The Important Links between Culture, Risk Management, and Business Performance

Culture—often a microculture within a specific business unit or location or function—is a critical underlying component of the likelihood and severity of business misconduct. Corporate Executive Board research finds that companies with healthier cultures realize numerous benefits:

  • Their employees are two-thirds less likely to see misconduct and much more likely to report misconduct and operational failures.
  • Managers who exhibit corporate values can improve employees’ performance by 12%.
  • Their 10-year total shareholder return outperformed peers’ by 16 percentage points.

Unfortunately, three years of highly detailed data from nearly 500,000 employees at over 100 companies show that company executives have consistently rosier assessments of the health of their culture than non-executive staff. The research shows that nearly 60% of employees do not share bad news and negative feedback because they fear it will negatively impact their careers. Furthermore, employees would forgo $1m to $10m in company earnings in order to avoid sharing bad news. Although these results were not specific to information security concerns, IREC believes they can be extrapolated to the security arena.

Culture, properly understood, is a risk control, and a control that impacts much more than just compliance. Making this intellectual leap helps companies understand how best to treat culture: as a measurable phenomenon. That is, critical cultural competencies should be defined, tested, and actively fostered. Companies should start by following these three simple guidelines:

  • Equip managers to deal decisively and consistently with instances of misconduct or unethical behavior;
  • Show the whole employee population—using real instances from the company—how the company deals with misconduct; and
  • Close the loop with employees who report misconduct, so they know that appropriate actions were taken.

Related Research:
Managing the Threat from Malicious Insiders
Preventing Employee Misconduct
Preventing Data Leakage
