Before there was Equifax there was British Petroleum. Before British Petroleum there was Enron.

All three were responsible for disasters. And, all three are evidence of something every who leader needs to embrace:

It’s always the culture.

Sure, skills and experience, tools and technologies, and processes and procedures matter too. For example: Just as you thought it couldn’t be any worse comes the revelation that in Equifax Argentina, an internal system that provided access to customer records had a backdoor, where both login ID and password were “admin.”

Proper security policies and procedures would have prevented this.

Just kidding.

For all I know Equifax Argentina’s security policies and procedures are just fine and dandy. If they’re out of step with the corporate culture they wouldn’t have made any difference. Culture wins every time.

Call it Lewis’s Law of Unnatural Disasters: When something goes terribly wrong you can bet there’s something about the organization’s culture that makes terribly wrong inevitable.

But in engineering your organization’s culture … and yes, culture is something to engineer … you need to consider your chosen solution’s ripple effects for the culture to be a positive force.

Let’s hypothesize that Equifax Argentina does have security P&Ps that specify what constitutes a suitably secure password — that the fault was a culture that resulted in nobody giving a damn. What cultural trait should its leadership be encouraging to prevent a recurrence?

The obvious one is a culture shaped so the employee handbook is law and everyone obeys it. That should do the trick.

It would. It would also create a culture where jailhouse lawyers are on a constant quest for loopholes that can only be closed by increasing the length of the P&Ps. Eventually, all your employees would need a year of study just to learn what’s in the handbook.

Beyond that, it would lead to a culture where checking off the boxes is what matters, not accomplishing the desired outcomes.

Worst of all it would result in a culture that combines blind obedience with a complete absence of risk-taking and initiative.

Compare that to a culture that focuses more on outcomes than obedience. Culture is loosely defined as “how we do things around here.” The cultural trait We don’t put people at risk” wouldn’t just eliminate the admin/admin login/password combo, whoever put it in place would suffer a fate worse than being fired.

They’d be shunned.

But there’s a complication in all of this that isn’t easily addressed.

Enron’s CEO and board chair, Jeffrey Skilling and Kenneth Lay pleaded the ignorance defense — yes, Enron the corporation was doing awful things, but they didn’t know about them. After Deepwater Horizon exploded, BP’s CEO Tony Hayward expressed a similar level of know nothing-ism.

Equifax’s executives haven’t yet pleaded ignorance, but it’s only a matter of time.

Which gets to the complication: They probably were ignorant, and in some important respects they should have been.

The best leaders don’t find ways to succeed. They build organizations that find ways to succeed. They can’t do this without delegating. They can’t do this unless the people they delegate to delegate.

In great organizations, employees at all levels have authority and take responsibility, to degrees that are surprising to those managers who consider any decision not made by themselves or someone higher up the chain of command to be an unacceptable risk.

Or as D. Michael Abrashoff, former Captain of the Benfold and author of “It’s Your Ship” put it, “I chose my line in the sand. Whenever the consequences of a decision had the potential to kill or injure someone, waste tax-payers’ money, or damage the ship, I had to be consulted. Sailors and more junior officers were encouraged to make decisions and take action so long as they stayed on the right side of that line.”

Sounds great. It is great. Only if someone on board the Benfold had done something reckless with Deepwater-Horizon-scale consequences, Captain Abrashoff very likely would have been ignorant, because that’s the whole point: The people in charge not making themselves decision bottlenecks.

Culture is certainly the first line of defense. But those pesky human beings being what they are, it isn’t a perfect, airtight solution.

Leaders also need metrics, controls, and governance mechanisms, to provide the guardrails that backstop culture’s lane markers.

But even with these, culture comes first because with the wrong culture, employees will find ways to jigger the metrics, fake out the controls, and game the governance.

What they won’t do without a culture that encourages it is take the risk of telling you something that should be happening isn’t, or that something that shouldn’t be happening is.

It’s always the culture.

I never thought I’d have to write this column.

I’ve written about workplace bias before — about racism (for example “The uselessness of race,” InfoWorld, 5/27/2002), and about male/female workplace issues (last week; “A tale of two genders,” Keep the Joint Running, 8/14/2017).

Always, when writing about bias, I assumed that its workplace expression would be limited to inappropriate word choices, tasteless jokes, and ignorant race, ethnicity, or gender-based assumptions about various colleagues’ abilities and contributions.

Speaking as someone whose ethnic heritage includes Kristallnacht, I don’t think we can look at images of a torch-bearing crowd of American Nazis and Klansmen and continue to consider the American workplace safe from bigotry-induced violence. And yes, I do include violence against women in my thinking; in groups like this misogyny is never far from the surface.

As a business manager you have a legal responsibility to your employees, to make sure they don’t in any way experience anything they might reasonably construe to be threatening or harassing based on their race, ethnicity, religion, sex, or, for that matter, anything else. Threats and harassment should have no place in your managerial domain.

What Charlottesville changed for all of us is what a reasonable person might find threatening or harassing. Take, for example, something you might discover in an employee’s cubicle: A small Confederate battle flag.

In the early 1980s, when the Duke brothers of Hazzard, Georgia put a decal of the Confederate battle flag on the roof of their car, it was largely considered cute and innocuous. There are those now who oppose its removal from public places, along with the removal of statues of prominent Confederacy leaders, as an attempt to sanitize history.

But we don’t erect statues, or display flags, or name streets and lakes because we think they teach history. If we did, Hawaii would have statues of Tojo and Hirohito near the Pearl Harbor museum.

Statues, flags and so on aren’t mere historical markers. They state who we admire and what we aspire to.

Before Charlottesville, an employee who displayed a Confederate battle flag might have thought it was Dukes-of-Hazzard cute.

No more. After Charlottesville, a Confederate battle flag or other such symbol of the antebellum South is no different from what displaying a Nazi swastika meant all along (Aztec and Buddhist swastikas are mirror images and are square, not diagonal). The person displaying it is communicating his affinity and affiliation with groups that have an explicit goal of suppressing, denying equality to, and inflicting violence on anyone who isn’t a heterosexual Aryan male.

Charlottesville has upped the ante for workplace management: What once might have been considered harmless looks, in Charlottesville’s aftermath, more like threats and incitement.

If you think that’s too strong, it’s certainly parallel to using one of the many ethnic, racial, sex-, or religion-based pejoratives that were at one time in broad use. Just as those who utter such repulsive phrases gripe about political correctness and excuse their behavior with some variation on the theme of “I didn’t mean anything by it,” so those who display symbols of hostility pretend, in public, that there’s no hostility implied to anyone. In private? There’s plenty of hostility to go around.

As a manager, your own attitudes and beliefs don’t much matter. You might be as certain as certain can be that Aryans are the pinnacle of evolution (although probably not; those who wave the Confederate battle flag are among those least likely to accept Darwin’s theory). Be as certain as you like. Your obligation to your employer is to make sure nobody is creating a hostile or threatening work environment.

So if you see any of these symbols in anyone’s cubicle, insist their owners remove them to more suitable environments, which is to say, places they’re only observable when the employee is acting as a private individual, and isn’t easily associated with the company that employs them.

Count me as a proponent of the idea that our Constitution’s First Amendment only matters if it protects speech we find objectionable. There are, however, boundaries even to this principle. Incitement to violence is one of them.

After Charlottesville, when symbols of Nazi-ism and the Klan are displayed, you must assume the displayer’s intention is to express hostility and encourage violence.