Understanding and Shaping Organisational Culture to Disrupt the Cycle of Misconduct
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
We have left the most important coding of human conduct, the legal code, in the hands of behavioral novices.
Traditional approaches to compliance are often rote corporate exercises, focused nearly exclusively on legal, regulatory and enforcement considerations. Yet, even well-resourced compliance programmes are failing. A new approach, drawing on disciplines outside law and focused on human behaviour and evidence-based decision-making, is required to break this cycle.
For decades, the behavioural sciences have challenged even basic assumptions about human decision-making, debunking the view of people as rational, independent actors who are predictably responsive to rules, incentives and punishments. Research indicates that people are powerfully influenced by the cultural context in which they are immersed. To understand and guide the behaviour of the individual, it is essential to understand and account for culture.
In this chapter, we take a close look at organisational culture and how it relates to corporate compliance and ethical behaviour, as well as how companies can measure and, ultimately, manage their organisational cultures.
Approaches to understanding, measuring and changing organisational culture in the commercial world have evolved over the past few years. While organisational culture has been the subject of much academic study, academic findings are now being translated for use by organisations themselves.
Before delving more deeply into organisational culture, it would be useful to define a number of terms that will likely be heard in this space in the coming years. In the following list, the terms are ordered by their level of specificity, with the first three referring to targeted fields of study and the last three referring to sweeping approaches to scientific inquiry:
- Industrial and organisational psychology: The study of people in the workplace.
- Social psychology: The study of how people are influenced by the real or imagined presence of others.
- Cultural psychology: The study of how people shape and are shaped by their cultural context.
- Behavioural science: An umbrella term used to describe many fields of study focused on human behaviour, including psychology and its sub-disciplines (e.g., social psychology and cognitive neuroscience), economics, anthropology and sociology.
- Reductionism: Often described as mechanistic, a reductionist approach is linear, oriented towards understanding cause-and-effect relationships and premised on the assertion that by reducing a whole to its parts, even the most complex object or system can be understood. This approach works well if the context for a decision complicated. According to the Cynefin Framework (a tool to assist in decision-making), complicated contexts have clear ‘right answers’ that may require special expertise, such as a mechanic repairing a machine.
- Complexity science: Complex contexts, in contrast, have no right answers. Complexity science studies systems that have many individual components that interact with one another. Those systems are referred to as ‘complex systems.’ Within those systems, local interactions can give rise to self-organisation without the influence of leaders or authorities. Examples of complex systems include the interactions of neurons in the brain, ants in a colony and people in organisations.
Much of the research done to date in the behavioural sciences has been conducted through a lens of reductionism, often failing to recognise the complex relationship between people and their cultural context. For instance, mainstream psychology journals are filled with research conducted with samples of undergraduate students in WEIRD (western, educated, industrialised, rich and democratic) contexts. Organisations, in contrast, operate in a range of contexts with employees from diverse backgrounds. Universal claims about human psychology, which are used to define and influence organisational culture, are nevertheless made based on these limited and biased samples.
Cultural psychology emerged as a field to centre and uplift the many ways in which psychological processing is not universal but very locally shaped; therefore, while much of the research in the field of psychology has tended towards reductionism, cultural psychology has, in large part, been defined by its acknowledgement of diversity and complexity.
A framework for thinking about culture
Culture can be a slippery, multifaceted concept to grasp. Some define ‘culture’ as the shared characteristics of an organisation’s members, including their collective values, goals, assumptions and knowledge. Organisational psychologist Edgar Schein defines it in terms of artefacts, espoused beliefs and values, and basic underlying assumptions. Still, others define it in terms of formal systems, such as policies and procedures, and informal systems, such as values and social norms.
Three important cultural insights
Although not entirely congruent, these definitions offer three important insights into the complexity and nuance of corporate culture.
Culture is both the explicit and the implicit
Explicit components of culture include what is named and articulated, such as corporate values or policies and procedures. The implicit, in contrast, is what is unspoken: the subtle cues as to what is good and appropriate behaviour. This can be thought of as the cultural climate or social norms, such as social practices, standards or informal rules that guide behaviour. Culture often is felt through intangibles that are not immediately observable or identifiable but that nonetheless influence and direct behaviour.
