The IIA-Australia's guide is a timely reminder of the need for continued focus on risk culture. Although the guide is focused on Financial Services, it has equal relevance to the wider business world. The business world needs to set a clear vision of its desired culture, have the ability to measure and understand its current culture and have the ability to steer any undesired culture back on the right path. This will ensure any gap between desired and actual culture is bridged.
The recent focus on culture has been relentless. From the FCA in the UK, the FED in the US, APRA and ASIC in Australia culture and conduct is clearly front of mind. The IIA-Australia's guide adds another chapter, this time specifically focused on the role of Internal Audit in risk culture.
The IIA-Australia's guide has 32 recommendations split across six principles, focused on improving the role and value of Internal Audit within an organisation. The guide is a timely response to the Australian Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and the Financial Services Regulator, APRA's, prudential inquiry into the CBA.
Of particular interest are Recommendation 1.4: The scope of internal audit should be unrestricted and organisation-wide and Principle 6: Adopt appropriate methodologies for auditing risk culture.
In Australia, the Australian Prudential Regulatory Authority has for some time, required the Board of Directors of an APRA regulated entity to:
- Ensure that they form a view of the risk culture in the institution
- Understand the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite
- Identify any desirable changes to the risk culture
- Ensure the institution takes steps to address those changes
This article focuses on:
- The key elements of IIA-Australia's new guide.
- Evaluating and measuring risk culture.
- Risk Management's role in risk culture
1. The key elements of IIA-Australia's new guide
The guide was issued in November 2020. The guide sets out what is expected of internal audit, so that Boards, Audit Committees and Regulators can set their expectations. The guide is divided into 6 Principles, supported by 32 Recommendations. The principles are:
Principle 1 – Position internal audit for success.
Principle 2 – Ensure adequate resourcing and seniority.
Principle 3 – Provide assurance which adds value.
Principle 4 – Employ methods and tools appropriate to the task.
Principle 5 – Report to influence positive change.
Principle 6 – Adopt appropriate methodologies for auditing risk culture
Of particular interest for Risk Culture is Recommendation 1.4 and Principle 6.
Recommendation 1.4 The scope of internal audit should be unrestricted and organisation-wide. It states:
At a minimum, internal audit should include the following areas within its scope:
- Governance, risk structures and processes;
- Risk and control culture of the organisation;
- Risk of poor customer treatment; and
- Key corporate events.
Item 2. is firmly aimed at Risk Culture while item 3. is aimed more at Conduct Risk. The two are linked as follows:
Fig 1. Culture and Conduct
Culture is more of an internal concept while conduct has an external perspective focused on the way we treat our customers.
At Protecht, we take the view that “risk culture” as a standalone concept does not exist. It is not separate from organisational culture. Risk Culture is a subset. It is the aspects of organisational culture that impact the way risk management is practiced and as a result how well the objectives of risk management are achieved. The IIA-Australia guide also refers to control culture which is a subset of risk culture, specifically relating to how culture impacts the effectiveness of controls.
Conduct, on the other hand, relates to how we behave in relation to stakeholder outcomes, specifically customers, but more widely, the range of external stakeholders.
Culture and Conduct are connected. A poor culture is likely to lead to poor conduct.
Specifically, Recommendation 1.4 of the guide states in relation to the risk and control culture of the organisation, the need for Internal Audit to focus on:
- The manner by which the processes, actions, tone from the top and observed behaviours across the organisation are aligned with the organisation’s core values, ethics, policies and risk appetite; and
- The observed attitude and approach to risk management and internal controls, including management’s actions to address known control deficiencies and the continuing assessment of controls.
In relation to conduct risk, (the risk of poor customer treatment), it recommends a focus on:
- Whether the organisation acts with integrity in its dealings with customers and broader interactions with the market; and
- The manner by which the business and risk management are designing and controlling products, services and supporting processes to align with customer interests and conduct regulation
Principle 6 – Adopt appropriate methodologies for auditing risk culture, sets out an in depth look at the role of internal audit with respect to risk culture. The two recommendations are:
Recommendation 6.1
Since risk culture is a fundamental component of the risk management framework, in its ‘business as usual’ audits, whether of a business unit, a process or a review of a risk event, IA should consider the (risk) cultural dimension.
- Given its independent role in the organisation, IA provides a crucial perspective on the organisation’s risk culture;
- Where the first or second line are performing risk culture assessments, internal audit should challenge these assessments as necessary;
- Internal audit should use a variety of techniques to produce risk culture insights in its audit activities;
- These risk culture insights should be presented in audit reports where relevant, including, for APRA-regulated entities, the annual review of the risk management framework; and
- Risk culture insights should be reported to management and the Audit Committee on a regular basis.
and
Recommendation 6.2
Internal audit should conduct audits of the risk culture framework on a cyclical basis consistent with the risk appetite of the organisation, or sooner if circumstances change substantially or if a self-assessment is requested by the regulator. An audit of the risk culture framework would involve assessing:
- The framework and process for setting the desired risk culture from the Board, and the way that has been communicated throughout the organisation;
- The policies and procedures in place (in particular those dealing with risk, people and conduct) to ensure that they align with and support a favourable risk culture;
- The process by which the organisation monitors and reports on its actual risk culture and what actions are taken when the actual risk culture is not consistent with the desired risk culture; and
- The actual risk culture of the organisation, either as a whole or in part, including observations from past ‘business as usual’ audits.
