“Culture shapes and influences people’s attitudes and behaviours towards, for example, customers and compliance. ASIC sees culture as a driver of conduct. A poor corporate culture can be a driver of misconduct.”
— ASIC Chairman, Greg Medcraft’s speech at the launch of the Inaugural Governance Institute Ethics Index
Confused about culture?
‘Culture’ has been the recurring theme of the Royal Commission into Misconduct in Banking, Superannuation and Financial Services. Offered as both a justification and an apology, ‘culture’ explains everything and nothing. Worse still, it excuses and normalises misconduct.
It’s well known that environment can affect the ethical choices made by individuals (Stanford Prison Experiment) so it’s not unreasonable to believe that ‘corporate culture’ can lead to the mismanagement, misconduct and maladministration identified at the Royal Commission and repeated in the media.
ASIC themselves see “poor culture as both an indicator and a driver of poor conduct” and many of those who appeared at the Commission have clung to this particular mitigator when addressing their conduct.
Culture is an excuse.
The environment can influence a person’s ethical choices but it doesn’t determine them.
The danger of accepting ‘culture’ as the cause of misconduct undermines the agency of the participants and ignores the reality that culture is created and maintained by the choices made by people within the organisation.
For example, consider the example played out before the Commissioner where it was revealed that Licensees charged ongoing service fees for services they did not provide.
The Licensees chose to do so, to continue to do so or not enquire if they were doing so. Whether their staff chose sustain or ignore this practice because of peer pressure, to achieve bonuses or simply to keep their positions is irrelevant; they made that choice.
If the management of an organisation implemented policies and procedures that drove unethical conduct, or if management was wilfully blind to misconduct within their organisation; they made those choices too.
If an adviser manipulated records to maximise their bonus; the adviser made that choice. If the Manager ignored the adviser’s behaviour, the Manager made that choice.
‘Culture’, that ill-defined and unmeasurable concept so beloved of Consultants and Recruiters, is little more than the product of choices and consequences. ‘Culture’ is an artificial construct; it may emerge organically but it’s shaped, incrementally and inevitably, by the conscious choices of the participants.
It’s tempting to think that ‘Culture’ is simply the result of tolerated conduct, but conception that conceals the fact that Culture is the result of conscious decision-making.
Incentives may influence conduct, but people (not ‘culture’) determine the incentive structures and determine when bonuses are paid or withheld.
As a Manager, a Director or an Employee the conduct that you accept, normalise or reward signals to others the conduct that is expected and rewarded.
The critical role of compliance
As a Responsible Manager or Compliance Manager, you’re well placed to influence the environment in which you operate. Admittedly, you may not wish to. It’s certainly easier to accommodate, rationalise and accept behaviours and choices where the consequences are material or personally damaging.
The Royal Commission offered numerous examples of Executives failing to act “efficiently, honestly and fairly” and excusing their failure to act appropriately as ‘cultural issues’. These are simply excuses for poor decisions (or for decisions that may now have some consequence).
The role of the Compliance Manager is often poorly understood, even by some of those that assume the role. Regardless of what you might think, Compliance is a strategic and commercial discipline that requires far more courage than is often appreciated. It also has a far greater capacity to influence ‘culture’, nudge management and correct misalignments than most management positions. To be fair, it’s also one of the most vulnerable corporate positions.
You can easily nudge the environment to influence others’ behaviours.
As boring as it may appear, you can achieve this objective by focusing on the capability and competence of the Licensee and the Licensee’s representatives.
When I talk about a Licensee’s Capability, I’m referring to processes, tools, resources, skills and behaviours that constitute, define and support their activities. Competency refers to the knowledge, skills, behaviour and attitude of the Representatives.
A critical point where these intersect is how your Business responds to incidents, breaches and contraventions – this is Consequence Management.
Your Consequence Management Policy outlines how your business will react, (predictably consistently and proportionally) to failures to “act professionally, treat customers fairly and prioritise clients’ interests”.
Your policy nudges your ‘culture’ by articulating what conduct is unacceptable and outlining the consequences of that conduct. If culture is a reflection of the worst behaviour people in your business tolerate, your Consequence Management Policy promises that bad conduct will not be tolerated and will be addressed in a consistent, appropriate and effective manner.
“Is there proper accountability as demonstrated by discipline for managers under whose watch misconduct occurred? Is the application of discipline consistent? Is there an incentive program for good compliance and ethical behavior? Can the company point to specific examples of actions taken (promotions or awards denied) as a result of compliance and ethics considerations?”
— U.S. Department of Justice, Criminal Division, Fraud Section “Evaluation of Corporate Compliance Programs”
How you approach Consequence Management is a matter for you and your business. It will depend on the “nature, scale and complexity of your business” and your business’ Risk Appetite. I would suggest that start with your ‘zero’ and ‘low’ risk tolerance items and build a conceptual framework to explain when you’ll take remedial actions – fixing the problem – and when you’ll take Administrative actions – addressing the conduct and the cause.
Remember that the options need not be mutually exclusive.
In an advice business, you might conceive of your framework to look like this:
For clarity, your Policy should clearly explain when and why you’ll take the required action.
It’s telling that one of the common failings of those Licensees that appeared before the Royal Commission was the apparent absence of any effective way of identifying and reacting to incidents, breaches and contraventions.
It’s not a complete solution (monitoring, supervision and remediation are equally important) but focusing on consequence management is an effective and efficient way to create and maintain a good corporate ‘culture’. Properly applied, it may also spare you adverse publicity.
If you liked this, you may enjoy reading:
U.S. Department of Justice, Criminal Division, Fraud Section Evaluation of Corporate Compliance Programs