“Culture is something I last heard about in a petri dish when I was studying O-level biology”
I was once talking to the managing director of an insurance broking firm in London: “Culture” he said, “culture [and he really did repeat the word for emphasis] is something I last heard about in a petri dish when I was studying O-level biology.” Well I guess he has heard a lot, lot more about it since then. The Financial Conduct Authority (the “FCA”) “bang on” about culture, as does the Financial Reporting Council (the “FRC”). The FRC has even set up a “Culture Project” to provide further guidance to directors about culture. So I have carried out a mini-trawl of what regulators are saying about culture. I chose four regulators entirely not at random and looked at a couple of documents where they are talking about culture. Here are my findings.
The FRC talks a lot about culture. In their Guidance to Directors on “Risk Management, Internal Control and Related Financial and Business Reporting” the word “culture” appears at least 20 times in 28 pages. Extracts from the FRC’s Guidance include the following:
“The board’s responsibility for the organisation’s culture is essential to the way in which risk is considered and addressed within the organisation and with external stakeholders.”
“The board must determine its willingness to take on risk, and the desired culture within the company.”
“The board has ultimate responsibility for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.”
“Training and communication assist in embedding the desired culture and behaviours in the company. To build a company culture that recognises and deals with risk, it is important that the risk management and internal control systems consider how the expectations of the board are to be communicated to staff and what training may be required.”
It is interesting that they avoid the term “risk culture”, but prefer to talk about the culture in which risk is considered and managed. My suspicion is that they grappled with the “risk culture” phrase but, like the Institute of Risk Management in their seminal work on culture, failed to nail the concept of risk culture.
Instead of looking at the FCA, I decided to look at the seminal guidance on culture from the Financial Stability Board: the meta-regulator of regulators in the banking world. They are far more explicit about the risk culture. Indeed they published a document called: “Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”. The word “culture” is mentioned at least 100 times in the document, and the phrase “Risk Culture” is mentioned 73 times in just 14 pages. The critical issues in this document seem to me to be, firstly, that regulators have got to get to grips with understanding this more ephemeral topic, and also that directors are clearly responsible for it. Extracts from the document include the following:
“An anticipatory and strategic approach to supervision rests, among other things, on the ability to engage in high-level sceptical conversations with the board and senior management on the financial institution’s risk appetite framework, and whether the institution’s risk culture supports adherence to the board-approved risk appetite.”
“Culture can be a very complex issue as it involves behaviours and attitudes. But efforts should be made by financial institutions and by supervisors to understand an institution’s culture and how it affects safety and soundness. While various definitions of culture exist, supervisors are focusing on the institution’s norms, attitudes and behaviours related to risk awareness, risk taking and risk management, or the institution’s risk culture.”
The FSB outline four indicators that help a regulator to understand the risk culture:
- Tone from the top;
- Effective communication and challenge; and
I do not propose to go into those any further here, although there is a lot of good guidance in the document itself.
I know that the National Audit Office has focused quite a lot on risk management in the public sector. So I went to their 2011 document, post Global Financial Crisis (the “GFC”), entitled “Managing Risk in the Public Sector”. They talk about proportionality, process, accountability and all of those good things, but they barely talk about risk culture. This is despite the fact that, in the aftermath of the GFC, most people were already beginning to talk about culture in the context of managing risk, even if they were still grappling with the idea of there being a separate “risk” culture. In a little under 6,000 words, the word “culture” gets precisely four outings, and one of those is in the full name of the Department for Culture, Media and Sport. Needless to say, Risk Culture is not mentioned once. And yet the stresses that have been put on the Public Sector for the last five years, and those that are bearing down in the next five, are at least the equivalent of those in the Banking and other private sector organisations. And the stresses will inevitably manifest themselves in stressed cultures and multiple failures to balance off the competing demands of today and tomorrow.
Department of Justice
I was curious to know whether this abhorrence of the word “culture” extended to other areas of national government, so I looked at the guidance from the DoJ about the Bribery Act. Bearing in mind that this is a very legalistic document – albeit in layman’s terms – it is pleasantly surprising that the word culture is mentioned six times. The main manifestation is in what is called Principle 2 – Top-level commitment, where the principle states:
“The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.”
The commentary goes on to say, in the first paragraph of explanation of the principle, that:
“Those at the top of an organisation are in the best position to foster a culture of integrity where bribery is unacceptable. The purpose of this principle is to encourage the involvement of top-level management in the determination of bribery prevention procedures. It is also to encourage top-level involvement in any key decision making relating to bribery risk where that is appropriate for the organisation’s management structure.”
My take is that we are at a tipping point where regulators who interface with the private sector totally “get” the concept of culture and that it is as important as process and procedure in determining what will happen within an organisation. So expect regulators of all complexions to take an interest in culture. We are also seeing an emerging concept of risk culture, but the sense of what it means is much more woolly at the moment.
In the interests of moving the debate forward, and always in the spirit of contribution, rather than trying to utter the last word on the subject, I would like to suggest that there are two competing concepts: Culture and Risk Culture. My suggestion is that the culture is about the “here-and-now” and the risk culture is about “tomorrow”, or the future at any rate. So here are two definitions for you to mull over:
Culture: The culture of the organisation is an accretion of the behaviours, beliefs, attitudes, activities and ethical responses of the individuals in the organisation and determines how those individuals will respond to issues in the “here-and-now”. It is influenced by the tone from the top, incentives and social & regulatory environment.
Risk Culture: The risk culture of the organisation is about how individuals tackle the complexity of the multiple futures that face them in dealing with issues today. It is about “tomorrow” rather than the “here-and-now”. It is what gives an organisation the resilience to tackle difficult decisions today while having an eye on the impact tomorrow.
It is my contention that a mismatch between the culture and the risk culture in an organisation can lead to catastrophes: witness Volkswagen, and many more of the organisations that I cite in my article “300 Years of Failure”. Surely it is more than your personal and corporate reputations are worth not to get to grips with this difficult subject.
Richard Anderson is a director of AndersonRisk, and is the former Chairman of the Institute of Risk Management.