories of bad behavior, contextualized them, and assigned appropriate penalties to each. An employee who fails to attend an online training session, for example, might first receive a warning rather than a punishment (which would previously have been the result). Small modifications like this served to convince employees that their supervisors would treat them properly. Meanwhile, senior executives received training to improve their ability to deal with perceived injustice and respond to adverse outcomes.
Look for solutions
The next step is to identify nudges that can modify specific behaviors. This is done in workshops, also known as nudge labs, which are a mainstay of behavioral research and consulting and include a variety of traditional brainstorming exercises and tasks.
An example from ING Group illustrates this approach: a behavioral insights scan indicated a lack of common goals and shared identity across teams aiming to reduce the risk of financial crime. Employees worked in the following session to build nudges that promoted the desired actions. Their concept was based on principles like reciprocity and shared goals, which motivate individuals to “keep playing” and participate voluntarily—in this case, to keep following the financial crime risk mitigation procedure.
The ING team, for example, created an interactive email signature banner to foster a feeling of shared identity among everyone involved in the process. The names, profile photographs, and titles of people participating in a customer file were integrated into the banner. The intervention was subsequently put to the test in a multi-week pilot by ING. The outcomes were encouraging: According to a quick questionnaire, using the email signature increased employee confidence and reduced the number of needless emails. The nudge created in this example is now being implemented across the company.
Sessions called “system-in-the-room” are another useful intervention. These are interactive seminars for senior executives to establish a common and comprehensive understanding of the problems associated with managing recognized behavioral risks from all stakeholders’ viewpoints. The team may then build solutions based on this knowledge. These sessions involve people from every department. With everyone present, it’s tough to point fingers, and participants are compelled to consider the impact of their actions on other teams. The sessions are part of the solution: they result in a stronger and longer-lasting sense of connectedness and belonging, as well as a sense of ownership and effective cooperation around the process.
Behavioral risk management is proactive and uses data to uncover complicated facts and workplace realities. It’s also difficult to provide conclusive proof of its success since it takes a root-cause approach, targeting high-risk behaviors before they become issues. But changes in employee behavior will result from a well-structured behavioral-risk-management project, significantly lowering the chance of risky behavior.