ASIC has recently announced an approach to surveillance reviews which will include an examination of organisational culture. In addition, it has asked a Senate committee to consider laws that would allow it to punish individuals and companies for poor organisational culture.

Poor culture is not industry-specific

Although ASIC’s recent speeches have been directed at, and have used examples of, the practices of the financial services industry, the issue of managing organisational culture risk is common to all organisations.

Our article ‘Why effective policy management is critical to organisational success’ provides guidance on developing a desirable corporate culture.

In many ways, culture comes from above. The nature of an organisation’s culture is set by its leadership team – the board and senior management – through management, the execution of strategies, and practices that set the tone for an organisation.

ASIC made this point last year when, in another speech, Mr Medcraft noted that directors should ensure that the compliance function strongly drives a culture of compliance.

The bottom line is that ASIC is sending a message to directors that they have a duty not only to ensure the viable functioning of a business, but also to ensure that a culture of regulatory compliance, risk management and proper corporate governance exists and is enforced in their organisation.

ASIC speeches

ASIC’s concern about poor organisational culture has been repeatedly emphasised in recent speeches given by its Chairman Greg Medcraft.

On 3 June 2015 Mr Medcraft presented to a Senate Estimates hearing, remarking that ‘it is a sad fact that bad culture leads to bad conduct and this inevitably leads to poor outcomes for consumers’. Given there is a strong connection between poor culture and poor conduct, ASIC thinks culture is a major risk to:

  • investor and consumer trust and confidence; and
  • the fair, orderly and transparent operation of our markets.

Mr Medcraft announced that ASIC intends to incorporate culture into its risk-based surveillance reviews. For AFS Licensees, this could result in ASIC determining that a licence should be revoked because the culture of the Licensee breaches its obligation under section 912A of the Corporations Act 2001 (Cth) (the Corporations Act) to provide its services ‘efficiently, honestly and fairly’.

ASIC believes that breaches of the Corporations Act caused by cultural conduct should attract civil penalties and administrative sanctions.

It seems that ‘culture risk’ should now be added to an organisation’s risk register – if it wasn’t already there.

What can I do to improve culture?

In a speech delivered to the Annual Stockbrokers Conference on 25 May 2015, Mr Medcraft stated that the culture within a firm – its shared values and assumptions – has a positive influence on behaviour and good or bad culture can lead to good or bad market practices.

In the same speech he introduced the ‘3 Cs’ framework on culture risk for organisations.

The ‘3 Cs’ stand for:

  1. communication;
  2. challenge; and
  3. complacency.

Those 3 elements are important influencers of an organisation’s culture as follows:

1. Communication

Communication of conduct expectations needs to be clear, concise and effective. This includes communication that is proactive and regularly and consistently repeated across the organisation.

2. Challenge

Organisations:

  • should challenge existing practices to determine whether current conduct is appropriate;
  • need to foster an environment where employees are encouraged to escalate concerns without fear of retribution; and
  • should consider rewarding staff for speaking up.

3. Complacency

Don’t be complacent. Conduct should be continually reviewed, enforced and validated.

Civil penalties for a bad corporate culture?

You may be surprised to know that ASIC is asking for a change in the law to allow it to prosecute companies for a poor corporate culture. In his opening statement, Mr Medcraft said that in addition to administrative action (revoking an AFS Licence), ‘we think that when an officer breaches a law ASIC administers – and culture is responsible – then the officers and the firm should be responsible’.

Mr Medcraft is referring to section 12.3 of the Criminal Code Act 1995 (Cth) (the Criminal Code), which defines ‘corporate culture’ as ‘an attitude, policy, rule, course of conduct or practice existing within the body corporate generally or in the part of the body corporate in which the relevant activities takes place’.

The Criminal Code also states that ‘this Code applies to bodies corporate in the same way as it applies to individuals. … A body corporate may be found guilty of any offence, including one punishable by imprisonment’.

The Criminal Code introduces the concept that criminal responsibility should attach to organisations where the corporate culture encourages situations which lead to the commission of offences. The provisions make organisations accountable for their general managerial responsibilities and policy.

ASIC is asking for the introduction of civil penalties relating to poor corporate culture to apply to the Corporations Act provisions that it administers. Civil penalties require a lower standard of proof than criminal offences (‘the balance of probabilities’ as opposed to ‘beyond reasonable doubt’).

ASIC has used the opportunity to give evidence before the Senate committee to ask for these changes in the law, stating that ‘the Financial System Inquiry recommended a broad review of penalties, and this would be an opportune time to consider these issues’.

How can you reflect the ‘three Cs’ in your organisation?

The answer lies in your organisation’s governance and risk frameworks and the policies, procedures and practices which form part of them.

According to Mr Medcraft, if ‘ASIC find that the policies, procedures and practices in an entity don’t influence good conduct, it raises a red flag with us. It tells us to look harder, as there are likely to be problems within that entity. And, we will look to apply the right nudge to change behaviour.’

To avoid ASIC ‘nudging’ your organisation, it might be timely to review your risk and compliance frameworks to ensure they are tailored towards the delivery of a robust culture that promotes trust and confidence in your organisation.