Taking notice of risk culture – the regulator’s approach

Following the financial crisis and a series of mis-selling and ‘rigging’ scandals in the financial services, organisational culture, and particularly the risk culture of organisations, has come to be regarded as a key issue for both financial firms and their regulators. This paper considers the extent to which regulatory published notices, ‘Final Notices’ (FNs), relating to breaches of the regulatory Handbook, are able to provide lessons, or pointers, in the development of ‘appropriate’ cultures. By undertaking a qualitative content analysis of all the FNs in 2012, we examine the extent to which FNs draw attention to issues of culture, and to the regulator’s analysis of the drivers of culture published as part of its treating customers fairly (TCF) initiative. The analysis finds that, although not easy to extract, there are important learning points in FNs relating to organisational culture, and in particular to the factors driving behaviours and outcomes that are signs of poor culture. This paper suggests that, whilst it may not be for a regulator to dictate firms’ culture, it could do much more to make use of the content of FNs as a learning tool for firms; particularly in the context of its cultural framework for TCF. This would support the ‘outcomes-based’ approach being espoused by the UK’s regulators.


Introduction
Organisational culture in financial services firms has become an important issue for the UK's regulator (Sants 2010a, 2010b; Wheatley 2012a) as well as the firms themselves (Salz 2013). In the wake of the financial crisis, significant academic attention has also been paid to risk culture within financial organisations (Ashby, Palermo, and Power 2012; FSA 2012a; McConnell 2014). Given the behaviour of 'rogue' individuals, the inadequacies of large organisations such as RBS and HSBC, and the failings of an industry as a whole as evidenced by scandals such as PPI and LIBOR (Bryce, Cheevers, and Webb 2013), it is increasingly argued that, for financial firms, an appropriate risk culture is a key element of an appropriate firm culture; that is, the acceptability of '"doing what we do" in the ordinary course of business' (IIF 2009, AIII2).
Ashby, Palermo, and Power draw attention to an increasing expansion, since the financial crisis, in the use of the term 'risk culture' in the news, and by professional bodies and consultancy firms (2012, 19). For example, in KPMG's 2008 global survey on risk management in banks, which covered over 400 professionals involved in risk management in 79 countries, it was found that 77% of participants were dedicated to establishing a more effective risk culture, with 48% citing risk culture as the element of risk management most at fault in contributing to the crisis (KPMG 2009). Again, a global financial services survey by Deloitte (2011) indicated that 29% of respondents had 'materially reformed our risk culture to improve the effectiveness of risk oversight'.
An area of regulatory development in the UK where culture has been specifically identified as a key issue is the Financial Conduct Authority's (FCA's) (formerly the Financial Services Authority's (FSA's)) Treating Customers Fairly (TCF) initiative (FSA 2001, 2004, 2006). More particularly, the key drivers and high-level indicators and contra-indicators of appropriate culture were specifically identified by the regulator and set out in its 'Treating Customers Fairly – Culture' document (FSA 2007a), establishing a 'TCF Cultural Framework' to assist firms in achieving acceptable treatment of customers in the sale of financial services products. The FSA consistently stressed the importance of 'embedding TCF into strategy and culture … [of firms]', noting that 'TCF work focuses mostly on the culture of a firm and its systems and controls' (FSA 2005, 31, 59). Since being established, the FCA has made it clear that TCF still 'remains central to our expectations of firms' conduct' (FCA 2013a), and the issue of culture remains central to its supervisory risk assessment of firms. It has also been noted elsewhere (McConnell 2014), that the TCF Cultural Framework provides a sound basis for establishing a broader risk culture framework.
One specific example of the regulator taking up the issue of culture has been its 'Thematic Review' on risks to consumers from financial incentives (FSA 2012a). This review examined the practice of 22 authorised firms, identifying the importance of culture in the context of product mis-selling. It also illustrated how good and poor practice in staff incentivisation affects the probability of mis-selling, thus providing guidance to the wider authorised community. In an appendix to the review, which supports the discussion around culture and incentives, there is a list of examples of regulatory enforcement cases with references in each case to the relevant final notice (FN). An FN is issued under s.390 of the Financial Services and Markets Act 2000 when the regulator has taken enforcement action against individuals or firms because their conduct has fallen below the standards expected by the regulator. It sets out action taken against firms or individuals for breaches of regulatory requirements and explains the nature of, and reasons for, the breach. The penalties and their publication in an FN are specifically intended to encourage change in the behaviour of the offender and deter future non-compliance by others. A broader aim of this approach is to help the regulator fulfil its statutory objectives (FCA 2013b, sec. 2). This paper starts from the position that FNs have the potential to provide guidance to firms concerning culture and behaviours, part of their objective as set out in the regulator's own Enforcement Guide (FCA 2013b). It is certainly the case that FNs are examined by those involved in the financial services sector for guidance as to the regulator's approach to specific issues (see, e.g. Brown and Rice 2012; TaylorWessing 2012), although it is less clear the extent to which the FNs are drafted with this in mind.
Given the significance of risk culture for regulated firms, this paper examines the potential use of FNs as a means of communicating how the regulator interprets the relevance of (risk) culture in an organisation; in particular, the nature of behaviours and actions which might signal what a good or bad (risk) culture looks like.
First of all, this paper reviews the literature relating to organisational and risk culture, and in particular notes the principal dichotomy between an interpretivist and objectivist approach to risk culture. In doing so, it identifies some of the key elements or features of each approach. The literature review then goes on to examine the development of the UK regulator's approach to risk culture, noting in particular the development of a cultural framework as early as 2007.
Thereafter, this paper employs a two-stage qualitative content analysis. In the first instance, it attempts to establish the extent to which the regulator specifically draws attention to the term 'culture' in FNs. It identifies, through analysis of FSA Final Notices issued in 2012 (FSAFNs), references to the notion of culture, and examines the nature of the cases where culture is specifically mentioned. In particular, it considers the extent to which elements identified as significant in the development of culture by the risk management industry are also acknowledged as important by the regulator.
Acknowledging that issues relevant to risk culture might be addressed without mentioning the word 'culture', in the second instance a similar technique is used to identify the extent to which the key drivers of culture set out by the regulator in the TCF Cultural Framework are mentioned in the FSAFNs. Having established this framework in 2007, and subsequently recognising its importance in speeches and published documents, one might expect that the key drivers and indicators of culture identified by the regulator in 2007 would, by 2012, have percolated down into its day-to-day enforcement work and be reflected in the discussion of behaviours and outcomes discussed in the FSAFNs.
The paper uses the results of this analysis to critically assess the extent to which, and the nature of, issues concerning risk culture, and specifically the cultural framework elaborated by the regulator itself, are highlighted in the FSAFNs examined. Thereafter, it considers how useful FNs are, or could be, in communicating the regulator's position concerning organisational (risk) culture, and behaviours which have the potential to drive appropriate (risk) culture within financial firms. This is important given the power of risk culture to unconsciously drive action (IIF 2009) and the work of the likes of Fahlenbrach, Prilmeier, and Stulz (2012) which suggests institutions need to learn from their behaviour.

