It’s no longer cliché: the notion of culture is now front and centre. In his final report, Commissioner Hayne makes the point - multiple times - that every financial services entity, whether named in the report or not, must look to its culture.
It is often said that culture is what people do when no-one is watching. Hayne describes it as the “instinctive application” of the “shared values and norms that shape behaviours and mindsets within an entity.”
He devotes a chapter to exploring the interplay between culture, governance and remuneration, concluding that these “march together” with improvements or inaction in one reinforcing or undermining progress in the others. According to Hayne, these are the issues that lie at the centre of the misconduct he observed.
But what should organisations now do in response to his recommendations? How should they tackle culture?
1. Everyone has room for improvement
Beware the temptation to say that your culture is OK. Hayne warns that this would be “foolish and ignorant”. If we do not examine the systems and practices that were the cause of the misconduct, learn the lessons, and make changes, history will be repeated.
To begin, this task falls to leaders.
Leaders should be properly trained and supported, but they must also have the right intent. Do leaders embody the right values? Are leaders showing up with the capability as well as the humility to accept that mistakes have been made and change is required? Leaders should be ready to ask questions, listen, reflect on past decisions and decide themselves what is the right thing to do - and then lead others to do the same.
Ultimately, regulators will make an assessment.
If APRA builds the supervisory program that Hayne is advocating, supervision of culture to mitigate the risk of misconduct will become part of its mainstream activities. Hayne’s risk-based approach means that APRA will prioritise for review the organisations that have not given enough attention to the cultural drivers of misconduct.
2. Do. Review. Do. Repeat.
According to Hayne, as often as reasonably possible, organisations should:
- assess their culture;
- identify problems;
- deal with the problems; and
- determine whether the changes have been effective.
Assessing culture means understanding what factors drive behaviour and motivate people. It should involve diagnosing problems, as well as identifying strengths to build on. Remuneration practices are undoubtedly a key lever but, as Hayne noted, culture is also influenced by other factors.
Identifying the issues and devising a plan is important, but the smartest strategy is wasted effort if not implemented. Organisations must set objectives, devote resources to the effort, and track and monitor progress. Communication is key – people will want to know what is happening as well as why.
Effective risk management is an ongoing cycle. Culture is not static, and neither should be the work in managing it. As Hayne says, organisations must “apply, reapply and keep re-applying” all the guidance and principles set out in the report.
3. Don’t tick boxes
The culture of each organisation is unique. Adherence to Hayne’s six ‘norms of conduct’ may be indicative of a desirable culture, but there is no universal recipe for a ‘best’ culture. Organisations must do the work, which he says will demand “intellectual drive, honesty and rigour”.
Effective risk and compliance management, and improvements to culture and governance, cannot be achieved by box-ticking. The approach must be targeted and tailored to the organisation.
Data is important, but insights are critical. When organisations undertake their cultural reviews, verbatim comments are necessary to understanding what people really think and believe. The actions and outcomes that result from these perspectives then need to be identified and linked to create insights. While beliefs may not be as readily measurable as outcomes, both should be monitored.
4. Invite risk to the table
Risk culture is an important aspect of overall culture. It refers to the extent and effectiveness of systems and practices by which risks are identified, analysed, managed, escalated and reviewed, as well as the willingness with which people engage in these practices.
Leadership at all levels, or the ‘tone from above,’ is a key lever for culture. In particular, leaders have a critical role to play in elevating the ‘voice of risk’ as well as prioritising investment in the risk function to support its important work. Leaders must ensure that non-financial risk experts – operational, regulatory and conduct risk management – are valued business partners, and have a seat at the table when key decisions are made.
Similarly, all employees should be encouraged and empowered to speak up about conduct and other risk issues. By opening up the conversation in this way, firms can accelerate their progress.
It will inevitably be an ongoing dialogue. As Hayne says, reforming culture and governance will require “continuing effort integrated into day-to-day business operations”.