By Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE, NACD Board Fellow
I recall being asked to perform a cultural risk assessment in late 2004 because certain members of a client company’s board of directors were concerned about communication and information flow. Specifically, they wanted to know if issues were being raised timely and appropriately and not extinguished by mid-level managers. The board and senior management were not particularly concerned about fraud or ethical violations, even though there were events that should have caused concern.
I immediately went to work and designed a bespoke program that focused on the control environment, risk assessment, information and communication, monitoring activities, and existing control activities that could help identify, at a high level, the relative strengths and weaknesses of the company’s risk and control environment across the key attributes of effective risk management.
I hoped that assuming a good response rate, the company would get a general idea of the key areas of strength and challenges or weaknesses in the company’s risk and control culture. I did make it very clear the program was not designed to provide definite conclusions, but rather it could be a directional indicator that would require follow-up.
What I had not realized at the onset was the relationship between corporate culture and fraud risk. The results of the program were astounding. The response rate for approximately 3,000 employees was above 75%. Still, the data was so powerful – and so contradictory to what the board and senior management believed – that the program ultimately died in the very boardroom where it was created.
At first glance, the relationship between an organization’s fraud risk and its corporate culture might seem obvious. Even a casual observer is likely to assume that a high-pressure, results-driven organization – with a culture that tolerates or even encourages people to cut corners or find loopholes and succeed at any cost – is bound to be at greater risk of financial reporting fraud and other risks. A root cause of almost every major scandal or fraud is dysfunction in the organization’s culture, with recent history offering numerous examples.
However, in many cases, the links between an organization’s corporate culture and fraudulent activity are not straightforward or clear-cut. In fact, the role that an organization’s underlying culture plays in contributing to fraud risk is often subtle and difficult to quantify, just as the culture itself can be challenging to define with specificity.
Few management teams, if any, set out to establish a deliberately dysfunctional organizational culture that allows fraud to thrive or encourages unethical behavior. To put it another way, they don’t set out to fail. So the critical question is how directors and executives can develop a culture that reduces the risk of fraudulent activities and encourages ethical behaviors.
The first step toward addressing that question is to develop a general understanding of what corporate culture really is, what factors contribute to it, and the role it plays in effective risk management.
Culture: Hard to Define, Even Harder to Measure
Canadian social scientist Elliott Jaques is credited with introducing the concept of organizational culture in a 1951 study of factory productivity. Among other factors, he explored how workers’ behaviors were shaped by cultural factors, which he defined as “the customary and traditional way of thinking and doing things, which is shared to a greater or lesser degree by all its members, and which new members must learn, and at least partially accept, in order to be accepted into service in the firm.”
Over the years, the definitions of “organizational culture” or “corporate culture” have evolved as numerous writers added their interpretations. Today the definitions vary widely, from simple, popular expressions such as “the way we do things here” to more complex and technical explanations.
The “dictionary definition” of corporate culture (from the http://www.dictionary.com website) is relatively simple: “The philosophy, values, behavior, dress codes, etc., that together constitute the unique style and policies of a company.” Another popular consumer site, http://www.investopedia.com, offers a similar take on the term: “Corporate culture refers to the beliefs and behaviors that determine how a company’s employees and management interact and handle outside business transactions….A company’s culture will be reflected in its dress code, business hours, office setup, employee benefits, turnover, hiring decisions, treatment of clients, client satisfaction, and every other aspect of operations.”
Looking beyond such popular sources, we find that researchers and professional organizations have developed more sophisticated and comprehensive explanations of the concept. For example, in its 2019 Auditing Culture Practice Guide, the Institute of Internal Auditors (IIA) drew on the work of a team of authors who defined culture this way: “Culture represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization.” The definition goes on to note: “Conduct represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.”
One widely recognized researcher in the field, Edgar Henry Schein, professor emeritus at the MIT Sloan School of Management, discussed organizational culture at length in a 2014 online interview. In that interview, Schein defined the term as “the sum total of everything an organization has learned in its history in dealing with the external problems – which would be goals, strategies, means, how we do things – and how it organizes itself internally, which is how we’re going to relate to each other.”
Schein also made a point of adding, “These early learnings become the definition. But it’s always something that’s been learned; it’s not something that can be imposed or is just there.”
All variations, distinctions, and definitions of “corporate culture” or “organizational culture” have one thing in common: the characteristics they describe are largely intangible and broadly dependent on individuals’ perceptions and interpretations of events and corporate priorities. This makes it inherently difficult to measure critical aspects of the culture and even more challenging to quantify the culture’s impact on an organization’s risk profile.
