Expanding the View to Include Culture
Does your organization view compliance as a “check the box” exercise? Many companies do. Chuck Saia, CEO of Deloitte Risk and Financial Advisory, feels differently and shares five ways a board can start broadening its view – and management’s view – of compliance to include issues of culture.
With so many strategic issues to address, how can a board most effectively execute its responsibility to oversee compliance?
The answer: by taking a broader view of compliance.
Many boards see compliance as a check-the-box exercise — a relatively mundane matter to be quickly dispatched so they can focus on more strategic issues. If you view compliance in those terms, then a check-the-box approach actually makes sense.
But, after countless conversations with board members and executives on the topic of overseeing compliance, I’m convinced that this issue needs to be looked at from a different angle — one that helps a board understand the culture of the organization it is overseeing.
Keeping in mind the context of a board’s risk oversight responsibilities, compliance should be viewed more broadly. Employees can operate within legal and regulatory rules while behaving in ways that do not reflect the values of the organization. Such behaviors generate culture risk. Left unchecked, those behaviors can multiply, negatively impacting customers, suppliers, investors, community members and other key stakeholders. Those negative impacts can give rise to other risks – particularly reputational risk.
While regulatory noncompliance presents reputational risks, they generally pale next to those stemming from culture risk. The media and public often have difficulty understanding regulatory violations, but a violation of the trust built up over years between an organization and its stakeholders makes for a dramatic, readily understood — and often very damaging — story.
Addressing culture risk does not mean creating a “culture of compliance.” Such attempts tend to preserve a narrow, rules-driven view of compliance and culture. Addressing culture risk calls for a new view of compliance. This view calls for operating not only within legal and regulatory bounds, but also in ways that reflect the core values of the organization.
Here are five ways a board can start broadening its view, and management’s view, of compliance to include issues of culture.
#1: Grasp the Nature of Culture Risk
Culture risk is a strategic risk – that is, a risk that can undermine the ability of the organization to implement its strategies and achieve its goals. Culture risk also poses financial risks and risks to data, intellectual property and other assets. Yet reputation risk may be the most serious threat, because loss of reputation directly undermines the organization’s ability to implement strategies and achieve goals, often for months or years to come.
As the ultimate overseers of risk and guardians of reputation, the board is responsible for setting the tone at the top and promulgating the right values. The board is also responsible for overseeing culture, reputation and other strategic risks — bearing in mind that regulatory noncompliance also presents reputational risk.
#2: Understand Your Organization’s and Board’s Culture Risk Posture
Culture can be defined in various ways, but essentially, it is the sum total of the values that drive people’s behavior within the organization. Those values — and the culture — are reflected in hiring, compensation, promotion, investment and other decisions at all levels. Culture determines which behaviors are accepted and encouraged in the organization.
Vague notions of culture create culture risks and undermine oversight of the culture. Early in my tenure as Deloitte’s Chief Risk, Reputation and Regulatory Affairs Officer, I was asked about our level of culture risk. Truthfully, I had only a vague, finger-in-the-wind idea. So, we embarked on a journey within our organization to understand insider threats and to build out a broader culture risk program that enables management to identify areas where culture risk might emerge and how to address it.
One caution: Culture risk and conduct risk are not the same. Conduct risk, which includes the risk of fraud and embezzlement, is often monitored in very specific areas (for example, in procurement in manufacturing or trading in financial services). For that reason, a focus on conduct risk can lead to a siloed approach to culture risk and overlook larger cultural issues.
And it is not just a management issue; a board should also understand and periodically reflect on its own culture and risks associated with its behavior.
#3: Promote the Use of Technology
Currently available technologies can help organizations to address compliance and culture risk. Technology-supported compliance programs manage ongoing compliance and reporting based on defined regulatory requirements. These programs enable management, audit committees and boards to know, on a quarter-to-quarter or month-to-month basis, that the organization is in compliance with applicable rules and where issues of noncompliance could emerge.
Similarly, a technology-supported insider-threat program can monitor employee behavior in various ways. For example, surveillance of emails and texts can identify individuals or pockets of individuals who may be engaged in or close to engaging in behavior outside legal, ethical or cultural bounds. Such cases should be referred to the chief ethics, legal or risk officer for consideration and potential action, which may include remediation, training or other steps.
Cultural attributes can be identified and measured and then monitored by tech-supported programs. While less prevalent than compliance and insider-threat programs, culture monitoring programs are gaining traction. Some culture-monitoring programs are geared more toward human resources concerns – for example, tracking employee morale – while others also monitor broader behaviors.
Any tech-supported compliance, insider threat or culture monitoring program should be implemented by, or with direct input from, the business if it is to serve the needs of management and the board. IT can support the implementation, but it shouldn’t drive it.
#4: Ask Culture-Related Questions
In its risk oversight role, the board can broaden management’s approach to compliance to include conduct and culture risk. This entails broadening the conversation around compliance to include culture.
Some useful questions to ask include:
- To what extent and in what ways are we using technology to monitor compliance? To what extent are we using it to monitor conduct? Do we have an insider-threat program?
- What have we done to define the values and the culture that we need in order to support people in their pursuit of organizational goals?
- How are we communicating our organizational values inside and outside the enterprise?
- What are our greatest conduct risks and culture risks?
- How are we measuring conduct risk and culture risk?
- How are we monitoring and managing those risks?
- How have we prepared for the reputational impact of a compliance, conduct or culture risk event?
While broadening the discussion, the board must of course continue to receive adequate assurance that the organization is operating in regulatory compliance.
#5: Start Small, But Get Started
A check-the-box mindset can be hard to overcome, yet given the speed of social media and the durability of internet-based reports, noncompliance can create reputational risks. As we have all seen in various media stories, even more damage can stem from breaches of ethical behavior or betrayals of organizational values.
Technologies that enable continuous monitoring, data visualization and real-time reporting can ratchet up the efficiency of compliance programs. That positions the organization to direct resources toward addressing culture risk. Many organizations begin by instituting a robust, tech-supported insider-threat program. If such a program already exists, it can often be built out into a broader culture-risk monitoring program.
Boards must also bear in mind that culture monitoring programs call for robust governance mechanisms, which typically involve the board as well as the chief legal, ethical or risk officer.
Beyond Table-Stakes Compliance
Today, regulatory compliance programs represent table stakes. Costs of noncompliance can range from minor to major, but when it comes to risks, compliance issues such as regulations often lag behind emerging challenges. Additionally, as they have done to date in financial services, they may also stress the importance of a sound culture while leaving organizations to define what that means and how to go about achieving it.
Focusing on the strategic issues and implications that compliance — and culture — present can engage board members at an appropriate level and enable the board to expand its oversight role to include conduct and culture. This, in turn, can support the executive team in its efforts to create a culture that supports people in their efforts to reach the organization’s goals.