Recommended actions
Legal and compliance leaders should be involved in assessing culture to help ensure any cultural assessment stands up to regulatory and legal scrutiny
Undertaking a culture assessment is a multi‑disciplinary project and will produce more insightful results if it is undertaken as a cross‑functional endeavour. It is critical that legal and compliance teams are involved. The findings of the assessment can have serious implications for the Board and the company under criminal and civil law. For example, should a criminal offence covered by Australia's Criminal Code Act 1995 (Cth) (Criminal Code) be committed by an employee or an agent of the company, and a corporate culture assessment found a company had a culture that tolerated non‑compliance with the law, a prosecutor might use such an assessment as evidence with which to attribute the company with liability under the corporate culture provisions of the Criminal Code. Legal and compliance functions can help ensure the findings of the assessment are based on evidence and articulated accurately.
The law increasingly regulates culture directly and indirectly. In Australia, recent examples include the new corporate and tax whistleblower regime, and the introduction of modern slavery reporting requirements at Commonwealth and NSW level. The latter is an example of a law requiring corporations to police the culture not just within its own organisation but also within its broader supply chain.
In addition, the law and regulators focus on the following key drivers of culture:
- Governance;
- Tone from the top and oversight from the Board and senior management;
- Accountability;
- Issue, incident and risk escalation and management;
- Approach to compliance; and
- Remuneration and incentive structures.
Regulators are increasingly active in assessing culture and expecting corporations to do the same. Legal and compliance functions can help ensure these drivers are assessed properly. Further, as many of these drivers are themselves influenced by compliance and legal functions, both can make important contributions to the assessment process.
There must be clearly articulated culture and explanation of how that relates to the corporation's strategy, organisational structure and governance
Of course, there is no such thing as a ‘one size fits all’ culture. Each organisation is different and assigns its values and priorities accordingly. Similarly, there is no rule about the required components of a corporate culture. What is clearer, however, is how both regulators and the courts assess the articulation of culture within an organisation, and how, in turn, that culture is reviewed, communicated and enforced.
For example, whether there is a ‘culture of compliance’ within a commercial organisation is often a relevant consideration in civil penalty decisions. Among the factors relevant to the Federal Court’s decision to impose civil penalties for an infringement of Australia's Competition and Consumer Act 2010 (Cth) (CCA) is whether the company has a corporate culture conducive to compliance with the CCA and takes corrective measures in response to an acknowledged contravention.
Similarly, should penalties be imposed, the court will examine whether there is a substantial compliance program in place which was actively implemented, and whether the implementation was successful (ie, whether the contravention was an isolated incident). That is, was the compliance policy ‘one to which mere lip-service’ was paid.1
Other relevant factors based on case law to date include:
- whether the program was regularly updated and involved employees attending lectures or seminars at regular intervals, including in the period covering the contravention;
- whether the compliance program required attendance by key staff involved in the contravention (ie, those with exposure to competition law risk);
- evidence of lack of commitment by senior executives; and
- whether the company voluntarily addressed any deficiencies in the compliance program when the contravention came to its attention.
Gather the key data points recognised by the law and regulators
Here are some of the data points that the law and regulators have recognised as important drivers of corporate culture and from which valuable insights may be drawn.
Interviews with board members and senior management – when anonymised these will reveal more frank assessments of strengths and weaknesses of culture at the top of the organisation, which can provide a roadmap for exploring issues in more granular detail involving some of the steps listed below.
Board and senior management papers – reviewing these materials can reveal the extent to which these bodies consider issues relevant to culture and communicate their will. They can also reveal the degree to which there is debate and challenge of management from the Board and how much news, whether good or bad, is communicated to the Board and management.
Employee survey data – often this is the most valuable data in understanding what happens in practice within an organisation, and what people on the ground think. Most organisations will have existing data that can be useful, including performance reviews, firm-wide discussions and exit interview notes. Culture surveys and focus group interviews on corporate culture, too, can provide an opportunity to engage with employees on their views on that organisation’s culture, and can be a highly effective way of obtaining a firm‑wide view.
Employee survey data is frequently cited by corporates as one of the most informative data points when assessing culture.
Customer data – assessing customer feedback data can identify trends in customers’ experiences interacting with the organisation, which can be reflective of its corporate culture. Specific measures that customer‑facing teams can use to assist with measuring and assessing corporate culture include:
- Customer surveys and focus groups; and
- Social media audits and reputational analysis.
