There have been a number of high-profile issues in the London insurance market in recent times which have increased the discussion on culture within the market and within individual organisations. One outcome has been increasing numbers of reviews of businesses and assessments of their culture most commonly as a result of regulatory interaction. The issue has received increasing focus from the FCA in 2020, with a ‘Dear CEO’ letter in January setting clear expectations of senior managers and a clear statement of intent in their 2020/21 Business Plan. We have even seen Lloyd’s issue a ‘Culture Dashboard’.

However, the issue is not new. Any Director (non-executive or otherwise) or senior manager in a Category 1 or 2 firm with FCA and PRA supervisors will have been asked questions at one time or another in the past 10 or more years about the culture within the firm in which they worked. At least since the creation of the FSA there has been an interest in culture within financial services firms. All we are seeing now is a more public discussion on those questions. Many of these are in line with a change in public attitude and views.

For a significant portion of that time the focus has been primarily on culture and the impact on customers. The prime question being “how do you (the senior management) ensure that customers are treated fairly?”. Within that overall question the issue at the heart of the focus has been ensuring that all employees “do the right thing”. The manifestation has been seen in the drive to improve TCF and more recently to ensure conduct risk was mitigated properly. This is just the next phase in which the regulators tie governance and firm-wide conduct closer together.

Now, the focus has moved to be more widely with the times looking at the internal elements of organisational culture dealing with treatment of staff: equality, diversity and inclusiveness being the most high profile but by no means the only areas of focus. It is not a significant transformation in focus, but it does represent a change. The intention is to still ensure that firms have the right culture but instead of being primarily concerned with customer outcomes, the focus is on outcomes for employees and all other stakeholders. Do not misunderstand: the regulators have always been interested in ensuring culture meant employees and potential employees were treated properly, but in many ways it was treated as a gauge for whether the firm was likely to ensure customers were treated properly. This remains their overall key deliverable.

So, what is culture and how do you ensure it is both the right culture for your firm and acceptable to the regulator?

The Definition of Organisational Culture

Unfortunately, there is no single definition. Too many academics have been involved in the study and teaching of organisational culture in the past 70+ years to mean there is a simple definition for something so intangible. However, it is possible to discern the key elements of what constitutes culture within a firm and from that we can consider how to measure and monitor it.

• The key elements of organisational culture are driven by the tone from the top, by which:The long-term vision and strategy for the organisation is determined and communicated to the entire organisation, and
• Leadership sets the customs and values of the organisation which penetrate throughout the business to all employees,
• Appropriate feedback loops ensure that the senior management are able to be in touch with the pulse of the organisation and respond when required.

These actions lead to:

• The fair treatment of all employees or potential employees,
• Shared values and opportunity to be involved in the development of the business,
• A clear understanding of authority and accountability for all,
• Appropriate interactions between all employees including the development and support for each employee to ensure they are able to achieve their potential with the skills and resources to perform their role, and
• Appropriate stakeholder (including customer) outcomes from the approach adopted by staff – often known as staff who are incentivised to “do the right thing”.

Firms should have and are expected to be able to demonstrate that they have developed and are maintaining a healthy and positive culture. The signs of such a culture include strong communication of values and policies, an agenda for diversity and inclusion with fair and equal treatment for all, an engaged workforce where the firm has invested in their development and learning so there is the ability for employees to realise their full potential. Other indicators include employee pride and enthusiasm, a low staff turnover, a lack of employee issues such as high levels of illness from stress or employee claims. To achieve these require the management to be listening to their employees through strong and demonstrably working feedback loops between senior management and all staff based on transparency and openness using a variety of modes including focus groups, one to one reporting and “speak up”  or whistleblowing opportunities including the use of fora for communicating suggestions for improvements.

All of these relate to internal processes and controls relating to employees and help with the evidencing of the right culture if the metrics are favourable. However, it is rare for a Culture review to be solely focused on the internal employee related culture alone. There are other indicators which regulators will consider, if necessary, during a Culture review which relate to the approach of the firm to its governance and its approach to other stakeholders such as the regulators themselves and the firm’s customers. For that reason, culture reviews very commonly include a review of the firm’s Governance and control environment particularly within the HR, compliance and risk functions. These will include how it meets its compliance and regulatory obligations including Conduct Risk. Some obvious areas include:

• From a Governance perspective a review may include:
  • A review of the Board and Board Committees looking at the effectiveness of their engagement with staff,
  • Quality of reporting and decision-making with a particular focus on employee engagement and issues, customers and other stakeholders,
  • The proactivity and responsiveness of the Board to issues the firm faces,
• The firm’s approach to Risk Management – is it fully embedded in the business and treated as a key element of the control environment,
• The firms’ response to regulatory change – initial adopter or last minute and meaningful adoption or barest minimum,
• Whether the firms’ risk and compliance policies and frameworks are up to date and utilised properly
• Whether it follows guidance issued by the barest minimum or seeks to exceed regulatory requirements and guidance – a good example being the recent guidance by the PRA for firms to not pay dividends,
• The approach to Conduct Risk and the oversight of its approach to ensuring good customer outcomes from meeting PROD requirements to Board oversight and metrics reporting,
• Whether the firm is “tick boxing” or has its controls at the heart of the organisation – for example, is the approach to outsourcing aimed at ensuring the right customer outcomes, and
• Whether filings are always on time or made at all, for example change of directorships or change of control applications made after the event.

