Workplace culture may be loosely defined or difficult to measure, but the consequences of a negative culture, such as one that encourages excessive risk-taking or stifles initiative, can be problematic if not downright catastrophic
SINGAPORE (Jan 21): Last July, Ernest Tan, a manager at Integrated Health Information Systems (IHiS), was reluctant to inform his superiors about what was to become the most severe data breach in Singapore’s history. IHiS is the IT arm of the Ministry of Health, responsible for designing and managing the IT systems for the healthcare sector. Tan, whose job it was to report security incidents and respond accordingly, was worried about the attendant stress and having to work overtime; he admitted as much a few months later, during an inquiry IHiS commissioned into the breach at SingHealth, the country’s largest public healthcare organisation: “Once we escalate to management, there will be no day, no night.”
Tan was fired from his job on Jan 14, not long after the Committee of Inquiry (COI) released a public version of its findings on the breach and the lapses that led to it. IHiS also fined seven members of its management, including CEO Bruce Liang, “for their collective leadership responsibility”. Meanwhile, Wee Jia Huo, the cluster information security officer specifically responsible for cybersecurity in SingHealth, will be demoted and redeployed.
Separately, the Personal Data Protection Commission has fined IHiS $750,000 and SingHealth $250,000 for breaching their obligations under the Personal Data Protection Act. In a statement, PDPC said it found that SingHealth personnel responsible for such security incidents were unfamiliar with how to respond to a breach, were overly dependent on IHiS and failed to understand the significance of the information that IHiS provided on the incident. “Organisations... must ultimately take responsibility for the personal data that they have collected from their customers,” the commission noted.
What was galling about the event was not just the sheer scale of the breach — critical personal data of 1.5 million people was stolen — but the lapses that led to it. According to the COI report, Tan clearly failed to understand and discharge his duties; he had a “mistaken understanding” of what constituted a security incident and when it should be reported. At the same time, Wee’s response was “clearly lacking, and displayed an alarming lack of concern”. He had left the reporting of the data breach, and its response, to Tan and other members of the team. Consequently, the data breach was allowed to continue for six days and was only reported to the police on July 12, and disclosed to the public on July 20.
The COI noted the “considerable initiative” shown by officers on the frontline, but was scathing about the managers’ failures. “It is a shame that such initiative was then smothered by a blanket of middle management mistakes,” it said.
Among the panel’s recommendations were that IHiS should address its governance practices, which in turn “involves creating a culture of security” to help prevent such an event, as well as creating a “culture of constant learning” and encouraging proactive and early reporting.
However, the lapses reach even the heart of the organisation. Importantly, the panel also questioned to what extent Tan’s views and behaviour “have been shaped by the [organisational] culture in IHiS”. Indeed, it noted Tan’s reporting officer’s statement that the person who sounds the alarm “may look bad” should it turn out to be false. This effectively translates into a general reluctance to stick one’s neck out or speak up for fear of reprisal, even if a situation warranted an alert. It is a mindset that can have dire consequences, as the SingHealth breach shows.
This is not the first time that “culture” has been highlighted in the context of public organisations’ encountering problems. In 2017, the national rail operator grappled with severe disruptions, which resulted in commuter outrage and a public inquiry. Among the issues that contributed to the disruptions was flooding in train tunnels because SMRT employees failed to conduct regular inspections, even though they reported doing so. SMRT’s CEO at the time, Desmond Kuek, attributed the cause of the problem to “deep-seated cultural issues” within the organisation.
What is “culture” in the context of these organisations? And why does it matter?
Culture and performance
Even among the experts, there are various descriptions of what work culture is and how it is assessed. Still, there are key characteristics. And, the consensus is that an organisation’s culture is an increasingly important consideration among stakeholders, as its impact is actually visible.
The workplace culture is ultimately reflected in the organisation’s performance — how well a rail network is run and maintained, for instance, or whether an investment bank incurs hefty fines from the authorities resulting from the actions of its employees.
“Organisations can be described as having a culture of being risk-tolerant or risk-averse; or having a culture of high quality or performance; or a culture of engagement and well-being. Hence, it can have a significant impact on operations,” says Dilys Boey, EY Asean people advisory services leader, Ernst & Young Advisory.
Work culture can be an organisation’s “competitive edge”, says Jovina Ang, a lecturer in the Department of Management and Organisation at NUS Business School. This is because it is centred on the set of values that everyone, from the CEO to the clerk, should be operating by. “You can have the best strategy, but if people are not operating in line with the strategy, the strategy will fail — which is why Peter Drucker once said ‘culture eats strategy for breakfast’,” she says.
Indeed, the culture in a workplace can make all the difference in how well two companies in the same business perform, says Jason Seng of Deloitte Human Capital Consulting. He points to how studies have shown that companies that intentionally manage their culture significantly outperformed companies that did not, in all key performance metrics. “For example, an organisation with an effective culture that focuses on safety will typically see operational improvements in the [fewer] number of site accidents, employee injuries and casualties,” says Seng.
Yet, it is crucial that workplace culture is not just tied to sheer numbers-based growth or incentive-led performance. This mere transactional approach would be counterproductive and result in unsustainable, ever-escalating costs for the company.
In fact, a recent Glassdoor survey has shown that compensation and benefits are no longer the only, or even the most important, factors that determine a person’s job satisfaction. According to the recruitment site, 83% of the jobseekers it polled in Singapore consider finding the right workplace culture more important than simply earning more money. “Culture and values end up being the most important factors that determine whether a person is satisfied in their job,” says Christian Sutherland-Wong, Glassdoor’s global chief operating officer. “We see the strongest driver of Glassdoor ratings being culture and values, and not compensation and benefits.”