When considering the implications for risk management from these recommendations, the key recommendation for IA is "Where the first or second line are performing risk culture assessments, internal audit should challenge these assessments as necessary;"
At Protecht, we believe that the primary responsibility for risk management sits with Line 1, the business. This should include the measurement, evaluation and management of risk culture. We therefore welcome IIA-Australia's role as a source of independent challenge to these assessments and independent assurance as to their quality and integrity.
This will require many organisations to further develop their approaches to risk culture but now the methodologies and systems are available to do this, it comes down to priority.
2. Evaluating and measuring risk culture
"Measuring" risk culture is not easy and there are a number of approaches that can be taken. We reviewed a range of potential methods in Culture and Conduct Risk - Myths and Realities.
The IIA-Australia guide recognises a number of potential methods being:
- Interviews and focus groups;
- Observation of behaviours, including at meetings
- Anonymous staff surveys to quantify perceptions of risk culture
- Analysis of customer outcome data such as number/nature of complaints, time taken to resolve complaints, customer turnover, etc.
- Analysis of performance review data such as variation in manager ratings, suitability of consequences where misconduct is identified, etc.
- Analysis of risk management effectiveness data such as risk appetite breaches, control failures, events and regulatory breaches, and timeliness of issue remediation etc.
- Analysis of staff data such as exit interviews, employee rating sites, staff turnover, use of confidential hotlines, etc.
- Analysis of risk/issue reporting including reasons for underreporting and repeat/recurring issues
- Root cause analysis of major risk events
- Data analytics such as emails, social media, textual analysis of complaints, etc.
- Comparison of key documents to assess the degree of interconnectivity and consistency with which they address risk culture; and
- Evaluation of people behaviour during an audit such as whether they take accountability, are transparent, deny, deflect or discredit, etc.
Many of these methods involve the collection of relevant metrics, including such things as customer complaints, timeliness of issue remediation and risk appetite breaches. At Protecht, we refer to these as Risk Culture Metrics which forms the basis of the Protecht.ERM Risk Culture dashboard
A word of caution on staff surveys.
The guide quite rightly calls out the need to be wary of staff surveys, especially those without a scientific base. This includes the range and type of questions asked, the level of anonymity and the recognition of bias in responses.
Protecht includes staff survey and culture survey capabilities within our Protecht.ERM risk system.
Fig 3. Examples of survey. (Source: Protecht.ERM System)
The issue with staff surveys is the level of objectivity in the response. Staff will often answer how they believe the boss wants them to answer. In addition, humans suffer all sorts of biases, anchored thinking, heuristics and the like. We are not exactly a reliable source of information!
On their own, surveys are not robust, but they can form a source of information that can then be triangulated with other information to form a much more comprehensive and robust measure of culture.
At Protecht, we have been working on the measurement of risk culture for some time. This has culminated in the development of our Protecht.ERM Risk Culture dashboard.
Fig 4. Example of a Risk Culture dashboard (Source: Protecht.ERM system)
This is based on risk management related digital data / metrics and is obtained directly from the Protecht.ERM risk system. It is focused on gathering evidence of how employees are behaving with respect to their risk management responsibilities and accountabilities.
Some examples of useful metrics may include:
- Number of attestations not entered
- Number of actions overdue
- Number of times actions have had due by date changes
- Number of actions reopened once closed
- Time taken to report an incident
- Number of incidents not self-reported
- Number of risks outside of appetite for an extended period
- Number of risks outside of appetite without an agreed action
3. Risk Management's role in risk culture
As noted above, risk management is the prime responsibility of Line 1, the business. This is supported by the Line 2 functions. We therefore believe that the business should develop its own capability to measure, evaluate and manage risk culture rather than rely on IA for this. IA should be there to independently challenge what the business is / is not doing around risk culture and provide independent assurance over the way the business is managing that culture.
This will require many organisations to further develop their approaches to risk culture but now the methodologies and systems are available to do this it comes down to priority. With the ongoing increased focus on risk culture and now the latest guide from IIA-Australia, we suggest that this matter be given top priority in your organisation so you are not left playing catch up with the leaders in the field or that you end up in front of a government or regulatory inquiry!.
To continue the conversation around this important topic, we have recorded a live webinar: Best Practices to Measure and Manage Risk Culture. This webinar also covers topics such as the importance of risk culture, the elements of risk culture and provides some ideas on how to improve risk culture. You can access the video and transcription, here: