Culture shock: auditing culture

Coronavirus, an invisible enemy, has thrown into sharp relief the least tangible of risks: culture. Everyone is braced for a big recession, although its full scale and duration are as yet unknown. Management are in crisis mode, rapidly reviewing strategies, realigning resources, shelving some plans, while accelerating others.

Meanwhile, many key staff are working from home – and are likely to continue doing so for some time, at least while the threat of the virus remains. This means that managers are dealing with HR and cultural issues from the other side of a laptop, rather than across a desk. Fraud risks have risen, while increasing numbers of employees fear for their jobs. At times like this, the underlying culture of an organisation, the relationship between management and employees and the behaviour expected of staff become even more critical.

It is usually accepted that culture, conduct and customer outcomes are intertwined. An organisation’s culture can be understood as its espoused values reflected (or not) in the behaviour of its people. Good behaviours drive desirable outcomes and vice versa. This is all good, but there is no handbook or regulatory framework for culture as such.

In the past, much of the focus for culture has centred on financial institutions, largely because they deal with large temptations (money) and have a huge impact on the performance of their customers via their control of access to, and the cost of, funds. When they abuse their powers, they can affect whole economies and cost taxpayers huge sums – as we saw in the financial crisis of 2007-08 and in the LIBOR scandal.


Personal accountability

Because of this, there have been more efforts to create governance structures around culture in the financial services sector than elsewhere. The latest development was to extend The Senior Managers and Certification Regime (SM&CR), introduced for large banks in 2016, to all organisations regulated by the Financial Conduct Authority (FCA) last December. This is intended to make senior management personally accountable for behaviour throughout the organisation and so to create cultural change by raising expectations of conduct and, as a consequence, standards of customer treatment.

At the time when this regime was being extended, there were suggestions that work on culture in banks (and other large organisations) had stalled and that, after a flurry of interest a few years ago, much of the innovative work on culture had petered out. Had the lack of any further high-profile scandals led, as often happens, to too much complacency and a reliance on platitudes and box-ticking?

It was not long before some of this was put to the test. The current recession is not the fault of any bank, however rising unemployment and struggling businesses mean that the banks and their behaviour to customers are again the focus of attention. The UK government is using banks for its Covid-19 loan schemes, and has urged lenders to introduce payment holidays on many mortgage loans.

In the midst of the economic storm, Chris Woolard, interim chief executive of the FCA, wrote to bank chief executives reminding them of their responsibility to ensure that lending decisions remain fair during this exceptional period. However, the FCA has been clear that it cannot tell any particular bank what its culture should look like and lenders have discretion over their leniency to customers during the crisis.

“There’s definitely clarity on the overall outcome, in that you should be making it as easy as possible for the customer, and there are specific rules in terms of things that should not be done” (such as not using a request to take a payment break to downgrade a customer’s credit rating), says Steven Sanders, head of audit at Bank of Ireland. But there are no explicit requirements as to whether they should continue to charge interest or to accrue it.

Banks have taken their own approaches to this, he adds. “I think the question from regulators will be – whichever approach you’ve gone with, can you explain why you thought that was the right one to take and can you articulate how you considered all the risks?”


On purpose

A focus of the FCA in recent months has been to promote the concept of “purposeful” culture. The regulator has said that, when aligned to positive outcomes for shareholders, employees and customers, purpose can benefit firms and play a fundamental role in reducing potential harm to consumers and markets. Putting a clear, meaningful purpose at the centre of a firm’s business model and strategy is therefore critical to developing a healthy culture.

One bank at the forefront of this change is RBS, or NatWest as it will now be known. As part of its new “purpose-led strategy”, the company has set a target of making its operations carbon neutral in 2020 and halving the climate impact of its financing activities by 2030. It has also set up an initiative to improve banking literacy and has announced a goal of advancing more loans to SMEs and start-ups. 

This public declaration of a long-term focus is a far cry from the short-termist PPI misselling that marked one of UK banking’s more ignominious periods. Banks are keen to demonstrate that lending is no longer a zero-sum game in which the interests of lenders and customers are at odds.

“We believe that if we’re true to our purpose, we will over time not only do the right thing for our customers, but will be rewarded for it, because we will have differentiated ourselves through that purpose,” says Nicholas Crapp, group chief audit executive at NatWest. “We will effectively win the marginal customer.”


Down to a science

But how does “doing the right thing” work in practice and what does it look like? When Alex Chesterfield, head of behavioural risk in NatWest’s audit team, joined the bank, having previously worked at the FCA, she was keen to apply behavioural science to the treatment of customers.

“Often the root cause of poor outcomes for customers, and therefore for banks over the long term, is poorly designed products, experiences and practices, which are clearly influenced by culture. Firms play a key role in shaping those customer outcomes, choices and experiences through how they design products, touchpoints and customer journeys,” she says. “We know from behavioural science that different presentations of the same information can affect the choices people make and their outcomes.”

Chesterfield sees huge potential in examining how customer experiences “exacerbate rather than ameliorate” people’s inherent psychological biases and lead to undesirable outcomes. Behavioural scientists call this “nudge” (encouraging actions) versus “sludge” (creating friction to prevent actions). Both can be used for good or bad.

“Friction can be used strategically to help customers,” says Chesterfield. “Cooling-off periods, for example, can help people to reflect and think about whether a loan is in their best interest in the long term. Not just now, but in six months’ time.”

Internal audit should therefore ask how the customer “journey” and overall experience might affect behaviour and, ultimately, the outcomes for the bank, as well as how it is viewed by the market and regulators.


