Compliance, Culture and Compliance Culture
In his 2017 address to the AICD Directors Forum, Commissioner John Price described culture as “a set of shared values or assumptions .. the mindset of an organisation.” He then doubled down to describe ‘risk culture’ as “the norms of behaviour that determine how an organisation identifies, understands, discusses and acts on risks.”
It’s a reasonable definition if one ignores the reality that organisational culture is not monolithic; most large institutions are collections of disparate and disconnected cultures. Unfortunately, the Royal Commission has highlighted that the ‘mindset’ of most licensees demonstrates faulty perception, inappropriate actions, delusion and mental fragmentation.
Although ASIC’s definition assumes “shared values and assumptions”, the reality is that for most institutional licensees, conflicts, associations and commercial imperatives prevent the emergence of a dominant, consistent and ethical corporate mindset. In my view, the critical role of the Royal Commission is to expose the consequences of this ‘cultural schizophrenia’ and propose treatments more likely to ensure fairness, transparency and accountability.
Culture: Whatever made me do it anyway?
One significant problem with ASIC’s focus on ‘culture’ rather than ‘agency’, is that it excuses, legitimises and rationalises individuals’ conduct, and undermines the idea of personal accountability. It seems perverse that, as the advice industry stumbles towards professionalism, ASIC continues to emphasise ‘Culture’ over ‘Choices’.
Despite their belated focus on personal accountability, ASIC in this respect are particularly inconsistent. Their public recognition of the importance of culture, of ‘tone from the top’ and communication, seems to be conveniently ignored in their administrative action against advisers.
As recent examples demonstrate, while ASIC accept that ‘culture’ can explain and excuse licensee and management failures, they insist that individual advisers are, and always will be, personally responsible for their own conduct.
Another key problem with ‘Culture’ is that it’s notoriously difficult to identify, measure or assess (except retrospectively). While ‘cultural failures’ can be readily identified in the wake of failures, few organisations have the perspective, insight and incentive to identify them before it’s too late. Frydenberg’s recent criticism of past and multiple failures of the Australian Securities and Investments Commission, suggests cultural problems within ASIC that even ASIC, with all their expertise on ‘corporate culture’, were not able to identify or address.
For the record, neither were APRA.
Why culture matters
ASIC consider that culture “is a key driver of conduct”. They also suggest that “poor culture often leads to poor outcomes for investors and consumers”.
It’s a logical argument but I’d suggest that there are more proximate drivers of conduct. I’d also suggest that concept of ‘poor culture’ is so vague, ill-defined and imprecise that it has limited utility. You could substitute ‘innumeracy’, ‘lack of diversity’ and ‘over-regulation’ for ‘poor culture’ and support an equally valid argument about their contribution to “poor outcomes for investors and consumers”.
“Culture’ is a catch-all. Think of it as the ‘silver-bullet’ or ‘thneed’ of compliance.
Culture is a comfortable short-hand designation that encompasses a wide range of choices, contexts and conduct. While conduct (acts or omissions) can be positively identified and objectively verified, ‘culture’ (or corporate intent) needs to be inferred - often from policies, public statements and management assurances. Unfortunately, in the absence of identified misconduct, these assessments are often inaccurate, misleading and subjective.
As difficult as it may be to define ‘good culture’, international regulators continue to emphasise it.
The reasoning seems to be that focusing on conduct (the ‘what’) without any consideration of the context and culture (the ‘why’) addresses the symptoms of the failures, but not their underlying causes.
Thankfully the consideration of environmental concerns (structures, incentives, associations, values and ethics) provides a more complete and convincing explanation of misconduct than the ‘bad apples’ philosophy so beloved of institutional licensees.
In truth, any examination of misconduct needs to consider Context, Culture and Choices. As limiting as it may be, focusing on culture at least encourages systemic analysis, facilitates general observations and allows for simpler causal relationships.
What does good culture look like?
In 2015, ASIC volunteered that Communication, Challenge and Complacency were three elements by which an organisation’s risk culture could be assessed.
Unfortunately, the Banking Royal Commission has disabused the community that there’s any relationship between regular, consistent and clear communication of expectations and licensee conduct.
While Clearview may not have prioritised compliance, they were hardly alone and each failed licensee was backed by strong and clear commitment to Industry Codes, Ethics and Community Standards.
Where legal advice is rewritten or decisions made in wilful ignorance of the law, the idea that employees would fearlessly challenge bad practices is hopelessly quixotic; few did and fewer still were ‘rewarded for raising concerns’.
REP 515 revealed that while these organisations appeared to have complacency licked, their well-structured and well-reviewed arrangements suggested active engagement, they concealed ineffectiveness, bias and marginal impact.
An international perspective
For all its limitations, Culture is a topic embraced by many international regulators.
In April 2018, the Financial Conduct Authority (UK) released “Five Conduct Questions” designed to help organisations understand their “firm’s culture and the norms and beliefs (coming from both within and outside the organisation) that drive staff behaviour.”