Culture and risk management
Culture is what a group learns over a period of time as that group solves its problems of survival (Schein 1990, 111)
an organisational culture may be generally described as a set of norms, beliefs, principles and ways of behaving that together give each organisation a distinctive character (Willcoxson and Millett 2000, 93)
Organisational culture can be regarded as encapsulating the values and behaviours of a firm, as demonstrated in its business decisions and actions (Willcoxson and Millett 2000; Brooks 2010; Group of Thirty 2012). The strength of that culture is determined by the consistency of decisions and actions, made with consideration (consciously or subconsciously) of the desired outcomes of the organisation, thereby aligning daily behaviours with the principles and values of that organisation (Althonayan, Killackey, and Keith 2012). As the Institute of Risk Management (IRM) has noted, 'the culture of a group arises from the repeated behaviour of its members' (IRM 2012a, 22). To that extent, culture encapsulates a description of the 'nature' of an organisation as a whole, as well as a set of functions and practices within that organisation. Risk culture might thus be considered to be 'a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose' (IRM 2012b, 7) where 'attitudes and behaviours towards risk are both inputs to risk culture and they are also both outcomes from it' (IRM 2012a, 22).
Whilst some suggest any distinction between culture and risk culture is pointless (Power, Ashby, and Palermo 2013), it is perhaps useful to consider risk culture as inextricably entwined with, but not the same as, organisational culture. The increasing emphasis on enterprise-wide risk management in risk literature signifies the importance, when discussing organisational culture, of the alignment and consistency of risk decisions and behaviours with the broader principles, values and ways of behaving within the organisation (Althonayan, Killackey, and Keith 2012). In other words, risk culture, by its very nature, is inherently part of the fabric of organisational culture, and its nature can be shaped by the organisational culture which a firm strives to adopt.
A good risk culture?
An 'interpretivist' approach to culture focuses on the multiple interests and sensibilities within an organisation (Waring and Glendon 1998) which give rise to the 'nature' of, or epithet applied to it when encapsulating, its culture. From this perspective, culture is not framed by its rules, corporate mission or training modules; but rather by the way it grows, learns and changes in the interaction amongst its operating groups, sub-groups and ultimately individuals (Schein 1990). Culture is not delivered or inherited, but learned. Hofstede refers to it as 'the collective programming of the mind that distinguishes the members of one organisation from others' (Hofstede, Hofstede, and Minkov 2010, 6), emphasising a 'taken-for-grantedness' of (more or less) shared basic assumptions and learning (Schein 2004).
It is also important to note that, within a single organisation, there can exist a plurality of (sub)-cultures, each with its own specific effects and implications for the organisation as a whole (Willcoxson and Millett 2000). As McConnell (2014) points out, it may be important for success that a diversity of opinions within different areas of an organisation are not overwhelmed by a single, dominant, culture. Here, a more nuanced understanding of the relationships and interactions within an organisation is required, where the interplay between risk-taking sub-cultures is important for eventual outcomes (Power, Ashby, and Palermo 2013).
Operationalising culture
On the other hand, for 'scientific rationalists' (Bate 1994), culture is a more objective issue. Althonayan, Killackey and Keith (2012, 4) argue that culture 'is not an intangible concept but one which can be measured', and there are various elements which can be identified 'that signify a strong risk culture within an organization'. As Power, Ashby, and Palermo point out, 'most of the practice literature on risk culture tends to adopt an underlying conception of culture that is objectivist (culture is anchored in systems, structures and other objective features)' (2013, 17). In the UK, the IRM has developed a 'Risk Culture Aspects Model' (IRM 2012b) which, whilst not setting out an 'ideal' risk culture, nevertheless identifies features, processes and behaviours which the IRM believes an organisation should consider when assessing the appropriateness of its risk culture. These are arranged into four groups: tone at the top, governance, competency and decision-making.
'Tone at the top' refers to the nature of risk leadership and how an organisation deals with bad news. The issue of leadership is common in this type of analysis (IIF 2009, 2013; PWC 2010; Davidson et al. 2012). Equally, Schein (1990) also notes that norms and beliefs (for Schein a key feature of culture) can 'arise around the way members respond to critical incidents' (1990, 115). Governance is seen as encapsulating the transparency and timeliness of information flows, as well as accountabilities for managing risk. Again, these issues have been noted elsewhere as being important in helping to establish an appropriate (risk) culture (Ashby, Palermo, and Power 2012; IIF 2013). Competency encompasses risk resources and risk skills; that is, the resources and skills that enable the embedding of a risk infrastructure sufficient to support the desired (risk) culture. Finally, decision-making is linked to information flows in the sense that it seeks to confirm risk decisions are informed decisions, and that employee incentives reward appropriate behaviours. These issues are also underlined elsewhere (IIF 2013; McConnell 2014) as being important elements in this type of framework.
Overall, if culture is a function of repeated behaviours, then it is understandable that attempts to influence organisational culture will focus on specific behaviours, as well as identifiable systems and processes that engender those behaviours; all of which can be identified and measured and changed. Yet, what is also clear from this discussion is that whilst culture may well arise from repeated behaviours, the prevailing culture which develops can itself influence future behaviours in a mutually reinforcing process (IRM 2012a). Therefore, even as organisations may, at a practical level, focus on culture from an objectivist perspective; the 'interpretivist' approach, focusing as it does on giving 'name' to the assumptions and values underlying systems, processes and behaviours, should not be overlooked; since it is only in characterising these assumptions that one can consider their recursive influence on behaviours.
Risk culture and the regulator
A review of regulatory speeches delivered by the FSA Chairman, Chief Executive and other senior officers in the period 2010-2012 indicates culture is an essential dimension of enquiry for the regulator (see Table 1).
Whilst this review revealed a great deal of discussion about the nature of culture required from firms:
… it is about the customer being able to trust you and know the advice process is working for them. This is the culture I want to see running through your firm than through the industry … (Wheatley 2012b)
such comments are better understood as identifying what the regulator regards as appropriate outcomes. As the FSA's Director of Supervision noted: 'Very important here is the culture of the firm. We see this as a potential root cause of poor outcomes ….' (Adamson 2012). The regulator's approach does not appear to be about determining the appropriate culture of a firm, but about looking at outcomes as an indicator of, or helping to characterise, the culture of that firm. It is summed up in a speech by the then Chief Executive of the FSA:
For regulators, the starting point should be that we want the firm to have a culture which encourages individuals to make the appropriate judgements and deliver the outcomes we are seeking … The regulator's focus should therefore be on what an unacceptable culture looks like and what outcomes that drives. It should not be on defining the culture itself.
…
What should matter to the regulator are the outcomes that the culture delivers and that the firm can demonstrate it has a framework for assessing and maintaining it. (Sants 2010a)
The regulator may not wish to define 'good' culture, but it clearly wants to judge and assess it (Sants 2010b), and to 'incentivise a culture that delivers the right [regulatory] outcomes' (Sants 2012a). What makes culture visible for the regulator and enables the regulator to make judgements are the outcomes of firms' behaviour; as well as the individual behaviours, firm structures, and systems and processes which 'drive', or incentivise, those outcomes. It follows that, to encourage the 'right' culture, one must have a view on what practices or behaviours should be encouraged or avoided – for the regulator, those which facilitate, or militate against, its regulatory outcomes. One might expect these views to be communicated in FNs issued by the regulator, as these reflect the judgements of the regulator in relation to outcomes arising from behaviours and practices that should be avoided in so far as they result in outcomes the regulator does not want to see. This is particularly pertinent given the 'judgement-based' approach to regulation that has been emphasised in the wake of the financial crisis and the introduction of a new structure of regulation in the UK (Treasury 2010; Sants 2011).
Ethics, principles, culture and TCF – the regulator's existing track record
In spite of pronouncements that the regulator 'does not do ethics' (Sants 2010a, 2010b), it has in the past set out the kind of ethical model or framework, underpinning its Principles for Business, which it argued could inform the values and culture of firms (FSA 2002a). This approach envisaged regulatory dividends for firms with the right culture and values, at least in part heralding the 'principle-based' approach to regulation set out by the FSA in 2007 (FSA 2007b). Much criticised post-financial crisis, the principle-based approach has not disappeared; rather, the regulator has shifted to an 'outcomes-based' approach to achieve its objectives (see Black 2010). Importantly, the use of principles, and their 'higher level articulation of what the [regulator] expects firms to do' (Black 2010, 13) remains. If culture can be said to be 'doing what we do in the ordinary course of business', post-financial crisis, the regulator has focused on judging the outcomes of what firms do – and, by implication, judging a firm's culture.
Whilst the debate about ethics envisaged in the 2002 Discussion Paper (FSA 2002a) did not materialise, one specific initiative which took forward the efforts of the regulator to instil an ethical approach in firms was the 'TCF' initiative (Edwards 2006). The initiative found its feet in 2001 with the publication of a Discussion Paper entitled 'Treating customers fairly after the point of sale' (FSA 2001). This document pointed out the poor 'complaints culture' of financial services firms, too many of whom did not give adequate priority to complaints, nor did they use them as a means of improving service. Publishing a progress report in 2002, the FSA indicated its commitment to 'embark on a programme of work' (2002b, 10) and thus the TCF initiative was born.
Significantly, in the context of this paper, the FSA made it plain that:
Treating customers fairly (TCF) is a cultural issue. It is only through establishing the right culture that senior management can convert their good intentions into actual fair outcomes for consumers. (FSA 2007a, 2)
TCF is based on the regulator's Sixth Principle for Business: 'A firm must pay due regard to the interests of its customers and treat them fairly'. In 2006, as further guidance for firms, the regulator set out six specific outcomes it wanted its TCF initiative to deliver (FSA 2006). The first of these was that: 'Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture' (FSA 2006, 3). There followed publication in 2007 of a 'Cultural Framework Model', based on the TCF cultural outcome, which established six key drivers of TCF culture; drivers which are considered to have much wider applicability (McConnell 2014). Each driver was accompanied by indicators and contra-indicators (FSA 2007a, Annex 1). The document also contained brief scenarios covering good and poor practice, which allowed firms to consider their own circumstances. Taken together, all of these developments suggest a long-standing recognition from the regulator that it is possible, and indeed necessary, to indicate clearly to firms the types of behaviours, attitudes and practices it might expect to drive, or indicate, good and poor culture – or at least the good and poor outcomes that may be driven by that culture. The FSA made clear in 2007 that it would incorporate the TCF framework in its ARROW risk assessment of firms, thematic reviews and enforcement cases where necessary (FSA 2007a, 7-8).

