Why Bad Things Happen to Good Companies: A Risk Culture Study

There’s a famous expression: “Culture is what people do when no one is looking.” Increasingly, studies suggest that what happens when no one is looking should be cause for concern. In one Russell Reynolds Associates study, 30% of financial services employees admitted that they had either breached their firm’s code of conduct, or witnessed the breach of others. Meanwhile, a number of respected brands across the automotive, retail, and technology industries have recently navigated value-destroying reputational crises, resulting in litigation and investigations. It may take years for them to recover.

These breaches are always a shock. No leader ever wants to believe that integrity, ethics, and compliance with applicable laws and regulations are anything less than foundational. All organizational cultures, of course, are a complex blend of motives and behaviors, but most leaders prefer to focus on the sunnier, more stable elements: shared values, good management practices, and consistent adherence to the articulated vision of the leadership team. What, then, should leaders do when faced with evidence – like a breach of ethics – that suggests there is more to the story?

How can leaders know what their people are truly thinking?

In the risk and controls space, it’s a question that begets more questions, including: how can leaders strike a balance between encouraging growth and maintaining the appropriate level of risk controls? How can leaders help businesses grow while maintaining company culture, both in the short and long-term? Is it possible that an organization’s culture – the patterns of behaviors across the company – can expose it to risk or prevent it from achieving its objectives? How can leaders address problems if they don’t know they exist until it’s too late? In sum, why do bad things happen to good companies?

Russell Reynolds set out to answer these questions. We interviewed over 20 chief risk, compliance, legal, and human resources officers across industries who navigated their companies through extremely challenging times. Additionally, we have executed approximately 500 searches globally across the legal, risk, regulatory, and compliance spaces over the past three years. These leaders and our market insights confirmed: understanding what people truly think, experience, and decide to do on a daily basis is critical…and elusive.

For governance and controls leaders focused on identifying culture pain points before crises hit, this paper offers the following takeaways:

• Overreliance on controls and processes won’t identify risk—what’s crucial is behavior.
• Defining your organization’s culture depends on who and how you ask.
• Ignorance is not bliss—it’s risk.
• Developing and adapting culture is everyone’s job.

First, what is culture?

At Russell Reynolds, we define culture as the shared set of assumptions held by people within an organization about who we choose to hire, how we behave, how we lead, what we reward and what we punish. It includes the tone set by leadership at the top of the organization – not just what leaders say, but what they do. It also includes the echo from the bottom – the beliefs and actions that are held and demonstrated broadly across the enterprise. Culture is the difference between an organizational chart that makes sense on paper, and the way that work really gets done. It’s also what happens when people think that no one is watching.

CEOs, chief people officers and board leaders often want to know if they have a “good culture.” It is critical to ask this question, but impossible to get a simple answer. Cultures are complex systems. Most leaders use organization-wide surveys to channel many voices into clear themes, in hopes that these themes will point towards useful action. At a minimum, these surveys are a signal to employees that their opinions matter and that they have a channel through which their perspective can be heard.

Too often, however, these survey results fail to illuminate what’s really going on in an organization. Many leaders find the results of standard measurement tools to be either –

(a) too broad to be actionable,

(b) more positive and encouraging than other signs would suggest, or

(c) both.

Broad culture measurements are not able to surface the more nuanced, subtle, and systemic culture risks that can occur in pockets of an organization.

Most organizations aren’t effectively measuring or monitoring culture, so they don’t know what they don’t know.”

Controls and processes won’t identify most risk—what’s crucial is behavior

When discussing culture, leaders often seem to forget that companies are made up of individuals. And individuals never behave in just one way. Reliable people make mistakes, honest leaders become compromised, and even the hardest workers can burn out. Mitigating culture risk isn’t about plucking out one ‘bad apple’—those people are easily identifiable and, as such, easier to remove—instead, it’s about the employees who don’t intend to create risk but are exhausted, disengaged, afraid to speak up, or ignored when they do. In fact, we heard from several leaders that one of their biggest concerns was getting their boss to pay attention to risk—particularly around talent behavior and retention—earlier.

Policies should define what you reward and what you punish. Culture is the huge grey area in the middle, all of which is called ‘acceptable behavior.’”

Controls and processes won’t identify these people or the culture risk they introduce, as these effects are subtle, harder to measure, and sometimes take place over long periods of time.

Consider this example: a company invests in upgraded technology for all employees, but asks that the new devices remain in the office. This company has a non-confrontational culture, in which people are reticent to call out senior team members’ bad behavior, for fear of it affecting their growth potential. When a few people begin taking the new technology home to their personal offices, no one speaks up and no one is punished. While this specific issue is fairly low stakes, it sets a precedent that rules don’t apply to everyone, especially those that have power within an organization. Even worse, if someone does speak up and the issue remains unaddressed, this introduces doubt—what other rules are people breaking? Perhaps none of these rules actually matter.