Individuals and their cultural context are mutually reinforcing
Individuals are not static – they are both shaping and being shaped by the environments in which they are immersed.
Culture is multi-layered
There is often a main, overarching culture that is rooted in the core values or mission of an organisation and their manifestation in policies, procedures and social norms. There can also be a number of subcultures within an organisation that may be based on factors such as function and leadership personality. These different cultures and subcultures are often interacting in complex, even contradictory ways.
The Four ‘I’s
Throughout this chapter, we approach culture using a tool from cultural psychology that captures the complex interplay between people and their environments. That tool is called the culture cycle, which breaks culture into four levels known as the Four ‘I’s: ideas, institutions, interactions and individuals.
- Ideas are the broad, pervasive values and ideologies driving what is considered good, right and moral within the organisation. They are typically set at the highest levels and cascaded down throughout the organisation.
- Institutions refer to the formalisation of those values into policies, procedures and practices, such as incentives, training and hiring procedures.
- Interactions refer to the lived reality of people on the ground. How are people behaving and interacting with each other? Is leadership practicing what they preach?
- Finally, consideration is made of how these forces come together to shape individuals’ perceptions of what is appropriate and the behaviours in which they are likely to engage. The individual’s behaviour either reinforces or resists each of the other levels.
Organisation as organism
When thinking about corporate culture, it can be helpful to imagine a company as a human body – a complex universe made up of smaller, interconnected systems. In the human body, DNA plans, organises and structures all those varied systems into a larger, cohesive whole; in a company, the corporate culture plays that role.
Diagnosing the patient versus the disease
When a disease manifests in a human body, a doctor is consulted to diagnose the problem and to prescribe the correct medication. A similar process happens when misconduct occurs in a company; the legal, compliance or investigations teams find the facts, diagnose the problem and prescribe corrective action.
Typically, the focus is on identifying the ‘disease’ to find the ‘cure’. In the corporate setting, that often means holding individuals accountable or identifying potential lapses in controls (or both). In the medical field, however, the question is not always what ‘kind of disease (or organism) the patient has, but rather the kind of patient the disease has attacked’. By analogy, in the world of ethics and compliance, not only the type of misconduct that occurred in a company must be considered but also the type of company in which the misconduct occurred. To look at misconduct with a limited scope on individuals or controls is the same as treating a disease without considering the patient.
Assume Employee A is in the process of applying for a licence to operate in another country. Employee A takes a government official out to a fancy dinner, complete with fine wine. Employee A tells the government official that if the company can operate in the country, there will be ‘plenty more lavish meals and entertainment to be had, with an endless supply of your favourite wine.’ In attempting to identify the root causes of this wholly inappropriate offer, the inquiry might unfold as follows:
- Why did the employee do that? Because Employee A did not know that specific situation could constitute bribery – Employee A was going along with what everyone else was doing.
- Why did Employee A not know? Because Employee A was not properly trained.
- Why was Employee A not properly trained? Because the training made available was of a poor quality.
- Why was the training of a poor quality? Because the compliance department hired the cheapest provider to develop its training.
- Why did the company go with the cheapest option? Because it had budget constraints.
- Why did the company put such tight restrictions on its compliance budget? Because the company did not prioritise compliance.
The root cause analysis might not always be this simplistic, but it will often end in the same place. An individual’s actions are unlikely to be the beginning and the end of a story of non-compliance. More likely, the individual’s actions are also influenced by seemingly far-removed organisational priorities and decision-making – and the values that are the basis of both.
Applying the Four ‘I’s illustrates the importance of considering organisational culture at multiple levels. If the analysis had stopped at question (1), the treatment would have been limited to the actions and interactions of individuals surrounding the misconduct (individuals and interactions). Questions (2) and (3) identified potential control-related shortcomings beyond the individuals involved. Filling control gaps, however, may not have a lasting effect as they treat only the institutionalisation of compliance, without necessarily addressing the broader ‘why’ that led to the control failures and misconduct. A long-lasting treatment can only come from addressing that which connects those systems: the complex system that is corporate culture.
How culture can enable misconduct
Enforcement authorities and government regulators are increasingly focused on the role of organisational culture in corporate misconduct.
