Cultural assurance: comfort that your organisation has the right mindset to operate securely and successfully

There is a famous Peter Drucker quote that says: "culture eats strategy for breakfast". 

In his statement, Drucker pointed out the importance of the human factor in any company. No matter how detailed and solid your strategy is, if the people executing it don't nurture the appropriate culture, your projects will fail.

In fact, various high-profile failures within the financial industry over the past years have demonstrated that governance, risk management and internal control are simply not enough to prevent fraud.

As a result, regulators are increasingly focusing on adequate behaviours within organisation, i.e. culture supporting the right mindset within organisations. Often Board of Directors are made accountable for an adequate corporate culture supporting sound risk management.

Moreover, culture is in the spotlight due to the greater understanding of the competitive advantages available through effective management of behaviours.

Therefore, providing the Board of Directors with comfort that they have a culture which is aligned to their strategic objectives is becoming more and more important.

What is corporate culture? 

Corporate culture is the patterns of thinking, believing, valuing and acting in an organisation. It is about how people behave within the business and can be described as “the way we do things around here” – or as the personality of the organisation.

Culture is highly stable and self-sustaining over time, which makes it difficult and time consuming to change. Therefore, when embarking on a culture change project you need to work with the culture you have and focus on nudging or shifting a critical few behaviours towards the culture that it is more aligned with your organisation’s strategy and risk appetite.

Behaviours are the observable signs of the culture.

What role does internal audit play in cultural assurance?

Board of Directors are looking for assurance that they have the culture they need and increasingly looking to their internal audit functions. Internal Audit is best placed to provide this as it:

• Has access to cultural insights across the whole organisation.
• Understands the organisation and interacts with the business day-to-day.
• Has the ability to get under the surface to understand the cultural issues.
• Can uncover behavioural root causes, looking at the ‘why’, not just the ‘what’

How to approach a culture audit

The need for a culture audit can be triggered through various events:

As culture is pervasive and covers the whole organisation, it is usually not feasible to cover everything in one audit. Therefore, we are seeing some organisations using a combination of approaches to provide both breadth and depth to give an indicative view of the culture of the organisation. We see this as best practice. This includes a combination of the following:

• Discrete culture reviews - A standalone audit included on the audit plan focusing specifically on culture
• Component reviews - Consideration of culture built into each internal audit review as appropriateWhat is corporate culture? 

Consolidation of the results provides a thematic analysis of the discrete and component reviews

Moreover, it is important to work with a solid methodology & the right skills to provide cultural assurance and make results tangible and explainable to maintain credibility in the organization. In addition, buy-in from stakeholders is key.

When engaging in cultural assurance activities, the question is not whether a culture is good or bad as culture is something highly unique to every organisation. Instead the alignment across the three dimensions intended culture vs. expressed culture vs. actual culture is key and provides the basis for the audit.

Combined with the following key principles a risk-based, tangible assessment of culture will be enabled.

1. There is no ‘one size fits all’ approach to auditing culture – It is important to use a framework that will work for your organisation.

2. Clarify your cultural aspiration – Define what you are auditing and be clear on what you are assessing against.

3. Alignment of behaviours is key – Focus on assessing the alignment between your cultural aspiration, how the organisation has set itself up to achieve this and how people behave.

4. Take a risk based approach – Incorporate cultural risk into your annual planning risk assessment to focus your attention to areas of the organisation that are subjected to greater cultural risk.

5. Utilise a combination of audit approaches – To get coverage across your high cultural risk areas use a combination of approaches (e.g. discrete culture reviews and/or component).

6. Draw on a variety of data from different sources – Use a combination of qualitative and quantitative data gathering techniques.

7. Pull it all together – Analyse all culture outputs to provide the Board and Audit Committee with an overview of the culture of the organisation.

How can we help you implement an approach to cultural assurance?

Perform a culture health check

• High-level exercise to understand your cultural setup and help determining a starting point
• Propose what to audit and assess against and identify potential areas of focus

Build a framework for cultural assurance

• Develop and implement a holistic framework to cultural assurance across your organization
• Provide supporting stakeholder management, methodology, guidance and upskilling

Deliver your culture audits

• Co-sourcing for internal audit engagements focusing on cultural assurance providing you with the right specialist
• Coaching your internal resources throughout the culture audit to build up the necessary skills