Banks’ risk culture and management control systems: A systematic literature review

Over ten years of a debate about the best ways to make banks safer have led to the conclusion that improving their risk culture is one venue to achieve this goal. Consequently, different disciplines discuss topics related to risk culture from varying methodological angles. This effort of many scholars provides a rich basis of theoretical and empirical evidence to guide business practice and improve regulation. However, the application of many approaches and methods can result in fragmentation and loss of a comprehensive perspective. This paper strives to counteract this fragmentation by providing a comprehensive perspective focusing particularly on the embeddedness of risk culture into banks’ management control systems. In order to achieve this goal, we apply a systematic literature review and interpret the identified findings through the theoretical lens of management control research. This review identifies 103 articles, which can be structured along three categories: Assessment of risk culture, relation between risk culture and management controls (with the subcategories embeddedness of risk culture in overall management control packages, risk culture and cultural controls, risk culture and action controls, risk culture and results controls, as well as risk culture and personnel controls) and development of banks’ risk culture over time. Along these categories the identified findings are interpreted and synthesized to a comprehensive model and consequences for theory, business practice and regulation are derived.


Introduction
The banking and economic crisis of 2007/8 resulted in the call for a fundamental change of banks' professional norms (e.g., Cohn et al., 2017;Palermo et al., 2017;Pan et al., 2017;Power et al., 2013) and regulators started to emphasize the concept of risk culture in their standard setting (e.g., Carretta et al., 2017; European Banking Authority (EBA), 2017; Financial Stability Board (FSB), 2014).
As risk culture is part of qualitative regulation, those standards considering this topic provide a wide range of qualitative recommendations, covering internal controls, like remuneration, but also soft factors, like open communication (e.g., FSB, 2014). This qualitative character of risk culture and the related recommendations to establish it in a reasonable way, constitute a major challenge for banks: As literature on management controls stresses, corporate culture -and thus also a firm's risk culture as part of this corporate culture -constitutes a socially constructed management control system (Bedford & Malmi, 2015;Malmi & Brown, 2008;Merchant & Van der Stede, 2017), and it is embedded into a whole set of further management controls (Merchant & Van der Stede, 2017). Thus, when trying to develop an appropriate risk culture, banks have to cope with the need to change socially constructed entities and they have to consider and understand the mentioned embeddedness in whole sets or packages of management controls. Moreover, banks are confronted with partly contradicting external requirements, e.g., there is a strong tension between market and regulatory demands (Lim et al., 2017), which in turn result in contradicting demands with respect to risk behavior. If such complexities are neglected, the application of particular instruments to establish a reasonable risk culture might miss the intended effect (Power et al., 2013).
Due to this need for deeper insights into how risk culture can be implemented and managed successfully and sustainably in banks, since the last financial crisis scholars devoted increasing attention to this topic. For example, they discussed issues as diverse as the impact of incentive systems (Gande & Kalpathy, 2017;Iqbal & Vähämaa, 2019;Schnatterly et al., 2019) or the way to measure risk culture (e.g., Sheedy, 2016;Sheedy et al., 2017). Within these emerging research fields different methods and theoretical perspectives are applied. This differentiation fosters a pluralistic perspective on banks' risk culture and thereby provides the possibility to develop a broad set of recommendations for business practice and regulation. However, it also bears the risk of fragmentation and mitigates the development of a comprehensive view on banks' risk culture. Particularly, as different authors stress different building blocks to achieve a proper risk culture, it is difficult to select and prioritize the relevant building blocks. This is all the more true since regulators do not show causal relationships between individual building blocks in their papers, but rather list them individually. Moreover, scholars disagree on the relation between certain instruments and risk culture. For example, Stulz (2016) discusses incentives and culture as two distinct measures to influence prudent risk-taking, while McConnell (2013) mentions remuneration as integral component of risk culture. Finally, in the wake of the last financial crisis, the discussion on risk culture became ethically inflated, as an inadequate risk culture is seen as an important reason for misconduct. In summary, there are many reasonable views on risk culture in banks, but they need to be integrated to develop a more coherent understanding that allows banks to develop their risk culture in an appropriate direction.
The present paper aims to provide insights for such a coherent understanding by focusing particularly on the embeddedness of risk culture into banks' management control systems. In order to achieve this goal, we apply a systematic literature review and interpret the identified findings through the theoretical lens of management control research. When defining a clear-cut inclusion criterion for the considered articles in this review, we have to consider that this field of research is still under development. In order to cover the relevant literature, we selected those articles which simultaneously deal with risk culture and management control systems or particular elements of these systems both in the sense of explicitly combining them but also in the sense of discussing them in a less related way. Thus, we consider both articles which explicitly strive to understand risk culture in relation to management control systems and articles which at least point to the fact, that risk culture has to be understood in the broader context of (elements of) management control systems, without necessarily providing the precise relations between them. The application of this systematic literature review allows the structured discussion of recommendations for business practice and regulation as well as the derivation of promising paths for future research. Thereby, the analysis mitigates increasing fragmentation and helps to direct future research effort to existing blind spots.
On the one hand, our study extends the mainly interpretative research in management control literature that aims to foster the understanding of effective practices to achieve an appropriate risk culture (e.g., Mikes, 2009Mikes, , 2011Power, 2009). By combining evidence from this literature with further insights from other research streams on risk culture, we broaden the perspective and provide a comprehensive view on risk culture as management control system and its embeddedness within other management control systems. This makes our study one of the few analyses that deal explicitly with the relationship between risk culture and management control systems. On the other hand, we provide evidence to enhance theory and business practice on risk culture in banks by compiling the current state of research, bringing together the most important findings and highlighting existing research gaps. Particularly, we discuss in detail issues related to the assessment of risk culture, the relation between risk culture and other management controls and the possibility to change risk culture. Moreover, we provide a comprehensive model relating risk culture to other management control systems in order to disentangle their complex relationships. From these insights, we draw recommendations for business practice, regulators, education and research.
The remaining paper is structured as follows: To lay the ground for the following analysis, in Sect. 2 we derive a definition of risk culture within banks and relate it to management control research. Based on this combination we elaborate on the relevant categories to be analyzed in order to derive the intended comprehensive view. Section 3 provides detailed information regarding the procedure to identify the relevant literature for the systematic literature review. Section 4 covers the results of the systematic review and in Sect. 5 we discuss these results. Section 6 contains concluding remarks and the discussion of the limitations.

