When Bad Things Happen to Good Companies — the Case For Culture Assurance

May is Internal Audit Awareness month. Over the course of the month, we will be taking a closer look at the internal audit profession from various perspectives, including industry, technology, and the “future auditor”— an embodiment of those skills and capabilities most valuable to the future of the internal audit function. Subscribe to our blog to follow the discussion.



By Brian Christensen, Managing Director
Global Internal Audit Leader




Within the internal auditing profession we’ve become accustomed to talking about “tone at the top,” and the importance of executives setting the right example. Most organizations have embraced the concept of core values — at least on paper. And still, we keep seeing headlines about major companies we respect and admire for their size and success in the marketplace that stumble and stub their toe over cultural issues — anything from sales practices, to the way they treat employees, customers or vendors.

Every organization has its own values or “ethos.” It turns out that that, in itself, is not enough to prevent faux pas of the kind we have seen lately. When bad things happen to good companies, it is important to ask ourselves, “What happened, and how do we prevent it from happening again?” In the age of viral news, the topic is more relevant than ever; it is also the central theme of Internal Audit Around the World, Volume XIII, the 2017 edition of our popular performer perspectives series, which will be released at The IIA Global Conference in July.

It may seem obvious to everyone that culture is important, and that the risks associated with unhealthy organizational culture can derail operations, damage the brand, drive away customers and put a sizeable dent in the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but has been given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific and necessary.

The job falls on internal auditors who, by virtue of their “all access” hall pass, can provide assurance against cultural lapses. Because we already peer across all departments and business units at all levels of the company, we are uniquely positioned to monitor and report on the various tone and executional elements within an organization. In the most basic sense, a culture audit should determine whether policies and practices encourage and enable employees to do the right thing.

Too often, when bad things happen, executives tend to fall back on whether policies and procedures were followed. A culture audit should test and verify — through interviews and surveys — whether those policies and procedures enable operators to employ common sense in how they treat people, or whether they create duress and pressure for ethical compromise.

Culture audits are an opportunity for auditors to talk to employees, managers, customers and vendors, and measure whether conduct matches words, and report on whether the company is living its values, or whether they are hollow. Empowering people to better themselves is beneficial for the organization in the long run. You don’t want to be the company that becomes a running loop on social media or on the front page of the paper.

DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

Ten Keys to Managing Reputation Risk

Warren Buffett once famously said that it takes 20 years to build a reputation and just five minutes to ruin it. All of us see evidence of how true this bit of wisdom is all the time. In the wake of recent corporate scandals, I thought now might be a good time to revisit some of the advice we give our clients on how to preserve reputation and brand.

These “Ten Keys to Managing Reputation Risk” were originally published in April 2013, in Volume 5, Issue 2 of The Bulletin, but they are as relevant today as they were then. They represent what I believe to be the nuts and bolts of reputation risk management, and their effectiveness or absence can make or break a company, as many have discovered first hand. We have organized them below according to five broad imperatives.