Behavioural clues 

Most large organisations say they constantly strive to improve their cultures. Even where there is no regulator demanding explicit managerial accountability for culture, they will tell you that culture starts with the “tone at the top” and will talk of embedding values and ideals in “the organisation’s DNA”.  Times of crisis, however, test whether such phrases have real meaning – and once crisis strikes, it may be too late to change.

So what can internal audit do to identify culture in practice and ensure the organisation is doing what management says it is doing? Tools such as surveys and interviews can quantitatively and qualitatively measure cultural indicators and systems of governance and frameworks can help auditors to kick the tyres for evidence that the culture is still roadworthy.

But “softer” behavioural signals usually offer greater insights and these are less easily recorded in audit assessments and reports. They often depend on face-to-face contact and personal rapport, which can hard to achieve over the phone or in video meetings when everyone is working in isolation.

Culture may also seem less important than more tangible risks at times of rapid change and high stress, which is why it may help to frame cultural findings as “behavioural risks” and
“risk culture”.

Nicola Rimmer-Hollyman, chief audit executive at AMP, says her team does not carry out psychological assessments of staff, but questionable behaviour offers clues that help auditors to follow their noses. “If we were looking at more than processes and procedures then I think people would find our presence a lot more uncomfortable,” she says. “But if we’re observing a lot of tension in the room, for example, or that somebody seems to be wanting to make risky decisions that are making others uncomfortable, we’ll delve down and try to find some facts around it.”

If her team spots behavioural red flags they may start to pay closer attention to the output of a team or an individual’s work, or to whether controls protocols are being followed. “When we’re looking at risk culture, we still position it in terms of risk and controls. The behavioural elements are sometimes slightly different, which is why we may not put them in a formal report. We might say that we have observed certain issues and suggest it’s something that management should dig into.”


Back to basics

Times of great change can affect corporate culture rapidly, so internal audit cannot rely on past cultural audits to inform the future. A swathe of redundancies, significant changes to the top team, new working conditions, an unstable, fearful atmosphere, distrust of those at the top and the information they are releasing can all change corporate culture dramatically. Strong cultures may be weakened and weak ones turn toxic overnight.

At the same time, employees are coping with new threats and demands on their time and emotions. They are facing sickness, childcare and concern for their families and their livelihoods. They will not be the same people and will not necessarily work and respond the way they did before the crisis. New temptations and distractions may arise and opportunities to commit fraud or to circumvent processes may prove irresistible.

Similarly, changes to corporate policies or incentive packages may be implemented before anyone has realised negative cultural consequences. Auditors will have to assess new or altered systems and work out what they mean for their organisation’s culture.

As the way we work physically shifts over the coming months, the way we think about and assess culture will also have to change significantly. Small flaws may have become gaping chasms and new methods will be needed to spot problems and promote desired behaviour. Intangible must not mean invisible.


What is the SM&CR

SM&CR was introduced in the banking sector in March 2016 to create greater accountability for those within responsible roles. The FCA extended SM&CR to all financial firms in December 2019, replacing the Approved Persons Regime.

The FCA stresses that SM&CR compliance should not simply be seen as a box-ticking exercise, but as a cultural shift towards transparency.

The FCA describes the SM&CR as a catalyst for change – “an opportunity to establish healthy cultures and effective governance in firms by encouraging greater individual accountability and setting a new standard of personal conduct” by:

• Encouraging a culture of staff at all levels taking personal responsibility for their actions.

• Making sure firms and staff clearly understand and can demonstrate where responsibility lies.


Five drivers at Lloyds Banking Group

Whether conducting dedicated assignments or embedding a cultural thread into traditional audits, auditing culture is ultimately a case of triangulating many inputs from, for example, staff surveys, interviews, observing meetings, reviewing leadership communications, assessing remuneration, talent recognition, bonus structures and incentive schemes. These give clues about cultural weaknesses and are unlikely to be uniform across the organisation. 

Three years ago, Lloyds Banking Group identified five drivers that need to be in balance to create a healthy culture:

  1. Line managers and leaders. Ensure managers and leaders role model the group values and behaviours and demonstrate the leadership behaviours – and are supported in doing this.
  2. Accountability and empowerment. Identify whether colleagues feel empowered to make decisions within their control and have the confidence to challenge or raise concerns where they see opportunities for improvement.
  3. Communication and the colleague voice: Do you have clear  two-way communication across the group, transparent group  activity and active colleague listening?
  4. Enable and develop colleagues: Through upskilling and reskilling, as well as by supporting colleagues’ holistic health and wellbeing.
  5. Reward and recognition: Reward and recognise the behaviours the group wants to see demonstrated, aligned to its values.

“Our aim is not to provide a definitive view on the group’s culture, but to influence the culture of our organisation by providing a perspective on how the behaviours and ways of working we observe during our audits affect how risk is managed within those  areas,” says Paul Day, chief internal auditor of Lloyds. He adds that those observations are gathered at the end of each audit, aggregated by division and measured against the Banking Standards Board’s Nine Characteristics of Effective
Culture framework.


Remote viewing

As lockdown measures are eased, staff will return to offices, but many will continue to work remotely, at least some of the time. International travel is also likely to be limited. While it is harder to pick up signals from body language, tone of voice or atmosphere over a computer screen, there are advantages to observing remotely.

“We might join Zoom meetings and observe a leadership meeting to watch the dynamics of the relationships between people, the degree of challenge and what’s being said and, importantly, what’s not being said,” says Alex Chesterfield, head of behavioural risk in NatWest’s audit team.

She adds that being a remote fly on a distant wall may also mitigate the Hawthorne effect, whereby people modify their behaviour if they think they’re watched. “We’re almost invisible. People feel safer to open up and modify their behaviour less than if we were physically sitting around the table, meaning that what we observe has greater integrity.”

This article was first published in July 2020.