For instance, the Evaluation of Corporate Compliance Programs, a guidance document for US Department of Justice (DOJ) Criminal Division prosecutors, emphasises the important role of culture in driving effective compliance. The guidance states: ‘The effectiveness of a program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.’
Similarly, the UK Financial Conduct Authority considers culture a key driver of conduct. Additionally, the UK Serious Fraud Office (SFO) has stated that corporate culture matters as much as corporate structure.
In light of these statements, it is no surprise that a strong culture of compliance – and a company’s efforts to assess and improve compliance culture over time – will be a factor in regulators’ decisions about prosecution, financial penalties and monitorships.
Boeing 737 Max airliner scandal
The deadly consequences of a failed culture of compliance were displayed in the Boeing 737 MAX airliner scandal. From late 2016 to 2018, Boeing misled the US Federal Aviation Administration’s Aircraft Evaluation Division (FAA AED) about the integration of an important new flight stabilisation programme. As a result, the FAA AED approved the Boeing 737 MAX for commercial use with a more lenient, and cheaper, level of required pilot training than they would have otherwise. Internal company emails show that obtaining approval with the more lenient training requirement was a top priority for Boeing employees. One employee central to the scandal wrote that ‘nothing can jepordize [sic]’ the lower training requirement, and worried that they would be blamed for ‘cost[ing] Boeing tens of millions of dollars’ if that approval was not obtained. In an email in response to concerns about the relative skill of younger pilots, a chief technical pilot wrote: ‘It’s the box we’re painted into with the . . . training requirements . . . It’s a bad excuse, but what I’m being pressured into complying with.’
The planes hit the market and the result was tragic. On 29 October 2018, Lion Air Flight 610, a Boeing 737 MAX, crashed in the Java Sea near Indonesia after the new flight stabilisation programme activated. The pilots were not trained in how to respond. All 189 people on board died. Less than five months later, on 10 March 2019, Ethiopian Airlines Flight 302, another 737 MAX, crashed near Ejere, Ethiopia, under similar circumstances, killing all on board.
The investigation and subsequent litigation implicated Boeing’s faulty compliance culture. In a civil suit, shareholders alleged that ‘Boeing’s corporate culture [had] shifted from “safety to profits-first” and “focusing on cost-cutting rather than designing airplanes”’. Contemporaneous emails indicate that employees agreed with this assessment, with one employee remarking that a relevant ‘group has created a culture of “good enough[.]” And that is an incredibly low bar. It just doesn’t cut it anymore. The cozy [sic] days with regulators are over’. The exchange continued: ‘It’s a culture issue. It takes 5-12 years (ish) to change culture. Better not waste any time making changes.’  One Boeing engineering manager expressed frustration to the director of global operations: ‘It’s systemic. It’s culture. It’s the fact we have a senior leadership team that understand very little about the business and yet are driving us to certain objectives.’
Consequently, the DOJ focused on culture in its deferred prosecution agreement (DPA) with Boeing. The agreed corporate compliance programme described in the DPA led with a section titled ‘Commitment to Compliance’, which required that Boeing ‘create and foster a culture of ethics and compliance with the law.’ Boeing directors and senior management were required to ‘provide strong, explicit, and visible support and commitment’ to compliance, and middle management were similarly required to ‘reinforce those standards and encourage employees to abide by them.’
While the plane itself is a complicated piece of equipment that in theory only requires expertise to operate, this example speaks to the importance of attending to the broader complex system in which these machines are being used.
Measuring and assessing organisation culture
It has often been asserted in management circles that if you cannot measure it, you cannot manage it. Although there is debate about the origins of this aphorism and how broadly it applies, there is at least some truth when it comes to organisational culture: to shape corporate culture, it is essential to take a data-driven and human-centred approach. Without measurement, it is impossible to benchmark, track progress and determine whether change has occurred, and without putting people at the centre of an assessment, it is impossible to understand the ways in which employees are both shaping and being shaped by the culture.
A data-driven approach
Taking a data-driven approach means both analysing data that already exists within the organisation and collecting new data to answer important questions about compliance performance, effectiveness and culture.
