Thriving in an era of scrutiny - Recommended actions

Thriving in an era of scrutiny

Get involved in assessing culture

Legal and compliance leaders should be involved in assessing culture to help ensure any cultural assessment stands up to regulatory and legal scrutiny

Undertaking a culture assessment is a multi‑disciplinary project and will produce more insightful results if it is undertaken as a cross‑functional endeavour. It is critical that legal and compliance teams are involved. The findings of the assessment can have serious implications for the Board and the company under criminal and civil law. For example, should a criminal offence covered by Australia's Criminal Code Act 1995 (Cth) (Criminal Code) be committed by an employee or an agent of the company, and a corporate culture assessment found a company had a culture that tolerated non‑compliance with the law, a prosecutor might use such an assessment as evidence with which to attribute the company with liability under the corporate culture provisions of the Criminal Code. Legal and compliance functions can help ensure the findings of the assessment are based on evidence and articulated accurately.

The law increasingly regulates culture directly and indirectly. In Australia, recent examples include the new corporate and tax whistleblower regime, and the introduction of modern slavery reporting requirements at Commonwealth and NSW level. The latter is an example of a law requiring corporations to police the culture not just within its own organisation but also within its broader supply chain.

In addition, the law and regulators focus on the following key drivers of culture:

  • Governance
  • Tone from the top and oversight from the Board and senior management
  • Accountability
  • Issue, incident and risk escalation and management
  • Approach to compliance
  • Remuneration and incentive structures.

Regulators are increasingly active in assessing culture and expecting corporations to do the same. Legal and compliance functions can help ensure these drivers are assessed properly. Further, as many of these drivers are themselves influenced by compliance and legal functions, both can make important contributions to the assessment process.

Clearly articulate culture strategy

There must be clearly articulated culture and explanation of how that relates to the corporation's strategy, organisational structure and governance.

Of course, there is no such thing as a ‘one size fits all’ culture. Each organisation is different, and assigns its values and priorities accordingly. Similarly, there is no rule about the required components of a corporate culture. What is clearer, however, is how both regulators and the courts assess the articulation of culture within an organisation, and how, in turn, that culture is reviewed, communicated and enforced.

For example, whether there is a ‘culture of compliance’ within a commercial organisation is often a relevant a consideration in civil penalty decisions. Among the factors relevant to the Federal Court’s decision to impose civil penalties for an infringement of Australia's Competition and Consumer Act 2010 (Cth) (CCA) is whether the company has a corporate culture conducive to compliance with the CCA and takes corrective measures in response to an acknowledged contravention.

Similarly, should penalties be imposed, the court will examine whether there is a substantial compliance program in place which was actively implemented, and whether the implementation was successful (ie, whether the contravention was an isolated incident). That is, was the compliance policy ‘one to which mere lip-service’ was paid.5

Other relevant factors based on case law to date include:

  • whether the program was regularly updated and involved employees attending lectures or seminars at regular intervals including in the period covering the contravention;
  • whether the compliance program required attendance by key staff involved in the contravention (ie, those with exposure to competition law risk);
  • evidence of lack of commitment by senior executives; and
  • whether the company voluntarily addressed any deficiencies in the compliance program when the contravention came to its attention.

The project

A new approach to the tendering process and public-private collaboration led to a world-leading social infrastructure development in the Ravenhall Prison Project, which opened in late 2017.

The 1300-bed facility, located in Melbourne's west, introduced the first 'payment by results' model to the market. Four primary service providers and a broad range of additional services providers, representing both the public and private sectors, worked together on a complex operating model to address behavioural, educational, and drug and alcohol issues.

The GEO Consortium (The GEO Group, Capella Capital, John Holland and Honeywell), advised by Allens, won the role to design, build, maintain and operate the prison over a 25-year period.

With a focus on new and long-term ways to reduce the risk of future crimes, the project is expected to have a significant impact on re-offending rates and, in turn, significant benefits for the wider community. It has also boosted the local economy, creating thousands of jobs during the construction period and additional jobs during operations.

