First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

How do you manage culture?

cultureThere’s a new ‘Good Practice Guide’ from Australia. The Ethics Centre, Governance Institute of Australia, Chartered Accountants Australia New Zealand, and IIA – Australia recently released Managing Culture – A Good Practice Guide.

This is a topic I have been writing about for several years. In addition to covering it in World-Class Risk Management, I have posted about a dozen times on the topic in the last 5 years, here and at

In my posts, I make the point that there are many aspects or dimensions to culture, just as there are many dimensions to the behavior you want it to drive.

They may include:

  • Acting with integrity
  • Working as a team towards shared goals
  • Putting the enterprise ahead of personal interests
  • Complying with corporate policies
  • Sharing and communicating
  • Listening and empowering
  • Treating all others with respect
  • Respect for authority
  • Tolerance for dissent
  • Considering risk (what might happen) in every decision
  • Being willing to try new ideas and think out of the box
  • Putting the customer first
  • A commitment to the community and the environment
  • Focusing on quality
  • Putting employee and others’ safety first
  • Coming forward to report suspected violations of corporate policies
  • Having a strong work ethic
  • A desire for the health, welfare, and growth of the employees and their families

I suspect that most organizations would embrace these values.

They will want the culture to encourage related behavior

The Good Practice Guide talks about many but not all of these dimensions.

In a 2014 blog post, Culture is a Business Issue, I suggested questions that might help an organization assess its culture and whether it is what they want it to be.

  1. Have the executive team and the board defined the culture they want?
  2. Has it been clearly communicated to employees?
  3. What measures are in place to measure whether the desired culture is achieved, and what actions are taken when it is not?
  4. What is the effect on the organization if behaviors are not aligned with the desired corporate culture? Which strategies and objectives are likely to be affected and how? Is this significant? Does it merit action?
  5. Does the management team reinforce the message about desired behavior when they meet employees and others? Are they credible?
  6. Does the management team walk the talk, setting the example they want others to follow?
  7. Do managers (and risk and audit professionals) pay attention to signs that the desired culture is not in place?
  8. Are indicators of deteriorating culture noticed and action taken (for example, employees failing to attend or arriving late at meetings; a high level of stressed managers and staff; loss of key employees and failures to hire talent when needed; a scarcity of smiles and laughter in the office; and so on)?
  9. When actions such as reorganizations and compensation decisions made, is the potential impact on culture considered?
  10. Are compensation and related programs based, at least in part, on whether employees’ behavior is consistent with the desired culture?

Today, I am suggesting a simple methodology.

  • Select one or more dimensions of culture and desired behavior – but not all of them. That would not be practical.
  • For each, what is the desired state? (That becomes the ‘objective’.)
  • What can happen that would lead individuals or groups to diverge from the desired behavior?
  • What are we doing to enable the culture we desire?
  • What controls are in place that would either prevent inappropriate behavior or detect it so that appropriate and timely action can be taken?
  • Do they provide reasonable assurance that the culture is as it should be and that individuals and groups will behave as desired?

What do you think?

I welcome your comments and suggestions.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , , ,

Comments are currently closed.