Audit and Culture – Regulation of Organisational Culture?

Can you effectively regulate organisational culture? Will that regulation achieve desired changes in behaviour and risk mitigation, or will it drive a compliance mindset? What are the implications from an internal audit perspective: does this become a compliance activity, or will attempts to regulate culture increase risks and hence require additional, perhaps more pervasive, cultural audit activity? Associate Partner – Audit, Todd Dewey, discusses.

The two key regulators in Australia, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA), have both suggested there are significant risks in relation to corporate culture. Neither APRA nor ASIC has a defined cultural or ethical framework. ASIC Commissioner John Price noted that “ASIC has a regulatory interest in risk of misconduct and culture because it is part of ASIC’s vision that investors and consumers have trust and confidence in the financial system”. ASIC recognises that culture is about how organisations think and behave.

APRA has adopted a broad perspective on organisational (risk) culture and provides guidance on how Boards should manage risk appetite and develop a risk management strategy with ongoing monitoring of significant risks (SPS 220 Risk Management).

The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Hayne report) has over 70 recommendations that apply to financial organisations, individuals in those organisations and the regulators who control these industries, in an effort to improve the way financial services are provided to the people of Australia. Many of these recommendations involve changing existing legislation and enacting new legislation as industry oversight. But much of the material considered by the commission concerned behaviour at the individual and organisation levels – behaviour often related to organisational culture.

So, the obvious question to be asked is: “Can you regulate behaviour and organisational culture?”

In a recent SMH (23 October 2019) article titled “‘Unworkable’: APRA exec pay shake-up adds to complexity, industry warns”, it was noted that “Company directors, superannuation fund trustees and company secretaries all took issue with the APRA plan to require financial businesses to put more weight on factors such as customer service when setting bonuses” (draft CPS 511 Remuneration).

Criticism has focused on APRA’s proposal that financial measures would not be allowed to comprise more than 50 per cent of the criteria for bonuses. Industry stakeholders have generally responded with concerns. The Governance Institute (Institute), which represents company secretaries, said APRA should reconsider the 50 per cent cap. Instead, its chief executive Megan Motto argued APRA should recommend a percentage role for non-financial targets and ask firms to explain why they didn’t hit these targets. So, will these regulated changes be effective in driving cultural change?

What does drive behaviour is values and beliefs at the individual and collective levels. Such beliefs are based in our core value system and cause us to behave or not behave in certain ways according to these beliefs and values. The key question to ask here is: to whose benefit is such behaviour oriented – the individual, the organisation, the customer, the wider society, etc.?

The Hayne report quite correctly defines culture as “the shared values and norms that shape behaviours.” However, what were the underlying values and beliefs that drove the cultures and led to the behaviours outlined in the review? These values and beliefs are evident through commissions, pay incentives and financial goals. Interestingly, the Hayne report states that “there is no single best practice for creating and maintaining a desirable culture”, but there is a substantial body of research that disagrees with this conclusion.

In 1975, for instance (Academy of Management Journal, December 1975), Steven Kerr wrote a paper titled “On the folly of rewarding A, while hoping for B.” In this paper he presents research and examples of organisations attempting to use bonuses and other incentives to drive behaviour. As the title suggests, they got other behaviours that were unexpected.

In the current climate many believe that increased regulation may be more beneficial in changing behaviour than increasing financial penalties. However, changes to organisational culture will still be required to complement any increase in regulation, i.e. greater protection for whistleblowers, enhanced education and support. The result may be a more complex environment within which internal audit operates.

If you would like any further information about internal audit, contact your Findex adviser.