The Governance Institute of Australia, The Ethics Centre, The Institute for Internal Auditors – Australia (IIA-A), and Chartered Accountants Australia New Zealand have jointly released a new guide: Managing Culture – A Good Practice Guide.The guide argues that an ethical framework should sit at the heart of the governance framework of an organisation and work to drive strong culture by informing the decision making process and conduct: 'In organisations with strong ethical cultures the systems and processes of the organisation will align with the ethical framework in the making of day to day decisions both large and small' the guide states. In addition, the guide argues that embedding a clear ethical framework is not purely the role of the board, but rather that the board, management, human resources, internal and external audit all play a role in ensuring the alignment of strong culture with actual or lived culture and conduct across the organisation.

Structure and scope of the guide

The guide is divided in to five chapters:

• The regulatory context: An overview of culture in regulator standards and governance codes; Australian, UK, US, Hong Kong and other regulatory responses.
• Definition of culture: An explanation of why culture is important and a discussion of risk aware culture.
• Identifying and setting culture: Discussion of desired culture, drivers of culture, identifying and monitoring the current culture, cultural change and the role of ethical frameworks in a cultural change process.
• Embedding culture: Discussion of the role of governance in risk management and the role of the board in overseeing monitoring and evaluating lived cultures, and the role of other functions within organisations in cascading values to the rest of the organisation.
• Gaining assurance over risk culture: Discussion of the role of internal and external audit in auditing culture.

In addition, the guide includes a number of appendices, including a summary of the responsibilities and duties of directors in relation to culture, and a summary of the drivers of good culture as identified by the Australian Securities and Investments Commission and the UK Financial Reporting Council.

Characteristics of a strong ethical framework

The guide argues 'that an ethical framework – which is different from a code of ethics or a code of conduct – should sit at the heart of the governance framework of an organisation. An ethical framework includes a clearly espoused purpose, supported by values and principles'. Characteristics of a strong ethical framework identified in the guide include:

Factors influencing risk culture: The guide notes that regulators do not 'dictate' what cultural frameworks should look like but have identified factors that may influence an organisation's risk culture including: leadership, good governance, translating values and principles into practices, measurement and accountability, effective communication and challenge, recruitment and incentives. In addition, the guide notes that regulators have identified that the greatest risk 'lies in organisations that are believed to be hypocritical when it comes to the espoused versus actual culture'.

An ethical framework to inform and drive good conduct and consistency of decision making in alignment with the values of the company: The guide states that 'one method of achieving consistency of organisational conduct is to build an ethical framework in which employees can function effectively by achieving clarity about what the organisation deems to be a "good" or a "right" decision.'

Characteristics of a strong ethical framework:

• Practical – able to be applied in practice and with consistency
• Authentic – it will ‘ring true’
• Stable – it will not change much (in its essence) over the long term
• Understandable – by all of those required to apply it in practice.
• Company-specific: The guide adds that the framework should be appropriate to the purpose of individual organisations and the culture each organisation wishes to cultivate.

Setting and embedding a clear ethical framework: 'all areas can play a role'

The guide argues that the role of boards is to determine the purpose, values and principles of the company, that the CEO and senior management have the responsibility for implementing the desired culture and that personnel in human resources, ethics, compliance and risk functions all have a role to play in embedding values and ethics.The publication provides high level guidance to the different roles.

The Role of the Board

The board is responsible for:

• Establishing the ethical framework for the organisation or 'setting the tone from the top': Directors’ duties include setting the ethical foundations for corporate culture and monitoring and correcting any misalignment between the purported and the actual culture within the organisation they govern. The ethical foundation that the board sets, the guide argues, will ultimately be expressed in ways that set the culture of the organisation: 'This is commonly referred to as setting the ‘tone from the top’.
• How to set the 'tone from the top'? ASIC has stated that in setting the right tone from the top, the board might wish to consider: how the board is modelling the firm’s desired behaviours and values when interacting with management and staff; how the actions and behaviours of the board support and advance the firm’s desired culture; and how the board sees its role in relation to cultivating the firm’s values and ensuring that the firm has a culture of integrity.
• Establishing risk appetite for the organisation: The guide states that the role of 'articulating the desired risk culture rests solely in the hands of the board and senior management, who should define the desired state and the values and principles. These will be different from organisation to organisation'.
• Overseeing culture within the organisation: 'Consistently, the board needs to be assured that the ethical framework is embedded within the organisation’s systems, processes and culture'.The guide notes that ASIC has suggested boards may choose to consider the following questions to help gain insights into a company's culture:
• Is culture a regular feature on the board and audit committee agenda?
• Do directors have regular interaction with staff across the organisation and not just with the CEO and executive management?
• Are there good relationships with key employees, such as line managers, to help with gathering insights about team-specific issues and subcultures?
• Is there periodic engagement with all stakeholders to get a broad perspective on the issues impacting on customers, suppliers, regulators and the community? This should help with balancing various competing and conflicting interests.