Data can be both quantitative and qualitative. Quantitative data refers to numerical data, such as the number of internal investigations, the number of reports to a compliance hotline, the number of policy deviations identified through continuous monitoring efforts, metrics about employee use of compliance tools and resources, or employee responses to survey items with numerical scales. One benefit of quantitative data is that it is readily analysable using statistics. Additionally, quantitative data is less susceptible to bias.
Qualitative data, in contrast, is non-numerical, and could include policies and procedures, codes of conduct, values statements, leader communications, standard compliance practices, and verbal or written feedback from employees about their perceptions of compliance and their experience within the organisation’s cultural ecosystem. Qualitative data can still be analysed through text analysis and by classifying responses (e.g., identifying and codifying themes in the data), though this analysis introduces additional layers of subjectivity. Together, quantitative and qualitative data can tell a rich story that covers both breadth and depth.
There are also many opportunities to gather more – or better – data. In a 2018 Harvard Business Review article, Hui Chen and Eugene Soltes argue that data-driven measurement is necessary to meaningfully assess compliance effectiveness. Chen and Soltes focused their analysis specifically on the use of data to improve training outcomes. They observed that compliance training is rarely evaluated, and when it is, evaluation is typically limited to completion rates or self-reported ‘enjoyment’ of the training. These methods fail to assess whether the training accomplished its stated goals by evaluating what employees learned from the training, whether they can apply those lessons in the real world and if they remember those lessons six months after the training. Perhaps most importantly, looking only at completion rates and self-reported ‘enjoyment’ tells a company nothing about employee behaviour, social norms and the culture of compliance within the company.
A more nuanced and effective way to measure culture is through a cultural assessment, which can involve a combination of policy audits, interviews with leadership, focus groups and surveys. Cultural assessments should centre on the perspectives and experiences of people within the organisation and be rooted in a systematic collection and interpretation of available and collected data. To capture change in an organisation, cultural assessments can be conducted at multiple points in time.
The Four ‘I’s are a strong foundational framework for a cultural assessment.
To begin, it is important to understand an organisation’s core values and mission – the ideas that shape its culture. To do so, a thorough review of values or mission statements and communications can be conducted. This can also be gathered through interviews with leadership and by a close examination of both the explicit and implicit messages that leadership sends to employees.
Questions to ask include:
- What are the core values and mission of the organisation?
- Are compliance and ethics central to the core values and mission?
- How are the values and mission communicated throughout the organisation?
- At which points throughout a day or year are the values and mission brought to employees’ attention?
- Are the values or mission physically represented in the organisation, such as on the walls or on posters?
- Are the values or mission communicated through training and in regular correspondence from leadership?
Next, a thorough audit can be conducted of existing structures, including policies, programming, training and procedures, which encapsulate the way in which foundational ideas are institutionalised at the organisation. This step involves assessing incentives, reward and punishment systems and compliance resourcing.
Questions to ask include:
- How are people incentivised to comply with company policy and act in accordance with the organisation’s ethical standards?
- What punishment systems or sanctions are in place if misconduct occurs?
- Are there full-time or part-time employees who are dedicated to compliance and ethics?
As social norms and peer influence are strong determinants of human behaviour, it is important to understand how employees are interacting with each other and with the organisation. Social norms can be captured through a combination of observation, focus groups and surveys.
Questions to ask include:
- Have you ever witnessed unethical behaviour within the organisation? If so, how frequently?
- To what extent do you trust the leadership’s commitment to ethics and compliance?
- How trustworthy do you think leadership is?
- Are they authentic?
- Does their conduct match their messaging?
- How ethical would you rate your peers?
- How ethical would you rate leadership?
At the individual level, it is important to understand how people feel in the organisation and perceive the ideas, institutions and interactions. As people like to feel autonomous in their decision-making, it is also important to ensure that the compliance culture does not feel coercive or overbearing.
Questions to ask include:
- Would you report unethical behaviour; if so, in what circumstances?
- How important is it to you to work for an organisation that is ethical?
- How much do you feel that you belong at this organisation?
- To what extent do you feel included at this organisation?
- How consistent are the organisation’s values with your own?
Interventions to shape organisational culture
If the results of the cultural assessment indicate that the organisation has room to improve how it is fostering a culture of ethics and compliance, there are many interventions that can be taken.
