Expanding the View to Include Culture
Does your organization view compliance as a “check the box” exercise? Many companies do. Chuck Saia, CEO of Deloitte Risk and Financial Advisory, feels differently and shares five ways a board can start broadening its view – and management’s view – of compliance to include issues of culture.
With so many strategic issues to address, how can a board most effectively execute its responsibility to oversee compliance?
The answer: by taking a broader view of compliance.
Many boards see compliance as a check-the-box exercise — a relatively mundane matter to be quickly dispatched so they can focus on more strategic issues. If you view compliance in those terms, then a check-the-box approach actually makes sense.
But, after countless conversations with board members and executives on the topic of overseeing compliance, I’m convinced that this issue needs to be looked at from a different angle — one that helps a board understand the culture of the organization it is overseeing.
Keeping in mind the context of a board’s risk oversight responsibilities, compliance should be viewed more broadly. Employees can operate within legal and regulatory rules while behaving in ways that do not reflect the values of the organization. Such behaviors generate culture risk. Left unchecked, those behaviors can multiply, negatively impacting customers, suppliers, investors, community members and other key stakeholders. Those negative impacts can give rise to other risks – particularly reputational risk.
While regulatory noncompliance presents reputational risks, they generally pale next to those stemming from culture risk. The media and public often have difficulty understanding regulatory violations, but a violation of the trust built up over years between an organization and its stakeholders makes for a dramatic, readily understood — and often very damaging — story.
Addressing culture risk does not mean creating a “culture of compliance.” Such attempts tend to preserve a narrow, rules-driven view of compliance and culture. Addressing culture risk calls for a new view of compliance. This view calls for operating not only within legal and regulatory bounds, but also in ways that reflect the core values of the organization.
Here are five ways a board can start broadening its view, and management’s view, of compliance to include issues of culture.
#1: Grasp the Nature of Culture Risk
Culture risk is a strategic risk – that is, a risk that can undermine the ability of the organization to implement its strategies and achieve its goals. Culture risk also poses financial risks and risks to data, intellectual property and other assets. Yet reputation risk may be the most serious threat, because loss of reputation directly undermines the organization’s ability to implement strategies and achieve goals, often for months or years to come.
As the ultimate overseers of risk and guardians of reputation, the board is responsible for setting the tone at the top and promulgating the right values. The board is also responsible for overseeing culture, reputation and other strategic risks — bearing in mind that regulatory noncompliance also presents reputational risk.
#2: Understand Your Organization’s and Board’s Culture Risk Posture
Culture can be defined in various ways, but essentially, it is the sum total of the values that drive people’s behavior within the organization. Those values — and the culture — are reflected in hiring, compensation, promotion, investment and other decisions at all levels. Culture determines which behaviors are accepted and encouraged in the organization.
Vague notions of culture create culture risks and undermine oversight of the culture. Early in my tenure as Deloitte’s Chief Risk, Reputation and Regulatory Affairs Officer, I was asked about our level of culture risk. Truthfully, I had only a vague, finger-in-the-wind idea. So, we embarked on a journey within our organization to understand insider threats and to build out a broader culture risk program that enables management to identify areas where culture risk might emerge and how to address it.
One caution: Culture risk and conduct risk are not the same. Conduct risk, which includes the risk of fraud and embezzlement, is often monitored in very specific areas (for example, in procurement in manufacturing or trading in financial services). For that reason, a focus on conduct risk can lead to a siloed approach to culture risk and overlook larger cultural issues.
And it is not just a management issue; a board should also understand and periodically reflect on its own culture and risks associated with its behavior.
#3: Promote the Use of Technology
Currently available technologies can help organizations to address compliance and culture risk. Technology-supported compliance programs manage ongoing compliance and reporting based on defined regulatory requirements. These programs enable management, audit committees and boards to know, on a quarter-to-quarter or month-to-month basis, that the organization is in compliance with applicable rules and where issues of noncompliance could emerge.
