Is culture a corporate compliance risk?

Corporate culture, while generally accepted as important for business success and sustainability, is often viewed in the context of “employee engagement” and therefore strictly under the purview of Human Resources. Yet years of media headlines demonstrate that corporate misconduct is not as much “a few bad apples” as often as “a rotten tree.” Meaning, a company’s ethical culture has a large role to play in enabling or creating the conditions for misconduct to occur. Against this backdrop, what happens when we broaden our understanding of corporate culture to also view it as a compliance risk? Or, to paraphrase Michael Volkov, as a company’s most effective internal control? 

These questions guided LRN’s latest panel discussion, hosted by Compliance Week, on “Culture as a compliance risk.” (Available here to watch on-demand.) Ethics and compliance professionals at leading organizations shared how they incorporate ethical culture into their E&C program strategies. The panel was moderated by LRN’s Director of Advisory Services Emily Miner and included the following speakers: 

  • Nicole Diaz: Global Head of Integrity & Compliance Legal at Snap 
  • Carlos Villagrán Muñoz: Director of Compliance at CMPC 

Corporate culture vs. Ethical culture: What’s the difference? 

Miner kicked off the discussion by diving into the dimensions that make up ethical culture and how this differs from corporate culture. Harvard Business Review notes that defining corporate culture is tricky because much of it is anchored in unspoken mindsets in addition to more tangible elements like company social gatherings or having beer on tap in an office. But the panelists agreed that corporate culture is often much broader in its definition, while ethical culture is defined by distinct dimensions of behavior. The LRN Benchmark of Ethical Culture provides a model outlining 11 dimensions of ethical culture. 

11 dimensions of ethical culture outlined in the LRN Benchmark of Ethical Culture report.

Villagrán Muñoz followed up by explaining how his ethics and compliance team thinks about ethical culture vs. company culture at large. While some organizations view culture as too theoretical or amorphous at times, he explained that CMPC uses it to identify risk areas and measure progress. At CMPC, company culture comprises the values of the organization, while ethical culture is the framework for acting on those values. Villagrán Muñoz also noted that bringing culture into a risk management framework requires educating employees on how to apply their values on a daily basis. 


Diaz added that even though ethics and compliance teams are steeped in ethical culture, the concept is not owned by E&C alone. Many people contribute to a company’s ethical culture. However, because the initiative is cross-functional, it can be slower to adopt and requires a thoughtful approach to company-wide education. Snap, for example, has demonstrated the LRN model internally to help employees understand its scientific and statistical significance as well as its practicality. Presenting ethical culture through its distinct pillars (outlined above) has helped Snap show how this model can be a useful lens through which to view daily business operations. 

Is it practical to talk about culture as a compliance risk? 

Another key topic of discussion was exploring the connotations around “risk,” and whether associating culture with risk is a pragmatic choice or something to avoid. Villagrán Muñoz did not consider risk brought a negative connotation to culture, If anything, he argued, it is strategic way to promote his team’s work and help senior leaders make business decisions. “E&C competes with other elements of the company,” he explained, “but risk is a natural component of business. When you talk about [culture as a] risk, it gets their attention.” 


Diaz concurred by saying that using a risk management framework to talk about ethical culture can help people better understand that culture is something the organization can manage and measure. In fact, Snap is already integrating culture into its corporate risk assessments. But Diaz emphasized that risk, while important to bring up, is only half of the conversation when it comes to ethical culture. To elaborate, she used an analogy she called “the floor and the ceiling.”   

The “floor” of ethical culture is to prevent misconduct, she explained, which is where risk management comes in. The “ceiling” of ethical culture, on the other hand, is to inspire action that goes above and beyond what risk management requires. It involves using company values to come up with creative solutions that are beneficial to both the bottom line and the people Snap does business with every day.  


Incorporating ethical culture into risk assessments 

Diaz spoke at length about incorporating ethical culture as a metric into Snap’s risk assessment, a strategic move that came from the business re-evaluating its purpose, audience, and intended outcomes tied to risk assessments in general. Diaz and her team found that many organizations opt to follow a risk assessment process that documents their business units, business activities, and day-to-day operations to ultimately develop controls.

However, leaders at Snap were more interested in learning where there were gaps in providing support that employees need to act ethically in their jobs. Where were people starting to lose confidence in the ethics of the business? What parts of the business needed course-correcting before misconduct arose? How could leaders help their teams do the right thing? Diaz and her team developed materials to help answer these questions, starting with a code of conduct that explained how to tie the company’s values into making decisions. The team also launched a company-wide speaker series that invited people across the business to share stories about how they apply Snap’s values to their day-to-day work. Topics range from talking about role models to discussing how to balance competing priorities. 


Investing in culture as well as risk management 

Villagrán Muñoz talked about the importance of making the case to invest in culture, especially i organizations are in the early stages of developing their larger E&C program. He used CMPC’s own experience with a corporate crisis as an example, citing a case where members of the company colluded with competitors to control market share and product prices for around 10 years. The crisis revealed not only a failure of compliance, but a failure of culture. In addition to paying approximately $30 million in fines, CMPC lost clients, business opportunities, and talent. The company knew it needed a complete overhaul of its corporate governance structure, business strategy, and leadership to ensure this wouldn’t happen again. 

Villagrán Muñoz and his team set out to understand the root causes of this misconduct, ultimately identifying the following factors that needed addressing: 

  • Silos and subcultures 
  • Lack of proper leadership modeling
  • Competing business objectives and incentives
  • Lack of accountability and speak-up culture
  • “Checkbox” compliance 

From there, the team developed a plan using the CMPC’s values as the foundation. They focused on promoting transparency and encouraging people to speak up, strengthening their reporting system and creating materials that could easily guide employees through the process of filing a report. They also developed a “Words & Actions” training program focused on company leadership and its role in supporting ethical compliance. Throughout these efforts, Villagrán Muñoz noted, was also the shift in emphasizing values—not just rules—as the constant. “Rules may change, but our values are steady,” he said. 


Where to get insights into your company’s ethical culture 

In closing, Miner shared a starter list of direct and indirect sources that organizations can tap to “keep a pulse” on the state of their ethical culture.  

Direct and indirect sources of culture data, from the LRN Benchmark of Ethical Culture.

Direct sources included: 

  • Employee surveys 
  • Focus groups 
  • Roundtable discussions 
  • Exit interviews
  • Feedback forms after key processes (e.g., investigations)

Indirect sources included: 

  • Turnover rates, absenteeism, and promotion rates (e.g., by department) 
  • Disclosures, hotline, or manager reports
  • Themes from Glassdoor reviews and social media
  • Employee activity with company policies or the company code of conduct
  • Network mapping
  • Analysis of email/collaboration tool data using natural language processing

Finally, Diaz and Villagrán Muñoz talked about their company partners in fostering ethical culture and shared the types of departments that ethics and compliance teams can (and should) collaborate with when determining how to incorporate ethical culture into broader business metrics: 

  • Senior leaders and higher-level managers 
  • Learning and development (L&D) teams 
  • Environmental, social, and governance (ESG) teams 
  • Human resources (HR)
  • Legal teams
  • Diversity, equity, and inclusion (DEI) teams 

The key takeaway 

Panelists concluded the discussion by emphasizing that at the end of the day, ethical culture is everyone’s responsibility. It informs not only how people do business each day, and how they can do the right thing each day. To learn more about how your organization can incorporate culture as a compliance risk, watch the full discussion on-demand and download a copy of the LRN Benchmark of Ethical Culture.