When Bad Things Happen to Good Companies — the Case For Culture Assurance

May is Internal Audit Awareness month. Over the course of the month, we will be taking a closer look at the internal audit profession from various perspectives, including industry, technology, and the “future auditor”— an embodiment of those skills and capabilities most valuable to the future of the internal audit function. Subscribe to our blog to follow the discussion.



By Brian Christensen, Managing Director
Global Internal Audit Leader




Within the internal auditing profession we’ve become accustomed to talking about “tone at the top,” and the importance of executives setting the right example. Most organizations have embraced the concept of core values — at least on paper. And still, we keep seeing headlines about major companies we respect and admire for their size and success in the marketplace that stumble and stub their toe over cultural issues — anything from sales practices, to the way they treat employees, customers or vendors.

Every organization has its own values or “ethos.” It turns out that that, in itself, is not enough to prevent faux pas of the kind we have seen lately. When bad things happen to good companies, it is important to ask ourselves, “What happened, and how do we prevent it from happening again?” In the age of viral news, the topic is more relevant than ever; it is also the central theme of Internal Audit Around the World, Volume XIII, the 2017 edition of our popular performer perspectives series, which will be released at The IIA Global Conference in July.

It may seem obvious to everyone that culture is important, and that the risks associated with an unhealthy organizational culture can derail operations, damage the brand, drive away customers and put a sizeable dent in the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but has been given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific and necessary.

The job falls on internal auditors who, by virtue of their “all access” hall pass, can provide assurance against cultural lapses. Because we already peer across all departments and business units at all levels of the company, we are uniquely positioned to monitor and report on the various tone and executional elements within an organization. In the most basic sense, a culture audit should determine whether policies and practices encourage and enable employees to do the right thing.

Too often, when bad things happen, executives tend to fall back on whether policies and procedures were followed. A culture audit should test and verify — through interviews and surveys — whether those policies and procedures enable operators to employ common sense in how they treat people, or whether they create duress and pressure for ethical compromise.

Culture audits are an opportunity for auditors to talk to employees, managers, customers and vendors, measure whether conduct matches words, and report on whether the company is living its values or whether they are hollow. Empowering people to better themselves is beneficial for the organization in the long run. You don’t want to be the company that becomes a running loop on social media or on the front page of the paper.

DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different from prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

The Four C’s in Overseeing Internal Audit

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.


By Brian Christensen, Managing Director
Internal Audit Global Leader




In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.


Ten Keys to Managing Reputation Risk

Warren Buffett once famously said that it takes 20 years to build a reputation and just five minutes to ruin it. All of us see evidence of how true this bit of wisdom is all the time. In the wake of recent corporate scandals, I thought now might be a good time to revisit some of the advice we give our clients on how to preserve reputation and brand.

These “Ten Keys to Managing Reputation Risk” were originally published in April 2013, in Volume 5, Issue 2 of The Bulletin, but they are as relevant today as they were then. They represent what I believe to be the nuts and bolts of reputation risk management, and their effectiveness or absence can make or break a company, as many have discovered first hand. We have organized them below according to five broad imperatives.

