IS Audit in Practice: Auditing Culture

Author: Cindy Baxter, CISA, ITIL Foundation
Date Published: 1 September 2022

The best-fit job, the best-fit candidate, the enterprise code of ethics and the enterprise mission are all catchphrases used to categorize culture when we look at careers or hire for open positions. Team player, leadership qualities, high performer and coachable are all ways individuals get characterized once they are “in the door” and onboarded into the organization or a new team. Culture has always been a critical part of an organization, making or breaking its effectiveness. In fact, culture is a critical evaluation point for reputational and client risk. Employees and clients alike gravitate to organizations that align with their perception of success, integrity and reliability.


Culture has been evaluated for decades. Always considered one of organizational behavior’s soft arts, culture is often the most impactful of all enterprise change activities. On the consulting side, culture evaluation has been a favorite engagement, a chance to connect with client executives and develop senior leader relationships, and an opportunity to suggest changes that can solve an enterprise’s performance woes. But how closely are the final recommendations followed? Unlike regulatory requirements with prescribed audit findings and a remediation deadline, culture feels unquantifiable, nontechnical and easy to blame for a myriad of organization ills. Is there a way that the risk management and audit professions can get through the soft, unquantifiable information to produce actionable recommendations? How does one encourage an enterprise to follow the recommendations without a regulatory hammer of a more traditional audit? How does one facilitate progress when the engagement may already have a predetermined conclusion in the minds of those who have requested it be conducted? As context for these questions, fictionalized stories can draw scenarios for consideration regarding a risk assessment and culture audit approach.

Dive In and Destroy David

Jenny Patel had worked at Fabfarma for almost 20 years as a member of the business technical operations (tech-ops) team. She had seen as much change in the business operating model over the years as she had seen in the technology she managed for her business group. The focus on making successful pharmaceuticals was as strong as ever, but there had been major shifts in how products came off the production line. System uptime was crucial, especially for time-sensitive drug combinations that would be thrown out at a cost of tens of thousands of euros if an outage occurred and the production line was down for longer than allowable. Competition was another growing factor impacting Jenny’s department, always pushing technology at the plant to what Jenny felt was the bleeding edge to move clinical trials through the pipeline as quickly as possible before another company submitted and established market leadership. Regulation had always been around, but recent public privacy concerns prompted new mandates on data collection, retention and retrieval that had brought the business tech-ops team to task. Even so, Jenny felt initiatives were moving along well enough. She had always been a hands-on team player and liked being in the middle of important work. When systems or applications went down, she was one of the first managers to jump in and help get things back online with her team. It felt good knowing the crisis was over and the business was up and running.

With work busy but feeling under control, Jenny was caught by surprise when David Dwightfelt replaced the retiring chief information officer (CIO), and she was even more surprised that a new top-level executive would impact her work all the way down in middle management. It started with a terse employee announcement notifying the IT organization about “transformation.” Initially, Jenny felt safe. After all, she was not core IT, rather she worked with the business directly, on the floor, making the technology they received from headquarters work. Then she received notice from her assistant vice president (AVP) that business tech-ops would be reorganized and she, along with her colleagues and employees, would have to reapply for their positions. There might be layoffs, she was told, so she should look carefully at her own position and other potential positions when she bid on a job in the next two weeks.

The business tech-ops teams heard rampant rumors. What caused this decision for massive change? One manager suggested the business had complained that IT was not responsive enough. Another claimed a shareholder meeting had prompted replacement of the retiring CIO with a change maker. Someone else countered that it was the marketplace, that Fabfarma had just lost the top spot for a promising pharmaceutical, and changes to how emerging technologies were handled needed to be accelerated. David Dwightfelt also became a hot topic. Where had he come from? What happened to IT at his former organization? Did “Dive in and Destroy David” (also known as the “Triple D”) even come from a technology background? Jenny could not believe it and did not know what to do next. Should she look for a new job before she found herself unemployed? Or should she stay and try to learn how to make this work for her career? She was not alone. Most business tech-ops teams were in turmoil trying to figure out what the Triple D meant for their jobs. There was a great deal of speculation, but not as much work happening as the new CIO took charge.

Culture Assessment—What Is the End Goal?