Culture and Final Notices
It has been argued in relation to risk culture that, as yet, 'there is no consensus on exactly what it is or how it might be managed' by firms (Ashby, Palermo, and Power 2012, 4). That said, one of the leading risk management organisations in the UK, the IRM, has established four groups of constituent aspects of risk culture around which there is much agreement (IRM 2012b). At the same time, the UK regulator has provided a set of drivers, indicators and contra-indicators, along with examples, in relation to 'culture'. These provide, at least from an objectivist perspective, a benchmark which firms might use to assess the way they do things, i.e. their risk culture.
Therefore, if firms were to look for examples of regulatory judgements about poor culture, as well as discussion of the relevance of systems, processes, controls and behaviours to culture, they might be justified in expecting to find these in the FNs issued by the regulator. Public censure through the publication of FNs is a means by which the regulator can communicate poor behaviour to the regulatory community; and potentially, if not always successfully, seek better conduct from regulated individuals and firms (Turner 2005). Indicators of good or poor culture in a firm are likely to be found in the behaviours of the firm discussed in the relevant FN. Consequently, for others seeking guidance on what good or bad risk culture might look like, FNs could be expected to be a useful source of help in this regard. Further, this might also be expected given that the regulator's whole approach to enforcement should be designed to be in furtherance of its statutory objectives. In these circumstances, it is to those FNs we now turn for further analysis.

