Much ink has been spilled exploring business culture in recent years, mostly in the aftermath of corporate scandals. Unsurprisingly, what has emerged is the systematising of culture, with good practice, roles, responsibilities, checks and balances, and opportunities for internal auditors and others, particularly in the financial services sector, to assure, comment and advise.
What is plain is that you cannot legislate for a good culture; however, you can enforce actions on businesses that may yield better outcomes. On 16 September, in the aftermath of the BHS pensions and Sports Direct minimum pay scandals, the Business, Innovation and Skills (BIS) Committee of the UK parliament launched an inquiry into corporate governance, focussing on executive pay, directors' duties, and the composition of boardrooms, including worker representation and gender balance in executive positions.
Will measures like these be more effective in preventing corporate scandals in the future than a systems and inspection or even an alternative coaching and learning approach to business culture if the corporate structures and governance remain the same?
How effective is the current approach to managing business culture? How can internal audit provide an objective view when it is itself part of the organisation's culture? How does internal audit address confirmation bias? Are you, as internal auditors, as confident that your organisation is as scandal-proof as it is fraud-proof? Could your internal audit department get a worker representative on the board?
I’d be most interested in hearing about your approach to assuring culture and how it adds value both now and in the future.
I support Mark's views - taking Mark's comment "Good culture will see current issues remediated quickly and reliably, and will evolve the approach for new risks to secure a sustainable and effective future framework"; I am looking for practical examples of how the employee risk regarding data and cyber security can be mitigated through the right culture of good risk awareness, good practice and shared learning.
Risk and control culture is hard to access within an audit context, but is crucial for internal audit to observe it and to form and communicate a view on it.
An informed view on risk and control culture provides crucial intelligence for the organization, intelligence that has a predictive capability. A control environment can be observed and assessed for current effectiveness, but the risk and control culture of the relevant management team will greatly influence how that control environment can be expected to behave over time. Good culture will see current issues remediated quickly and reliably, and will evolve the approach for new risks to secure a sustainable and effective future framework. Poor culture will see slow or ineffective remediation of current issues, and the further degradation over time - for example in failing to identify and respond to new risks.
It is important to distinguish between forming a view "top down" and assessing culture "bottom up", i.e. from a coal face view. The quality of the top down framework is relatively accessible. The coal face view - far less so. Here, Internal Audit is uniquely placed, and so this is where real value can be added. Audit functions will, in the ordinary course, execute every year multiple audits across their organisation - under a risk-based plan they will by definition expect over time to touch all key teams, irrespective of geography and business line. Each of these audits will see an intensive engagement over weeks and months with the leadership and teams of a business area or function. With the right approach and mindset, the core cultural values and behaviours of the audit subject - certainly in relation to risk and control culture - ought to be inescapable. The ability to express that view simply requires an agreed mandate, a methodological foundation, sound judgement, and the courage and desire to do so.
Mark Starbuck, Credit Suisse Internal Audit