Think Tone at the Top doesn’t matter? A front page headline in the Friday, September 25th New York Times Business Day section, commenting on Volkswagen’s use of sophisticated software to circumvent emissions standards, read “Problems at VW Start at the Boardroom” and continued “The governance of Volkswagen was a breeding ground for scandal. It was an accident waiting to happen.” The article describes a boardroom where outside views rarely penetrate. An observer said, “It’s an echo chamber.” Former executives describe the corporate culture as insular, reinforced by a board with a “paucity of independent directors.” ((Problems at Volkswagen Start in the Boardroom. New York Times. September 25, 2015. http://www.nytimes.com/2015/09/25/business/international/problems-at-volkswagen-start-in-the-boardroom.html?_r=0))
Volkswagen is an extreme example to be sure. However, some spectacular corporate failures in the early and mid-1980s led to a number of initiatives to address instances of fraudulent reporting – Drysdale Government Securities, Washington Public Power Supply System, Baldwin-United Corp., and E.S.M. Government Securities among them. One of those initiatives led to the formation in 1985 of COSO (The Committee of Sponsoring Organizations of the Treadway Commission), which has been at the forefront of risk management guidance for decades. ((http://www.coso.org/))
When the National Commission on Fraudulent Reporting (also known as the Treadway Commission) released its groundbreaking study in 1987, it declared that Tone at the Top was “an element within the company of overriding importance in preventing fraudulent financial reporting.” It said:
“The tone set by top management – the corporate environment or culture within which financial reporting occurs – is the most important factor contributing to the integrity of the financial reporting process. Notwithstanding an impressive set of written rules and procedures, if the tone set by management is lax, fraudulent financial reporting is more likely to occur.” ((Report of the National Commission on Fraudulent Reporting. 1987. http://www.coso.org/Publications/NCFFR.pdf))
Almost three decades have passed since the original Treadway Report was published, and Tone at the Top has emerged again as one of the most critical elements in predicting not just the likelihood of financial reporting fraud, but more broadly the likelihood that any organization can mount and sustain a successful enterprise risk management process. In its 2004 Enterprise Risk Management – Integrated Framework, COSO defined eight components of enterprise risk management, including the “Internal Environment,” defined as “The tone of an organization, [setting] the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and appetite, integrity and ethical values, and the environment in which they operate.” ((Enterprise Risk Management – Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission. 2004. http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf))
During the last three years, we’ve seen the essential role of executive management in building risk culture emerge as a central theme in both ISO standards and banking guidance. A few quick examples come to mind:
- OCC Bulletin 2013-29. Subject: Third-Party Relationships.
- OCC 2014 Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations and Insured Federal Branches.
- ISO’s 2012 integration of standards – Emergence of “Leadership” (Clause 5) as a core concept in ISO Annex SL, which established new formatting for ISO Management System Standards.
((OCC BULLETIN 2013-29. Subject: Third-Party Relationships. US Department of Treasury. Office of the Comptroller. October 30, 2013. http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations and Insured Federal Branches; Integration of Regulations. US Department of Treasury. Office of the Comptroller. 12 CFR Parts 30 and 170. Docket ID OCC-2014-001: RIN 1557-AD78. September 2, 2014. http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-117a.pdf; Tangen, S. & Warris, A. Management Makeover – New format for future ISO management system standards. International Organization for Standardization. July 18, 2012. http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1621))
And in Protiviti’s just-released Annual IT Security and Privacy Survey, the number one key finding: “Tone from the top is a critical differentiator – from strong board engagement in information security to management establishing ‘best practice’ policies, effective security begins with the right tone from the top, which is as important as any policy.” The study shows that just 28% of boards had high levels of understanding about, and high engagement with, information security risks relating to the business of their firm. ((The Battle Continues – Working to Bridge the Data Security Chasm. Protiviti, Inc. 2015. http://www.protiviti.com/en-US/Documents/Surveys/2015-IT-Security-Privacy-Survey-Protiviti.pdf))
Yet, despite the intensifying focus on the criticality of leadership to establishing and maintaining an organization’s risk culture, it is not clear that many of us think about Tone at the Top in a way that translates into organizational components we can see and understand. In his keynote address at the University of Waterloo’s 2013 Tone at the Top Symposium, Chris Macdonald discussed what he called two “unavoidable truths” about ethical leadership and tone:
- “Ethical tone must be established at the top of the organization and communicated downward throughout the organization.
- Ethics cannot be simply imposed by the organization: it must be reinforced by the practices, systems, structures and ultimately the actions espoused throughout the organization.”
((Gunz, S. & Thorne, L. Introduction to the Special issue on Tone at the Top. Journal of Business Ethics. January 2015. Volume 126, Issue 1, pp 1-2. http://link.springer.com/article/10.1007/s10551-013-2035-1/fulltext.html))
Indeed, the very practices, systems, structures, and actions Macdonald highlights are part of what the Shared Assessments 2015 Vendor Risk Management Benchmark Study measured. Those Benchmark Study results are part of what has focused my attention on Tone at the Top. Analysis above and beyond the published results suggests that in many important areas some firms are simply not undertaking practices that are key to successful third party risk management, while at the same time others in the same industries are progressing quite well.
I’ve been thinking about those results in the context of the FFIEC Cybersecurity Assessment Tool, released in the summer of 2015. The tool includes a maturity model designed to help bank management understand the gaps between an organization’s actual performance and any of the levels defined in the maturity hierarchy. ((https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_CS_Maturity_June_2015_PDF2_c.pdf)) There are five levels, ranging from Baseline to Innovative. In the FFIEC model, Baseline is defined as “characterized by minimum expectations required by law and regulations and recommended in supervisory guidance…including compliance driven objectives,” and assumes that “management has reviewed and evaluated guidance.”
When I’ve tried to (subjectively) correlate the FFIEC’s Baseline level 1 with the Shared Assessments Vendor Risk Management Maturity Model (VRMMM) scale, it seems to me that at a high level the FFIEC Baseline lies somewhere between VRMMM levels 3 and 4, well above what the 2015 study suggested was a common level of performance. (See graphic below.) And outside the banking industry, in many areas, the gaps were quite large.
Say what you want about banking regulations; in point of fact, most of the third party risk guidance regulators have issued merely formalizes what should be basic security hygiene in an increasingly complex cyber security environment. That’s why the guidance is relevant to any industry where cyber security is a significant concern: healthcare, utilities, communications, and the list goes on.
[Graphic: FFIEC Cybersecurity Assessment Tool Baseline level mapped against the Shared Assessments VRMMM scale]
There’s a strong case to be made that executive managers need to motivate enterprise risk management disciplines within their firms in a way that so far has been elusive, even in the face of escalating threat environments. The good news is that there finally seems to be more recognition of that reality, and more tools to help the C-suite achieve the results everyone wants to see. So Tone at the Top, at least from a third party risk perspective, should start to improve, and we should expect to see evidence of that change in future Vendor Risk Management Benchmark Studies. Stay tuned…
For more than 35 years, The Santa Fe Group Senior Advisor, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.