Questions to ask about GRC – #5: Culture
Continuing the discussion from:
5. Does the organization have a culture that embraces performance, intelligent taking of risk, and compliance with laws, regulations, and society’s expectations?
Thought leaders have been writing about organizational culture for a long time. Many were interested in assuring organizational values, ethics, and integrity. Others focused on compliance, both with external laws and regulations and with internal standards and policies.
The culture of every organization affects its behavior. For example:
- How aggressive or passive are managers and executives in driving employees and others (such as vendors and channel partners) to perform?
- Are they so aggressive that they are willing to take risks beyond levels acceptable to the organization?
- Are they so passive that opportunities fly by without being noticed? Is so much time taken deciding whether to take the risk that “time expires”?
- Is failure punished so severely that risks are not taken?
- Is failure too easily accepted, so more risks are taken than appropriate?
- Are they so busy performing that they fail even to consider compliance requirements?
- Does management listen to the compliance professionals? Do the risk officers have a voice?
- Are they willing to risk compliance issues in order to turn a profit?
- Is everybody advancing their own interests (compensation, power, etc.) over those of the organization? Is this an accepted behavior?
- Do units compete unhealthily? (I worked at a company where two of our factories bid on a major contract with a telecom company; they continued to lower their bids even when the field was reduced to two – and they were fully aware who the other bidder was.)
- Is the long-term sacrificed for short-term rewards?
- Do executives and the board trivialize societal expectations, or are they given prioritized over performance?
- Are employees valued? Really? Do they believe they are valued and perform accordingly?
- How great is the pressure on employees to perform? Is it too much, too little, or just right?
One interesting ‘test’ is to walk around the offices or factory floors and see what is posted. If you see group performance and safety metrics that are current and clearly part of discussions at group meetings, you are seeing signs of a healthy culture.
Another test is to see how many people leave, and how they leave, at ‘quitting time’. When everybody stays and are clearly relieved to be heading home (or to the nearest watering hole), you might question their commitment to the firm. When many stay and appear totally stressed, you might worry about pressures may lead them to cut corners. But when people are happily chatting about the business and results, the culture is more likely to be healthy.
Culture can be excessively aggressive or passive. Striking and maintaining the right balance is not easy, but is essential to delivering sustained performance, considering risks, and remaining in compliance.