Understanding and Auditing Culture


Page 1: Understanding and Auditing Culture

Understanding and Auditing Culture

Dave Reynolds and Philip Atkinson
Heads of Audit Workshop

13 February 2014 Edinburgh

[email protected]

Page 2: Understanding and Auditing Culture

Discussion Points

• What is the current culture / risk culture in your organisation?

• What are the key characteristics of a strong culture?

• Have appropriate cultural norms and an appropriate "tone at the top" been set for your organisation?

• How could IA (internal audit) help move your organisation from where it is to where it needs to be culturally?

• Auditing culture?

Page 3: Understanding and Auditing Culture

So from where you sit, what does your organisation's culture look like?

Page 4: Understanding and Auditing Culture

Risk culture defined:

• "the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose" (IRM)

• "the norms and behaviours for individuals and groups within an organisation that determine the collective ability to identify, understand and openly discuss and act on the organisation's future risks" (IIF / FSB)

Page 5: Understanding and Auditing Culture

Corporate culture defined:

"The shared values, attitudes, norms, behaviours and beliefs that characterise members of an organisation and define its nature. Culture is rooted in the organisation's goals, strategies, structure, ethical standards and its approach to its people, customers, investors, and wider society" (R&A)

This wider definition introduces issues around, e.g., ethical standards, bullying, fear, fairness etc.

Page 6: Understanding and Auditing Culture

"Board Risk Committees are responsible for ensuring that a supportive risk culture is appropriately embedded so that all employees are alert to the wider impact on the whole organisation of their actions and decisions" (Walker Report)

"The Board should set the company's values and standards and ensure that the obligations to its shareholders and others are met" (Combined Code)

Page 7: Understanding and Auditing Culture

What's Behind the Definition?

Layers of culture shown in the diagram:

Artefacts

Processes

Behaviours & Rituals

Values & Beliefs

Formal and informal elements; sub-cultures; dynamic

Elements shown in the diagram: symbols; physical setting; points of contact; first impressions; published documents; defined processes; systems; teamwork; climate; working practices; conflict resolution; standards; behaviours; decision making; management style; expectations; shared values; beliefs, history, heroes, legends, stories

Page 8: Understanding and Auditing Culture

Strong Culture

• Clarity of direction

• Right tone at the top

• Focus on business / customer priorities

• Core values and behaviours understood / adopted

• Crisis - people pull together

• Positive grapevine

• Breeds achievers – deadwood controls

• Strong ethical position

Page 9: Understanding and Auditing Culture

Weak Culture

• Culture by default & undefined

• Leadership positions change

• Bad news stifled

• Absence of role models

• Rewarding failure

• Confusion in behaviour

• Vague PM

• Transactional

• Control trumps empowerment

• Negative attitude to audit and audit findings

Page 10: Understanding and Auditing Culture

Identifying a risk culture on the wane: warning signs

• Disregard for risk appetite

• Overconfidence

• Ignore crucial issues

• Passive

• Ignorance

• Rewarding bad behaviour

Page 11: Understanding and Auditing Culture

"We have to have the moral compass to deliver profits and growth responsibly and honestly – culture must be synonymous with integrity. In other words it's not just about how much money we make but how we make it"

Quote from a global banking CEO, c. 2007

The right tone at the top – espoused – is not necessarily the tone in practice!

A compliant culture is not necessarily an ethical culture!

Page 12: Understanding and Auditing Culture

Auditing Culture: IA Engagement - Starting Points

• What do you know/feel about culture in your organisation and its sub-units?

• Consider scope – group-wide vs business unit

• Will the review be risk focused or take a wider view of culture?

• Consider state of risk maturity

• Consideration of indicators and "as is" position

• Board and management buy-in

• Identify and engage with key stakeholders

• Consider pilot – appropriately supported

• Consider reporting expectations

Page 13: Understanding and Auditing Culture

Auditing Culture Focus

Comparison of the themes in each model (one row per theme; the Generic Model adds a fifth theme):

IRM Model          FSB Model             Generic Model
Tone at the top    Tone at the top       Tone at the top
Governance         Accountability        Governance and accountability
Competency         Effective challenge   Competency and challenge
Decision making    Incentives            Incentives and remuneration
                                         Ethical strength

Page 14: Understanding and Auditing Culture

• Consider a maturity-based scoring approach, e.g. IRM's Risk Culture Aspects Model or the IIA risk maturity model, to establish the "as is" and "to be" position.

