An audit of a company’s culture identifies its DNA. Peter Jones explains why this is becoming a key part of the risk management process, with internal auditors in the driver’s seat.
Culture is about people, what they say and what they do. And regulators are tuning-in to the best way for boards to set the pace on culture.
The business case for a positive work culture is undeniable: an engaged and committed organisation helps to fuel growth and reduces corporate risk by embedding the right kind of behaviour, beliefs and practices. While a positive culture is the goal, major corporate scandals such as allegations of bribery and corruption at FIFA, evidence of modified emissions tests at Volkswagen, and over 56 major events locally since 2009 tell a different story. And after each major breach, regulators step in to introduce more legal compliance.
In the UK, the Financial Reporting Council’s chair Sir Winfried Bischoff, is adamant that “it’s important to have a continuous focus on culture, rather than wait for a crisis. Poor behaviour can be exacerbated when companies come under pressure.”
The financial services industry often appears in the firing line, with incidents such as the Commonwealth Bank of Australia’s (CBA) Storm Financial crisis and ANZ and the Opes Prime investors. Then there are the rogue LIBOR traders in the UK and other back stories in the US.
The difficulty in the financial services sector is the premium placed on financial results. An Economist Intelligence Unit global survey of 382 financial services executives in 2013 found that 53 per cent of respondents think that career progression at their firm would be difficult without being flexible on ethical standards.
The same proportion also think that being too rigid on ethical standards would render their firm less competitive. Only 37 per cent think their firm’s financials would improve as a result of an improvement in the ethical conduct of employees at their firm.
But not all sectors are ignoring the impact of a good culture on the bottom line. A McKinsey & Company global study of executives in 2013 showed that a majority believed that issues relating to external affairs would affect their company’s income.
McKinsey suggested that there are three elements to a successful approach. First, the company must have a clear purpose with a clear set of values; secondly, the approach needs to be strategic; and third, companies need to decide on the nature of the approach – will it be open and proactive or defensive.
But how do you ensure that the “positive“ culture permeates throughout the organisation?
The dilemma may be solved by an internal audit, which can play a key role in identifying the elements of the real culture as experienced by the employees, and relate that back to the leadership team.
Raising the red flag
But the internal auditor has a difficult driving role as he is an “insider-outsider” – a person inside an organisation conducting reviews and analysis, yet mandated to be independent and objective, with the brief determined by the board and audit committee.
Internal auditors will have a different view from investors as they need to assess the company’s culture as part of the “controls” environment in audit planning and risk assessment.
At the same time, there are ongoing discussions about corporate culture and how important it is to the financial health of an organisation. This should be a wake-up call to develop a consistent approach to the auditing of corporate culture.
According to the Institute of Internal Auditor’s 2016 Global Pulse of Internal Audit survey of 2,254 respondents from 111 countries, the majority indicated a number of factors impeding their ability to progress.
And 23 per cent indicated lack of executive management support to conduct audits of organisational culture. An internal auditor can easily be derailed by executive management if they do not act on recommendations to improve internal controls. The internal auditor is then left with the fallout.
Of those organisations that did conduct internal audits, the survey found that 60 per cent of those that include culture in the audit coordinate with other departments such as HR, compliance and risk management.
The Chartered Institute of Internal Auditors (UK) in its paper Organisational Culture – Evolving approaches to embedding and assurance argue that the internal auditor is well placed to succeed in providing assurance on an organisation’s culture.
The internal auditor’s knowledge and expertise in the organisation’s internal controls and compliance programs means they can build a well-informed perspective on practices across an organisation over time. No other function has the mandate to move across an organisation in the same way that internal audit does.
A hard look at the soft stuff
Currently, the internal auditor reviews “hard controls” as part of its brief, but attention also has to be given to “soft controls”. In doing so the internal auditor needs to work with a variety of stakeholders in an organisation, but closer with executive management and HR.
There are at least three approaches to audit culture: an organisation-wide assessment; individual engagement as part of many (if not all) audits; and/or reporting on the aggregation of a series of micro-culture audits, conducted over time.
The UK’s Financial Stability Board identifies four major areas that may influence an organisation’s risk culture: tone from the top; accountability; effective communication and challenge; and incentives.
A culture audit starts with investigating the “tone from the top” – top-down organisation wide culture. It will determine whether the tone of the “macro-culture” driven by the leadership trickles down to all levels of the organisation.
But every organisation has many small cultures or “micro-cultures” reflecting locations, departments, divisions and other areas or groups of employees with something in common.
Culture is not a monolithic homogeneous entity within an organisation. The approach to auditing and measurement of culture should be tailored to each specific organisation. Along with satisfaction and opinion surveys of employees, there needs to be measurement of employee compliance and ethics programs, induction training and exit interviews, customer surveys and review of customer complaints.
The internal auditor should also review the effectiveness of whistleblower programs, training and HR practices and programs.
Considering auditing culture
Auditing culture is a top-down and bottom-up exercise that requires all the skills of a forensic investigator coupled with a diplomat’s skill in negotiating different layers of management politics.
It’s time audit committees and boards start asking questions about culture using the expertise of the internal auditor. This will put the focus on culture where it belongs – with the board.
The auditing of culture is not an exact science and questions remain on the best way to measure intangibles. But the increased focus of regulators on culture should send a wake-up call to senior management, boards and audit committees to crank up the dial on culture audits.
Directors should not wait for a crisis before they take a closer look at their own company culture.
Improving corporate culture from the top
- Recognise the value of culture
- Demonstrate leadership
- Be open and accountable
- Embed and integrate
- Align values and incentives
- Assess, measure and engage
- Exercise stewardship
Source: Financial Reporting Council (UK) 2016
Already a member?
Login to view this content