Ideas on Auditing Organizational Culture
This week I attended another meeting of the Chief Audit Executive Leadership Forum, where the subject was auditing organizational culture. The conversation brimmed with useful ideas on how to audit and monitor this particularly intangible thing, and we’ve seen plenty of examples this year of culture gone awry. So let’s get into it.
Consider Where the Risk Is
At first we struggled even to define organizational culture. Some of us reached for the natural candidate, tone at the top. That’s true to some extent; the tone senior executives set is critical for organizational culture. CEOs who set a bad tone can certainly put their culture on the path to failure.
Still, I would recommend defining culture more precisely than that, so you can define the risks against it more clearly, too. Early-education teachers have a saying about toddlers: they hear only half of what you say, but see all of what you do. That’s also very true of employees; they take their cues from what senior executives do far more than what those executives say.
So the more formal efforts for tone at the top—the Code of Conduct, the CEO speeches, the mission statements—can help, but they are a rounding error compared to the importance of senior leaders’ daily conduct. When the CEO gets a hefty pay raise during the middle of bitter union contract negotiations (which just happened at News Corp.), or pushes for personal use of corporate aircraft even while profits are plunging (which just happened at Sports Direct), employees notice.
To put it another way, as soon as employees get an impression of undeserved privilege, your culture efforts are sunk. Deserved privilege is fine; that’s the spirit of incentive pay and rewards for hard work or talent. Undeserved privilege, however, breeds employee discontent. They see managers getting special treatment the managers don’t deserve, and from there your culture starts to rot away.
More broadly, we can define corporate culture as the customs, attitudes, and behaviors within an organization. But let’s be honest: auditors look for evidence of bad culture. A bad corporate culture suffers from indifference, where employees don’t care about performing to ethical standards. Why don’t they care? We could probably write a book about that. For starters, however, audit or compliance professional can look for evidence that some people in the company believe others are getting something they don’t deserve. Right or wrong, those beliefs do put your culture at risk.
Culture vs. Sub-Culture
Another point to consider is that you will rarely find a material weakness in the whole organizational culture, where the CEO is the proper throat to squeeze. Much more likely, you’ll find multiple sub-cultures with different problems. That raises the question of how to assign accountability for them.
Sub-cultures themselves aren’t necessarily bad. Highly acquisitive companies will always have sub-cultures. Geographic disparities will create sub-cultures. The issue is whether the fundamental values are the same across the whole enterprise, and whether someone is accountable for the sub-culture to ensure its actions correspond to those values.
What we’re talking about, really, is the balance between enterprise-level accountability for the whole culture and unit-level accountability for the sub-culture. The unit might be a geographic region, or a business function, or possibly even a business process. However you define the sub-culture, that’s where you are much more likely to find trouble.
To be sure, sometimes those problems will be so common across multiple units that accountability does trace back all the way to the top. That’s exactly what we saw with Wells Fargo and its scandal of creating fictional accounts for customers. The practice was widespread and long-term, and driven by the (now former) CEO declaring that a “high sales” culture was what he wanted.
In most cases, however, you’ll be auditing a local unit. That means the local chief must be held accountable for culture, and you’ll need to find information about the unit’s culture somehow.
So What Do You Actually Audit?
We struggled on that question, too. You can try auditing culture directly, through mechanisms such as an employee culture survey. (Send the HR department eggnog and ask them to do it for you.) Other ideas were to audit the ethics & compliance function itself, or to examine training completion rates. Several people suggested adding a culture component to whatever routine functional audit you plan to do.
The difficulty is that most information about culture comes in the form of feedback you solicit. That’s not the same as data you can quantify and analyze. Quantified data—something you can feed into a risk matrix, or compare to control performance goals—is the ideal. It helps you determine whether the root cause is some flawed process or operational control failure, or the broader control environment (that is, the culture).
So auditors will probably end up approaching culture indirectly, looking for hints found in other places. One of my favorites is to look at the timing of performance compensation; not how much is awarded, but when employees actually achieve it. We saw an example of that in the SEC enforcement action against Credit Suisse earlier this year; employees improperly classified assets under management to win bonuses, and did so at the end of quarter.
You might also do root cause analyses; in the Credit Suisse example above, the root cause clearly was a high-pressure sales culture. Better yet, do a trend analysis of your root cause analyses. That can show whether the same basic causes of misconduct or risk manifest in multiple units. Which is a big red flag that your culture has gone south.
Other ideas were to look at employee turnover, or termination versus quit rates, or employee turnover compared against different business units or departments. And don’t forget an analysis of your hotline metrics, which we discussed in this blog earlier this year.
Breaking the Bad News
So how do you present these findings, especially if you find severe culture problems? When a function does have culture issues, you could give the function head one quarter to remedy the problems or at least devise a remediation plan. After that, the function head becomes a “special guest” you bring to the next audit committee meeting.
Lots of the remediation can look like the usual audit report and action plan: weakness, proposed remediation, person accountable, and deadline for improvement. The structure and formality of a good internal audit department pays off here, since telling someone “your culture stinks” is a delicate task. The auditor only wants to be the facilitator of improvement, nothing more.
Now, of course when you show the department head all the red flags on your audit report, he or she will insist that the problem is one of resources. (“We know we have a flawed culture, but we can’t secure proper funding for pay raises or new computers.”)
In that case, try enlisting the CFO as the heavy: no department head can postpone your action plan without the CFO’s permission. That puts the onus on the function chief either to re-allocate resources, or ask the CFO’s blessing for help or an extension.
All in all, the CAE forum was a great discussion as usual. If you have other ideas for auditing culture that you want to share, post below!