1. Introduction
The Basel Committee on Banking Supervision (BCBS) of the Bank for International Settlements (BIS) released the Basel III international regulatory framework for banks in 2010, which had been primarily designed for internationally active banking institutions, instead of smaller or less sophisticated banks (
BIS 2014). The Basel III regulatory framework requires banks to manage their Operational, Market, and Credit Risks by improving their liquidity base and enhancing the risk management practices of banking institutions. This requirement aims to enhance the financial stability and sustainability of banks under the supervision of central banks that are members of the BCBS (
Gomes and Khan 2011).
After Ghana gained independence from Britain on 6 March 1957, Ghana’s central bank, the Bank of Ghana (BoG), was established with the directive to protect depositors’ interests and ensure the Ghanaian financial system’s safety, soundness, and stability (
BoG 2018,
2023;
Dwamena and Yusoff 2022). Despite the BoG’s international orientation and receptiveness to international banking standards, the pre-2001 Ghanaian banks were more domestically orientated, with little appetite to adopt the Basel regulatory framework (
Jones 2022). Only when the New Patriotic Party (NPP) came into power between 2001 and 2008 were sustained efforts made by politicians and senior banking officials in the BoG to implement the Basel regulatory framework by creating a financial service hub which consisted of an offshore banking facility that served as the foundation of their development strategy (
Jones 2022).
However, from 2009 to 2016, the National Democratic Congress (NDC) political party was in office, and they championed a nationalist tradition that did not include prioritising the financial service hub. Most senior banking officials who advocated for implementing the Basel regulatory framework left the BoG, depriving it of the drive to continue with the implementation process (
Jones 2022). Implementation of the Basel regulatory framework resumed only after the NNP political party regained power at the end of 2016—with the objective of positioning Ghana as an international financial services centre (
BoG 2018,
2021;
Jones 2022;
Adjei 2018). Although the Ghanaian banking sector has indicated significant growth since 2018, measured in terms of the total assets under management, the money supply-to-GDP (gross domestic product) ratio, the deposit-to-GDP ratio, and the bank credit-to-GDP ratio, the sector is still regarded as unstable, inefficient, and inexperienced (
BoG 2020;
Dwamena and Yusoff 2022;
Torku and Laryea 2021). According to
Amponsah-Mensah (
2021), the BoG should specifically focus on implementing the supervisory and regulatory requirements of the Basel III international regulatory framework to ensure the safety, soundness, and stability of Ghanaian banks. To sustain financial performance, Ghanaian banks must keep abreast of the regulatory developments in the global banking industry as directed by the Basel III regulatory framework, with a specific focus on operational risk management (
Amponsah-Mensah 2021).
Furthermore,
Arhenful et al. (
2019) stated that the ineffective management of operational risk has a negative impact on the financial performance and sustainability of commercial banks operating in Ghana. This was also confirmed by
Gadzo et al. (
2019), who stated that the risk culture, risk governance, and operational risk management practices of Ghanaian banks are not effective and need to be improved as they directly impact the financial performance and competitiveness of Ghanaian banks (
Ozili 2019).
Amenu-Tekaa (
2022) concurred with the findings of
Gadzo et al. (
2019) and stated that complying with the requirements of the Basel regulatory framework will assist in building a resilient Ghanaian banking sector and position Ghanaian banks to meet the various banking and capital investment needs of the country’s economy.
In 2021, the BoG announced that it had joined the Basel Consultative Group (BCG) of the BCBS with a view to facilitating dialogue and cooperation in relation to banking supervision, supervisory standards, and best practices (
BoG 2021a). The Ghanaian banking sector has experienced a sharp increase in the digitisation of its banking services since the onset of the COVID-19 pandemic, and this has been accompanied by an increase in cyberattacks, mobile money, and ATM fraud in Ghana (
Addison 2021). The BoG has nevertheless stepped up its leadership role in providing guidance to Ghanaian banks by publishing a Risk Management Directive in November 2021 (
BoG 2021b). This directive requires Ghanaian banks to adopt an appropriate risk culture that promotes the implementation of the risk management requirements prescribed by the Basel III international regulatory framework (
BoG 2021b).
