Recently, there has been increased focus on the impact of culture on an organization’s business practices. My colleague Brian Christensen discussed culture in a May blog post titled “When bad things happen to good companies,” and culture was the key theme of Internal Auditing Around the World, Volume XIII, the 2017 edition of our popular performer perspectives series. Let me add some additional thoughts to this fascinating and important topic.
Multiple recent high-profile company culture failures have led to intense regulatory focus on the measures taken by organizations to prevent employee misconduct. Based on my observations from working with financial services industry (FSI) clients and colleagues, I believe internal auditors are well positioned to help maintain a culture of accountability and risk awareness to avoid an embarrassing public disclosure or regulatory scrutiny and sanctions.
What Is Risk Culture and Why Is It Important?
Before we emphasize the importance of risk culture, we need to understand how risk culture differs from organizational culture. At Protiviti, we define risk culture as the set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within an institution. Organizational culture, on the other hand, is broader and can be defined as an organization’s set of values, conventions and practices inclusive of attitudes towards risk management. Risk culture is the collective organizational understanding of the balance between business performance and sound risk management practices. But how does one audit something so intangible and subjective? As illustrated in Internal Auditing Around the World XIII, companies are taking different approaches to report on risk culture.
Reporting on Risk Culture
While it is possible for internal audit to perform stand-alone assessments and report specifically on risk culture, more often we are seeing internal audit incorporate risk culture assessment into existing audits. Doing this allows internal audit to provide a dual rating that includes a rating on the effectiveness of controls and another rating on management’s awareness of controls and risk culture as a part of each audit report. Alternatively, some organizations are opting to assess risk culture as a part of each audit, and perform an analysis of results across audits to identify risk culture-related cross-institutional themes. As a result of the thematic review of risk culture-related observations across audits, internal audit would issue a roll-up report on risk culture. Some internal audit departments at financial institutions are embedding an opinion on risk culture as a part of their opinion on the effectiveness of the second-line function.
Certain other internal audit departments are treading softly by beginning to present risk culture-related findings to the business verbally or informally at the end of the audit and incorporating audit results back into the risk assessment process. While practices in assessing risk culture may differ, internal audit departments should be thinking about ways to evaluate risk culture as a part of the audit process.
Approach to Assessing Risk Culture
Regardless of the format used to report results, an auditor’s goal, when it comes to evaluating risk culture, should be to assess whether the gatekeepers for risk culture — executive leadership, the board, risk management and human resources (HR) — have designed and implemented processes for employees to emulate risk-appropriate behaviors while focusing on operational and financial results. We include three main assessment areas in our approach to auditing risk culture – tone at the top, risk management, and talent or people management.
Tone at the Top
Tone at the top should reflect the vision and values of an organization established through the organization’s written values and mission statement. There are several ways to assess tone at the top, including the following:
- Determine if leadership consistently uses a common risk management taxonomy, articulates expected risk management behaviors within relevant policies and procedures, and exemplifies the behaviors it expects employees to emulate.
- Review board meeting minutes and communications to determine if risk management and risk culture are a priority and get adequate attention at the board level.
- Assess consistency of understanding of the organizational strategy and the relevance of the risk framework, including risk appetite and corresponding tolerances relative to the strategy across all levels and business functions.
- Assess firm communications to determine if leadership promotes open and transparent communication.
Risk Management
From a risk management perspective, as auditors we want to understand whether organizational leaders consider risk management purely a compliance matter, or whether they embrace the value of the discipline. Companies with a strong risk culture have clearly established risk management frameworks supported by clear roles and responsibilities, accountability and strong escalation mechanisms. Some of the areas of focus include the following:
- Determine whether management holds regular and open discussions about risk issues, whether there is a focus on self-identification of issues, and whether reporting of risk incidents is encouraged.
- Determine the effectiveness of escalation processes (e.g., line manager, internal audit, whistleblowing guidelines and hotline) in the identification and addressing of conduct, ethics and risk management issues.
- Determine whether risk management and compliance functions are adequately involved with change initiatives and provide input relative to effective risk management.
Talent and People Management
Another key element of assessing risk culture is understanding the effectiveness of talent and people management processes in encouraging the desired risk management behaviors. Key areas to focus on include the following:
- Determine whether incentive programs (both variable and fixed) are used to reinforce the desired risk culture. Leading organizations foster collaboration between risk management and HR to incorporate risk-related measures into their rewards and recognition programs.
- Determine if risk culture-related attributes are present across the employee life cycle management processes, including recruitment processes, induction programs, career pathing, succession planning and training plans.
- Review employee termination/exit interviews and external data, such as Glassdoor, for trending and root-cause analysis and as a feedback loop into improving the risk culture of the organization.
Finally, a maturity assessment with a focus on developing action plans to address gaps against management expectations, as opposed to delivery of a traditional audit report with a satisfactory/unsatisfactory opinion, can help drive the right behavior.
Historical events that have occurred in the wake of increasing regulation (such as inappropriate sales practices, circumvention of emission rules, etc.) have proven that risk culture plays an important role in the control framework and must be proactively assessed and influenced. Internal auditors are sometimes reluctant to assess risk culture because it is difficult to evaluate and the results are not always clearly substantiated through tangible data points. However, culture plays a significant role in employee behavior toward risk management. Further, regulators in the financial services industry are already placing significant focus on risk culture, and the expectations of boards and governing bodies in other industries will soon catch up. Internal audit can play an important role in this process by assessing risk culture and helping organizations put in place the right mechanisms to influence desired behaviors toward better risk management.