Recent scandals in the corporate and financial spheres have served to highlight the importance of a strong and well-embedded institutional culture. It is difficult to pinpoint any such scandal that was not, to a material degree, attributable to cultural failings. It comes as little surprise therefore that the regulatory authorities have sharpened their focus on culture.
In the United States, the Financial Industry Regulatory Authority (FINRA) has identified culture as a key area of current supervisory focus; and resolved to formalize its assessment of firm culture. During these appraisals, FINRA will be reviewing how firms establish, communicate and implement cultural values, and whether cultural values are guiding business conduct. “As part of this review, we plan to meet with executive business, compliance, legal and risk management staff … to discuss cultural values. We would also like to discuss how your firm communicates and reinforces those values directly, indirectly and through its reward system. We are particularly interested in how your firm measures compliance with its cultural values, what metrics, if any, are used and how you monitor for implementation and consistent application of those values throughout your organization.” (emphasis added).
In a similar vein, corporate culture is a relevant consideration under the Department of Justice’s guidelines for assessing corporate criminal liability. Whereas a strong culture will serve as a mitigant, a perceived poor culture will be regarded as an aggravating factor.
And such a concerted regulatory focus on culture is by no means a US-specific phenomenon. In the UK, for example, it remains high on the agenda of the Financial Conduct Authority:
“Culture remains a key driver of significant risks … and the root cause of high-profile and significant failings. Our focus on culture in financial services firms and its impact on conduct has been, and remains, a priority. We are interested in the direction of travel of firms’ cultures and if indicators show progress. We will hold management to account … where cultural issues lead to internal controls that fail to promote and support the right outcomes for consumers and the market.” (emphasis added) UK Financial Conduct Authority, 2016/17 Business Plan.
Significantly, cultural failings have featured increasingly of late in UK enforcement actions brought against both firms and individuals; and, in several instances, fundamentally underpinned the Regulator’s case. Serious issues or misconduct have been readily attributed to a flawed culture - for which senior management is considered ultimately responsible. With the introduction of the UK Senior Managers Regime—and its inextricable link to culture—this trend can be expected to continue, resulting in a projected increase in related regulatory sanctions.
As indicated by the highlighted extracts above, any credible culture program—in whatever industry or sector—will require a systematic approach to both: (i) the identification of a set of suitable cultural indicators/metrics, each accompanied by a measurable expectation; and, importantly, (ii) periodic assessment—to validate that the reality (the actual conduct of the firm and its employees) matches the expectation (set desired standards). A simple cultural values statement will not, without more, suffice.
For many, culture is an inherently nebulous concept, difficult to define and measure. Although it will ultimately be for firms to choose their own particular metrics, FINRA has identified certain indicators by which it will assess culture:
- Whether control functions are valued within an organization (and adequately resourced);
- Whether policy and control breaches are tolerated;
- Whether the organization proactively seeks to identify risk and compliance events;
- Whether supervisors are effective role models of firm culture; and
- Whether sub-cultures that may not conform to overall corporate culture are identified and addressed.
Other cultural indicators might typically include:
- Responses to issues or incidents—was the response sufficiently credible and robust? Did it indicate a resolve on the firm’s part to “do the right thing”?
- Complaints handling—how seriously is the firm treating complaints?
- Incentive structures—is an appropriate balance struck between the interests of clients and the firm?
- Performance management—are appropriate metrics being used to assess individuals’ performance? Is there an over-focus on revenue generation and an under-focus on regulatory compliance?
- Demonstrable board and senior management engagement in regulatory compliance matters.
- Credibility of management response to adverse audit findings.
- Use of, and response to, employee surveys to help gauge culture.
- Approach to training—embraced, tailored and engaging; or off-the-shelf, unrealistic and a “necessary evil”?
- Credibility and robustness of approach to contravention of internal requirements - actions speak louder than words.
- Status of relationship with, and attitude towards, regulators—healthy and constructive; or hostile and awkward?
- Approach to product development and ongoing monitoring—is there an appropriate focus on customer/client interests?
- Quality and frequency of management information—are “red flags” highlighted, escalated and acted upon as appropriate?
