A few years ago I was training finance functions in risk and control assessments. My course materials focused on well-defined risks, how to best document controls, and the approach to performing impact and likelihood assessments. One of my analogies for explaining the importance of controls was to ask the participants why racing cars have brakes. The response, paradoxically, was to enable cars to go faster, remaining on the track both in control but at speed. What was never covered however was a crucial and hugely significant omission – a reference to the driver themselves.

You can create a perfectly designed racing car with fully operational systems, but errors in driver judgement, capacity and capability override all. The gathering global momentum in recognising, assessing, and – more often than not – blaming elements of people culture and behaviours, in my view represents the biggest step change in assessing operational business effectiveness since Sarbanes-Oxley. Moreover, internal audit is perfectly positioned to take on the challenge.

Background and importance

Culture and behavioural risk is all over the news, impacting multiple industries and sectors with severe consequences. Often boards are aware of the problems but fail to identify the root causes or take tangible actions to address systematic behavioural issues.

The increased focus on controls amongst risk professionals over the past decade has been intense to the extreme. However fundamentally, risk management capability is often attributed to control design and operational effectiveness, focused around traditional frameworks such as the Committee of Sponsoring Organisations (COSO) or the Information Technology Infrastructure Library (ITIL). Whilst the 2013 COSO update has sought to place a greater focus on management actions, in my experience the actual business operational changes have been limited.

Culture is often the unspoken variable impacting corporate performance but rarely measured due to its perceived intangible nature. It is however certainly being identified as one of the keys to competitive advantage, be that through reputation, resilience, innovation or customer retention. Yet strategic objectives can just as easily be derailed by cultural challenges as they can be enhanced.

According to a recent report from TATA Consultancy (Kant, 2015), a company whose culture is strongly aligned with its strategy is likely to report a profit margin of 11.5%, against 4.8% reported by firms whose organisational culture and strategy are out of sync with each other.

Strategy& (Booz & Co) undertook a Culture and Change Management Survey in 2013 of more than 2,200 global organisations. The report found that whilst 84% believe that their organisation’s culture is critical to business success, only 45% thought that culture was being effectively managed.

The regulators and guidance bodies are all too aware of these figures. Certainly in the UK the financial regulators have positioned culture and behaviours at the heart of their supervisory regime, with the FSA recently publishing a paper on Performance Management and Incentivisation (Financial Services Authority, 2015).

A corporate governance paper (Basel Committee on Banking Supervision, 2014) refers in depth to the role culture plays, and the Financial Stability Board has long been a supporter of cultural awareness, stating that ‘the driver of bank failure is not insufficient capital but rather a bad risk culture’ (Samuels, 2014). The FSB’s risk culture paper (Financial Stability Board, 2014) highlights four indicators of a sound risk culture: tone from the top, accountability, effective communications and challenge, and incentives.

Our perspective

In agreeing there is relevance and a need to focus on culture and behaviours, management should take overall ownership through setting the intended behavioural direction. A complementary venture is developing a measurement framework to assess the effectiveness of the initiatives being implemented. Internal audit is ideally positioned to take on the challenge of supporting management through forming an assessment of culture within the organisation.

What does this practically mean? A colleague once said to me ‘you can audit and assure anything’, provided you have a clear subject matter and defined criteria. The same is true for assessing culture. The PwC assessment model is built on social learning theory and focuses on the inter-relationship between three important components: intended, expressed and actual behaviours.

Social learning theory (Bandura, 1977) states that behaviour is learned from the environment through the process of observational learning. Models are observed and behaviour can be encoded and may be imitated. Behaviour is more likely to be imitated if it is deemed socially acceptable and if the behaviour is rewarded it is likely to be reinforced and strengthened. It is possible to assess these reinforcers and also the actual results to determine if cultural change is really having an impact.

Firms have intended behaviours, which are who they want to be, articulated through the organisation’s purpose, vision and values (PVV). Expressed behaviours are how the organisation encourages those intended behaviours through behavioural reinforcers.

Actual behaviour is the behaviour displayed by employees, driven by the reinforcers but also by intrinsic motivation and personal alignment to PVV.

The key to an effective culture is to align intended, expressed and actual behaviours. The expressed behaviours relate to how you have set yourselves up as an organisation against a number of behavioural reinforcers. These are in effect the levers you have at your disposal to pull and adjust according to focus. Whilst not exhaustive, in our opinion these cover the following key themes: performance management, communication, leadership actions, people practices, organisational structure and external environment. Crucially, these reinforcers can be measured.

Assessment activity

Internal audit should bring behavioural risk into the audit universe as with any other risk component. Whilst it is management’s responsibility to set the strategic direction, internal audit can play a valued partner role by undertaking both an assessment of management’s behavioural measurement framework, and also by independently forming a view on cultural alignment by assessing effectiveness of reinforcers.

The approach requires both quantitative and qualitative measures, and is not without its challenges, but an awareness of the catalysts and constraints will help to make informed decisions over your next steps. What is clear is that taking on a role in delivering effective risk management will position internal audit at the heart of driving future strategy and informing organisational decisions. The internal audit function can support management in providing a connected view of risk across the organisation.

Some of the questions you need to consider:

  • How would you reorganise yourself, how focused are you on risk, how do you derive continued value given the changing face of risk management activity and respond to the drives/needs of the organisation?
  • Are you able to gather evidence to confidently represent the whole organisation?
  • Do you need to upskill in qualitative methods such as surveys, interviews and focus groups, or co-source a provider?
  • Is there a lack of open culture that will hinder open discussions?

The element of subjectivity may take internal auditors out of their comfort zone. The approach used to auditing culture should quantify assertions wherever possible to mitigate this.

Recognise that internal audit may be part of the culture, causing the independence and credibility of IA reports to be questioned.

And how can you best prepare for the challenge:

  • Making the review real, relevant and measurable is fundamental, to avoid spending extensive time in areas that won’t have significant impact.
  • Take time to perform a risk assessment of cultural issues to help focus on the priority areas.
  • Apply a behavioural lens to previous audits to help scope the plan. Consider light-touch application of cultural considerations to all audits, saving the time-consuming deep dives for proven areas of challenge.
  • Develop a clear understanding of identity (PVV).
  • Encourage an appetite from the top either via regulatory drive or CEOs and senior management.
  • Have robust discussions about what is and isn’t expected/in scope.
  • Ensure confidentiality and anonymity in staff perception metric collection.
  • Develop relationships which enable the discussion on softer elements of testing, and findings.

Internal audit is in a great position to take on this challenge head on and the corporate world is waking up to the importance and relevance of culture. A consideration of both the ‘driver’ and the ‘racing car’ will ensure your audit plans are robust, comprehensive and relevant to the challenges we face today.

Mark spoke at ACCA UK’s Internal Audit Network Conference on Auditing Culture in April 2015.