The role of Senior management

The guide states that senior management is responsible for implementing and monitoring the desired culture as defined and set by the board and for demonstrating leadership of ethical framework and culture. The guide adds that 'Forging a culture that is aligned with business strategy is the role of management, with the board having oversight of implementation, but not responsibility for it. This is not unlike risk management, where it is the role of the board to set the risk appetite for the entity, to oversee its risk management framework and to satisfy itself that the framework is sound, while it is the role of management to design and implement that framework and to ensure that the entity operates within the risk appetite set by the board'.

More particularly, the guide states that management has the task of implementing a risk culture where everyone in the organisation:

• Is aware of the risks for their span of responsibility.
• Takes responsibility for the controls for managing those risks.
• Is confident that they can raise issues at the time they arise.
• Management must ensure that the right competencies and the appropriate level of resources are available.

The guide notes that regulators have said that that the tone and behaviours manifested by middle management are as important as those exhibited by senior management: 'Middle-level managers channel the culture as set at the top to the business lines whose operational responsibilities take risks in line with the risk appetite set by the board. These operational roles usually are those responsible for identifying, assessing and controlling the risks of their businesses' the guide states.

The Role of Human Resources (HR)

The guide states that Human resources (HR) is 'fundamental in shaping, reinforcing and changing corporate culture within an organisation'.   In addition, the guide notes, HR drives organisational change programs that ensure cultural alignment with the ethical framework of the organisation and provides alignment to the ethical framework through recruitment, orientation, training, performance management, remuneration and other incentives.

• Remuneration and incentives: Though responsibility for setting C suite remuneration rests with the board, the HR team plays a key role in the remuneration process for the rest of the organisation, the guide notes.In addition, the HR team also explain how compensation works, provide advice and help managers with both informal and formal staff recognition systems for outstanding performance. The guide suggests that as such, HR has a role to play in helping to ensure pay systems are in alignment with, and reward behavioural expectations, 'Pay systems that reward based simply on productivity could be creating a culture that is counter to organisational success' the guide states.
• Performance management: The guide states that culturally aligned performance management systems have a strong element of differentiation ie higher ratings, increases and/or promotions are given to those who think, act and behave according to the desired culture than those that do not. On this basis, a company's performance management system can have a negative influence on culture if it is not culturally aligned.The guide notes that ranking employees against each other, and annual performance reviews (rather than more regular coaching and feedback) can have negative cultural consequences.
• Training: the importance of sufficient resourcing for training: 'The allocation of scarce resources is a sign that employees look for when determining if an organisation is serious about creating the culture they espouse', the guide comments.The guide notes that organisations that promote employee development as part of their corporate culture should ensure that enough resources are allocated to HR’s training and development budget.
• Recruitment and orientation: Recruitment practices should aim to increase the probability of recruiting those who reflect or can readily adapt to the values, principles and culture of the organisation to ensure new employee's assimilation into the company and to strengthen corporate culture.For example, the guide notes, job descriptions and other recruitment literature should reflect the desired behavioural characteristics the company is looking for and interviews should include culture-focussed questions eg 'what type of culture do you thrive in?'.In addition, the orientation process should 'build on (not contradict) the individual’s cultural education, commenced during the recruitment process'.Orientation may include for example: facilitated case studies that highlight cultural norms and practices, videos and profiles (of customers and employees) can be useful tools in illustrating the culture of the organisation during orientation.

The role of internal audit

The guide states that internal audit is being increasingly requested by boards, senior management and some regulators to provide an assessment of culture – usually risk culture. The guide notes that assessment of risk culture is already an 'intrinsic part' of independent reviews of Prudential Standard CPS 220 for may internal audit departments. The guide observes that internal audit, based within the organisation but also independent and objective, can provide an independent view of 'whether the lived culture is in line with the desired culture'.

