ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > How Company Culture Helps Shape the Risk Landscape

How Company Culture Helps Shape the Risk Landscape

Paul Phillips, CISA, CISM, MBA, Technical Research Manager, ISACA
| Posted at 3:00 PM by ISACA News | Category: Risk Management | Permalink | Email this Post | Comments (0)

Paul PhillipsIn today’s environment, companies all over the globe are experiencing culture risk. Yes, culture indeed has an impact on risk and every company has a unique culture. The key is to understand it, manage it, and leverage it when possible to obtain competitive advantage. Every company is faced with both positive and negative risk – that is, threats and vulnerabilities that could adversely impact the organization, its reputation and stock value, as well as opportunities that could have a positive impact. While there are many factors that impact the risks that a company faces, many times business leaders overlook and underestimate the impact of company culture.

So, what makes up company culture? Company culture is the character of a company. It sets the tone of the environment in which employees work daily. Company culture includes a variety of elements, including company strategy, mission, vison, value, policies and behaviors. Recently, many major organizations like Google and Microsoft are revamping policies and procedures to address issues such as sexual harassment, racism, and discrimination because of the negative impact these cultural behaviors have had on the overall success of the company. Policies and procedures are tools that can be used to hold individuals accountable for their behavior. The key is ensuring that everyone adheres to the rules. It is also important to visibly reward good behavior and punish bad behavior on a consistent basis.

Once policies and procedures are put in place, it is important to gauge their effectiveness. Are the policies being followed and do they need to be modified in any way? Organizations that are truly committed to the idea will institute monitoring mechanisms to ascertain this information. Oversight and reporting tools that are properly implemented will allow employees at all levels to feel free to report breaches without fear of retribution. The actions of the oversight function to move quickly and consistently on reports will encourage a culture of accountability. The lack of such functions leaves an enterprise at risk of high-turnover, unmotivated employees, and even potential lawsuits. Tools and procedures such as anonymous hotlines, required compliance training, and explicitly stated company values could be viewed as ways to mitigate such risk.

Simply instituting tools, policies, and procedures could be largely ineffective if the organization’s leadership doesn’t first take a long hard look at the current state of affairs. What is the employee demographic (age, gender, educational status, etc.)? Understanding backgrounds and human behavior can be key to having a clear picture of the culture within an enterprise. For instance, studies have shown that millennials view and respond to the world, including the workplace, in a very different way than older professionals. Understanding people helps an organization refine its culture, including the inherent risks associated with it.

There are many factors that typically impact the culture of an organization, including industry regulations, the competitive environment and economic climate. These factors have direct and indirect influence on how people make decisions on a daily basis. Leadership should set clear expectations about what is acceptable behavior in light of these factors. Influencing culture is not easy and can be time-consuming and costly. However, the cost of doing nothing can be even greater.


There are no comments yet for this post.
You must be logged in and a member to post a comment to this blog.