The difficulty of measuring culture’s contribution to fraud risk should not deter organizations from trying. The notion that we cannot manage what we cannot measure is one of the oldest and most widely understood principles of sound business management – it’s an observation that has been attributed to a host of thinkers, from Archimedes to Lord Kelvin to Peter Drucker. Regardless of its source, that concept is applicable in this discussion in that an organization’s ability to manage fraud risk depends, at least in part, on its ability to identify and quantify how its underlying corporate culture may contribute to that risk.
Why It Matters: Corporate Culture and Fraud Risk
Virtually all of today’s widely recognized risk management systems or frameworks recognize the implied link between organizational culture and fraud risk. For example, in its 2013 Framework for Internal Control, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five underlying principles that support the design and implementation of an effective control environment. Many of these are clearly functions of organizational culture.
Specifically, the COSO framework defines an effective control environment as one in which personnel at all levels “demonstrate a commitment to integrity and ethical values.”
It goes on to list other attributes, such as, “the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives,” and “the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”
More recently, some contemporary researchers have begun to clarify – and to some extent quantify – the link between culture and fraud risk. A recent study by The Hong Kong Polytechnic University and The George Washington University used thousands of employee reviews on the popular Glassdoor social media site to analyze the relationship between workplace culture and fraud. Their research led them to conclude that “the work environment, as perceived by employees, appears to play a critical role in financial reporting risk.”
The Glassdoor application allows employees of companies to submit reviews of their employers for other prospective employees to consider. The Hong Kong Polytechnic and GWU researchers reviewed thousands of such comments submitted between 2008 and 2015, looking specifically at three measures of company culture: 1) the employees’ ratings of a company’s culture and values; 2) the ratings of its senior leadership, and 3) the company’s overall rating. These ratings were then compared to records of fraud enforcement actions by the U.S. Securities and Exchange Commission (SEC) and securities-related class action lawsuits.
After controlling for other characteristics that could influence accounting practices and employees’ opinions, the researchers concluded that firms with lower levels of job satisfaction and lower levels of “culture and values” were more likely to be subjects of SEC fraud investigations and lawsuits. One Glassdoor writer reporting on the research summarized the findings in simple terms: “a dysfunctional culture could lay the foundation for an accounting scandal down the road.”
Other researchers have made similar observations. For example, a recent Harvard Business Review article asserted, “The reality is that culture, which is often thought of as a company’s most precious asset, is increasingly a liability for companies that don’t tend to it.”
A 2019 report in Financier Worldwide made a similar observation: “In (today’s) shifting risk landscape, companies are seeking ways to holistically manage corporate risk – and increasingly turning to corporate culture to help them do so. From an investigations risk perspective, companies that get culture ‘right’ encourage ethical behaviors in difficult situations… Companies that get culture ‘wrong,’ by contrast, encourage questionable decisions in critical moments.”
Some examples from recent history demonstrate the accuracy of that assertion. In 2015, consumer electronics and engineering giant Toshiba announced it had overstated operating profits by $1.9 billion over seven years. After the CEO stepped down, a subsequent investigation found there “existed a corporate culture at Toshiba where it was impossible to go against the boss’s will,” which led directly to the earnings inflation.
More recently, in 2020, Wells Fargo, the nation’s fourth-largest bank, agreed to pay $3 billion to resolve investigations into a long-running fake-account scandal, which investigators found was driven by exceptional pressure on loan officers to meet sales quotas.
Shaping the Culture: Start With a Diagnosis
As tricky as defining and measuring corporate culture are, it is even harder to shape and develop it. An October 2020 World Economic Forum paper acknowledged the challenge, noting, “How corporate culture is created and changed remains an elusive, complex question, and its measurement subject to intense debate and some confusion… Much is implicit, unspoken or even unconscious among its members, making it difficult for them to identify when they might be swimming in cool water or when they might be like frogs slowly boiling to death.”
Many would argue an organization’s culture is not something that can be created or built at all. To paraphrase the point made by MIT’s Schein in the interview cited earlier, an organization’s culture is something that is learned, not created.
Although corporate culture cannot be created, it can be influenced and shaped. An obvious first step in this effort is for management to figure out just where things stand in terms of organizational culture. This means assessing the current state of the culture and determining whether that culture positively or negatively contributes to the company’s risk management efforts. It also means moving beyond instinct or anecdotal information to seek out objective evidence and metrics.