The guide adds that in 'order for internal audit to succeed in this role, it is vital that the value that they can add is recognised and supported by the organisation and by the board'.More particularly, the guide notes that internal audit can

• Assess how well culture is defined and communicated across the organisation: The guide suggests that assessment of this should specifically focus on the desired culture the board and senior management wish to implement and how it is communicated throughout the organisation, so that it becomes part of ‘how we work around here’. Here, internal audit can usefully ‘test’ the communication through their ongoing audit work – for example, by asking staff whether they are aware of the values and behaviours expected of them. As part of the organisation themselves, internal audit will be recipients of key messages from senior management and the board, and will be able to form a view based on their own understanding of the desired culture.
• Provide assurance to the board on alignment of lived culture with espoused culture: The guide states that internal audit can play an important role in providing assurance over how well the desired culture is embedded across the organisation, and assess whether core documentation and policies are aligned to the purpose and values of the company. A review of core information can identify whether there is a misalignment in any area.
• Potential areas for review include the following:
• Is the business strategy in line with the desired purpose, values and principles?
• Is the risk appetite set in line with the desired values and principles, and how is performance against the stated risk appetite monitored?
• Are product development and product pricing decisions aligned?
• Are credit policies aligned with the desired values and principles?
• How are customer and supplier complaints responded to?
• How are problems and mistakes identified and fixed, including breaches?
• Are the appropriate delegated authorities in place, and are these procedures complied with? How are conflicts of interest identified and assessed?
• Does the recruitment process support hiring people whose ethics, values and principles are in line with the organisation?
• Does the induction and training offered enable staff to connect to the values and principles, and desired culture, and reinforce the desired culture?
• Is the appropriate incentive and remuneration structure in place? Does it have any unintended consequences?
• Is the performance management process robust? Does it support both the values and principles of the organisation, and is it linked with the incentives that are in place?
• Monitoring and measurement: The guide also discusses various means of measuring and monitoring culture. Noting that there is no one way to audit culture, the guide points out that there are a number of performance metrics that can be used to provide an indication of the current state of culture. These include: customer complaints; breaches, and timelines of breach reporting; whistleblowing reports; loss events; and response to audit issues. In addition, a number of HR metrics can be used, including levels of sick leave and untaken leave; information from exit interviews; code of conduct warnings, etc. Another measure is the results of staff surveys.

The role of external audit

The external auditor may consider culture as part of their audit process the guide notes and as such 'Working together and sharing insights around culture, the external auditors, internal auditors and management have the potential to deliver powerful insights regarding an organisation’s internal culture'. 

The guide lists examples of where culture might 'come into focus' for an auditor as they obtain an understanding of the control environment. For example: poor staff engagement survey results, staff absenteeism and high levels of customer complaints are occurring in the retail arm of a client could be indicative of a higher risk of control failure, but is also evidence of a culture problem within that part of the business.

The guide also suggests ways of incorporating a cultural review into each audit. For example: a focus on 'red flags', assessment management's control awareness and a focus on root cause analysis.

Drivers of good culture as identified by ASIC and the FRC

The guide includes an outline of key drivers identified by ASIC and the FRC as drivers of 'good culture'. The key points are briefly outlined below.

'Tone from the Top'

The guide states that ASIC has identified 'tone from the top' as a driver of good culture. More particularly ASIC has identified that setting the 'tone from the top' includes:

• The board and senior management are responsible for creating a culture where everyone has ownership and responsibility for 'doing the right thing'.
• The board and senior management should set the values and principles of an organisation's culture and ensure they are reflected in the organisations' strategy business model, risk appetite and compliance and governance frameworks.
• The board and senior management should lead by example by demonstrating the conduct that supports the organisation's values.
• The guide notes that the UK Financial Reporting Council (FRC) has identified a similar driver: 'Demonstrate Leadership' which requires leaders (particularly the CEO) to 'embody their desired culture, embedding it through the business and at all levels of the organisation. Boards should act when leaders fail to deliver'.

In addition, the guide notes that setting the tone from the top, is reflected in the Governance Institute of Australia's Guidelines: Whole of organisation governance which notes the importance of this in setting the boundaries on conduct.

Cascading values to the rest of the organisation

The guide states that ASIC has identified cascading values to the rest of the organisation as a driver of good culture. More particularly ASIC has identified the importance of the role of senior management in cascading information to 'the front line' of the organisation to ensure 'new and junior employees learn "how things are done around here".

• The guide notes that the FRC identified a similar driver 'embed and integrate' which requires that company values need to inform the behaviours of all employees and suppliers; human resources internal audit, ethics compliance and risk should be empowered to embed the values and assess the culture effectively.
• In addition, the guide notes that this is reflected in the Governance Institute Guidelines and reflected in the guide which comments: 'A clear whole-of-organisation governance framework supports the achievement of the organisation’s strategic objectives by clarifying that decision-making is tied to risk and there is accountability for the exercise of authority. Whole-of organisation governance is inextricably linked to good risk management. This aligns with ASIC’s focus on cascading and translating the values set at the top into business practice and ensuring there is accountability for this.'