Prioritise ethical behaviour
Often, the best place to begin is with ideas. If compliance and ethics are not central to the values and mission of the organisation, it is unlikely that the rest of the organisation will abide by those standards. For example, if the organisation prioritises short-term profits above anything else, it will be no surprise when other considerations, such as safety (as in the Boeing example), suffer.
Once compliance and ethics have been integrated into the core values and mission of the organisation, the next step is to organise a communication strategy to ensure that these values are relayed and familiarised throughout the organisation. Buy-in from leadership is essential, as employees will be looking to leaders for guidance on how to behave. Tone is neither compelling nor impactful unless it is authentic and consistent with leaders’ conduct.
Embed values in policies and practices
Next, the organisation can assess how these core values are being institutionalised in policies and practices. The values of compliance and ethics should permeate every aspect of the organisation, ranging from hiring and on-boarding to training, incentives and performance reviews. Incorporating compliance and ethics into the hiring process, for example, such as through questions specifically addressing ethics or the organisation’s core values, signals a strong commitment and invites the recruit to reflect on their own values and alignment with the organisation. This can lead to a greater sense of autonomy and buy-in among new employees.
These values should also show up consistently throughout compliance training. The training should be clear about how policies reflect the organisation’s values. This can foster a values-based approach to compliance that makes compliance about more than just following rules.
Providing an ethical framework (often the ‘why’ behind the rules) contextualises the policies for employees and provides cognitive flexibility for how to think in novel situations where specific rules may not apply – or where their application may be less than obvious. Furthermore, the best compliance training sessions are often those that are grounded in reality and that help employees do their jobs – because ‘being compliant’ and ‘acting with integrity’ are not add-ons, they are foundational requirements to doing the work itself.
But training – in the more traditional sense – has its limitations and is only one source of acquired knowledge within an organisation. Education also requires mentorship, curiosity and day-to-day knowledge-sharing. These are all things that are expected to be present in a healthy compliance culture.
Highlight and reward ethical behaviour
Finally, to promote positive interactions and social norms, it is important to highlight the performance of employees who behave ethically. Stories of these employees can be shared so that their behaviour is celebrated and acknowledged as exemplary.
At the beginning of 2023, the DOJ announced its focus on the use of financial compensation systems to foster ethical behaviour. Financial incentives can be an item in the company’s ‘rewards toolkit’; however, they are not and should not be the only one: different individuals weigh financial rewards differently.
In addition, research shows inconsistent data regarding the effectiveness of financial compensation, speaking to the complexity of the system and the limitations of simple ‘carrot and stick’ approaches. Here, a cultural assessment is even more crucial to inform the right incentive to effectively foster ethical behaviour.
It is also important to foster a psychologically safe environment in which it is acceptable to speak up and report misconduct or mistakes when they occur (or simply to ask questions in ways that promote learning and growth). This kind of environment can be fostered by leadership and managers being self-aware and willing to admit their own mistakes, preventing retaliation, having an orientation towards growth and learning, and encouraging speaking up.
A robust compliance programme is only one of several interconnected, complex systems within a company that influence employee misconduct. If the compliance programme is alone in fighting misconduct, the other interconnected systems could easily overcome its efforts; therefore, the company should look at its culture, which develops, organises and connects all those systems.
Promoting a culture that values ethical behaviour is attainable with the right tools. Data that provides insights into an organisation’s culture is the bedrock on which a cultural assessment can then be built. By conducting a cultural assessment, organisations can benchmark where they are and track progress towards where they want to be. If improvement is needed, there are many behaviourally informed interventions that can be implemented and then tracked to measure their effectiveness.
Such a data-driven and human-centred approach can have resounding effects on fostering a culture of compliance and ethics – and ultimately help to break the cycle of non-compliance that so many have struggled with for so long.
 Zachary Coseglia is co-founder and managing principal and Caitlin Handron is a senior lab consultant and behavioural scientist at R&G Insights Lab; Amanda Raad is a partner at Ropes & Gray International LLP and co-founder of R&G Insights Lab; and Leah Dowd, Jeffrey Irwin and Karina Thomas are associates at Ropes & Gray International LLP. The authors are deeply grateful to R&G Insights Lab members Hui Chen, Megan Zwiebel, and Nitish Upadhyaya for their insightful feedback on this chapter.