Risk culture and management controls
According to Schein (1990) organizational culture is the derivative of organizational learning processes through which particular norms and behavioral patterns have evolved that served to solve problems in the past. It "may be defined as the shared basic assumptions, values, and beliefs that characterize a setting and are taught to newcomers as the proper way to think and feel, communicated by the myths and stories people tell about how the organization came to be the way it is as it solved problems associated with external adaptation and internal integration" (Schneider et al., 2013, p. 362). As a consequence, organizational culture is a dynamic organizational phenomenon whose content can change over time dependent on organizational learning within changing environments due to external pressure und internal processes. Risk culture forms part of the overall organizational culture and describes the way an organization takes and manages risk (e.g., Australian Prudential Regulation Authority (APRA), 2016). Similar as overall organizational culture, also risk culture develops according to learning processes related to external and internal determinants, as exhibited by relevant definitions.
One frequently cited definition is applied by the Institute of International Finance (IIF) (2009), which is also used by the FSB (2014) and the APRA (2016). They define risk culture as "the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss and act on the risks the organization confronts and the risks it takes" (IIF 2009, p. 35). According to the Institute of Risk Management (IRM) (2012, p. 7) risk culture comprises "the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organization." Another well-known definition of risk culture as "bank's norms, attitudes and behaviors related to risk awareness, risk-taking and risk management and controls that shape decisions on risk" is provided by the Basel Committee for Banking Supervision (BCBS) (2015, p. 2). Overall, these definitions stress the importance of individual perceptional and cognitive processes in combination with social interactions for the evolution of a bank's risk culture.
The literature further states that different organizations also can have different risk cultures (IRM 2012). Moreover, as the norms and traditions related to risk culture are formed via shared experiences over time, and these experiences are driven by various external factors, also various sets of shared norms and traditions within organizations are possible.
However, despite the possible differences between risk culture across and within banks, the FSB (2014) suggests four core elements that support a sound risk culture in each bank: tone from the top, accountability of employees, adequate incentives and effective communication and challenge. The IRM (2012) adds further aspects, like the commitment to ethical principles or risk event reporting. These aspects are part of an overarching management concept that is anchored in the bank's internal management control systems. Thus, as also outlined by the APRA (2016) in addition to the less formal psychological and social processes mentioned above, formalized systems also have an influence on the orientation of risk culture.
Finally, the adequacy of a particular risk culture must always be assessed in the light of a bank's business model. Regulators expect banks to implement a prudent risk culture, which does not necessarily mean that banks should be as risk-averse as possible. Rather, it is intended to promote a risk behavior that only allows the bank to take acceptable risks, so that it can prosper sustainably and does not get into financial difficulties (e.g., FSB, 2014).
Overall, the mentioned definitions stress that risk culture refers to a general organizational attitude towards risk and its handling. It constitutes the shared experiences of individuals and comprises norms, values, traditions, and attitudes, which lead to particular activities related to the handling of risk and its consideration in decision processes. It is formed through the interaction between informal psychological and social processes, formal instruments, like reward systems, and external circumstances, like regulation. Risk culture is therefore an elusive phenomenon, the development of which is difficult to predict. Nevertheless, regulators expect banks to exert a targeted influence on their risk culture and to develop it in an appropriate direction, i.e. in a manner that fits to their business model and does not result in financial distress.
Management control systems can be defined as a collection of practices that are intended to align staff's decision-making and action taking with overall organizational goals (e.g., Anthony, 1965;Berry et al., 1995;Chenhall, 2003;Gooneratne & Hoque, 2013). While in older research a more objective perspective on management controls can be observed, more recently scholars stress that management control systems "are also viewed as socially constructed phenomena within the particular context in which they operate; being subjected to wider social, economic and political pressures" (Gooneratne & Hoque, 2013, p. 147). Given this definition, on the one hand, it becomes clear that literature of management controls can help to make sense of banks' risk culture and its relation to the mentioned instruments as well as to foster its active development into an adequate direction. On the other hand, according to this literature, culture is its own management control system (Malmi & Brown, 2008;Merchant & Van der Stede, 2017). Thus, a deeper understanding of risk culture, as a particular part of culture, also can inform management control research. Especially it can add insights to the growing research stream on management control systems in banks (Gooneratne & Hoque, 2013). In order to achieve both goals, we derive three issues, which are to be clarified by the systematic literature review.
First, the idea of management controls is closely related to the idea of making issues relevant to organizational goal achievement assessable. At first glance, this statement seems to be at odds with the previously derived definition of risk culture and the conclusion that it is an elusive phenomenon. Moreover, particularly authors from the field of management controls, like Power (2009) andMikes (2009), are rather critical regarding a culture of assessment or even precise measurement in the context of risk culture. However, in order to embed the active management of risk culture within banks, this management process has to be conceptualized in a way 1 3 that fits to the general thinking within this industry. The banking industry not only has to cope with qualitative but also with quantitative regulation, which still results in a clear focus on measurable aspects. Moreover, in order to learn about possible progress made in developing an adequate risk culture (i.e. a risk culture that fits the selected business model), banks need clear benchmarks. Consequently, possible ways of assessing risk culture constitute the first category of the following systematic literature review. In detail, we elaborate on existing assessment instruments in extant literature and on the need for future research.
Second, as previously discussed, to achieve a risk culture that fits to the selected business model, regulators as well as recent literature propose to implement certain instruments, like appropriate incentive systems, adequate communication structures and suited leadership. Thus, the understanding of the relation between particular instruments as part of management control systems and banks' risk culture constitutes a second important issue. Management control research provides frameworks to foster this analysis. Based on previous research (e.g., Galbraith, 1973;Lawrence & Lorsch, 1967;Perrow, 1970;Thompson, 1967), Chenhall (2003) classifies management controls in the two broad categories of organic, less standardized and mechanistic, formalized management controls. Merchant and Van der Stede (2017) provide a more nuanced categorization by differentiating results controls (focusing on the outcomes of employees' work activities), action controls (setting decision frames within that decision makers can operate), personnel controls (ensuring a good fit between the recruited employees and the job requirements) and cultural controls (norms, traditions and organizational values). Malmi and Brown (2008) separate five types of management controls: Planning controls are dedicated to the definition of targets of different business units and their coordination. Cybernetic controls constitute activities that ensure goal achievement through for example budgets and performance measures. Reward and compensation controls comprise incentive systems to motivate employees to behave in accordance with organizational goals. Administrative goals consist of organizational structures, procedures and routines. Cultural controls focus on the application of organizational norms and values to influence employees' behavior.
Banks' risk culture is part of cultural controls and as such, forms part of organic, less standardized management controls. In contrast, those aspects that are discussed in literature as important to reach a risk culture that fits the business model form part of other management controls, like results/rewards and compensation controls. The systematic literature review builds on this observation and serves to identify these aspects discussed to date and their relation to risk culture. To assure a structured discussion of the articles assigned to this category, we apply the framework designed by Merchant and Van der Stede (2017), that provides the subcategories cultural, action, personnel and results controls. In the first subcategory, cultural controls, we present articles that for example deal with different manifestations of risk culture as one form of cultural controls, that emphasize ethical aspects as another part of cultural controls or that indicate an impact of national culture in this context. Further three subcategories deal with articles which provide insights regarding one of the relations between banks' risk culture and action, personnel and results controls. Additionally, we identified articles which deal with more comprehensive frameworks related to banks' risk culture comprising issues considering all kinds of management controls. These articles are discussed in one further subcategory.
Third, management control systems are not static, but they develop over time, the same holds for banks' risk culture and its embeddedness in banks' overall management control systems. This observation leads to a third important issue which is related to the nature of the change and the changeability of risk culture in banks and its relation to management controls.

Method
To get a comprehensive overview of the recent developments in risk culture research we performed a systematic literature review (Tranfield et al., 2003). The previous discussion on risk culture in Sect. 2 indicates, that risk culture, as an immaterial, organizational and social phenomenon, is difficult to delimit, which complicates the design of a systematic literature review, as many aspects can affect it, which in turn become important for management control systems to manage it. In order to do justice to this problem and the continuous progress of research in this rapidly growing field, we have conducted multi-phase research. The starting point here was a broad view on the topic.
As adequate risk culture is reflected in risk taking behavior that fits to the selected business model, in the first phase we focused on both, articles that explicitly cover the topic banks' risk culture and papers that deal with risk taking in banks. However, with respect to the latter topic we concentrated on papers that are related to qualitative regulation, i.e. aspects of quantitative regulation like proper risk measurement tools, capital requirements, credit regulation regimes and similar aspects were not considered. In order to achieve a broad perspective on the topic, in this first phase we included peer reviewed articles from two different sources. Furthermore, as we deemed risk culture as a more recent concept in the area of bank regulation, we restricted this first search phase to the time period of January 1997 to the beginning of November 2019.
First, we performed a comprehensive database research of articles in the Abi Inform Complete database (only peer reviewed articles, English language) with the keywords risk culture, risk climate, risk management and risk taking as part of the title, abstract or keywords in the articles. This search was intended to provide a broad overview of relevant articles across all levels of peer-reviewed journals without any restrictions in terms of ranking levels. Due to the great amount of unfitting search results, we had to narrow, where appropriate, the thematic scope by applying by the database provided pre-set filters to exclude articles focusing on other research topics, such as for example public health. This search procedure provided in a first step the results illustrated in Table 1, where the first row shows the results without the pre-set filters and the second row those results applying the pre-set filters, respectively.
However, despite the application of the pre-set filters, the received hits still contained a large number of articles, which were not in the focus of the present study, as they did not deal with risk culture in the banking industry, but e.g. risk taking related to sexual behavior or risks related to climate change. A research fellow (master level) knowledgeable in the field of risk management scanned these articles for their relation to risk culture in terms of a general organizational attitude towards risk and its handling in banks. This procedure resulted in 95 articles, which he considered as potentially relevant.
Second, in this first phase we in parallel performed an additional in-depth search in several premium journals to additionally identify those articles which were not listed in the database or which were related to our topic but could not be identified via the keywords within the database. We decided to perform this step, although it might result in a certain bias as here we explicitly focus on highly ranked journals, as we consider articles in these journals to be the most impactful, whose neglect in an overview would result in considerable restrictions. By pursuing this double strategy (database search and journal search) we try to do justice to the tension between breadth and depth of a literature review as mentioned by Tranfield et al. (2003), which arises especially in a still young and self-defining field.
As we focus on both risk culture in banks, i.e. a finance topic, and management control systems, i.e. a management control topic, we selected journals from two disciplines: On the one hand, as we focus on risk culture in banks, we considered financial premier journals. We identified the following journals using journal ranking and bibliometric studies (e.g., García-Romero et al., 2016;Ritzberger, 2008;Schäffer et al., 2011)  During the first search phase, we performed several searches: The first one in February 2018 covered literature from January 1997 to February 2018, the second considered the literature from March to September 2018, the third search was dedicated to papers published from October to December 2018 and the fourth dealt with articles from the period of January to November 2019. Thus, data provided in Table 1 covers the sum of the hits found in all searches. Moreover, with respect to risk management and risk taking we focused during the first search (performed in February 2018) only on the title, as the search within abstracts and keywords yielded unreasonably high results, which were not linked to our topic. Thus, regarding risk management and risk taking  Bonner et al. (2006) and Balstad and Berg (2019). The search, which was performed by reading the title and the abstract, in these premier journals lead to 310 potentially relevant articles. The search in the journals was conducted independently by one of the two authors and partly by a research fellow (master level) knowledgeable in the field of risk management.
In the further process the authors once again read the abstracts or, if necessary, the complete texts of the articles so far identified in the database and the premier journals as potentially relevant. During this process further articles were identified which, in contrast to our or the research fellow's initial judgement, did not provide insights directly related to risk culture as a qualitative aspect of regulation, but 1) focused mainly on aspects related to quantitative regulation like risk measurement or capital requirements, 2) covered a much broader perspective, like risk management or risk taking in banks in general or 3) dealt with risk management in general independently of the industry. Therefore, further articles, which were initially considered as potentially relevant by one of the authors or the research fellow, were excluded from our sample after debating it with the other author. Moreover, those articles which focused on risk culture in the sense of the present paper were further analyzed whether they also contained a relation to management control systems as defined in the present paper. This procedure reduced our sample from initially 405 potentially relevant articles to 37 articles. One further article was eliminated due to a reviewer recommendation during the revision process leading to a sample of 36 relevant articles. To assure completeness of our sample, we hereafter executed a backward search, i.e. we analyzed the literature of our sample and identified 15 additional articles that we considered in our further analysis. Finally, we retained 51 articles in our sample.
However, as research on risk culture is conducted with growing interest and published in a broad range of journals apart from premium journals and potentially not listed in the ABI Inform Complete database, we decided to execute a second search phase in June 2020. During this search, we did not focus on a pre-set period of time to additionally also cover literature, which was overlooked during the first phase as it was published before the pre-set time frame. We decided to make this change to the search framework because when we read the articles already identified we noticed that some older sources were indeed cited. We searched the following databases: Abi Inform Complete (226 hits), Business Source Premier/EconLit (111 hits), Ingenta (225 hits) and Science Direct (114 hits) with the search strings "risk culture AND bank" and "risk climate AND bank" in title, abstract or keywords. It has to be mentioned, that due to this more focused search strategy in terms of the search string, this second search provided a much lower number of initial hits, while yielding a number of additional articles almost comparable to the outcome of the first search phase. Additionally, we searched the first 200 hits of Google Scholar applying these search strings. The total amount of hits contained 148 duplicates. After reading the 1 3 abstracts and partly the papers, we identified 32 articles additionally to the previously selected papers. These articles also were subject to a backward search, which yielded 20 further papers. Thus, in total we identified 103 relevant articles.
The identified literature is structured along those categories that are derived in Sect. 2: The first category focuses on the assessment of risk culture. The second category deals with the relation between risk culture and particular management controls or packages of them. We differentiate five subcategories: The first subcategory contains articles dealing with more holistic aspects regarding the embeddedness of risk culture in overall management control packages. They mention several management controls simultaneously. The remaining four subcategories are dedicated to articles which focus on one of the four management control types introduced by Merchant and Van der Stede (2017), i.e. cultural, action, results and personnel controls. In the third category we elaborate on issues related to the development of banks' risk culture over time. Table 2 provides an overview of the papers, the applied method and the sample, where applicable. Table 3 constitutes the concept matrix resulting from categorizing the content of the identified articles (Webster & Watson, 2002).

