Measuring the strength of corporate culture

 ‘A firm’s culture emerges in large part from inputs that are its responsibility. It is for firms to ensure that their desired culture is consistent with appropriate conduct outcomes, to identify the drivers of behaviour within the firm and control the risks that these drivers create’. - Andrew Bailey, Chief Executive, FCA

In recent years, and in response to ongoing corporate misconduct, International regulators have been turning up the heat on Boards and Senior Management, assessing their ability to articulate and evidence appropriate corporate culture and conduct management. In doing so, there has been an increased utilisation (By regulators) of qualitative approaches such as:

• Face to face interviews with Board and Executive Committee members.
• Face to face interviews with randomly selected staff from across the organisation
• Confidential focus groups with representatives randomly chosen from across the organisation
• Self-assessment surveys for Board and Executive Committee members.
• Observations of executive committee meetings.
• Organisation wide anonymous online surveys, with the inclusion of free text feedback mechanisms.

Further evidence of similar techniques were observed in the Central Bank of Ireland’s (CBI) report on the Behaviour and Culture of the Irish Retail Banks. Going one step further, the CBI collaborated with the Dutch regulator (De Nederlandsche Bank), employing their expertise and methodology in the assessment of corporate behaviour and culture - and continuing a trend in the use of behavioural sciences in the assessment of corporate culture.

The motivation for employing such techniques may appear obvious. In any case, let us consider the following justification outlined in the report from the Prudential (APRA) Inquiry into the Commonwealth Bank of Australia (CBA):

• Online staff culture assessment: provided the primary source of data about cultural drivers and approach to risk management, allowing observation of behavioural norms that may be preventing effective identification and mitigation of risks, as well as perceptions of staff surrounding various aspects of risk management.
• Board / Executive Committee Self Assessments and Interviews: Observation and measurement of behavioural norms around team dynamics, decision making, leadership styles, conflict management, communication patterns, risk appetite, emotion management and shared beliefs/values.
• Focus Groups: Assessment of behavioural norms with respect to leadership, cross business unit dynamics, issue escalation, culture and values, remuneration structures and risk management.

In my view, the use of these techniques, in conjunction with traditional quantitative methods (Document review, audit report outcomes etc.), currently places the regulators in a much stronger position than most organisations in the assessment of conduct and cultural strength. The proof of this lies in the findings from these reviews, largely and ironically informed by the feedback of internal employees and board members.

I know there may be some that will argue that outputs from the use of these techniques will be made redundant when a Board and/or Management fails to respond to trends or issues. However, for the purposes of this article, let’s assume that most organisations value these qualitative insights and will benefit from their proactive use (As demonstrated in these reviews, the alternative is to wait until the regulator intervenes).

Time for a change (And debate)

In all aspects of culture, compliance with rules is not enough. For culture to be effective, it must adhere to the spirit as well as the letter of regulation – Behaviour & Culture Review of Irish Retail Banks (Pg. 14)

Perhaps it is a harsh reality that the findings from these recent reviews will challenge the effectiveness of traditional risk management approaches when it comes to conduct and culture. The report into CBA notes that there was an over-reliance and focus on financial risk management i.e. quantified risks. Aside from introducing cognitive bias at Board and Management level (As to effectiveness of organisational risk management), the corresponding lack of focus on non-financial risks (Operational, conduct etc.) compromised effective oversight and the making of informed decisions, resulting in a litany of misconduct issues.

There are also views regard the complexity involved in measuring risk for conduct and culture. I would agree, if continuing to restrict consideration to predominantly lag indicating quantitative methods. In my view, this rigid thinking will continue to overlook the silent evidence, behavioural norms, emerging conduct risks and cultural hotspots. And in my experience, these elements have always been under-represented in risk reporting. However, when the regulator comes knocking, how will organisations evidence the strength of key cultural drivers such as tone to and from the top, speak up effectiveness, communication strength, accountability, cognitive biases etc/?

Whilst the CBA review is unique in many ways (Although I could easily be referring to VW, Wells Fargo, Oxfam, FIFA etc.), the techniques employed by the regulator were able to hone in on key cultural and conduct drivers. Here are some examples from the report:

• Tone from the top: While staff generally agreed with the statement ‘leaders at all levels of this organisation communicate consistent risk-related messages,’ far fewer agreed with the statements ‘I believe senior leaders in this organisation mean what they say’ or ‘senior leaders in this organisation set an example of how to do things the right way.’
• Accountability: Weak accountability was also identified through the staff survey and emerged as a theme in interviews of leaders, with common responses such as ‘if you ask what accountability means you get different answers.’
• Collective accountability: There was relatively low agreement with the statement ‘people in this organisation communicate a lot with others outside their business unit in order to make better decisions.’ One respondent said: Each BU seems to look after their own department, instead of the whole organisation. If any risk doesn't directly impact their BU, very little will be done.
• Defensiveness to challenge: A relatively high numbers of staff agreed with the statement ‘in my experience, people in this organisation often get defensive when their views are challenged by colleagues.’ The survey results on this question had the starkest contrast to CBA’s internal survey results for a similar question.
• Speaking Up: The staff survey conducted for the Inquiry asked staff to respond to the following: ‘If I reported misconduct or other risk issues through a confidential channel, I am confident I would be protected’. The degree of confidence with this comment declined in proportion to the seniority of the staff responding. Some 95 per cent of those at EGM level agreed with the comment, declining to 68 per cent of middle management.
• Performance: Reward & Consequence: More than 90 per cent of surveyed staff agreed with the statement ‘My performance objectives encourage me to manage risk effectively’, only around half agreed with the statement ‘People in this organisation are penalised if they take unacceptable risks, even if their actions end up making a sale or saving the organisation money’.
• Decision making and outcome focus: A significant proportion of respondents agreed with the statement: ‘people are a lot more focused on risk management processes than outcomes in this organisation.’ Comments included, ‘there is a tick box approach rather than one of understanding the true broader risks’ and ‘we don’t empower bankers to utilise their risk judgment to ultimately achieve the best risk outcomes.
• Risk Management Effectiveness: Relatively few people agreed with the statement ‘within this organisation, staff in the risk and compliance functions have equal influence to those in other areas of the business.’ In some areas, the risk function was perceived more as an inhibitor than a necessary partner. A relatively high numbers of staff also agreed with the statements, ‘The time required to complete many risk-related processes exceeds the value they add.’

For the record, I am not suggesting we throw the baby out with the bathwater. As a risk manager, I am only too aware of the importance of quantitative methods in informing sound risk decision making and oversight.

However, when it comes to culture and conduct, integrating qualitative techniques is critical. Without them, organisations will continue to be blind to potential cultural hotspots and open to regulatory challenge. The irony is, that if organisations were to fully embrace these techniques in a consistent and sustainable fashion, meaningful data will inevitably become available to inform potential emerging risks, evidence of positive cultural norms and opportunities for further training, education or clarity.

 The mirror effect

Desired cultural norms require constant reinforcement, both in words and in deeds. Statements of values are important in setting expectations, but their impact is sotto voce- CBA Panel Inquiry Report (Section C, Pg. 81)

I believe the regulators have paved the way for organisations to enhance the qualitative oversight of corporate culture (Not to mention their expectation that organisations will employ similar methods as evidence if requested). Mirroring these techniques also means having the courage to hold the mirror up to ourselves. Extending beyond the foundations of the regulations, organisational best practice would include the following:

• Training for staff on cognitive biases: Regulatory reviews have identified biases in organisations such as group think, over-confidence, halo effect etc. Knowledge of cognitive biases can promote self-awareness, increase challenge at key decision points and align to regulator expectations. I view this as a must for all risk and compliance professionals.
• Introduce ongoing risk culture assessments: no, we are not talking about staff engagement here. The focus is on understanding the health of risk culture across different levels of the organisation. Use free text options to capture additional (And more honest) staff feedback.
• Introduce individual cultural assessments: this is a self-assessment for staff to measure their own views against key cultural factors such as being customer centred, speaking up, treating others fairly etc. A corresponding assessment can be performed by the line manager, with the combination used as part of ongoing performance management. If applied organisation wide, it can provides an additional collective view on cultural health.
• Monitoring / Audit / Assurance functions: introduce a version of risk culture assessment to compliment assurance reviews. This could apply at a business unit or function level and help assurance professionals to assess relevant staff views as to health of the risk culture within their functions. The outputs of this can feed be into one to one interviews, identify any biases of cultural hotspots and act as a compliment/contrast to traditional quantitative components e.g. review samples, document review etc.
• Board and Executive Committees: introduce self and collective assessments of Board and Executive Committee performance e.g. behavioural norms, decision making, cognitive biases etc.
• Focus Groups & Interviews: Board members and Executives should implement the use focus groups as a means of ongoing feedback into key cultural drivers from representative across the organisation e.g. speak up effectiveness, conflicts of interest management, accountability, tone from the top etc.

In implementing any of these methods, anonymity and independent oversight will be key to success. These elements encourage more open and honest feedback, reducing the potential for bias and delivering a more balanced approach. This was reinforced in a speech by Sylvia Cronin, Director of Insurance Supervision at CBI, who stated:

We encourage those that have started on the culture journey to keep going and undertaking staff surveys is a positive first step. Ensure that your surveys are anonymous, in order for them to be more meaningful and we would encourage you to assess risk culture as well as organisation and compliance culture.

Final thoughts

I will finish as I started. Regulators will continue to apply pressure to Boards and Senior Management. Tolerance for lax or ineffective oversight of culture and conduct is zero. However, in my view, the regulators approach provides a foundation for organisations to apply a more robust (And qualitative) assessment / management of culture and conduct. The question remains: do you wait for the regulator to expose shortcomings OR do you proactively integrate the use of these techniques? I know what the regulator will be expecting.

________________________________________________________________________

As an independent consultant, I work with organisations to review existing conduct / culture frameworks, propose alternative methodologies and collaborate to tailor solutions to meet organisational objectives. If you would like to discuss this or any other of my services (Refer to my profile) please message me or call on + 353 083 817 8715.