Persistent governance failures reveal a harsh truth: prevailing regulatory and governance approaches often encourage superficial compliance rather than comprehensive oversight.
Financial services entities continue to face issues due to poor governance and culture, even a decade after new risk culture standards were introduced. Risk culture and behavioural risk approaches are failing to provide early warnings or support effective interventions.
However, change may be on the horizon. Recent regulatory discussions are emphasising the importance of understanding the interconnectedness and outcomes of board-approved settings and guardrails.
Regulatory Discussions
Regulators in several jurisdictions including APRA (Australia), ECB (Europe), OSFI (Canada), FCA (United Kingdom), and RBNZ/FMA (New Zealand), have recently reinforced the need, or put forward proposals, to strengthen governance of financial services entities.
“With respect to the role of senior management, APRA proposes an outcomes-focused definition that supports the execution of the regulated entity’s activities in line with the board-approved strategy, risk appetite, culture, and values…”
These proposals aim to shift the focus from mere compliance with procedural activities to demonstrating the appropriateness of the outcomes from those activities.
Interdependence of Organisational Settings and Guardrails
A common critique has been that existing Board approval and oversight approaches are not adequately protecting entities from serious incidents. Attempts over the past 15 years to bring together elements such as risk and culture have created new reports built from novel activities, but they have not adequately curtailed the levels of avoidable non-financial risks and incidents stemming from poor governance and culture.
Research published by the London School of Economics (LSE) back in 2013 described the industry-wide focus on culture as “a desire to reconnect risk-taking and related management and governance processes to a new moral narrative of organisational purpose”.
Regulators increasingly echo this intent, codifying the need for governance forums to evaluate the interdependence of purpose, strategy, risk, and culture.
It is through culture that strategy, risk, and compliance are managed, and performance delivered. Culture is a pivotal factor in evaluating the effectiveness, interdependence, and outcomes from these organisational settings and guardrails.
Implications for Board Reporting
To effectively understand and oversee the outcomes generated from organisational settings and guardrails, clearer and more coherent information is needed. The following questions help illustrate how culture-related information can support effective oversight:
- Strategy: How does our culture enhance or undermine Board confidence in evaluating different strategic choices? What are the most critical culture attributes that underpin successful strategic execution and how can we strengthen and monitor these?
- Transformation/Change: Is our culture ready and sufficiently resilient to take on the scale and speed of required organisational change? Is the culture ‘grain’ (i.e., nature of direction-setting, ways people work together) compatible with how programs are structured and executed?
- Compliance: How can we be confident that our people consistently support both the letter and spirit of all applicable obligations?
- Risk Appetite: Are current risk-taking attitudes and decision-making trade-offs consistent with the desire and capacity to take on risk in the pursuit of strategic aims?
- Risk Management: Will the organisation's culture support effective operation of the risk management strategy/framework? Or do we need to be more/less prescriptive throughout the risk and control environment? How does our culture affect our evaluation of residual risk across key risk classes - including strategic risk?
Existing Management reporting on culture often falls short in helping decision makers understand how Board-approved settings operate in practice.
Subsidiary Boards also need to understand the impacts of imposed settings and guardrails on the local entity, including exposure to any group-wide control-related issues. Where they are unable to influence imposed conditions, subsidiary Boards must mitigate their effects effectively.
“Senior management should be responsible for briefing the board effectively, with succinct and relevant information to support decision making, rather than briefing with a view to satisfy compliance requirements”
The Culture 'Sandbox'
An organisation's 'aspired culture' encapsulates values, and often, leadership expectations. The Code of Conduct, also Board-approved, sets minimum conduct standards. LSE’s research introduced the concept of a culture 'sandbox,' where the boundaries of acceptable conduct are defined between aspiration and minimum standards.
While behaviour within the ‘sandbox’ may align with Board settings, it may not always be suitable for all workplace situations or higher-risk roles. Organisational formal systems (policies, procedures, technologies) must be designed to accommodate acceptable cultural variations within the 'sandbox' and, where needed, consider targeted control.
LSE also highlighted the challenge of closing gaps between current and aspired culture (often defined as Behavioural Risk) when, at some point, closing gaps becomes uneconomic relative to the value gained.
The 'sandbox' concept conflicts with prevailing risk culture and behavioural risk approaches, which primarily focus on attitudes and behaviours in relation to an aspired culture. This raises an interesting question: would these approaches be more beneficially used to evaluate the performance of formal systems within the ranges of acceptable conduct?
Interdependence and Outcomes
Proposed governance standards should be viewed as an opportunity to distil new insights by replacing existing activities and reports, rather than creating additional documents that add congestion to governance agendas. At face value, a change in reporting of this magnitude may seem unattainable. But it's been done before.
The May 2018 Prudential Inquiry into the Commonwealth Bank of Australia (CBA) highlighted the interdependence of Governance, Culture, Accountability, and Remuneration (GCRA) elements and the resulting risk-related impacts on markets or consumers. Following the CBA Inquiry, APRA instructed regulated entities to conduct their own GCRA self-assessments.
Amidst ongoing revelations from the Banking Royal Commission, the self-assessment process was cathartic for many senior and specialist roles, surfacing long-accepted but previously unacknowledged cultural characteristics that hindered their ability to manage risk and compliance effectively and so mitigate serious reputational harm.
Many organisations published objective and insightful conclusions on the interaction of GCRA elements, showing improvement in follow-up assessments published in subsequent years.
Organisations that segmented their findings by each GCRA element or withheld reports from public scrutiny often experienced prolonged deep-seated cultural challenges.
The self-assessment process demonstrates that complex cultural dynamics can be surfaced and addressed by considering the interplay between culture and other organisational settings to deliver required outcomes.
Recognition that Change is Needed
In Australia, AICD's 2020 Director Sentiment Index found only two-thirds of directors said their Board has sufficient oversight of the culture of their organisation. Its 2025 analysis of recent governance failings concluded that Board oversight of culture continues to be ‘challenging’, and that while Boards understand their accountability, governance changes are needed.
Culture governance varies around the globe, as illustrated by Deloitte’s 2024 Centre for Board Effectiveness article. It revealed 48% of US Boards do not have explicit responsibility for culture oversight, only 18% review the company’s definition of culture, and just 3% approve it.
In line with regulators in different jurisdictions, APRA’s 2025 Governance Review discussion paper outlines eight proposals intended to update standards to reflect contemporary governance practices.
With a clearer regard for culture, these proposals may finally reconnect risk-taking and related management and governance processes in the pursuit of strategic goals that deliver on organisational purpose.
Questions for Reflection
- How completely does existing governance reporting capture and reflect the true state of organisational culture and its influence on risk and performance outcomes?
- Does reporting adequately highlight the interdependencies between governance, strategy, risk, and culture?
- To what extent do reports provide clear, actionable insights that support the oversight and decision-making responsibilities of the various governance charters?
- How reliable and consistent is the culture information provided to the Board from different Board committees and executives?
- How might enhanced governance standards change what we do today for culture (incl. risk culture) reporting?