Cobwebs and skeletons: Cast light on your law firm's real culture
Firms that audit their cultures are best placed to recruit and retain the best legal talent, say Stephen Gould, Stephen Lucas and Russell Davis
Three things you will learn from this Masterclass:
-
What culture and culture audits mean for many successful leadership teams and internal auditors in financial services and corporate organisations
-
The four key stages for a tried-and-tested solution for developing an approach for assessing and auditing culture
-
Some common misconceptions around culture audits
Successful leadership teams across a wide range of organisations recognise that a strong organisational culture drives compliance outcomes and provides competitive edge.
In law firms, there is an increasing awareness of the importance of undertaking culture audits as part of pre-merger due diligence and new partner screening processes. A culture audit of both firms is vital to consolidate the organisational culture of the newly-merged firms. Among other things, it enables the business to identify
the leadership messaging and behaviours so that the merger integration process
is successful.
Research has found that many UK law firm merger negotiations fail, often after months of discussions.1 Often, this is because firms fail to address issues such as cultural compatibility early in merger discussions.2 Many of these failures could have been avoided by incorporating culture audits as part of their due diligence of potential merger partners. Another benefit would be improved internal communication when merging teams pre- and post-merger.
With rising competition for legal talent posing big challenges to recruitment and retention, a firm's organisational culture can be a big differentiator. For example, in a firm with a strong organisational culture, those seen to succeed will be those who have a common purpose with the firm. They will stand out as role models, worthy of imitation by their colleagues who also want to succeed at the firm. This in itself propagates more commonality of purpose throughout the firm and helps to avoid people becoming disgruntled and joining the firm's competitors.
Defining and articulating the desired organisational culture is a critical first step on the journey to strengthening it. However, a greater challenge is embedding and sustaining the desired culture across the organisation. To do that, leadership teams must be able to measure progress on their culture change or transformation programmes so that they know which techniques are working to strengthen the firm's culture.
In response to this, many audit committees and senior stakeholders are demanding that their internal audit functions measure, monitor and provide assurance on the firm's culture transformations and, accordingly, carry out culture audits as
part of their audit plans.
Numerous financial services, legal, pharmaceutical, aviation and commodity trading organisations, as well as public sector organisations and consumer businesses, have implemented ongoing programmes for their internal audit
functions to carry out culture assessment
and monitoring.
For example, a major global financial services organisation has experienced reduced operational costs since implementing and responding to management actions arising from its programme of culture assessment and monitoring. Closing the management actions has driven through the desired compliance outcomes and, accordingly, reduced losses from compliance breaches, anti-money laundering and professional liabilities.
Also, some of these organisations have undertaken or recently undergone culture transformation programmes. Many of these initiatives are in response to increased regulatory scrutiny following the financial crisis, numerous cases of 'rogue' trading in financial services and new internal codes and ethics for better practice.
It is a powerful message to regulators and stakeholders that a leadership team is serious about getting its firm's culture right by appointing internal auditors to carry out culture audits and then responding positively to the audit findings.
Assessing culture
Many auditors, regulators and industry professionals view assessing culture as the priority measure for evaluating how embedded are a firm's business and risk strategies, goals, objectives, minimum requirements, key principles, values and ethics. A culture audit provides tangible evidence of what happens on the ground, even when no one else is watching.
Culture measurement, monitoring and management are here to stay. In the financial services sector, internal audit teams are expected to have a view on their firm's risk and control culture.3 With organisations such as these increasingly demanding that their legal advisors put in place systems and processes that match their own, it makes sense for law firms to get a head start on their internal audits.
The debate amongst audit professionals has moved from 'should culture be included in the risk-based audit plan?' to 'what type of culture should internal audit focus on in its audit plan?' For example, this could be all-encompassing culture or the more granular risk and control culture. It could even be more granular sub-risk category cultures, such as conduct risk culture, operational risk culture and market risk culture (see box: 'What is culture?'). For the purposes of the remainder
of this article, culture is taken as
all-encompassing behaviour norms,
symbols and systems that make up an organisation's 'DNA'.
What is culture?
Culture is ‘the way we do things around here’ – even when no one else is watching. It is the DNA of an organisation.
Culture can be visualised as the systems, behavioural norms and symbols in an organisation, specifically the ‘hardware’ and ‘software’ available to leadership teams to influence the culture of their organisation.
The ‘systems’ are the ‘hardware’ or top-down components (such as the firm’s strategic goals and objectives, policies, processes and procedures, values and ethics, risk appetite and remuneration frameworks).
Risk culture or risk-intelligent culture is a subcomponent of the all-encompassing culture in organisations. Risk culture or risk-intelligent culture means that “everyone understands the organisation’s approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example” (Deloitte’s definition).
This article sets out a 'tried and tested' four-stage solution for developing an internal audit approach for assessing firm culture (see Figure 1). The approach can be augmented to include the more granular assessment required for assessing risk culture and its more granular sub-components, such as conduct risk culture.
Stage 1: Develop a culture assessment framework to audit against
In firms where the senior leadership team has defined its desired organisational culture, internal audit has a baseline from which to immediately 'kick start' developing its culture assessment framework to audit against.
