A Starling Insights Deeper Dive Report

Supervisors on Supervision

Public Exposure Draft

Greg Medcraft

past-Chair

Australian Securities and Investments Commission

Contributions to the Supervisors on Supervision Stocktake

What does culture mean in the supervisory context?

1.1.1c Others define the scope of supervisory interest in culture much more broadly.

“Social media allows information to flow freely and people to mobilise quickly, which means companies are far more likely to be caught out and face consequences for doing the wrong thing. The consequence is that materiality effectively moves in line with the social license. The way to manage this — and turn it into competitive advantage — is by building a culture of trust right through an organisation. 

When we consider where trust in business comes from, we can draw a direct line from the public perceptions of a company to its corporate culture. Culture is the unwritten rules of how things are done in a business. It shapes employee behaviour and decision-making right through an organisation. As such, it is inextricably linked to a business’s ability to act in the interests of its customers and to do the right thing.”

Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?

1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.

“Behavioural science teaches us that culture is the unwritten code of how things are done in a business, and so, it is a good predictor of poor conduct.”

1.2.1a Many participants see culture as a precursor to misconduct and consumer harm, making it of key interest to conduct regulators.

“In our surveillance, we increasingly used indicators of poor culture — which was normally correlated to poor conduct — to direct us to the companies we would visit.”

1.2.1b Other participants note that misconduct that results from cultural problems often leads to prudential failures.

“I think it's getting a lot better, as prudential regulators realize that poor conduct risk can result in prudential risk. Prudential regulation is protecting the entity, while conduct regulation is generally protecting the individual. But they are both dealing with institutions that, if they behave badly, could become financially unviable because they'll lose their customers and face fines.”

1.2.1d Some supervisors have suggested that organizational culture has the potential to generate systemic risks, rather than merely idiosyncratic risks isolated to a given firm.

“Often, people move around within the same sector, so you end up having sectoral cultural problems, which is what we had in the Australian banking industry. It doesn't just affect one firm; it can often affect the whole sector because people move around and bring their bad habits. Sometimes competition in a sector creates a bad culture. The banking Royal Commission [in Australia] was largely a result of the poor culture in the banking sector, where people didn't really care what they were doing to customers.”

What role does culture play in governance failures that ultimately require supervisory attention?

2.1.1d Participants observe that culture can undermine incentive programs, employee engagement efforts, and other common management measures aimed at shaping behavior in desired directions, making it even more of a challenge for large, complex organizations.

“It comes back to the concept of the ‘directing mind.’ What is directing the mind of the person in the organization? The culture really reflects that directing mind — what's driving that individual to do things the way they do.

It probably comes back to the same techniques you use for corporations. You start with the indicators of problems with culture. I was talking to a chief of police about this, because police forces often have issues with culture, and he said, ‘Look, we don't have one culture. We have lots of subcultures.’ Part of it is identifying subcultures that are not consistent with the culture you're trying to portray.”

How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?

2.2.1a Participants discuss how the relationship between governance and culture risk presents unique challenges for supervision.

“If we see the same thing happening repeatedly within one firm, where it's not just one advisor but a whole lot of them, we would then look further up the chain. We would prosecute the company as a whole for enabling a culture where the individual advisors were not properly supervised.

There's a culture of willful ignorance about what's going on. So when you've got a poor culture, you probably have to start at the top and see whether the board and management are actually the issue enabling everything else. 

Who you appoint as a CEO and what your values are — those are pretty good tools. Upholding the company's values and using them as a basis for sacking someone is a good thing. It says, ‘Look, what you're doing may not be illegal, but it's not consistent with our values as a company.’

At one point, APRA and ASIC had people observing boards and their dynamics because they went to boards where the directors said nothing; it was just the CEO and the chair dominating.

The problem, as I’d summarize it, is that often it's not a whole lot of ‘bad Indians’, but the ‘chief.’ It's the tree that's the problem, not a few bad apples. We realized that was what culture was; it was driving poor conduct.”

2.2.1b Participants argue that focusing on the cultural proclivities that underpin or undermine risk and control environments (“risk culture”) can bring structure to supervisory judgment.

