Risk Culture Failures in Indian Financial Institutions

Most Indian financial-services failures of the past decade did not happen because policies were absent. The IL&FS group had a documented enterprise risk framework, a board risk committee, and external risk consultants engaged. PMC Bank had RBI-mandated credit policies and internal audit. DHFL had a stated risk-appetite statement. Yes Bank had a chief risk officer reporting to the board. Each entity could produce a binder showing the right policies on the right letterheads.

What each lacked was a working risk culture: the day-to-day pattern of decisions, escalations, and consequences that determines whether the policies are followed when commercial pressure pulls the other way. The RBI Working Group on Internal Audit (2023) and the IRDAI Corporate Governance Guidelines (2024) both now reference culture explicitly, but neither defines it tightly. Defining it is the institution's own job.

Risk culture is the set of shared expectations about how risk decisions are taken, who can challenge whom, what gets escalated, and what consequences follow good and bad outcomes. It shows up in observable behaviours, not in stated values.

Indicators of a healthy risk culture include:

• second-line functions (risk, compliance, internal audit) can stop a deal or a product launch without senior management retaliation
• bad news travels upward faster than good news, especially near reporting periods
• the most respected leaders in the organisation can name a deal they walked away from on risk grounds
• whistleblowers receive responses, not just acknowledgements
• consequence management is visible: people are removed for risk failures, not just for missing budget

Indicators of an unhealthy risk culture include:

• the chief risk officer or compliance head changes frequently, with the predecessors leaving on disagreements that are not openly discussed
• internal audit reports are softened in revision, with disagreements between auditor and auditee resolved by the auditor
• the same names appear repeatedly in complaint, whistleblower, and incident logs without consequence
• target-setting is anchored to last year plus a growth percentage, regardless of changed risk conditions

Five culture-failure patterns recur across Indian financial-sector incidents.

First, promoter dominance suppressing second-line voice. In several large failures, the chief risk officer and the auditor reported nominally to the board but practically to a dominant promoter or CEO. Disagreements were resolved by quietly moving the dissenter rather than by elevating the issue.

Second, targets disconnected from risk appetite. Growth targets cascaded down from the board did not translate into proportional risk-capacity uplift. Front-line staff met targets by adjusting risk, not by changing strategy.

Third, selective application of policy. Policies were enforced rigorously for small accounts and routinely waived for large accounts on "strategic" grounds. The waiver pattern, visible in retrospect, was invisible at the time because each exception was minuted in isolation.

Fourth, delayed bad news. Loss events, near-misses, and adverse audit findings travelled slowly upward, often arriving at the board only when external pressure forced disclosure. The result was governance reactive to outside events rather than ahead of them.

Fifth, whistleblower retaliation, formal or informal. The whistleblower mechanism existed on paper, but identification and adverse career outcomes for past whistleblowers were known internally. Subsequent whistleblowers calibrated accordingly.

Risk culture cannot be audited the way a control framework can, but it can be measured through a combination of leading indicators and structured assessment.

Leading indicators that should be tracked at the board:

• policy-exception rate for each business line, with trend and outlier review
• risk-event log volume, particularly near-misses, with deliberate attention to under-reporting
• turnover in second-line and audit functions, broken down by voluntary and involuntary
• complaint volumes broken down by source: customers, employees, regulators, whistleblowers
• time from incident to board notification, with explicit tolerance for outliers

Boards are the institution's culture in concentrated form. The IRDAI Corporate Governance Guidelines, 2024 and the RBI's Master Direction on Governance, 2024 both expect board oversight of culture, but expect rather than prescribe.

A risk-culture-conscious board does five things consistently.

First, it spends meaningful time with the second-line heads in executive session, without the CEO or management present. The chair sets a pattern of asking what is being decided by management that risk or compliance would not approve.

Second, it tracks the tenure and exit reasons of CROs, compliance heads, internal auditors, and chief actuaries across the institution and its subsidiaries. Frequent exits, especially with non-disclosure agreements, are a red flag.

Third, it treats whistleblower reports as a board-committee agenda item, not as a management report. The audit or risk committee should see every material whistleblower case and the resolution path.

Fourth, it links executive compensation to risk metrics, not just financial metrics. Deferral, clawback, and conduct adjustments should be explicit and applied.

Fifth, it publishes a culture statement that is specific enough to be falsifiable. Generic statements like "we put the customer first" are pre-failed; specific commitments like "we will not approve a product unless the compliance head signs off" can be tracked.

Indian insurance has its own pattern of culture failures, less spectacular than banking collapses but more pervasive. Three are visible in IRDAI enforcement and policyholder ombudsman data.

The first is target-driven mis-selling in life insurance, particularly through bancassurance and corporate agency. Persistency below 60% at 13 months is a near-certain sign of culture failure, not just product failure. Insurers and bank-partners that allow this without consequence management are propagating the failure across cohorts.

The second is claim repudiation culture in health and motor insurance, where front-line claim handlers are tacitly rewarded for repudiations that hold up against ombudsman or court challenge, regardless of fairness. The IRDAI's claim-handling KPIs and the 2024 Master Circular on Health Insurance push against this, but rewards structures and supervisory tone matter more than guidelines.

The third is TPA accountability gaps, where insurer and TPA blame each other for delays and denials, leaving the policyholder caught between them. The culture failure here sits at both ends: insurers that do not invest in TPA oversight, and TPAs whose internal incentives reward throughput over fair adjudication.

Each of these patterns is visible in data the institution already holds. The question is whether the board chooses to look.

Repair is harder than prevention because the surviving population has learned to operate in the broken culture. Three interventions consistently move the needle, drawn from post-failure remediation programmes at Indian banks and global insurers.

First, change the consequence pattern visibly. The first 12 months of remediation should include at least one senior departure for risk-culture reasons, communicated internally with enough specificity that staff understand the standard. Quiet exits do not signal change.

Second, promote known dissenters. The institution almost always has staff who flagged the failing behaviour before the failure. Identifying and elevating them, including formally on the executive committee, is the most credible internal signal that the rules have changed.

Third, redesign incentive structures end to end. New variable-pay schemes with deferral, clawback, and risk-adjusted scoring take a full performance cycle to bite. Until they do, staff continue to optimise for the old scheme, which is what got the institution into trouble.

Culture repair is a 24 to 36 month effort even with capable leadership. Boards should sequence the work accordingly and resist the temptation to declare victory on early-cycle metrics.