Example scoring bands (score 9 to 10, 6 to 8, 3 to 5, 1 to 2) for two issues:

Issue: Tone at the Top - Risk Leadership

Score 9 to 10: In addition to 'green', the executive sponsor is very visible and leaders demonstrate their commitment on a sustained basis, show personal conviction in how they communicate and ask questions regarding business risks.

Score 6 to 8: Leadership expectations are clearly expressed and consistently communicated. Direction is set and leaders create a 'tone at the top' through reinforcement and challenge.

Score 3 to 5: Leadership expectations on risk management are defined but inconsistently communicated and understood. Staff are not clear on overall direction.

Score 1 to 2: It is not possible to describe a 'tone at the top' or leadership expectations on how risks are managed.

Issue: Tone at the Top - Dealing with Bad News

Score 9 to 10: In addition to 'green', leaders see their ability to extract learning from good and poor risk management judgements as a key corporate competitive advantage. This is seen as part of the organisation's knowledge management process.

Score 6 to 8: Leaders encourage the timely communication of material risk information. They challenge managers to divulge 'bad news' early to ensure it is acted upon in a timely manner.

Score 3 to 5: The communication of 'bad news' is sporadic. Attempts are made to encourage early communication of risk information. It is recognised that this is important but processes are still to be formalised and embedded.

Score 1 to 2: The organisation does not encourage the communication of information about potential negative events. Managers have concerns about communicating 'bad news' to leaders. Stories exist of the manager having been 'shot'.

Page 15: Understanding and Auditing Culture

Themes and aspects in the IRM Risk Culture Model

Theme: Tone at the Top

• Risk leadership: clarity of direction. Senior management set clear and consistent expectations for managing risk; leaders role model risk management thinking and actively discuss tolerance to risk issues.

• Responding to bad news: welcoming disclosure. Senior management actively seek out information about risk events; those that are open and honest about risks are recognised.

Theme: Governance

• Risk governance: taking accountability. Management are clear about their accountability for managing business risks; role descriptions and targets include risk accountabilities.

• Risk transparency: risk information flowing. Timely communication of risk information across the organisation; risk events are seen as an opportunity to learn.

Theme: Competency

• Risk resources: empowered risk function. The risk function has a defined remit and has the support of leaders; it is able to challenge how risks are managed.

• Risk competence: embedded risk skills. A structure of risk champions supports those managing risks; training programmes are in place for all staff.

Theme: Decision making

• Risk decisions: informed risk decisions. Leaders seek out risk information in supporting decisions; the business's willingness to take on risks is understood and communicated.

• Rewarding appropriate risk taking. Performance management is linked to risk taking; leaders are supportive of those actively seeking to understand and manage risks.

Page 16: Understanding and Auditing Culture

Auditable characteristics of a positive risk culture

• A distinct and consistent tone from the top from the board and senior management in respect of risk taking and avoidance.

• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.

• A common acceptance through the organisation of the importance of the continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.

• Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear.

• Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.

Page 17: Understanding and Auditing Culture

Auditable characteristics of a positive risk culture (cont.)

• Appropriate risk taking behaviours rewarded and encouraged, and inappropriate behaviours challenged and sanctioned.

• Risk management and audit skills and knowledge valued, encouraged and developed, with properly resourced risk management and audit functions. Professional qualifications supported as well as technical training.

• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged.

• Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in hand.

Page 18: Understanding and Auditing Culture

Risk-oriented evidence / audit trail sources might include:

– meeting minutes which demonstrate the substance of risk discussions held, questions raised and 'pull' for risk data to inform decision making

– evidence of risk events being used to facilitate learning

– reports showing the number of incidents / near misses reported

– frequency with which risks are raised

– examples of leadership demonstrating risk management values

– performance objectives that include risk responsibilities

– frequency and reach of risk communications and education

– examples of action taken against those whose risk behaviour was considered inappropriate or exemplary

– the extent to which risk functions collaborate

Page 19: Understanding and Auditing Culture

Other evidence / audit trail sources might include:

– results of employee satisfaction / engagement surveys

– audit committee insights – behaviours, issues etc.

– internal audit results – patterns, responses, behaviours

– internal audit results – why rather than what

– key stakeholder opinion – gathered by interview

– consider published ethical standards and social responsibility statements

– consider remuneration and reward policies and potential unwanted outcomes / behaviours

– HIA and audit team gut feeling about culture

Page 20: Understanding and Auditing Culture

Thank You – Questions?

www.philipatkinson.com

[email protected]

http://www.lse.ac.uk/researchAndExpertise/units/CARR/pdf/Final-Risk-Culture-Report.pdf

http://www.theirm.org/RiskCulture.htm

https://www.financialstabilityboard.org/publications/c_131118.pdf