“Our surveillance people were seeing this sort of behavior out in the field and saying, ‘Look, it is a culture. They don't really have a culture of compliance with the law.’ This is what the courts recognize; if you fail to have a system of checks and compliance that results in the law being broken, they consider that to be a culture of non-compliance.”

2.2.1c Other participants note that culture drives impact well beyond risk and control functions, and that it therefore requires supervisory attention for these reasons as well.

“The definition of culture is almost as simple as ‘the way things get done,’ whether it's written or unwritten. The lawyers add the phrase ‘culture of compliance’ because the first level of culture is that you've got to comply with the law. The next level is a culture that's compliant with the company's values. So you almost have two concepts: the minimum is complying with the law, and the second is complying with your values as a company. 

Lawyers will often talk about a ‘culture of compliance’ or a ‘culture of risk management,’ whereas others may talk about a culture of making sure that what they say is what they do.”

How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?

2.2.3c Participants highlighted how supervisory bodies are beginning to explore how their own supervisory cultures might be assessed.

“[International bodies] can develop principles, based on observation and research of what good looks like, that help guide regulators in how they approach the issue. 

The other thing you can use organizations like the OECD for is peer reviews. A country can have the OECD come in and do a peer review and assess whether the culture at companies or regulators is up to scratch. Peer reviewing is a good way of getting people to focus on how they're performing at a country level.”

How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?

2.3.1b Participants describe various structural challenges related to enforcement and culture risk.

“There are two things you do [when there are signs of a culture problem]. One is you keep reasonably constant supervision on them. But often, it's better to be fairly blunt with the CEO and the chairman that there appears to be a problem. You tell them you're concerned about their mechanisms and that you're keeping a close eye on how they're operating.”

What tools, metrics, and data collection capabilities are currently available to support culture risk governance and supervision? What is working and what does this hold for the future?

3.2.1a Participants discussed the promise and the challenges that new technologies offer in culture risk supervision.

“I gave a very controversial speech to the Law Council in September 2015 called ‘Culture and Regulation.’ Around that time, the Senior Managers Accountability Regime came about to try and make senior managers more accountable for poor conduct. But I was trying to say that we should talk more constructively about how you create a good culture, monitor it, and give companies the tools to do so.

From a regulatory perspective, you have pretty good indicators that tell you there's a problem, like customer complaints or our own direct supervision visits revealing unreported breaches of the law. If we saw a pattern of conduct that was breaking the law or close to it, or if we had a lot of complaints about a company, those were usually indicators.

There are a lot of tools companies can use to identify cultural problems, which you can then unpack. You have both internal and external techniques to identify where culture problems exist. 

Boards have got to have tools that enable them to challenge management. They need dashboards that can give an indication of problems further down the organization. Directors at the board need to challenge the executive about what they are doing about these issues and continue to challenge them until the problem is resolved. 

Often, the problem is that these things are identified but perhaps not challenged with enough focus before they get out of hand.”

What emerging techniques and tools offer promise to improve culture measurement and risk assessments?

3.2.2b Participants highlight the potential offered by analyzing latent data sets in innovative new ways.

“Machine learning and big data analytics have enabled ‘regtech’ solutions capable of interpreting organisational data, predicting conduct and culture risks and suggesting remedies.”

3.2.2b Participants highlight the potential offered by analyzing latent data sets in innovative new ways.

“Large datasets that are now available to us which, when combined with machine learning and predictive models of behaviour, can be used by regulators and compliance functions to detect potential misconduct before it even arises. 

Data-driven models provide a window into individual teams across an organisation. Culture is not uniform across a company — it exists in many different layers right down to small units. Behavioural science provides valuable insights into where culture is going right, and where it’s not, which is crucial in the pursuit of restored trust in the industry.”

What steps should regulators consider to enable more effective culture risk supervision?

4.1.1a Some participants described the importance of establishing a firm legal basis for supervising culture.

“We also looked at existing legal obligations. For example, under anti-corruption laws in the UK, directors can be held liable if they don't have a proper system of checks and balances for bribery. It’s the same in most countries with occupational health and safety; directors can be held liable if there isn't a system to monitor and avoid problems. So, the law, to a large extent, already extended to conduct in certain areas and held directors liable where the problem was a culture of poor conduct.”