Mark Steward, the British Financial Conduct Authority's new head of enforcement who joined one month ago, delivered his first public speech in his new capacity at yesterday's MetricStream GRC summit in London. He chose to dwell not on enforcement but on the nebulous concept of 'culture.'

In view of the fact that he had barely begun his job, many of the Australian regulatory veteran's observations rested on experiences that he had had in the last 25 years around the world. The result was a suitably cautious first speech that stayed away from the nuts and bolts of enforcement policy.

Steward's theme of the day was how to evolve a “culture of compliance” and he found that nebulous term as difficult to define as any private bank compliance officer might. He linked good 'governance,' by which he might have meant corporate governance, to a good culture and began: “Regulators have been talking about 'culture' ever since the financial crisis [began in 2008]. 'Culture' is in danger, I guess, of becoming another buzz-term. An integrated ideal of good governance, regulatory compliance and fair process. It's an ideal. It's intangible and theoretical. It's in danger of becoming something regulators talk about but it doesn't really have any practical anchor.

“How to tell its value? We do know that without good culture there is cost. That cost might be demonstrated in significant regulatory fines, or loss of customer confidence, or new and more draconian rules and regulations, but we're still talking around the subject of what culture really is.”

How, then, to bring about this ideal that is so hard to define? Steward thought that a good starting-point was a collection of good rules and standards. He was careful to point out that regulatory rules were not like the rules of Monopoly, the board game, in which the rules absolutely govern every move, because in the real world “there is too much discretion and room in between.”

Secondly, he wanted to see boards understand the business that they are supposed to be governing in detail. This, he thought, meant (i) knowing how the front line, middle management and senior management operate; (ii) understanding risks; (iii) doing something to mitigate them. He once, he recalled, asked a financial firm to present him with its board papers in relation to heavy sales of a complex product that carried a significant amount of risk to customers. He hoped to see an an accurate account of the product's nature, the risks associated with it, the sorts of customers for whom it might be useful; how it was going to be sold; measures to ensure that staff really knew what they were selling; what training they had had to ensure that they could answer questions that customers might have to ensure that they could sell the product in a suitable way. None of those things materialised, just a piece of paper that described how much money could be made. This, he thought, was a demonstration of what could go wrong when a firm failed to understand risks, although he did not mention what happened next.

Thirdly, he said that senior managers at firms could hardly be expected to watch everything at the same time, so they need to approve systems and controls to ensure that the business is operating effectively.

Steward thought, however, that this could lead to further problems. He added: “There needs to be a healthy dosage of reality. Systems and controls can lull you into a false sense of security.” He added: “I've seen institutions with first-class systems and controls, but they existed in a manual, in a book, on an intranet site. I've seen organisations where good systems and controls have been implemented, but a long time ago and they haven't been kept up. These problems were quite fatal to these businesses.”Nevertheless, he acknowledged that systems and controls can give an organisation a measure of predictability.

He thought, moreover, that the predictability that systems and controls bring can be exploited by the unscrupulous. Most rogue traders, he thought, exploited gaps in systems that were designed to protect the business. The problem here, he said, that the system was never designed from the point of view of the rogue trader or with his perspective in mind.

Steward's criteria for a good culture also included an interest in execution and an ability to lead and engender leadership and “to influence across an organisation.” He then came on to the thorny problem of how to gauge the quality of the culture at a firm, for which there is no standard regulatory metric. He thought that three things stood out:

• how quickly it takes for staff to escalate problems up to the compliance department or senior managers;
• how many problems are not identified or fixed until they have “gone past their use-by date” (this is a reference to the imperative of nipping problems in the bud as a matter of routine); and
• how difficult it is to fix problems in the organisation.

Steward did admit that the balance to strike was a delicate one. It was obvious during his speech, however, that he was fascinated by the ability of firms to “nip things in the bud” and “quickly detect and uproot problems.” Whether this fascination will find its way into his enforcement policy, only time will tell.