Assessment of risk culture
Literature regarding the assessment of risk culture still is scarce. We identified two validated scales and one framework. Sheedy et al. (2017) present a scale of 16 items (structured along four factors) to measure the perception of risk culture, which they call risk climate. The scale comprises the following dimensions: "Valued: Staff perceive that risk management is genuinely valued within the organization […] Proactive: Staff perceive that (in the local business unit) risk issues and events are proactively identified and addressed […] Avoidance: Staff perceive that risk issues and policy breaches are ignored, downplayed or excused in the organization […] Manager: Staff perceive that their (local) manager is an effective role model for desirable risk management behaviours" (Sheedy, 2016, p. 6). Sheedy (2016) uses this scale to investigate the relation between risk climate and banks' size. Sheedy and Griffin (2018) apply this scale to analyze staff's perception of risk culture and its relation with risk structures and risk behavior, i.e. in this recent publication, they switch from their previous term risk climate to risk culture. The data (30,126 responses by staff of banks in Australia and Canada in the period of 2014 to 2015) provides evidence for varying perceptions with regard to the quality of risk culture between business units and business lines and a rather complex relation between risk structures, risk culture and risk behavior. Muñiz et al. (2020) present another 18-item scale to assess risk culture in banks considering the four building blocks according to the FSB (tone from the top, accountability, effective communication and challenges, incentives), i.e. they more closely follow regulators' specifications, but also focus on staff's perceptions.

3
Banks' risk culture and management control systems: A systematic… Table 2 Method, sample and core aspects of the identified literature Author ( Impact of compensation structure on risk taking  Conceptual Impact of compensation structure on risk taking Table 2 (continued) Author ( Relation between compensation structure on risk taking Cohen (2015) Conceptual Relation between governance and risk taking 1 3 Banks' risk culture and management control systems: A systematic… Table 2 (continued) Author (   Banks' risk culture and management control systems: A systematic… Table 2 (continued) Author ( Table 2 (continued) Author ( Banks' risk culture and management control systems: A systematic… Table 2 (continued) Author (     Banks' risk culture and management control systems: A systematic…    Banks' risk culture and management control systems: A systematic…    (2016) transfers the Competing Value Framework to banks' credit culture to create an instrument, which allows banks to assess their culture. The original framework differentiates the four corporate culture orientations compete, create, control and collaborate, which are related to different leader styles, value drivers and basic assumptions about the means to effectively achieve goals (Quinn & Rohrbaugh, 1983). Thakor (2016) adapts this framework to assess credit culture and differentiates competitive individual culture (compete), product-innovation-focused culture (create), risk-minimization-focused culture (control) and partnership culture (collaborate). Banks act differently in the context of credit risk management depending on the particular culture type. In contrast to the two previously mentioned assessment instruments, Thakor (2016) does not provide a validated scale, but rather points to a more subjective self-assessment process.

Embeddedness of risk culture in overall management control packages
On a conceptually basis, several scholars develop and discuss comprehensive frameworks to foster banks' risk culture, which highlight learning from failure, organizational resilience and corporate governance as more general aspects, but also individual responsibility and supervision (which are related to action controls), remuneration systems (which constitute results controls) as well as training, recruitment and knowledgeable leaders (which are components of personnel controls) (Bott & Milkau, 2018;Cordery, 2007;Drennan, 2004;Drummond, 2002;Gontarek, 2016;Jackson, 2015;McConnell, 2013;Srivastav & Hagendorff, 2016;Wood & Lewis, 2018). Young (2011) adds the concept of high-reliability organizations to the discussion. They offer the possibility to establish more stable banks in terms of risk taking due to high levels of resilience and responsiveness, exemplary leadership and customer-centric objectives. Fritz-Morgenthal et al. (2016) and Yusuf et al. (2020) add to this further insights regarding the positive effects of an adequate risk culture on risk management.
These concepts promote a holistic perspective on risk culture or as Stulz (2008, p. 47) stresses: "If risk is everybody's business, it is harder for major risks to go undetected and unmanaged." This view underpins the importance not only of individual management controls in the context of risk culture, but also and especially of the importance of embedding risk culture in an overarching concept for entire management control systems. The following articles add to this perspective further insights. Cordery (2007, p. 64) elaborates on the severe foreign exchange loss announced by the National Australian Bank in January 2004 and identifies problems applying "behavioural controls, such as supervision and security restrictions, attitudinal controls affecting hiring procedures and corporate cultural development, and accountability controls consisting of budgets, targets, incentives and reporting" as instruments to attenuate dysfunctional behavior in this context. According to the author, particularly, incentive systems motivated dealers to break trading limits and to work around established control systems. Moreover, dealers did not exhibit proper 1 3 attitudes to behave in an ethical way. Although the bank applied codes of conduct signed by each employee, they were not trained to fill this declaration of intent with life and there was no exchange between the board members to develop systems implementing the declaration in daily business. Furthermore, due to a focus on profit only good news was passed to the top management. Additionally, board members did not have a full understanding of the business model and particularly the risk underlying it. Dellaportas et al. (2007) discuss the same case study, i.e. the National Australian Bank. They also highlight detrimental effects of incentive systems. Moreover, they stress that management followed a profit-oriented perspective, neglecting ethical aspects and that the organization operated in a bureaucratic manner, where top management focused on processes, documentation and procedure manuals instead of really understanding the issues. This points to dysfunctional communication structures. Furthermore, management also did not take on responsibility, personal and professional attacks were observed towards market risk and internal audit staff by traders and traders were selected only according to their ability to make profits irrespectively of how they achieved them.
Barings Bank is another prominent example of failing to embed a proper risk culture in an overarching set of management controls (Stonham, 1996a(Stonham, , 1996b. Drennan (2004) particularly points to missing personnel and action controls in this context. The author provides evidence that the recruitment of extreme risk takers in reaction to the de-regulation of the UK financial services market and dysfunctional supervision processes allowed Nick Leeson, a trader on the Singapore International Monetary Exchange (SIMEX), to continue fraudulent activities. He was not only Chief Trader but also Head of Settlements. Moreover, his local supervisor did not monitor him and his manager in London left the monitoring to the local supervisor. Drummond (2002) adds to the discussion that Leeson's supervisors were not knowledgeable enough to supervise his activities and operated in a state of "groupthink". Stein (2000) discusses the case of Barings Bank from a psychoanalytical point of view. He also identifies the deregulation of the UK banking sector as one major factor that enhanced the dysfunctional structures, which allowed Leeson to act without proper supervision.
Lehman Brothers constitutes a third example of failure, which is explicitly discussed in extant literature. Based on Schein's (2010) organizational culture framework Ganon et al. (2017) identify the behavior of Richard Fulder, the final CEO of Lehman Brothers, and the culture installed by him as major drivers for the bank's collapse, i.e. in this context the authors particularly stress the absence of proper personnel and cultural controls.
Literature dealing with the reasons behind the last financial crisis as well points to missing relations between risk culture and other management controls. Jackson (2015) highlights (among other aspects) inadequate incentives, poor information flows, poor leadership and no clear accountability as reasons for inadequate risk taking resulting in the financial crisis. Furlong et al. (2017) argue that misconduct, which also led to the financial crisis in 2007/2008, is rooted in poor judgements resulting from underdeveloped character dimensions and organizational culture which does not mitigate them. Thus, the authors focus on both personnel and cultural controls. They explicitly stress that poor conduct not only is an ethical or moral issue. This perspective has the advantage that " [v]iewing misconduct as a judgement issue instead of a moral issue engages audiences who want to improve decisionmaking but without the judging that is typically associated with moral agendas. Discussions can be had more dispassionately and rationally, and the audience does not feel themselves under attack" (Furlong et al., 2017, p. 208). The authors develop a Leader Character Framework that comprises those characteristics relevant for leaders to behave adequately. Hashagen et al. (2009) present a study with more than 400 participants (senior managers involved in risk management of banks) carried out by KPMG and the Economist Intelligence Unit. The participants were asked to name the weaknesses in risk management in banks that fostered the recent financial crisis and the measures that banks take to prevent such a crisis from occurring again. The participants stress the importance of risk culture and highlight the relevance of senior managers' leadership to implement a prudent risk culture, i.e. 77% of the participants stress tone from the top as one important issue to develop an appropriate risk culture. Also, proper remuneration and a strengthening of risk professionals' role is mentioned. However, as many as 45% of the banks surveyed also admit that their management boards do not have sufficient knowledge about risks.

