Understanding culture and how to audit it

Understanding and Auditing Culture
Dave Reynolds and Philip Atkinson
Heads of Audit Workshop
13 February 2014 Edinburgh
Discussion Points
• What is the current culture / risk culture in your
• What are the key characteristics of a strong
• Have appropriate cultural norms and an appropriate “tone at the top” been set for your organisation?
• How could IA help move from where your organisation is to where it needs to be?
• Auditing culture?
So from where you sit, what does your culture look like?
Risk culture defined:
• “the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (IRM)
• “the norms and behaviours for individuals and groups within an organisation that determine the collective ability to identify, understand and openly discuss and act on the organisation’s future risks” (IIF / FSB)
Corporate culture defined:
“The shared values, attitudes, norms, behaviours and beliefs that characterise members of an organisation and define its nature. Culture is rooted in the organisation's goals, strategies, structure, ethical standards and its approach to its people, customers, investors, and wider society” (R&A)
This wider definition introduces issues around, e.g., ethical standards, bullying, fear, fairness etc.
“Board Risk Committees are responsible for ensuring that a supportive risk culture is appropriately embedded so that all employees are alert to the wider impact on the whole organisation of their actions and decisions” (Walker Report)
“The Board should set the company’s values and standards and ensure that the obligations to its shareholders and others are met” (Combined Code)
What’s Behind the Definition?
Behaviours & Rituals; Values & Beliefs; Formal and Informal Elements; Sub Cultures
• Physical setting
• Points of contact
• First impressions
• Published documents
• Defined processes
• Working practices
• Conflict resolution
• Decision Making
• Management style
• Shared values
• Beliefs, History, Heroes
• Legends, Stories
Strong Culture
• Clarity of Direction
• Right tone at the top
• Focus on business / customer priorities
• Core values and understood / adopted
• Crisis - people pull
• Positive grapevine
• Breeds achievers – deadwood controls
• Strong ethical
Weak Culture
• Culture by default & undefined
• Leadership positions change
• Bad news stifled
• Absence of role
• Rewarding failure
• Confusion in
• Vague PM
• Transactional
• Control trumps
• Negative attitude to audit and audit
Identifying a Risk Culture on the wane: warning signs!
• Disregard for Risk
• Overconfidence
• Ignore Crucial
• Passive
• Ignorance
• Rewarding Bad
“We have to have the moral compass to deliver profits and growth responsibly and honestly – culture must be synonymous with integrity. In other words it’s not just about how much money we make but how we make it” (quote from a global banking CEO, c. 2007)
The right tone at the top – espoused – is not necessarily the tone in practice!
A compliant culture is not necessarily an ethical culture!
Auditing Culture
IA Engagement - Starting Points
• What do you know/feel about culture in your organisation and its sub units?
• Consider scope – group wide v business unit
• Will the review be risk focused or take a wider view of
• Consider state of risk maturity
• Consideration of indicators and “as is” position
• Board and management buy-in
• Identify and engage with key stakeholders
• Consider pilot – appropriately supported
• Consider reporting expectations
Auditing Culture
Models: IRM Model, FSB Model, Generic Model. Each of the three models starts with “Tone at the top”; the other elements listed are: Governance and, Effective challenge, Competency and, Incentives and, Ethical strength, Decision making.
• Consider a maturity based scoring approach e.g. IRM’s Risk Culture Aspects Model or IIA risk maturity model to establish “as is” and “to be” position
Maturity scoring example (score bands 9 to 10, 6 to 8, 3 to 5, 1 to 2):

Tone at the Top - Risk
• 9 to 10: In addition to 'green', executive sponsor is very visible and leaders demonstrate their commitment on a sustained basis, show personal conviction in how they communicate and ask questions regarding business risks.
• 6 to 8: Leadership expectations are clearly expressed and communicated. Direction is set and leaders create a 'Tone at the top' through reinforcement and
• 3 to 5: Leadership expectations on risk management are defined but inconsistently communicated and understood. Staff are not clear on overall direction.
• 1 to 2: It is not possible to describe a 'Tone at the top' or leadership expectations on how risks are managed.

Tone at the top - Dealing with Bad
• 9 to 10: In addition to 'green', leaders see their ability to extract learning from good and poor risk management judgements as a key corporate competitive advantage. This is seen as part of the organisation's knowledge management process.
• 6 to 8: Leaders encourage the timely communication of material risk information. They challenge managers to divulge 'bad news' early to ensure it is acted upon in a timely manner.
• 3 to 5: The communication of 'bad news' is sporadic. Attempts are made to encourage early communication of risk information. It is recognised that this is important but processes are still to be formalised and embedded.
• 1 to 2: The organisation does not encourage the communication of information about potential negative events. Managers have concerns about communicating 'bad news' to leaders. Stories exist of the manager having been 'shot'.
Themes and aspects in the IRM Risk Culture Model
Tone at the
Risk Leadership: clarity of direction
• Senior management set clear and consistent expectations for managing risk
• Leaders role model risk management thinking and actively discuss tolerance to risk issues
Responding to bad news: welcoming disclosure
• Senior management actively seek out information about risk events
• Those that are open and honest about risks are recognised
Risk governance: taking accountability
• Management are clear about their accountability for managing business risks
• Role descriptions and targets include risk accountabilities
Risk Transparency: risk information flowing
• Timely communication of risk information across the organisation
• Risk events are seen as an opportunity to learn
Risk resources: empowered risk function
• The risk function has a defined remit and has the support of leaders
• It is able to challenge how risks are managed
Risk Competence: embedded risk skills
• A structure of risk champions support those managing risks
• Training programmes are in place for all staff
Risk Decisions: informed risk decisions
• Leaders seek out risk information in supporting decisions
• The business’s willingness to take on risks is understood and communicated
Rewarding appropriate risk taking
• Performance management linked to risk taking
• Leaders are supportive of those actively seeking to understand and manage risks
Auditable characteristics of a positive risk culture
• A distinct and consistent tone from the top from the board and senior management in respect of risk taking and
• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.
• A common acceptance through the organisation of the importance of the continuous management of risk, including clear accountability for and ownership of specific risks and risk
• Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear.
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.
Auditable characteristics of a positive risk culture cont.
• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned.
• Risk management and audit skills and knowledge valued, encouraged and developed, with properly resourced risk management and audit functions. Professional qualifications supported as well as technical training.
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously
• Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in
Risk oriented evidence / audit trail sources might include:
• meeting minutes which demonstrate the substance of risk discussions held, questions raised and ‘pull’ for risk data to inform decision making
• evidence of risk events being used to facilitate learning
• reports showing the number of incidents/near misses
• frequency with which risks are raised
• examples of leadership demonstrating risk management
• performance objectives that include risk responsibilities
• frequency and reach of risk communications and education
• examples of action taken against those where risk behaviour was considered inappropriate or exemplary
• the extent to which risk functions collaborate
Other evidence / audit trail sources might include:
• results of employee satisfaction / engagement surveys
• audit committee insights – behaviours, issues etc
• internal audit results – patterns, responses, behaviours – why rather than what
• key stakeholder opinion - gathered by interview
• Consider published ethical standards and social responsibility statements
• Consider remuneration and reward policies and potential unwanted outcomes / behaviours
• HIA and audit team gut feeling about culture
Thank You. Questions?