Contributions to the Supervisors on Supervision Stocktake
What does culture mean in the supervisory context?
“Social media allows information to flow freely and people to mobilise quickly, which means companies are far more likely to be caught out and face consequences for doing the wrong thing. The consequence is that materiality effectively moves in line with the social license. The way to manage this — and turn it into competitive advantage — is by building a culture of trust right through an organisation.
When we consider where trust in business comes from, we can draw a direct line from the public perceptions of a company to its corporate culture. Culture is the unwritten rules of how things are done in a business. It shapes employee behaviour and decision-making right through an organisation. As such, it is inextricably linked to a business’s ability to act in the interests of its customers and to do the right thing.”
Should culture, and the conduct proclivities it may promote or discourage among employees, factor into supervisory engagements?
“Behavioural science teaches us that culture is the unwritten code of how things are done in a business, and so, it is a good predictor of poor conduct.”
“In our surveillance, we increasingly used indicators of poor culture — which was normally correlated to poor conduct — to direct us to the companies we would visit.”
“I think it's getting a lot better, as prudential regulators realize that poor conduct risk can result in prudential risk. Prudential regulation is protecting the entity, while conduct regulation is generally protecting the individual. But they are both dealing with institutions that, if they behave badly, could become financially unviable because they'll lose their customers and face fines.”
“Often, people move around within the same sector, so you end up having sectoral cultural problems, which is what we had in the Australian banking industry. It doesn't just affect one firm; it can often affect the whole sector because people move around and bring their bad habits. Sometimes competition in a sector creates a bad culture. The banking Royal Commission [in Australia] was largely a result of the poor culture in the banking sector, where people didn't really care what they were doing to customers.”
What role does culture play in governance failures that ultimately require supervisory attention?
“It comes back to the concept of the ‘directing mind.’ What is directing the mind of the person in the organization? The culture really reflects that directing mind — what's driving that individual to do things the way they do.
It probably comes back to the same techniques you use for corporations. You start with the indicators of problems with culture. I was talking to a chief of police about this, because police forces often have issues with culture, and he said, ‘Look, we don't have one culture. We have lots of subcultures.’ Part of it is identifying subcultures that are not consistent with the culture you're trying to portray.”
How do supervisors approach culture as a factor in governance failures in the absence of clear frameworks?
“If we see the same thing happening repeatedly within one firm, where it's not just one advisor but a whole lot of them, we would then look further up the chain. We would prosecute the company as a whole for enabling a culture where the individual advisors were not properly supervised.
There's a culture of willful ignorance about what's going on. So when you've got a poor culture, you probably have to start at the top and see whether the board and management are actually the issue enabling everything else.
Who you appoint as a CEO and what your values are — those are pretty good tools. Upholding the company's values and using them as a basis for sacking someone is a good thing. It says, ‘Look, what you're doing may not be illegal, but it's not consistent with our values as a company.’
At one point, APRA and ASIC had people observing boards and their dynamics because they went to boards where the directors said nothing; it was just the CEO and the chair dominating.
The problem, as I’d summarize it, is that often it's not a whole lot of ‘bad Indians’, but the ‘chief.’ It's the tree that's the problem, not a few bad apples. We realized that was what culture was; it was driving poor conduct.”
“Our surveillance people were seeing this sort of behavior out in the field and saying, ‘Look, it is a culture. They don't really have a culture of compliance with the law.’ This is what the courts recognize; if you fail to have a system of checks and compliance that results in the law being broken, they consider that to be a culture of non-compliance.”
“The definition of culture is almost as simple as ‘the way things get done,’ whether it's written or unwritten. The lawyers add the phrase ‘culture of compliance’ because the first level of culture is that you've got to comply with the law. The next level is a culture that's compliant with the company's values. So you almost have two concepts: the minimum is complying with the law, and the second is complying with your values as a company.
Lawyers will often talk about a ‘culture of compliance’ or a ‘culture of risk management,’ whereas others may talk about a culture of making sure that what they say is what they do.”
How can supervisory culture be made more proactive and effective in connection with evaluating culture-related risk matters?
“[International bodies] can develop principles, based on observation and research of what good looks like, that help guide regulators in how they approach the issue.
The other thing you can use organizations like the OECD for is peer reviews. A country can have the OECD come in and do a peer review and assess whether the culture at companies or regulators is up to scratch. Peer reviewing is a good way of getting people to focus on how they're performing at a country level.”
How should supervisory bodies approach enforcement in the context of culture risk governance and supervision?
“There are two things you do [when there are signs of a culture problem]. One is you keep reasonably constant supervision on them. But often, it's better to be fairly blunt with the CEO and the chairman that there appears to be a problem. You tell them you're concerned about their mechanisms and that you're keeping a close eye on how they're operating.”
What tools, metrics, and data collection capabilities are currently available to support culture risk governance and supervision? What is working and what does this hold for the future?
“I gave a very controversial speech to the Law Council in September 2015 called ‘Culture and Regulation.’ Around that time, the Senior Managers Accountability Regime came about to try and make senior managers more accountable for poor conduct. But I was trying to say that we should talk more constructively about how you create a good culture, monitor it, and give companies the tools to do so.
From a regulatory perspective, you have pretty good indicators that tell you there's a problem, like customer complaints or our own direct supervision visits revealing unreported breaches of the law. If we saw a pattern of conduct that was breaking the law or close to it, or if we had a lot of complaints about a company, those were usually indicators.
There are a lot of tools companies can use to identify cultural problems, which you can then unpack. You have both internal and external techniques to identify where culture problems exist.
Boards have got to have tools that enable them to challenge management. They need dashboards that can give an indication of problems further down the organization. Directors at the board need to challenge the executive about what they are doing about these issues and continue to challenge them until the problem is resolved.
Often, the problem is that these things are identified but perhaps not challenged with enough focus before they get out of hand.”
What emerging techniques and tools offer promise to improve culture measurement and risk assessments?
“Machine learning and big data analytics have enabled ‘regtech’ solutions capable of interpreting organisational data, predicting conduct and culture risks and suggesting remedies.“
“Large datasets that are now available to us which, when combined with machine learning and predictive models of behaviour, can be used by regulators and compliance functions to detect potential misconduct before it even arises.
Data-driven models provide a window into individual teams across an organisation. Culture is not uniform across a company — it exists in many different layers right down to small units. Behavioural science provides valuable insights into where culture is going right, and where it’s not, which is crucial in the pursuit of restored trust in the industry.”
What steps should regulators consider to enable more effective culture risk supervision?
“We also looked at existing legal obligations. For example, under anti-corruption laws in the UK, directors can be held liable if they don't have a proper system of checks and balances for bribery. It’s the same in most countries with occupational health and safety; directors can be held liable if there isn't a system to monitor and avoid problems. So, the law, to a large extent, already extended to conduct in certain areas and held directors liable where the problem was a culture of poor conduct.”