American Association for Physician Leadership

Quality and Risk

A Better Approach to Avoiding Misconduct

Wieke Scholten | Femke de Vries | Tijs Besieux

February 15, 2023


Summary:

The authors of this article draw on their experience advising some of Europe’s largest financial institutions to present an alternative approach to compliance that is based on the principles and discoveries of behavioral psychology. It involves understanding the contextual drivers of human behaviors and introducing small changes, or “nudges,” to eliminate misconduct at the source.





Despite substantial regulatory reform in the aftermath of the 2008 financial crisis, financial firms have continued to suffer from fraud and other types of ethical misconduct. As a result, by 2020 they had collectively paid out more than $400 billion in fines. One 2019 Harvard Business School study of Fortune 500 companies—based on a sample of firms on that list—found that on average, they experience more than two instances of internally substantiated misconduct each week.

It’s becoming increasingly clear to many experts in risk management that the traditional approach to preventing wrongdoing in companies—imposing formal rules and investing in a strong compliance function to ensure that institutions, managers, and employees adhere to them—cannot by itself protect firms. That is why over recent years—spurred by regulators, including the Federal Reserve Bank of New York—financial institutions have begun adopting a complementary approach that embraces a behavioral dimension. This approach, sometimes known as behavioral risk management, acknowledges that behavior in the workplace is driven by people’s professional context—such as the teams employees work on, the goals they have to achieve, the direct leadership they receive, and the processes they work with—and factors that context in.

As we will demonstrate, behavioral risk management involves identifying behavioral drivers and addressing them by making changes in processes or organizational contexts. These can take the shape of “nudges” (a term coined by the behavioral economists Richard Thaler and Cass Sunstein), which may seem small or even trivial but can have profound effects on behavior.

What’s New About Behavioral Risk Management?

Standard approaches to managing risk, such as enterprise risk management (ERM), assume that actors are rational. That assumption is certainly questionable: A considerable body of behavioral science research has demonstrated that human judgment is heavily skewed by biases. For example, people routinely overweight the importance of data that is recent or that confirms their prior beliefs.

Another flaw, perhaps more troubling, is that the traditional approaches create risks of their own. When people feel that mistakes, even well-intentioned ones, will be met with blame and punishment, they tend to cover up their errors—a behavior that is exacerbated if they sense that they are under surveillance. Employees see punitive policies as a signal that they are not trusted, and research has shown that an atmosphere of distrust increases rule breaking.

In a behavioral approach to managing risk, managers analyze processes and organizational structures to identify the elements that trigger risky behaviors. Consider, for instance, a securities trading team. Let’s suppose that it is composed mostly of overconfident professionals (typically men, who are more likely than women to hold unrealistic beliefs about future financial performance). If the team is headed by a manager with low ethical standards, team members are more likely to morally stray. And if the compensation system rewards individual sales targets, team members are likely to feel envy, which will make them more likely to justify unethical behavior. Such a team may also have a strong group identity, contributing further to a climate of moral laxness.

The traditional way to manage the behavior of this team would be to institute a set of rules, mandate periodic training, and then rely on oversight (such as recorded phone lines) and other mechanisms (such as anonymous whistleblower hotlines) to ensure that people follow the rules. The problem is that those actions do nothing to address the behavioral profile of the team members or their incentives for behaving in risky ways. A behavioral scientist would tell you that any team with the characteristics of the securities trading team just described is highly likely to engage in risky behavior, no matter what rules are imposed, and that surveillance may only make matters worse. Even well-intentioned employees may show undesired or high-risk behaviors when they work with processes that encourage those behaviors or in areas where culture and context push behavior in a negative direction.

Several major European financial institutions—NatWest Group (formerly RBS), ING Group, and ABN AMRO, to name a few—have implemented behavioral approaches to managing risk, primarily by creating teams that analyze the root causes of risky behaviors. In recent years non-European institutions, including HSBC, Standard Chartered, and Royal Bank of Canada, have followed suit. In our work advising these and other institutions, we’ve found that most financial services firms take a two-step approach to implementing behavioral risk management.

Identify and Understand the Hot Spots

The first step is to identify the processes and units in the organization where negative outcomes of employee behavior are most likely to occur. Companies can begin by exploring available data such as employee engagement survey results, client satisfaction scores, and the number of registered policy breaches. They can supplement that information by generating new comparative data on, for instance, team cultures, to further refine their search.

Processes: behavioral insights scans. These scans help managers identify what is getting in the way of good decision-making. They involve multiple in-depth interviews with key players across a selected process, along with observations of work situations. Let’s look now at how one worked at a European banking organization that was a client of ours.