However, the BoG and Ghanaian banks could benefit from scientific evidence of the perceptions of Ghanaian banks’ risk managers regarding the envisaged implementation of Basel III. To date, no research has been carried out on the role of risk culture in promoting the effective management of operational risk in Ghanaian banks.
Ghana is a developing country located in the West African sub-region, characterised by economic underperformance, weak legal and regulatory frameworks, illiquid stock markets, and frequent market interventions by government agencies (
Tsamenyi et al. 2007). According to
Asomah (
2019) and
Transparency International (
2020), successive Ghanaian governments have claimed to be fighting corruption, but little success has been achieved so far. This points to a lack of accountability, transparency, and integrity in the environment in which Ghanaian banks operate, and this influences their risk culture.
The current research contributes to the implementation of the risk management directive of the BoG, and to the theory of risk culture and research in the area. The main argument of this research is that, for operational risk management to succeed, an appropriate risk culture in each of the banks involved is required. The purpose of this study was, therefore, to investigate the risk culture perceptions of Ghanaian banking personnel and to provide recommendations to enhance the risk culture among Ghanaian banks to promote effective operational risk management practices. Any challenges faced regarding risk culture need to be addressed in order to enhance the successful implementation of operational risk management and ultimately ensure the financial stability and sustainability of banks in Ghana.
This research followed a positivist paradigm and utilised a survey to collect the data from risk management employees of Ghanaian banks to assess the role of risk culture in the enhancement of their operational risk management practices. This study used both descriptive and inferential statistics to analyse the collected data.
This article is structured as follows.
Section 2 provides a review of the relevant literature, while
Section 3 describes the methodology of the research. In
Section 4, the analyses of the data and the empirical results are presented. Finally,
Section 5 provides a summary, and
Section 6 provides the conclusions of this study.
2. Literature Review
Since the financial crisis of 2007–2008, interest in governance, risk, and compliance (GRC), as well as the concept of risk culture, has grown significantly. Most banks now strive to re-align risk management and governance processes to a new moral narrative to achieve organisational success and sustainability (
Deloitte 2012;
Power et al. 2013). Research suggests that the arguments on risk culture in financial institutions are indicative of the aspiration to ensure that risk management becomes a more prominent component of organisational decision-making and governance processes (
BIS 2021;
Deloitte 2012;
Power et al. 2013).
The BCBS has highlighted that robust risk culture is essential for a bank to achieve sound corporate governance and risk management practices (
BIS 2011,
2021). A corporate risk culture, which supports professional and responsible behaviour and provides the appropriate norms and incentives, lays the necessary foundation for exercising good governance. In this regard, the board of directors should lead by establishing professional standards and corporate values that promote integrity for itself, for senior management, and for all other bank employees (
BIS 2011,
2021).
Risk culture is fundamental to effective risk governance, organisational success, and value creation. The Committee of Sponsoring Organisations (COSO) updated its enterprise risk management framework in 2019 and acknowledged the vital role risk culture plays in enterprise-wide risk management (ERM). The board of directors is responsible for embedding risk culture into discussions concerning strategy and risk management. Implementing the 3LOD model to manage operational risk will not deliver optimal results if it is not supported by an organisational culture that enables and promotes effective risk management (
Global Institute of Internal Auditors 2019).
The board of directors and senior management should provide the necessary leadership to build and maintain a strong risk culture for operational risk management. Banks with a robust risk culture and solid ethical business practices are unlikely to experience potentially damaging operational risk events, and they are also equipped to effectively deal with operational risk events when they do occur (
BIS 2011;
Pepi 2019;
Stanciu 2010).
To embed an effective risk culture in a bank’s operations, a bank should aim to achieve risk-intelligent culture status. This implies that every employee understands the way the bank approaches risks, takes personal responsibility to manage the risks related to their daily activities, and encourages fellow employees to follow their proactive example. Bank management systems and behavioural norms should encourage employees to make accurate risk-related decisions and exhibit appropriate risk awareness. To accomplish these objectives, the board of directors and senior management are responsible for setting the right tone and cultivating an enterprise-wide awareness of risks at all levels within the bank. Robust risk culture can give a bank a competitive advantage that would be difficult for competitors to emulate. A risk culture binds together crucial elements in a bank, such as risk governance, risk management, and compliance, and ultimately makes a bank cohesive and resilient to internal and external disruptions (
International Finance Corporation 2015;
Institute of International Finance 2009;
IRM 2012a;
Sants 2010).