Similarly, a technology-supported insider-threat program can monitor employee behavior in various ways. For example, surveillance of emails and texts can identify individuals or pockets of individuals who may be engaged in or close to engaging in behavior outside legal, ethical or cultural bounds. Such cases should be referred to the chief ethics, legal or risk officer for consideration and potential action, which may include remediation, training or other steps.
Cultural attributes can be identified and measured and then monitored by tech-supported programs. While less prevalent than compliance and insider-threat programs, culture monitoring programs are gaining traction. Some culture-monitoring programs are geared more toward human resources concerns – for example, tracking employee morale – while others also monitor broader behaviors.
Any tech-supported compliance, insider threat or culture monitoring program should be implemented by, or with direct input from, the business if it is to serve the needs of management and the board. IT can support the implementation, but it shouldn’t drive it.
#4: Ask Culture-Related Questions
In its risk oversight role, the board can broaden management’s approach to compliance to include conduct and culture risk. This entails broadening the conversation around compliance to include culture.
Some useful questions to ask include:
- To what extent and in what ways are we using technology to monitor compliance? To what extent are we using it to monitor conduct? Do we have an insider-threat program?
- What have we done to define the values and the culture that we need in order to support people in their pursuit of organizational goals?
- How are we communicating our organizational values inside and outside the enterprise?
- What are our greatest conduct risks and culture risks?
- How are we measuring conduct risk and culture risk?
- How are we monitoring and managing those risks?
- How have we prepared for the reputational impact of a compliance, conduct or culture risk event?
While broadening the discussion, the board must of course continue to receive adequate assurance that the organization is operating in regulatory compliance.
#5: Start Small, But Get Started
A check-the-box mindset can be hard to overcome, yet given the speed of social media and the durability of internet-based reports, noncompliance can create reputational risks. As we have all seen in various media stories, even more damage can stem from breaches of ethical behavior or betrayals of organizational values.
Technologies that enable continuous monitoring, data visualization and real-time reporting can ratchet up the efficiency of compliance programs. That positions the organization to direct resources toward addressing culture risk. Many organizations begin by instituting a robust, tech-supported insider-threat program. If such a program already exists, it can often be built out into a broader culture-risk monitoring program.
Boards must also bear in mind that culture monitoring programs call for robust governance mechanisms, which typically involve the board as well as the chief legal, ethical or risk officer.
Beyond Table-Stakes Compliance
Today, regulatory compliance programs represent table stakes. Costs of noncompliance can range from minor to major, but when it comes to risks, compliance issues such as regulations often lag behind emerging challenges. Additionally, as they have done to date in financial services, they may also stress the importance of a sound culture while leaving organizations to define what that means and how to go about achieving it.
Focusing on the strategic issues and implications that compliance — and culture — present can engage board members at an appropriate level and enable the board to expand its oversight role to include conduct and culture. This, in turn, can support the executive team in its efforts to create a culture that supports people in their efforts to reach the organization’s goals.
Chuck Saia is CEO, Deloitte Risk and Financial Advisory. Chuck leads a risk consulting and financial advisory business comprised of 12,500+ professionals. Deloitte Risk and Financial Advisory helps organizations turn critical and complex business issues into opportunities for growth, resilience, and long-term advantage. Chuck has more than 24 years of experience advising clients on corporate governance, regulatory issues, risk management, and internal controls.
Chuck serves on the Executive Committee of Deloitte and reports directly to Cathy Engelbert, CEO of Deloitte. He has an unwavering commitment to the success of our firm, our professionals, and our clients.
Prior to his current role, Chuck served as the chief risk, reputation and regulatory affairs officer for Deloitte. In this role, he led the transformation of Deloitte’s approach to risk management, changing the conversation around reputation in the marketplace, and serving as a valued advisor to clients, nonprofits, and global organizations. Chuck oversaw strategic and reputational risk management; regulatory affairs; ethics and compliance; confidentiality and privacy matters; independence and business conflict; reputational sensing; and crisis management. He has been instrumental in advancing Deloitte’s brand through frequent client C-suite interactions and marketplace eminence.
