Understanding and Auditing Culture
Dave Reynolds and Philip Atkinson
Heads of Audit Workshop, 13 February 2014, Edinburgh
www.philipatkinson.com
firstname.lastname@example.org
Discussion Points
• What is the current culture / risk culture in your organisation?
• What are the key characteristics of a strong culture?
• Have appropriate cultural norms and an appropriate “tone at the top” been set for your organisation?
• How could IA help move from where your organisation is to where it needs to be culturally?
• Auditing culture?
Risk culture defined:
• “the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (IRM)
• “the norms and behaviours for individuals and groups within an organisation that determine the collective ability to identify, understand and openly discuss and act on the organisation's future risks” (IIF / FSB)
Corporate culture defined:
• “The shared values, attitudes, norms, behaviours and beliefs that characterise members of an organisation and define its nature. Culture is rooted in the organisation's goals, strategies, structure, ethical standards and its approach to its people, customers, investors, and wider society” (R&A)
This wider definition introduces issues around, e.g., ethical standards, bullying, fear, fairness, etc.
• “Board Risk Committees are responsible for ensuring that a supportive risk culture is appropriately embedded so that all employees are alert to the wider impact on the whole organisation of their actions and decisions” (Walker Report)
• “The Board should set the company’s values and standards and ensure that the obligations to its shareholders and others are met” (Combined Code)
What’s Behind the Definition?
Layers of culture: Artefacts; Processes; Behaviours & Rituals; Values & Beliefs
Elements: Symbols; Physical setting; Points of contact; First impressions; Published documents; Defined processes; Systems; Teamwork; Climate; Working practices; Conflict resolution; Standards; Behaviours; Decision making; Management style; Expectations; Shared values; Beliefs; History; Heroes; Legends; Stories
Culture has formal and informal elements, contains sub-cultures, and is dynamic.
Strong Culture
• Clarity of direction
• Right tone at the top
• Focus on business / customer priorities
• Core values and behaviours understood / adopted
• Crisis: people pull together
• Positive grapevine
• Breeds achievers; deadwood controls
• Strong ethical position
Weak Culture
• Culture by default and undefined
• Leadership positions change
• Bad news stifled
• Absence of role models
• Rewarding failure
• Confusion in behaviour
• Vague PM
• Transactional
• Control trumps empowerment
• Negative attitude to audit and audit findings
Identifying a Risk Culture on the Wane: Warning Signs
• Disregard for risk appetite
• Overconfidence
• Crucial issues ignored
• Passivity
• Ignorance
• Rewarding bad behaviour
“We have to have the moral compass to deliver profits and growth responsibly and honestly – culture must be synonymous with integrity. In other words it's not just about how much money we make but how we make it” (quote from a global banking CEO, c. 2007)
The right tone at the top, as espoused, is not necessarily the tone in practice!
A compliant culture is not necessarily an ethical culture!
Auditing Culture: IA Engagement Starting Points
• What do you know / feel about culture in your organisation and its sub-units?
• Consider scope: group-wide vs business unit
• Will the review be risk-focused or take a wider view of culture?
• Consider the state of risk maturity
• Consider indicators and the “as is” position
• Board and management buy-in
• Identify and engage with key stakeholders
• Consider a pilot, appropriately supported
• Consider reporting expectations
Auditing Culture: Focus
Consider a maturity-based scoring approach, e.g. the IRM’s Risk Culture Aspects Model or the IIA risk maturity model, to establish the “as is” and “to be” positions.
Themes and aspects in the IRM Risk Culture Model
Auditable characteristics of a positive risk culture
• A distinct and consistent tone from the top, from the board and senior management, in respect of risk taking and avoidance.
• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals, the application of ethics and the consideration of wider stakeholder positions in decision making.
• A common acceptance throughout the organisation of the importance of the continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.
• Transparent and timely risk information flowing up and down the organisation, with bad news rapidly communicated without fear.
• Encouragement of risk event reporting and whistle-blowing, actively seeking to learn from mistakes and near misses.
Auditable characteristics of a positive risk culture (cont.)
• Appropriate risk-taking behaviours rewarded and encouraged, and inappropriate behaviours challenged and sanctioned.
• Risk management and audit skills and knowledge valued, encouraged and developed, with properly resourced risk management and audit functions. Professional qualifications supported as well as technical training.
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged.
• Alignment of culture management with employee engagement and people strategy, to ensure that people are supportive socially but also strongly focused on the task in hand.
Risk-oriented evidence / audit trail sources might include:
• meeting minutes which demonstrate the substance of risk discussions held, questions raised and ‘pull’ for risk data to inform decision making
• evidence of risk events being used to facilitate learning
• reports showing the number of incidents / near misses reported
• frequency with which risks are raised
• examples of leadership demonstrating risk management values
• performance objectives that include risk responsibilities
• frequency and reach of risk communications and education
• examples of action taken against those whose risk behaviour was considered inappropriate, or in favour of those whose behaviour was exemplary
• the extent to which risk functions collaborate
Other evidence / audit trail sources might include:
• results of employee satisfaction / engagement surveys
• audit committee insights: behaviours, issues, etc.
• internal audit results: patterns, responses, behaviours
• internal audit results: why rather than what
• key stakeholder opinion, gathered by interview
• published ethical standards and social responsibility statements
• remuneration and reward policies and potential unwanted outcomes / behaviours
• HIA and audit team gut feeling about culture
Thank You. Questions?
www.philipatkinson.com
Dave.email@example.com
http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-Risk-Culture-Report.pdf
http://www.theirm.org/RiskCulture.htm
https://www.financialstabilityboard.org/publications/c_131118.pdf