In an earlier post, I discussed corporate culture as one of the items Protiviti recommends audit committees focus on as they shape their agendas for 2018. I want to follow up with some suggestions on how organizations might include a culture assessment in their plans for the year.
There are several different ways to approach a culture assessment. The internal audit functions of some organizations integrate risk culture into all of their existing audits. Others perform a stand-alone assessment. Regardless of the form it takes, an effective culture assessment can be divided into three primary focus areas — organizational vision and values, risk management, and people management.
Vision and Values
This portion of the assessment focuses on the tone at the top, the engagement of the board, strategic planning processes and clarity around the consideration of risk in decision making. A vision-and-values assessment also looks at corporate communications, including frequency, type and volume of top-down and bottom-up exchanges. A good vision-and-values assessment covers the adequacy of policies and procedures, code of conduct, whistleblower hotlines and other forms of escalatory communications channels with an eye on effectiveness. The purpose of this portion of the assessment is to determine the extent to which the vision and values have permeated all levels in the organization. For example, is the tone in the middle aligned with the tone at the top?
Risk Management
If vision and values are a measure of the culture a company aspires to, risk management provides tangible proof of that culture in action. Under risk management, an effective culture assessment should consider the governance framework and risk orientation, risk appetite, roles and responsibilities, and supporting tools and technology. Think about accountability, ownership and committee charters, and then risk transparency and escalation processes. Look at hotline call logs. Is there a “speak-up” culture? If not, why not? How does risk get reported? Is risk information actionable for decision making?
People Management
Finally, look at how people are being managed. Consider incentives and rewards. Are the incentives aligned with professed values, or is there a chance that employees might be tempted, or even coerced, to cut corners or behave unethically to attain rewards? This is an area that has gotten companies into trouble in the past. Does the organization employ lifecycle management, considering processes around recruitment, hiring, career-pathing, development and exit? How effective are the feedback loops that keep leaders in touch with business realities? How effective is skills training? In essence, a people management evaluation should take a risk-based approach and should apply to everything from employee reviews to board training and executive succession planning. It should also consider the diversity of the executive ranks and of the boardroom.
This three-pronged approach should provide a well-rounded picture of an organization’s corporate culture, from intention to application and outcome. Internal audit functions that do not have a stand-alone culture assessment planned but are beginning to consider one can address risk culture in the audits they are currently performing. There is no need to issue a separate report, but the results of this informal assessment can be fed into the risk assessment process for the following year. Thinking outside the scope of the audit plan can deliver greater value to the audit committee.
Do you have an effective culture assessment plan? Please join the discussion by posting your thoughts and ideas in the comment section below.