Although designed as part of their Wholesale Banking Supervision program, firms’ consideration of the questions and their subsequent actions provided the FCA with insight into firms’ cultures and identified the measures they had taken to improve conduct in their firms.
The questions were:
What proactive steps do you take to identify conduct risk?
How do you encourage staff to feel, and be, responsible for the conduct of their business?
What support do you provide to help people improve the conduct of their business?
How does the Board gain oversight of the conduct of business AND how does the Board consider the conduct implications of their decisions?
How do you ensure that you’re not sabotaging your own attempts to improve conduct?
Although there’s innumerable ways to respond to these questions, the brilliance of this approach is that the focus on mechanics (structures, frameworks and policies) exposes a firm’s ‘compliance culture’ far more effectively than by focusing on its principles, intent and aspirations.
Better yet, it provides the seed for a consistent and predictable methodology for assessing compliance culture.
Answering the five questions
So, given Regulators’ focus on culture, and the inherent limitations of their approach, how can a Licensee best satisfy their expectations.
Thankfully, demonstrating ‘good culture’ is surprisingly easy for a well-managed Licensee.
Although written for an entirely different audience and for very different purposes, a Licensee could use these questions to explore (or prove) their compliance culture. Clearly, responses to these questions will depend on the ‘nature, scale and complexity’ of the licensee grappling with them, but any acceptable response requires a considered and consistent focus on good governance and effective management.
What proactive steps do you take to identify conduct risk?
Embrace reg-tech, data analytics and key risk indicators. If you lack the internal capability to build interrogable and interconnected systems, use a platform like OpenAFSL to drive your monitoring and supervision processes, manage remediation and flag ‘root causes’.
Analyse financial, client and complaint data. The frequency, timing and volume of transactions should be considered. Consider whether your advisers are inappropriately focused on a particular strategy or product. Assess concentration risk. Compare growth in activity against their internal resources.
Verify any remediation undertaken (and assess its effectiveness). Where remediation was required how did the adviser respond? Was remediation completed within the required timeframes? Have the identified issues (or related issues) recurred?
Move beyond compliance to explicitly consider Competency and Character. Are representatives meeting, or exceeding, current requirements?
2. How do you encourage staff to feel, and be, responsible for the conduct of their business?
Review your Employee Handbook, Induction material and Role Descriptions. Ensure that these establish that “compliance is everyone’s responsibility” and that there are consequences for failing to act. Review your KPI to include ‘compliance’ as both an essential pre-requisite for any bonus or reward AND as ‘discretionary effort’ that may qualify for additional bonuses or rewards.
Check your Remediation and Consequence Management Policies. Confirm that consequences for non-compliance are clear. Investigate to confirm that these policies are consistently and predictably applied. Require any proposed exception to obtain Board approval.
Develop a Code of Conduct. Publish it. Support it. Enforce it.
Implement a ‘CEO award’ for Professionalism. Award this to staff, and advisers, that demonstrate consistent and considered efforts to exceed compliance requirements.
3. What support do you provide to help people improve the conduct of their business?
Catalogue and list the systems and platforms available to staff and advisers.
Review your Organisation Chart to clearly and effectively identify key support units. Document their scope and capability.
Nominate a Senior Executive with clear responsibility for ‘culture’. This appointment should demonstrate real commitment to culture and sustainability. It’s an expansive role with cross-department responsibilities that should be differentiated from both Compliance and Governance.
Review your Employee Handbook, Induction material and Role Descriptions. Ensure that these establish that “compliance is everyone’s responsibility”. Clarify that there are consequences for failing to identify and escalate issues. Recognise and reward ‘fixes’.
Review your Compliance Plan and controls. Make sure the arrangements are clearly and effectively detailed. Cover these in your Induction and Training material.
Create open communication channels. Create a simple (and anonymous) way for staff and advisers to identify problems or raise concerns. Implement a ‘no blame’ approach to identified issues.
4. How does the Board gain oversight of the conduct of business AND how does the Board consider the conduct implications of their decisions?
Create open communication channels. Invite business representatives (or advisers) to attend one or more Board Meetings to provide their perspective and insights. Encourage the Board/Management to sit in/work with the business units affected by their decisions.
Embrace reg-tech, data analytics and key risk indicators. Give Management direct access to your interrogable and interconnected systems. Allow them to explore the data (and test their decisions) without the assistance and intervention of conflicted staff.
Introduce client surveys.
5. How do you ensure that you’re not sabotaging your own attempts to improve conduct?
Link values and standards to your reward framework. Any bonus, reward or promotion depends on alignment with your values.
Increase your investment in Compliance and technology.
 “The Lorax”, Dr Seuss.
“I'm being quite useful. This thing is a Thneed.
A Thneed's a Fine-Something-That-All-People-Need!
It's a shirt. It's a sock. It's a glove. It's a hat.
But it has OTHER uses. Yes, far beyond that.
You can use it for carpets. For pillows! For sheets!
Or curtains! Or covers for bicycle seats!"