Corporate culture: Creating strong guardrails for governance and ERM

How do you define your organization’s corporate culture? Often, corporate culture is difficult to describe. Every company has a unique culture—and culture is frequently the difference between highly successful organizations and ones that struggle with morale, operational efficiency, strategic vision, weak internal control environments and other business challenges.

Culture directly affects behavior

What impact does corporate culture have on organizational behavior and employee activities? Together, organizational strategy, corporate culture and employee behavior create the framework for corporate governance, which includes an understanding of the design effectiveness and ongoing monitoring of an organization’s internal control environment. As companies invest in enterprise risk management (ERM) and related governance initiatives, one area often overlooked is the assessment of corporate culture. A direct link exists between a company’s culture and employee behavior. People generally behave based on the metrics that drive compensation, incentives, promotions, job security and career success.

For years, internal auditors have referred to tone at the top as they assess a company’s culture and develop a strategy and corresponding plan for annual audit activities. Although this strategy is helpful in developing an annual audit plan, refining audit scope and executing specific audit steps, a formal assessment of corporate culture is rarely a part of the final deliverable.

Companies with a strong, ethically grounded, value-driven, entrepreneurial culture have a number of similar characteristics. These include:

  • Strong, visionary leadership
  • Complete participation
  • An expectation to “walk the talk”
  • Investment in the vision

Strong, visionary leadership

What are the characteristics of great leadership and how does strong management drive an organization and its employees? Leadership is one of a number of key factors that can unite or divide an organization. There is a definite correlation between strong, visionary leadership within an organization and its culture, people and the overall control environment.

A well-known company recently hired a new CEO with strong leadership skills and vision. He inherited a company with significant challenges. Sales and overall growth were flat; the sales infrastructure was inefficient and disconnected from the rest of the company; productivity and morale needed improvement; and the board and executive team had historically been comfortable doing the same thing year after year. What’s fascinating about this company’s history is that it was founded and subsequently developed from a novel idea. The brand was extremely strong in the markets in which the company operated, and the company enjoyed a significant market share relative to similar-sized competitors. However, it was clear the entrepreneurial spirit and vision had faded as the company matured. Employees accepted the status quo because their results were deemed to be “good enough.”

The new CEO quickly assessed the company’s challenges and prospects. He was passionate about the company’s future and set out to transform the organization by implementing a new strategy. He garnered support from the board and initiated calculated changes to drive results. The modifications to people, processes and strategy included turnover in the executive suite over a defined period of time, a consistent, one-firm strategy cohesively developed and implemented with extensive support throughout the management ranks, and tactical leadership meetings to evaluate facts and embrace decision making that challenged the current and past culture and business model. The new CEO simply used strong, visionary leadership skills to tap into his and other team members’ experience and drive synergies that led to greater success for the whole. Today, the company has doubled in size and continues to challenge current success with a continuous improvement mindset.

Complete participation

Company culture could be described as a traditional view, a way of doing business or a custom that affects every employee. The reality is a company’s culture cannot be separated from individual behavior, and risk management is everyone’s responsibility. Case studies of poorly performing companies—companies with fraud and abuse or operational failures, which could lead to compliance issues, quality defects, product recalls and, ultimately, financial restatements, among others—can often be directly traced to the corporate culture and poor tone at the top.

For example, managers may not believe their actions affect overall behavior. This style of leadership, however, can result in an atmosphere of organizational tolerance or leniency toward cutting corners. The status quo can become an acceptable level of success. Employees are quick to conclude what’s acceptable and what’s overlooked—to realize what they can “get away with.” 

One company failed to establish and enforce ERM, internal audit and internal control activities within the fabric of the organization. Executive leadership thought everything was fine simply because the company wasn’t experiencing many of the challenges its competitors or peers were tackling. Control-related activities, however, were not aligned or coordinated. They existed in silos and failed to identify the company’s most significant risks, and there was no understanding of the interdependency of common risks.

Over a two-year period, the company’s internal audit team performed more than 35 audits, resulting in more than 150 audit observations. Approximately 35 percent of the audits were rated as “needs improvement” or “unsatisfactory.” Nearly 90 percent of the audit observations identified by internal audit were accepted by process owners, and appropriate action plans were developed and communicated to the audit committee. The CEO, however, failed to see any value from the related internal audit activities, stating that internal audit’s observations lacked meaning and benefit to the organization regardless of the fact that line managers and process owners accepted and acknowledged value from the audits. Why would line management accept 90 percent of the observations if they lacked value or meaning to the company? In fact, one of the audits identified an accounting-related error that led to a multi-year restatement of the company’s financials.

The example above demonstrates how tone at the top affects corporate culture and employee behavior. After further analysis, it was shown that although line management acknowledged value from the recommendations, internal audit had difficulty getting management to respond to audit requests. The audit cycle was inefficient from the beginning of each audit to the drafting of the report. Many times, the audit reports were only finalized once the audit committee requested updates. Ultimately, management agreed to the recommendations and expressed positive feedback regarding the observations, but responding to audit requests and emphasizing compliance with internal controls wasn’t a priority because the executive team set the example that risk management was less important than other initiatives. As a result, the company dealt with self-generated issues—issues that could easily have been avoided if the proper culture of control had been maintained.

An expectation to “walk the talk”

One way to encourage and maintain employee behavior that can lead to a strong corporate governance program is for the company’s board, each executive and every senior manager to live according to the standard required of company employees. It’s the flip side of “do as I say, not as I do.” In business, as in other areas of life, people do as their leaders do. Too often, leadership is not reprimanded for noncompliance with policies and procedures. They don’t address and correct defiance within the ranks and, as a result, others begin to bend the rules, knowing it’s unlikely there will be meaningful repercussions. One management team that failed to adequately address employee fraud soon found itself dealing with another fraud in the organization. It’s important for management to set a standard, communicate expectations and hold employees accountable for their actions.

Perhaps the best advice is to encourage your team to make decisions and conduct business affairs as though they expect to give an account of their actions to a reporter on the six o’clock news. In one organization, the CEO consistently reminds his management team to live according to the six o’clock news standard. While the standard is admirable, the reality is when something goes wrong it’s often the CEO or a board member answering the reporter’s questions, regardless of whose behavior is at issue.

Clearly, the actions of one can, and often do, impact everyone—the employee whose bonus was reduced due to operational losses, the staff displaced as a result of personnel reductions, the shareholder whose investment loses value because of financial loss or reputational damage, or the CEO interviewed by the investigative reporter regarding why his or her staff failed to follow management’s and the board’s standards or policies.

Investment in the vision

Athletes use the slogan “no pain, no gain” as they train for competition. Wealth management professionals develop a personal plan or investment strategy for each client. The question is: Are you investing in the creation and maintenance of your corporate culture? Creating a strong corporate culture and governance standard isn’t easy, but the effort will pay significant dividends through reduced compliance costs, enhanced efficiency in business processes and operations, strengthened controls, and, ultimately, improved morale and employee satisfaction. Employees want to understand what is required, know they have management’s support and commitment to address challenges and roadblocks, and make certain everyone will be held accountable on the path to success. Employees are willing to be stretched if given the opportunity and support.

A good example is a company that wanted to design and implement an ERM strategy. The CFO and audit committee chair were committed to this cause and rightfully expected benefits from a strengthened risk management program. The CEO, however, wasn’t keen on the idea and didn’t understand how ERM would help them manage daily or long-term tasks more efficiently or effectively. He thought the management team knew what the risks were and challenged the team to properly monitor them. Even though he was open about his reservations, he supported the process and committed to participate and support his management team in the ERM effort.

Throughout the interview process and when survey results were analyzed, consistent trends began to emerge, and key risks to the organization were identified. As the process continued and risks were prioritized, the management team participated in facilitated sessions to discuss and confirm the identified risks. Although slight modifications and consolidations were made during the facilitated discussions, the team settled on the top risks and agreed that additional work was needed.

As expected, the next step was to identify the mitigating strategies for the top risks and further analyze these risks based on risk direction, scope and velocity. The team continued to discuss risk and control gaps and improvement opportunities. Collectively, they realized several gaps and improvement opportunities existed and ultimately developed actionable remediation plans for 91 percent of the top risks identified. The “aha” moment wasn’t in the risk identification phase; it was in the analysis of the mitigating strategies and the gap/improvement opportunities. The CEO later told his audit committee his initial doubts were quickly erased as he participated with his leadership team in identifying risk gaps and improvement opportunities that were unknown before the process began.

