But lighter supervision might result in a heightened conduct risk: It is highly likely that increases in opportunistic crime will be spurred by economic anxiety. With many working remotely, outside the scope of standard internal risk controls and systems, things could turn sour quickly. Banks must therefore exercise added vigilance if they are to avoid future scandal and regulator wrath. 

A rules-based approach to risk and compliance governance has failed to prevent misconduct in the past, and such an approach is to be avoided now. Rather, what is called for are principles-based policies aimed at encouraging responsible corporate cultures. Commodity Futures Trading Commission Chairman (CFTC) Heath Tarbert made a related argument in a recent article in the Harvard Business Law Review  in which he characterized effective principles-based supervision as follows:

• Principles are drafted at a high level of generality to maximize flexibility and breadth of application;

• Principles focus on objectives or outcomes, not specific conduct;

•  Principles contain terms that are qualitative rather than quantitative; and

•  Principles can be fleshed out by rules or other forms of guidance (both formal and informal) as appropriate.

What is true for regulators is true for risk managers within firms: A rules-based approach is likely to be either underinclusive or overinclusive, inadvertently permitting what should be forbidden, and vice versa. This is a particular concern in the context of culture and conduct risk management: Firms have not done well in anticipating misbehavior, in part because their leaders overweighted the impact of setting the right “tone at the top,” when it is actually the “echo from the bottom” that matters more. It is here that we find firm culture shaping staff behavior and driving company performance outcomes.

Recognizing this, many regulators have enacted or are now contemplating supervisory measures aimed at inquiring into firm culture as a principal source of conduct risk. And risk managers within firms are increasingly aware that firm culture must be viewed in terms of operational risk management capabilities. The Basel Committee on Banking Supervision defines this as “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” But as past scandals make evident, systems and processes for risk mitigation are insufficient without adequate attention to the relational dynamics and behavioral norms that prevail among networks of trusted peers within any organization.

Behavioral science has shown that informal influences on staff conduct are often far more powerful than any formal rules. Rather than mission statements, management directives, or corporate values printed on placards, organizational behavior is driven by peer pressure and behavioral norms that spread, like pathogens, through organizations. Such behavioral “contagion” can even be tracked and mapped.

For most of us, most of the time, it is our personal relationships of trust, our desire for acceptance, and the actions we witness around us that have the greatest influence on our behavior. Risk management efforts that neglect this reality have proven inadequate: New approaches and tools are called for. Helpfully, advances in computational social science make it possible to move beyond staff surveys and manual risk oversight to probe culture-and-conduct risk factors as they operate in real time. 

Forewarned is forearmed: Equipped with continuous assessments across their operations, managers may allocate time and other scarce resources in order to address gaps before problems appear. 

In work that we have done with a major global bank, for instance, we were able to identify signals within standard and nonsensitive company data sets that correlated with poor risk management outcomes. This capability now permits for proactive identification and mitigation of risk. By facilitating a more timely, efficient, and effective application of scarce risk management resources, such tools also create opportunity for cost cutting, where existing processes and systems have proven ineffective. 

Culture, and conduct risk, are key governance considerations and increasingly seen as material factors that directly impact firm value. Still, some may argue that culture and conduct concerns are too “squishy” to worry about when near-term economic outlooks are so uncertain. We would argue that this view is shortsighted. If the financial industry is to avoid renewed public and regulator ire, firms should act now, as current circumstances are likely to be nurturing undetected risk exposures.

Bankers deserve credit for working to avert disaster on Main Street in the course of COVID-19 relief efforts. They may even deserve a continued respite from the past decade’s bloody-mindedness toward banks and bankers—something that may be especially welcome given a recent emphasis on “accountability regimes” that hold executives personally liable for misconduct that takes place on their watch. New tools for the management of nonfinancial risks can keep invisible threats from becoming existential crises. They should be embraced by principles-based regulators and firms alike.

Gary Cohn served as director of the National Economic Council from 2017–18 and is past president and COO of Goldman Sachs.

Stephen Scott is a risk management expert and CEO of Starling, a regulatory technology company.

Mark Cooke is former group head of operational risk at HSBC and current chairman of ORX, the financial services industry association for operational risk management.