The Glassdoor study cited earlier offers an example of how such research can reveal useful insights. For individual companies, confidential surveys conducted by neutral third parties can often provide the management team with highly valuable information, particularly when respondents are assured of their anonymity.
Ideally, such confidential surveys would encompass both current and former employees, providing them an opportunity to speak frankly about their perceptions of the organization’s culture – particularly any disparities between the organization’s stated values and its managers’ actual views and its employees’ behaviors. In some instances, a focus on recent hires or even prospective employees could provide other perspectives regarding how the organization’s culture is perceived.
Beyond the Obvious: Recognizing Subtle Signs
It is important to look beyond the obvious in such research. In addition to blatant examples of management pressure, noncompliance, or lax controls, surveyors should also be alert to subtle signs that certain risky behaviors might be tolerated or overlooked, even if they are not encouraged overtly.
A more sophisticated approach can also reveal potential weaknesses and fraud risks that do not appear to be directly related to governance and compliance issues at all. An example of this type of approach can be found in one widely-used text, Diagnosing and Changing Organizational Culture, which advocates using a questionnaire known as an Organizational Culture Assessment Instrument (OCAI).
The questionnaire asks participants to respond to just six items. There are no right or wrong answers to the questions. Still, the authors contend the employee responses will provide a picture of the fundamental assumptions on which the organization operates and the values that characterize it.
The responses to the OCAI questions are plotted on a highly detailed scorecard that is used to diagnose organizational culture on a matrix framework. The four fundamental culture types that are plotted on this matrix are:
- The Clan Culture – a friendly place, like an extended family, held together by loyalty and tradition, which places a premium on teamwork, participation, and consensus.
- The Hierarchy Culture – a formalized and structured environment, held together by rules and policies, where the focus is on running an efficient, smooth-running operation.
- The Adhocracy Culture – a dynamic, entrepreneurial, and creative place, where people are encouraged to be innovators and risk-takers on their industry’s leading edge.
- The Market Culture – a competitive, hard-driving, results-oriented organization, where the emphasis is on winning, reputation, and successfully achieving objectives.
Note that the cultural types defined on this matrix are not explicitly related to fraud risk or governance. Instead, they depict broader themes affecting an organization’s risk profile in less obvious, more subtle ways.
For example, while the Adhocracy and Market Cultures described by the authors would seem to pose a much higher direct risk of financial statement fraud, the relatively benign-seeming Clan Culture could also pose significant fraud risk, even though the risk may be less apparent. The Clan Culture’s emphasis on teamwork, consensus, and tradition can exert subtle yet powerful pressures on an employee to “go along” with the rest of the team, even at the expense of that employee’s ethical concerns or personal misgivings.
Similarly, the Hierarchy Culture’s emphasis on rules and policies does not necessarily guarantee compliance. Such an organization’s focus on efficiency, coordination, and smooth-running processes could lead managers to conclude that some “cumbersome” controls should be eliminated or ignored.
Developing a Positive Culture: A Balanced Approach
Whether the risks or obvious or subtle, there are many positive steps boards and executive teams can take to shape both the control environment and the organization’s broader overall culture.
One essential early step – a step anyone with experience in risk management will immediately recognize – is to establish the oft-cited “tone at the top.” A more appropriate expression might be “tone from the top,” which recognizes that the right tone must be communicated from the top and resonate down and throughout the organization. According to the IIA’s Practice Guide, management must also have an open dialogue with all levels of the organization, through which it can gather feedback, suggestions, and questions about its programs, ethics hotline, open-door policies, and employee events and meetings.
The 2020 World Economic Forum paper lays out a series of high-level practices designed to consider the importance of social context in shaping behaviors at an individual level. These include employee training initiatives that go beyond the conventional explanations of regulatory compliance and legal consequences and focus more specifically on helping employees understand how their own cognitive biases and blind spots could affect their decision-making and behaviors.
Another important element of the effort is reviewing employee incentives, which often produce conflicting perceptions among employees. As the WEF paper notes, “It is common to find that employees are incentivized both to avoid compliance violations and accompanying sanctions and to respond to high sales targets or bonus schemes that reward achieving results by any means necessary.”
At the organizational level, the WEF study proposes six initiatives designed to provide what the organization describes as “a holistic approach to organizational ethics.” The six initiatives are:
- Build a new vision for boards – Incorporate an integrated approach to governance, a long-term vision for value creation, and a systemic approach with integrated financial reporting.