What was leadership thinking at the company that employed Jenny Patel? Those on the manufacturing floor were in the dark, left to fill the gap with their own speculation, which caused poor morale and heightened employee dissatisfaction while changes were initiated. Did the company intend to create this dramatic disruption? Is lack of information ever the right way to proceed with an organizational culture shift?

Approach is always key for culture assessments and change. It is important to understand what problem the organization is trying to solve, how quickly leadership seeks to solve the problem, and why the focus is on culture for the specific problem. Understanding the need for change and the appetite for change starts with answers to the following questions:

  • Is there a need for disruption, including technology disruption?
  • What, if any, threat of market competition is prompting this action?
  • Are there significant changes in consumer or client attitudes that cultural changes might address?
  • Is there a shift in the regulatory climate and, if so, what are the time frame requirements?
  • Is the assessment request prompted by changes in board of directors' attitude?

The answers can and should be provided by the organization’s decision makers when they are considering a cultural risk assessment/audit engagement. Issues with any of these factors may signal the need for action. However, changing an organization’s culture does not happen quickly unless something dramatic alters attitudes and immediately compels new behaviors. Organization change makers must have a clear vision of what must change, and change makers must be committed to execute changes that may not be popular and can often result in short-term consequences before long-term benefits are realized. Not only must the decision makers be committed to making a cultural change for specific, agreed-upon reasons, but the decision makers also must determine how to make the changes and who should lead the transformation.

Assessing How to Change—Weathering Regulation While Capturing Market Share

Theo Andropolous had led his network sales teams through the fringes of the international sales scene, working with US-based multinational clients for 15 years. Politics and resulting regulations, complicated by in-country technology infrastructure considerations, always made the work challenging, but Theo lived for the challenge. Every year, Theo made new attempts to gain a foothold outside of the United States, but to date, none had really made a big impact. Business conditions were changing, however, with the economy seemingly going to a borderless model. Theo’s company, ConnectMe Global, decided on a bold move, a joint venture with a European upstart and an overlay technical product team to create a uniform culture that would result in ubiquitous name recognition for ConnectMe Global. The decision had been made quickly in corporate terms, basically over the past 10 months, but it was not done lightly. Early on, a consulting group known for its expertise in global culture assessment was engaged. The consultants were not only experts on ideation, but also had a track record of successful results. The decision makers at ConnectMe Global started with a risk assessment and determined the competitive risk regarding the existing base was not dire, yet there was a huge opportunity to expand the base.

Capital cost management was a big consideration, but virtual sessions with the consultant led to a survey that would be sent to hand-picked managers who would be involved in the potential joint venture initiative. The selected managers were encouraged to extend the survey to their employees. The survey outlined a potential reorganization and joint venture partnership, followed by a potential dismantling of the organization once the initiative was determined to be complete. Both company decision makers and the consultant team had carefully worked through and documented what “complete” would signify in terms of metrics and end-state market share status, and passed the summary information along to survey recipients. The survey goal was clear to both the decision-making team and those who received the survey: Would the proposed reorganization and partnership work in the real world? And would the chosen team take on the challenge of an initiative that was projected to last only two years?

Theo was excited when the survey request came across his desk. The questions and objectives were clear, and he liked the fact that his input would help determine the formal course of action. He also liked the open tone of the survey. The proposed initiative outlined the scope and identified two initiative options, allowing survey input to modify the plans or to suggest another path. The proposed initiative also clearly outlined the teams involved and encouraged conversation as individuals thought through their survey responses.


Time lines were established for the initial milestones, including survey readout and decision dates. Estimates for other milestones were included as proposed time frames. Theo was pleased to be surveyed and was ready to get involved despite the challenges outlined in this bold undertaking.

Culture Assessment—Which Approach to Take?

The two stories outline very different scenarios where organizations saw implementing a cultural shift as the best way to meet their objectives. It is important to look at why such different paths were chosen:

  • Understanding the risk—As a company insider or even board member, it is difficult to look at the benefits of cultural shift or culture solutions objectively. In the case of the company that employed Jenny Patel, executives faced outdated plant technology and what they and the board perceived to be an antiquated attitude toward managing technology. They hired a risk assessment team to confirm or correct their view and bought into the assessment report that the existing IT culture needed a complete overhaul. Facilitated discussions led by the consulting team tested the executive team’s appetite for managing through a disruptive overhaul that might take as long as 18 months.

