Understanding and Shaping Organisational Culture to Disrupt the Cycle of Misconduct

Traditional approaches to compliance are often rote corporate exercises, focused nearly exclusively on legal, regulatory and enforcement considerations. Yet, even well-resourced compliance programmes are failing. A new approach, drawing on disciplines outside law, is required to break this cycle.

For decades, the behavioural sciences have challenged even basic assumptions about human decision-making, debunking the view of people as rational, independent actors who are predictably responsive to rules, incentives and punishments. Research indicates that people are powerfully influenced by the cultural context in which they are immersed. To understand and guide the behaviour of the individual, it is essential to understand and account for culture.

In this chapter, we take a close look at organisational culture and how it relates to corporate compliance and ethical behaviour, as well as how companies can measure and, ultimately, manage their organisational cultures.

A framework for thinking about culture

Culture can be a slippery, multi-faceted and complex concept to grasp. Some define ‘culture’ as the shared characteristics of an organisation’s members, including their collective values, goals, assumptions and knowledge.^[2] Organisational psychologist Edgar Schein defines it in terms of artefacts, espoused beliefs and values, and basic underlying assumptions.^[3] Still others define it in terms of formal systems such as policies and procedures, and informal systems such as values and social norms.^[4]

Three important cultural insights

Although not entirely congruent, these definitions offer three important insights into the complexity and nuance of corporate culture.

Culture is both the explicit and the implicit

Explicit components of culture include what is named and articulated, such as corporate values or policies and procedures. The implicit, in contrast, is what is unspoken: the subtle cues as to what is good and appropriate behaviour. This can be thought of as the cultural climate, or social norms such as social practices, standards or informal rules that guide behaviour. Culture often is felt through intangibles that are not immediately observable or identifiable but that nonetheless influence and direct behaviour.

Individuals and their cultural context are mutually reinforcing

Individuals are not static – they are both shaping and being shaped by the environments in which they are immersed.

Culture is multi-layered

There is often a main, overarching culture that is rooted in the core values or mission of an organisation and their manifestation in policies, procedures and social norms. There can also be a number of subcultures within an organisation that may be based on factors such as function and leadership personality. These different cultures and subcultures are often interacting in complex, even contradictory ways.

The Four ‘I’s

Throughout this chapter, we approach culture using a tool from the behavioural sciences that captures the complex interplay between people and the environments in which they are immersed. That tool is called the culture cycle,^[5] which breaks culture into four levels known as the Four ‘I’s: ideas, institutions, inter­actions and individuals.

1. Ideas are the broad, pervasive values and ideologies driving what is considered good, right, and moral within the organisation. They are typically set at the highest levels and cascaded down throughout the organisation.
2. Institutions refer to the formalisation of those values into policies, procedures and practices, such as incentives, training and hiring procedures.
3. Interactions refer to the lived reality of people on the ground. How are people behaving and interacting with each other? Is leadership walking the talk?
4. Finally, we consider how these forces come together to shape individuals’ perceptions of what is appropriate and the behaviours in which they are likely to engage. The individual’s behaviour either reinforces or resists each of the other levels.

Organisation as organism

When thinking about corporate culture, it can be helpful to imagine a company as a human body, a complex universe made up of smaller, interconnected systems. In the human body, DNA is the thread and the fabric that plans, organises and structures all those varied systems into a larger, cohesive whole;^[6] in a company, the corporate culture plays that role.

Diagnosing the patient versus the disease

When a disease manifests in a human body, a doctor is consulted to diagnose the problem and to prescribe the correct medication. A similar process happens when misconduct occurs in a company; the legal, compliance or investigations teams find the facts, ‘diagnose’ the problem and ‘prescribe’ corrective action.

Typically, the focus is on identifying the ‘disease’ in order to find the ‘cure’ and, in the corporate setting, that often means holding individuals accountable or identifying potential lapses in controls (or both). In the medical field, however, the question is not always what ‘kind of disease (or organism) the patient has, but rather the kind of patient the disease has attacked’.^[7] By extension, in the world of ethics and compliance, we cannot focus only on the type of misconduct that occurred in a company without also considering the type of company in which the misconduct occurred. To look at misconduct with a limited scope on the individual or controls is the same as treating a disease without considering the patient.