Methodology
The current study is composed of a two stage inductive and deductive qualitative content analysis (Mayring 2000) of FNs for the period 1 January 2012 to 31 December 2012 – the FSAFNs. The examination of FNs in research is not unique (Turner 2005); however, this is a more methodical process of content analysis (Weber 1983; Elo and Kyngäs 2008) than may have previously been carried out. The work of Linsley and Shrives (2006) and Miihkinen (2012) provides justification for content analysis when looking at risk disclosures within the accountancy profession, albeit this current methodology intends to ascertain the importance of culture in relation to regulatory behaviour.
FNs serve as notices for those who have been censured by the UK financial services regulator, but are also relevant for the behaviours of peers or other market participants. Nevertheless, whilst the pursuit of 'credible deterrence' by regulators relies on the public nature of such notices, there is no specific regulatory obligation to signpost failings in a way that assists other parties in learning from regulatory breaches. That said, given the sensitivity of businesses in relation to their failing, and therefore the lack of information generally provided by market participants in relation to such failings, FNs provide richness, transparency and robustness beyond much that otherwise exists, and are generally regarded as a significant source of information by compliance specialists. Given the FSA's focus on culture, its judgement-based approach, and increased concentration on outcomes in relation to regulated firms, it might therefore be expected that it would have used its pronouncements in the FNs as a means of communicating about behaviours of firms, and the relevance of culture in relation to those behaviours. This might particularly have been expected by 2012, at which point its post-financial crisis approach had become embedded, and it was already clear in regulatory speeches that outcomes and culture would be key issues for the new FCA regulator (see Table 1).

Sample
It was therefore decided to examine all FNs for the period 1 January 2012 to 31 December 2012 (the FSAFNs), which were obtained from the FSA website (www.fsa.gov.uk/library/communication/notices/final/2012). The initial sample of all FSAFNs returned 160 notices totalling £311,569,256 in fines, reflecting the universe of regulatory sanctions imposed by the FSA for this given year.
These notices were then filtered using the following inclusion and exclusion criteria: (1) must be issued to a firm and (2) must have at least two FSA approved persons within the firm. The rationale for this screening process is the consensus in the literature that culture as a concept relates to groups, even though it may be informed and created by individuals. Therefore, where an FSAFN was addressed to individuals alone it was excluded. However, the nature of UK financial services is that a large number of financial advisory firms are made up of one 'Approved Person', i.e. authorised by the regulator and appearing on its register, either trading as a limited company or a sole trader. Therefore, firms with only one approved person were also excluded from analysis. It was recognised that some excluded firms may employ non-approved person staff who contribute to behaviours and practices in a firm, but it was considered that a firm with two or more approved persons was more likely to be of sufficient overall size of staff to be relevant to issues of culture. A total of 53 FSAFNs met the inclusion/exclusion criteria.
The FSAFNs followed a consistent and standardised format both in tone, framing and content thus allowing for relative ease in comparability and data extraction. Importantly, an FSAFN does not suffer from the kind of bias found in data sourced from the organisations under analysis (Linsley and Shrives 2006; Miihkinen 2012), bias which may become more pronounced when communicating negative information.

