Risk culture is no longer perceived to be a compliance box to be ticked. Companies are lifting the lid on cultural and behavioural issues that affect the way people make decisions and manage risks as part of their day-to-day work.

Most internal auditors and risk managers can appreciate the expression “The more things change, the more they stay the same.” That’s because they see it in action all the time.
At most companies, for example, the internal audit and risk management capabilities have improved considerably over the past 15 years, yet problems continue to crop up. Despite evolving operational risk and compliance practices; increased investment in governance, risk, and compliance systems; and increased awareness and understanding of non-financial risk by business leaders, scores of companies each year seem to find their way to investigations, regulatory enforcement actions, reputational harm, scandal, or worse.
Barely a decade ago, the world experienced the financial consequences of the global financial crisis, caused in large part by inappropriate and unacceptable behaviour in the financial services sector. Despite the harm the crisis caused and the vast regulatory response, big banks and financial firms continue to get caught up in large scandals and incur massive fines. Regulators are still fining financial services firms, for example, for not investing appropriately in anti-money laundering controls. In the United Kingdom, regulators have accused large audit firms—perhaps now forgetting the lessons of Arthur Andersen in the Enron fiasco—of being too cosy with audit clients and neglecting their oversight duties. And more recently, several large technology companies have breached their privacy obligations, despite at least a decade of large data breaches and embarrassing privacy and security debacles.
So we must ask the question: “If organizations are increasing their investment in risk and audit activities, why are they not identifying and addressing these issues in a timely manner?” A large part of the answer, explored below, is that traditional risk and audit teams still tend to focus on “codified” controls and do not lift the lid on cultural and behavioural issues that affect the way people make decisions and manage risks as part of their day-to-day work.
Over the past few years, global regulators, particularly financial regulators, have begun to focus much more intently on risk culture. They have been asking boards and executive management teams to demonstrate that they understand the risk culture in their organizations and are taking steps to address challenges that persist at their firms. While some companies have made a significant effort to understand what risk culture means, others in the financial sector—and beyond—still struggle with this term and find it difficult to distinguish risk culture from organizational culture, which has traditionally been the purview of human resources.
Taking on Behavioural Risk
Risk management and internal audit teams now appreciate that many of the issues they are grappling with are rooted in “behavioural risk.” Indeed, many are working to improve their practices for measuring and monitoring how the culture in organizations and teams creates behavioural risk. Risk culture is no longer perceived to be a compliance box to be ticked. It is a behavioural risk that influences conduct and the manner in which day-to-day decisions are made.
This realization has pushed internal audit teams to modify the way they execute internal audits so that they can lift the lid on behavioural issues and objectively identify where behavioural risk is the root cause of things that have gone wrong in the business. Internal audit teams are adopting several emerging practices to support boards and executive management in assessing and improving risk culture. Such initiatives include:
- Diversifying the skillset within internal audit teams to include behavioural scientists, organizational psychologists, anthropologists, and members with other non-traditional audit backgrounds to better measure behavioural risk.
- Shifting internal audits to focus as much on people as they do on documents and data. Internal audit team members with behavioural science skill-sets are interacting with employees in different roles and at different levels to assess what cultural factors influence the decisions employees and managers make and the actions they take.
- Introducing new data points into audits to measure behavioural risk. Specifically, internal audit teams are adding behavioural card sorting exercises and conducting anonymous focus groups and individual interviews. The outcomes from these data points are triangulated with traditional risk and control assessments to form a three-dimensional view of the risk and control environment.
In turn, companies are encouraging other management areas to take highly focused actions to address behavioural risk issues identified by internal audit. Specifically, boards and executive teams are instructing human resources teams to address people, behavioural, and leadership challenges. They are asking risk teams to address risk infrastructure challenges, for example where policies and procedures do not align with systems. And they are pushing business leaders to address areas where the team is not clear on the strategy of the business.
Cultural factors that drive behavioural risk typically include:
- Senior leadership behaviour, including actions of the board and executive management (tone at the top)
- Line manager behaviour
- Recruitment practices (hiring and induction)
- Remuneration and incentives
- Risk infrastructure, including the simplicity and clarity of risk policies, procedures and systems
- Accountability structures in the organization
- The alignment of organization, team, and individual goals
- Collaboration (within and between teams)
An Uphill Climb
While organizations whose internal audit teams have implemented methodologies to measure behavioural risk as part of their audits are seeing benefits, there are challenges associated with integrating behavioural risk assurance into traditional audits. Some of the common hurdles that internal audit faces in this area include:
- Not enough talent. There is a scarce pool of specialists in the market with the necessary skills and background in behavioural science or psychology, and some aren’t eager to work on internal audit teams. This challenge is exacerbated by cultural integration problems when traditional internal auditors and behavioural auditors see things very differently.
- Difficulty achieving scale. Providing objective assurance requires the collection of sufficient data to make balanced, insightful conclusions. Gathering enough behavioural-based data can be particularly challenging in organizations that are geographically spread out. That’s because the quality of insight is dependent on internal audit teams reaching out and engaging directly with people in different roles, job levels, and geographical locations where micro cultural influences may be emerging that impact responsible decision-making.
- Difficulty in “auditing up.” It can be awkward for internal audit to assess and influence the culture amongst business leaders. Behavioural risk audits force business leaders to look in the mirror, and outcomes may be confrontational. Agreed actions from this type of audit work often require business leaders to better engage with their teams to deeply understand the behavioural risk factors within their teams and turn the dial to address these. In other words, since so many of the cultural factors lie with upper management, internal audit must be prepared to “speak truth to power.”
Many organizations are working on solutions to these challenges. Digital tools, for example, are starting to emerge that facilitate behavioural card sorting and virtual focus groups, allowing auditors to engage with geographically spread teams in a psychologically safe manner. These tools help internal audit teams form reliable conclusions on behavioural risk that can drive actions from leaders across the business, including risk management teams and human resources.
Community expectations are evolving. Stakeholders at many levels, including shareholders and regulators, want to see that large organizations are driving the right behaviour and identifying poor behaviour that can lead to crises and other problems. Internal audit is well placed to do things differently and provide rich insights that can make a significant difference to business outcomes. Evolving audit to understand where behavioural risk is the root cause of deep problems in the organization will add significant value, and enable boards, audit committees, and executive management to get a better handle on risk and break the cycle of repeating the mistakes of the past.
Justin Greenstein and Gavin Freeman are directors at the Business Olympian Group, a risk advisory firm based in Melbourne, Australia, which has the psychology of risk as one of its areas of expertise.