Translating values into business practice

The guide states that ASIC has identified this as a driver of good culture. More particularly, ASIC has identified that senior management should ensure the organisation’s values are incorporated into all of its business practices eg how problems and mistakes are identified internally, elevated and fixed. Translating the organisation’s core values into business practices is important, because it ensures there isn’t a gap between the organisation’s desired values and the actual conduct that occurs.

• The guide notes that the FRC identified a similar driver: 'recognise value and culture' which requires that directors be proactive on company culture. 'Good corporate culture is an asset and source of competitive advantage. The board’s role is to determine the purpose of the company and to ensure that the strategy, values and business models are aligned to it. Directors should be pro-active on company culture'.

Accountability

The guide states that ASIC has identified this as a driver of good culture. More particularly, ASIC has identified that senior management should ensure the compliance and governance frameworks that are in place are monitored and enforced.
The guide notes that the FRC identified a similar driver: 'Assess measure and manage' which requires that indicators and measures used should be aligned to the desired outcomes and material to the business. The board has the responsibility to understand the behaviours in the organisation and challenge where they see misalignment. Boards should commit resources to evaluating and reporting on their culture.

Effective communication and challenge

The guide states that ASIC has identified this as a driver of good culture. The board and senior management should promote a culture of open communication and effective challenge to allow current practices to be tested. The board and senior management should encourage a positive critical attitude among employees, and promote an environment of open and constructive engagement.

• The guide notes that the FRC identified a similar driver: 'be open and accountable' which states that Openness and accountability matters at every level. Good governance focuses on how this takes place and those who act on its behalf. It involves respecting a wide range of stakeholder interests, and is concerned with how the company conducts its business, engages with and reports to stakeholders.

Recruitment, training and rewards

The guide states that ASIC has identified this as a driver of good culture. More particularly, ASIC states:

• The board and senior management should include behaviours and attitudes that lead to good conduct and outcomes for customers as part of the selection of all staff.
• The board and senior management should ensure training is available to maintain staff knowledge about the organisation’s values and the attitudes and behaviours expected of staff.
• The board and senior management should also ensure that the company’s remuneration and incentives (including promotions) across the organisation are linked to good conduct and good outcomes for customers.
• Rewards play a big role in driving culture and conduct, because they impact on priorities and act as a motivator and reinforcer of conduct. It is therefore crucial that organisations recognise performance in a way that not only promotes good conduct, but penalises poor conduct as well.
• The guide notes that the FRC identified a similar driver: 'aligned values and incentives' which provides that the performance management and reward system should support and encourage behaviours consistent with the company’s purpose, values, strategy and business model. The board is responsible for explaining this alignment to internal and external stakeholders.

Governance and control

The guide states that ASIC has identified this as a driver of good culture. More particularly, ASIC states: Under the board’s stewardship, the leadership team should promote, monitor and assess the impact of the organisation’s culture on conduct and make changes where necessary. It’s important that there is direct access to the board and leadership team. It’s also important that there is a process in place for periodic reporting to the board on culture, conduct and compliance issues.

• The guide notes that the FRC identified a similar driver: 'exercise stewardship' which provides that effective stewardship should encourage engagement about culture and encourage better reporting. Investors should challenge themselves about the behaviours they are encouraging in companies and to reflect on their own culture.

ASIC Commissioner John Price commented in his Foreword to the guide: 'As a conduct regulator, we invite boards and senior executives to take action and consider conduct issues, particularly where poor conduct has the capacity to cause damage to customers or to the integrity of the markets. In our view, it is in the interests of organisations for senior managers and the board to be focused on conduct within their firm, and this is about asking the right questions and seeking the right information to deal with conduct risk. The multidimensional approach to exploring risk culture written about here draws out best practice and informs pathways to change.'

Governance Institute of Australia CEO Steven Burrell commented: 'While having an integrated governance and risk management framework is important, unless an organisation establishes a culture that promotes risk awareness into everything it does, it is unlikely to achieve its objectives…Governance and risk management must be at the core of an organisation’s culture.'

Ethics Centre executive director Simon Longstaff commented: 'This is an important piece of work which brings together years of research by some of Australia’s most knowledgeable people and organisations working in the field of ethics and risk culture. It is a practical guidebook for leaders in any industry, and we’re proud to have been involved in the creation of such a valuable resource.'

IIA-Australia CEO Peter Jones said that the guide outlined the important role internal audit plays in the governance process, which is being increasingly requested by boards, senior managers and regulators to provide an assessment of a company’s culture.