Culture counts, so safeguard it at all costs
The takeout from corporate scandals tracing back to the early 2000s makes it very clear that without an ethical and compliant culture, organisations are at risk. The good thing now, of course, is that culture is moving from a lofty, soft concept to something that should be defined, measured and improved.
In fact, in a speech last year ASIC chairman Greg Medcraft defined culture as ‘a set of shared values and assumptions within an organisation that reflect the underlying ‘mindset of an organisation’, the ‘unwritten rules’ for how things really work. Because culture lies at the heart of how an organisation and its staff think and behave.’ He also made the point that poor culture can be a driver of poor conduct.
That is why boards and senior management must understand the impact culture has on an organisation and what they need to do to protect it.
Simply put, culture is the norms and behaviours of everyday practice: the way someone greets you at reception; the sorts of things that are rewarded, celebrated or punished. It underpins all aspects of an organisation’s performance, from how strategy is executed and how products are sold to change resilience and how risks are managed.
It informs how the risk appetite, risk frameworks and internal controls are impacted by an employee’s behaviour every day.
Some examples of a healthy connection between culture and risk management involve employees being able to question work practices, challenge the status quo and speak out if things don’t feel right without fear of consequence.
And while every organisation is different, there are levers you can use to integrate risk and culture, including leadership, communication, incentives and capability.
It is also well documented that cultural leadership starts at the top. A report released by Korn Ferry in 2016 found business executives in Australia cited the CEO as the most important factor in strengthening culture. CEOs need to cascade simple messages across the organisation that outline how risk is valued, taken and monitored. They need to walk the talk and there need to be consequences when they don’t.
Now comes the tricky bit. Complexity is the enemy of good risk management. Policies, procedures and reporting are all integral to a good risk management framework. However, you cannot write policy for every decision or every judgement, so ethics and values are paramount in ensuring that the right thing gets done. Good behaviours must be rewarded and recognised; poor behaviours must be acted upon and, when necessary, action taken openly and transparently.
Most risk assessment involves a large amount of quantitative data. To get a true insight into how an organisation operates you also need behavioural data, collected through interviews, anonymous voting and focus groups, that shows what is happening and - more importantly - how things are done.
A lived culture is dynamic. It can shift over time and requires ongoing monitoring. ‘Set and forget’ and you’re in real trouble.
Hear more on corporate culture at Corporate Governance Forum 2017
Robyn Worthington, Partner at KordaMentha, and I will be presenting a session on ‘Culture: how to ride the risk and reward seesaw’ at Governance Institute’s Corporate Governance Forums across the country from 31 May to 2 June. We look forward to seeing you there and continuing the conversation on corporate culture.