To enhance the risk culture of a bank and its interrelationship with risk governance, the bank should pay careful attention to its risk culture framework, as acknowledged by both practitioners and researchers. The views of risk practitioners are discussed first, followed by those of researchers.
Risk practitioners, such as
Deloitte (
2012) and the
IRM (
2012a), have contributed to the field of risk culture. According to
Deloitte (
2012), a risk culture comprises four risk culture drivers, namely, risk competency, organisation, relationships, and motivation. Although the risk culture framework of Deloitte highlights four significant practical considerations of risk culture, the IRM considers four dimensions and eight aspects of risk culture, including the so-called ‘soft issues’ (such as people, communication, and learning and development) and the ‘hard issues’ of risk culture (such as governance and the risk management framework). In their research, the
IRM (
2012a) invited 36 risk practitioners to formulate their guidelines for enhancing risk culture and summarised them in their risk culture model, indicated in
Table 1 below.
As indicated in
Table 1, the
IRM (
2012a) identified four dimensions of risk culture, namely, the tone at the top, governance, decisions, and competency. Each of these has its own aspects requiring close attention. The tone at the top requires risk leadership by providing a clear vision and common approach to risk understood at all levels in the organisation. The leadership should lead by example and have an open mind to evaluate any criticism should strategic proposals be criticised, or when bad news surfaces; in other words, they need to practise what they preach. Governance requires transparency. Organisational structures need to support effective risk management by being accountable and by having access to the board of directors, authority, and management reporting capabilities, such as the prioritisation and escalation of decisions. The decision dimension emphasises the development of a set of policies and standards that provide confidence to individuals on the way to operate and manage risks. This includes the fact that objective setting should be aligned to risk management responsibilities and have a clear link to an individual’s performance and remuneration. The competency dimension requires that employees undergo the necessary learning and development to enable them to identify and assess risks and know what, when, and how rapidly to escalate risk matters. The IRM acknowledges that risk culture remains a developing area, and it anticipates more models, tools, and research in the future.
Several researchers have contributed to the field of risk culture, as reported by
Kunz and Heitz (
2021). These researchers performed a systematic literature review and developed a comprehensive model of risk culture within the context of the external environment and bank management control systems. The risk culture model of
Kunz and Heitz (
2021) is depicted in
Figure 1 below.
These factors affect the development of risk culture, in other words, the common understanding of adequate and ethically acceptable risk-taking (
Drennan 2004). Risk culture in turn influences personnel controls, including hiring and training (see
Drennan 2004), communication (see
Dellaportas et al. 2007;
Muñiz et al. 2020), knowledge (see
Holland 2010), and personnel characteristics such as those of CEOs (see
Buyl et al. 2019), and the flexibility of staff, which could entrench dysfunctional risk cultures in cases where there is an unwillingness to change (see
Gendron et al. 2016).
Incentive systems influence individual risk-taking, especially variable and stock-based incentives for decision-makers in top management (
Chen et al. 2006) as well as severance contracts (
Brown et al. 2015). Individual risk-taking is also influenced by the organisational structure (
Roy 2008), individual accountability (
Cordery 2007), and a lack of supervision (
Cordery 2007;
Drummond 2002).
The limitations of the study by
Kunz and Heitz (
2021) were that they searched for English articles only and that they included only knowledge in their model instead of considering the broader concept of competencies. They concluded that further research is needed regarding the factors indicated in their model to gain deeper insight and measure the causal relationships. However,
Marx and de Swardt (
2019) determined that there is a relationship between competencies and successful risk management, and that such competencies comprise knowledge, skills, attitudes, values, and attributes, such as experience. The values required for successful risk management require upholding principles that ensure moral conduct, such as integrity, ethical conduct, respect, and accountability, which will influence risk culture positively.