Risk culture and cultural controls
The present section is dedicated to the relation between risk culture and banks' overarching cultural controls. Rad (2016) provides a particular perspective on this issue. The author focuses on the interplay between risk management and management control systems. Thus, he does not refer to risk culture, but rather to a concept which is related to it. However, by drawing on Simons' Levers of Control Framework to analyze this relation in two case studies, he identifies belief systems to be of high relevance in this context. Thus, although he does not focus on risk culture in particular, his analysis stresses the importance of cultural components, when analyzing the relation between risk management and management controls. Similarly, Stulz (2016) highlights culture as an important factor to mitigate the limitations of risk management.
While risk culture as such is by definition one component of cultural controls, it is also related to other aspects linked to this control type. One important aspect in this context are ethical issues. For example, Lui (2015) investigates five British banks and finds evidence that these banks have undergone a transformation from a customer-driven culture to a sales-oriented culture, which resulted in a greedy, reckless and dishonest behavior. Llewellyn (2014) discusses detrimental effects of banks' culture in the context of the last financial crisis. The author does not explicitly state risk culture, but rather refers to banks' culture in general and their effect on consumers. Nevertheless, it is clear from this discussion that risks relating to financial products must be clearly recognizable to customers in order to maintain a lasting basis of trust. In addition, he sees the establishment of cooperative banks as an opportunity to establish prudent risk behavior. Consequently, ethical behavior in terms of consumer-oriented and sustainable decision making can be related to prudent risk taking, which in turn is related to an adequate risk culture that mitigates systemic collapses of financial systems. Accordingly, Minto (2016) discusses the specific values of cooperative banks as reasons for these banks to cope much better with the financial crisis in 2007/2008 than commercial banks. The author specifically highlights trust and reciprocity, solidarity, mutualism, proximity and "relationship banking" via local presence, heterogeneity through member ownership as well as social commitment and the "cooperative spirit". In their conceptual paper, also Awrey et al. (2013) debate how to achieve a more ethical culture in the financial service industry. According to them, especially process-oriented regulation "backed by a credible threat of both public enforcement and reputational sanctions" (Awrey et al., 2013, p. 191) can help to establish a more ethical organizational culture in banks by reshaping individual ethical choices. Thus, they argue for stronger regulation and societal sanctioning via reputational losses in case of unethical behavior. Complementary to this discussion, Fichter (2018) elaborates on how ethical issues are solved in the daily decision processes within the financial industry and provides several suggestions for how financial institutions can translate formal ethical standards into decision making practice. The author stresses challenging authority, creating opportunities for discourse, valuing positive emotion or making time for reflection. Overall, this literature stresses the link between prudent risk raking, (risk) culture and ethical decision making. Thus, for a risk culture to be effective in terms of the overall financial system and to help to prevent systemic collapses, it must be embedded in an overarching cultural context of the bank that follows clear ethical standards.
Another component of cultural controls is the organizational handling of failure. In this context, Gendron et al. (2016) add to the discussion a perspective on stabilizing processes, which restore risk management credibility after failures and thereby inhibit a fundamental change in approaching risk management in banks. The authors find that failure of risk management is attributed to external factors like implementation failures rather than to failures within the core ideas behind the implemented instruments. Thus, a particular culture of handling failure can affect or inhibit the development of risk culture, in terms of how to manage risks reasonably, into an appropriate direction.
Other scholars focus more on the antecedents and components of risk culture. They particularly discuss the relation between values, norms and risk culture. Lo (2016) mention different sources of such values. They can be derived top-down (through leadership and authority) and bottom-up (merging form individual behavior) and they are influenced by incentives and environmental factors. By applying Schein's model of organizational culture Kane (2016) identifies particular norms in financial institutions and central banks, which foster destructive risk taking. The author argues for a fundamental change of norms within this industry, as the implementation of mechanisms just to constrain the resulting behavior will not effectively mitigate it. In line with this argumentation, Cohn et al. (2017) expected that professional norms in the financial industry in combination with the salience of the staff's professional identity foster risk taking. However, in an experimental setting with 128 employees of a large, international bank they find evidence that participants took fewer risks. The authors conclude that their results "contradict the conventional thinking that the professional norms in the banking industry make the employees in that industry less risk averse" (Cohn et al., 2017, p. 3803). However, this finding has to be put in a broader perspective. The identification of an adequate risk culture for a particular bank does not mean that the bank has to become risk averse, but instead the risk culture has to fit to the bank's business model and to induce in this sense prudent risk taking. In this context, further findings by Cohn et al. (2014) are more informative, as the authors find evidence, that the salience of bankers' professional identity fosters their dishonest behavior, which points to a fundamental problem when establishing an adequate risk culture, as according to the previous discussion such a culture depends on transparent, responsible and honest behavior.
Further scholars consider different manifestations of risk culture to be the condensate of the mentioned values and norms: In order to analyze, whether the growing and in literature criticized focus on quantitative risk management is inevitable, Mikes (2009) discusses two different risk cultures. Mikes (2011) further elaborates on these different manifestations and investigates the perspectives on risk measurement within two case studies and 53 further interviews with risk management staff in the period of 2001 to 2010. Some organizations have a culture of quantitative enthusiasm, i.e. they believe in the power of risk measurement, while others follow a culture of quantitative skepticism, which results in risk envisionment by providing alternative future scenarios. The two cultures lead to different behavior of risk officers and their boundary work. A culture of quantitative enthusiasm fosters risk control through the implementation of measurement instruments and the emphasis of independent and scientific risk control. In contrast, in a culture of calculative skepticism, "controllers in this camp lacked the analytical mystique wielded by those with quantitative enthusiasm and they appeared to have deliberately left the boundaries between themselves and the rest of the organization blurred and porous in order to influence decision makers in the business lines" (Mikes, 2011, p. 241). Lim et al. (2017) add to this further evidence. Based on qualitative data, they argue that banks are confronted with "a core paradox of market versus regulatory demands and an accompanying variety of performance, learning and belonging paradoxes" (Lim et al., 2017, p. 75), which are so far resolved by inappropriate measures, as a power imbalance between front and back office remains. The authors suggest that this problem only can be resolved if risk management is less defined by normative, standard based rules but considers a behavioral dimension. Thus, they argue for a shift from quantitative enthusiasm to quantitative skepticism. Stulz (2015) also contrasts a behavioral perspective with a statistical, calculative orientation in risk management. The author states that "it's important to keep in mind that companies in the financial industry differ considerably from non-financial firms in the extent to which employees are empowered to make decisions that affect risk" (Stulz, 2015, p. 16) and stresses adequate risk culture as a way to increase flexibility which is mitigated by statistical risk management. Based on the notion that the application of quantitative models increases the perception of decreasing uncertainty and increasing manageability of risk, LaBriola (2019) analyzes a possible positive relation between the relative level (1) of securities and (2) of trading securities and levels of leverage. The data (bank-years for large U.S. commercial banks over the period of 1996 to 2016) supports the second hypothesis, whereas it does not lend any support to the first one. However, the support of the second hypothesis does not indicate that actually the application of quantitative models as such results in imprudent risk taking, as the author does not test this relation. Yet, the results point to a possible relation, which again favors calculative skepticism over quantitative enthusiasm. Based on the Competing Value Framework, which comprises the four corporate culture dimensions compete, create, control and collaborate (cf. Sect. 4.1) developed by Quinn and Rohrbaugh (1983), Nguyen et al. (2019) add to these results by differentiating two foci of risk culture: compete and create cultures are related to a growth focus, while collaborate and control cultures pertain a safety focus. The authors find that banks following the earlier focus incur greater loan losses than banks applying the later focus. In sum, besides categorizing risk culture into different categories the mentioned authors also evaluate the identified types. Risk cultures stressing on collaboration, trust, solidarity and a healthy critical distance to mathematical risk management approaches seem to be favored over competitive, aggressive and quantitatively enthusiastic cultures, as the former result in more resilient banks.
Additionally, scholars find evidence that the conceptualization of an adequate risk culture might vary between organizational units within one single bank depending on the units' tasks: Based on semi-structured interviews Wahlström (2009) finds differences with respect to the acceptance of the approaches of risk measurement by Basel II between the operational staff and staff working with risk measurement. The author explains this observation with differences in the frames of reference, which can be interpreted as parts of the risk culture prevailing within each unit. While such differences can result in conflicts, Bruce (2014) provides evidence that different perspectives on risk culture within one bank also can be advantageous. The author presents four worldviews, which can be interpreted as antecedents of risk culture and which result from a combination between grid and group: Grid refers to the extent to which the social context expects people to behave in a particular way dependent on their role, i.e. the military is a high grid-context, as the hierarchical position clearly determines how a person can act. In contrast, "[g]roup measures both how strongly an individual associates with the organization or collective, and how strongly the organization or collective exerts influence over the individual" (Bruce, 2014, p. 552). Each dimension can have two levels (high and low). Therefore, the combination of the dimensions results in four worldviews, which in turn guide human behavior differently and, thus, also the interpretation of the reasons behind the recent financial crisis. Based on this analysis, the author argues that diversity and the joint incorporation of different worldviews can improve risk management. Consequently, the implementation of an adequate risk culture that fits the selected business model also comprises the acceptance of different worldviews.
National culture constitutes another source of norm-based influence. It forms part of cultural controls, but it is less changeable by firms as such. It rather constitutes a pre-set condition, in which other cultural controls are embedded. Scholars actually find evidence that it exerts an important impact on banks' risk taking.  2019) as well observe this relation, but not for globally operating banks. In contrast, in a global sample of 467 commercial listed banks from 56 countries, Illiashenko and Laidroo (2020) find evidence of a negative relation between individualism and banks' risk taking. The authors explain this observation by the cushioning hypothesis, i.e. decision makers in collectivist cultures receive more support if they make a mistake and are therefore more willing to take risks. Kanagaretnam et al. (2019) add to these observations evidence of a relation between societal trust and banks' risk taking: Banks located in high-trust countries exhibit lower levels of risk taking than banks located in lowtrust countries. The authors further provide first evidence that this attenuating effect is channeled via greater accounting transparency, higher scores in social CSR and lower CEO equity incentive compensation, i.e. in the study societal trust is related to these aspects in the mentioned direction and they attenuate imprudent risk taking. In sum, these results suggest that the basic attitudes towards risk behavior within a national culture have an important impact on banks' risk taking and thus supplement and influence the risk culture of a particular bank.
Finally, also different stakeholders can exert an impact on risk culture, because they can have more or less influence depending on their position of power by communicating corresponding expectations and setting certain regulatory standards. Also in this context only some scholars explicitly discuss risk culture, while others rather provide indirect insights with respect to risk culture, as they focus on risk taking. However, as risk taking also is an expression of the prevailing risk culture and the investigated stakeholders have the power to set norms and values and thereby to transport their worldview into the banks and to influence the manifestation of cultural controls, we consider also this part of literature as insightful for the present topic. Several scholars focus on the impact of regulators on risk culture as particularly powerful stakeholders (Cohen, 2015;Mongiardino & Plath, 2010;Rattaggi, 2017;Walter & Narring, 2020). For example, Schnatterly et al. (2019) investigate the implications of the selection of one of three possible regulators by the initial board of directors within new U.S. banks for the banks' future risk taking. Their results point to a joint effect of board independence and the selected regulator on the banks' risk. The analysis is based on a sample of 140 new banks from the population of 1,367 U.S. banks chartered between 1992 and 1998. Carretta et al. (2017) observe differences between national supervisors' conceptualization of risk culture as well as their substantial distance to the ECB's risk culture in the period of 1999 to 2012. These differences complicate the development of an adequate risk culture within European banks, particularly the ones that operate internationally, because they are confronted with different requirements. Sinha and Arena (2018) investigate the viewpoints of regulators as well as normalizers, consultants, and implementers on risk culture. Their sample consists of 20 interviews and 295 documents. They find two distinct interpretations. While the first interpretation concentrates on the control of risk culture via verification, the second interpretation focuses on the control of risk culture through internal audits and the empowerment of employees through training. Regulators and implementers promote the first interpretation, while consultants and normalizers foster the second one. In order to fully satisfy the different stakeholders' demands, banks have to set up a process, which discloses these viewpoints and integrates them into a comprehensive approach related to the management of risk culture.
Bank founders and owners constitute another important group of stakeholders which exerts an impact on banks' risk culture. Almandoz (2014) finds that bank founders' institutional logic influences those banks' risk taking, at least in banks with larger founder teams. Based on archival data from 225 local banks founded between 2006 and 2009 and interviews with 73 bank founders, he observes that banks, whose founder team adheres to a financial logic, define the bank as an investment and profit-maximization vehicle and increasingly use risky deposit instruments. In contrast, the dominance of a community logic stresses the relevance of the bank to meet community needs and leads to a lower utilization of such instruments. According to Saunders et al. (1990) stockholder held banks exhibit a higher level of risk taking than managerial controlled banks. Sullivan and Spong (2007) observe that hired managers' stock ownership increases risk taking. Kwan (2004) finds moderate evidence of a lower level of risk taking in publicly held banks than in private owned banks. Iannotta et al. (2007) as well find differences regarding risk taking across banks with different ownership structures. The findings in a sample of European banks by Barry et al. (2011) indicate that difference in risk taking induced by different owners rather occurs in privately owned banks than in publicly held banks. Additionally, applying a panel of commercial banks from 17 European countries containing 1,237 banks with ownership information within the period of 1998 to 2011 Barry et al. (2019) observe an effect of the acquirer type on the level of risk (and profitability). Institutional investors, the state or non-financial companies lead to increasing risk, while profitability remains the same. In contrast, banks and families as acquirer have no significant effect on risk.