Analysis techniques
The 53 FSAFNs extracted from the original sample were all initially read in order to facilitate immersion in the topic (Glenn, Champion, and Spence 2012), and were then analysed in a two stage methodology. The first stage involved a summative analysis of all FSAFNs using word search criteria that involved the words 'culture' and 'cultural' (Hsieh and Shannon 2005) with the purpose of capturing all references to the term 'culture'. Whilst it is clear that there is a range of, sometimes contestable, elements that might be regarded as together constituting an organisation's culture, their relevance and significance for the development of a firm's culture can easily be overlooked. This, in turn, makes it even more important for issues to be clearly signalled; especially, if FNs are to be useful for reflective learning by industry practitioners about their organisation's culture. The most obvious signalling is reference to the term 'culture', hence the nature of the initial search.
This created a population for further study consisting of 9 FSAFNs containing the word 'culture', with none returning a match for 'cultural'. Brief details of each Notice are set out in Table 2. Upon initial examination, it was found that in each case the issue of culture was relevant to the decision in the Notice (see Table 2).
There then followed an analysis of the context within which the issue of culture had been considered by the regulator to be relevant in each of the nine FSAFNs (Holsti 1969; Babbie 1992; Morse and Field 1995), examining for evidence of the themes established in the literature review: namely, the objectivist/interpretivist dichotomy; the relevance of sub-cultures; and the four elements identified as relevant by the IRM when assessing risk culture. Whilst it might be assumed, given the nature of the TCF Cultural Framework (discussed in more detail below), that the regulator would take a more objectivist approach in its discussion of culture, our analysis allowed this to be tested. Further, it enabled the extent of commonality between the elements of systems, processes and behaviours identified as key by a leading risk industry body (the IRM) and those identified by the regulator to be considered.
The second stage of the analysis focused on the TCF Cultural Framework Model previously discussed. It might be expected that whether or not there was direct use of the word 'culture', in the FSAFNs, the regulator would nonetheless use the elements identified in its Cultural Framework to discuss the relevance and importance of the issue of organisational culture. The analysis was deductive in nature, using the drivers specified in the Cultural Framework Model for coding (Hsieh and Shannon 2005) as it sought mention and discussion in the FSAFNs of the indicators or contra-indicators of good culture established by the regulator itself.
Given that any FN identifies a relevant breach of the regulator's Principles for Business, and Principle 6 is the 'TCF' Principle, it was considered that any FSAFN assessing behaviour relating to the drivers for culture discussed in relation to Outcome 1 of the TCF Outcomes would be most likely to involve a breach of Principle 6. In particular, if the regulator was using its own cultural framework as a means of judging and assessing culture, then evidence of this should be most apparent in those FSAFNs that involved a breach of Principle 6. A search yielded six instances of a Principle 6 breach within the sub-sample of 53 FSAFNs. We then searched for the six drivers of 'Leadership', 'Strategy', 'Decision making', 'Controls', 'Recruitment, training and competence' and 'Reward' identified in the Cultural Framework Model, amongst the six FSAFNs stated to involve a breach of Principle 6.
The two stage analysis techniques were performed by two researchers autonomously so as to improve research validity (Patton 2002) with consultation on each of the stages prior to finalisation of the data-set. The following section will now discuss the findings of this two stage analysis.

Findings and analysis

Stage 1 – the nature of risk culture
Whilst much of the discussion in the nine FSAFNs identified in Table 2 considers behaviours, the FSAFNs also make it apparent that it is not sufficient for firms to rely upon an objectivist approach in addressing risk culture within an organisation.
In some of the sample of FSAFNs, the nature of behaviours and effectiveness of systems and controls appear to be, at least in part, a function of the broader, more interpretivist, notion of culture. When the FSA noted in Case 4 that 'there was a culture within Martin Currie to seek and support the fund managers in what they wanted to do' (FSA 2012c, 7); or that in Case 7 'The historic culture of the Collections Department had been to focus on the quick recovery of arrears' (FSA 2012d, 10); it may be simpler to say that behaviours, systems and controls, are inevitably shaped by and, in some senses, reflect, a prevailing culture. This is underlined in Case 1, where the FSA noted 'there continued to be significant unresolved issues with the effectiveness of the control framework, which were exacerbated by issues in relation to culture and management information' (FSA 2012e, 22). This in turn requires firms to consider the nature of that culture, since the specific values or norms embodying that culture will have specific effects. Thus, in Case 1 it was also noted that 'the culture of optimism impeded the effective management of transactions' (FSA 2012e, 4). Recent work by Power, Ashby, and Palermo (2013) specifically draws attention to this continuum between what they refer to as objectivist and subjectivist approaches, and to the fact that the risk management industry has adopted a more objectivist approach. They emphasise the narrowness of the objectivist approach and the manner in which it may underestimate the complexity of organisations (2013, 17-18). It is submitted that an examination of the regulator's views in the FSAFNs identified could provide firms with a similar lesson.

Sub-cultures
Whilst not specifically identified as such, the regulator also highlights the significance of sub-cultures in the FSAFNs. In Case 8, 40 staff, including 11 managers, engaged in blatant LIBOR rate fixing, yet this was not reported, even by seven other managers found to be aware of the practice. This 'reckless' behaviour was traced back to 'a poor culture in its [UBS] interest rate derivatives trading business' (FSA 2012b, 36). Again, Case 4 indicates 'there was a culture within Martin Currie to seek to support the fund managers in what they wanted to do' (FSA 2012c, 7), in this case ultimately resulting in misclassification of investments, breach of investment limits on unlisted investments, breach of conflict of interest policies and an eventual payment of £5.1M in compensation.
Case 6 refers to an internal UBS report indicating 'there were weaknesses related to the culture of challenge required in the logistic and control function' (FSA 2012g, 10) – weaknesses which subsequently contributed to losses of £2.3Bn in rogue trading. Whilst the act of challenging is itself a behaviour, what actually appears to be in question is the norms and values which influence that behaviour – indicating a more interpretivist view of culture. What we see here is the regulator drawing attention to the need for firms not just to focus on behaviours, but on the character of the norms and beliefs underpinning those behaviours; and not just at a firm level, but in identifiable groupings which have their own specific norms and beliefs, i.e. sub-cultures.
There was also a second theme concerning the dominant influence of strong-minded directors and managers (Cases 2, 3 and 9) on the way things were done in (parts of) organisations. For example, in Case 9 the Chief Executive, also carrying out a broker role, was found to be responsible for 'the unacceptable pressure sales culture' (FSA 2012f, 3) at the firm, which led to a number of rule breaches. The consequences of such behaviours included lack of reporting, breaches of procedures and withholding of material from the FSA. This influence of one strong individual on a risk environment might be regarded as 'cultural capture'. It highlights the manner in which an individual, or group of individuals, can use their influence and power to enforce behaviour upon others. This can create a culture that represents the attitudes and integrity of those individuals, as opposed to the employees over whom they exert that power. It may also result in a sub-culture that is capable of undermining, or subverting, the development of an appropriate risk culture across an organisation as a whole.
What is clear from the above is that there may be a number of cultures in a firm, and their interaction, as well as the exercise of power in developing behaviours and practices, can have significant consequences. It is also clear that the discussion in the FSAFNs indicates the need to adopt a pluralist, as opposed to unitarist, conception of risk culture within an organisation (Willcoxson and Millett 2000; Ashby, Palermo, and Power 2012; McConnell 2014). Finally, it is also important for firms to appreciate the complex interaction between behaviours and the firm's culture. They need to go beyond an objectivist approach and examine the norms and values underlying specific behaviours, as well as the implications of that examination for their business.
Having established this last point, the examination of the FSAFNs, as well as regulatory statements, nevertheless highlights that a main focus when making judgements about culture concerns behaviours. The work of the IRM in this regard identified four key groups of behaviours, and therefore our next step was to consider the extent to which the FSAFNs mentioning culture could be said to highlight what risk managers would consider to be the key behaviours influencing culture (IRM 2012b).