Culture, not control mechanisms, dictate how behavior is identified and dealt with. Investigating one-off claims is not enough; leaders need to understand organizations’ weak spots—in this case, a management team who does not see the rules as applying to them—and address the underlying problem, rather than symptoms of it. Culture is dependent upon and vulnerable to the behaviors and capabilities of managers at every level, the communication style they encourage, the incentives they put in place, and the bad behaviors they let slide, either intentionally or inadvertently.

Culture is the most important thing. You can have the best controls in the world, but if your culture does not support those policies, you will fail.”

What is your organization’s risk culture? Depends who—and how—you ask

Leaders often think they have one culture. In reality, they have many. Especially in complex, global organizations, it’s normal and expected for local “microcultures” to arise. However, this can introduce risk when each microculture operates off of a completely different rulebook. We heard from multiple interviewees that regional leaders—particularly those that are far removed from company headquarters—had a different perspective on company priorities, risks, and overall culture.

In large, global organizations, there’s often a regional divide between headquarters and the field. You’ll often hear regional leaders saying, ‘My business unit does it this way; my country has this issue.’ That’s not a bad thing, but it also doesn’t discount global rulebooks.”

Just as leaders must remember that their organizations are comprised of many different people with competing motivations, so must they remember that there are a diverse set of cultural norms that influence risk tolerance within any given region. In some jurisdictions, the compliance manual is king; in others, it’s a mere box-check to be referenced when the regulators come around; and for others, the compliance manual functions as a starting point for negotiation and is even used as a loophole for getting around other checks.

In Asia, more than in other regions, you need to emphasize learned behaviors, role modelling, and openly promoting certain behaviors, all while being careful not to berate the old behaviors, which are ‘legacy you must respect.’”

To develop a healthy risk culture, organizations need to engage in an honest dialogue about risk vs. reward at every level—and within every region—of the organization. When discussed openly and clearly role modeled, leaders can create a culture that embraces, or even celebrates, smart risk taking within the organization’s parameters and with input from controls leaders. Business leaders need to be upfront and transparent about what’s needed to support high risk/high reward situations, and empower governance and controls leaders to have a voice in early stages of said situations. This not only secures their own books of business, but also sends a message to others in the organization that getting early buy-in from controls leaders is critical to business success.

Often, leaders forget that they’re dealing with many cultures, not one. This is even more true for large, global, complex organizations.”

Ignorance is not bliss—it’s risk.

Most organizations are not monitoring or measuring culture effectively. Even if leaders utilize employee survey tools, many produce inconsistent insights, have too broad a focus, or measure the wrong things. Often, they run the risk of confirming banalities, such as the priority placed on innovation or collaboration across an organization. They do not provide systematic insights from the different “microcultures” within the company—insights that could actually make a difference when identifying and addressing risk areas.

Controls leaders know they can’t uncover everything with a measurement survey—just the big (likely already obvious) issues. They know that minor, undiscovered issues could eventually become major problems, but there are often too many other known risks and not enough capacity to address them. Additionally, if an issue is raised and the leader does not have time to address it, they’re still responsible if a regulator catches wind. That alone is enough for these leaders to say, “Just don’t tell me.”

If your entire dashboard is green, that doesn’t mean that everything is fine—it likely means that you’re measuring the wrong things.”

While claiming ignorance is tempting, it actually opens organizations and their leaders up to even more long-term risk. Additionally, while it’s valid to be concerned about finding something problematic without resourcing to fix it, the wisest controls leaders know that everything is discoverable now. Without a clear and full view of all issues that need to be addressed, it’s impossible for leaders to correctly prioritize them.

To gain a full view of a prioritized list of problems, controls leaders can utilize more advanced behavioral diagnostics, which provide a unique approach to measurement that creates real psychological safety for survey respondents, asking sensitive questions in a manner that creates confidence in its confidentiality. In our experience, this method leads to powerful group level insights about people’s real beliefs and behaviors. This clarity has profound implications for employees, leaders, and companies. (To learn more about culture imaging, see our recent paper, “Measurement Mindset: A Practical Approach for Understanding Culture.”)

You could have the strongest compliance program in the world; but it wouldn’t matter if leaders aren’t bought in to the culture. You can’t delegate culture or compliance.”

Understanding the full cultural landscape at an organization allows leaders to proactively prioritize issues—potentially asking regulators for more time to address less dire problems—assess whether managers are upholding stated company values, and adjust messaging as needed.

A clear tone from everyone at the top is the bedrock of a healthy risk culture

When it comes to organizational culture and values, leaders can define and control the “tone at the top.” However, the “tone from above”—meaning the signals sent by an employee’s direct manager or supervisor—receives far less focus, making the “echo from the bottom” that much more elusive.

Often, organizations place the responsibility of establishing a risk culture at a select few executives’ feet. However, this is insufficient. An undertone—or worse, explicit message—that business performance matters above all else, even doing the right thing, can reverberate through the organization with disastrous consequences.

A good controls officer should be a culture carrier, but they are not solely responsible for creating or shifting corporate culture. Instead, refining culture is the responsibility of the CEO and the entire leadership team. And maintaining it is everyone’s job.

Every leader and manager has to make explicit statements reinforcing compliance culture. People recognize if their leaders aren’t reinforcing what the company says it values.”

