The focus on culture and its impact on the organization is increasingly on the radars of regulators and investors. A series of spectacular scandals involving well-known brands in the past 18 months is sparking closer examination of not just the mechanics of the breakdowns, but the atmosphere in which they occurred.
In previous blogs, I shared my observations on how breakdowns of good governance contributed to these scandals, including at FIFA, Toshiba, and Volkswagen. It’s time to take a look at organizational culture’s impact on what should be internal auditing’s primary focus — governance, risk, and control (GRC).
There are many variations on the definition of GRC. For our purposes, I’ll rely on one offered in Internal Auditing: Assurance & Advisory Services that aligns with my own view of GRC.
Governance
The book defines governance as, “. . . the combination of processes established and executed by the board of directors (BOD) that are reflected in the organization’s structure and how it is managed and led toward achieving goals.”
The latter part of this definition, “how it is managed and led toward achieving goals,” comes very close to defining organizational culture or, “how things get done around here.” It should not be surprising then that when culture goes bad, governance is often an enabler or co-conspirator.
A recent report from The Financial Reporting Council, Corporate Culture and the Role of Boards, finds, “The board has a responsibility to understand behavior throughout the company and to challenge where they find misalignment with values or need better information.” Importantly, it urges boards to devote sufficient resources to evaluating culture.
It is therefore imperative for boards of directors not just to set the culture, but also to monitor it, and there is no better resource for objective assurance on the health of organizational culture than internal audit.
The report identifies a number of areas where the board can shape culture. Two key areas are:
“Boards must be actively engaged in the business of shaping, overseeing, and monitoring culture and holding the executive to account where they find misalignment with company purpose and values,” according to the report.
From an internal audit perspective, the audit function must be attuned to its organization’s culture and be willing and able to tell the board when and where the organization’s culture is exhibiting unhealthy symptoms.
Risk
There are many definitions of risk and risk management. However, keeping with the same resource, the internal auditing textbook defines risk management as “. . . predicting and managing risks that could hinder the organization to achieve its objectives.”
An organization’s risk culture should align with its values. When it becomes misaligned, risk management can become ineffective.
In a previous blog I used the analogy of risk appetite as the lanes on a highway, with the board directing management to stay within those lanes. Internal audit therefore must have a strong understanding of the board’s risk appetite in order to know when and where the organization is straying outside the lanes. When an organization’s culture encourages or rewards management for “reckless driving” with no regard for the risk appetite lanes, an accident often ensues.
Similarly, the board and internal audit should be alert to when corporate culture creates additional risks (such as a culture where the ends justify the means) and take steps to identify and mitigate those risks.
Control
As we all know, well designed and implemented systems of internal controls are paramount to mitigating risks. If the real definition of culture is “how things are done around here,” there is no better barometer of an organization’s culture than its respect for a strong control environment.
One of the primary areas internal audit provides assurance to management and the board is on the design and effectiveness of internal controls. Internal audit should be constantly alert to a culture that fosters disregard and noncompliance with the organization’s controls. When internal audit’s work discloses control circumvention or failures, internal auditors have an obligation to seek out the root cause – which from my experience can frequently be cultural.
In a blog, one can only scratch the surface of a subject as complex as the impact of culture on GRC. However, as our own body of knowledge on auditing culture emerges, it is important to recognize that culture is pervasive and can influence every aspect of an organization. Peter Drucker noted that “culture eats strategy for breakfast.” If that is true, then governance, risk, and controls are often its appetizers.
One line from the FRC report struck me as particularly valuable in discussions about culture and GRC. The report cites Built to Last: Successful Habits of Visionary Companies, whose authors note that strategies and practices change but values do not.
The core values that govern an organization, and how the executive team carries them out, ultimately dictate the strength or weakness of its GRC. CAEs should develop a clear-eyed understanding of what that culture is and build their internal audit plans and strategies accordingly. As always, I welcome your comments.