The 2008 crisis revealed new ways that the financial industry contributes to economic instability. Weaknesses in corporate governance increased the severity of the financial crisis. Therefore, priority has to be given to knowing, planning, and managing enterprise risk through the inherent cycles of market economies. Further regulations that are now directed at financial firms are manifestations of the recognition that recovering trust is vital to maintaining stability and preserving liquidity. Such trust is critical to the basis of banking—that is, the careful risk taking necessary for sustainable, profitable operations—and will build resiliency and empower the banking sector to cope with serious economic downturns.

Proper governance and its diffusion through leadership behavior into firm culture can lead to the restoration of trust. The author suggests ways to continuously work toward these goals.

Although financial markets have recovered from the recent crisis, enforcement actions continue, which raises the question of whether lessons learned from the crisis have resulted in improvements in governance and culture. Initially, quantitative enhancements were thought to be the panacea, but after continued transgressions, regulators decided that the underlying culture had to change. Key in this regard is a sound risk management program underpinned by a framework of three lines of defense, which installs a series of checks and balances from independent groups to oversee credit, market, and operational risk.

Regulators in the United Kingdom and the United States have assumed leadership roles in improving banks’ culture, which has influenced the industry globally. Both countries’ regulations intensify the scrutiny of senior employees and expectations of boards of directors, but the UK model is principles based and the US model is more rules based. Perhaps the most important change for both countries is a reordering of the interests of corporate stakeholders to prioritize clients over all others—notably, shareholders.

The author also devises 15 “golden rules” that can provide material for qualitative testing beyond the quantitative financial criteria underlying preparedness for deep economic downturns. The rules cover the approach to risk assessments taken by top management and boards, feedback and data analysis from frontline operations, risk control procedures, and the effects of actions in the industry for firms.

Concerning culture, the author’s rules include a discussion on whether there is a set of values prioritized by leadership to which everyone adheres. Is the enterprise risk management system pervasive so that there is awareness of specific risk elements? Do rewards, penalties, and reviews reflect the expressed values? Are there methods in place to routinely learn from experiences, measure progress, and perform surveys on the embedding of enterprise risk practice?

Regarding board composition, the author notes that a range of experiences is required so that emerging issues affecting the firm can be addressed. Also, women bring different approaches at the board level, enriching discussions so that the board can more fully examine the potential effects of decisions. Studies by industry specialists show positive results for public companies with women on their boards, including higher returns and lower stock price volatility.

How the board performs its oversight of enterprise risk management by understanding the risk factors inherent in firm strategy is particularly important now. Successful oversight is dependent on the board obtaining the necessary skills and unleashing its potential via dialogue internally and with senior management.

In the stream of regulatory and enforcement actions since 2008, the author finds more than $100 billion in fines levied on large US banks related to fraudulent securitization, misleading selling practices, and assistance in tax fraud. In some cases, the fines are applied to banks that acquired companies that perpetrated the claimed delinquencies. Among the six that were fined, four international banks admitted criminal manipulation of currencies. BNP Paribas settled for $8.9 billion, pleading guilty to trade sanction violations. Unfortunately, settlements do not establish legal precedent. The proceeds from the fines appear to be distributed in somewhat arbitrary ways, and benefits for taxpayers harmed by bank behavior and by the financial crises are unclear.

The author thoroughly reviews the development of the regulatory measures created as a result of the serious infractions. She finds that the OECD is concerned that large risk exposures are unclear, there is inattention to off-balance-sheet entities, global cash flow planning is inadequate, regulations are only noted, incentives reward traders instead of banking practitioners, and non-executive directors do not have appropriate financial understanding. UK regulators fight the deceptive selling of financial products and propose a framework and guidelines to assess and continuously improve risk culture. Accountability measures go beyond certifications to the provision of penalties for failure to oversee key risk controls. The US Office of the Comptroller of the Currency requires a three-year strategic plan with a risk governance framework that includes core values for day-to-day operations. Oversight of risk at the board level is to be scrutinized.

The author reviews surveys by leading consulting groups, including McKinsey and Company, on the composition and practices of boards of financial firms.

In the 2008 crisis, not all banking systems suffered the same magnitude of risk, corruption, and failure. Valuable information may be obtained by studying the culture of the banks in certain countries—in particular, Canada and Japan.