Njogu (
2017) observed that, when employees have worked in an industry for many years, they have gained significant experience and knowledge about the culture, products, and services of their organisation. These employees have experienced many changes within their working environment and, as a result, have a good understanding of processes that work effectively in the organisation, compared to those with less experience. All the above-mentioned researchers nevertheless acknowledged that further research is required.
According to the BCBS, risk management should be embedded into a bank’s culture (
BIS 2011,
2021). Risk management should be a critical focus area of the chief executive officer (CEO), the chief risk officer (CRO), the chief operating officer (COO), senior management, and all business line managers. These officials should communicate risk management information in an appropriate manner to all staff members to make accurate strategic and day-to-day business decisions (
BIS 2020).
The BoG directive (
BoG 2021b) requires Ghanaian banks to adopt an adequate risk culture. Corporate firms in Ghana are increasingly also being induced by their Institute of Directors (IoD-GH), the Private Enterprise Foundation, and the State Enterprise Commission to enhance effective risk-culture and corporate-governance practices to compete effectively and efficiently internationally (
Agyemang and Castellini 2015). The IoD-GH recommends that legal and regulatory frameworks should be reinforced and that governance roles and responsibilities should be clarified. Other measures recommended include strengthening enforcement mechanisms by providing training, logistics, and equipment, as well as an independent judiciary and more active reporting on issues of corporate governance by the media (
Agyemang and Castellini 2015).
The research goal of the current study was to assess the perceived relationship between risk culture and monitoring and reporting procedures of Ghanaian banks, their three lines of defence, compliance, internal auditing, disclosure of operational risk information, and guidance from the Ghanaian banking regulator on their operational risk management practices. This study also aimed to determine the challenges that participating Ghanaian bank employees experience with the implementation of a risk culture at their respective banks.
3. Methods
This study investigated the relationship between the risk culture of Ghanaian banks and their operational risk management practices. This study aimed to make generalisations about risk culture and operational risk within the Ghanaian banking sector. The positivistic research paradigm was deemed most appropriate, based on the works of
Saunders et al. (
2012),
Mutezo (
2015), and
Schindler (
2019).
A non-experimental descriptive research design was selected to address the research questions and research objectives (see
Creswell 2014;
Saunders et al. 2012). A non-experimental research design describes the phenomenon and examines relationships between different phenomena without any direct manipulation of conditions that are experienced during the research process (
Creswell 2014;
Schindler 2019).
A quantitative research method was implemented, as this research approach involves collecting primary data from a representative sample with the objective of generalising the results to the target population. A further reason for implementing this research method is that it stems from empirical generalisations, which can then be utilised to determine future outcomes or be implemented to solve a specific research problem (
Mutezo 2015;
Schindler 2019;
Tustin et al. 2010). As
Newby (
2010) explains, the ultimate objective of quantitative research is to produce theory, truths about behaviour, and relationships applicable in various circumstances.
From the literature review, it was evident that specific individuals equipped with specialised knowledge of operational risk management had to be targeted within the Ghanaian banking sector.
Purposive sampling was, therefore, best suited to address the research problem of this study. To ensure a homogeneous sample, respondents were carefully selected based on their relevant background and knowledge of the subject area. The sample included individuals specialising in operational risk management, risk governance and compliance, banking supervision, and risk analyses, as well as staff members involved in the implementation of the operational risk management requirements of the Basel regulatory framework. Unfortunately, no such information was available in the public domain. Consequently, a database comprising 126 Ghanaian bank personnel employed at the 23 Ghanaian banks with the relevant background, experience, and specialised knowledge of operational risk management, risk culture, banking supervision, and the implementation of the Basel regulatory framework was developed. The Ghanaian banks selected to participate in the study comprised the 23 banks operating in Ghana, all of which were registered members of the Ghana Association of Banks at the time (
BoG 2022). The database was developed by conducting web searches, liaising with the Ghana Association of Banks (GAB), and appointing a fieldworker employed at the Ministry of Finance in Ghana who was able to correspond and interact with each of the 23 selected Ghanaian banks to obtain the contact information of appropriate Ghanaian bank personnel to form part of this study’s sample. A questionnaire was employed as the data-collection instrument, distributed via e-mail to the 126 identified respondents. The questionnaire was considered the optimal method for the collection of data due to geographical and financial constraints. An additional reason for making use of a questionnaire was that the respondents were able to complete the questionnaire in their own time, when it suited them best, to ensure a high response rate. The questionnaire comprised closed-ended and open-ended questions. For the closed-ended response categories, a four-point Likert scale was chosen to collect the data, which varied from “strongly agree” to “strongly disagree” and from “a very large extent” to “no extent”. The open-ended questions were included to obtain additional information and equip the researchers with an improved perspective on the challenges the respondents experienced with the implementation of an appropriate risk culture that supports the effective management of operational risks.
