Companies - and regulators - are paying more attention to getting culture right

The emerging flavor of the month in regulatory circles is the “culture of compliance” with recognition that corporate culture has a profound influence on how an organization conducts its business.

A culture that consistently places ethical considerations and client interests at the center of business decisions helps protect employees as well as investors and the integrity of the markets. Conversely, significant cultural failures can impose substantial harm on companies themselves including fines, penalties, and loss of reputation.

This growing attention is good news for the compliance professional and internal auditors. Compliance officers have already been attuned to the importance of corporate culture, especially since the 2004 amendments to the Federal Sentencing Guidelines paid special attention to it. The revised guidelines stated that in order to have a truly effective compliance program an organization needed to “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

The latest regulator to take notice is the Financial Industry Regulatory Authority (FINRA). In its 2016 Regulatory and Examination Priorities, FINRA stressed that assessing firm culture would be a major focus. A Targeted Exam Letter that followed made good on that promise by asking the firms it oversees questions on how they communicate, reinforce, monitor, and measure organizational values, including indicators of a firm's culture, such as:

  • whether control functions are valued within the organization including having key policies and processes by which the firm establishes cultural values;

  • whether policy or control breaches are tolerated;

  • whether the organization proactively seeks to identify risk and compliance events;

  • whether immediate managers are effective role models of firm culture; and

  • whether sub-cultures that may not conform to overall corporate culture are identified and addressed.

Companies have started to get the message. In particular, the CEO who must run the company in a light-speed-paced environment (with a trend toward shorter tenures) will want to stay attuned to the organization’s culture. When there is high turnover, for example, employee dissatisfaction or other turmoil impacting the bottom line, poor culture is often the culprit.

 A Role for Auditors
Internal audit has now entered the corporate culture game. The Institute of Internal Auditors (IIA) published a new white paper encouraging its members to take a closer look at the culture that can impact its business. The paper makes the case that too many high-profile compliance failures in recent history can be tied to cultures that encouraged, allowed, or looked past illicit behavior. The IIA pointedly observes that culture needs to be added to the internal audit workload, “Because auditing culture helps the organization manage it.”
 

The paper provides recommendations on how internal auditors can forge more formal entry into a relatively uncharted area for the audit profession. As culture is a key contributor to corporate performance, both positive and negative, it is important for auditors to either figure out how to periodically perform a corporate culture audit or to incorporate consideration of culture in each and every audit project being done.

Auditing culture has been an area viewed with hesitation by the profession. Culture can be so subjective that it can take auditors—who are processed oriented and seek objective measures—out of their comfort zone. Yet evaluating culture and the effectiveness of a compliance program certainly fits within the bailiwick of the audit skill set. It is much more than a checklist, however, and requires consideration of the qualitative aspects of the business. Still, it can be approached in a systematic and methodological manner.

What is Corporate Culture?
In basic terms, culture is the set of enduring and underlying assumptions and norms that determine how things are actually done in the organization. A coherent culture is based on shared values and beliefs, and the evidence they are shared is that they shape behavior across the organization. The challenge for leadership is knowing how to instill or modify those assumptions and norms in the direction that is needed.

Culture is not simply the articulation of an organization’s mission and values. It turns out that simply stating your values does nothing for performance. Studies, including a recent one on the Value of Corporate Culture among S&P 500 companies found that the existence and prominence of a defined set of corporate values made no difference to short or long-term financial performance. But, the study found that the behavior of a company’s senior managers (and the values their behavior embodied) made a huge difference in determining performance.

In other words, the organization needs to be deliberate and diligent about making sure those values are reflected in its team’s attitudes and interactions. Anyone can pay a marketing firm to develop a mission statement for them. A common tale for compliance professionals is that Enron had a fabulous mission statement along with award winning code of conduct.

When rigorously evaluating corporate culture, auditors will need to make sure that these values as reflected in written procedures are actually demonstrated in how the business operates. When demonstrating and measuring success, it is often not so much whether a compliance violation happens, as to how the company responds once it does.

Yes, Culture Can Be Measured
Culture is a challenge to measure, in part, because of the built-in structural and behavioral forces that can keep CEOs and senior management from having their finger on the cultural pulse of the organization. Employees often have a difficult time sounding off to management. Their livelihood depends on keeping their jobs, and if the culture in the organization is the kind where, “We don’t talk about our problems” then employee will shut down and keep their opinions to themselves. Executive leaders also have a vested interest in getting the CEO’s approval, and if that approval only goes to people who report what leadership wants to hear, it can mean the true state of affairs is not known.

