Understanding and Auditing Culture
Transcript of Understanding and Auditing Culture
Dave Reynolds and Philip Atkinson
Heads of Audit Workshop
13 February 2014 Edinburgh
Discussion Points
• What is the current culture / risk culture in your organisation?
• What are the key characteristics of a strong culture?
• Have appropriate cultural norms and an appropriate “tone at the top” been set for your organisation?
• How could IA help move from where your organisation is to where it needs to be culturally?
• Auditing culture?
So from where you sit, what does your organisation's culture look like?
Risk culture defined :
• “the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” IRM
• “the norms and behaviours for individuals and groups within an organisation that determine the collective ability to identify, understand and openly discuss and act on the organisation's future risks” IIF / FSB
Corporate culture defined :
“The shared values, attitudes, norms, behaviours and beliefs that characterise members of an organisation and define its nature. Culture is rooted in the organisation's goals, strategies, structure, ethical standards and its approach to its people, customers, investors, and wider society” R&A
This wider definition introduces issues around, e.g., ethical standards, bullying, fear, fairness, etc.
“Board Risk Committees are responsible for ensuring that a supportive risk culture is appropriately embedded so that all employees are alert to the wider impact on the whole organisation of their actions and decisions” Walker Report
“The Board should set the company’s values and standards and ensure that the obligations to its shareholders and others are met” Combined Code
What’s Behind the Definition?
Layers of culture:
• Artefacts
• Processes
• Behaviours & Rituals
• Values & Beliefs
Formal and informal elements; sub-cultures; dynamic.
Elements that make up these layers:
• Symbols
• Physical setting
• Points of contact
• First impressions
• Published documents
• Defined processes
• Systems
• Teamwork
• Climate
• Working practices
• Conflict resolution
• Standards
• Behaviours
• Decision making
• Management style
• Expectations
• Shared values
• Beliefs, history, heroes, legends, stories
Strong Culture
• Clarity of direction
• Right tone at the top
• Focus on business / customer priorities
• Core values and behaviours understood / adopted
• Crisis - people pull together
• Positive grapevine
• Breeds achievers – deadwood controls
• Strong ethical position
Weak Culture
• Culture by default & undefined
• Leadership positions change
• Bad news stifled
• Absence of role models
• Rewarding failure
• Confusion in behaviour
• Vague PM
• Transactional
• Control trumps empowerment
• Negative attitude to audit and audit findings
Identifying a Risk Culture on the Wane - Warning Signs!
• Disregard for risk appetite
• Overconfidence
• Ignore crucial issues
• Passive
• Ignorance
• Rewarding bad behaviour
“We have to have the moral compass to deliver profits and growth responsibly and honestly – culture must be synonymous with integrity. In other words it's not just about how much money we make but how we make it”
Quote from a global banking CEO, c. 2007
The right tone at the top – espoused – is not necessarily the tone in practice!
A compliant culture is not necessarily an ethical culture!
Auditing Culture: IA Engagement - Starting Points
• What do you know / feel about culture in your organisation and its sub-units?
• Consider scope – group wide v business unit
• Will the review be risk focused or take a wider view of culture?
• Consider state of risk maturity
• Consideration of indicators and “as is” position
• Board and management buy-in
• Identify and engage with key stakeholders
• Consider pilot – appropriately supported
• Consider reporting expectations
Auditing Culture Focus
IRM Model       | FSB Model           | Generic Model
Tone at the top | Tone at the top     | Tone at the top
Governance      | Accountability      | Governance and accountability
Competency      | Effective challenge | Competency and challenge
Decision making | Incentives          | Incentives and remuneration
                |                     | Ethical strength
• Consider a maturity based scoring approach, e.g. IRM’s Risk Culture Aspects Model or the IIA risk maturity model, to establish the “as is” and “to be” position.
Maturity scoring bands per issue: 9 to 10, 6 to 8, 3 to 5, 1 to 2.
Issue: Tone at the Top - Risk Leadership
9 to 10: In addition to 'green', the executive sponsor is very visible and leaders demonstrate their commitment on a sustained basis, show personal conviction in how they communicate and ask questions regarding business risks.
