Culture Audits: Removing the Blindfold

Leaders along all Three Lines of Defence are being held personally accountable for misconduct that takes place on their watch. To avoid individual liability, they must identify leading indicators of risk that allow for “upstream” interventions, say Starling’s Stephen Scott and former HSBC Global Head of Operational Risk and ORX Chairman, Mark Cooke.

On 30 April, Starling released its 3rd annual Compendium, a report on global regulatory activities aimed at promoting improved culture and conduct in the banking sector. Based on the report’s findings, last month we published an article describing personal accountability for conduct risk failures as being “the new normal.” Here, we focus on the development of “culture audit” requirements.

Starling’s annual Compendium series has traced an evolution in thought regarding the supervision and governance of conduct risk among bank regulators and industry leaders, worldwide. Clear trends have emerged, as reflected in the three of the key takeaways from this year’s report:

  • Culture supervision – For those regulators emphasising the importance of culture, attention is now focused on how supervision of culture and conduct risk is best operationalised, both with a view to how financial institutions are expected to better audit such risks, and to evidence their success in related risk management and culture reform efforts.
  • Behavioural science – Principal global regulators are turning to behavioural science to discover how culture drives propensities towards misconduct, and what it may teach us about how best to drive good culture, good conduct, improved firm performance, and beneficial customer outcomes. A concern for company “purpose” is an increasingly prominent element in this context.
  • Cross-border collaboration – Structured cross-border regulatory collaboration has continued to expand significantly. The Global Financial Innovation Network (GFIN), for instance, grew from a few dozen to over 50 participating entities. Regulators prioritising culture and conduct risk supervision are actively sharing lessons-learned and seeking to benefit by one another’s experiences.

Culture Audits and Corporate Governance

“Five years ago, the prevailing reaction to a suggestion that regulators and supervisors should pay attention to culture was, in essence, ‘seriously?’,” write New York Fed attorneys Michael Held and Thomas Noone. This has changed: culture has become a recognised corporate governance concern and has moved away from issues that typically occupy HR departments and firmly into the remit of risk and compliance teams. “A financial firm’s culture is the key driver of their conduct and more general risk management,” Reserve Bank of New Zealand (RBNZ) Governor Adrian Orr argued in a recent speech.

The Institute of Internal Auditors (IIA) recently published a guide called “Auditing Culture,” offering views on how culture and subcultures within firms are best evaluated, so as to facilitate relevant risk management processes. IIA CEO Richard Chambers recently noted that earlier in his career, “there was great debate as to whether internal audit could develop the requisite qualitative and quantitative skills to audit culture.” Today, Chambers concludes, “I believe it is safe to say we are well on our way to answering that question with a resounding ‘yes’.”

Increasingly, regulators are sharing lessons-learned regarding the application of behavioural science in the context of culture and conduct risk supervision. The UK’s Financial Conduct Authority (FCA) continues to set the bar for its peers and, on 5th March, published its first Discussion Paper of 2020, entitled “Transforming culture in financial services – driving purposeful cultures.” The Paper collects views contributed by asset managers, industry bodies, and academia, all aimed at exploring the concept of corporate “purpose” in connection with promoting good corporate governance and culture in the financial services sector.

Interest in these themes is not restricted to regulators: concern for culture and conduct reform has merged with ongoing global dialogue regarding corporate governance reform and related disclosure requirements. In its recently released Annual Report, for instance, the UK’s Financial Reporting Council (FRC) states, “We want to see improvements in governance practices and reporting so that companies can demonstrate their positive impact on investors and wider stakeholders.” In this direction, the FRC argues, “greater focus is needed, from companies, on stakeholder engagement, diversity and the importance of corporate culture.”

Across the English Channel, the European Commission has issued a non-financial reporting directive (NFRD) that sets rules regarding the disclosure of non-financial information by large companies. The NFRD covers some 6,000 firms, to include listed companies, banks, insurance companies and other firms designated by national authorities as “public-interest entities.” Diversity, treatment of employees, and anti-corruption efforts all feature in the NFRD, as they do in many regulator-driven culture reform initiatives.

Putting the ‘G’ In ESG

These developments reflect a growing concern for environmental, social, and governance (ESG) considerations, which are now deemed “material” factors for investors and other stakeholders. While much of the attention in the popular press is focused on environmental concerns and, latterly, with social concerns, the ‘Governance’ component is less often spot-lighted. But governance concerns are a clear priority for institutional investors, who have a ‘stewardship’ interest in promoting the long-term health of the companies in their portfolios.

“The links between ESG, company strategy, and risk have never been clearer than during the COVID-19 pandemic,” Deloitte maintains in a just-issued report. “It is, therefore, critical that board members understand how corporate purpose and ESG principles are considered and effectively integrated into the strategy and enterprise risk management efforts of the companies they serve.”

Because ESG factors are seen as a key determinant of financial strength and future performance, investors, regulators and others are calling for the development of reliable culture metrics that serve as leading indicators of culture challenges and the risk governance concerns they may indicate.

“In the United States,” Deloitte argues in the above referenced report, “much of the current focus on corporate purpose and ESG is likely to continue to be driven by investors rather than regulators or legislators in the near term.” It is unclear whether that is true in all markets, however. We observe particular attention to such matters among regulators and policymakers in Hong Kong, Singapore, Japan and Korea, often driven by scandal, corporate governance failings, and inadequate non-financial risk disclosures.

The challenge before supervisors and risk management experts alike is one of anticipating culturally primed behavioural outcomes, rather than hewing to the ‘too-little-too late’ approach to compliance that involves reacting to alerts only when surveillance and monitoring systems indicate that something may have gone awry. The industry’s proclivity towards HR-driven exercises that hope to drive behavioural predispositions among staff by emphasising an appropriate ‘Tone from the Top’ are also insufficient. A decade of banking sector misconduct scandals worldwide demonstrates the inadequacy of these combined approaches.

Better methods and tools are needed and, in that direction, many regulators have begun to require that firms engage in “culture audits” not only as a means of advancing corporate governance purposes, but also to allow supervisors to peer into the ‘soft risks’ that may imperil a particular firm and which, in the aggregate, may present a systemic risk. Notably, many regulators are looking for advanced warning of misconduct and other operational risks. They regard culture audits as a means of identifying leading indicators of such.

Culture and Governance Trends in Asia

Having previously announced that it would work with some thirty firms in running a series of culture audits, in May this year, the Hong Kong Monetary Authority (HKMA) released a report detailing learnings achieved through these “Self-Assessments on Bank Culture.” The HKMA observes that banks have regularly engaged external providers (e.g. consultancies) to assist their boards in developing greater insight into firm culture and the behaviour it promotes. While a step in the right direction, the HKMA also notes that the support sought by the banks take aim most often at soliciting staff feedback through employee surveys and focus groups.

Source: HKMA

Among other key takeaways from the self-assessment exercise, the HKMA argues that:

  • More effort is needed to tackle the key challenge of culture assessment to identify the gaps between current progress and desired culture;
  • More work is needed in promoting an environment which provides “psychological safety” to encourage staff to speak up without fear of adverse consequences; and
  • Deeper analysis is expected of the banks, in order to benchmark themselves against findings from the reviews of the major overseas misconduct incidents.

While the HKMA has announced its intent to continue a series of “culture dialogues” and “focused reviews” with the firms over which it has supervisory remit, in remarks contributed to Starling for inclusion in its 2020 Compendium, the HKMA observed that, “With the right tools and technology, a potential exists for banks to deliver a ‘big picture’ analysis, with meaningful culture insights, to inform Boards and senior management alike.” Such tools, the HKMA adds, “would permit banks to assess how close they are to achieving their desired culture, and will help them to understand what enhancements may need to be implemented in order to drive effective cultural change.”

Here, the HKMA points to the promise of new “Regtech” (regulatory technology) solutions. “The HKMA believes the time is right for closer collaboration among the banking industry, the technology community, and the HKMA to further facilitate the adoption of Regtech in Hong Kong,” it offers in Starling’s report. In that direction, the HKMA will be developing a Regtech “promotion roadmap”, indicating its intent to explore a number of Regtech-related initiatives over the next few years.

“When you spend years responding to problems, you can sometimes overlook the fact that you could be preventing them,” writes Duke Senior Fellow Dan Heath in a new book published this year. The HKMA now appears intent in adopting the sort of “upstream” intervention capabilities Heath urges, with culture audits forming a part of these capabilities.

Reflecting this, the HKMA has just announced the appointment of  KPMG “to assist with organising and rolling out a series of activities to further facilitate the adoption of Regtech.” (A development that we applaud.) As a first step, the HKMA will take stock of the current state of Regtech adoption within the banking industry through a survey and series of interviews with select banks and technology firms, conducted by KPMG. Thereafter, with a view towards “supporting a thriving Regtech ecosystem” in Hong Kong,  the findings will be presented in a white paper, which will seek to describe the pain points that may be hindering Regtech adoption in Hong Kong, and lay out a roadmap for encouraging Regtech growth and talent development.

Meanwhile in Singapore, a spate of stock market delistings, driven in large part by a series of accounting and governance scandals, has helped to move non-financial risk management towards the top of the city-state’s regulatory agenda. “The global financial community has made good progress in raising prudential standards, enhancing risk management, and strengthening controls,” said Monetary Authority of Singapore (MAS) chief Ravi Menon, in comments contributed for inclusion in Starling’s 2019 Compendium. “But reform of the financial industry — to make it safer and more purposeful — will not be complete until the industry ‘gets the culture right’.” In this direction, MAS launched a “Culture and Conduct Steering Group” in mid-2019, in partnership with the Association of Banks in Singapore (ABS), to promote sound culture and raise conduct standards among banks.

