Strategy

Vigilance Critical to Corporate Culture and Risk Management

Culture is a key factor in a company’s risk management efforts. The word "culture" is mentioned 124 times in the 2017 COSO Enterprise Risk Management framework because a weak culture that allows undesired behavior to continue can lead to a variety of tangible or intangible risks.

Establishing clear expectations about ethical behavior and guarding against a gradual erosion of an organization’s standards and controls are important factors in reducing fraud risk by maintaining a strong corporate culture.

Panelists on a webinar sponsored by the Anti-Fraud Collaboration stressed the importance of an organization’s leaders establishing a strong tone that promotes ethics and monitors behavior to detect departures from acceptable norms.

“Culture is in the DNA of every company and board, and a healthy culture is critical to the success of a company,” said Brenda J. Gaines, Audit Committee Chair at Tenet Healthcare Corp.

The panelists said an organization’s culture, in part, represents shared beliefs about acceptable behavior and interactions with customers and each other. Each organization’s culture is going to be unique, but needs to be aligned with its mission and business model, as well as the expectations of customers, regulators and other stakeholders.

“You need to align your company’s values with its strategy and vision,” said Gilly Lord, PwC UK’s Head of Audit Strategy and Transformation. “If you’re a retailer, you may have a value that says the customer is always right. That value is not going to work for an audit firm, which needs to maintain professional skepticism.”

Lord said an organization’s ethics and culture are often undermined over time by a steady series of actions that may appear small, but can lead to larger transgressions. Culture and behavior reinforce each other in a cycle that can be, depending on the organization and actions it tolerates, helpful or damaging.

“Culture is dynamic, and culture is shaped daily by micro-behaviors and gradual changes that can be easy to miss,” Lord said.

Mark Carawan, Chief Compliance Officer for Citigroup, said it’s important for a company to spell out the types of behavior it wants executives and line employees to follow, and to include discussions about ethics during executives’ performance reviews.

“It’s critical to establish standards and training, and to encourage interaction,” Carawan said. “As items surface, it’s critical not to place the emphasis on assigning blame, but rather to advocate a positive outcome where you can incentivize people toward the [ethical behavior] you’re trying to promote.”

Similarly, Gaines said a good practice is for company directors and management to review the key elements of the organization’s culture and values, and to describe why those values are important and how they’ll be measured. For example, a health care provider is likely to be most concerned with patient care and satisfaction, while a manufacturer will likely emphasize product quality and worker safety.

Carawan said executives, directors and members of the organization’s controls function (including internal and external auditors) have to collaborate to establish and maintain a strong ethical culture.

“These are all part of the company’s cultural ecosystem, and their actions help drive behavior for better or worse,” he added.

Culture is also a key factor in a company’s risk management efforts, said Paul Walker, Schiro/Zurich Chair in Enterprise Risk Management and the Executive Director of the Center for Excellence in ERM at St. John’s University.

For instance, culture is mentioned 124 times in the 2017 COSO Enterprise Risk Management framework because a weak culture that allows undesired behavior to continue can lead to a variety of tangible or intangible risks. Depending on the organization’s sector, this can mean unethical sales tactics that produce favorable results for employees or overlooking safety lapses in the interest of reducing operating costs.

Walker said an important step in reducing risk is creating a culture in which employees or board members feel empowered to question behavior they’re not comfortable with, or to ask questions to understand the drivers influencing the company’s performance.

“You want a culture that encourages, requires and rewards asking questions, and promotes professional skepticism,” Walker said. “A dysfunctional culture can itself serve as a serious risk.”