'Tone at the top'
An examination of the FSAFNs indicates the importance of leadership; the 'tone' set by higher levels of an organisation. The most direct examples, in Cases 2, 3 and 9, draw attention to the importance of the behaviours of founders or key directors of an organisation, and the effect this can have on culture within an organisation. In these three cases, strategic decisions taken by senior managers resulted in insufficient regard being paid to the appropriate regulatory and accounting requirements for running the businesses, and in Case 9 unacceptable sales practices. In Case 7, there was a 'focus on the quick recovery of arrears' (FSA 2012d, 10), as a result of a bonus system established by senior managers; and in that Case this strategic 'tone from the top' incentivised bad practices resulting in the organisation breaching the FSA's requirements and being fined £1,225,000.

Governance
This aspect of the IRM's model refers to the timeliness and transparency of information flows in managing risk, as well as accountabilities for that management. These issues are well illustrated in the sample of FSAFNs, underlining the relevance of lack of governance in relation to the poor culture.
Case 3 highlights the failure of a Finance Director to ensure compliance with accounting standards, as well as attributing this failure to the Chief Executive of the organisation – the FD's line manager. Case 4 draws attention to a failure to manage conflict of interest which ultimately resulted in a lack of transparency of information provided to clients. Delay in identifying the conflict of interest was considered to be partly due to 'the absence of a formal control framework' (FSA 2012c, 11). Case 8 also illustrates clearly how lack of governance through inadequate systems and controls led to unfettered manipulation of published data.
As regards timeliness, Case 5 highlights the fact that, despite reporting to the FSA that implementation was imminent, the organisation had failed to complete, or disclose 'fundamental difficulties' in, the implementation of an IT system considered as essential to providing adequate information to oversee the business. The regulator concluded that the organisation failed 'to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems' (FSA 2012h, 15). Cases 1, 4, 6 and 8 also draw attention to shortcomings of governance; all highlight a failure to establish adequate (risk management) systems and controls.

Competency
The FSAFNs are illustrative of a number of issues related to risk resources and skills. Case 1 highlights the problems that can arise when there are inadequate resources or systems available to assess risk appetite or distribution. The general issue of inadequate resources leading to risk management problems is also illustrated in Cases 2, 6, 7 and 8.
Case 5 draws attention to the manner in which inadequate attention to the board structure of an organisation can result in a lack of skill and experience resulting in inadequate governance. It also draws attention to how inadequate resources and staff changes can create gaps in the 'three lines' of risk defences.
Finally, Cases 5 and 8 also highlight the need for appropriate skills. In the former case, a lack of skills prevented appropriate management information systems being implemented in a timely manner. In the latter case, problems arose as a result of the organisation's approach to the first line of defence in risk management, which assumed skills those involved did not have (FSA 2012b, 29-30).

Decision-making
This aspect of the IRM's framework considers the extent to which decisions are informed, and requires that incentives reward appropriate behaviours. Cases 1 and 6 draw attention to the problems created by mis-aligned incentives. As previously noted in relation to Case 7, an inappropriate bonus system created incentives leading to the inappropriate handling of arrears.
As regards inadequately informed decisions, the examples discussed in the 'competency' section above clearly highlight the way in which inadequate risk management resources can lead to poorly informed decisions. This position is supported by Bryce, Cheevers, and Webb (2011) when discussing the role of risk management accountability and educational awareness of staff in those areas of the business whose primary objective may not necessarily be the management of risks (or so they thought).
As in other work of the regulator, these FSAFNs draw attention to the link between incentives, behaviours and the culture within an organisation.

What does unacceptable culture look like?
This first stage of analysis illustrates clearly the potential richness of the FNs in providing evidence of, in the words of Hector Sants, 'what an unacceptable culture looks like' (Sants 2010a) – and the outcomes that transpire as a result. They address both the relevance of culture from an interpretivist perspective and the key objectivist behavioural elements which have been identified by the risk management industry as the most significant in the development of risk culture.
Nevertheless, it became clear at the data-gathering stage that the format of these documents does not lend itself readily to deriving lessons concerning the issue of culture. It might have been hoped, given the avowed importance of this issue for the regulator, that firms would have been able to discern more simply and straightforwardly the cultural lessons from the behaviour giving rise to the FSAFNs. Yet, in five of the nine relevant FSAFNs, the word 'culture' is mentioned only once; and no obviously consistent approach is adopted in signposting the issue of culture, let alone explicitly linking the specifics of the cases to the issue of culture. This is despite the fact that, as shown in this part of our analysis, the themes and issues raised in these FSAFNs illustrate the key elements raised in our literature review. Case 9 is instructive in this regard. It draws attention to a 'pressure sales culture' in the firm 'being at odds with relevant July 2007 FSA guidance in its document entitled "Treating customers fairly – culture"' (FSA 2007a) (hereafter 'the TCF culture document') which sets out the TCF Cultural Framework. Yet, although the material in Case 9 highlights a number of the key drivers and indicators of good and bad culture identified in the TCF culture document, it does not specifically identify them as such. Ironically, the firm involved was not found to have breached Principle 6 – the TCF Principle. Nevertheless, if it is possible for the regulator to address cultural issues in its FNs, even if not schematically, and if this is indeed an important issue for the regulator, then one might expect to find this approach taken more consistently in relation to breaches of the FSA's Principle for Business 6 – TCF – upon which the TCF initiative is based. In particular, it might be expected that there would be discussion of the cultural drivers and indicators discussed in the TCF culture document.
The second stage of the analysis therefore examines the extent to which the FSAFNs involve a breach of the TCF principle (Principle 6), and analyses the content of these cases in the context of the TCF cultural framework.