The project involved the coordination of five service providers (including a government body, Forensicare, which was integrated into the consortium offering as a 'nominated contractor'), making it the most complex integrated service offering delivered through an Australian PPP.

On completion the prison represented the largest 'whole of life' investment in a prison ever undertaken by a government (approximately $6 billion). Its service model and outcomes focus were world-leading.

Allens' role

Allens played a central role in refining the performance regime to ensure it incentivised the right behaviours. This regime formed the basis of the performance regime adopted in the subsequent Grafton Prison PPP as well as the majority of operating arrangements since.

The complexity of the project's integrated service offering played to Allens' strengths in dealing with complexity and developing new structures to address it.

Allens was awarded the 2015 Infrastructure Partnerships Australia (IPA) Advisory Excellence award for its work advising the GEO Consortium.

Ravenhall was incredibly complex. It introduced a number of firsts for the Australian market that required new thinking, particularly around the structure, unique risks and the many interfaces. The Allens team expertly drew on their experience across all aspects of these projects to deliver clear, workable and importantly explainable solutions, and then bring a very broad group of stakeholders along for the ride. The team are incredibly commercial and go well beyond what you usually expect. They just get it.

Commercial Lead – GEO Consortium

Gather the right data points

Gather the key data points recognised by the law and regulators.

Here are some of the data points that the law and regulators have recognised as important drivers of corporate culture and from which valuable insights may be drawn.

Interviews with board members and senior management Interviews – when anonymised these will reveal more frank assessments of strengths and weaknesses of culture at the top of the organisation, which can provide a roadmap for exploring issues in more granular detail involving some of the steps listed below.

Board and senior management papers – reviewing these materials can reveal the extent to which these bodies consider issues relevant to culture and communicate their will. They can also reveal the degree to which there is debate and challenge of management from the Board and how much news, whether good or bad, is communicated to the Board and management.

Employee survey data – often this is the most valuable data in understanding what happens in practice within an organisation, and what people on the ground think. Most organisations will have existing data that can be useful, including performance reviews, firm-wide discussions and exit interview notes. Culture surveys and focus group interviews on corporate culture, too, can provide an opportunity to engage with employees on their views on that organisation’s culture, and can be a highly effective way of obtaining a firm‑wide view.

Employee survey data is frequently cited by corporates as one of the most informative data points when assessing culture.

Customer data – assessing customer feedback data can identify trends in customers’ experiences interacting with the organisation, which can be reflective of its corporate culture. Specific measures that customer‑facing teams can use to assist with measuring and assessing corporate culture include:

  • Customer surveys and focus groups; and
  • Social media audits and reputational analysis.

Australia's Financial Services Royal Commission has highlighted the importance of focusing on the tail of customer complaints, not just aggregated data regarding customer satisfaction.

Incident data – data relating to the frequency and seriousness of any breach of compliance controls, or legal and regulatory requirements, can highlight issues and gaps in an organisation’s corporate culture. A lack of data, however, could reveal a reluctance by employees to speak up about problems, or shortcomings in the organisation’s identification processes, which may be driven by a concern about reprisals and/or apathy – a sense that nothing will be done about their complaint. It may also reveal a lack of quality in reporting systems. Whistleblower data can reveal the willingness of staff to speak up, trends in reporting, how whistleblower complaints are investigated and how often complaints are corroborated or otherwise resolved. This data can be benchmarked against peers to see whether the company’s performance in relation to whistleblower complaints is outside of the range expected for a company of its size, shape and risk profile.

Compliance and risk reviews – compliance reviews which involve mapping the legal, regulatory and best practice standards that apply to an organisation, and assessing the extent to which the organisation exceeds or falls short of its required and/or desired cultural standards, can identify cultural traits, strengths and deficiencies in how an organisation approaches compliance and risk. Risk reviews can reveal the company's attitude towards risk, its level of sophistication and strengths/deficiencies in governance processes.

