I, like many of you, used to think corporate culture did not matter because others convinced me it did not. Discussion of vision, mission and values was for someone living in an ivory tower, I was told by some. They did not have time for that as they lived in the real world and had to get things done. However there is real evidence, not just anecdotal, that a strong culture produces successful organizations.
As a long-serving consultant, I have had the opportunity time and time again to observe how organizations operate, viewing first hand high-performing cultures where extraordinary things get done daily. These are places where people are aligned and unified in purpose through distinctive social contracts. I need only provide The Walt Disney Company as a case in point. Walt Disney sketched out his strategy on a napkin more than 50 years ago and the company is basically still following it. The company understands that the strategy is dependent on 4 interconnected processes that define their culture: employee selection, training, care and communication. The company excels in these 4 processes. Organizations with a weak or damaged culture struggle. And believe me when I say I have seen this effect first hand.
It is not a matter of picking sides. They are both important (and that is why, even though the enablers are numbered in COBIT 5 for simplicity, they are not ranked).
In COBIT 5, you learn about the 7 enablers and that they are all important to enable change in your organization. However, one of the trickier enablers is Culture, Behaviour and Ethics. Peter Drucker once said “Culture eats strategy for breakfast."1 A truism if ever there was one. But culture does not just eat strategy; it eats all the other enablers as well.
It is not a matter of picking sides: culture vs. process. They are both important (and that is why, even though the enablers are numbered in COBIT 5 for simplicity, they are not ranked). What I and that other Peter mean is that you need look at the time organizations spend on each and you will see that the time spent on each is way out of proportion to their relative contribution to your organization’s success. But it is not just the processes; look at the amount of time you spend on infrastructure compared to culture. Culture is the bedrock of your organization. It will not matter how great your processes are when people do not want to use or follow them.
If there is one thing guidance such as COSO’s Internal Control—Integrated Framework and COBIT 5 teaches us, it is that culture counts. Internal control requires a significant culture change and attitude shift by many, thus your organization must fervently inculcate the desired behaviors into all staff. Awareness of the issues is insufficient to get employees to change as they must also have the desire, knowledge and ability to change. For the change to occur and endure, there must also be constant reinforcement of the reason for the change. The management team must work proactively on fostering the correct corporate culture and drive it from the top. Management must set the example; what we call “tone at the top” and “walking the talk.” This means what they say must be consistent with what they do. They do this by establishing a code of ethics and policies, creating effective feedback channels, and regularly communicating and assessing cultural values and behaviors.
A good culture points to how a company behaves. IT governance and management, and their impact on business value, are strongly influenced by organizational and individual culture. Individual culture manifests itself through behaviors, habits and social interactions. Individuals influence organizational culture and other employees, operating systems, and carry-out processes. A major vulnerability in most organizations is human—awareness, leadership and execution. To achieve success, individuals must have awareness—and the necessary desire and knowledge—to effect a controlled environment. In line with its fiduciary and other leadership duties, management must recognize the importance of mitigating IT risk and set the structure and tone to affect organizational culture.
The definition of business culture varies between organizations: it is a differentiator. Many leaders have learned that culture is today’s major performance differentiator. Zappos.com springs to mind as a unique culture. Zappos is a shoe and clothing e-retailer. There are many ways that Zappos stands out. Employees are encouraged to go above and beyond traditional customer service and they do. The organizational model they use is Holacracy.2 At Zappos, culture counts. And it starts with empowering its employees. To reach the desired cultural outcomes, your leaders must maintain a meaningful dialogue with your organization. Culture induces success or failure of your IT and business. Neglect, ignore or disregard your culture at your own peril.
Peter T. Davis, CISA, CISM, CGEIT, COBIT FC/IC/AC, CISSP, CPA, CMA, CMC, ITIL FC, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 20000 FC/LI/LA, ISO 9001 FC, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC
Is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation/Lead Implementer/Lead Auditor, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.
1 The Drucker Institute
2 HolacracyOne LLC, How It Works