In firms where this is not the case, gone are the days of being able to and needing to postpone culture audits until the leadership team has agreed its desired culture for the firm. A culture assessment framework to audit against can be developed by considering a proxy culture baseline for a firm from the montage of its existing culture-related drivers, influencers and indicators. This can be done, for example, by:
-
leveraging (identifying, reviewing and collating) the firm's existing board-approved business and risk strategies, goals, objectives, minimum requirements, key principles, values and ethics; and
-
enhancing these with any other key influencers and indicators typically
found in good organisational cultures within their firm's industry.
For example, in supporting internal
audit functions to develop culture assessment frameworks, we use the following four generic influencers of a
good organisational culture:
-
risk competence: the collective
risk competence of the organisation; -
motivation: the reasons why people
do the things the way that they
do, particularly when no one else
is watching; -
organisation: how the organisational environment is structured and what
is valued; and -
relationships: how people in the organisation interact with others.
Themes have emerged across both financial services and corporate firms on the types of indicators to audit against for these four influencers and the minimum standards for what 'good looks like' for each (see Figure 2).
When deciding on the appropriate number of proxy culture influencers and indicators to include in the culture assessment framework, internal audit
can consider:
-
what is pragmatic for the firm in terms of the nature, scale, size and complexity of the business and its risk strategy, growth plans and risk profile;
-
what level of assurance is required by the audit committee for culture audits; and
-
how flexible are its chosen influencers and indicators for assessing the different dimensions of sample populations (for example, size of population, career bands, geographical locations, lines of business, heritage views (years in role), lines of defence4 and functional areas).
Stage 2: Create an evidence source model
The minimum amount of evidence required for internal audit to provide an appropriate assessment of the organisation's culture
is dependent on the required level of assurance and the desired reporting
output. The required level of assurance can be determined by considering (a) the availability of evidence; and (b) the desired reporting output.
Availability of evidence
The availability of audit evidence can be determined and the evidence source model created by:
-
identifying and assessing the credibility of existing audit evidence from existing processes and audit activities in the internal audit plan that relate to the indicators set out in the culture assessment framework developed in Stage 1; and
-
if necessary, identifying new sources of evidence to close any 'gaps' against each indicator to meet the required levels of assurance (See Figure 3).
A tip when identifying tangible audit evidence for the evidence source model is to consider the three categories of audit evidence for each indicator:
-
independent observations;
-
self-reported evidence; and
-
data analytics (see box: 'Categories
of audit evidence to inform the
culture assessment').
Categories of audit evidence to inform the culture assessment
-
Independent observation. Evidence gathered by the internal audit team leveraging business-as-usual audit activities (for example, observed behaviours, case studies or walkthrough testing, structured interviews).
-
Self-reported evidence. Evidence gathered from sources where an individual external to internal audit gives a subjective opinion (for example, surveys, personal performance objectives, balanced scorecards, loss reporting).
-
Data analytics. Evidence gathered from data sources from within the organisation (for example, email traffic, key performance, risk or control indicators, and employee retention rates).
To achieve the required level of assurance, it may be necessary to have at least one source of evidence from all three of these categories for each individual indicator in the culture assessment framework. (For example, see the 'performance management' indicator in Figure 3.)
Desired reporting output
The desired reporting output can be determined by considering the frequency, timing, level, grading and format of the report (see box: 'Determining the desired reporting output for auditing culture').
Determining the desired reporting output for auditing culture
Report frequency and timing
-
Annually, quarterly, monthly or continuous monitoring as part of ‘dashboard’ type reporting?
-
Aggregate findings at a point in time or over time?
-
Is trending of culture transformation over time required – if so, at what frequency for the data points?
Report level
-
Legal entity, business unit, functional level, country level or group level?
Report grade
-
Provide a culture grading (such as red, amber, green) or directional narrative themes or both?
-
Provide statistics or results as a percentage of responses to surveys, questionnaires or interview questions?
-
How will culture findings be calibrated with internal audit’s existing rating methodology that is already used in non-culture or normal ‘business as usual’ audits?
Report format
-
Separate report for culture audits or culture observations included in existing audit reporting for relevant ‘business as usual’ audits?
-
How to include culture observations and trends in audit committee/risk and audit committee summary reporting?
Stage 3: Select an audit approach
When selecting which approach(es) to use for culture audits, internal audit should consider the level of assurance that is required and the desired reporting output. Two of the more common approaches for culture audits are as follows.
-
Culture-specific audits. These are standalone audits of culture which often include a case study. Internal audit assesses the evidence for each of the culture indicators in its culture assessment framework to determine an aggregate view of the overall culture in the area, function of business unit in scope of the audit.
-
Culture consideration in all audits.
A culture element is included as a 'bolt on' to other audits by conducting a root-cause analysis to identify if any behavioural drivers were primary or secondary causes for the audit findings (for example, inadequate behaviours by employees or their misperceptions of what is valued by the firm).
A third approach involves continuous monitoring of the firm's culture by
reporting positioning against a selection of key culture indicators from the culture assessment framework. That reporting can then become part of internal audit's regular management information report to the board and board committees.