Conduct culture assessment

Conduct rigorous, cross‑functional and ongoing culture assessments against articulated culture

Assessment of corporate culture is challenging. It cannot be a box‑ticking exercise and necessarily involves qualitative judgement. The law and regulatory guidance provide a helpful roadmap as to how to go about assessing culture from a process perspective and what data points to focus on as part of an assessment.

[culture assessment] demands intellectual drive, honesty and rigour. It demands thought, work and action informed by what has happened in the past, why it happened and what steps are now proposed to prevent its reoccurrence.6

The assessment process must be independent. External review or input can add a degree of impartiality, fresh thinking and peer benchmarking. Regulators and law enforcement expect to see an assessment process that is independent of the Board and management.7 This does not necessarily mean the assessment needs to be outsourced to an external consultant, although such consultants can often add insight, fresh thinking and a degree of objectivity.

Assessment must be cross‑functional and have depth in terms of access to employees. While the Board and senior management should have a chance to contribute to the assessment process with their own views and experiences, there should be careful governance placed around the degree to which they are able to shape or influence the findings of the assessment.

Where views of directors, senior management, employees, customers and third parties are sought, more accurate and insightful results will be achieved where anonymity is assured. Stakeholders asked to provide views may be more comfortable sharing responses with a third‑party consultant on the assurance of anonymity, than an internal contact.

Culture assessments must involve an identification of the root cause of any failings or misconduct. Assessments must avoid confusing root cause and symptoms. To produce results that are insightful, a cultural assessment must be informed by the events of the past, and the reasons why they happened.8 Only then can steps be proposed to prevent their reoccurrence. One way of analysing the past is to choose case studies for analysis, to understand what causes the outcome. Balance needs to be achieved through this process. Assessments that only focus on instances of failings will necessarily identify defects in culture. Examples of successes should also be chosen for analysis to understand what the root cause of the success was. This will produce a more balanced assessment and offer greater insight into the organisation’s culture. Care should be taken in choosing case studies that may be subject to legal proceedings, since discoverable documents could be generated.

Start to make a mindset shift

Help your organisation to make a mindset shift

The spotlight on culture is here to stay. We expect to see Australia emulating UK trends and for assessing and continually improving culture to become the norm. Boards and senior executives will be increasingly held accountable for failings. In the wake of Australia's Financial Services Royal Commission, the need for organisations to rethink not just their culture, but also their approach to defining, monitoring and assessing it, has become paramount.

For some organisations, a mindset shift is required; one through which Boards and senior management recognise the opportunities presented by a thriving culture, and the risks (both legal and reputational), posed by a poor one.

A plan of action should be developed for the organisation to strengthen culture and access opportunities. This should focus on providing the Board with routine feedback on how the organisation’s culture is standing up against the Board’s articulated vision. Cultural assessment processes that focus on conducting smaller assessments within an organisation on a rolling basis, with particular areas of the organisation being reassessed regularly to pick up changes in culture, have been praised by Commissioner Hayne in the FS Royal Commission Final Report. Cultural assessments should be ongoing, providing real‑time feedback to Board and management to see whether improvement initiatives are working and to spot emerging issues more quickly.


Read our more detailed guide for further information on:

  • the legal and reputational risks and opportunities presented by corporate culture;
  • the growing influence of law and regulation on corporate culture;
  • the key factors recognised by the law and regulators as important drivers of corporate culture; and
  • the essential steps to ensure an assessment of corporate culture is defensible in the eyes of regulators and sets up your organisation for success.

Download guide



  1. ACCC v Harvey Norman Holdings Ltd [2011] FCA 1407.
  2. FS Royal Commission Final Report, 392.
  3. Speech by Greg Medcraft, Chairman of the Australian Securities and Exchange Commission, Thomson Reuters, 4th Annual Australian Regulatory Summit, 21 June 2016, The Importance of Corporate Culture, page 3
  4. FS Royal Commission Final Report, 392.