The bank had designed and implemented a process to enable its business risk managers, positioned on the first line of defense, to assess the maturity of their units’ nonfinancial risk management in areas such as cybersecurity, climate, operations, and money laundering. The managers were asked to give their units a maturity score. Next, colleagues from the risk division, the bank’s second line of defense, assessed the work of the business risk managers and agreed or disagreed with their scoring. In any case of disagreement, the business risk manager had to revisit the analysis. The bank wanted to know whether the design of the process—in particular, the two levels of scoring—contributed to the accuracy of the business risk managers’ assessments. Our firm was brought in to answer that question.

Over an eight-week period we conducted 16 semistructured interviews with business risk managers, second-line reviewers, and management. We asked questions such as “Who shows ownership of this process in reality?” and “When was the last time it was difficult to work in accordance with the process? Why, and what happened?” The findings from those interviews were supplemented by a desktop review of documentation on the assessment process and research on the validity of self-assessments. We also conducted two shadowing sessions during which a business risk manager detailed all the steps in the assessment process through screen sharing, and observed two management meetings at which the results of the assessments were discussed.

The scan revealed two factors that might bias managers’ assessments of the quality of their nonfinancial risk management. First, the requirement to assign a score at the end of the process created an implicit goal of achieving the highest score possible. As a result, managers might fail to report key negative evidence or at least present it in such a way that the risk-division supervisors would discount it. A large body of behavioral research shows that people’s desire to achieve a quantitative goal can cause them to ignore compliance or integrity standards expressed as qualitative goals.

Second, because the risk-division supervisors were looking over their shoulders (and in some cases rescoring their work), the business managers had disengaged from the process. This effect was most likely exacerbated by a “not invented here” perception of the process and in-group–out-group bias, which is well-known to encourage noncooperative behaviors. As one business risk manager commented, “Not once has the second line come to us, appreciated how we run the business. They have no clue what to focus on, and hence the process is a total waste of our valuable time.”

When our report was presented to the chief risk officer, he indicated that he had been unaware that the design of the process elicited these unintended and undesired behaviors and perceptions.

Units: behavioral risk reviews. These reviews produce granular insights into behavioral patterns and drivers that may lead to future problems in high-risk business teams or units. A good example is provided by one global financial-services firm we advised. The firm was under heightened regulatory scrutiny as a result of reoccurring unethical and illegal actions in its capital markets business unit. Clear communication of the rules, a strong control environment, and enhanced disciplinary measures had proved ineffective at reducing the incidence of misconduct.

Over a period of three weeks we had about 50 one-hour confidential conversations with employees across the various teams in the unit (a randomized sample that included 20% of the total staff) and with employees who dealt with or supported the teams in the area and provided an outside-in perspective. Our goal in those conversations was not to understand how employees evaluated their professional context but, rather, to hear descriptions of how they reacted to that context. For example, we asked traders to describe in detail how their desk heads responded to mistakes made in real-life situations—not to evaluate the effectiveness of the desk heads’ management.

Alongside those one-on-one conversations, we asked all employees in the unit to complete a short online survey containing 20 statements; observed two teams at work for three hours; and reviewed management data (such as performance, risk, and HR information) and policy documents (on strategy, governance, performance management, consequence management, and codes of conduct). We tested the qualitative and quantitative data against each other and against research findings.

The review revealed a number of factors that were causing employees to act unethically or illegally. To begin with, we found that direct line managers responded to situations in which things had unintentionally gone wrong by severely blaming individuals without taking context and motivation sufficiently into account. For example, when one deal was called off by a client owing to unexpected financial problems on the client’s side, the employee who had negotiated it was marked down and “named and shamed” in a team meeting, with no mention of the relevant circumstances. That kind of reaction can drive behavioral risk: When mistakes are seen as the responsibility of individual workers, the resulting anxiety reduces people’s willingness to comply with organizational regulations.

Second, employees perceived the decisions and procedures regarding promotions as unpredictable and inconsistent, saying that they felt they had little or no influence on the outcome: “I see people getting promoted who are not performing; I feel it is completely random.” To be sure, the randomness did mean that people might be less likely to break rules to boost their performance figures, but perceived unfairness is itself a driver of misconduct. Research demonstrates that it elicits a variety of dysfunctional workplace behaviors, including retaliation and noncompliance with guidelines.

The granularity of the insights allowed our client to adopt a targeted mitigation strategy, directly addressing the specific drivers that needed improvement rather than seeking to improve the culture of the business unit in a broader sense. It defined distinct categories of undesirable behavior, put them in context, and assigned appropriate sanctions to each. For example, an employee who failed to attend an online training session would initially receive a warning instead of a penalty (which would previously have been the result). Small changes of that sort helped reassure employees that they would be fairly treated by their managers. Meanwhile, senior managers went through training to increase their capabilities in dealing with perceived unfairness and responding to negative outcomes.