Building a culture that encourages the desired behavior

The issue becomes a matter of fostering and encouraging the behavior you desire so trust is established, quality is enhanced and operating efficiencies are gained. Individuals responsible for building the corporate culture should consider the implications of current management philosophies, policies and procedures, key performance metrics and the level of accountability for individual behavior.

There will always be challenges to the process, but focusing on a few key principles can help overcome any obstacles.

People generally want to succeed. Through leadership, investment in developing and maintaining a strong corporate culture, accountability for every employee and participation in risk management at every level, people can be encouraged and persuaded to change and embrace a new philosophy.

Presenting the facts isn’t enough. Simply stating why a change in corporate culture and individual behavior is needed isn’t enough motivation to sustain the level of change required to develop a new culture. Make the value personal by helping the team understand and see more than facts. Help them understand how it will make their life easier and enhance opportunities to achieve individual goals. Find the individual value driver(s) and help employees see the connection between the newly established goal and the desired outcome.

“Groupthink” that contradicts the common goal should be addressed. People can often be swayed by the group. Peer pressure is real and can alter individual motivations. Research studies frequently report on control groups that consistently provide incorrect answers to questions or problems, yet unknowing individuals follow the group, even though they suspect the answers are misguided. Create an environment where individual thought, accountability and leadership are encouraged and rewarded.

Allow mistakes to be teaching moments. It’s difficult to acknowledge one’s mistakes, but that’s the first step to learning. Encouraging an environment where mistakes can be the catalyst to improvement can move the organization from good to great. Mistakes are going to happen, so ensure they are thoroughly studied so future decisions benefit from facts gained from past experiences.

Continuous improvement is a must. The goal is to create a culture that supports desired behaviors. As new employees join a company and old employees leave, the culture constantly changes. This suggests corporate culture isn’t something achieved; rather, culture is something pursued. A corporate culture temperature check should be completed annually, with strategy adjustments according to feedback, desired outcomes, internal and external threats, competition and other relevant considerations.

Employee behavior is critical to maintaining a strong corporate governance environment. Controls can be overridden, overlooked and ignored. Culture creates the guardrails that make undesirable behavior unacceptable. Some questions that can help you assess corporate culture include:

  • Does your company have a formal, written statement on culture and governance vision that is clearly communicated to all employees?
  • Do employees know they can report objectionable behavior and are they rewarded for doing so?
  • Does the board have and maintain the appropriate tone at the top and is it helping to create and support the desired corporate culture?
  • Is the company’s corporate culture formally assessed on a routine basis and is it measured to ensure cultural strategy is adjusted and continuous improvement is embraced?
  • Is accountability established so individual decisions and performance are assessed, and risk management is integrated into every job description?

These questions can be useful in assessing awareness of the corporate culture, the resulting impact on corporate governance and the effect on employee behavior. True ERM must include an evaluation of corporate culture and tone at the top, as the culture your organization creates will be a major determinant in your employees’ behavior.

About John Brackett

John is a partner in McGladrey’s risk advisory practice where he serves as the firm’s ERM practice leader. He has over 19 years of diversified experience in financial, operational, compliance and process efficiency audits. John has provided strategic guidance and training to various boards of directors and audit committees and facilitated enterprise risk management implementation efforts at numerous organizations. He has worked with companies across the globe, including Fortune 500 and large privately held organizations. 

John is a member of the American Institute of Certified Public Accountants, North Carolina Association of Certified Public Accountants and the Institute of Internal Auditors.


About McGladrey

McGladrey & Pullen, LLP operates under the McGladrey brand as the fifth largest U.S. provider of assurance, tax and consulting services, with nearly 6,500 professionals and associates in more than 70 offices nationwide. McGladrey & Pullen is a licensed CPA firm, and is a member of RSM International, the sixth largest global network of independent accounting, tax and consulting firms.

John Brackett
Partner, Risk Advisory Services
McGladrey & Pullen, LLP