 Benjamin van Rooij and Adam Fine, The Behavioral Code, Beacon Press, 2021, p. 10.
 The Cynefin Company, ‘The Cynefin Framework’, www.thecynefin.co/about-us/about-cynefin-framework (accessed 11 August 2023).
 Shelby D Hunt, Van R Wood and Lawrence B. Chonko, ‘Corporate ethical values and organizational commitment in marketing’, Journal of marketing, Vol. 53, No. 3, 1989, pp. 79–90.
 Edgar H Schein, ‘Organizational culture’, American Psychologist, Vol. 45, No. 2, 1990, pp. 109–19.
 John R Graham, Campbell R Harvey, Jillian Popadak and Shiva Rajgopal, ‘Corporate culture: Evidence from the field’, No. w23255, National Bureau of Economic Research, 2017; Linda K Trevino and Katherine A Nelson, Managing business ethics: Straight talk about how to do it right, John Wiley & Sons, 2021.
 Hazel R Markus and Shinobu Kitayama, ‘Cultures and selves: A cycle of mutual constitution’, Perspectives on Psychological Science, Vol. 5, No. 4, 2010, pp. 420–30.
 DNA ‘is the molecule that carries genetic information for the development and functioning of an organism. . . . The sequence of the bases along DNA’s backbone encodes biological information, such as the instructions for making a protein or RNA molecule.’ (National Human Genome Research Institute, ‘Deoxyribonucleic acid (DNA)’, updated 10 August 2023, www.genome.gov/genetics-glossary/Deoxyribonucleic-Acid (accessed 11 August 2023)).
 Andrew R Robinson (Professor of Dermatology, New York Polyclinic), ‘Dermatology, Sycosis’, in Prince A Morrow (ed.), A system of genito-urinary diseases, syphilology and dermatology, Vol. 3, D Appleton and Company, 1893/4, p. 891, (accessed 11 August 2023).
 See Chapter 3 on ‘US Compliance Requirements’ in this Guide.
 US Department of Justice (DOJ), Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (updated March 2023).
 UK Financial Conduct Authority, ‘From Zeroes to Heroes: How culture in financial services can change for everyone’s benefit’, speech by Emily Shepperd at City and Financial Global’s 8th Annual Culture and Conduct Forum for the Financial Services Industry, 29 November 2022, www.fca.org.uk/news/speeches/zeroes-heroes-how-culture-financial-services-can-change-everyones-benefit (accessed 11 August 2023).
 UK Serious Fraud Office, ‘The Nature of Compliance’, speech by Alun Milford at the Cambridge Symposium on Economic Crime 2015, Jesus College, Cambridge, 8 September 2015, www.sfo.gov.uk/2015/09/08/the-nature-of-compliance (accessed 11 August 2023).
 DOJ, Press Release, ‘Boeing Charged with 737 Max Fraud Conspiracy and Agrees to Pay over $2.5 Billion’, 7 January 2021, www.justice.gov/opa/pr/boeing-charged-737-max-fraud-conspiracy-and-agrees-pay-over-25-billion (accessed 11 August 2023).
 U.S. v. The Boeing Co., No. 21-CR-005-O, 7 January 2021, Deferred Prosecution Agreement at A-3 (Boeing DPA).
 ibid. at A-6.
 ibid. at 3.
 ibid. at A-14 to A-15.
 ibid. at A-14.
 In Re The Boeing Company Derivative Litigation, C.A. No. 2019-0907-MTZ, 7 September 2021 (In Re Boeing) at 8.
 Boeing DPA at 64.
 ibid. at 64–65.
 In Re Boeing, n. 83.
 Boeing DPA at C-1.
 Hui Chen and Eugene Soltes, ‘Why compliance programs fail and how to fix them’, Harvard Business Review, Vol. 96, No. 2, 2018, pp. 116–25.
 DOJ, ‘Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime’, 2 March 2023, www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national (accessed 11 August 2023).
 Uri Gneezy, Stephan Meier and Pedro Rey-Biel, ‘When and Why Incentives (Don’t) Work to Modify Behavior’, Journal of Economic Perspectives, Vol. 25, No. 4, 2011, pp. 191-210.