Governance, fraud and corporate culture: sorting through a complicated relationship

Governance, fraud and corporate culture are as vast a topic, and as such, there is far too much information to cover in one article. This article is part one of three to go over the complex relationship between work environment and fraud risks. Read part two, “Why it matters: corporate culture and fraud risk”, to learn more.

At first glance, the relationship between an organization’s fraud risk and its corporate culture might seem obvious. Even a casual observer is likely to assume that a high-pressure, results-driven organization – with a culture that tolerates or even encourages people to cut corners or find loopholes and succeed at any cost – is bound to be at greater risk of financial reporting fraud and other risks. A root cause of almost every major scandal or fraud is dysfunction in the organization’s culture, with recent history offering numerous examples.

However, in many cases, the links between an organization’s corporate culture and fraudulent activity are not straightforward or clear-cut. In fact, the role that an organization’s underlying culture plays in contributing to fraud risk is often subtle and difficult to quantify, just as the culture itself can be challenging to define with specificity.

Few management teams, if any, set out to establish a deliberately dysfunctional organizational culture that allows fraud to thrive or encourages unethical behavior. To put it another way, they do not set out to fail. So, the critical question is how directors and executives can develop a culture that reduces the risk of fraudulent activities and encourages ethical behaviors.

The first step toward addressing that question is to develop a general understanding of what corporate culture really is, what factors contribute to it and the role it plays in effective risk management.

Organizational culture: hard to define, even harder to measure

Canadian social scientist Elliott Jaques is credited with introducing the concept of organizational culture in a 1951 study of factory productivity. Among other factors, he explored how workers’ behaviors were shaped by cultural factors, which he defined as “the customary and traditional way of thinking and doing things, which is shared to a greater or lesser degree by all its members, and which new members must learn, and at least partially accept, in order to be accepted into service in the firm.”

Over the years, the definitions of “organizational culture” or “corporate culture” have evolved as numerous writers added their interpretations. Today the definitions vary widely, from simple, popular expressions such as “the way we do things here” to more complex and technical explanations.

The “dictionary definition” of corporate culture is relatively simple: “The philosophy, values, behavior, dress codes, etc., that together constitute the unique style and policies of a company.” Another popular consumer site, investopedia.com, offers a similar take on the term: “Corporate culture refers to the beliefs and behaviors that determine how a company’s employees and management interact and handle outside business transactions….[A] company’s culture will be reflected in its dress code, business hours, office setup, employee benefits, turnover, hiring decisions, treatment of clients, client satisfaction, and every other aspect of operations.”

Looking beyond such popular sources, we find that researchers and professional organizations have developed more sophisticated and comprehensive explanations of the concept. For example, in its 2019 Auditing Culture Practice Guide, the Institute of Internal Auditors (IIA) drew on the work of a team of authors who defined culture this way: “Culture represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization.” The definition goes on to note: “Conduct represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.”

One widely recognized researcher in the field, Edgar Henry Schein, professor emeritus at the MIT Sloan School of Management, discussed organizational culture at length in a 2014 online interview. In that interview, Schein defined the term as “the sum total of everything an organization has learned in its history in dealing with the external problems – which would be goals, strategies, means, how we do things – and how it organizes itself internally, which is how we’re going to relate to each other.”

Schein also made a point of adding, “these early learnings become the definition. But it’s always something that’s been learned; it’s not something that can be imposed or is just there.”

All variations, distinctions and definitions of “corporate culture” or “organizational culture” have one thing in common: the characteristics they describe are largely intangible and broadly dependent on individuals’ perceptions and interpretations of events and corporate priorities. This makes it inherently difficult to measure critical aspects of the culture and even more challenging to quantify the culture’s impact on an organization’s risk profile.

The difficulty of measuring culture’s contribution to fraud risk should not deter organizations from trying. The notion that we cannot manage what we cannot measure is one of the oldest and most widely understood principles of sound business management – it’s an observation that has been attributed to a host of thinkers, from Archimedes to Lord Kelvin to Peter Drucker. Regardless of its source, that concept is applicable in this discussion in that an organization’s ability to manage fraud risk depends, at least in part, on its ability to identify and quantify how its underlying corporate culture may contribute to that risk.

Continue reading our governance, fraud and corporate culture series in the next article “Why it matters: corporate culture and fraud risk”.