Stage 4: Supplement with auditor intuition
The behavioural nature of culture means that the evidence source model on its own might be too mechanical a procedure to truly evidence and capture how well embedded culture is within a firm.
The initial view on culture from the evidence source model can be supplemented with the additional qualitative evidence on culture that internal audit is privy to. That is, the culture-related evidence that internal audit builds up over time, as its insight, from its frequent interactions with all areas of the firm via its other audits and management information reporting.
Examples of sources of evidence
on cultural messaging that internal audit are likely to be privy to and that might be missed from evidence collected using
an evidence source model are:
-
symbols: inherent interpretations of what is important or valued at the firm (for example, stories or fables of someone getting rewarded, promoted, or let go because of their record of bringing in new clients with large potential revenue gains but with disregard to anti-money laundering risks); and
-
revealed preferences: the actual organisational values as opposed to
the nice-sounding ones (for example, the 'tone from the top' is to bring everyone together to share knowledge on an away day, but the plan goes nowhere because of cost).
Seven misconceptions
Let's clarify some common misconceptions around culture audits.
-
Culture assessment is not a fad. Culture measurement, monitoring and management have been hot topics on regulatory agendas since the financial crisis began in 2008. Culture assessment is becoming established as an approach for assessing the quality and embedding of business and risk strategies, goals, objectives, minimum requirements, key principles, values
and ethics. -
'Off the shelf' best-practice solutions for culture measurement do not exist. There is no 'off the shelf' solutions that can truly measure
all elements of all firms' cultures, because every organisation has its
own unique culture, whether good or bad. A tried-and-tested approach to use is to take a generic culture assessment framework as a starting point to guide the development of the firm's unique framework and specific assessment solution. -
Scorecard approaches alone do not work. A quantitative scorecard approach, such as a percentage or red, amber and green ratings, will not fully capture an assessors' or auditors' view of a firm's culture. The behavioural nature of culture means the results of a culture assessment can only be fully set out using both qualitative descriptions and quantitative scores.
-
New or pioneering sources of evidence are not always required to measure culture. In the first iteration of developing a firm's evidence source model, it is often pragmatic to look first for evidence that already exists and can also be used to evidence culture measurement (for example, key performance, risk and control indicators). External bodies such as regulators, auditors and risk management organisations can
also be referenced for examples
of potential sources of evidence
for auditing culture. -
Culture assessments are unlikely to identify who will commit fraud, be 'rogue' lawyers, miss-sell services or ignore firm codes and ethics. Culture measurements from structured interviews and diagnostic surveys alone do not measure people's propensity to take risk or cut corners. They do measure people's perception of risk and control and their buy-in to a firm's risk management and internal control approach (policies, processes, procedures, systems and frameworks). To measure peoples' propensity for anything requires observation and data analytics of their behaviours over an appropriate length of time.
-
Culture transformation will not always mean a happier workforce. Caution is required when recommending culture-driven actions. When they start taking effect, the knock-on change to the way things are done around a firm might not fit with everyone's purpose, values and beliefs. This can be a 'game changer' for those who want to work at and stay
at the firm. -
Culture transformation cannot be rushed to meet regulatory deadlines. Transformations from culture-driven actions do not happen overnight.
The task of changing behaviours takes time, typically 18 months for a measurable change, even when the senior leadership and middle management teams back it to the hilt.
Reaping benefits
A culture audit can make a real difference to 'the way we do things around here' and how well a firm lives and breathes the values that the leadership team have painstakingly created.5 As with all such initiatives, however, an audit is not enough to produce beneficial results to the firm. Action must be taken to use the findings constructively, with the leadership team setting the 'tone from the top' on how seriously the culture transformation
should be taken.
Failure to take appropriate action
will result in the audit being another sunk cost for the firm's stakeholders and, even worse, risk causing further damage to the firm's culture. Not only will partners and staff know where the rotting cobwebs and buried skeletons are, but they will know that management have no intention of doing anything about them.
Stephen Gould is the leading practitioner in Deloitte UK’s risk and regulation advisory practice on diagnosing and strengthening cultures. Stephen Lucas is a lead partner in helping organisations diagnose and strengthen risk culture and leads the firm’s non-financial risk proposition. Russell Davis is a lead partner in its banking and capital markets audit group (www.deloitte.co.uk).
References
-
See 'UK's top law firms: Two-thirds of our merger discussions fail',
Manju Manglani, Managing Partner,
Vol. 17 Issue 6, March 2015 -
See 'Most 'opportunistic' law firm mergers 'a huge waste of time'',
Manju Manglani, Managing Partner,
Vol. 16 Issue 8, May 2014 -
See 'Effective Internal Audit in the Financial Services Sector', Chartered Institute of Internal Auditors, July 2013
-
In the 'three lines of defence' model for risk governance, the first line (such as front office personnel) 'own' the risk; the second line (such as risk management and compliance) are responsible for independent oversight and challenge; and the third line - independent assurance - is the purview of internal audit.
-
See The Will to Manage: Corporate Success Through Programmed Management, Marvin Bower,
McGraw-Hill, 1966