During the financial crisis, many U.S. banks' perceived impact on the financial system and the overall economy was so strong that they were ultimately deemed "too big to fail." Now the concept of strength has taken on new context within the banking sector as large financial institutions continue to work at getting to "strong" under heightened regulatory agency expectations.

Many institutions have managed to strengthen their capital positions. However, in risk management capabilities, another area of heightened expectations, many firms are still striving towards being rated "strong" by the regulatory agencies. Many banks currently rate only as "satisfactory," based on guidelines from both the Office of the Comptroller of the Currency and the Federal Reserve. Interestingly, the Fed has asserted that many banks are not strong enough regarding risk management because they are not paying attention to risks related to their specific assets and operations.

It is not hard to identify what is being done right at the institutions that garner high ratings. However, as any schoolteacher can attest, one of the toughest parts of grading is pinpointing the issues that hold back C-plus students from becoming B-plus students. The difference between "satisfactory" and "strong" risk management is analogous. Making the shift hinges on issues tied to two subjective traits within the organization that have a significant impact, but cannot simply be flipped on and off like a light switch: culture and leadership.

A strong risk management culture can only be created when the board of directors is not afraid to challenge management and is involved in facilitating this culture throughout the organization, without assuming responsibility for running the bank. Working closely with risk committees, the board must move towards a more tactical and anticipatory approach in helping to identify and mitigate organizational risk. 

While it's imperative that the CEO and executive management team visibly support the chief risk officer and all second lines of defense, it is equally important that business leaders be held accountable for the self-identification of and ownership of the risks in their individual units. Business leaders cannot solely rely on the risk management or auditing functions to identify the risks in their units. The fact is, a risk management culture must be built from the top down as well as the bottom up, or it will likely remain "satisfactory" at best, if not face outright failure during a future crisis.

Strong leaders must be placed in key roles that involve risk management responsibilities. Focusing on compliance is not good enough. For an institution to be strong, it needs a chief risk officer who has a clear, highly regarded role within the organization, a voice that drives the risk management-focused culture, and a willingness to challenge business executives as well as the executive management team.

Personnel in second and third lines of defense (risk management, compliance, credit review and internal audit) also need to demonstrate this sense of leadership. They must not only be highly competent in risk subject matter, but also be inquisitive, confident, anticipatory and adaptable. They must take on the responsibility of identifying and recommending ways of strengthening weak points in their organization's processes and controls.

There has been tremendous progress in the banking sector over the past three years, but to say that we are even close to finished would greatly underestimate the work that remains. Recent surveys point to ongoing challenges in fundamental areas such as timely and accurate data as well as deeply embedded risk appetites.

Many financial institutions still need to take a hard look in the mirror when they think about getting to strong. A culture that does not embrace risk management will unknowingly embrace the polar opposite — unmanaged risk. The responsibility to change that culture falls on an organization's leadership, but the right leaders must be in place to effect such change.

We can talk all we want about policies, process, and technology, but in the end, financial services remains a people-based business. People make daily judgments that impact the ultimate application of such policies and processes. Having the right people in the right spots, operating under an appropriately risk-based culture, will yield the strong institutions of tomorrow.

Cory Gunderson is a managing director and leader of the risk and compliance practice at global consulting firm Protiviti Inc.