Strategic Alignment – A sustainable reputation begins at the top.
  • Effective board oversight – Sets the expectations and lays a foundation for managing reputation risk. The board is an organization’s last line of defense in preserving its reputation and brand image.
  • Integration of risk into strategy-setting and business planning – Makes risk a factor at the decision-making table and facilitates the intersection of risk management with performance management. (This is a critical connection.)
  • Effective communications, image and brand building – While a good story is easy to tell, some companies are better at it than others. Messages that the press, analysts and others communicate are influenced by the good marks on the other nine keys discussed here.
Cultural Alignment – The importance of ethical and responsible business behavior has never been more evident.
  • Strong corporate values, supported by appropriate performance incentives – Tone at the top is vital to effective corporate governance and appropriate incentives help drive a consistent tone in the middle.
  • Positive culture regarding compliance with laws and regulations – A record of having made a strong effort to prevent and detect fraud and corruption is essential to demonstrating the “reasonable assurance” regulators expect.
Quality Commitment – All companies with a strong reputation are noted for their commitment to quality people, processes, products and services.
  • Priority focus on positive interactions with key stakeholders – Stakeholder experiences, or the accumulation of everyday interactions with customers, employees, vendors, regulators, shareholders and other stakeholders in the company, get noticed in the marketplace and are a powerful approach to improving and sustaining reputation. They represent critical “moments of truth” that collectively define an organization’s reputation.
  • Quality public reporting – Quality public financial reporting is something investors expect. If management doesn’t deliver it, it may take a long time for the markets to forgive and forget.
Operational Focus – A strong operational focus is vital to managing reputation risk.
  • Strong control environment – The control environment comprises, among other things, the organization’s commitment to integrity and ethical values; the organizational structure and assignment of authority and responsibility; the process for attracting, developing and retaining competent people; and the rigor around performance measures, incentives and rewards to drive accountability for results. The standards, processes, structures and technologies that provide the basis for carrying out internal control across the organization lay the foundation for a strong controls culture.
  • Company performance relative to competitors – Even if a company does everything else right, its reputation will suffer if its business model is not competitive in the marketplace.
Organizational Resiliency – A company’s reputation is inextricably linked with the resiliency provided by its risk management and crisis management.
  • World-class response to a high-profile crisis – Sooner or later, every company faces a crisis. Its reputation depends on the rapid and decisive response to crisis situations, putting responsibility for the safety of people first. It is a management imperative to build a rapid-response crisis management capability for sudden and unexpected events, especially where they relate to security, safety and environmental issues.

The ten keys outlined above represent the key components to address to reduce reputation risk to an acceptable level. Their common thread is a consistent and sustaining culture that recognizes the value of reputation and actively protects it with a systemic commitment to quality, ethics, communication, controls and preparation.

No company should believe it is immune to a reputational crisis. Nevertheless, a sincere and concerted effort to manage reputational risk by paying attention to the ten components outlined above gives a company a good shot at making it through the fire with its reputation intact.


Thinking M&A or Divestiture? We’ve Got Answers in Our M&A FAQ

By Jim Ryan
Managing Director – Leader, Protiviti’s Mergers & Acquisitions practice


We recently published our M&A FAQ Guide and the timing could not be better. M&A activity, including carve-outs and divestitures, is on the rise around the globe as organizations sharpen their strategic focus. Yet, as noted repeatedly in articles in Forbes and the New York Times, among other media, the majority of companies fail to realize the desired value of their transactions. Why? Simply put, organizational responses are not comprehensively designed to match the complexity of an integration or separation.

Our M&A Guide offers considerations that may better prepare your organization. Mergers and acquisitions tend to be corporate-wide initiatives that, by their very nature, are sprung on employees with little analysis of people, process and technology interdependencies. Additionally, planning is rushed, runways for execution are shortened and key personnel become overcommitted. Our guide can accelerate your M&A activities by providing insights for many of the key challenges that organizations must solve to meet expectations.

For a glimpse at the guidance we offer, consider five questions to ask about your M&A activity:

  1. What is a typical deliverable of the due diligence team?
  2. Have we sufficiently defined the scope and change control process?
  3. How do we structure the team without detracting from daily business demands?
  4. What are the unique issues facing Finance, IT, Marketing and Sales?
  5. What are the key risks?

To make a merger or divestiture succeed, you must align the growth strategy with your corporate strategy; identify the right markets and targets; define and execute thorough, fast due diligence; prepare a detailed plan by phases; and follow up with well-resourced execution.

While nothing replaces focused thought and aggressive action, the information in our guide can help sharpen your focus while reducing risk, improving your chances of realizing desired value – and maybe help you get a little sleep.

Ethics in Corporate Governance: “Walking the Talk”

If it’s true you can’t legislate morality – and all evidence, including but certainly not limited to corporate malfeasance such as the Enron and WorldCom scandals or the questionable corporate behavior of reckless risk-taking to maximize short-term profits and compensation (under “heads I win, tails you lose” compensation structures that left shareholders with the short stick) that contributed to the financial crisis, supports this hypothesis – why do companies bother with ethics policies?

I know Section 406 of Sarbanes-Oxley requires publicly traded companies to disclose whether they have ethics policies and whether their executives are bound by them. But Enron had a beautiful 64-page ethics policy, suitable for framing – for all the good it did them. So what’s the big deal?
