Inside Internal Controls

News and discussion on implementing risk management

The board and enterprise culture

This article looks at the Board’s involvement in managing enterprise culture.

Deloitte has shared an interesting and useful piece, Corporate Culture and the Board.

It includes a definition of culture that I have seen before and that makes sense:

In the corporate context, culture is a system of values, beliefs and behaviors that shape how things get done within the organization.

They make an important point when they say:

Culture matters, because a strong, positive corporate culture provides a framework not only for risk mitigation, but also for both short- and long-term value creation. It aligns values, goals, behaviors, and systems throughout the organization in ways that can have favorable impacts, both internally (for example, through positive employee engagement or by facilitating optimal performance or a strong safety record) and externally (through positive branding, reputation and competitive advantage).

On the other hand, a damaged or broken culture can create dysfunction throughout the organization and create risk to critical assets, including brand reputation, intellectual property, and talent. As recent developments demonstrate, these and other negative impacts can destroy value and, ultimately, the organization itself. An important takeaway from the above is that a strong, positive culture is an important asset of any organization that should be supported and protected. It is not merely a “soft” issue of interest to investors and the media; rather, it can be critical to the company’s growth and performance.

Deloitte suggests 10 questions for the board to consider. I have a different set. These are questions the board should ask of management—putting the emphasis on management’s responsibility to run the organization, while the board provides oversight and obtains assurance that management is doing a good job.

  1. How have you defined the culture you want the organization to have?
  2. Does it include all forms of desired (and less desired) behavior?
  3. How have you communicated this to everybody involved in the organization’s success?
  4. How have you ensured everybody understands?
  5. Are there repercussions for unacceptable behavior, even if there is no breach of law?
  6. How do you know whether behaviors across the organization reflect the desired culture?
  7. What is the level of noncompliance, how do you know, and is it acceptable? If not, what are you doing about it?
  8. How often is culture discussed, measured, and who is involved?
  9. Do our employees agree our stated culture is appropriate and is in place? How do you know?
  10. How can you keep us assured of an appropriate culture, especially as the environment changes, including the onboarding of new management and staff, completion of acquisitions, and so on?

Please see this earlier post, How do you manage culture?

What do you think?

I welcome your comments.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.