In the past decade, the expanding scope of corporate criminal liability and the increasing appetite by prosecutors and regulators to investigate potential misconduct have intensified the importance of accurately assessing and managing corporate risk. But how do you achieve this? Where do you start?

Conventional wisdom would point you to data analytics tools (that would help you spot questionable conduct) and to crisis management plans (that would help you manage problems when they arise). However, in recent years, the investigations landscape has shifted in a way that makes it more difficult to predict and contain risk with these conventional tools alone. There are many reasons for this increased uncertainty, including not only new laws and prosecutorial priorities but also social and technological developments such as the rise of cyber crime (which can turn any business into an attractive target of potential fraud) and the increased use of social media at work (which can increase the ease with which sensitive information can become public).

In this shifting risk landscape, companies are seeking ways to holistically manage corporate risk – and increasingly turning to corporate culture to help them do so. From an investigations risk perspective, companies that get culture ‘right’ encourage ethical behaviours in difficult situations – increasing the chances, say, that a supplier refuses to mislabel a product in a way that would be deceiving, or that an accountant flags up a group of transactions that together look suspicious. Companies that get culture ‘wrong’, by contrast, encourage questionable decisions in critical moments – such as, for example, declining to ask tough questions during due diligence of a possible agent, or following instructions to pay funds to an offshore bank account without asking why.

Culture is a slippery concept, however. It is hard to describe and harder to measure. Indeed, many corporate leaders find it difficult to assess whether their company has an effective culture until they find themselves in a crisis. But not many organisations have the appetite to wait for a crisis to test whether their culture is effective or not. Where, then, should a company look to see whether its culture is helping or hurting its investigations risk profile?

To answer this question, it is helpful to understand that there are a number of key common governance and risk factors behind the majority of corporate investigations and crises (e.g., lack of training, unclear allocations of responsibility and a failure to identify the broader implications of a series of discreet red flags). Identifying these kinds of cultural and governance factors present in major investigations, but for which the misconduct or crisis would not have occurred or would not have become so significant, can help boards test their own corporate culture before a crisis arises.

In a recent article in Financier Worldwide Magazine, we examine two such risk factors and offer some initial thoughts about what organisations can do to avoid or address them.