Risk culture and action controls
There is very little literature on the link between risk culture and action controls. Apart from the literature discussed in Sect. 4.2.1, which, among other aspects, mentions the importance of supervision and accountability, we identified one article, which deals indepth with one particular aspect related to action controls. Again, this article discusses the effect on risk taking and thus only indirectly provides evidence regarding risk culture.
In a conceptual paper applying the theoretical lens of principal-agent theory, i.e. aspects like moral hazard, conflict of interest and adverse selection, Roy (2008) investigates the impact of different organizational structures (functional versus divisional hierarchy) on banks' risk taking. According to the author, functional hierarchy inhibits the application of soft information and the transfer of information in time to the relevant place within the organization, which for example can mitigate the proper examination of a loan. In contrast, divisional hierarchies foster the individualization of risk choices without considering the whole risk portfolio of the bank. However, the author concludes that after considering the pros and cons of both structures, the divisional structure is superior to the functional one in terms of fostering an adequate risk taking behavior. As previously mentioned, this paper does not deal explicitly with risk culture. However, it provides evidence of how organizational structure can shape risk taking. Through this framing process, organizational structure on the one hand can inhibit or foster risk taking which is in line with a particular risk culture, and thereby influence risk culture's impact. On the other hand, it also can shape risk culture as such as it fosters the acceptance of particular risk taking as inevitable (within the given structures), which is translated into organizational believes about how risk taking should take place.

Risk culture and results controls
A very broad stream of literature discusses incentive systems, i.e. results controls, as they focus decision makers' attention towards certain aspects and thereby directly influence their risk taking. Thus, many scholars in this context rather discuss risk taking than risk culture. However, we also consider this literature as valuable for the present research focus because it illustrates, how certain incentive systems as manifestation of a particular risk culture can induce certain risk taking. Thereby they can further stabilize this risk taking behavior and strengthen underlying norms related to risk behavior, i.e. risk culture. The identified literature discusses aspects both on the top and on the operational level. Moreover, scholars apply both mathematical and empirical methodologies in this research field.
Two articles provide evidence regarding normative results with respect to variable compensation at the top-management level. They mathematically analyze possibilities to influence the way of how decision makers evaluate and take risks and to curb a culture of excessive risk taking by aligning investor interests and executive interests via compensation. By applying a principal agent-based methodology, John et al. (2000) explore the possibility to influence bank risk taking through the incorporation of incentive features of top-management compensation in the FDIC (Federal Deposit Insurance Corporation) insurance premium scheme. Such schemes should induce bank owners to design optimal incentive schemes for top managers. Additionally, based on the results of their principal agent-model, Bolton et al. (2015) suggest to mitigate excessive risk taking by relating compensation to stock prices and credit default swaps.
However, while the previously mentioned research based on mathematical modelling identifies a positive relation between the alignment of investors' and top managers' interests via variable compensation components, empirical evidence and conceptual discussion is somewhat contrary. Zalewska (2016, p. 331) questions the suitability of transferring insights from literature on principal-agent conflicts in general, as "in the case of the banking sector, remuneration may be a source of type III agency conflict, i.e., the conflict between shareholders and other stakeholders, and as such cannot be left in the hands of shareholders or even financial institution-related stakeholders (e.g., employees)". Thus, the author argues that regulators should also be actively involved in setting the remuneration to achieve a comprehensive approach in regulation and to calibrate incentives in a way that fits to the desired risk level and thereby fosters an adequate risk culture. Accordingly, Fahlenbrach and Stulz (2011) find, based on a sample of 95 banks extracted from Standard and Poor's Execucomp database, no evidence that a better alignment of CEOs' compensation with shareholders' interests leads to a better performance of banks during the last crisis. They rather argue that banks following this path even might have performed worse with respect to stock returns and accounting return on equity. Thus, their findings do not indicate any positive impact of compensation schemes related to investor interests on prudent risk taking leading to superior performance. Bebchuk et al. (2010)  In sum, this stream of literature stresses negative effects of particularly optionbased and other variable incentives on prudent risk taking. These incentive systems foster a culture of excessive risk taking, which is detrimental to the banks' performance and thus does not fit to any viable business model, be it rather risk averse or risk seeking. Thus, they transport a kind of risk culture into the banks which is detrimental and not in the sense of regulation which attaches great importance to minimizing unnecessary risks (e.g., FSB, 2014).
Yet, Iqbal and Vähämaa (2019) find ambiguous evidence for a clear relation between incentive systems and banks' systemic risk. Data obtained from 71 large U.S. financial institutions on CEO and CFO compensation over the period of 2005 to 2010 with 332 firm-year observations points to a negative relation between systemic risk and the sensitivities of CEO and CFO compensation to stock return volatility. In contrast, the data also provides evidence that "financial institutions with greater managerial risk-taking incentives were associated with significantly higher levels of systemic risk during the peak of the financial crisis in 2008" (Iqbal & Vähämaa, 2019, p. 1229. Acrey et al. (2011) as well do not find a clear indication for detrimental effects of options and bonuses. In their study, based on a sample of the largest U.S. banks in the period of 2004 to 2008 (dependent on the analysis the sample size varies between 35 and 85), these compensation components are either insignificantly related to risk variables or exhibit a negative correlation with them. Moreover, Houston and James (1995) do not find evidence that compensation is structured in a way that fosters more risk taking in banks than in other industries within a sample from 1980 to 1990. Applying a sample of bank-years for large U.S. commercial banks over the period of 1996 to 2016 LaBriola (2019) tests the relation between the sensitivity of compensation of CEOs to gains in the bank's stock price and levels of leverage but does not find any significant effect. Moreover, Guo et al. (2015) observe a positive relation between short-and long-term variable compensation components and particular risk measures, i.e. a positive relation between these incentives and risk taking, but also a negative relation between the proportion of variable incentives and the likelihood of a bank to fail (data was taken form 134 bank holding companies during the period of 1992 to 2008). According to Cheng et al. (2015) variable pay does not lead to increased risk taking but high-risk jobs, like activities in the banking sector, require firms to provide employees with high-powered, variable payment to recruit suitable staff: "Career rewards for working at high-risk firms are turbulent, and so risk and pay are correlated not because pay causes risk but because risk-averse managers require pay to keep them working at firms with higher risk. According to this view, the management teams of Bear Stearns, Lehman Brothers, Countrywide, and AIG were paid more than management at other firms as the strategies demanded by shareholders were fundamentally riskier" (Cheng et al., 2015, p. 842).
This stream of research puts the previously mentioned findings into a broader perspective and points to the important differentiation between risk taking as such and risk culture. Although, particular kinds of incentive systems induce a higher propensity to take risks, this risk seeking behavior might not be detrimental in all instances. An adequate risk culture does not necessarily have to be risk-averse. It only has to match the level of risk that a bank wants to and, above all, can hold (e.g., FSB, 2014). Consequently, regulators' increased focus on adequate incentives after the last financial crisis seems to be warranted, but the relation between compensation and risk behavior on the higher organizational levels is more complex than expected, as the following discussion also shows.
Several articles provide evidence that the relation between incentives and risk taking is further affected by various factors. Based on a principal-agent model Kolm et al. (2016) derive a complex relation between regulation, CEO compensation and active boards. According to their model in the presence of active boards "[c] ompensation regulation prevents overinvestment in strategies that increase risk, but it is ineffective in preventing underinvestment in strategies that reduce risk" (Kolm et al., 2016(Kolm et al., , p. 1901. Consequently, these results indicate that regulation targeting risk taking by regulating compensation only has limited effect. Cerasi and Oliviero (2015) further qualify these results. Based on a mathematical model which is tested with an empirical sample of 116 banks (data taken in the period of 2007 to 2008), they find that "greater sensitivity of CEOs' equity portfolios to stock prices and volatility is associated with poorer performance and greater risk at the banks where shareholder control is weaker and in countries with explicit deposit insurance" (Cerasi & Oliviero, 2015, p. 242). Consequently, the detrimental impact of particular compensation components on risk taking is affected by further situational factors. Accordingly, it can also be assumed that the strength with which incentive systems transport a certain risk culture into a bank and stabilize it is also affected by such factors. This conclusion is further corroborated by Bannier et al. (2013). By applying a principal-agent framework they find a positive relation between banks' competition for talent, their incentives to offer bonuses and risk taking. The mathematical model by Thanassoulis (2012) leads to similar observations. Consequently, limited human resources can result in excess risk taking via compensation structures that are implemented to recruit the most talented staff. This result points to external impact factors on the design of incentive systems which could counteract the intended manifestation of risk culture, because the structure of these incentives makes a certain risk behavior appear desirable even though it deviates from a risk behavior that is appropriate for the bank's business model and thus runs counter to an adequate risk culture. It also reveals that banks can get under strong tension while they try to cope simultaneously with regulatory and market requirements.
Further articles deal with the impact of variable compensation on the behavior of staff on the lower levels. Berger et al. (2016) show different effects of lower-level and higher-level managers' shareholdings on risk taking based on a sample of 85 U.S.-based and held failed commercial banks and a control sample of 256 U.S.based and held non-failed commercial banks (both over the period of the first quarter of 2007 to the third quarter of 2010). In case of non-CEO executives and lower level managers, high shareholdings are related to higher failure risk, while CEOs' high shareholdings are not related to failure risk. Consequently, the former seems to be induced to take higher risk by their high stakes, while the latter are not. On the other hand, based on experimental evidence with commercial bank loan officers Cole et al. (2015) find that high-powered incentives foster screening effort and profitable lending decisions, while deferred compensation and limited liability mute this effect. These results point to the importance of a strong and timely relation between incentives and job-performance for staff engaged into the operational activities. In contrast, by applying a lab-in-the-field experiment with 269 finance professionals, Sheedy et al. (2019) find evidence that fixed compensation (as compared to variable compensation) and risk-focused (as compared to profit-focused) work culture increase the proportion of people exhibiting risk compliance. Overall, this research exhibits partly different effects of variable compensation on different organizational levels. Moreover, findings are ambiguous, e.g., Sheedy et al. (2019) observe results in favor of fixed compensation on the operational level, while Cole et al.'s (2015) findings point to a superiority of high-powered incentives. Both studies refer to different activities on the operation level, which might explain the different outcomes. However, these ambiguous observations indicate that the call for a change of compensation schemes and the reduction of variable pay to implement an adequate risk culture and thereby more prudent risk taking in banks also on the operational level only is partly warranted.

