
Questions to ask about GRC – #5: Culture

Continuing the discussion from:

Questions to ask about GRC – Part 1

Questions to ask about GRC – Part 2, question 1: Goals and Strategies

Questions to ask about GRC – Part 2, question 2: Harmony

Questions to ask about GRC – Part 2, question 3: Integration

Questions to ask about GRC – Part 2, question 4: Fragmentation


5. Does the organization have a culture that embraces performance, intelligent taking of risk, and compliance with laws, regulations, and society’s expectations?

Thought leaders have been writing about organizational culture for a long time. Many were interested in assuring organizational values, ethics, and integrity. Others focused on compliance, both with external laws and regulations and with internal standards and policies.

More recently, the discussion has turned to the notion of a “culture of greed”. Consider these stories about Spanish and UK banks, and this about Goldman Sachs.

The culture of every organization affects its behavior. For example:

  • How aggressive or passive are managers and executives in driving employees and others (such as vendors and channel partners) to perform?
  • Are they so aggressive that they are willing to take risks beyond levels acceptable to the organization?
  • Are they so passive that opportunities fly by without being noticed? Is so much time taken deciding whether to take the risk that “time expires”?
  • Is failure punished so severely that risks are not taken?
  • Is failure too easily accepted, so more risks are taken than appropriate?
  • Are they so busy performing that they fail even to consider compliance requirements?
  • Does management listen to the compliance professionals? Do the risk officers have a voice?
  • Are they willing to risk compliance issues in order to turn a profit?
  • Is everybody advancing their own interests (compensation, power, etc.) over those of the organization? Is this an accepted behavior?
  • Do units compete unhealthily? (I worked at a company where two of our factories bid on a major contract with a telecom company; they continued to lower their bids even when the field was reduced to two – and they were fully aware who the other bidder was.)
  • Is the long-term sacrificed for short-term rewards?
  • Do executives and the board trivialize societal expectations, or are they prioritized over performance?
  • Are employees valued? Really? Do they believe they are valued and perform accordingly?
  • How great is the pressure on employees to perform? Is it too much, too little, or just right?

One interesting ‘test’ is to walk around the offices or factory floors and see what is posted. If you see group performance and safety metrics that are current and clearly part of discussions at group meetings, you are seeing signs of a healthy culture.

Another test is to see how many people leave, and how they leave, at ‘quitting time’. When everybody leaves and is clearly relieved to be heading home (or to the nearest watering hole), you might question their commitment to the firm. When many stay and appear totally stressed, you might worry that pressures may lead them to cut corners. But when people are happily chatting about the business and results, the culture is more likely to be healthy.

Culture can be excessively aggressive or passive. Striking and maintaining the right balance is not easy, but is essential to delivering sustained performance, considering risks, and remaining in compliance.

  1. Khanh Vuong
    July 22, 2012 at 6:33 AM


    I have been reading this latest series with great interest. I believe the GRC concept to be furthest on the continuum of developments of all risk, compliance and governance frameworks or standards.

    About culture, I would say (and hope you would add a special section on it) that besides the broader organizational culture regarding the management style and values, there is also a lot to be discussed about the risk management culture of an organization. The latter refers specifically to an organization’s views and perceptions of risk, internal controls, risk management strategies, governance, etc. I am continually amazed at how nuanced these subjects can be, and how most organizations (except maybe for the largest) choose the most convenient way out of the conundrum by going with whatever may be the most talked about techniques and ideas–where cultural biases and ignorance (both within an organization and within the larger community of peers and other members) unfortunately take over and infect the entire GRC program or concept from the very first step.

    Take the subject matter of how to define risk. Even with the ISO31K definition, a risk manager is left with an impossibly vast mandate to get his/her arms around. This then leaves him/her to find ways of whittling down the list of areas/categories of risk to consider, and invariably forces a way of thinking that follows the easiest or most familiar paths. What one ends up with is a recast of the old sins in new buzz words.
