There is a close-knit relationship between governance, fraud and corporate culture that at times is obvious and at other times is not as straightforward or clear-cut. Understanding this dynamic interaction begins first with defining corporate culture, as discussed in part one of this series. In part two, we discussed the complex relationship between work environment and fraud risk, and how corporate culture can be quantified. In the last installment of this series, learn about using tools to diagnose culture types and six initiatives to build a positive, ethical culture.
It is important to look beyond the obvious in such research. In addition to blatant examples of management pressure, noncompliance, or lax controls, surveyors should also be alert to subtle signs that certain risky behaviors might be tolerated or overlooked, even if they are not encouraged overtly.
A more sophisticated approach can also reveal potential weaknesses and fraud risks that do not appear to be directly related to governance and compliance issues at all. An example of this type of approach can be found in one widely used text, Diagnosing and Changing Organizational Culture, which advocates using a questionnaire known as an Organizational Culture Assessment Instrument (OCAI).
The questionnaire asks participants to respond to just six items. There are no right or wrong answers to the questions. Still, the authors contend the employee responses will provide a picture of the fundamental assumptions on which the organization operates and the values that characterize it.
The responses to the OCAI questions are plotted on a highly detailed scorecard that is used to diagnose organizational culture on a matrix framework. The four fundamental culture types that are plotted on this matrix are:
Note that the cultural types defined on this matrix are not explicitly related to fraud risk or governance. Instead, they depict broader themes affecting an organization’s risk profile in less obvious, more subtle ways.
For example, while the Adhocracy and Market Cultures described by the authors would seem to pose a much higher direct risk of financial statement fraud, the relatively benign-seeming Clan Culture could also pose significant fraud risk, even though the risk may be less apparent. The Clan Culture’s emphasis on teamwork, consensus and tradition can exert subtle yet powerful pressures on an employee to “go along” with the rest of the team, even at the expense of that employee’s ethical concerns or personal misgivings.
Similarly, the Hierarchy Culture’s emphasis on rules and policies does not necessarily guarantee compliance. Such an organization’s focus on efficiency, coordination and smooth-running processes could lead managers to conclude that some “cumbersome” controls should be eliminated or ignored.
Whether the risks are obvious or subtle, there are many positive steps boards and executive teams can take to shape both the control environment and the organization’s broader overall culture.
One essential early step – a step anyone with experience in risk management will immediately recognize – is to establish the oft-cited “tone at the top.” A more appropriate expression might be “tone from the top,” which recognizes that the right tone must be communicated from the top and resonate down and throughout the organization. According to the IIA’s Practice Guide, management must also have an open dialogue with all levels of the organization, through which it can gather feedback, suggestions and questions about its programs, ethics hotline, open-door policies and employee events and meetings.
The 2020 World Economic Forum (WEF) paper lays out a series of high-level practices designed to consider the importance of social context in shaping behaviors at an individual level. These include employee training initiatives that go beyond the conventional explanations of regulatory compliance and legal consequences and focus more specifically on helping employees understand how their own cognitive biases and blind spots could affect their decision-making and behaviors.
Another important element of the effort is reviewing employee incentives, which often produce conflicting perceptions among employees. As the WEF paper notes, “It is common to find that employees are incentivized both to avoid compliance violations and accompanying sanctions and to respond to high sales targets or bonus schemes that reward achieving results by any means necessary.”
At the organizational level, the WEF study proposes six initiatives designed to provide what the organization describes as “a holistic approach to organizational ethics.” The six initiatives are:
This approach is but one example of the dozens of models, methods and frameworks available to help organizations shape and adapt their corporate cultures. Some focus on high-level objectives and strategies; others are more granular and comprehensive. But virtually all such approaches share some common themes, such as the importance of a senior-level commitment to ethical behaviors and the essential value of audits and other conventional risk management tools.
Above all, any effort to mitigate the fraud risks associated with organizational culture must work proactively to engage employees – ideally through a combination of ethics and compliance training programs along with less overt cultural outreach efforts. Ultimately, as the World Economic Forum paper notes, “creating and sustaining a strong ethical culture is the key to creating an organization that makes behaving ethically as easy as possible.”