May 11, 2021

Demonstrating Compliance – the Challenge of Measuring Culture

With culture high on the agenda of regional regulators, Chris Fordham and Jacky Lo discuss in Lexology why businesses in Asia need to strive towards a sound culture and formulate ways to measure their culture.


The Hong Kong Stock Exchange (HKEX) recently proposed enhancements to corporate governance codes to highlight the importance of corporate culture and require disclosures on measures used for continuously assessing and monitoring culture in a Consultation Paper on Review of Corporate Governance Code and Related Listing Rules (Apr 2021). The Hong Kong Monetary Authorities also made clear that banks are expected to make greater efforts in fostering a sound internal culture in their Report on Review of Self-assessments on Bank Culture (May 2020). Meanwhile, the Monetary Authority of Singapore similarly stressed that “culture is a key driver of conduct” in an Information Paper on Culture and Conduct Practices of Financial Institutions (Sep 2020), and it is “driven by both the hardware (policies and processes) and software (beliefs and values)” in an organisation. Clearly, with culture high on the agenda of regional regulators, businesses in Asia need to formulate ways of measuring their culture in conjunction with defining their purposes, values and strategies.

“Having a culture of fraud that lets an employee get away with misconduct leads other employees to think ‘if everyone else is doing it, I may as well too’; either that or they prefer to leave the company, rather than be tarred by its reputation,” commented Fordham. Equally as dangerous is a culture that only rewards risk-taking behaviours for financial gain and disregards or downplays ethical standards. What organisations need to strive towards is a sound culture that sets the tone from the top, encourages transparency, individual accountability, independence oversight, effective communication, and incentivises good behaviour as proposed by the HKEX.

“Should regulators come knocking on the door to enquire about one rogue employee’s misdemeanour, the organisation needs to be able to demonstrate that it has a strong compliance culture in place, and this will now include presenting evidence of the organisation’s efforts to measure and where necessary improve the compliance culture,” observed Lo.

When measuring culture, only reviewing the compliance framework is not enough. “Having robust compliance policies and frameworks in place is no use if they are just gathering dust on the shelf and employees do not understand them, let alone comply with them,” observed Fordham. The MAS Information Paper also advises that “rules and regulations alone are insufficient to build and maintain a sound organisation culture.” Regulators are clearly expecting companies to go beyond minimum standards set by rules and extend their efforts to achieving the desired ethical culture.

“Although culture itself is difficult to quantify,” said Lo, “proxy indicators can be used instead to measure culture indirectly and indicate to what extent employees’ behaviours align with regulatory standards and compliance requirements. However, each indicator has its own unique weaknesses and companies should take these into account and take a multi- dimensional approach to the measurement of culture.”
 
Surveys & Experiential Training
A widely accepted method to gauge a company’s culture is by conducting employee pulse surveys and exit interviews. One disadvantage of surveys is that employees are likely to respond in ways that reflect how they envision they should behave, instead of how they behave in reality. Companies can also incorporate questions in employee exit interviews to ask about conduct issues that would have been too sensitive to discuss in other circumstances. However, information provided during an involuntary departure process can be biased and difficult to verify.

Experiential training can provide an additional indicator of an organisation’s culture. This approach incorporates case studies from past misconduct into training and asking employees how they would have responded and acted. “The goal of these training sessions is for employees to understand how to make ethical risk-based decisions. Compliance should form an integral part of the decision-making process, even when the compliance issues are not obvious or highlighted in the training,” explained Fordham.

Anti-corruption Programmes and Whistleblowing Programmes
In many cases, businesses have obligations to comply with both domestic and foreign anti- corruption and whistleblowing laws and regulations. As made clear by the HKEX, the regulatory expectation is no longer on a “comply and explain” basis. Instead, organisations will be required to establish clear and transparent policies and preventative measures as part of the anti-corruption and whistleblowing programmes in support of the prevailing laws and regulations. Measuring the effectiveness of an organisation’s anti-corruption and whistleblowing programme is a good indicator of its culture.

Anti-corruption programmes should be evaluated in terms of:

  • Clear Policies – are anti-corruption policies clear and transparent, setting out adequate scope covering both company personnel at all levels and business partners?
  • Company Anti-corruption Statement – is there a statement of policy and zero tolerance against corruption in doing business?
  • Effective Mechanisms - are mechanisms in place to effectively prevent, identify and address corruption risks?

“Effective whistleblowing programmes and reporting hotlines are important to building a culture where employees feel they can report incidents in a safe environment without fear of repercussions to their career,” said Lo.

Whistleblowing programmes should be evaluated in terms of:

  • Independence – is the reporting hotline operated by an internal independent function or an external vendor? If the reports are handled internally, are the reports being received and reviewed by a sufficiently independent part of the organisation’s management or board, with the authority to formulate and execute response plans free from hindrance?
  • Clear Understanding – are employees aware of the contact points and reporting hotline channels, and have faith in those charged with handling reports?
  • Action Taken – are all reported incidents investigated and corrective measures taken where appropriate? Where incidents are not investigated, are the decisions taken documented with reasons?
  • Subject to Audit – are the decisions of those handling the reports documented and subject to review as part of a regular audit of the compliance function?

Fraud Risk Assessments
Fraud risk assessments are another key indicator to measure an organisation’s culture. They should cover all risks, including risks of the management themselves perpetrating fraud. “Examining management’s attitude to undertaking fraud risk assessments helps shed light on the organisation’s culture. We look at whether management view these assessments as integral, and prioritise and resource them accordingly,” explained Fordham. “Signs that indicate good management attitudes include iterative undertaking of fraud risk assessments where new risks are considered, and where the discovery of unethical behaviour triggers a fresh risk assessment, with compliance policy revisions and implementation where necessary.”

Using Technology to Uncover Patterns
More technological tools are being developed to measure how compliant a company’s culture is. Utilising data analytics to look at communication data from internal emails or messaging systems and unstructured data from files and ledgers, these tools examine language and uncover patterns that reveal what culture a company has. Data analytics looks to be a promising solution to measuring culture, but it has its limitations. Incomplete data sources and algorithmic bias could skew results and data interpretation. Also monitoring communications can be considered intrusive and organisations need to balance such intrusiveness with the need to measure culture.

The Big Picture
Whichever methods a company chooses to adopt in measuring its culture, it is important to build a system to understand the convergence of multiple data points and their correlations with one another to establish a “big picture”. From training and survey results to data analytics findings, these can be analysed together with any non-compliance issues. Organisations are then better placed to understand the causes of issues such as employee misappropriation, fraud or bribery identified through whistleblowing channels, internal and external audits and compliance assessments.

Next Steps
Measuring culture helps companies to identify areas of improvement and a plan to improve these areas. Building a supportive culture by incentivising the right behaviour will motivate employees in the desired direction. Organisations can consider incorporating culture assessments into their existing internal audit, and designing culture audit programmes that examine behaviours, decision-making and leadership. Reinforcing the message is also key, and it can be as simple as having visual reminders in the form of anti-fraud posters or informative newsletters that explain the terminology and the damage to the company of issues such as bribery or channel stuffing.

Conclusion
Measuring culture should be a continuous process instead of a one-off exercise. An organisation’s culture continually evolves as it goes through mergers or other changes, and people leave, join, or are moved around. “Regulators will be scrutinising organisations’ efforts to measure and improve their culture,” observed Fordham, and “those that make a head-start now will be in a better position than those left on the starting blocks.”

FOLLOW & CONNECT WITH A&M