Find Solutions

We help companies address the problems revealed through behavioral insights scans or risk reviews in two ways. The first is a workshop in which we lead employees who are working in specific areas or processes to identify simple nudges that would change their handling of specific behaviors. Often referred to as nudge labs, these workshops are a staple of behavioral research and consulting and involve various standard brainstorming and gaming exercises. (For an extended description of nudge labs, see “Lessons from the Front Line of Corporate Nudging,” by Anna Güntner, Konstantin Lucks, and Julia Sperling-Magro, in the McKinsey Quarterly online.)

We can illustrate this approach with an example from ING Group, where a behavioral insights scan revealed a lack of common goals and collective identity across teams working to mitigate the risk of financial crime. During a subsequent nudge-lab session, employees, behavioral scientists, and game experts collaborated to develop nudges that stimulated the desired behaviors. Their design drew on basic gaming principles such as reciprocity and shared goals, which encourage people to “keep playing” and collaborate voluntarily—in this case, to keep following the process for mitigating financial crime risk.

For instance, the ING team developed an interactive email-signature banner, aimed at generating a sense of shared identity among the people working across the process. The banner combined the names, profile pictures, and titles of those involved in a customer file. ING then tested the intervention in a pilot that lasted several weeks. The results were promising: Using the email signature improved the level of trust among the employees involved, as determined by a brief questionnaire, and also reduced the number of unnecessary emails. The nudge developed in this example is currently being scaled up across the organization.

Another effective intervention is what we call system-in-the-room sessions. These are interactive workshops designed for senior leaders, with the aim of creating a shared and complete understanding of the challenges involved in managing identified behavioral risks from the perspectives of all stakeholders. With that understanding, the team can design effective solutions accordingly. Typically we hold two or three one-day sessions that bring together everyone who is involved in a process that needs improving. We usually get up to 25 people in the room, ranging from executives, country heads, global process owners, and tech experts to frontline staff. Having everyone in the room makes it difficult to point fingers and forces people to acknowledge the effect of their own actions on other teams.

Take the case of one of our clients, another global financial-services firm. The client had undertaken a behavioral risk review, which revealed that a lack of ownership and insufficient collaboration across units and functions were key risk drivers for financial crime. We led the client through brainstorming steps that moved from defining problems to identifying solutions with a series of “What if?” questions. This approach, inspired by design thinking, is very effectively used in many business processes, from product development to strategy making. (See, for example, “Bringing Science to the Art of Strategy,” by A.G. Lafley, Roger L. Martin, Jan W. Rivkin, and Nicolaj Siggelkow, HBR, September 2012.)

One fix we identified was the introduction of weekly 10-minute system-update sessions between the risk management team and senior leaders, akin to total quality management circles. The updates were tacked on to regular meetings and thus did not disrupt anyone’s schedule, but they have proved a useful forum for flagging behavioral problems early in the risk management process.

The sessions were themselves part of the solution: They resulted in an increased and lasting feeling of interconnection and belonging, contributing to a sense of ownership and effective collaboration around the process involved. As one senior manager put it, “The session is an excellent way to get to know each other better and to connect different perspectives. This increases the willingness to work together constructively and to find great solutions which are actionable and ask little effort whilst having high expected impact.”
. . .

A forward-looking risk approach that informs the dialogue between financial institutions and regulators is highly appealing. For behavioral risk management to succeed, however, courageous leadership is required, in part because the approach goes against the grain of the numbers-driven financial sector. This is an industry where regulators embrace a “show me proof” mindset, encouraging financial institutions to put forward evidence demonstrating that they are in control of risk.

Behavioral risk management, in contrast, is preventive in nature and reveals uncomfortable truths and working-floor realities using qualitative as well as quantitative data. And because it takes a root-cause approach, addressing high-risk behaviors before problems arise, providing incontrovertible evidence of its effectiveness is challenging. But what emerges from a well-structured behavioral-risk-management initiative will unquestionably be improvements in employee behavior that considerably reduce the probability of distress or government sanction. For organizations that live by trading off risk and return, such a simple exercise in optimization should be a no-brainer.

Copyright 2022 Harvard Business School Publishing Corporation. Distributed by The New York Times Syndicate.

Wieke Scholten

Wieke Scholten is a behavioral risk expert at &samhoud, a strategy consulting firm based in the Netherlands, and the former head of a behavioral risk team in the internal audit function at NatWest in London.


Femke de Vries

Femke de Vries is a professor by special appointment in supervision at the University of Groningen, in the Netherlands, and a managing partner at &samhoud.


Tijs Besieux

Tijs Besieux is an independent researcher at Harvard Business School. He is a senior advisor at &samhoud and the founder of Voice Up.
