We are a Kultcha’d lot!
The affable Sir Les Patterson the self appointed Minister of Kultcha from Gough Whitlam’s era would be very pleased – the broader financial services sector has finally acquired an expansive taste for culture. It seems to be appearing everywhere across the Australian business sector – with a particular focus on financial services.
Regulators have turned their collective focus to the promotion of the requirement that Directors should ensure that their stewardship drives the right culture in their organisation. They should also be prepared, at the very least,to meet the pronounced principles or statements of the minimum requirements sought by their sector Regulator :-
risk governance and a risk culture associated with the operation of ADIs (Banks and Credit Unions) and Insurers – APRA CPS 220 and CPS 510 –slated for commencement 1 January 2015
a risk culture embedded within the risk management framework and governance of Superannuation Funds – APRA SPS 220 –which commenced 1 July 2013
a risk management culture associated with the operation of a Responsible Entity in the funds management space- March 2013 Draft Regulatory Guide – Risk Management systems of Responsible Entities – final version of Regulatory Guide still pending
a compliance culture – ASIC has found that recipients of recent Enforceable Undertakings in the financial planning sector –including the highly publicised Commonwealth Financial Planning debacle – suffered from “A poor compliance culture meaning that deficiencies were not identified, escalated and remedied in a timely and efficient manner.”
So 2014 and beyond looms as the period when participants across the heavily regulated financial services sector need to define and implement what execution of a risk culture might look like across their sector(s) and within their organisation. In addition, financial services enterprises also need to determine what their internal benchmark will be – remembering that the Regulatory outline is the required minimum standard.
Although the financial services arena is currently under the microscope the application of an enterprise wide culture –that facilitates seamless delivery of governance, risk and compliance activities – is something that every business should aspire to.
How do we get Kultcha’d?
So let’s unpack what the Regulators and others are looking for and how to get there –
What is a ‘culture’?
The word culture is derived from Latin and generally refers to patterns of human activity and the symbolic structures that give such activity significance. However, ASIC and APRA, has a slightly different take on what they are looking for. ASIC is obviously concerned as to the procedural and regulatory compliance culture whilst APRA has its microscope on risk governance and risk culture.
There is not a single uniformly used definition of risk culture but my personal preference is “ the set of encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within an institution.”
Unlike operational compliance issues there is no hard measure that can be developed to assess the level of culture- the level at which an organisation and its’ employees execute on everyday activities within a common understanding is a purely subjective assessment. This subjective assessment needs to be carried out under the umbrella of the risk appetite that the organisation has embraced as appropriate and acceptable for their business.
What drives ‘culture’?
There is no single or collective component that can be pointed to as the items that evidence that there is a certain culture within an organisation. After all every enterprise has a unique identity that stems from circumstances peculiar to their point of origin and genesis. The recent Financial Services Inquiry Interim report made this observation –
“The culture of an organisation, its’ appetite and its’ approach to managing risk ultimately flow from the policies and practices set at the very top. The rules and requirement set by regulators and internally within the institution will only go so far: an organisation’s culture and risk appetite determine how an institution responds to the spirit of the requirement and circumstances that are not addressed by the rules.” [Corporate Governance Section Paragraph 3-43 Financial System Inquiry – Interim Report]
So at the end of the day we have to assess the degree of cultural execution through a subjective lens which is akin to a gut- feeling – or by using some modern iconic terminology “it’s the vibe!!” (with thanks to the movie ‘The Castle’). Notwithstanding, that the presence of a culture is akin to a vibe there are means of measuring some of the mechanical components that make up culture –for example the reaction by the business to operational failures. The fact that when there is a failure in some part of the business rather than pointing fingers or hoping that the problem will just go away – the staff involved identify the problem, commence procedures to rectify the cause of the incident, address or remedy the impact, take steps to create and implement a solution and notify the appropriate sections of management – such events indicate that there is a cultural approach to operating the business. Put another way if the staff (at all levels) assume a position of ownership or accountability for effecting remedial activities as soon as the event is identified then the tenets of a cultural execution are well embedded in the organisation.