3
Banks' risk culture and management control systems: A systematic… Finally, one empirical paper is rather descriptive: Based on a sample of regional U.S. bank CEOs between the years of 2007 and 2012, Handorf (2015) investigates the changes made by banks to compensation after the recent financial crisis. The author finds that banks have changed their compensation structures and now reward high capitalization and low-risk loan portfolios. Consequently, banks have reacted to the changing requirements and adapt their compensation schemes accordingly. The focus here is on steering incentives in the direction of risk-averse behavior, which also fosters a risk culture comprising risk-averse norms.

Risk culture and personnel controls
Articles considering the relation between risk culture and personnel controls provide particularly evidence regarding the impact of CEOs' traits on risk taking. Thus, again this research stream does not directly focus on risk culture. However, as risk culture constitutes norms, values and general believes about appropriate risk handling condensed from the individual believes and perceptions, this literature can be considered as valuable to understand the development of risk culture. This is all the more true as CEOs, due to their prominent position in companies, have a particular influence on the establishment of certain behavioral norms and thus also on risk culture, which is also stressed by the emphasis on the tone from the top in the context of risk culture (FSB, 2014). Consequently, the application of personnel controls, specifically the recruitment of CEOs with particular characteristics, can significantly affect risk culture. Bushman et al. (2018) investigate the impact of CEO's materialism, measured via a revealed preferences approach, on, among other things, banks' risk taking, and find a positive relation with risk taking and a weaker risk management. Their sample consisted of 284 firms and 445 CEOs in the period of 1992 to 2013. Based on a sample of 92 CEOs and data from 2006 to 2014, Buyl et al. (2019) investigate the relation between CEO narcissism, banks' risk taking and their resilience to environmental conditions. The authors identify a positive relation between pre-crisis CEO narcissism and risk taking. This effect is fostered by stock options and mitigated by strong boards, i.e. boards including knowledgeable external directors.
A gender-effect can also be observed in the literature: Results by Palvia et al. (2015) indicate more conservative levels of capital in commercial banks with female CEOs, where the sample contains 6,729 commercial banks and an unbalanced panel of 22,978 bank-year observations in the period of 2007 to 2010. Holland (2010) identifies missing knowledge regarding risks and value drivers as important factor determining the extent of individual bank failure during the financial crisis of 2007/2008. Similarly, in the context of the last financial crisis, Holland (2019) identifies a knowledge gap between analysts and shareholders on the one hand and bank managers on the other hand and the problems to communicate the relevant knowledge as reason that the former expected more return than possible with reasonable activities. This asymmetrical distribution of knowledge was exploited by certain insiders in the bank to create structures that benefited them but passed on possible losses to others. While some banks established high risk cultures, others tried to keep with their more conservative activities, but had increasingly problems to do so.
By applying a questionnaire filled out by 151 U.S. community banks, Eastburn and Sharland (2017) investigate why banks fail to recognize risk in a timely manner. In detail, they analyze the antecedents of risk tolerance in terms of behavioral traits and regulatory and performance criteria, the effect of risk tolerance on risk propensity, the joint effect of risk tolerance and propensity on risk practice and the relation between risk practice and performance. Their findings indicate the importance to consider a joint effect of external factors and behavioral aspects to establish a risk culture that fits to the selected business model.

Development of banks' risk culture over time
Power (2009) focusses on the general direction that a recalibration of risk culture should take. Based on a conceptual discussion, he criticizes the concept of risk appetite as inadequate to understand and to develop a proper risk management within banks. According to this author, the concept of risk appetite is based on a view that conceptualizes banks as machines that can be controlled by defining one adequate amount of risk to take. In contrast, he suggests focusing rather on human behavior than on capital to establish an effective risk management in the future. This suggestion also affects the perspective on risk culture. The FSB (2014, p. 1) stresses the importance that "institution's risk culture supports adherence to the board-approved risk appetite". If the concept of risk appetite is considered as inappropriate, the development of an adequate risk culture needs another anchor to be assessable as adequate.
Other scholars investigate particular recalibration processes. Palermo et al. (2017) analyze, by applying a qualitative research methodology in the UK financial sector, the reconsideration of risk culture within financial institutions after the last financial crisis as a way to cope with organizational complexity. They conceptualize this recalibration processes as an answer to the pressure to redefine the ends of financial institutions. Further, this redefinition of ends leads to uncertainty and conflict about the means how to achieve theses ends. The paper demonstrates that the implementation of a reasonable risk culture is a complex process that contains reconstruction processes of different actors, which are difficult to manage. This discussion can be further related to the findings by McConnell (2014). The author investigates two cases, Deutsche Bank and Barclays, with respect to their strategic changes announced in 2012, which also encompass new ways of dealing with strategic risks. The author identifies two different approaches in dealing with these recalibration processes and their outcomes, i.e. although confronted with the same external requirements, the analyzed financial institutions have chosen very different ways to cope with them.
Two articles add more detailed evidence of how recalibration best can be achieved. Cox and Soobiah (2018) analyze the different outcomes of cultural changes in UK banks initiated and managed either top down or bottom up. Based on qualitative data derived from 30 semi-structured interviews they conclude that approaches starting on the middle and grassroots level lead to better results than approaches from the organizational top. They argue that these findings are in sharp contrast to regulators' recommendations. Liff and Wahlström (2018) observe different trajectories from how banks initially judge risk management to how their judgement develops over time dependent on their management control systems. Particularly, organizational structure and strategic alignment have an impact on the possibility to integrate risk management ideas into the overall organization.