Ultimately, there is no one perfect work culture. But it drives a company’s operations and growth, as it is closely linked to employee engagement and empowerment, according to NUS’s Ang. “When employees are empowered and engaged, they bring their best to work. They put in a lot more discretionary effort in their work, which in turn impacts the operations of the company.”
Deferring to culture
Evelyn Kwek, managing director of Great Place to Work (GPTW), observes that in many cases, wrongdoings or issues at a company continue because junior employees who would have spotted the issues were afraid to speak up, or believed they would not be taken at their word. “As a result, issues fester,” she says.
Kwek notes that employees need psychological safety, or a sense of security and confidence that, as an employee, they would not be embarrassed, rejected or punished for speaking up. According to her, this would translate into employees feeling that they work in a psychologically and emotionally healthy work environment, and that the leaders they work for recognise honest mistakes and make provisions for them to try new ideas or work on a difficult problem.
But, most organisations are still hierarchical in structure. “For example, junior employees might be aware of fraudulent practices by their supervisors, but do not report these activities for fear of reprisal. Middle-level managers may not be open to listening to innovative workplace ideas that their direct reports might have, leading to potential losses in operational efficiency or employee morale,” says Deloitte’s Seng.
Does our Asian culture, which emphasises deference to elders and leaders, play a part in defining work culture? It is possible that such practices can hinder growth at an organisation.
NUS’s Ang believes work culture trumps local culture, as seen in the success of MNCs across so many countries. “That said, it is important that there is trust between the employees and the leadership team. Trust is the key to a healthy work culture because trust takes fear out of the equation for employees to voice their opinions or to make suggestions on how to make things better for the organisation,” says Ang. “Taking fear out of the equation was what Vinod Kumar, CEO of Tata Communications, did when he was tasked with reinventing Tata Communications and cutting costs.”
“In organisations looking to promote a safety [and] risk-conscious culture or to discourage fraudulent activities, giving employees the courage and avenue to speak up against errant supervisors in a safe environment without fear of retaliation is critical, but might be frowned upon in some Asian organisations,” Deloitte’s Seng notes.
“Leaders can play to the strengths of their respective cultures to make it work for them,” GPTW’s Kwek points out.
Change starts from the top
So, is a poor workplace culture to be blamed for the failings of an organisation? What can be done to mitigate the issues that arise owing to a poor work culture?
Seng notes that work culture could be a root cause or part of a wider set of problems that are unaddressed at an organisation. “The culture of decades of excessive risk-taking by investment banks led to the global financial crisis in 2008 and the high-profile collapse of a couple of established players. Global banks have now put in place compliance-checking mechanisms to ensure that they limit risk exposure while instilling a risk-conscious mindset to prevent history from repeating itself,” he says.
To be sure, there are many factors at play when a problem occurs.
“There are several factors that impact the ability of organisations to meet expected outcomes. They include the ability to adapt to change, to translate plans into action and to monitor performance,” says Boey. “When things go wrong, it’s easy to blame the work culture. However, we must note that it’s the leaders that define what is acceptable behaviour or practice in an organisation.”
“You also can’t put the blame for problems or issues on culture alone. There are many moving pieces that can unravel an organisation, including a less-than-optimal strategy; the capabilities of leadership and people; communication; measures of performance; a partner ecosystem; and organisational inertia,” explains Ang. “All these pieces, with culture at the core, have to work together to achieve organisational effectiveness.”
Regardless, how an organisation and its members respond to a problem is also a reflection of its work culture. “The culture of an organisation is perhaps most telling in times of stress and crisis,” says Kwek. “The real ‘personality of the organisation’ shows up in such times.”
But beyond the crisis situations, there are other challenges that could be resolved or mitigated by a positive work culture. This is especially so when many companies are struggling with hiring, and keeping, millennials in their jobs.
“An important part of keeping millennials engaged is to involve them in the decision-making process, giving immediate, regular feedback on their performance and providing more flexibility in their working environment, all of which are not the features of an organisation with a typical top-down culture,” says Seng.
Unfortunately, there is no easy way to change an organisation’s culture. As the experts have explained to The Edge Singapore, it takes more than having an organisation’s leader define it, or crafting an organisation’s mission statement. The culture in a workplace takes time to cultivate, and involves everyone, from the CEO to the clerk.
The consultants offer change management advisory, which could help develop some aspects of a company’s culture, such as better, open communication, or flagging improprieties in behaviour when it comes to risk-taking. Yet, even this would not help if an organisation’s members, starting with the leaders, are resistant to the changes needed. “For company-wide cultural shifts, leaders will be required to ‘walk the talk’ and ensure that the systems around business practices, performance or rewards are all aligned with the culture,” says Boey.
“It takes leadership commitment and a relentless focus to ensure that the organisation’s culture is aligned with its aspirations, supports the business strategy and is relevant, given evolving staff demographics and the larger external environment [the organisation] operates in,” says Kwek.
“It is about the leadership recognising that they need to work on getting their culture right as hard and as much as they work on their business strategy or operating model. Meaningful change happens when the leadership team first gets intentional about articulating their desired culture and then do the hard work of getting the culture right throughout the organisation,” she adds.
Perhaps for organisations in Singapore, what is needed is a systemic shift in the way people think about jobs and functions: for individuals to forget about “losing face” when speaking out or voicing concerns; and that all actions have to be incentive-driven. That way, even a minor cybersecurity breach, for example, would be reported right away; and inspections and repairs carried out properly and on time, just because it is the right thing to do.