This crucial risk determination looked different for the company that employed Theo, where risk appeared low after the assessment team’s review. Instead, ConnectMe Global’s assessment pointed to upside opportunity that the company could financially support with a team of known change leaders within the organization. An inclusive and open survey constructed by the consultants to those who would be involved confirmed management’s sentiment, to move forward. In both cases, determination of the risk was facilitated through the objective outside participation of an independent consultant group.


These two examples provide clues as to how to initiate change, including:

  • Choosing the best approach—Risk evaluation continues through to the project approach phase. Will current employees adopt the culture shift? Will new employees assimilate well and quickly enough to push the shift forward? Objective reviews of the risk areas and, when possible, objective surveys to confirm the course of action are key. Jenny’s company had done its due diligence by engaging a reputable outside party for the culture assessment, and though there was no formal survey, employee feedback was obtained through a more aggressive approach of requiring job bidding by everyone. It was a different but telling way to collect employee responses to new positions and gauge employee willingness to reapply for one’s own job. Theo’s company, with a more inclusive approach, was driven by the assessment conclusion that the present team could be the company’s change agent for the initiative under consideration.
  • The deployment team holds the keys—Initiatives executed through culture change benefit from a responsible, accountable, consulted and informed (RACI) framework to stay on track with the roles the organization envisions as necessary for the new dynamics. RACI fosters accountability, inclusion and follow-through. Dramatic culture change may require a change agent similar to the Triple D―an executive hired for the change duration, who executes the plans and leaves the executive team when the initiative has concluded. Grassroots internal leadership like that of ConnectMe Global’s team may be appropriate when insider brand familiarity and unique insider project skills are key attributes for the initiative’s success.
  • Awareness and communication are musts—Even drastic cultural change requires awareness to avoid attrition of team members the company wants to keep. Drastic cultural change requires instructional communications, whereas inclusive cultural shifts benefit from informational and interactive forums that leverage collective input to achieve the intended outcome.
  • Clear documentation keeps the mission on track—In all engagements, clear documentation supported by procedures and confirmed executive commitment keeps the initiative on track while mitigating rumors. Decisions must be clear, and expectations for the areas and personnel impacted must be identified in straightforward policy and procedural material.
  • Culture shift or culture-initiated projects need metrics—Unlike system and application controls, culture initiatives do not fall into pass or fail categories. Metrics must be created that will provide objective feedback that can be translated to progressive action instead of a single endpoint. Internal and external surveys, productivity metrics and attrition tracking with feedback are all examples of metrics that can offer data on how to improve or get closer to the final goal.
  • When and how to monitor—Culture-led initiatives, like any initiative or project, require trigger points for review and decision assessment. Milestones and timelines offer good touchpoints for reassessment and tweaks to the plan if determined necessary. As noted with Theo and ConnectMe Global, time frames for some milestones may not be assessable until after the initiative is underway, yet estimates still are important. They provide good control points for the monitoring team to assess and ensure that milestones are relevant, that controls are reworked as needed, and that they are realistic for accountable and responsible team and executive members to achieve.

Conclusion

Culture can be one of the most interesting and impactful areas to assess and audit. It drives an organization’s character and allows an organization to stay in step with clients, shareholders and employees. Even though culture shift is hard to measure, assigning goals and developing metrics to track success is possible. Developing the best approach for the initiative as a collaborative effort with enterprise decision makers ensures a commitment to implement changes in a responsible fashion. Tracking milestones that adapt to what the organization is experiencing along the implementation path allows recognition of successes along the way. Keeping an eye on the end goal must be top of mind. Reports should be communicated to the decision makers frequently, and proper communications throughout the impacted areas of the organization should be encouraged to ensure the shift takes place with the desired outcome.

CINDY BAXTER | CISA, ITIL FOUNDATION

is director at What’s the Risk, LLC. Her practice focuses on integrated risk control and process assessments for cybersecurity, privacy and business continuity/disaster recovery. She views risk management and control assessment as a chance to learn the nuts and bolts of a client’s business and help them worry less, because gaps have been uncovered and a stronger operating model can be built. Baxter draws upon her experience in banking, insurance, healthcare and technology after holding compliance and management roles at State Street Corporation, American International Group (AIG), Johnson & Johnson and AT&T. When she is not doing risk and audit work, she enjoys volunteering on climate and environmental issues that impact her community.