
The culture and conduct risk — Series 2

Why a board cannot delegate accountability for corporate culture to the CEO

Pressure continues to mount for boards to focus on the link between corporate culture and corporate scandals.

The recent Governance Institute of Australia and LexisNexis publication, Transforming Culture and Driving New Behaviours: How the ASX Corporate Governance Principles and Recommendations Can Change Culture for the Better,[1] reflects upon recent inquiries (such as the Australian Prudential Regulation Authority’s (APRA) Prudential Inquiry into the Commonwealth Bank of Australia[2] and the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry[3] (Royal Commission)) and regulatory changes (such as the 4th edition of the Australian Securities Exchange Corporate Governance Principles and Recommendations) which have reinforced the accountability of boards for the culture of their organisation.

Both the APRA inquiry and the Royal Commission identified deficiencies in corporate culture as contributing to poor conduct. Inevitably, this has led to a debate about where accountability for failures in organisational culture lies.

Some directors have suggested that they should be entitled to look solely to the CEO to “own” the corporate culture. This is reflective of the desire of many boards to take a “hands off” approach to organisational culture. This approach is not appropriate for two reasons – the governance accountability of the board and the board’s involvement in the key drivers of organisational culture.

Governance accountability of the board

Boards are accountable for establishing a meaningful governance framework in relation to all areas of risk.

This involves providing guidance to management regarding its risk appetite, and then providing adequate monitoring of the identified risks and their mitigation plans.

When considering oversight of organisational culture, there is a significant risk that must be managed – conduct risk. As a result, this board guidance should cover both a broad strategic description of the desired culture and the clearly defined board tolerance for unacceptable cultural drivers, such as leader behaviour and organisational systems. In recent years, boards have increasingly provided clear guidance to management in relation to their tolerance for operational risks such as workplace health and safety, but very few examples exist of boards providing clear guidance in relation to their tolerance for conduct risk.

Boards are generally reasonably adept at setting broad organisational values and identifying their desired organisational culture. What they are not so adept at is executing appropriate, independent oversight of the actual culture to determine whether it matches the desired culture. Where boards falter is in providing clear guidance to management on specific and measurable parameters on which they expect reporting to be provided.

Usually the information that is provided to the board in relation to culture comes from the human resources department and does not have a risk focus. Risk departments have historically seen culture as an esoteric concept rather than a significant driver of operational risk, and they are beginning to look at people issues. Risk departments rarely link their reporting to organisational culture in a quantitative way, nor do they seek an independent assessment of the conduct risk created by the organisational culture.

This shortcoming in board guidance frequently means that management provides the board with what they think the board requires. This, in turn, results in board packs with page after page of general data, from which directors are expected to extract the information they need to oversee culture and conduct risk, as opposed to clear and targeted data that reflects the board guidance provided.

So, in order to enable concise reporting from management, the board must be specific about the information it wants to see.

Key drivers of organisational culture

The key drivers of organisational culture are leader behaviour and organisational systems. Leader behaviour occurs at all levels. Role modelling does not stop at the level of the CEO because what the board “demonstrates” and what it “tolerates” sends as strong a message to the organisation – or a stronger one – as does the behaviour of any other leader. The culture is not defined by the posters on the wall or the values on the website. Employees look to the behaviour of their leaders (and their leaders’ leaders) to see what is considered to be acceptable conduct, and the behaviour of the board ultimately defines what is acceptable.

Employees are very good at quickly identifying the “real” culture, because when they see a conflict between the stated organisational values and the behaviour demonstrated at the top of the organisation, they will always believe what they see, rather than what they are told.

Many of an organisation’s systems are strongly influenced by both what a board does and does not say to management, both formally and informally. When communicating with management, boards often “assume” that management shares a common understanding of their objectives and expectations, such that it is not necessary to clearly stipulate boundaries.

One such system is the organisational budgeting process. For example, if the board makes it clear to management that a significant reduction in expenditure is expected, then frequently the system that is developed in response to this direction will primarily reflect financial drivers. Because the board did not specify its expectations regarding any cultural and conduct risk implications, it is likely that the resultant system will deliver reduced expenses across the organisation “at all costs”. Without the board balancing its budget guidance to management against its cultural risk tolerance, it is contributing to the organisational risk by creating ambiguity.

Boards can also often underestimate the informal influence they wield. A passing comment by the chair about outdated office décor may result in a complete refurbishment of the premises prior to the next board meeting.

As a result, no board can avoid its accountability for the organisational culture or abdicate responsibility to the CEO. The board’s behaviour as an organisational role model, and the guidance it provides, will always be key drivers of the culture, and as a result, the behaviour of employees.

So, what can boards do to mitigate the conduct risk created by organisational culture?

Listed below are steps that a board can take to proactively manage and mitigate conduct risk:

  • Provide the executive with a clear statement of the board’s tolerance for critical areas of conduct risk. This guidance must provide a framework within which the executive can operate;
  • Role model behaviour which aligns with the desired organisational culture;
  • Set clear expectations for the behaviour of the executive team and actively monitor this behaviour. Where demonstrated behaviour is inconsistent with the communicated expectations, take action to address it;
  • Seek an independent external evaluation of the culture and conduct risk which exists within the organisation. This evaluation should be quantitative and should focus on behaviour; and 
  • Provide the executive with clear guidance on the reporting the board expects from management to allow it to gain sufficient insight into the culture to conduct meaningful risk monitoring and mitigation.

In summary, given that boards are accountable for the organisation’s culture, they cannot try to abdicate this accountability to management. The board must take proactive steps to manage conduct risk exactly as they would for all other categories of risk. Management will, of course, be the primary tool for driving and implementing the culture of the organisation, and as a result, they cannot provide independent advice and support to the board in this process. In diagnosing the organisational culture, developing board guidance for management, and overseeing and monitoring actions and progress, independent external support is required. This is not a case of lack of trust – just the application of robust governance process.


Footnotes

1 Governance Institute of Australia and LexisNexis Transforming Culture and Driving New Behaviours: How the ASX Corporate Governance Principles and Recommendations Can Change Culture for the Better (2020) www.lexisnexis.com.au/en/insights-and-analysis/research-and-whitepapers/2020/transforming-culture-and-driving-new-behaviours.

2 J Laker, J Broadbent and G Samuel Prudential Inquiry into the Commonwealth Bank of Australia Final Report (2018) www.apra.gov.au/sites/default/files/CBA-Prudential-Inquiry_Final-Report_30042018.pdf.

3 K Hayne Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry Final Report (2019) www.royalcommission.gov.au/royal-commission-misconduct-banking-superannuation-and-financial-services-industry.

Authors
Melissa Grundy
Senior Advisor
Melissa is a Senior Advisor with Effective Governance, a governance consultant, accountant, former company secretary and market supervisor. Melissa’s focus is on corporate and regulatory governance stemming from her strong background in the...
Ian Doyle
Specialist Advisor – Culture and Conduct Risk
Ian Doyle is a Human Resources Professional with over 25 years’ experience in HR roles in the Banking and Insurance Industries. Ian started his Human Resources career in Westpac ultimately having responsibility for Senior HR portfolios across the Qld...