Mobile Edition
Print
Get the Mag
Weekly UpdatesMECHANISTIC VS. ORGANIC
A mechanistic culture is highly formalized, controlled, and structured, with personnel assigned to precisely defined jobs in a rigid hierarchy. By contrast, organic cultures lack strong formality and standardization. Workers have jobs that are loosely defined, and they perform ever-changing tasks using whatever methods meet the needs of the endeavor. There are high levels of interaction, collaboration, and open communication across a pliable organizational hierarchy.
So which of these culture types is more conducive to effective ERM? It could be argued that it would be easier to implement ERM in a mechanistic environment. With its emphasis on strict procedures, detailed direction, segregation of duties, and watchful supervision of employees, the mechanistic system appears to mesh nicely with the types of control activities auditors have traditionally advocated. In such an environment, the recipe for ERM deployment appears straightforward; simply establish the new policies and job duties, outline the revised hierarchical structure, and have ERM mandated from the top. If the planning is done well, the ERM deployment should occur smoothly.
Unfortunately, ERM deployments may not go as planned. When problems occur, more than just the compliance of employees will be needed, and ERM by its nature is broader than conformity. Employee involvement is needed to identify risks, communicate them, assess them, and determine how to deal with them. While industries face increasing complexity and rapid change, organizations may not be able to wait for risks to be processed through a mechanistic culture before a decision is made.
ERM requires open and effective communication across the organization and a culture in which employees and their managers do not feel threatened by internal disclosure of risks. Thus, an organic culture appears to be better suited for handling these basic aspects of ERM, as it emphasizes lateral communication, collaboration, and employee commitment to the organization coming from within, rather than being coerced from without.
LINKING CULTURE TO ERM
To test the theory that an organic culture would provide better support for an ERM deployment than a mechanistic culture, we developed a survey using Reigle's "Organizational Culture Assessment" (OCA) instrument in conjunction with several questions regarding progress and success in implementing ERM. The OCA portion provides a score that ranges from a minimum of one, signifying a fully mechanistic culture, to a maximum of five for a wholly organic culture. Participants' OCA scores were statistically analyzed in relation to each of the possible responses to the ERM questions. The survey was deployed online using The IIA's Global Auditing Information Network Web site in late 2004. There were 116 respondents.
AGE AND MATURITY OF ERM PROGRAM The average OCAs generally trended upward with the length of time an organization had been implementing ERM and the amount of progress made. Statistically significant differences in average OCA scores were found at the extremes. For example, OCA scores were significantly lower for those who had not begun their ERM implementation when compared to those who were 100 percent complete. Similarly, respondents from organizations actively implementing a risk management process had higher OCA scores than those where ERM implementation was deemed unlikely.
APPOINTMENT OF A CHIEF RISK OFFICER (CRO) The survey asked participants whether their organizations had appointed a CRO, and if so, how long that position had been in place. Results for this section were inconclusive, as no significant differences or patterns were found.
ERM PROGRESS IN TERMS OF COSO'S ERM FRAMEWORK A positive relationship between average OCA scores and progress in implementing the eight COSO ERM components was observed. In other words, those who estimated their organizations were further along in implementing the COSO components had, on average, higher OCA scores. Regression analysis indicated a degree of statistical predictability between OCA scores and ERM implementation measured in this way.
SATISFACTION WITH ERM PROGRESS Participants were asked whether they were satisfied with the speed and effectiveness of their organizations' ERM programs. Although those who answered "no" had OCA scores ranging widely from mechanistic to organic, the "yes" respondents overwhelmingly represented organic cultures.
OPINIONS OF CULTURE'S IMPACT ON ERM Similarly, when asked about how the culture of their organizations impacted ERM implementation speed and effectiveness, those who said the culture helped mostly were from more organic entities.
WILLINGNESS TO CHANGE TO CULTURE When asked whether or not the organization had taken steps to alter its culture to support implementation of ERM, those who said "yes" were from more organic cultures.
IMPLICATIONS FOR ERM
If it is indeed true, as the survey results indicate, that ERM deployment is influenced by organizational culture, what does this mean for implementers and auditors? For ERM implementers:
* Managers might consider measuring how mechanistic or organic their organizations are, before plunging into ERM, and use this knowledge as input to implementation planning.
* A robust change-management plan may be beneficial to deal with undesirable culture tendencies, one which regularly assesses organizational culture.
* Implementers should practice what they preach during planning and implementation. If the goal is a more organic culture, they should demonstrate collaboration, employee involvement, open communication among departments, and other organic attributes as ERM is rolled out.
* The culture itself may be considered a risk worthy of ERM identification, assessment, response, and reporting to senior management and the board.
If it is decided that a more organic culture is desirable, internal auditors may wish to evaluate whether their activities support or inhibit that objective. The following questions may help internal auditors to make this determination:
* Does the language in audit reports convey a mechanistic or organic mindset about the organization?
* Are audit recommendations mechanistic-based, such as more stringent policies, closer supervision of employees, or strictly defined job tasks? Or, is there an emphasis on organic approaches like improved communication among departments, collaboration, and innovation involving all employees?
* Which culture type better describes the typical relationship between auditors and their customers?
* What are the audit department's instinctive assumptions about the nature of the organization? Are they trying to control people or processes to manage risk?
* Does internal auditing promote collaboration among functional units for the good of the whole enterprise or adversarial relationships between organizational silos?
These questions hint at an apparent fundamental paradox: Internal auditors may be prone to manage risk through traditional controls that seem perfectly logical and prudent in a mechanistic culture, yet we are learning that managing risk may be more organic. This is not to promote the abandonment of a heritage of control theory and practice for a sweeping swing of the pendulum to the opposite extreme. Can a pragmatic balance be achieved?
Concepts for dealing with similar ambiguity have been proposed in the past. In the 1980s, management consultants Tom Peters and Robert Waterman Jr. put forth the idea of "Simultaneous Loose--Tight Properties," which describes how excellent companies are able to nullify several supposed paradoxes through a corporate culture that embraces organic qualities while exercising rigid control. And in the 1990s, Peter M. Senge, author of The Fifth Discipline--The Art & Practice of the Learning Organization, asserted that learning organizations "achieve control without controlling" through applying "localness," which involves cultural elements consistent with organic cultures.
Perhaps the time has come for the internal audit and ERM communities to evaluate their cultures and consider how they influence the management of risk throughout the organization.
BY LANE KIMBROUGH, CIA, CCSA, AND PAUL COMPONATION, PHD
RUSSELL A. JACKSON
FREELANCE FINANCIAL WRITER
ILLUSTRATION BY TIMOTHY COOK
FEED