An example

Assume Employee A is in the process of applying for a licence to operate in another country. Employee A takes a government official out to a fancy dinner, complete with fine wine. Employee A tells the government official that if the company can operate in the country, there will be ‘plenty more lavish meals and entertainment to be had, with an endless supply of your favourite wine’. In attempting to identify the root causes of this wholly inappropriate offer, the inquiry might unfold as follows:

• Why did the employee do that? Because Employee A did not know that specific situation could constitute bribery – Employee A was going along with what everyone else was doing.
• Why did Employee A not know? Because Employee A was not properly trained.
• Why was Employee A not properly trained? Because the training made available was of a poor quality.
• Why was the training of a poor quality? Because the compliance department hired the cheapest provider to develop its training.
• Why did the company go with the cheapest option? Because it had budget constraints.
• Why did the company put such tight restrictions on its compliance budget? Because the company did not prioritise compliance.

The root cause analysis might not always be this simplistic, but it will often end in the same place. An individual’s actions are unlikely to be the beginning and the end of a story of non-compliance; more likely, the individual’s actions are also influenced by sometimes seemingly far-removed organisational priorities and decision-making – and the values that are the basis of both.

Applying the Four ‘I’s illustrates the importance of considering organisational culture at multiple levels. If we had stopped at the first question, the treatment would have been limited to the actions and interactions of individuals surrounding the misconduct (individuals and interactions). The second and third questions identified potential control-related shortcomings beyond the individuals involved; but filling control gaps may not have a lasting effect as they treat only the institutionalisation of compliance, without necessarily addressing the broader ‘why’ that led to the control failures and misconduct. A long-lasting treatment can only come from addressing the thread and the fabric that connects those systems: the corporate culture.

How culture can enable misconduct

Enforcement authorities and government regulators are increasingly focused on the role of organisational culture in corporate misconduct.

For instance, the Evaluation of Corporate Compliance Programs,^[8] a guidance document for US Department of Justice (DOJ) Criminal Division prosecutors,^[9] emphasises the important role of culture in driving effective compliance. The guidance states: ‘The effectiveness of a program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.’

Similarly, the UK Financial Conduct Authority considers culture as one of the key drivers of harm.^[10] Additionally, the UK Serious Fraud Office (SFO) has stated that corporate culture matters as much as corporate structure.^[11]

In light of these statements, it is no surprise that a strong culture of compliance – and a company’s efforts to assess and improve compliance culture over time – will be a factor in regulators’ decisions about prosecution, financial penalties and monitorships.

The Boeing 737 Max airliner scandal

The deadly consequences of a failed culture of compliance were displayed in the Boeing 737 MAX airliner scandal. From late 2016 to 2018, Boeing misled the US Federal Aviation Administration’s Aircraft Evaluation Division (FAA AED) about the integration of an important new flight stabilisation programme.^[12] As a result, the FAA AED approved the Boeing 737 MAX for commercial use with a more lenient, and cheaper, level of required pilot training than they would have otherwise.^[13] Internal company emails show that obtaining approval with the more lenient training requirement was a top priority for Boeing employees. One employee central to the scandal wrote that ‘nothing can jepordize [sic]’ the lower training requirement, and worried that they would be blamed for ‘cost[ing] Boeing tens of millions of dollars’ if that approval was not obtained.^[14] In an email in response to concerns about the relative skill of younger pilots, a chief technical pilot wrote: ‘It’s the box we’re painted into with the . . . training requirements . . . It’s a bad excuse, but what I’m being pressured into complying with.’^[15]

The planes hit the market and the result was tragic. On 29 October 2018, Lion Air Flight 610, a Boeing 737 MAX, crashed in the Java Sea near Indonesia after the new flight stabilisation programme activated – the pilots were not trained in how to respond.^[16] All 189 people on board died.^[17] Less than five months later, on 10 March 2019, Ethiopian Airlines Flight 302, another 737 MAX, crashed near Ejere, in Ethiopia, under similar circumstances, killing all on board.^[18]