If the cause of the failure is a systemic breakdown in protocols there is work to be done –if the failure is a quality of personnel issue then that too leads to better management of training and skills or an acknowledgement that the required skillset does not match the requirements for the role.
Measuring Kultcha
So why is it important to have a sense of the extent of the methodology by which governance, risk management and compliance are delivered across an enterprise?
Greg Medcraft the ASIC Commissioner said it quite clearly in a recent speech at an Australian Institute of Company Directors lunch in June 2014 –
“A directors’ stewardship should drive a culture of compliance within the company. If we find that a company’s culture is lacking, it is a red flag that there may be broader regulatory problems within a company..”
John Laker the former APRA Chairman in his final media interview gave us the APRA perspective –
..if a Board is able to articulate and then make sure it embeds a very clear risk appetite and then the organisation is able to develop a strong risk culture then you can be more confident that you won’t get those episodes ( of being exposed to fundamental flaws in the enterprise wide risks)”
These assessments reflect the differing focus of the two Regulators – ASIC adopts the compliance lens and APRA the risk lens. The takeaway from both Regulator on what is a culture is actually very similar and the cultural theme has the same tenets:-
A framework that reflects a body of protocols:-
- Supporting a collective outcome;
- Clearly enunciated and understood
- Reinforced by the activities and behaviours of the business leaders : and
- Supported and encouraged at all levels within the business.
The language addressing the presence of a culture is addressed in the same fashion by the two primary Australian Regulators in a similar theme – if there is no culture then it is expected there will be additional weaknesses present which no doubt raises the spectre of a higher level of regulatory oversight being required for such an organisation.
The getting of Kultcha
There are an enormous number of interactions necessary to both develop and maintain a cultural execution of governance, risk management and compliance. The core drivers will always be the people within an organisation –which means that the People and Performance initiatives need to foster the right attitudes and behaviours. It is simple when you say it really quickly! But from past experience alignment of operational requirements, conformance obligations and remuneration programs is a time consuming and challenging project – after all you are dealing with individuals and their subjective perception on the value that a culture can deliver.
This is as true for the business leaders as it is for the employed staff, the oft used term “tone from the top” is paramount in creating a culture. But the importance of the “tone from the top” is greater AFTER the initial work to develop a risk or compliance culture –one slip or a noticeable drop in overt support and years of development effort very quickly evaporates.
Conversely there are organisations where the ‘cultural’ approach to running the business is actually an enticement for people to seek to work for the enterprise – Google, Apple are two highly visible entities. Now these cultures are considered to make Google or Apple ‘fun’ places to work but within the culture is a risk/governance framework that is delivering the minimum conformance obligations as well as a variety of standards that go well beyond the minimum levels required by a myriad of Regulators. The fact is that the risk/governance/compliance obligations are integrated into the daily working lives of the employees –something that participants in the Australian financial services sector need to find a way to achieve.
Kultcha Forever!
The cultural phenomenon is not restricted to the Australian marketplace. Financial services regulators across the Western world are all dealing with means to improve the standard of behaviour that is achieved internally within banking institutions and insurers, fund/asset managers and Trustees of superannuation vehicles. The internal behaviours are the cogs that drive the organisational culture – and for many years to come we will be presented with a constant stream of regulatory tinkering on how to externally manage an entirely internal deliverable – the human system that exists inside financial services organisations.
So rather than bunker down and seek to ride out the regulatory storm the more astute CEOs of highly regulated financial service participants are looking to spend time (and lots of money) to create enduring frameworks and systems that facilitate creating internal behaviours that reflect the organisations appetite for risk, it’s desired position on issues of conformance and compliance and generating a highly engaged workforce always striving to create stakeholder value. I have often stated my belief that development of ‘sensible’ programs aimed to develop and extend culture are part of a well run business –the catalyst for embracing a cultural execution model should not be brought about by a reaction to enforced guidelines. But in the never ending pursuit of better corporate behaviours and a cultural delivery any activity that acts as a catalyst for generating an improved risk culture and compliance culture MUST be welcomed.