Australia's Financial Services Royal Commission has highlighted the importance of focusing on the tail of customer complaints, not just aggregated data regarding customer satisfaction.
Incident data – data relating to the frequency and seriousness of any breach of compliance controls, or legal and regulatory requirements, can highlight issues and gaps in an organisation’s corporate culture. A lack of data, however, could reveal a reluctance by employees to speak up about problems, or shortcomings in the organisation’s identification processes, which may be driven by a concern about reprisals and/or apathy – a sense that nothing will be done about their complaint. It may also reveal a lack of quality in reporting systems. Whistleblower data can reveal the willingness of staff to speak up, trends in reporting, how whistleblower complaints are investigated and how often complaints are corroborated or otherwise resolved. This data can be benchmarked against peers to see whether the company’s performance in relation to whistleblower complaints is outside of the range expected for a company of its size, shape and risk profile.
Compliance and risk reviews – compliance reviews which involve mapping the legal, regulatory and best practice standards that apply to an organisation, and assessing the extent to which the organisation exceeds or falls short of its required and/or desired cultural standards, can identify cultural traits, strengths and deficiencies in how an organisation approaches compliance and risk. Risk reviews can reveal the company's attitude towards risk, its level of sophistication and strengths/deficiencies in governance processes.
Conduct rigorous, cross‑functional and ongoing culture assessments against articulated culture
Assessment of corporate culture is challenging. It cannot be a box‑ticking exercise and necessarily involves qualitative judgement. The law and regulatory guidance provide a helpful roadmap as to how to go about assessing culture from a process perspective and what data points to focus on as part of an assessment.
[culture assessment] demands intellectual drive, honesty and rigour. It demands thought, work and action informed by what has happened in the past, why it happened and what steps are now proposed to prevent its reoccurrence.2
The assessment process must be independent. External review or input can add a degree of impartiality, fresh thinking and peer benchmarking. Regulators and law enforcement expect to see an assessment process that is independent of the Board and management.3 This does not necessarily mean the assessment needs to be outsourced to an external consultant, although such consultants can often add insight, fresh thinking and a degree of objectivity.
Assessment must be cross‑functional and have depth in terms of access to employees. While the Board and senior management should have a chance to contribute to the assessment process with their own views and experiences, there should be careful governance placed around the degree to which they are able to shape or influence the findings of the assessment.
Where views of directors, senior management, employees, customers and third parties are sought, more accurate and insightful results will be achieved where anonymity is assured. Stakeholders asked to provide views may be more comfortable sharing responses with a third‑party consultant on the assurance of anonymity, than an internal contact.
Culture assessments must involve an identification of the root cause of any failings or misconduct. Assessments must avoid confusing root cause and symptoms. To produce results that are insightful, a cultural assessment must be informed by the events of the past and the reasons why they happened.4 Only then can steps be proposed to prevent their reoccurrence. One way of analysing the past is to choose case studies for analysis to understand what caused the outcome. Balance is required throughout this process. Assessments that only focus on instances of failings will necessarily identify defects in culture. Examples of successes should also be chosen for analysis to understand what the root cause of the success was. This will produce a more balanced assessment and offer greater insight into the organisation’s culture. Care should be taken in choosing case studies that may be subject to legal proceedings, since discoverable documents could be generated.
Help your organisation make a mindset shift
The spotlight on culture is here to stay. We expect to see Australia emulating UK trends, and for assessing and continually improving culture to become the norm. Boards and senior executives will be increasingly held accountable for failings. In the wake of Australia's Financial Services Royal Commission, the need for organisations to rethink not just their culture, but also their approach to defining, monitoring and assessing it, has become paramount.
For some organisations, a mindset shift is required - one through which Boards and senior management recognise the opportunities presented by a thriving culture, and the risks (both legal and reputational), posed by a poor one.
A plan of action should be developed for the organisation to strengthen culture and access opportunities. This should focus on providing the Board with routine feedback on how the organisation’s culture is standing up against the Board’s articulated vision. Cultural assessment processes that focus on conducting smaller assessments within an organisation on a rolling basis, with particular areas of the organisation being reassessed regularly to pick up changes in culture, have been praised by Commissioner Hayne in the Financial Services Royal Commission Final Report. Cultural assessments should be ongoing, providing real‑time feedback to Board and management to see whether improvement initiatives are working and to spot emerging issues more quickly.
Footnotes
- ACCC v Harvey Norman Holdings Ltd [2011] FCA 1407.
- FS Royal Commission Final Report, 392.
- FS Royal Commission Final Report, 392.