AHRI

Challenging Culture Complacency

In the post-crisis reflection of many reputationally damaging events, organisational culture surfaces as one of several multifaceted and interconnected factors contributing to poor risk-taking and an underappreciation of external expectations.

Regulated entities, to reduce the risk of such events or in response to imposed standards, have invested significant time and resources building new capabilities to understand how organisational culture influences risk and compliance outcomes.

However, many of these capabilities borrow or misappropriate techniques from other management disciplines without empirical validation. The allure of aesthetics may provide a false sense of security regarding cultural soundness, inadvertently hindering critical re-evaluation of ‘the culture problem’.

The question arises: Should organisations expect better insights for their organisation-wide culture management investment? The following case study sheds light on common limitations in culture and ‘risk culture’ approaches adopted and often defended across industry:

Case Study: Anti-Money Laundering (AML) Compliance

A global commercial bank initiated a comprehensive AML remediation program to address identified compliance capability gaps, in the context of industry-wide prosecutions and fines.

Surprisingly, recent internal Risk reporting rated the bank’s risk culture maturity as “adaptive”, suggesting no cultural concerns. However, this rating contradicted the reality of a costly remediation program. To bridge this disconnect, an external culture review was swiftly conducted, revealing the following insights:

  • Executives did not perceive any serious issues with AML compliance. They found comfort in having a financial crime compliance team that was occasionally “alarmist, but rightfully so”.
  • Governance forums often deferred investment decisions in compliance capabilities, seemingly balancing the view that no serious incidents had ever been reported and that the culture was “high performing”.
  • When tested, two out of three senior leaders could not adequately identify potential weaknesses in their part of the bank where bad actors could exploit business practices for illicit purposes.
  • Bankers in key jurisdictions firmly held the view that they dealt only with clients that did not require KYC enhanced due diligence, and so avoided triggering such reviews.
  • The bank rarely submitted suspicious matter/activity reports to regulators; very few employees knew when or how to raise reports for review by the internal financial crime team.

Neither of the two (Risk and HR) sources of culture information relied upon by executives and directors identified misalignment of organisational culture with risk and compliance requirements.

Three questions for reflection:

  • Framing: Should culture reporting draw attention to key factors affecting the performance of specific risk or compliance requirements, in the same way as for strategic performance?

  • Accountability: Should responsibility for culture-related activities primarily rest with the HR stewards of organisational culture, and if so, how might the Risk function’s culture ‘oversight and challenge’ role be clarified and enhanced?

  • Outcomes: Is the completion of activities (box-ticking) prioritised over demonstrating their impact?

Much like reputationally damaging corporate events, which stem from a complex interplay of factors, managing organisational culture should look beyond mere perceptions of mindset and behaviour. Instead of isolating risk culture from overall organisational culture, embrace a more integrated approach. After all, it’s the same culture through which strategy is delivered and risk managed within appetite.