“For Singapore to continue thriving as a regional financial centre, it is paramount for the banking industry to operate with the highest standards of culture and conduct,” Steering Group Chairman Shee Tse Koon, Country Head of DBS Singapore, argues in Starling’s 2020 report. “This journey to strengthen culture and conduct requires a collective effort across departments, banks and the industry,” adds Samuel Tsien, ABS Chairman and Group CEO of OCBC. “Only then can we sustainably create long-term value for customers and thrive to grow in this era of new social expectation.”

 Institutional investors share such regulatory and industry views. “By acting to ensure that boards pursue effective corporate governance objectives,” Starling advisor Siew Kai Choy writes in the 2020 Compendium, “institutional investors align company interests with the investors’ own.” Notably, Choy is a former Managing Director of the Singapore sovereign wealth fund, GIC.

Echoes Down Under

In Australia, the prudential regulator has suggested that transforming “GCRA” – governance, culture, remuneration and accountability – is a key priority in its supervision of all regulated financial institutions. In a speech last summer, APRA (Australian Prudential Regulation Authority) Chair Wayne Byers complained that governance and culture were not getting the attention they deserved in Australia, while they were being discussed widely in other global forums. “Our standards and expectations in the future are likely to be more prescriptive and demanding,” he said, “and our enforcement of them will undoubtedly be firmer and more insistent,” he added.

Days later, APRA published its four-year corporate plan, setting out its “sharpened focus” on the supervision of non-financial risks (GCRA), and pledging to take a “constructively tough” enforcement approach when breaches of its prudential standards occur.

Indeed, APRA had already started imposing capital charges on banks and one insurer earlier in 2019, having been disappointed with the quality of work they submitted in their GCRA self-assessments. APRA had found that assessments of culture were less comprehensive than other components of the firms’ self-assessments, that firms had limited ability to identify the root causes behind misconduct, and that self-assessments of insurance and superannuation firms were of worse quality than those from banks.

Late last year, a Corporate Governance Taskforce established by the Australian Securities and Investments Commission (ASIC) completed a review of the country’s largest financial services firms, seeking to  examine how directors and officers of listed firms work to oversee and manage non-financial risk. Many of the companies interviewed for the study acknowledged that non-financial risk is problematic, and that they had been “operating outside appetite for an extensive period.”

“Until now, much of what we know about the corporate governance of our large listed companies has been limited to their own statements,” ASIC Chairman James Shipton remarked during a late 2019 speech. “And while these documents do a good job of describing the various frameworks and policies that companies have in place,” he continued, “they don’t give us a practical insight into what is actually going on inside the company.”

Earlier in the year, Shipton had indicated intent to apply “new technologies such as machine learning and artificial intelligence” to related supervisory tasks. ASIC also appointed a Chief Data Analytics Officer to enhance its data management capabilities, with particular regard to data generated by an increase in misconduct reports during the 2018 and 2019 financial years.

Source: ORX

Absence of Evidence is Not Evidence of Absence

The Operational Risk Exchange (ORX) – an industry association of operational risk leaders across the global financial sector – has just-released its 2020 Banking Operational Risk Loss Data Report. ORX reports that, since 2014, its banking members have suffered an aggregate EUR 482 billion in operational risk related losses. This is in addition to the billions spent annually on governance, risk, and compliance. Such expense is both unsustainable and insufficiently productive of desired outcomes.

In 2019 alone, ORX member banks lost nearly EUR 16 billion due to operational risk management failures. ORX has reported separately that culture and conduct related risk management failures constitute the majority of the OpRisk losses its members have reported in recent years. Consider that, just in the last year:

  • In Australia, Westpac has suffered from a money-laundering scandal involving transactions that facilitated child sex abuse;
  • The CEO of Japan Post was forced to resign in disgrace after a mis-selling scandal involving abuse of the country’s elderly;
  • In the UK, HSBC reported that whistleblower complaints had jumped for the third consecutive year and reported that three-quarters of closed cases had related to conduct complaints ;
  • In March, a US Congressional committee issued a report detailing the governance failures and consumer abuses at Wells Fargo which prompted the forced resignations of long-serving board members and CEO Tim Sloan. Past executives were also assessed personal fines in the millions, and former CEO John Stumpf was banned from the industry for life.

As we have argued previously, the economic crisis cause by the Covid-19 pandemic has placed extraordinary demands upon banks worldwide. Necessary work-from-home orders have effectively eviscerated banks’ ‘First Line of Defence,’ while regulators have suspended many of their usual supervisory activities. In this, the pandemic has served to highlight the industry’s Achilles Heel: poor nonfinancial risk management and, particularly, the management of misconduct risk.

An absence of evidence is not evidence of absence. Banks are increasingly expected to develop leading indicators of risk to permit proactive mitigation efforts. Regtech companies are bringing such capabilities to market and leading institutions will be early adopters.  Different Asian financial centers appear now to be vying to host the heart of the region’s Regtech ecosystem, with the innovation and jobs such a move may represent.

Stephen Scott is a risk management expert and CEO of US-based RegTech firm Starling. Mark Cooke is former Group Head of Operational Risk at HSBC and former Chairman of ORX, now serving on the Risk & Governance Advisory Board at Starling.

To Top