The investigation and subsequent litigation implicated Boeing’s faulty compliance culture. In a civil suit, shareholders alleged that ‘Boeing’s corporate culture [had] shifted from “safety to profits-first” and “focusing on cost-cutting rather than designing airplanes”’.^[19] Contemporaneous emails indicate that employees agreed with this assessment, with one employee remarking that a relevant ‘group has created a culture of “good enough[.]” And that is an incredibly low bar. It just doesn’t cut it anymore. The cozy [sic] days with regulators are over’.^[20] The exchange continued: ‘It’s a culture issue. It takes 5-12 years (ish) to change culture. Better not waste any time making changes.’ ^[21] One Boeing engineering manager expressed frustration to the director of global operations: ‘It’s systemic. It’s culture. It’s the fact we have a senior leadership team that understand very little about the business and yet are driving us to certain objectives.’^[22]

Consequently, the DOJ focused on culture in its deferred prosecution agreement (DPA) with Boeing. The agreed corporate compliance programme described in the DPA led with a section titled ‘Commitment to Compliance’, which required that Boeing ‘create and foster a culture of ethics and compliance with the law’.^[23] Boeing directors and senior management were required to ‘provide strong, explicit, and visible support and commitment’ to compliance, and middle management were similarly required to ‘reinforce[] those standards and encourage[] employees to abide by them’.^[24]

Rolls-Royce bribery scandal

The Rolls-Royce bribery and corruption scandal is another example of cultural shortcomings catching the attention of enforcement agencies. In January 2017, the SFO and the DOJ announced they had each entered into a DPA with Rolls-Royce after years of investigation into bribery and corruption allegations that spanned decades and multiple jurisdictions.^[25] The total combined penalty against the company was US$800 million, accounting for actions in the United States, the United Kingdom and Brazil. The investigations revealed that over a period of 30 years, employees had paid bribes, including a luxury car and millions of dollars in cash, to third-party intermediaries to win contracts and obtain confidential information in Indonesia, Thailand, India, Russia, Nigeria, China and Malaysia.^[26]

At a company so large and with misconduct so widespread and varied, this was not a case of one, two or even a dozen bad actors. This was a systemic problem, deeply embedded in the company’s culture even though, as the SFO noted, Rolls-Royce had ‘a number of written policies and committees’ concerning third-party intermediaries.^[27] Rolls-Royce had the policies and procedures in place; nevertheless, these controls could not stem the flood of criminal activity. The company had even hired a consulting firm in 2009 to complete a bribery and corruption compliance review and implemented changes in response to the consultant’s recommendations. The missing element was a culture of compliance.

The misconduct permeated the organisation, with bad actors at multiple levels across multiple business lines and jurisdictions. As Lord Justice Leveson noted in his judgment in the UK DPA, the misconduct ‘involved senior (on the face of it, very senior) Rolls-Royce employees’.^[28]

For example, a memo to senior employees discussed a third party’s understanding of a previous conversation as a promise to reward him with a luxury car if a deal was secured.^[29] The memo noted that, although the car was not part of the agreement: ‘One way or another we are going to have to deliver.’^[30] The SFO found that the company ‘exhibited a culture of wilful disregard of the commission of offences’.^[31] The attitudes and actions of these senior executives, combined with the complicity of many others, enabled misconduct to spread throughout the organisation and become part of the organisation’s DNA.

The DOJ ultimately reduced Rolls-Royce’s criminal penalty, in part because the company had taken remedial measures, including dismissing responsible employees and third parties, expanding compliance procedures relating to third parties, and implementing enhanced controls to address and mitigate risks. In May 2020, the DOJ ordered the charges be dismissed because the company had effectively met its obligations under the DPA. Similarly, in February 2019, the SFO decided not to prosecute any individuals and to close the investigation into Rolls-Royce, noting that the company had taken responsibility for the misconduct and ‘embraced the need to make essential change’.^[32]

A key takeaway, therefore, is that culture is not just a buzz word or compliance fad but a true focus of enforcers and regulators both in terms of punishing misconduct and rewarding reform.^[33]

Measuring and assessing organisation culture

It has often been asserted in management circles that if you cannot measure it, you cannot manage it. Although there is debate about the origins of this aphorism and how broadly it applies, there is at least some truth when it comes to organisational culture: to shape corporate culture, it is essential to take a data-driven and human-centred approach. Without measurement, it is impossible to benchmark, track progress and determine whether change has occurred, and without putting people at the centre of an assessment, it is impossible to understand the ways in which employees are both shaping and being shaped by the culture.

