E&C assessments - Part 3 - Integrity Culture
Rupert Evill
Reducing Integrity & Sustainability Risks for Investors, Mid-Caps & SMEs | Risk Assessments, Implementation, Training, Incident Response | Author "Bootstrapping Ethics" | Advisor @Association of Corporate Investigators
You can’t manage risk (effectively) without assessing culture. If you try, you’ll waste a lot of time and money. Why? Because control failures account for risk issues in around 30% of instances (according to data from the ACFE). What’s happening in the majority of cases? Humans are being human. We make mistakes, fail to understand instructions or get scared. And, yes, sometimes we intentionally break things.
You can unpack those risk drivers in many ways, but for simplicity, let’s focus on accessibility, accountability, knowledge, and trust.
Accessibility
Can people access the resources and support they need when they need it? I remember a particularly unrewarding project I worked on years ago. A healthcare organisation wanted an update of their crisis management and business continuity framework, including dawn raid protocols. The last iteration was a set of monster files that would put your back out if you tried to lift them. The client wanted a similarly-girthed sequel. No counter-reasoning seemed to work.
I don’t know how anyone uses manuals and documents like that. “In case of emergency, break cabinet, blow off years of dust, thumb through hundreds of pages trying to find out what to do if, let’s say, a pandemic looms.”
Most risk issues - especially integrity ones - have a pressure component (often time-sensitive). Your folks need to be able to access succinct, relevant, and clear guidance, quickly. Not all should live in policies. Ideally, most should not. That requires colleagues (managers, integrity champions, compliance officers, etc.) who are readily accessible and supportive of those raising questions.
Accessibility starts with training and communication and ends with a speak-up framework that works. In this assessment, we dip into that at a high level. Would the answers help you?
Accountability
Does your organisation really incentivise people to behave ethically? I’m sure the answer will usually be yes. That response can change when we listen to the folks on the frontlines juggling J-curve targets as the economy heads for the precipice.
Do leaders walk the talk? Do people feel the disciplinary framework is fair (and consistent)?
These questions are often asked, but how you ask them matters. If we’re asking people to make judgments about people they don’t see (common in many organisations where C-suite are unseen-suite), it might not work as a Y/N. Opt for sliding scales and nuance-capturing tools.
Knowledge
Do we know what to do? How to do it? Are we adequately trained (including those vital risk-response reflexes for when bad things happen, as they do)? Do people understand risk; if you’re not involving them in the other steps of risk assessment (see the earlier posts here and here), you’re missing out on gold.
领英推荐
The questions in this post may seem affronting or antagonistic, but that’s not the intention. We all make the mistake of assuming knowledge. How often have you (or someone else) said, “But, surely, they should know that.” I spent years assuming people understood the risk gibberish I spoke. Then my daughter took a sledgehammer to that glass house I’d been throwing stones from. It can help us take a step back and test our fundamental assumptions about what people (don’t) know about risk, appropriate responses, what (not) to do, and more.
Trust
If we don’t feel trusted, it’s hard to engage. And that includes risk and compliance. Do people feel trusted by managers and peers? Are integrity issues discussed (regularly)? Do they trust their managers and peers to do the right thing? Do they feel safe: speaking up, admitting mistakes, saying “I don’t know”?
With some focused questions aimed at understanding the user experience for employees consuming the organisation’s values, culture, and compliance content, we can get a LOT of value.
How we answer
Finally, it’s not just about what we answer, but how. If it takes people, on average, 15 seconds to answer a simple Y/N question like “Leaders (and managers) are held accountable for their actions”, that’s interesting. Similarly, if people drop out of the questionnaire when asked, “I feel safe making mistakes”, we may need to dig deeper.
Assessments, surveys, focus groups, and alike can be very powerful if we do something with the results! I am not suggesting assessment like these will fully diagnose risks and culture challenges. But a slightly deeper version can get you 80% of the way there in 20% of the time.
Risk is always about prioritisation and insight. How do you get yours on integrity culture?
Now, to save time and money
Of all the work I do, the results from external analysis and these internal culture assessments are the most powerful. They cut to the chase. Armed with the findings, we can start to build content, communications, and frameworks that meet people where they truly are.
Only then can we start to shift the needle and change integrity cultures. As easy as ABC…
Healthcare Compliance & Privacy | In Constant Pursuit of Knowledge and Improvement | Better than Yesterday
2 年That is an interesting idea of changing the mindset from blocker to enabler. I often think about, and attempt, ways I can make myself more approachable to staff. Yet, I feel like there is much left unspoken. Not only about potential issues and concerns but questions in general that could help shape and mold our policies and procedures. Any suggestions for creating greater dialogue from staff?
Strategic Intelligence & Public Affairs | Advisor & Entrepreneur
2 年Great take Rupert - no one-size-fits-all in risk management and the first step before designing the "suit" should be to measure the "shape" of the client!