To enable a measurable assessment, expectations must be set in respect of each chosen cultural indicator. For example (taking a firm’s response to issues as the indicator):
“Firm will respond credibly and robustly to material issues or incidents. In particular, any such issues or incidents will be expected to have been escalated appropriately [including to a member of the Executive Committee]; notified to the Regulator in a timely manner (where appropriate); duly prioritized, with the requisite sense of urgency; and managed at a suitable level of seniority within an appropriate governance framework [as approved by the Board].”
There is no single “right” or “wrong” way in which to measure culture. One obvious approach is through a periodic independent cultural appraisal conducted by, say, internal audit or external professionals. Such an assessment may be conducted by reference to an agreed set of cultural metrics and expectations—to benchmark actual conduct over the previous period against desired standards. Any material deviations would be analyzed to determine whether any lessons need to be learned and/or enhancements are required. Results would in turn be reported to senior management or the board. Outcomes would be incorporated, as appropriate, into compliance monitoring/audit plans and relevant risk assessments.
By way of illustration, one of Firm X’s chosen cultural metrics is “response to issues or incidents.” The related expectation is as per the italicized example above. Firm X has encountered two serious compliance issues over the past year. In this context, the cultural “audit” would (in simple terms) assess whether Firm X’s actual response to these issues was consistent with expectation; and, if not, highlight any scope for improvement.
Alternative or supplementary approaches to the assessment of culture include:
- Regular staff surveys—focused on issues such as: willingness/readiness to escalate suspicions or concerns; perception of the example being set by superiors and senior management; awareness of the firm’s cultural values and expectations; and
- An independently-run program of tailored scenario-based workshops, involving a representative cross-section of employees at varying levels of seniority with different functions and tenures. Each scenario would incorporate one or more relevant “real life” dilemmas, designed to generate engagement and, importantly, to reveal cultural attitudes and mindset.
Clearly, these approaches are by no means mutually exclusive; and can be regarded as complementary to one another. Any firm wishing to undertake a comprehensive assessment may opt for all three of these initiatives at appropriate time intervals.
The Regulator’s Perspective
For its part, the Regulator will typically assess a firm’s culture by reference to certain key questions and criteria. For example (and to share but a few):
- Are the board and senior management adequately focused on understanding the culture that exists and seeing adherence to firm values and conduct as a strategic imperative?
- Is this evidenced in practices such as transparency for material transgressions, and owning the responsibility for identifying and dealing with problems?
- Do the firm’s promotion and recruitment processes attribute material weight to compatibility with desired values and conduct; and consistent demonstration of the desired behaviors?
- Is there evidence of robust internal sanctioning, with material consequences for staff in the event of poor alignment with conduct and values?
- Do frontline management and staff demonstrate understanding of, and the ability to identify, values and conduct issues and act accordingly?
Such questions can serve as an invaluable and highly effective framework against which firms can self-appraise their overall cultural standing. In our experience, a concerted focus on these factors should be positively additive to any culture initiative.
Culture is, and will likely remain, high on the Regulator’s agenda. The relative ease with which any serious issue or misconduct can be attributed to a “broken” culture (and consequently senior management held accountable) should not be underestimated.
Regulatory expectations are clear. Firms which take culture seriously by adopting the measures advocated in this article should be well-placed in the event of regulatory scrutiny. However, these measures should not be seen as solely defensive in nature. In our experience, if actively embraced, they can (and indeed should) add substantive value and result in a materially enhanced operating environment.
Quinn Emanuel’s practitioners have extensive recent experience of assisting institutions with culture change and assessment projects—including:
- Undertaking firm-wide risk culture/assurance reviews (reporting to the board);
- Advising on culture change programs (including the identification of relevant cultural indicators);
- Assisting with the development of culture assessment frameworks;
- Culture benchmarking exercises;
- Advising in relation to the mitigation of cultural enforcement/attribution risk;
- Senior/middle management training and awareness–understanding regulatory expectations;
- Devising tailored scenario content;
- Running workshops and reporting feedback; and
- “Mock” supervisory visits/interviews, focused on culture and conduct risk.