Auditing Risk Culture

November 22, 2021

Earlier this year, the Institute of Internal Auditors Australia published Auditing Risk Culture: A Practical Guide.

It’s a very interesting publication. They start with a definition of ‘risk culture’, something that I believe is a challenge in practice but that they address well.

Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary.

Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.

Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some definitions of risk culture also incorporate the group’s underlying values and assumptions about risk management, and others incorporate policies and systems. In large organisations, subcultures often form in different areas and even in specific teams with different managers. Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.

I especially like these points they make in this definition:

  • “Risk culture is an aspect of broader organisational culture.”

Behavior towards risk-taking is just one aspect of organizational culture. In fact, it needs to be considered together with the desire for innovation, imagination, creativity, entrepreneurship, employee empowerment, compliance, and commitment to the customer. In other words, I question the value of assessing risk culture in a silo, not recognizing the tension between risk-taking, compliance, and achieving objectives.

  • “Risk culture refers to the behavioural norms that help or hinder effective risk management.”

I like this. It asks whether people generally support desired practices around taking risk – and seizing opportunities.

  • “Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.”

Attitudes towards risk-taking should vary. Do you want your accounting and sales people to have the same desire or antipathy about taking risk?

The Guide continues.

An unfavourable risk culture can compromise the effectiveness of the risk management framework in a range of ways. When risk management is seen as a ‘tick-box’ exercise rather than a genuine priority, investment in risk capability and systems may be insufficient to really achieve adequate effectiveness. An overemphasis on short-term profits, growth in market share or cost minimisation can override risk management considerations in decision-making.

When risk management is not seen as helping people make informed and intelligent decisions, when it is not seen as an element in achieving success, it defaults to a compliance activity. It is not surprising that so many executives (80% in surveys I have seen) view risk management as just that, an impediment rather than a valuable tool in running the business.

The Guide makes a good point, that if you are to assess risk culture you need something to assess it against. With that in mind, the IIA Australia has shared a risk culture model. It is based on the one developed by Macquarie University. One of the authors, Elizabeth Sheedy, is a professor there.

The Guide then shares a ten-step process for assessing risk culture.

I have a chapter on risk culture in Risk Management for Success. I discuss what it is and suggest that rather than assess risk culture by itself, it makes more sense and has more value to assess it within the context of overall organizational culture. I provide my own very simple ten steps for such an audit:

  1. Select one or more dimensions of culture and desired behavior – but not all of them. That would not be practical.
  2. For each, what is the desired state? (The assessment will be against that.)
  3. What can happen that would lead individuals or groups to diverge from the desired behavior?
  4. What are we doing to enable the culture we desire?
  5. What controls are in place that would either prevent inappropriate behavior or detect it so that appropriate and timely action can be taken?
  6. Do they provide reasonable assurance that the culture is as it should be and that individuals and groups will behave as desired?
  7. Are there areas where the desired culture does not appear to be in place?
  8. Understand what is happening in those areas.
  9. Identify corrective actions, if any.
  10. Communicate the results.

My serious problem with the idea of assessing risk culture (acknowledging that, as the Guide says, internal audit may be mandated by some regulators to do so) is that you should first assess risk management.

If risk management activities are poor, what’s the point of assessing risk culture? It means that management and the board are satisfied with a defective system of risk management. I have seen this many times, where everybody believes that the periodic review of a list of risks is effective risk management, when it is not.

In fact, it is difficult to consider risk management as effective if the culture means it is ignored or seen as a compliance activity.

So, my advice is to include culture in the scope of an audit of risk management, rather than do something separate.

I also like the idea of assessing whether the culture of the organization (which has multiple dimensions) drives desired behavior, such as risk-taking, compliance, ethics, teamwork, innovation, and so on.

However, if you really, really want to audit risk culture by itself, I recommend the Guide.

I welcome your thoughts.

  1. John Fraser
    November 22, 2021 at 8:50 AM

    You are so right. As I have taught for years: ERM will not work in all organizations, only those with a healthy culture. QED.

  2. Narinder Jit Singh
    November 23, 2021 at 12:58 AM

    Culture is one of the most difficult things to audit, and if it relates only to risk management culture, it will become more challenging to handle. Maturity is required. If risk management is a compliance activity rather than properly taken in true spirit, then one can imagine that handling risk management culture itself will be a herculean task.

  3. Risk Culture Builder
    January 11, 2022 at 5:41 AM

    Some great points here, but nobody can ever do an assessment and provide assurance on the risk culture. The key to success is on-going monitoring of the level of maturity and driving actions to improve. Risk culture building never stops and can also regress if not driven for constant improvement. Executives must pay attention to that!
