Starting the Process to Evaluate Culture
Internal auditors often talk about the “tone at the top” – the idea that corporate culture begins with the example set by senior management. But while conduct at the top is where it all starts, it does not end there. An increasing number of companies are beginning to realize that if the tone in the middle is not aligned with the tone at the top, there could be serious risks lurking within the organization.
Internal auditors, because of the unique cross-organizational nature of their work, are in the privileged position of not being siloed – a position that gives them a view into processes and procedures across all departments, from IT to finance and operations. Few other functions, if any, are in a position to observe culture and tone at the bottom, middle and top of the organization.
This unique perspective provides a platform from which auditors can map and analyze enterprise risk management processes, determine whether proper oversight and resources are devoted to critical risk management concerns, and determine whether the organization’s culture supports “doing the right thing.” When it comes to auditing culture, what is likely to add the most value is the strength of relationships and an understanding of the pressures and motives that contribute to fraud and other misconduct.
Executives and directors are looking to chief audit executives (CAEs) to open lines of communication and initiate and cultivate those relationships. Nontraditional capabilities that just a few years ago were called “soft skills” – things like communication, critical thinking, relationship building and cultural sensitivity – have become core competencies. CAEs need to be evaluating their audit teams and recruiting now to ensure the right mix of talent to participate in the culture assessment process.
Starting the Culture Assessment
There are several different ways to approach a culture assessment. The internal audit functions of some organizations integrate risk culture into all of their existing audits. Others perform a standalone assessment. Regardless of the form it takes, an effective culture assessment can be divided into three primary focus areas – organizational vision and values, risk management, and people management.
- Vision and Values
This portion of the assessment focuses on the tone at the top, the engagement of the board, strategic planning processes and clarity around the consideration of risk in decision making. A vision-and-values assessment also looks at corporate communications, including frequency, type and volume of top-down and bottom-up exchanges. A good vision-and-values assessment covers the adequacy of policies and procedures, code of conduct, whistleblower hotlines and other forms of escalatory communications channels with an eye on effectiveness. The purpose of this portion of the assessment is to determine the extent to which the vision and values have permeated all levels of the organization. For example, is the tone in the middle aligned with the tone at the top?
- Risk Management
If vision and values are a measure of the culture a company aspires to, risk management provides tangible proof of that culture in action. Under risk management, an effective culture assessment should consider the governance framework and risk orientation, risk appetite, roles and responsibilities, and supporting tools and technology. Think about accountability, ownership, committee charters, and then risk transparency and escalation processes. Look at hotline call logs. Is there a “speak-up” culture? If not, why not? How does risk get reported? Is risk information actionable for decision making?
- People Management
Finally, look at how people are being managed. Consider incentives and rewards. Are the incentives aligned with professed values, or is there a chance that employees might be tempted, or even coerced, to cut corners or behave unethically to attain rewards? This is an area that has gotten companies into trouble in the past. Does the organization employ lifecycle management – considering processes around recruitment, hiring, career-pathing, development and exit? How effective are the feedback loops that keep leaders in touch with business realities? How effective is skills training? In essence, people management evaluation should take a risk-based approach and should apply to everything from employee reviews to board training and executive succession planning. It should also consider diversity in the executive ranks and in the boardroom.
This three-pronged approach should provide a well-rounded picture of an organization’s corporate culture, from intention to application and outcome. Internal audit functions that do not have a standalone culture assessment planned but are beginning to consider it can address risk culture in the audits they are currently performing. There is no need to do a separate report, but the results of this informal assessment could be fed into the risk assessment process for next year. Thinking outside the scope of the audit plan can deliver greater value to the audit committee.