(This article was written by Simon Orton and Rami Royle and originally published in Compliance Monitor, April 2019 edition, Volume 31, Issue 7)
The contribution of cultural weaknesses to major conduct failings is widely acknowledged, but not always easily prevented. Drawing on broader analysis conducted by Freshfields, Simon Orton and Rami Royle consider the particular challenges of powerful personalities and niche areas of technical expertise.
It is now undeniable that the culture of an organisation matters.
The biggest failures often do not arise from single, isolated events; but rather stem from systemic breakdowns in corporate culture. Individual behaviour is driven by the culture within which an individual operates. As a result, the way in which organisations articulate their culture, and the extent to which that culture is in fact lived day to day by the entire organisation, is coming under increasing scrutiny.
Regulators of both corporates and financial institutions have put culture under the spotlight in recent years, focusing in particular on the relationship between culture and risk. The UK Corporate Governance Code places a significant emphasis upon the culture of a company, as well as the board’s responsibility for setting a framework within which a healthy corporate culture can develop. Similarly, in the financial services sector, the Financial Conduct Authority has emphasised that culture is a priority area that has been a key root cause of recent major conduct failings in the industry.
It is clear then that ensuring organisations have a healthy corporate culture so as to mitigate risk, is a priority for regulators. It must therefore similarly be a priority for organisations.
Before we consider how businesses can respond to this critical need to promote a positive culture, it is worth pausing to reflect upon the meaning of ‘culture’ in this context. Organisational culture is widely accepted as referring to the underlying beliefs, values and ways of interacting that contribute to the unique social and psychological environment of an organisation. The parameters of that environment, including the conduct it facilitates and prohibits, influences the way in which individuals operating in the environment conduct themselves.
So, how can you define and measure the culture in your organisation? How can you know whether and how your culture requires improvement?
Those questions are inevitably addressed when things go wrong. When a company faces a regulatory breach, when an institution is sued, or when a material reputational issue arises, key stakeholders - intent on determining why the failure occurred - will turn to a root cause analysis. Culture is likely to play an integral role in the answer, and that can helpfully lead to a ‘lessons learned’ process aimed at improving those aspects of the organisation’s culture that contributed to the failings.
But surely it would be more helpful still to consider how to promote the most valuable culture in an organisation before things go wrong?
Drawing upon its experience of conducting major global investigations for corporate and banking clients, Freshfields has carried out an empirical analysis of such potential cultural factors that can allow misconduct to take place - either as a direct cause or by contributing to an environment that facilitates misconduct. That led us to a matrix of twelve resulting factors that can be used by organisations to test their culture. It is important to test periodically whether cultural factors that often underlie misconduct appear in your organisation; to understand the extent to which the factors pose risk (whether individually or in combination with one another); and to consider the steps that should be taken to mitigate that risk.
In this article, we focus on two of the factors that are common culprits when assessing the cultural or governance reasons as to why major problems occur: (i) the presence of strong personalities in organisations; and (ii) work related to highly technical areas of business.
Turning first to the presence of strong personalities, it is inevitable that the world’s most successful businesses will have imposing characters within them, and it is unsurprising that some of the highest performing individuals in those businesses will have dominant personalities. After all, those are the traits that enable such people to drive change, motivate and inspire effectively.
However, organisations with strong personalities need to be careful to mitigate against associated risks, particularly the risk that forceful individuals unwittingly create a results-driven environment in which others act in unexpected ways. Or the risk that formidable characters are not adequately challenged by those around them or by oversight functions. There can be a reluctance to challenge an individual who is extremely successful in a particular business area, especially if that person is highly respected. Similarly, more junior employees may feel that it would be futile to raise concerns about highly respected and successful individuals.
So, an organisation needs to identify where it has strong personalities within the business who could give rise to these sorts of issues. Once an organisation is clear on that, what can it do to mitigate those risks? Unfortunately, there is no single fix. Organisations can deal with the risks through, for example, developing robust governance and management; increasing self-awareness among senior individuals as to the effect they may have on others; ensuring there is a strong second line of defence (for example, legal and compliance functions); and encouraging people at all levels to speak up.
We turn next to the correlation between work in highly technical areas of business and a heightened risk of conduct failures. Again, it is frequently the case that successful businesses will involve work in highly technical and complex areas. Often, that is where most profit is generated.
This can, however, give rise to challenges that need to be recognised and addressed. In particular, if the degree of complexity is such that only a few individuals are able to understand the underlying subject matter, that can become problematic. It is vital that those in management and control functions can properly oversee the technical area of business. Such oversight becomes extremely difficult in circumstances where those who are responsible are not sufficiently familiar with the subject matter. This may be exacerbated by the natural reluctance of staff at all levels to admit a lack of understanding. A superficial grasp is often more dangerous still, as it can result in an individual having enough knowledge to test the conduct against prescribed criteria, but not possessing a sufficiently holistic understanding to enable a wider assessment of the ethical or reputational risks associated with the conduct.
To manage this risk, businesses need continually to consider questions such as: do the board, management and the control functions include individuals who have sufficient technical expertise to exercise proper oversight? Do those individuals understand the wider ethical and reputational concerns related to the judgements that will be made in the particular area of technical expertise? How does management more widely grapple with these issues? It is also important that the organisation encourages an open dialogue in which individuals feel comfortable asking questions, often best achieved by senior management setting the tone (ie, being seen to indicate when something is not understood and proactively seeking further explanation).
These are just two examples of cultural factors that can give rise to significant misconduct risk, but our research has revealed a number of others. It is important to remember that corporate cultures are not always simply ‘good’ or ‘bad’ - features of a culture can have both positive and negative consequences. For example, collaborative and supportive environments can be rewarding to work in, but can also make individuals reluctant to have difficult conversations with underperformers who make mistakes and expose the organisation to regulatory risks.
The key for organisations is to identify the risks or vulnerabilities arising from their own corporate culture and to think in practical ways about how to address those. After a major problem, organisations should take the opportunity to consider the particular factors that were at play in contributing to the underlying failings.
There is also a need continually to assess culture outside of that context (particularly because the culture of an organisation evolves over time). The greater an organisation’s understanding of its own culture - both as articulated by senior management and as borne out through all echelons of the organisation, the more effective it will be at assessing risks arising from that culture. Such continual assessment can only be a good thing. Good risk assessment will mean better risk mitigation, which can lead to a more powerful risk-management strategy to help prevent future crises.