Chuck developed and drove the enterprise-wide effort to protect, preserve, and enhance Deloitte’s reputation to clearly distinguish the organization as the leader in professional services in the marketplace. He developed and executed on a comprehensive strategy that aligned Strategic Risk, Reputation and Regulatory Affairs (SRRRA) with other organizational interdependencies. By engaging with leaders and professionals at all levels of the enterprise, he drove cultural change across the organization and set the tone on reputation, ensuring that Deloitte’s people understand the critical role they play in safeguarding Deloitte’s reputation.
Under his leadership, SRRRA transformed Deloitte’s focus on risk from a traditional enterprise risk management (ERM) approach to one that’s more strategic and nimble, repositioning risk as a key enabler to the different businesses so they can adjust and mitigate top and emerging risks, accordingly. Chuck led SRRRA in creating world-class strategic risk management capabilities, including reputational sensing (reputational, regulatory, vendor, etc.), competitor disruption, portfolio fit, culture risk, insider threat monitoring, third-party risk management, and a comprehensive regulatory strategy and stakeholder wiring map.
Previously, Chuck led the governance of Deloitte’s most strategic risks and related opportunities as Deloitte’s chief risk, reputation and crisis officer. He was responsible for overseeing the US organization-wide reputation and risk governance practices. He oversaw the strategic risk management program and led the efficient and effective governance of Deloitte’s most strategic risks and related opportunities. Chuck also oversaw all functional risk leaders while reporting directly to the CEO.
In previous roles, Chuck oversaw the Advisory Business Risk Service Area practice (formerly known as AERS Advisory), leading various market offerings, service lines, and regions. In addition, he served as the lead client service partner and lead risk partner for several high-profile clients.
Chuck has developed relationships at the C-suite level with Deloitte’s key clients and meets with them regularly to discuss current trends in strategic risk, reputation, and regulatory issues while advising client teams dealing with various complex client engagements. He has represented Deloitte as the keynote speaker at high profile events such as the Extended Enterprise Risk Management Executive Summit and the Million Women Mentors Summit and Awards Gala on the Hill.
Chuck contributes frequently to thought leadership, reporters’ requests and publishing bylines on strategic and reputational risk, crisis response, compliance issues, and other subjects related to reputation and corporate governance. His recently published titles in industry-leading outlets include: “Managing Risk with Digital Technology” and “Turning Reputational Risk into Opportunity,” in the WSJ Risk & Compliance Journal; “To be the disrupted or the disruptor? That is the question,” in CEO Magazine; a three-part series on reputational risk in Directors & Boards; “Triple threat: How to handle three top risks to reputation” and “Practical Ideas on Managing Reputation Risk” in Compliance Week; and “Here’s the best advice I can give you about protecting your reputation” in Business Insider.
Chuck utilizes social media (Twitter, LinkedIn) to build Deloitte eminence and spark conversations around leadership, diversity, and strategic and reputational risk. His insights are regularly featured on various industry groups handles.
Chuck has held various leadership positions at Deloitte, including National Leader of Business Risk Service Area; Northeast Leader of Enterprise Risk Services; National Leader Risk Advisory—Financial Services. Chuck has also served as Lead Client Service Partner and Lead Advisory Partner for multiple multinational banking and financial services clients.
He is a Certified Public Accountant and has an MBA from Quinnipiac University with a focus on internal controls. He serves on various boards, including the Lupus Foundation of New Jersey, the Quinnipiac University’s Business School NYC Advisory Committee, and the Mustang Travel Sports Club of NJ.
A father of two boys and resident of New Jersey, Chuck is committed to giving back to his community through volunteering and pro bono efforts. Chuck is an avid runner, a passionate fisherman, and a devoted fan of the New York Yankees, New York Giants, and New York Knicks.
