Imagine the scene. The most senior supervisor of a FTSE 100 financial institution is sitting down with the chair of the Board to embark on this year's formal risk assessment exercise. "Tell me what the risk culture is like in your firm," the supervisor asks. "Tell me how you assess risk culture here and what methods and measures you've developed to do so. Tell me what deficiencies you have found in your risk culture and how you are addressing them. And for good measure, show me the documentation that proves you are assessing risk culture on a systematic basis."

These are the kinds of questions the Financial Stability Board (FSB) is proposing that supervisors ask the people who run our banks and insurance companies. This is new – and will come as a blow to the sceptics who thought this cultural stuff was just a flash in the pan.

In its latest consultation paper, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture(comments requested by January 2014), the FSB has put flesh on the bones of many a recent speech by regulators and placed risk culture fairly and squarely on the reform agenda. Culture in the industry has been under increasing scrutiny and the FSB doesn't mince its words: "failures in risk culture are often considered a root cause of the financial crisis". However, what's particularly significant about the paper is the green light it would give to national regulators to demand that firms do more to assess and improve their risk culture. This is clearly intended to be an on-going feature of the regulatory landscape, not just a once-off brush-up.

So far, the FSB's paper is relatively high level, with little specification of what risk culture means or how it can or should be assessed. The four indicators of risk culture mentioned are: tone from the top, accountability, effective challenge and incentives. These are good places to start, although we suspect firms will need to go into a lot more detail on their methodology for defining what kind of risk culture they require and then compare it with what they've got. Employee surveys and Internal Audit findings can only be the start of this journey.

Our experience with helping financial firms improve risk culture suggests that a lot can be done to shape the behaviours and attitudes of people who take risks on behalf of their employers. Firstly, to understand a corporate culture of risk taking you need to understand the function of such a culture for individuals and how cultural themes develop. We write more about this in our recent report, Culture for Sceptics: the catalyst for strategy. Secondly, four broad indicators might not be enough to assess something as broad as risk culture. We typically help firms by starting with a more granular and wider suite of indicators that are then shaped to their particular needs. Thirdly, we see risk culture as a kind of 'cement' that holds in place the other vital building blocks of a successful risk strategy, such as risk appetite and infrastructure, risk-adjusted remuneration and risk governance.

Banks and insurers used to show their cultural credentials by sponsoring art exhibitions. Not anymore. 

Dan Oakey – Associate Director, Deloitte's Risk and Regulation Practice
Dan has 15 years' experience in risk, communication and corporate governance, helping firms improve the way they 'tell the truth to themselves' about risks and financial performance. Dan's current focus is on the wider reform arena, in particular how regulators are looking beyond the rule book at culture, risk appetite and incentive structures to influence risk-taking behaviours in financial institutions. LinkedIn

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.