Culture drives conduct

Exploring the root causes of misbehavior

By Jay McMahan and Victoria Loutsiv

Conduct risk is not a new issue for organizations but, despite the focus on managing corporate behaviours to mitigate systemic risk and meet consumer interests, this issue is far from solved. Although there was hope that regulatory reform would counter some of the problems of the short-term mindset that arose during the financial crisis, new scandals continue to erupt and corporate misconduct remains rampant.

Consider: US banks alone have paid out more than $200 billion in fines and sanctions for questionable behaviour. This misconduct is not limited to the financial services industry. In recent years, automotive manufacturers, oil and gas companies, and consumer goods producers have all been implicated in a range of deceptive practices, from selling unsuitable products to charging egregious fees to engaging in aggressive sales practices.

Yet despite the costs organizations have paid, both in fines and in brand damage, corporate misbehaviour continues apace. It is clear, then, that compliance programs alone are not enough to curb these practices. Instead, combatting conduct risk comes down to fostering a more effective corporate culture. For leaders, this means identifying the cultural factors within their own enterprise that may be contributing to undesirable behaviours and resulting in inappropriate outcomes. 

Where compliance, conduct, and culture intersect
As organizations engage in this process, it’s helpful to understand the interrelationship between compliance, conduct, and culture:

  • Compliance refers to the minimum standards or rules employees are expected to follow to meet organizational norms.
  • Conduct is usually an expression of outcomes that reflects the way employees actually behave. 
  • Culture refers to the organizational norms meant to promote the right behaviours.

When people talk about risk culture, they often refer to visible indicators—what you see, feel, or hear within the organization. However, research in organizational psychology, behavioural science, and anthropology indicates that culture is considerably more layered. In addition to the visible indicators—such as the behaviours you witness in moments of stress or decision-making—culture also presents itself in system design, in the organization’s express value statements, and, most critically, in people’s mindsets: their unconscious beliefs, attitudes, and feelings.

This means organizations may have strong risk-management protocols and good governance but still have a culture that excuses—or even unconsciously promotes—misbehaviour. In essence, it’s culture that drives conduct.

To effect change, organizations consequently need to delve down to root causes and present people with explicit, real-world examples of where their behaviours, decisions, and activities contravene the organization’s accepted norms and risk appetite.

Follow the leaders
There are certain best practices organizations can follow to cultivate a culture that prioritizes customers’ needs over individual or organizational interests:

  • Get the board involved. The board of directors should be intimately involved in the conversation about culture and help drive cultural expectations into the business. Rather than asking only for the results of a survey, board members should talk to business leaders about the cultural factors within their functions and determine the extent to which those leaders understand the organization’s risk appetite. The board should also review and approve the organization’s conduct risk and culture framework.
  • Include risk culture in the internal audit (IA) plan. Have IA assess the extent to which people are protecting market integrity while acting in the best interests of clients. One way to do this is by examining the cultural enablers designed to drive expected behaviours. These can include communication of expected behaviours, the actions displayed by leadership, the people practices used by management, and organizational design and structure. By probing these areas, IA can begin to assess how well actual outcomes align to intended behaviours.
  • Understand that conduct risk is everybody’s job. While the second line of defence (risk management and compliance) may drive risk culture and conduct, and then track performance against key metrics, it does not own risk. The first line of defence (business units) also plays a pivotal role. For instance, HR should help to formulate culture and enforce appropriate behaviours. Conduct should be examined not just at the enterprise level, but also at business unit and functional levels. People across the enterprise must also receive the training needed to understand that compliance isn’t confined to a manual, policy, or procedure—it’s an expected mode of behaviour.
  • Integrate risk management factors into compensation and rewards programs. Rewards and promotions are among the strongest signals organizations send regarding what they truly value. If sales staff are rewarded for hitting aggressive sales targets, they may cut corners on compliance to make more sales. Some organizations are countering this trend by linking the variable component of their professionals’ compensation to their behaviours—expressly tying expected conduct to compensation.

As organizations uncover the root causes of misbehaviour, they can begin to make the explicit changes required to truly safeguard market integrity and protect consumer interests. Success, however, will unquestionably hinge on their commitment to fostering a culture of doing the right thing.

For more information about market conduct, contact Jay McMahan or Victoria Loutsiv. To learn more about other regulatory trends affecting financial services organizations, read Navigating the year ahead: Canadian regulatory outlook for financial institutions in 2017.
