Toxic culture and its consequences represent one of the latest types of rapidly emerging risks. The finance industry has been badly shaken by high-profile cases featuring, among other firms, Wells Fargo, BNP Paribas and, more recently, the Commonwealth Bank of Australia.

John Thackeray

The U.K.’s Financial Conduct Authority and the U.S.’s Financial Industry Regulatory Authority have designated culture, and how it is reinforced, as a priority in their oversight of firms. Against this backdrop comes the need to audit and evaluate culture risk independently. To meet the requirements of regulators and to address their concerns, firms must ask the right questions about culture risk, with no bias or subjectivity.

Let me explain.

Internal and external data — gained through observation, questions, communication and documentation — can help each firm rank and weight its culture risk by means of a scorecard. While a scorecard can enable an organization to gauge its culture risk and implement improvements and controls (before the culture turns toxic), it is just a tool. Every employee, regardless of stature, should understand his or her role with respect to culture risk — and, what’s more, those responsibilities should be evidenced by their interactions with one another and the outside world.

Culture risk should be owned and included within each firm’s enterprise risk framework. Let’s now look at the key components of an effective culture risk framework:


Culture risk should be incorporated in both the risk taxonomy and risk appetite statement, with the latter aligned to the corporate values of the organization. The corporate values should not only be the moral compass of an organization but also dictate its behavioral patterns. Moreover, the values should be articulated and evidenced (both internally and externally), as well as aligned with the corporate objectives.

Reinforcement of these values should be promoted both inside and outside the work environment — reflected internally, for example, in incentive and reward policies, and externally through contracts with third parties. Policies and procedures should encourage employees to provide honest, unbiased feedback about the organization’s corporate values, as well as their effectiveness. Moreover, they should be regularly evaluated and should deliver the proper message to employees.


Culture risk should have well-thought-out metrics that make organizational sense. Human resources (HR) needs to be the custodian of these corporate values and metrics. Making sure that the organization’s policies and procedures align with such metrics is one of the responsibilities of HR, which also must ensure that working conditions (e.g., tools and equipment) are reflective of corporate values and that the organization promotes change and innovation through cultural training and education.

To ensure compliance, business and control groups must collaborate, and audit must play a key role in reinforcing corporate values. The mandate of the audit team involves finding evidence to determine (1) how information is shared and disseminated within the organization; (2) how robust the review and challenge is for both decisions and decision makers; and (3) how active participation in meetings is both encouraged and respected. Audit should also evaluate the competency and the control structure of compliance and risk management, with a view toward understanding if these control functions are furthering corporate values.

Moreover, audit should discuss and evaluate the cultural risk mitigants — e.g., active leadership, knowledge management and employee commitment — currently being employed. A great deal of thought should also be given to an independent evaluation from an outside audit service, which can perhaps act as an overlay to the existing (internal) audit function.


The process for gathering, distilling, analyzing and interpreting sensitive information should be outlined in the policy and procedures manual. More specifically, HR should gather and collate information derived from questionnaires, surveys, social media platforms, regulatory findings, outside audits, customer complaints and resolutions.

The evaluation process should include analysis of (1) a company’s hotline activity; (2) turnover and retention; (3) incident reporting; and (4) the consistency of discipline when things go wrong. To understand how values are being communicated (with respect to dispute, collaboration and cooperation), behavioral analysis of internal email traffic should also be performed.

All this information should be given to an outside auditor, who can rank and weight this data by means of a scorecard.


Senior management will be in a better position to understand the cultural pulse of the organization when it receives the results of the scorecard and an outside audit opinion. Monitoring how quickly the organization effects and reacts to change — particularly with respect to escalation and incident reporting — is one of the key responsibilities of senior managers.

Contingency planning (e.g., assessing various scenarios of cultural threats) also falls under the auspices of senior management, whose performance should be at least partly evaluated based on their effectiveness in dealing with real-world cultural incidents.

Parting Thoughts

Culture is everything — it is the lifeblood of the organization and is manifest in every decision and action. Ignore it at your peril.

This article was originally published by the Global Association of Risk Professionals.