Also discussing ethics, audit, management, fraud, SAP and monitoring tools
Defining a GRC culture
The GRC culture influences the decisions of management and employees, sometimes even at an unconscious level. C-level executives should ensure that a "whatever it takes" attitude to getting results does not harm stakeholders' interests. Employees should understand that GRC rules apply to everyone in the company as they pursue their business goals. In other words, all levels of a company need to understand the boundaries within which they can operate. In this post, I lay out my ideas about the three aspects of a GRC culture.
Risk Culture: It can be defined as the system of values and behaviors, that is, the culture, that affects risk decisions. In practical terms, employees need to understand the company's risk exposures. The risk culture is created through risk management training, risk assessment and guidance on decision-making. It involves organizational risk policies as well as risk statements and procedures. A strong risk culture is part of good ERM practice. For instance, banks with a healthy risk culture weathered the 2008 credit crisis better than average.
Compliance Culture: It can be defined as the overall environment that affects how compliance issues are handled. In a strong compliance culture, employees follow the right processes and perform the right controls even without oversight. In practical terms, it refers to how effective a company is at meeting regulatory requirements and at deterring and detecting compliance problems. It covers how proactive employees are in averting compliance issues, interpreting the meaning and intention of rules, and obtaining the resources needed for examinations. Compliance culture involves strategic planning, effective control points, careful audit traceability and documentation, proper disclosure and well-known company procedures.
Governance Culture: It can be defined as the attitudes and actions that build a strong and competitive company and enhance shareholder value. It involves the strategic direction of a company and how that strategy is embedded into business practices and leadership capabilities at every level. A healthy governance culture creates a reputational advantage with investors. The governance culture involves beliefs about how business should be done and the ethical principles of management and employees in general.
The boundaries between the three aspects of the GRC culture are hard to establish. In the end, the general term "culture" is itself hard to delineate. These aspects are linked together to create a company culture.
Building a GRC culture is a long, consistent process based on effective communication about ethics and practices and on rewarding actions that comply with the GRC strategy. It is not enough to have good intentions. It is not enough to have an internal audit department. It requires leadership, accountability and infrastructure to create an environment that is conducive to ethical behavior and that is part of the company's business model. There is an overwhelming amount of research supporting the view that an ethical culture is part of a company's success.