If poor employee behaviour is the most frequent root cause of misconduct, what can audit do to remediate the problem?
The importance of corporate culture is widely recognised as one of the crucial foundations for sustainable corporate success. Equally important is that the corporate culture is consistently understood by all staff and reinforced by appropriate employee behaviours, which makes culture and behaviour equally important elements of effective risk management. This includes being able to recognise the opportunity associated with risk-informed decisions (the upside of risk) as well as having processes to mitigate the potential downside of risks.
Well-crafted corporate policies are necessary of course, but ensuring that employees understand and can work in the spirit of those policies is vital for maintaining a healthy organisation. For example, they need to know the benefits of acceptable risk as well as how to recognise potential ethical dilemmas. More importantly, employees need to be able to speak up to help resolve those risks. These are critical components within today's highly regulated business world, where international businesses are intensively scrutinised by the often critical eye of 24x7 media.
CEB research shows that:
• A strong "tone at the top" does not percolate down to become a strong "tone at the middle" - even though it is vital that the more numerous middle managers really understand corporate values and deploy them personally with their teams;
• More than 60% of employees report knowingly ignoring company policies;
• Only 6% of breaches of company policies are reported to the corporate Speak Up or the whistleblowing team;
• 15% of employees report observing misconduct but 40% of them wouldn't report a violation of company policy because they fear personal retaliation or they believe that the company will not take effective action.
Increasingly, audit, risk and other assurance teams are deploying root cause analysis to truly understand the reason(s) for incidents, events, failures and near misses. While unclear policies or poor training of staff may play a role, we see that in many cases one of the key components is employee behaviour. In other words, trained employees make the conscious decision to ignore policy, choose to do the wrong thing, or do nothing at all.
Chief auditors are now searching for techniques to better understand how they can evolve their working practices to be able to evaluate the corporate culture and employee behaviour. In some sectors, such as financial services, the increased focus is partly driven by regulators, but nonetheless, it has become a major focus for auditors across the board.
Three promising approaches for better evaluating corporate culture and employee behaviour to keep in mind include:
1. Leveraging company-wide employee survey techniques. For example, by building in specific questions to extend an existing employee engagement survey or alternatively deploying a customised and targeted culture survey. Surveys can efficiently give insight into corporate culture and employee behaviours (including what action they take when faced by misconduct) across the whole company and be used to identify areas of relative strength or areas of concern;
2. Auditing the effective use of personnel policies. For example, how are external candidates evaluated, before being hired, to confirm that they understand and can work within your company's ethical requirements? How are employees measured and rewarded for exemplary performance exhibiting corporate values and ethical standards including, for example, being eligible for promotion, bonus or other recognition? How is poor ethical performance identified and dealt with?
3. Identifying proxy measures that give an easy-to-find and reliable indication of risk culture. For example, the proportion of critical issues reported by audit that management sustainably resolve on the agreed timetable may be one useful indicator. Others could include the number (and severity and trend) of accidents or insurance or legal issues within a country / location.
The importance of this challenge, to better understand effective techniques that audit teams can use, is currently driving research by CEB. So, watch out for an update on this later in the year. Until then, if you would like to contribute to the debate, please comment below!
Ian Beale is a senior director in CEB's Legal, Risk, and Compliance practice in London. CEB, the leading member-based advisory company, equips more than 10,000 organizations around the world with best-practice insights and solutions to transform enterprise performance.