Broadening the perspective on assessing risk culture
In the following sections, we further elaborate on the identified findings and derive insights for business practice, research, education and regulators. In the present section we concentrate on the need for a broader perspective on assessing risk culture. Section 5.2 is dedicated to the discussion regarding the insights on the relations between risk culture and management controls. Section 5.3 elaborates on consequences drawn from the literature on the possibility to change risk culture and establishing the most appropriate risk culture. In Sect. 5.4 we integrate the major findings into a comprehensive model. To the best of our knowledge this is the first attempt to generate such a comprehensive perspective.
As discussed in Sect. 2, effective management of risk culture requires an appropriate evaluation tool so that decision makers can determine whether the prevailing risk culture is adequate and in line with regulatory requirements. However, care must be taken not to fall into the unreflective use of number-based control systems criticized in the management control literature (e.g., Mikes, 2011;Power, 2009).
The identified literature provides three evaluation approaches, which constitute a starting point for such a management process. However, they are not yet the final solution for the following reasons. First, they are designed to be applied across a broad range of different institutes. Yet, due to its elusive character, the characteristics of risk culture in detail within an individual bank are very specific. Second, regulators do not require developing a particular risk culture, but only an adequate risk culture fitting to the particular business model. Finally, parts of risk management, as asked for in the scale by Sheedy et al. (2017) are also subject to regulatory requirements, i.e. here banks might not have any scope of action.
Banks need assessment tools that take into account the specifics of their business model and clearly differentiate between issues related to risk culture that are subject to clear regulatory requirements and aspects with more scope of action. Thus, the provided tools have to be tailored to the applying bank to better fit its peculiar needs. Moreover, in order to avoid the mentioned unreflective use, banks have to embed the application of such assessment systems into a broader process of regularly reviewing the current risk culture, setting targets to improve it and relating it to other management controls. This is similar to the design, implementation, monitoring, and embedding of performance measurement systems discussed in management control research in general (e.g., Chenhall, 2005;Chenhall et al., 2017;Kaplan & Norton, 1992). For example, a successful implementation of a Balanced Scorecard requires its development from within the company, the adaptation of the basic structure to the business model, e.g., through the introduction of further perspectives, and its embedding in an overall management process.
Additionally, to foster the possibility to assess risk culture, regulators have to strengthen their case regarding risk culture. On the one hand, regulators demand a targeted development of risk culture, but on the other hand, they emphasize its elusive character and the difficulties to evaluate and interpret it (e.g., FSB, 2014). This is of little help to foster banks' understanding of what is expected from them when dealing with risk culture. Without such an understanding, the development of measurement tools is a difficult venture. This holds even more so, as different national supervisors seem to follow different conceptualizations of risk culture (Carretta et al., 2017). One way to clarify the prevailing concept of risk culture is the involvement of regulators in the process of designing instruments to measure risk culture. This involvement in turn fosters their understanding of practical problems when trying to assess and manage risk culture, which in turn can help to improve regulatory guidelines.

Embedding risk culture in a comprehensive set of management controls
Large parts of the identified literature indicate the importance of embedding risk culture into an overarching perspective regarding cultural controls. This perspective comprises aspects like ethical standards (Awrey et al., 2013;Fichter, 2018;Llewellyn, 2014;Minto, 2016), organizational norms regarding the handling of failures (Gendron et al., 2016) and the cultural context in terms of nationality (e.g., Ashraf et al., 2016;Kanagaretnam et al., 2014;Mihet, 2013). While regulators admit the importance of adequately handling failures and conforming to ethical standards in the context of risk culture (e.g., FSB, 2014), the impact of national culture so far does not play an important role in the debate. Yet, as it can exert an impact on the general perspective on risk taking, it also forms the ground for the development of norms regarding adequate risk handling. These norms, if not made explicit, can affect the concrete manifestation of a particular risk culture and mitigate the further development of this risk culture in an undetected manner. Consequently, the relation between banks' risk culture and the cultural context, in which they are embedded, should be taken more into account by regulators.
Furthermore, articles related to cultural controls point both to different perspectives regarding an adequate risk culture across banks but also across departments within banks. For example, Mikes (2011) differentiates a culture of quantitative enthusiasm from a culture of quantitative skepticism, with different views on how to approach the management and the handling of risks adequately. Bruce (2014) points to the positive effect of different worldviews on risk handling within an organization, while Wahlström (2009) identifies potential for conflict, if such different views meet within one organization. These observations emphasize the importance of transparency between different perspectives on how risks are handled in order to develop a common risk culture appropriate to the business model. This underscores the importance of transparency and open communication culture required by prevailing regulations, which promote such disclosure (e.g., FSB, 2014).
So far, only few articles address the relation between action controls and risk culture. In line with regulation (e.g., FSB, 2014), several scholars stress accountability and adequate supervision as important (Cordery, 2007;Drennan, 2004;Drummond, 2002;Jackson, 2015). However, so far the question of how exactly accountability can be achieved and which measures to hold staff accountable for their risk behavior work best to bring an adequate risk culture into an organization is still unanswered. Roy (2008) investigates the impact of functional versus divisional hierarchy on risk taking and thereby points to organizational structure as an important means to support a certain risk culture. The author's discussion provides a starting point for further investigations into this topic.
The area of remuneration is the most mature within the identified literature. Scholars provide a broad range of findings with respect to the impact of compensation schemes on risk taking. As discussed in Sect. 4.3.4 these findings are also related to risk culture, as incentive systems are an expression of the prevailing risk culture on the one hand and stabilize it on the other. Large parts of particularly empirical research are critical with respect to the application of variable, option and stock-based incentives for decision makers on the top-management level (e.g., Chen et al., 2006;Minhat & Abdullah, 2016). Additionally, other compensation components, like severance contracts, are criticized (Brown et al., 2015). Thus, particularly empirical evidence is critical regarding short-term, variable incentives. However, empirical results are not unambiguous. Several scholars did not find detrimental effects of the mentioned components on risk taking or bank failure (e.g., Acrey et al., 2011;Iqbal & Vähämaa, 2019). Other findings indicate rather complex relations between compensation, risk taking and further factors (e.g., Cerasi & Oliviero, 2015). Especially, on the operational level, positive effects of variable incentives on certain tasks can also be observed (Cole et al., 2015). Irrespective of these individual results in detail, incentive systems have increasingly become the focus of regulation following the financial crisis and variable short-term incentives have come under criticism. This debate led to changes in regulation, like the implementation of the "Institutsvergütungsverordnung" in Germany (first version 2010), which provide detailed guidelines to set up feasible incentive systems. Accordingly, the area of results controls can be regarded as well researched and firmly established in the prevailing regulation.
In contrast, only a few scholars investigate the impact of core decision makers' personal traits (as outcome of personnel controls) on banks' risk culture. Findings indicate a detrimental effect of characteristics related to CEOs' "self-preoccupation ", like narcissism and materialism (Bushman et al., 2018;Buyl et al., 2019) on risk taking. As outlined by the upper echelon theory (e.g., Hambrick, 2007), CEOs have the power to significantly shape organizations, and thus also determine organizational norms and values. Therefore, they also should exert a sustainable impact on banks' risk culture. Accordingly, the identified observations in relation to risk taking also point to the development of a risk favoring culture. Regulators have understood these relations and mention the major impact that executives exert on the development of an adequate risk culture by stressing the "tone from the top". However, while in other research areas the impact of particular CEO characteristics are well investigated, e.g. the impact of managerial overconfidence (e.g., Griffin & Varey, 1996;Hirshleifer et al., 2012), with regard to a deeper understanding of the relation between CEO characteristics and risk culture there are still large gaps. For example, further investigations regarding the impact of other traits, like overconfidence, machiavellianism or the big five, on risk culture and analyses of how these characteristics can sustainably shape risk culture promise valuable insights. Additionally, a link between this research stream and research on personality traits in the context of risk taking in general seems warranted. The mentioned research on managerial overconfidence (e.g., Griffin & Varey, 1996;Hirshleifer et al., 2012), but also on escalation of commitment (e.g., Sleesman et al., 2012Sleesman et al., , 2018Staw, 1976Staw, , 1981Staw & Fox, 1977) constitute two very promising candidates for such a link, as they provide rich evidence on impacts of personality traits in the context of risk taking in general.

Changing and establishing the most appropriate risk culture
Several scholars evaluate a risk culture characterized by collaboration, trust, solidarity, and a healthy critical distance to mathematical risk management approaches as more appropriate (e.g., Mikes, 2011;Minto, 2016;Nguyen et al., 2019;Power, 2009). Therefore, this literature argues for a shift in risk culture into this direction, irrespectively of the particular business model, as it mitigates excessive risk taking and unethical behavior, which in turn endangers the business model of any bank. In business practice, this recommendation can be seen as a call to question both the way risks are dealt with and the basic business conduct in order to develop an adequate risk culture embedded in an ethical background. However, as indicated by the literature discussed in Sect. 4.4 changing risk culture depends on the configuration of the other management controls surrounding it. Particularly, the introduction of healthy skepticism regarding mathematical risk management approaches requires a fundamental change in an industry that is guided by mathematical models. Moreover, as illustrated by Gendron et al. (2016), prevailing risk management practices and thus also risk culture as such are stabilized by strong mechanisms, fostered by board members and consultancies, which inhibit a fundamental reflection on the appropriateness of the existing risk culture. Consequently, the required change is difficult to achieve with long-serving employees and business partners from the consulting industry. Yet, it can be enhanced by changes in educating future banks' staff into the desired direction. Accordingly, recommendations made by regulators and the identified literature with regard to the vocational training of bank employees should be extended to junior employees and explicitly include teaching content at universities. Education in management control comprises both a number-driven management accounting-oriented perspective and a broader behavioral-oriented management control perspective (Gooneratne & Hoque, 2013). Insights gained from this multi-perspectivity also can help to enrich the education of future banks' staff. Therefore, a closer link between management control and financial education should be sought. Additionally, as stressed by the findings discussed in Sect. 4.2.2, risk culture does not only vary across banks but also within banks, particularly Wahlström (2009) observes differences between operational staff and risk management staff, i.e. front and back office. Thus, in banks, different tasks are accompanied by a different view on risks. Bruce (2014) adds to this discussion that banks should incorporate different worldviews, as a pluralistic view strengthens risk management and risk culture, and Sinha and Arena (2018) show that different stakeholders also have various perspectives, which need integration. To accomplish this goal instruments are needed that can bridge the gap between these different views and that promote a common goal-setting process with regard to risk orientation. Management control research has put forth instruments that help to promote a common goal formation of differently socialized parties. Target Costing is a prominent example here, which brings together representatives from the fields of marketing, R&D, production, and management accounting and directs them towards a common goal. Similar instruments are needed to foster a common perspective on risk culture within a single bank.
Finally, as already previously mentioned, the identified literature indicates an impact of national culture on banks' risk taking and risk culture. For example, Carretta et al. (2017) find that European supervisory regulators differ regarding their conceptualization of risk culture. However, evidence is ambiguous, i.e. especially individualism seems to either foster (Ashraf et al., 2016;Kanagaretnam et al., 2014) or attenuate risk taking (Illiashenko & Laidroo, 2020). Either way, national culture seems to exert an impact on the conceptualization of an adequate risk culture for a particular business model. This observation underscores the previous statement that banks must resort to individual concepts to establish a suitable risk culture, both in terms of assessment and in terms of the concrete design of the individual management controls to achieve it.

