

      What role does Internal Audit play in assessing risk culture?

      Building and embedding desired organisational culture and values has never been so important, with many failures and corporate scandals directly resulting from poor culture and behaviours.

      A sound approach to assessing risk culture provides confidence as to the quality of desired behaviours, both for internal and external stakeholders.

      • 40% believe their executive team are the main drivers for a focus on culture and behaviour
      • 50% have not developed an approach to assess risk culture within their internal audit function


      A strategic approach to auditing risk culture

      To successfully embed risk culture assessments, internal audit must first consider 4 key elements.

      • Alignment between risk culture and assessment

        There is alignment between internal audit’s risk culture approach and assessment dimensions, and the overall cultural direction of the organisation.

      • Stakeholder engagement

        Stakeholders have been engaged and are supportive (including your Exec & HR).

      • Consistent approach

        A consistent approach is undertaken when assessing each area of the business.

      • Start with the end in mind

        Consider what it is we want to be reporting, and to whom. 



      Three steps to assessing risk culture

      1. Define your risk culture assessment strategy and approach

      • Agree in consultation with management, HR, Risk, Exec and Audit Committee the risk cultural dimensions to be assessed.
      • Clearly articulate the roles and responsibilities of risk culture assessment across the second and third lines of defence. 
      • Define and agree method/s and extent to which risk culture assessments will be incorporated into your IA activities. 
      • Communicate
      2. Embed your risk culture assessment approach

      • Agree the techniques and approaches to assess risk culture.
      • Incorporate your risk culture assessment approach into your Internal Audit methodology and tools.
      • Identify and address capability gaps within the team.
      • Decide how risk culture insights will be reported and presented per internal audit.
      3. Execute and monitor your risk culture approach

      • Deliver and report risk culture assessments via the agreed method. 
      • Identify key learnings and reflect them in enhancements to the assessment approach.
      • Theme risk culture insights on an ongoing basis and present to the Audit Committee, Risk and HR as appropriate.  
      • Use risk culture insights to inform focus areas on next year’s IA plan.


      Download the factsheet

      Insights from a poll conducted during our Auditing Risk Culture webinar revealed that half of all respondents have not developed an approach to assess Risk Culture within their Internal Audit Function. For more information on the results of the survey, download the factsheet below.

      Assessing Risk Culture