For this study, two inferential statistical tests were conducted: the Mann–Whitney U test and multiple regression analysis. The Mann–Whitney U test, designed to compare the medians of two independent variables, was employed here to test whether a statistically significant relationship existed between specific constructs, which were closely associated with the research objectives of the current study. This non-parametric test was utilised since the measured data were on an ordinal scale. The chosen level of significance for this study was 0.05. For a statistical test to be considered statistically significant, the calculated
p-value has to be lower than or equal to 0.05 (
p ≤ 0.05) (
Anderson et al. 2018).
Multiple regression analysis was utilised for this study to model the relationship between a continuous dependent variable and a number of independent variables. The results of the multiple regression analysis provided an indication of the percentage of variance in the dependent variable that is explained by the independent variables, as well as the significance of each individual predictor (
Cooper and Schindler 2014;
Pallant 2020;
Saunders et al. 2012;
Williams et al. 2012).
This study adhered to all the required ethical procedures and considerations to ensure that it was conducted in an ethical manner.
5. Discussion
The literature points to the complexity of creating an adequate risk culture appropriate to any bank, its business model, and the requirements of the regulator. The regulator (the BoG in the case of this study) requires an adequate risk culture, and it remains the responsibility of the individual banks in Ghana to create such a risk culture for themselves.
The implications for practice are therefore that Ghanaian banks need to incorporate risk culture into their control systems. The point of departure should be to pay attention to internal controls, such as ethical standards and formulating organisational norms regarding the handling of failures. In arriving at a common understanding about adequate and ethically acceptable risk behaviour, each bank will have to align its action controls (organisational structure, accountability, and supervision), results controls (incentive systems), and personnel controls (hiring and training, communication, knowledge, and personnel characteristics) with one another. Another implication is that changes to the external controls may also be needed, and that leadership and integrity need to be promoted by the Ghanaian government, the BoG, and the IoD-GH as part of enhancing a national culture of integrity.
The study found significant relationships (at the 5% level) between risk culture and monitoring and reporting procedures, the three lines of defence, compliance, internal auditing, disclosure of operational risk information, and guidance from the banking regulator in the Ghanaian banking sector. However, the respondents reported the following challenges with their risk culture (in order of priority): training and development, communication, reporting and disclosure, roles and responsibilities, performance appraisal, and technological and environmental barriers.
From the literature and the data collected, it was concluded that significant guidance and training need to be provided to Ghanaian banks to enhance a risk culture that supports and promotes the effective management of operational risk. Ghanaian banks will need to recruit, retain, and develop experienced and knowledgeable bank employees with the necessary knowledge, skills, attitudes, values, and attributes to manage operational risks successfully. Therefore, they must prioritise offering regular training opportunities to all staff members at different hierarchical levels on how to manage operational risk in accordance with the Basel III regulations and deal with operational risk in a dynamic manner. The training interventions could focus on the following key areas for Ghanaian banks:
Creating awareness among bank employees of the importance of operational risk management to ensure the resilience and sustainability of Ghanaian banks.
Fostering a stimulating environment where knowledge and competencies of operational risk management are cultivated, valued, and developed.