Possibly the most important indicator is proactivity. A firm which is proactively developing its employee relations and its employees or can demonstrate that it deals appropriately and swiftly with issues which arise will be better placed than one which is not.

Another key factor should be the size of the firm and whether the firms’ approach is proportionate. However, that is not always the case. A severe issue can arise within a small firm in the same way it can within a large firm but the impact within the large firm will likely be greater which is why regulators spend more time focusing on larger firms. The difference can be that a small firm should be able to rectify an issue more quickly than a large firm, but a large firm has the resources the small firm does not. However, there is no doubt that changing the direction of a large oil tanker to avoid a collision takes more than a small fishing boat.

The depth to which these reviews can go is quite significant. Often the firm will feel as if and will describe the approach as being like “using a sledgehammer to crack a nut”. However, the consultancies which are asked to undertake these reviews on behalf of the regulators feel that it is their duty to pull the floorboards up and visit the drains of the business. There is no doubt that the reviews take time, cost considerable money and are a significant distraction to firms and their management.

These reviews often cost hundreds of thousands of pounds with any remediation often costing even more. They can also impact the regulators’ views of a firm and may lead to a firm being placed on their Watch List, the consequence of which is greater oversight by the regulator. In more severe cases they can lead to capital loadings on insurers and/or penalties and fines for any regulated firm. In the age of SM&CR this may include personal responsibility for senior managers.

Before we look at the detail of culture, culture metrics and what a culture framework might look like within an organisation, depending on proportionality, there is an important point to be made. Having the right framework and good metrics and oversight of the culture within an organisation can be pointless unless it is clear that management believe in and care about their culture and stakeholders including customers and staff. No better examples of the latter have been provided than by firms’ recent responses to the pandemic. One firm improved its already good internal culture and employee relations by proactively taking insignificant and inexpensive steps to improve its employees lives, rolling over annual leave entitlement without the need for consent to do so and by ceasing to collect loan payments on travel cards while the employees await the refunds for cancelled travel cards from National Rail and TFL. The employees did not ask for these concessions. The firm simply took the time to consider what might help its employees. Another firm, no doubt with a view to ensuring staff had a safe and suitable working environment provided all staff with the cash to buy a suitable chair for working at remotely on and a new screen for plugging into their laptop. Again unprompted. On the other hand, another firm cut its staff’s salaries while at the same time proceeding with dividend payments benefitting the most senior employees who earned a high proportion of their income through share arrangements arguably to the detriment of the lesser well paid employees.

How do you avoid a Review?

A significant number of regulatory driven reviews of firms arise as a result of an issue at the firm. There are many ways this may arise including identification by the internal control environment through the actions of risk, compliance or internal audit, or by coming to the attention of management or the regulators through whistleblowing or as a result of a thematic review which identifies an issue.

So, the obvious answer to avoidance is don’t have an issue. However, pragmatism says that all firms have issues. It is a part of their continuing evolution that issues arise. It is the severity of the issue and the firm’s response when that issue arises that really counts.

Usually a firm is given an opportunity by their Regulator to evidence that it has the issue under control and has dealt with or is dealing with the underlying cause unless the issue is very significant or the firm has failed in the past to evidence that it has the right approach/culture. Evidencing the right controls, approach and culture during this period is absolutely critical. The timeframe will be tight and if the firm is unable to satisfy the regulators the result is often the introduction of a third party firm who will assist the regulators by undertaking a review, at cost to the firm, known as a S.166 review.

How do you evidence the right controls, approach and culture?

At the top of the list is documentary evidence. The view of the regulators is that if you do not have documentary evidence readily available, it, (that is whatever you are seeking to prove) does not exist.