6 to 8: Leadership expectations are clearly expressed and consistently communicated. Direction is set and leaders create a 'Tone at the top' through reinforcement and challenge.
3 to 5: Leadership expectations on risk management are defined but inconsistently communicated and understood. Staff are not clear on overall direction.
1 to 2: It is not possible to describe a 'Tone at the top' or leadership expectations on how risks are managed.
Issue: Tone at the Top - Dealing with Bad News
9 to 10: In addition to 'green', leaders see their ability to extract learning from good and poor risk management judgements as a key corporate competitive advantage. This is seen as part of the organisation's knowledge management process.
6 to 8: Leaders encourage the timely communication of material risk information. They challenge managers to divulge 'bad news' early to ensure it is acted upon in a timely manner.
3 to 5: The communication of 'bad news' is sporadic. Attempts are made to encourage early communication of risk information. It is recognised that this is important but processes are still to be formalised and embedded.
1 to 2: The organisation does not encourage the communication of information about potential negative events. Managers have concerns about communicating 'bad news' to leaders. Stories exist of the manager having been 'shot'.
Themes and Aspects in the IRM Risk Culture Model
Theme: Tone at the Top
– Risk leadership: clarity of direction. Senior management set clear and consistent expectations for managing risk. Leaders role model risk management thinking and actively discuss tolerance to risk issues.
– Responding to bad news: welcoming disclosure. Senior management actively seek out information about risk events. Those that are open and honest about risks are recognised.
Theme: Governance
– Risk governance: taking accountability. Management are clear about their accountability for managing business risks. Role descriptions and targets include risk accountabilities.
– Risk transparency: risk information flowing. Timely communication of risk information across the organisation. Risk events are seen as an opportunity to learn.
Theme: Competency
– Risk resources: empowered risk function. The risk function has a defined remit and has the support of leaders. It is able to challenge how risks are managed.
– Risk competence: embedded risk skills. A structure of risk champions supports those managing risks. Training programmes are in place for all staff.
Theme: Decision making
– Risk decisions: informed risk decisions. Leaders seek out risk information in supporting decisions. The business’s willingness to take on risks is understood and communicated.
– Rewarding appropriate risk taking. Performance management is linked to risk taking. Leaders are supportive of those actively seeking to understand and manage risks.
Auditable characteristics of a positive risk culture
• A distinct and consistent tone from the top from the board and senior management in respect of risk taking and avoidance.
• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.
• A common acceptance through the organisation of the importance of the continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.
• Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear.
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.
Auditable characteristics of a positive risk culture (cont.)
• Appropriate risk taking behaviours rewarded and encouraged, and inappropriate behaviours challenged and sanctioned.
• Risk management and audit skills and knowledge valued, encouraged and developed, with properly resourced risk management and audit functions. Professional qualifications supported as well as technical training.
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged.
• Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in hand.
Risk oriented evidence / audit trail sources might include:
– meeting minutes which demonstrate the substance of risk discussions held, questions raised and ‘pull’ for risk data to inform decision making
– evidence of risk events being used to facilitate learning
– reports showing the number of incidents / near misses reported
– frequency with which risks are raised
– examples of leadership demonstrating risk management values
– performance objectives that include risk responsibilities
– frequency and reach of risk communications and education
– examples of action taken against those where risk behaviour was considered inappropriate or exemplary
– the extent to which risk functions collaborate
Other evidence / audit trail sources might include:
– results of employee satisfaction / engagement surveys
– audit committee insights – behaviours, issues etc.
– internal audit results – patterns, responses, behaviours
– internal audit results – why rather than what
– key stakeholder opinion – gathered by interview
– consider published ethical standards and social responsibility statements
– consider remuneration and reward policies and potential unwanted outcomes / behaviours
– HIA and audit team gut feeling about culture
Thank You. Questions?
www.philipatkinson.com
http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-Risk-Culture-Report.pdf
http://www.theirm.org/RiskCulture.htm
https://www.financialstabilityboard.org/publications/c_131118.pdf