Stage 2 – deductive analysis of Principle 6 (TCF) breaches
Amongst the 53 FSAFNs identified as the relevant population in this study, only six involved a breach of Principle 6. All six were analysed using the framework of cultural drivers set out in the TCF Cultural Framework and explained in the various chapters of the TCF cultural document. This analysis produced the results set out in Table 3.
Once any of the drivers were identified in the six Notices, a detailed analysis was then undertaken of the context within which discussion of that driver took place.
It should be noted that when using the word 'Reward' as a search term none of the relevant Notices produced a result. Given that part of the genesis of this research was an FSA paper on 'Incentives' (FSA 2012a), and that this document appeared to use the term 'rewards' as a synonym for incentives (FSA 2012a, 13, 14, 18, 19, 28, 29), the search term 'Incentive' was also used (see Table 3).
It should also be noted that amongst the breaches of Principle 6 only one notice, Case 7, refers to 'culture', and only Case 13 refers to the TCF initiative itself – and in both instances only once. Interestingly, as Table 3 highlights, these two cases mention the broadest range of TCF cultural drivers, and therefore, one might have expected greater mention of culture and of the TCF Cultural Framework (the latter is not mentioned at all). In fact, throughout all of this research, the only mention of the TCF Cultural Framework found is in Case 9, which, as already indicated, was not found to involve a breach of Principle 6 – the TCF Principle.

Cultural drivers

Controls
This is the most commonly cited driver (see Table 3). That said, in two FSAFNs (Cases 10 and 11) the word 'control' or 'controls' was used as a reference to text contained in the FSA handbook, highlighting the type of breaches or the regulator's available powers. This does not assist in understanding the nature or context of the behaviour involved in any breach of controls; nonetheless, their presence within the notice does indicate the materiality of controls.
As regards the other three cases in which controls were mentioned, reference to failure to have adequate controls concerned both the ineffectiveness of adequate controls: 'not ensuring that these were followed in every instance' (FSA 2012d, 19); being 'aware that significant issues had been raised … but failed to take sufficient action to deal with them' (FSA 2012i, 2); as well as inadequate, or a lack of, controls (Case 12). The lack of engagement of both compliance and senior management was also identified as a control issue (Cases 7, 12 and 13). The analysis drew attention to problems concerning either the identification, collection or use of appropriate management information – for example, the failure to 'obtain and review sufficient Management Information to enable it to identify and deal with areas of concern' (FSA 2012d, 19). All of these issues are elements identified both in the TCF cultural document's discussion of 'controls', as well as in the literature on risk culture more generally.

Decision-making
These notices clearly evidence elements of the drivers for good and bad decision-making. Case 7 draws attention to a lack of clarity in the decision-making process and the recording of decisions; whilst Case 13 draws attention to the capability of those making decisions as well as lack of sufficient challenge of decisions where these appeared not to have followed guidelines. The lack of review of decisions (a contra-indicator of good TCF culture) is also emphasised in Case 12.

Recruitment/training/competence
Cases 7 and 13 identify the problems arising as a result of not having the correctly trained people undertaking tasks. The potential for conflict of interest between delivery of training and compliance monitoring (by the same unit) is also an interesting element raised in Case 7, as well as the case highlighting the importance of resources in the delivery of effective training and competence.

Reward/remuneration/incentive
Case 13 identified incentives which 'created a risk of sales agents using inappropriate objection handling techniques to discourage customers who tried to cancel their policies' and resulted in them being 'overly persistent in persuading potential customers to purchase … even after the customers had made it clear that they did not wish to buy' (FSA 2012i, 14, 19). In Case 7, the culture of the department collecting debt arrears was influenced by key performance indicators and formal bonus systems based on speed of collection of arrears which risked customers not being treated fairly.

Leadership
The only case in which the term 'leadership' appeared is Case 13, where there was concern that the 'Leadership Team' of the firm ignored the recommendations of compliance reports – consistent with indicators of poor leadership. In addition, a lack of leadership in governance arrangements was noted; in particular, the fact that a 'leadership team' appeared to take decisions outside of the firm's governance structures and which were not recorded. These appear to be contra-indicators of adequate decision-making and controls in terms of TCF culture.

Strategy
The term 'strategy' only appeared in Case 12, and its use referred to the investment strategy of the firm. The main concern in this case was the lack of review or approval of decisions about the investment strategy within the firm, and ultimately the effect this could have on policyholders. Whilst this latter point is a contra-indicator of good culture in so far as it relates to strategy, it is clear that the discussion of strategy in this case also specifically related to both decision-making and controls – see mention of Case 12 in the above discussion of decision-making. This highlights the importance of the contextual analysis undertaken.

Culture, the FSAFNs and TCF drivers
Where there has been a stated breach of Principle 6 for Businesses, our analysis shows that the discussion of the circumstances of these breaches in the FSAFNs draws attention to the drivers of TCF culture identified in the TCF culture document (although none of the six FNs involving a breach of the TCF principle referred to the TCF Cultural Framework stemming from that principle). Whilst the drivers mentioned in the TCF culture document are discussed in the notices, and do provide potential lessons for practitioners should they examine the notices carefully enough, a clear opportunity is being missed. As previously noted, the regulator's own Enforcement Guide makes it clear that one rationale for the enforcement process, including the publication of FNs, is to influence behaviour. That being the case, one might expect a regulator that wishes to influence the culture in firms, and to draw specific attention to the manner in which specific behaviours can influence that culture (see also IRM 2012a, 2012b in this regard), would take the opportunity to explicitly link the behaviour discussed in these FSAFNs with its TCF Cultural Framework. Whilst organisational risk culture and TCF culture should not be regarded as referring to the same thing, the IRM and TCF frameworks are similar in that they are both intended for use as a diagnostic tool. Equally, the importance of issues such as 'tone at the top' (leadership), controls, incentives, capability and transparency, all identified as key issues for the development of appropriate risk culture by the IRM (2012b), are also emphasised in the TCF framework. What is clear is that FNs, in conjunction with the regulator's own diagnostic tool (the TCF Cultural Framework), have the potential to guide practitioners to develop a suitable culture in their business which incorporates not only the regulator's TCF initiative, but also an appropriate organisational risk culture.