A comprehensive framework
To cease dysfunctional developments with respect to risk culture, scholars stress the importance of embedding risk culture in an overall fitting organizational context (e.g., Bott & Milkau, 2018;Gontarek, 2016;McConnell, 2013;Wood & Lewis, 2018). In order to achieve this goal, literature provides many instruments which can be categorized into one of the discussed management control categories, e.g. ethical standards as part of cultural controls, incentive systems as results controls, training, recruitment, leadership, and communication as personnel controls as well as organizational structure, accountability and supervision as action controls.
This discussion can be related to the frequent call for a more thorough understanding of the combination of different management controls (Bisbe & Otley, 2004;Cardinal et al., 2010;Grabner & Moers, 2013;Mundy, 2010). The identified literature allows drawing conclusions regarding the combined effect of such management controls in relation to risk culture and individual risk taking. To structure this discussion, we follow the categorization in cultural, action, results, and personnel controls (Merchant & Van der Stede, 2017). Moreover, we focus on the main trajectories drawn from the identified literature to elaborate on the most important dependency paths. The resulting model is depicted in Fig. 1. The arrows indicate the assumed direction of influence.
Within the discussed literature beside risk culture six factors are related to cultural controls: Professional norms (e.g., Cohn et al., 2017), national culture (e.g., Illiashenko & Laidroo, 2020;Kanagaretnam et al., 2014), market and regulatory demands (Lim et al., 2017), ethical standards (e.g. Awrey et al., 2013;Fichter, 2018), and organizational norms regarding the handling of failure (Gendron et al., 2016). Professional norms and market demands affect risk taking across all banks similarly, while national culture only exerts the same impact on all banks within a cultural area. Also, regulatory demands can differ, as national regulators have different conceptualizations of risk culture (Carretta et al., 2017). Either way, these factors are externally given. In contrast, banks develop their own norms regarding the handling of failure. Consequently, this aspect can be classified as an internal impact factor which constitutes one further element of cultural controls. Ethical standards comprise both, an external component shaped by the society and an internal component developed within an organization, i.e. partly they are also elements of cultural controls. These components affect the development of a common understanding about adequate and ethically acceptable risk taking, i.e. risk culture. This risk culture affects individual risk taking, i.e. decision makers' decisions which influence the bank's risk level. In turn, these individual decisions and their outcomes form a further basis to develop a common understanding of the risk-taking behavior that is accepted within the bank and thus in turn also affect risk culture as the manifestation of this common understanding, as e.g. indicated by Drennan (2004).
Moreover, based on the previous discussion we posit that risk culture exerts an effect on personnel controls. For example, literature discussing the failure of Barings Bank illustrates how the desired risk culture (high risk -high return) lead to the recruitment of extreme risk takers (Drennan, 2004), which in turn again affected risk culture through their individual decisions. In this context, scholars further discuss the following aspects: First, authors focus on individual characteristics particularly regarding CEOs (Bushman et al., 2018;Buyl et al., 2019;Ganon et al., 2017;Palvia et al., 2015). Second, literature analyzing case studies of banks' failure and dysfunctional risk culture points to the importance of knowledge (e.g., Drummond, 2002;Holland, 2010). Both aspects are closely related to hiring and training. Third, the discussion of failing banks due to excessive risk-taking highlights the detrimental effects of dysfunctional communication structures (Dellaportas et al., 2007), which are related to leadership as another component of personnel controls. McConnell (2013) and Muñiz et al. (2020) also point to the importance of effective communication structures. While external factors exert an indirect effect on individual decisions, outcomes of personnel controls, like personality characteristics (related to hiring), knowledge (related to training) and communication structures (related to leadership) more directly affect individual behavior. Moreover, while external factors affecting cultural controls and thus the establishment of a particular risk culture are very stable and difficult to change, personnel controls, especially hiring and training, can provide the ground for a fundamental recalibration process, as they can be changed from within the bank in a more flexible way. Yet, as indicated by literature, in case of a lack of willingness to change, they also can exert a stabilizing effect on dysfunctional risk culture (e.g., Gendron et al., 2016). For this reason, when seeking to change risk culture, special attention should be paid to the personnel controls, as they can be directly influenced and at the same time have a direct influence on individual behavior, which in turn has a repercussion on risk culture.
As previously mentioned, a very broad literature exists that deals with the impact of various kinds of incentive systems, i.e. results controls. We assume that these incentive systems are an expression of the prevailing risk culture. However, in the course of a self-stabilizing processes, they determine individual risk taking, whose outcomes form the basis to develop a common understanding regarding reasonable risk handling and thus affect risk culture. Accordingly, also results controls not only are affected by risk culture but provide the input to shape risk culture.
Regarding action controls, within the discussed literature three factors can be identified: First, several scholars stress the importance of individual accountability to induce adequate risk taking (Cordery, 2007;Jackson, 2015), i.e. decision makers have to take responsibility for the outcomes of their decisions. If decision makers are accountable for their actions, they will think in more detail about their consequences and weigh up the appropriateness more thoroughly. Thus, accountability is a viable means to induce staff to act in accordance with the banks' risk culture, while a lack of it undermines an alignment of employee behavior with it, i.e. risk culture affects individual risk taking through the implementation of accountability and accountability is an expression of a certain risk culture. Second, many authors in the context of dysfunctional risk culture and bank failure highlight the lack of clear supervision as antecedent of these failures (e.g., Cordery, 2007;Drennan, 2004;Drummond, 2002). Accordingly, like accountability or incentive systems, supervision directs employees' attention towards a risk-taking behavior which is in accordance with the bank's risk culture. Thus, risk culture can influence risk taking through the prevailing supervision processes. Third, Roy (2008) discusses how organizational structure can affect the application of relevant information in daily risk-taking decisions and thereby points to a possible relation between structure, risk taking and risk culture. However, while supervision and accountability with a focus on risk taking are an expression of the prevailing risk culture, organizational structure serves many purposes. Therefore, it is not reasonable to assume a direct effect of risk culture on the selection of the overall organizational structure. We rather posit an effect of structure on individual risk taking, as discussed by Roy (2008), which in turn then can, as outlined for the other aspects, influence risk culture.
This comprehensive overview of the in the identified literature most cited issues related to management control systems illustrates the complex relations between various components and the self-stabilizing effects within this system of effects. In order to effectively develop an adequate risk culture, banks have to elaborate on all components simultaneously, regulators have to become aware of their and the markets' impact on risk culture and all parties have to understand detrimental effects of professional norms. Finally, so far, literature lacks deep insights regarding the exact relations between the identified components, i.e. which components exert which exact impact. Large parts of the findings are gained through single case studies, which do not allow for drawing causal conclusions. Therefore, more research is needed that elaborates on these causal relations.

Conclusion
The present paper provides the results of a systematic literature review focusing on risk culture in banks and their relation to management control systems. The identified articles were structured along three categories, i.e. assessment of risk culture, relation between risk culture and management controls (with the subcategories embeddedness of risk culture in overall management control packages, risk culture and cultural controls, risk culture and action controls, risk culture and results controls, as well as risk culture and personnel controls) and development of banks' risk culture over time. Based on the discussion of insights gained along these categories, we finally derived a comprehensive framework that illustrates the embeddedness of banks' risk culture within a broader set of further management controls and several external factors.
Thereby, we provide a broad overview about extant literature related to banks' risk culture. However, it also suffers from several limitations. First, we focus on research published in peer reviewed journals in English. Consequently, we abstract from research output that is provided in other languages and in other outlets. We decided to apply these selection criteria on the one hand to keep the discussed literature within a manageable range. On the other hand, we focus on this literature, as it can be perceived internationally and thus should have the strongest impact on further research. Nevertheless, an investigation of country-specific debates or publications that are oriented towards practitioners would provide additional valuable insights. Second, risk culture is a soft, partly vague phenomenon with unclear boundaries. Therefore, it is difficult to define clear selection criteria for the relevant literature. For instance, research of overconfidence or escalation of commitment provides valuable insights into psychological and structural determinants of decisions in risky contexts. Thus, also these fields of research -as only two examples of a broad range of literature -deserve further attention in order to understand the relation between individual and structural antecedents of risk culture. Similarly, the particular elements of management control systems are difficult to delimit, i.e. there is no clearcut decision criterion definable that states which elements in the management process are part of a management control system and which are not. This might result in a somewhat arbitrary selection of papers which do not focus explicitly on management control systems. Third, the selection process as such contains choices which results in a limited perspective on the literature, i.e. the chosen databases.
However, despite these limitations, the present literature overview provides a broad perspective on extant research related to risk culture in banks. It summarizes and interprets this literature, synthesizes its findings, shows relations between risk culture and management controls and highlights promising paths for future research.