Weak organizational cultures are widely considered to be one of the primary causes of the global financial crisis that struck a decade ago. As a result, maintaining a strong risk culture has become a top priority for all major businesses today — as well as an expectation by their stakeholders, regulators and customers.
Business leaders are looking to the internal audit function to assess not only tone and conduct at the top of the organization, but also how and if this conduct is reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees.
Culture is complex and different within every organization. The Risk Management Association (RMA) defines culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution.” But even when defined, culture remains largely abstract.
The 13th edition of Internal Auditing Around the World, debuting this week at The IIA’s International Conference in Sydney, Australia, examines this issue through the experience of 15 organizations around the world. As you will discover, there is no one-size-fits-all solution. Their journeys are as varied as the cultures they reflect.
As I wrote here back in May, every organization has its own ethos. But corporate values and “tone at the top,” alone, are not enough to prevent ethical lapses. Culture audits are an opportunity for auditors to talk to employees, managers, customers and vendors, and report on whether the company is living its values, or whether they are hollow.
For many of the organizations featured in the 13th edition of Internal Auditing Around the World, risk culture audits are new endeavors that are only at the planning or pilot stage. Senior management and boards are looking to internal audit leaders to help the business develop the right approach for, and get the most value from, these types of audits. The function has a clear opportunity to play a transformative role in responding to the needs of key stakeholders, particularly boards, who want assurance that the organization is aware of and addressing all types of potential risk.
Where to begin? Several of the leaders we interviewed said they recognized early the importance of examining and strengthening the culture within the internal audit function before moving to assess other business units, or the company as a whole.
Ruurd van den Berg, Executive Vice President and CAE of Group Internal Audit at Aegon N.V., a multinational life insurance company headquartered in The Hague, Netherlands, summed it up nicely when he said, “We believe we should lead by example. We knew that if we didn’t have a strong culture, we would lack the credibility to run culture audits.”
Richard W. Moore, inspector general for the Tennessee Valley Authority’s Office of the Inspector General, voiced a similar sentiment. “If you’re going to instill trust in people, you need to be vulnerable and fix yourself first, then invite other to join you in your journey to improve,” he said.
The profiles featured in this edition of Internal Auditing Around the World are all inspiring and informative. They will either validate your organization’s existing risk culture journey, or serve as a catalyst to spark transformation. Either way, I hope you’ll pick up a copy at the International Conference, or download one from our website. I think you will find valuable insights on auditing risk culture. For many of us, this is a new venture far afield from our accounting roots. But just like partnering effectively across the organization and working in a collaborative environment, it is a challenge worth conquering.