For permanent and ongoing change to occur, organizations need to focus on embedding culture awareness and stewardship at all levels of the organization, with a particular focus on middle management and frontline businesses. By making culture stewardship a permanent and integral part of business conduct at every level, organizations can avoid culture risk.

How to build a healthy risk culture

Revisit the messages being sent from leadership.

• Examine your tone from the top: Strong controls leaders are well equipped to support an evolving culture, but if the tone from existing leaders conflicts with the compliance mandate, even world-class controls leaders are unlikely to make meaningful progress. Building alignment among the CCO, the CRO, the CEO, the C-suite, and the board will help accelerate transformation.
• Consider unintended consequences: Ensure that you’ve considered how changes ripple out across an organization. When business leaders focus solely on financial gains – e.g., a new leader implementing a cost-saving initiative – they run the risk of missing appropriate change management or safety considerations. Send the message via your own actions that controls leaders should be involved in these conversations immediately.
• Ensure that your incentives aren’t in conflict: Even incentives with the best intentions often have a dark side. For example, if an organization rewards on-time product delivery, but this delivery is only achieved via unethical behavior (skipping quality checks, violating worker rights, etc.), does this then become something that’s punished? This also applies to succession planning: what happens if the tyrant rainmaker is promoted into a leadership role? Leaders need to explicitly ask themselves about all potential unintended consequences of rewarding specific outcomes.
• Embed open dialogue into how things get done: To understand how people are feeling, leaders need to make sure the path between them and their employees is clear. Continual, open communication helps eliminate the stigma of only speaking to the boss or the regulator when there’s a problem. By listening with intent and authenticity; challenging constructively, especially around potential disruptions like technology and AI; investing in teams and people; and, finally, putting a premium on transparency, leaders can gain a deeper understanding of their workforce.

Success is often your biggest blind spot. As soon as you reach the top, you need to wonder—what am I not being told?”

There’s a common pattern: problems stem from situations in which people who really want to get a deal done push it across the line, no matter what the consequences.”

Ensure leaders are trained and equipped to lead.

• Hire controls leaders with the right competencies: Focus on hiring people who align with your organization’s purpose and values. This will help create a sense of pride in working in compliance, centering around accountability, trust, and transparency.
• Ensure leaders are trained, equipped, and empowered to lead: Controls leaders should have influence with the CEO, and the entire C-suite should be a part of maintaining and role modeling their company’s risk culture. It also helps to be explicit about control leaders’ decision rights and role clarity, which is often a huge source of risk. This ensures that the right things are being escalated and that decisions—and their consequences—are owned by the right people.
• Build a diverse team: Varying viewpoints and backgrounds are crucial for a well-rounded controls team. Diversity in thinking, problem solving, and leadership styles helps organizations achieve better results.

If you hire individuals that look or act the same way, they will usually all make the same mistake or miss the same flags. To be effective, you need varying views and backgrounds. Different people see different things.”

Measure culture specifically and accurately.

• Ask the right people the right questions: Consider tapping into recent advancements in culture measurement that evaluate how leaders act and what people believe, utilize unique question formats that check for specific issues, and reveal hard truths about an organization.
• Build a culture of psychological safety: Culture is continued reinforcement – to be truly balanced, continually promote an environment that encourages employees to speak up, escalate issues, and share feedback without fear of retribution. Bullying management styles must not be tolerated.
• Don’t over-rely on tools: There is no one size fits all solution. Instead, look to a range of data sources for early warning signs of organizational stress–equipment failures or other resource gaps, overly aggressive business targets, “mosquito bite” complaints about minor isolated annoyances that only spell trouble in the aggregate.

Culture is continued reinforcement – be balanced and thoughtful when people come to you with issues. If you encourage this behavior, you can truly know what’s happening.”

Authors

• Gretchen Anderson leads Russell Reynolds Associates’ Global Culture capability. She is based in New York.
• Leah Christianson is a member of Russell Reynolds Associates’ Center for Leadership Insight. She is based in San Francisco.
• Sean Dineen is a senior member of Russell Reynolds Associates’ Leadership Advisory group. He is based in Boston.
• Cynthia Dow leads Russell Reynolds Associates’ Global Legal, Risk & Compliance Officers capability. She is based in Boston.
• Daria Rokk leads Russell Reynolds Associates’ Legal, Regulatory, Compliance and Risk capability in APAC. She is based in Hong Kong.
• Harsonal Sachar leads Knowledge for Russell Reynolds Associates’ Human Resources Officers and Legal, Risk & Compliance Officers capabilities. She is based in Toronto.
• Alix Stuart is a member of Russell Reynolds Associates’ Leadership Advisory group. She is based in Boston.
• Amelia Stubbs leads the Risk & Controls practice in Russell Reynolds Associates’ Financial Services industry. She is based in London.
• Ellen Yaffe leads the Risk Management practice for Russell Reynolds Associates’ Financial Services industry and is a member of its Legal, Regulatory and Compliance Officers practice. She is based in New York.