A data-driven approach

Taking a data-driven approach means both analysing data that already exists within the organisation and collecting new data to answer important questions about compliance performance, effectiveness and culture.

Data can be both quantitative and qualitative. Quantitative data refers to numerical data, such as the number and nature of internal investigations, the number of reports to a company’s compliance hotline, the number and nature of policy deviations identified through continuous monitoring efforts, metrics about employee use of compliance tools and resources, or responses to scaled items on a company’s employee engagement or ethics and compliance surveys. One benefit of quantitative data is that it is readily analysable using statistics. Additionally, quantitative data is less susceptible to bias.

Qualitative data, in contrast, is non-numerical, and could include policies and procedures, codes of conduct, values statements, leader communications, standard compliance practices, and verbal or written feedback from employees about their perceptions of compliance and their experience within the organisation’s cultural ecosystem. Qualitative data can still be analysed through text analysis and by coding responses (e.g., identifying and codifying themes in the data), though this analysis introduces additional layers of subjectivity. Together, quantitative and qualitative data can tell a rich story that covers both breadth and depth.

There are also many opportunities to gather more – or better – data. In a 2018 Harvard Business Review article, Hui Chen and Eugene Soltes argue that data-driven measurement is necessary to meaningfully assess compliance effectiveness. Chen and Soltes focused their analysis specifically on the use of data to improve training outcomes.^[34] They observed that compliance training is rarely evaluated, and when it is, evaluation is typically limited to completion rates or self-reported ‘enjoyment’ of the training. These methods fail to assess whether the training accomplished its stated goals by evaluating what employees learned from the training, whether they can apply those lessons in the real world and if they remember those lessons six months after the training. Perhaps most importantly, looking only at completion rates and self-reported ‘enjoyment’ tells a company nothing about employee behaviour, social norms and the culture of compliance within the company.

Cultural assessments

A more nuanced and effective way to measure culture is through a cultural assessment, which can involve a combination of policy audits, interviews with leadership, focus groups and surveys. Cultural assessments should centre on the perspectives and experiences of people within the organisation and be rooted in a systematic collection and interpretation of available and collected data. To capture change in an organisation, cultural assessments can be conducted at multiple points in time.

The Four ‘I’s are a strong foundational framework for a cultural assessment.

Ideas

To begin, it is important to understand an organisation’s core values and mission – the ideas that shape its culture. To do so, a thorough review of values or mission statements and communications can be conducted. This can also be gathered through interviews with leadership and by a close examination of both the explicit and implicit messages that leadership sends to employees.

Questions to ask include:

• What are the core values and mission of the organisation?
• Are compliance and ethics central to the core values and mission?
• How are the values and mission communicated throughout the organisation?
• At which points throughout a day or year are the values and mission brought to employees’ attention?
• Are the values or mission physically represented in the organisation, such as on the walls or on posters?
• Are the values or mission communicated through training and in regular correspondence from leadership?

Institutionalisation

Next, a thorough audit can be conducted of existing structures, including policies, programming, training and procedures, which encapsulate the way in which foundational ideas are institutionalised at the organisation. This step involves assessing incentives, reward and punishment systems, and compliance resourcing.

Questions to ask include:

• How are people incentivised to comply with company policy and act in accordance with the organisation’s ethical standards?
• What punishment systems or sanctions are in place if misconduct occurs?
• Are there full-time or part-time employees who are dedicated to compliance and ethics?

Interactions

As social norms and peer influence are strong determinants of human behaviour, it is important to understand how employees are interacting with each other and with the organisation. Social norms can be captured through a combination of observation, focus groups and surveys.

Questions to ask include:

• Have you ever witnessed unethical behaviour within the organisation; if so, how frequently?
• To what extent do you trust the leadership’s commitment to ethics and compliance?
• How trustworthy do you think leadership is?
• Are they authentic?
• Does their conduct match their messaging?
• How ethical would you rate your peers?
• How ethical would you rate leadership?