Conclusion
Our approach today is to draw conclusions about culture from what we observe about a firm – in other words, joining the dots rather than assessing culture directly. (Adamson 2013, 2)
The Director of Supervision of the FCA, the UK's new conduct regulator, is clearly concerned with the organisational risk culture in firms and its importance in ensuring the FCA achieves its statutory objectives. It is also clear, as has already been discussed, that the regulator's focus is more concerned with behaviours and outcomes than identifying a 'right' culture. Our analysis of the FSAFNs also indicates that the behaviours identified and highlighted by the regulator are very much aligned with the behaviours identified by the risk management industry as the key issues for establishing an appropriate risk culture.
That said, the regulator's judgements on regulatory behaviour, as disclosed in the FSAFNs, also indicate the relevance and importance of a broader, more interpretivist, approach to understanding culture. In highlighting this, the FSAFNs also draw attention to the limitations of the more objectivist approach embodied in a risk framework, and of the need to understand the complexity of organisations in their day-to-day activity.
What is also clear from our analysis is that despite having created the TCF Cultural Framework as a diagnostic tool in 2007, with its broad applicability to behaviours affecting culture in firms, it does not appear to be mentioned explicitly as a tool or guide in connection with appropriate behaviours, outcomes or culture. Nevertheless, what our analysis also shows is that the indicators and contra-indicators established by the Framework are discussed in the FSAFNs, but perhaps not as frequently as one might expect.
In all, having created a diagnostic tool concerned with key behaviours related to (risk) culture in firms, and with it placing increasing emphasis on firm risk culture, our research suggests that the regulator may have overlooked the potential of its work in FNs as a means of driving forward its agenda. If the 'dots' referred to can be thought of as firm behaviours, then it is submitted that FNs can be used to draw linkages between those behaviours and the norms and values which underpin them; together encapsulating the 'culture' of an organisation. In turn, this should enable the regulator to illustrate the outcomes (and, where appropriate, the poor culture) that are intimately connected with those behaviours. This is particularly likely given that the methodological approach in this paper has been focused on those FNs where such guidance would be expected to be most obvious. It may well be that the other FNs beyond the FSAFNs could also provide further guidance. Nevertheless, it is submitted that whilst the material in the FNs has the clear potential to significantly assist the regulator in achieving this objective, as they currently stand they are falling short in several ways.
Firstly, undertaking this work has illustrated the potential difficulty for busy practitioners in divining, from the regulator's comments in the FNs about the specific behaviour in individual firms, insight into lessons for the development of their own firm's risk culture. This research suggests there could be more specific signposting of matters relevant to the issue of culture in FNs as it is clear that the lessons and themes that are currently emphasised by the risk management industry are also there to be taken on board and understood in the FNs. What is also clear, however, is that this is made much more difficult for practitioners and others following the decisions of the regulator than it need be.
Secondly, having developed indicators of good and poor culture by at least 2007 in the TCF Cultural Framework, it is disappointing that subsequent discussions of culture in regulatory speeches appear to have largely ignored the potential contribution of this structured approach. What is clear from the examination of the FSAFNs involving a breach of the TCF principle is that, unsurprisingly, the drivers of TCF culture are relevant in the discussion of behaviour and outcomes in the FSAFNs; and that their incorporation in such a discussion could be a useful learning tool for firms. Indeed, other recent research has suggested this framework could also form a basis for assessing and reforming the risk culture of the banking system (McConnell 2014). It is therefore disappointing, and also surprising, that the regulator has not made much more use of this framework; both in assessing the poor outcomes it discusses in FNs, as well as in its work on risk culture more generally.
Thirdly, and following on from this last point, measures need to be taken by the regulator to more clearly integrate the drivers and indicators set out in the TCF Cultural Framework, whenever these are relevant, and signal their use in its FNs. FNs are, first and foremost, formal documents prepared by the Enforcement Division of the regulator in the context of taking action against a firm. In that sense, there has never been an explicit requirement for these documents to be formally framed as educative documents. Nevertheless, the regulator's guide to enforcement indicates that in deciding to publish its decisions it should consider 'whether the publication sets out the FSA's expectations regarding behaviour in a particular area, and if so, whether that message still has educational value' (FCA 2013b, section 6.10.A).
What is also clear from this research is that FNs do not lend themselves to ready examination, particularly in relation to identifying themes and specific issues. Remedying this might involve a change in format that recognises FNs are digested by firms, industry commentators and other interested parties, who could all benefit from an easily accessible document which is drafted in a way that clearly recognises its educative potential. One step further would be the creation of a database (as opposed to a list of pdf-formatted notices) with interrogative search functions that might promote more active learning by firms and their advisers.
Failing all of this, it may be incumbent on the regulator to undertake more analysis itself. It has already used examples of FNs in relation to discussing the culture of incentives (FSA 2012a), and it is not that great a step to provide an annual analysis of FNs in terms of the issues they raise about risk culture in an organisation (at least in the context of the outcomes the regulator wishes to achieve), based on the drivers of those outcomes.
If, as the Salz Review suggested:
The goal should be to change the tangible things about what the service does for customers and how people will do their work; gradually, this will change the culture. (Salz 2013, 177)
then the regulator's FNs provide a significant and regular opportunity to drive home this message and help firms achieve this goal. That is why the FNs are important, and that is why the financial regulators in the UK need to give greater thought to their use of FNs as a learning tool.