
Some years ago, the Australian affiliate of the IIA started publishing its own guidance for internal auditors. Recently, they shared Auditing Risk Culture: A practical guide. It has been written within the context of Australian financial services organizations, but the authors believe it has more general application.

As you might expect, it has some interesting content – but has a couple of glaring omissions, IMHO.

They start well:

Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary. Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.

Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some definitions of risk culture also incorporate the group’s underlying values and assumptions about risk management, and others incorporate policies and systems. In large organisations, subcultures often form in different areas and even in specific teams with different managers. Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.

What needs to be said more clearly than this is that people’s actions (behavior) are heavily influenced by culture.

We want assurance that people are likely to act in a way that is desirable. That includes:

  • We want them to avoid unnecessary and unjustified harms.
  • But we also want them to take advantage of opportunities, where the potential upside clearly justifies taking the risk of harm.

The authors ignore two important facts:

  1. We need to manage the business rather than managing the potential for harm. Their view of risk only includes the dark side, not the potential for reward. As has been quoted by me and others many times, both ISO 31000 and COSO ERM see ‘risk’ as including both: what I prefer to refer to as “what might happen”.
  2. Desirable behavior includes other attributes that can create a conflict, or at least tension, with attitudes towards ‘risk-taking’. They include:
    1. The taking of initiative
    2. Challenging past thinking and behavior; thinking out of the box
    3. An entrepreneurial attitude
    4. Satisfying the customer

They also ignore one essential element in the consideration of any audit of culture.

Any experienced and competent audit executive should have a nose for the culture of the organization. I always felt I understood the management team, collectively and individually, and who could be relied upon to act wisely.

I would strongly encourage a discussion among the audit staff that surfaces each member’s experience of how management makes decisions: are they informed and intelligent decisions that consider all the things that might happen? Or are they so tied up with red tape and so risk averse that the organization is failing to fulfil its potential?

I recognize that management and the board need assurance that people will act as desired. But I am not convinced that the approach in the IIA Australia guide is the way to go.

Instead, I refer you to a post of mine in 2018, “How do you manage culture?” I believe the approach I suggested is both simpler and more valuable.

What do you think?

  1. July 6, 2021 at 11:06 PM

    Thanks for alerting me to this.
    I agree there are some strengths but also that there is room for improvement in this guidance.
    I like the grounding of the paper in specific behaviours, but bizarrely neither behaviour nor sub-cultures are defined in the guidance, and “subculture” only gets one mention!
    I would also add that it’s great we have guidance on risk culture auditing that refers to the IIA standards and highlights the 3 lines model! (Other IIA guides do not, except for the two guides I was involved in, for the IIA UK and IIA Netherlands).
    I also like that it discusses different approaches to assignments using a depth vs. breadth model (discussed in my “Lean Auditing” book).
    I think it’s a welcome change from a lot of other guides in that it openly considers different approaches but then highlights issues and points to consider with each.
    Like you, however, I am also somewhat concerned about the model of culture selected and the way it comes at some questions. I agree that the need to take risks seems to be “undercooked”. And the need to be able to challenge is referred to under “avoidance” in terms of a “lack of challenge”, rather than being framed more positively.
    I agree with your comment that using IA experience and zooming in on key management decisions is important. In other words, Step 1 of the 10 steps is – in my mind – a much more significant step than stated in this guidance. In the training I run I say: “You need to see the culture before you can audit it. But it’s so powerful and pervasive you can miss key things hiding in plain sight.” So, for example, the design of employee surveys, training programmes, risk culture risk assessments etc. needs more consideration before turning to specific audit assignments.
    The guidance cites culture as a causal factor and makes the important link between root cause analysis and culture, which is excellent. However, it doesn’t sufficiently explain why a culture might have the problems like this!
    Sadly, despite its many strengths, I think the guidance lacks sufficient discussion around dilemmas and constraints (and other systemic factors), which is fundamental to understanding why it’s so hard to get the right behaviour/culture where it matters.
    Finally, we all need to recognize that “assurance” over culture is a very problematic notion; in my experience, you can “assure” culture one day, and the next day behaviour can change, and a risk event can arise.
    Link to the IIA Netherlands guidance:

    • Norman Marks
      July 7, 2021 at 7:35 AM

      Well said

  2. July 7, 2021 at 1:01 PM

    Although a great deal can be done to encourage desirable behaviour without applying a cultural model, I think it is wise to keep in mind that models do have their place. In auditing, assurance means that there are controls in place to ensure consistency in the achievement of organizational objectives. When organizational objectives are not being met, there are often some pretty obvious corrective actions that need to be taken. However, culture is a product of human judgement about what is desirable (or undesirable) behaviour. And human judgement can be fairly impervious to corrective action because it is subject to the influence of a hierarchy of associated needs, biases, and experiential learning. Some of the shortcomings in this associative hierarchy are difficult to detect, let alone correct. Some degree of correction for desirable behaviours can be achieved through rewards and recognition, but if the more fundamental associated human needs are not being addressed, the effects achieved through rewards and recognition may be limited. What a model does is allow detection of these fundamental organizational shortcomings so that they can be effectively addressed. Detection requires feedback from employees, which can be obtained through surveys, interviews, and focus groups. Although much of this detection work is the responsibility of human resources, internal audit has a role to play in ensuring that this detection work takes place and is based on an appropriate model. Internal audit can also support this work using some of its domain expertise with regard to policies and processes.

  3. July 10, 2021 at 9:44 PM

    Finding the right balance between risk and innovation is the difference between outstanding businesses and everyone else. As an auditor, I tend to prefer more conservative strategies, but communicating with risk owners throughout the assessment and audit plan is essential to properly calibrate. Setting the right priorities creates sustainable, long-term value, and it is not possible without a culture of communication and openness. Excellent post, thanks for such consistent insights.