Individuals

At the individual level, it is important to understand how people feel in the organisation and perceive the ideas, institutions and interactions. As people like to feel autonomous in their decision-making, it is also important to ensure that the compliance culture does not feel coercive or overbearing.

Questions to ask include:

• Would you report unethical behaviour; if so, in what circumstances?
• How important is it to you to work for an organisation that is ethical?
• How much do you feel that you belong at this organisation?
• To what extent do you feel included at this organisation?
• How consistent are the organisation’s values with your own?

Interventions to shape organisational culture

If the results of the cultural assessment indicate that the organisation has room to improve how it is fostering a culture of ethics and compliance, there are many interventions that can be taken.

Prioritise ethical behaviour

Often, the best place to begin is with ideas. If compliance and ethics are not central to the values and mission of the organisation, it is unlikely that the rest of the organisation will abide by those standards. For example, if the organisation prioritises short-term profits above anything else, it will be no surprise when other considerations, such as safety (as in the Boeing example), suffer.

Communicate expectations

Once compliance and ethics have been integrated into the core values and mission of the organisation, the next step is to organise a communication strategy to ensure that these values are relayed and familiarised throughout the organisation. Buy-in from leadership is essential, as employees will be looking to leaders for guidance on how to behave. Tone is neither compelling nor impactful unless it is authentic and consistent with leaders’ conduct.

Embed values in policies and practices

Next, the organisation can assess how these core values are being institutionalised in policies and practices. The values of compliance and ethics ought to permeate every aspect of the organisation, ranging from hiring and on-boarding to training, incentives and performance reviews. Incorporating compliance and ethics into the hiring process, for example, such as through questions specifically addressing ethics or the organisation’s core values, signals a strong commitment and invites the recruit to reflect on their own values and alignment with the organisation. This can lead to a greater sense of autonomy and buy-in among new employees.

Educate employees

These values should also show up consistently throughout compliance training. The training should be clear about how policies reflect the organisation’s values. This can foster a values-based approach to compliance that makes compliance about more than just following rules. Providing an ethical framework (often the ‘why’ behind the rules) contextualises the policies for employees and provides cognitive flexibility for how to think in novel situations where specific rules may not apply – or where their application may be less than obvious. Furthermore, the best compliance training sessions are often those that are grounded in reality and that help employees do their jobs – because ‘being compliant’ and ‘acting with integrity’ are not add-ons, they are foundational requirements to doing the work itself. But training – in the more traditional sense – has its limitations and is only one source of acquired knowledge within an organisation. Education also requires mentorship; it requires curiosity; and it requires day-to-day knowledge-sharing. These are all things that we would expect to see in a healthy compliance culture.

Highlight and reward ethical behaviour

Finally, to promote positive interactions and social norms, it is important to highlight the performance of employees who behave ethically. Stories of these employees can be shared so that their behaviour is celebrated and acknowledged as exemplary. It is also important to foster a psychologically safe environment in which it is acceptable to speak up and report misconduct or mistakes when they occur (or simply to ask questions in ways that promote learning and growth). This kind of environment can be fostered by leadership and managers being self-aware and willing to admit their own mistakes, preventing retaliation, having an orientation towards growth and learning, and encouraging speaking up.

Conclusion

A robust compliance programme is only one of several interconnected systems within a company that influence employee misconduct. If the compliance programme is alone in fighting misconduct, the other interconnected systems could easily overcome its efforts. Therefore, the company should look at the very fabric that develops, organises and connects all those systems: its culture.

Promoting a culture that values ethical behaviour is attainable with the right tools. Data that provides insights into an organisation’s culture is the bedrock on which a cultural assessment can then be built. By conducting a cultural assessment, organisations can benchmark where they are and track progress towards where they want to be. If improvement is needed, there are many behaviourally informed interventions that can be implemented and then tracked to measure their effectiveness. Such a data-driven and human-centred approach can have resounding effects on fostering a culture of compliance and ethics – and ultimately help to break the cycle of non-compliance that so many have struggled with for so long.

Footnotes