So, the question is: what documentary evidence will be required? That answer may depend on the issue which has arisen and how it has arisen. However, if the discussion moves to a broader question about the firms’ culture the following will be important:

• Evidence that the firm has a strategy which is communicated to the staff who are provided with regular updates such as annual plans and performance against plans and strategy. Town halls, by video conference or otherwise depending on firm size and geographic location are helpful.
• Evidence that the firm has the right principles in place through a Code of Conduct or Code of Ethics which all staff are aware of, required to comply with and are held accountable against if they do not. The Code should include provisions relating to diversity, inclusion and fair treatment for all, and appropriate treatment and behaviours towards customers and other stakeholders.
• Evidence of how the firm engages with its employees outside of high-level strategy. This may include:
  • focus groups and team building initiatives including the budget spent on these,
  • a clear management structure with management at all levels engaging regularly and appropriately with their direct and indirect reports,
  • appropriate employee objective and appraisal processes by which objectives are set in line with the individuals’ roles as a apart of achieving the group, function or business lines’ annual plans, and which provide the individual with the appropriate authority to achieve those objectives,
  • remuneration arrangements which incentivise the right behaviour and control or mitigate incorrect or inappropriate behaviour,
• Evidence that the Board or Board Committees receive and review reports relating to:
  • Employee engagement including outcomes from surveys,
  • Employee compliance with the objective and appraisal processes and training requirements,
  • Actual against plan expenses on training costs,
  • Headcount (actual against planned) and staff turnover rates and leaver interviews,
  • Whistleblowing or “speak up” and other feedback loops from the staff through focus groups or other fora,
  • Staff issues such as grievances, disciplinary procedures and disputes with ex-employees,
  • Diversity and inclusion within the firm, Board, Senior Management and each business or function) including gender, ethnicity and sexual orientation, and
  • Equality, particularly in remuneration.
• Evidence that the firm has the right approach to customer outcomes through an operating and effective TCF and Conduct Risk Framework including its approach to Product Governance, how it handles claims which may be borderline covered and complaints and how it engages with customers through surveys.
• Evidence that the firm has the right approach to stakeholder engagement such as through surveys of producing brokers and other third parties such as coverholders.

Historically a great deal of this will be dissipated throughout the firm and the time to pull it together when asked by a regulator will be tight. However, a firm with the right frameworks and an effective governance model should have most if not all of this information available in the packs presented to Board or Executive Committees. It should not be necessary to ask the HR, Compliance or Risk teams to produce new material as appropriate metrics and information should already be available in the firm’s reporting arrangements.

A firm which can produce the information quickly may be able to avoid a review or at least substantially limit the review to a small number of items or areas where it has not been able to establish it is doing the right thing.

What Do you Do if you End up on the Wrong End of a Review?

Simple. Get help. You may have good quality management, HR, risk and compliance individuals or teams but more often than not, and particularly at this point in time with so much happening, they may already be at capacity. There is also the following to think about:

1. Often the functional heads may have given advice on what has been required but it has been overlooked or disregarded due to budgetary constraints leading to employees having a vested interest and may feel that their role is on the line leading to advice and decisions which are not necessarily the best. Importantly though, we have found that quite often individuals within the firm are not at fault with the dynamic being lack of funds and resources so that with the right support and resources the individual should remain the appropriate person for that role,
2. Objectivity is a significant factor in helping a firm identify the appropriate steps to take when there may be several routes which can be taken,
3. Firms with wider market experience can provide advice on whether the approach being adopted by the reviewer is likely to be considered appropriate or even in some cases correct,
4. Regulators will take a view on the response of the firm and its attitude to the review will reflect on the culture of the firm and on the management individually, so having third party advice from a firm can help to temper natural urges to push back,
5. With SM&CR in place the management need to be advised on their own personal position, something and FCA-appointed reviewing firm will not be at liberty to help with, without creating a significant conflict of interest.
6. Many of the reviewing consultancies are already invested in their relationship with the firm being reviewed leading to difficult and often overlooked conflicts.
7. Engaging a firm to assist you is evidence to the regulators that you are taking the issue seriously and investing in getting the issue resolved appropriately by obtaining objective advice.

Remediation

The remediation can often take longer than the review because of the need to embed the changes required and often costs more than the initial review. Often firms will seek to undertake the remediation utilising internal resources, however many of the reasons for obtaining help during the review also apply for the remediation, particularly the need for objectivity and expertise without vested interests.

Regulators will be interested in ensuring that the remediation has been designed, built and embedded properly and will often expect to be consulted on the proposed response to any report following a review. Thereafter, depending on the severity of the issues they may wish to be kept updated on progress during the implementation of any change or remediation programme. At the end of the remediation they may also ask the original consulting firm which undertook the review to validate the work. However, the subject firm may wish to pre-empt this by engaging with their own firm to undertake a validation exercise or use their Internal Audit function if that function has not been the subject of or implicated in the issues reviewed.

Conclusion

The question of organisational culture is becoming deeply embedded in most aspects of the oversight work undertaken by the FCA and PRA. It is seen as something of a lead indicator to what could be wider issues signifying the risk of potential harm to customers in the way a firm is led by the senior managers. With the tools now available to the regulators to hold senior managers and firms to account for failures to define, implement, measure and adapt appropriate cultures within their organisations, it is clear that culture is an issue that should be understood at all levels of the a firm – from the most junior staff to the Board. Don’t underestimate the importance of culture to the regulators.

If you would like to discuss any of these issues in complete confidence, please contact us.

Kenneth Underhill

Director
Implement Compliance Solutions & Resources