Enter internal audit who have the independence and objectivity to evaluate corporate culture. There are a number of ways internal auditors have already historically looked at aspects of culture within the context of audit engagements. While there’s no specific framework for auditors to conduct an audit of culture, the COSO Internal Control -- Integrated Framework provides a starting point. The evaluation of the control environment is one that should already be leveraged by internal audit to apply to compliance program effectiveness as well to fraud control standards. Auditors can refer to the points of focus in the new framework to enhance their understanding.

Keep in mind that that the points of focus under the first principle that, "The organization demonstrates a commitment to integrity and ethical values," aligns with the promotion of ethical conduct under the Federal Sentencing Guidelines. The updated framework provides four points of focus:

  • Sets the "tone at the top"

  • Establishes standards of conduct

  • Evaluates adherence to standards of conduct

  • Addresses deviations in a timely manner

Auditors have used several techniques to evaluate corporate culture as areas of focus of the control environment. Most audit projects should already look at the tone at the top of whatever functional area is in scope of the audit, including communication among senior managers, middle managers, and rank-and-file employees to help gauge that tone. Some audit departments integrate soft control evaluations into their everyday audit procedures. Others conduct structured, entity-level interviews and may combine those with the use of focus groups.

Employee surveys that allow anonymity, however, are becoming acknowledged as one of the most effective and efficient ways to measure corporate culture. Compliance and audit professionals more routinely incorporate compliance program questions into broad workplace surveys. Such questions probe areas related to the tone at the top/middle, and management's overall commitment to upholding the company's ethical and legal standards.

Learning how employees perceive the company's values can be eye-opening, with results are categorized by position, functional area, geography, or operating unit without compromising anonymity. Don't assume that culture is uniform across departments or locations, or that line employees will have the same opinion of the company's values as the executives, the law department, or the human resources group.

Other activities of the compliance program further reveal cultural aspects. Auditors can also look at hotline activity, consistency of discipline, and incentives, likes sales commissions. Each activity on its own may not be indicative of culture, but when you’re looking at multiple incidents and issues you can start to identify trends.

There are instances where organizations have taken hardline approaches to how they remediate certain compliance violations. In a check-the-box culture, where there isn’t a good tone at the top, employees will pay lip service to compliance. They cannot be expected to view it as important if they model their behavior on that of their managers.

Other areas of culture measurement for the internal auditor to consider include:

  • Retaliation Factors: Studies suggest that the highest indicator of workplace misconduct is fear of retaliation and the confidence employees feel when raising issues. Fear of retaliation is not only significant in and of itself, but may be a proxy of other problematic cultural factors such as distrust of management. Data on employee willingness to address matters with their immediate supervisor or to use the compliance hotline, as well as their views on what would happen if they reported misconduct, can be meaningful. Even better would be measures on how issues are reported and ultimately addressed.

  • Rewards and Incentives: Recognition, reward, and incentive programs can convey positive cultural messages. If executives don't meet compliance objectives, do they risk having their annual bonuses reduced? A measure to develop is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria.

  • Management Operating Style: Analyze the company turnover and retention for information where turnover has not achieved acceptable levels. Through employee interviews, auditors can ascertain whether the turnover rate is attributed to organizational transition or stress stemming from management's philosophy and operating style (e.g., inappropriate compensation packages, unreasonable sales goals requirements, etc.).

  • Talent Management System: A company can actively recruit new hires based on culturally consistent, desired behaviors and reinforce these when people join the company. To measure, sample the records of employees who have had poor performance evaluations in the past years, and determine whether those employees had appropriate qualifications relative to their job descriptions. Perform the review with an eye toward ascertaining whether the company's hiring practices appropriately matched employee qualifications, skill set, and delegated authority to their formal position and job description.

Achieving a high-performance culture deserves to be a top agenda item for every company hoping to stay competitive. The collective corporate culture can, be an important driver of financial results and an element of other key business issues, such as talent acquisition and management and innovation-fueled growth. 

Although auditors might meet some resistance when they take a discussion about culture to the highest levels of the organization, this is an opportune time really step up and demonstrate the capabilities of a robust evaluation of your company’s culture.


Jose Tabuena provides audit and compliance services bringing Big 4 firm experience and having held a variety of roles, including compliance auditor, risk manager, corporate counsel, and chief compliance officer. He has held major compliance and audit management roles at Kaiser Permanente, Texas Health Resources, Orion Health, and Concentra/Humana, and is certified as a fraud examiner, in healthcare compliance, as well as an OCEG Fellow.