Strategic Alignment – A sustainable reputation begins at the top.
  • Effective board oversight – Sets the expectations and lays a foundation for managing reputation risk. The board is an organization’s last line of defense in preserving its reputation and brand image.
  • Integration of risk into strategy-setting and business planning – Makes risk a factor at the decision-making table and facilitates the intersection of risk management with performance management. (This is a critical connection.)
  • Effective communications, image and brand building – While a good story is easy to tell, some companies are better at it than others. Messages that the press, analysts and others communicate are influenced by the good marks on the other nine keys discussed here.
Cultural Alignment – The importance of ethical and responsible business behavior has never been more evident.
  • Strong corporate values, supported by appropriate performance incentives – Tone at the top is vital to effective corporate governance and appropriate incentives help drive a consistent tone in the middle.
  • Positive culture regarding compliance with laws and regulations – A record of having made a strong effort to prevent and detect fraud and corruption is essential to demonstrating the “reasonable assurance” regulators expect.
Quality Commitment – All companies with a strong reputation are noted for their commitment to quality people, processes, products and services.
  • Priority focus on positive interactions with key stakeholders – Stakeholder experiences, or the accumulation of everyday interactions with customers, employees, vendors, regulators, shareholders and other stakeholders in the company, get noticed in the marketplace and are a powerful approach to improving and sustaining reputation. They represent critical “moments of truth” that collectively define an organization’s reputation.
  • Quality public reporting – Quality public financial reporting is something investors expect. If management doesn’t deliver it, it may take a long time for the markets to forgive and forget.
Operational Focus – A strong operational focus is vital to managing reputation risk.
  • Strong control environment – The control environment comprises, among other things, the organization’s commitment to integrity and ethical values; the organizational structure and assignment of authority and responsibility; the process for attracting, developing and retaining competent people; and the rigor around performance measures, incentives and rewards to drive accountability for results. The standards, processes, structures and technologies that provide the basis for carrying out internal control across the organization lay the foundation for a strong controls culture.
  • Company performance relative to competitors – Even if a company does everything else right, its reputation will suffer if its business model is not competitive in the marketplace.
Organizational Resiliency – A company’s reputation is inextricably linked with the resiliency provided by its risk management and crisis management.
  • World-class response to a high-profile crisis – Sooner or later, every company faces a crisis. Its reputation depends on the rapid and decisive response to crisis situations, putting responsibility to the safety of people first. It is a management imperative to build a rapid-response crisis management capability for sudden and unexpected events, especially where they relate to security, safety and environmental issues.

The ten keys outlined above represent the key components to address to reduce reputation risk to an acceptable level. Their common thread is a consistent and sustaining culture that recognizes the value of reputation and actively protects it with a systemic commitment to quality, ethics, communication, controls and preparation.

No company should believe it is immune to a reputational crisis. Nevertheless, a sincere and concerted effort to manage reputational risk by paying attention to the ten components outlined above gives a company a good shot at making it through the fire with its reputation intact.


Ethics in Corporate Governance: “Walking the Talk”

If it’s true you can’t legislate morality – and all evidence, including but certainly not limited to corporate malfeasance such as the Enron and WorldCom scandals or the questionable corporate behavior of reckless risk-taking to maximize short-term profits and compensation (under “heads I win, tails you lose” compensation structures that left shareholders with the short stick) that contributed to the financial crisis, supports this hypothesis – why do companies bother with ethics policies?

I know Section 406 of Sarbanes-Oxley requires publicly traded companies to disclose whether they have ethics policies and whether their executives are bound by them. But Enron had a beautiful 64-page ethics policy, suitable for framing – for all the good it did them. So what’s the big deal?


Using Five Lines of Defense for Your Risk Management Super Bowl

With the Super Bowl just around the corner, don’t ask me who is going to win. That I don’t have a clue just makes it even more exciting as either team is capable of winning.

Unlike the anticipation many of us are feeling with the Super Bowl match-up between Seattle and Denver, risk management and compliance management issues do not generate the same level of excitement unless something goes wrong and the board of directors, CEO and executive team are pushed into crisis management mode. Instead of the outcome being decided in one football season or a single game, effective enterprise risk management is an ongoing process of “blocking and tackling” to make sure it works — and, in today’s fast-paced world, a company’s viability often depends on it being done right.

In a recent issue of Board Perspectives: Risk Oversight, we discuss how an effectively designed and implemented lines-of-defense framework (as shown below) can provide strong safeguards against breakdowns in risk management and compliance management.

[Figure: the five lines of defense model]

As you can see, this lines-of-defense model emphasizes a fundamental concept of risk management: From the boardroom to the customer-facing processes, managing risk, including compliance risk, is everyone’s responsibility. It differs from the traditional view of three lines of defense.

I encourage you to subscribe to this newsletter and invite you to provide any comments or responses here. How does your organization safeguard against breakdowns in risk management and compliance management? How does executive management evaluate the organization’s risk culture? Do the board of directors and executive management play separate and distinct roles in overseeing the execution of risk management and compliance management?

Note that this article is also available on my blog for the National Association of Corporate Directors: http://www.directorship.com/author/jim-deloach/. You also can find more about the five lines of defense here.