- Improve organizational oversight – Elevate the status and effectiveness of groups that conduct oversight, manage risk, and set ethical direction and ensure they have adequate resources.
- Review mission, strategy, and purpose – Manage with a longer-term perspective rather than short-term goals, and eliminate contradictions and inconsistencies between stated values and actual priorities.
- Identify and encourage ethical leadership – Integrate employees into the system, with leaders taking personal ownership of risk, communicating the importance of ethical standards, and holding employees accountable.
- Increase organizational diversity and inclusion – Develop a culture of inclusion that enables employees to have difficult conversations, manage values conflicts, and speak up when problems or concerns arise.
- Measure stakeholder trust – Arrange for thorough, third-party due diligence checks, complemented by objective assessments of stakeholder trust and engagement.
This approach is but one example of the dozens of models, methods, and frameworks available to help organizations shape and adapt their corporate cultures. Some focus on high-level objectives and strategies; others are more granular and comprehensive. But virtually all such approaches share some common themes, such as the importance of a senior-level commitment to ethical behaviors and the essential value of audits and other conventional risk management tools.
Above all, any effort to mitigate the fraud risks associated with organizational culture must work proactively to engage employees – ideally through a combination of ethics and compliance training programs along with less overt cultural outreach efforts. Ultimately, as the World Economic Forum paper notes, “creating and sustaining a strong ethical culture is the key to creating an organization that makes behaving ethically as easy as possible.”
I welcome your thoughts and comments.
 Fred Shuneman, “The Origins of Organizational Culture,” Invista Performance Solutions, Aug. 1, 2019, https://www.invistaperforms.org/the-origins-of-organizational-culture/
 “Corporate culture” definition at Dictionary.com, https://www.dictionary.com/browse/corporate-culture
 Evan Tarver, “What Is Corporate Culture?” Investopedia.com, updated July 12, 2020, https://www.investopedia.com/terms/c/corporate-culture.asp
 Elizabeth St-Onge, Ege Gürdeniz, and Elena Belov, “Measuring Conduct and Culture: A How-To Guide for Executives,” Oliver Wyman, 2018, https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2018/april/Conduct_and_Culture_Measurement_Oliver_Wyman.pdf
 Internal Control – Integrated Framework, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, May 2013, https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf, p. 6
 Yuan Ji, Oded Rozenbaum, Kyle Welch, “Corporate Culture and Financial Reporting Risk: Looking Through the Glassdoor,” June 1, 2017, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2945745
 “Corporate Fraud Linked to Poor Glassdoor Reviews,” Glassdoor Economic Research, May 8, 2017, https://www.glassdoor.com/research/corporate-fraud-linked-to-poor-glassdoor-reviews/#
 Sarah Jensen Clayton, “Six Signs Your Corporate Culture Is a Liability,” Harvard Business Review, Dec. 5, 2019, https://hbr.org/2019/12/6-signs-your-corporate-culture-is-a-liability
 Matthew Bruce and Katie Palms, “Risky Business: Fraud, Corruption and Corporate Culture,” Financier Worldwide Magazine, February 2019, https://www.financierworldwide.com/risky-business-fraud-corruption-and-corporate-culture#.YBIHZU-SmUk
 Thomas Franck and Al Lewis, “Wells Fargo to Pay $3 Billion in Settling Criminal and Civil Investigations,” CNBC.com, Feb. 21, 2020, https://www.cnbc.com/2020/02/21/wells-fargo-to-pay-3-billion-in-setting-criminal-and-civil-investigations-into-its-fraudulent-sales-practices.html
 Alison Taylor, “Good Intentions, Bad Outcomes? How Organizations Can Make the Leap from Box-Ticking Compliance to Building a Culture of Integrity,” World Economic Forum, October 2020, http://www3.weforum.org/docs/WEF_GFC_on_Transparency_and_AC_pillar2_good_intentions_bad_outcomes.pdf, p.4
 Kim S. Cameron and Robert E. Quinn, Diagnosing and Changing Organizational Culture Based on the Competing Values Framework, John Wiley & Sons, 2006, p. 23
 Ibid. p. 37
 Practice Guide: Auditing Culture, Institute of Internal Auditors, November 2019, https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Auditing-Culture.aspx, pp. 7-8
 “Good Intentions, Bad Outcomes,” p. 5
 “Good Intentions, Bad Outcomes,” pp. 6-8
 “Good Intentions, Bad Outcomes,” p. 5