It is critical that Ghanaian banks recognise and appreciate that the communication of operational risk information between staff members should be a continuous, interactive process of obtaining, providing, and sharing the required information. Pertinent, structured communication channels should be established throughout these banks to ensure that operational risks are identified in a timely manner, correctly understood, and managed appropriately. The board of directors and senior management of Ghanaian banks have a vital role in establishing and maintaining these communication channels so that operational risk information flows vertically and horizontally throughout the bank. The two communication lines that should receive top priority are, firstly, communication between the board of directors and senior management, and secondly, communication between the three lines of defence. With the successful establishment of these communication lines, operational risk information will be more accurately distributed across the business lines of Ghanaian banks.
For Ghanaian banks to foster effective operational risk management practices, it is recommended that an incentive system should be instituted to promote prudent risk-taking and accurate decision-making. Effective operational risk management practices exercised by bank employees should thus be appropriately acknowledged and rewarded. An incentive system will encourage bank employees and could be utilised to identify shortcomings in an employee’s operational risk management competencies, capabilities, and behaviour. This will likely remove unethical careless behaviour, enhance the quality of operational risk management practices across the entire bank, and improve the risk culture.
Research on emerging operational risks, such as ICT risks for banks operating in Ghana, is necessary since all banks have become increasingly dependent on information technology. Ghanaian banks can advance their operational risk management practices and adapt to volatile banking environments by training risk management personnel to identify and manage ICT risks effectively. Furthermore, investment in artificial intelligence to assist Ghanaian banks to successfully manage ICT risks should be considered.
Additional challenges that Ghanaian banks should address are ensuring that their organisational structure, accountability, and banking supervision influence their risk culture positively and encouraging effective operational risk management practices.
The first limitation of this study was that the data-collection phase took place over 22 weeks. A longitudinal study spanning multiple years could be considered for future research purposes. Such an approach would allow the collection of additional information and observe how specific variables change over time, enabling the improvement of the findings presented in this study. The second limitation was that it was not possible to conduct face-to-face interviews with the sample group of respondents because of financial and technological constraints. The collection of primary data by means of face-to-face interviews and using a qualitative approach could be considered for future research purposes.
6. Conclusions
Arhenful et al. (
2019) found that the ineffective management of operational risk has a negative impact on the financial performance and sustainability of commercial banks operating in Ghana. This was also confirmed by
Gadzo et al. (
2019), who stated that the risk culture, risk governance, and operational risk management practices of Ghanaian banks are not effective and need to be improved as they directly impact the financial performance and competitiveness of Ghanaian banks (
Ozili 2019).
The purpose of this study was to investigate the risk culture perceptions of Ghanaian bank personnel and to provide recommendations to enhance the risk culture among Ghanaian banks to promote effective operational risk management practices. Any challenges faced regarding risk culture need to be addressed to enhance the successful implementation of operational risk management and ultimately ensure the financial stability and sustainability of banks in Ghana.
As indicated in
Section 4.2.1, the participating Ghanaian banks valued the effective management of operational risk as a notable contributor to enhancing the financial stability and sustainability of banks and serving as a competitive advantage in their environment. However, the awareness among Ghanaian banks of the irrefutable value of risk culture could be further enhanced by improving the values, norms, and culture prevalent in the business environment and by improving the knowledge of risk culture among the staff members of banks in Ghana, as envisaged by
Kunz and Heitz (
2021).
The interrelationship between risk management, risk culture, and risk governance should be clearly understood and appreciated by banks to provide them with the required risk culture framework and management controls to manage operational risks effectively, in line with research findings by
Evans and Selim (
2015), the
International Finance Corporation (
2015), and the
IRM (
2012b). However, Ghanaian banks will only achieve risk-intelligent culture status once the challenges identified in
Section 4.2.3 have been adequately addressed.
Risk culture is a continuous, dynamic process and can be improved significantly by strong leadership and commitment by top management. Top management needs to uphold principles that ensure moral conduct and demonstrate integrity, ethical conduct, respect, and accountability. A risk culture that encourages and sustains regular interaction among relevant parties has been found to enable and enhance the operational risk management practices of banking institutions. For this reason, all the employees of a bank should understand and acknowledge the importance of risk culture and the significant role it plays in the ability of a bank to identify and manage operational risk successfully.