View from the top: Culture – listen, understand and plan ahead

I’ve been an internal auditor in the financial services sector since 1979 and for many years I was confident that internal auditors were good at raising recommendations on controls that are poorly designed or not working adequately. However, the global financial crisis in 2008 was a shock. As banks went bust and had to be bailed out by taxpayers, I realised many of our fantastic recommendations were being ignored.

The problem was that we were giving logical recommendations to human beings, who are illogical, emotional creatures. This sparked an interest that became a passion: to make a real impact, we must become better at understanding the human condition.

In the following years I worked as a consultant, which allowed me to research and explore how culture can be articulated, measured and managed. By “culture”, I mean a pattern of repeatable behaviour. The internal audit profession needs to focus on the things that create inappropriate patterns of repeatable behaviour, which prevent organisations from achieving their objectives and, sometimes, lead to misconduct. And we don’t need to be psychologists to do it.

If every internal auditor upgraded their understanding of culture, the impact of our work would increase. All the controls we devise will be operated by humans. First, therefore, we need a tactical plan to identify culture.

We also need to consider communication – the tone at the top and in the middle. The way leaders and managers communicate has a massive impact on individuals’ behaviour. If managers instil fear, people respond negatively. Inspirational managers encourage people to behave in a way that benefits the whole organisation.

Internal audit teams should not need any extra training or support to do this well.

Second, we need to review the framework for managing organisational risk. We should ask whether our organisation has articulated its behavioural risk appetite – has it explained what good behaviour looks like? Does it measure and monitor whether the behaviour it seeks is the behaviour it attains? Does it have a transformation plan to ensure that it gets the behaviour it wants?

Many internal audit functions will be able to do much of this already, but they may need some additional support.

Third, we need a tactical plan to achieve our ultimate goal – the ability to conduct behavioural risk reviews. For this, internal auditors need the skills to interview stakeholders, consider their findings and really understand why people behave as they do. Once we understand the “why”, we can recommend ways for the organisation to increase its chances of achieving the behaviours it seeks.

I am passionate about this subject, so I hope people will forgive my frequent references to culture while I am the institute’s President. Culture and
behaviour interacts with so many other risk areas. There are many powerful undercurrents in our society today and we need to understand these to deal with them effectively.

Most developments in what society views as acceptable behavioural norms emerge from a crisis – for example, the murders of George Floyd and of Sarah Everard and the scandals around the behaviour of Jimmy Savile and Harvey Weinstein. Too many crises develop because people turn a blind eye to inappropriate behaviour. When the scandal breaks, past behaviour is examined with hindsight and reputations (of individuals and institutions) are destroyed. Afterwards, new societal standards emerge.

As a profession, we need a sophisticated approach to talking about and analysing emotive societal debates. We are not ethical police. We need to listen and observe and understand the factors that change the way people behave and how the way society views behaviour shifts over time. Much behaviour that was acceptable (if not constructive) 20 years ago is unacceptable today.

We need to have a mature conversation about behaviour and reputation, and we must start thinking ahead and spotting issues that could put our organisations’ reputations at risk in the future. What do we accept or turn a blind eye to now, that could cause a scandal and immense reputational damage in years to come?

Social media makes assessing and managing behavioural and cultural risk more complicated. How much can or should organisations monitor
employees’ behaviour online? A problem shared on social media can turn into a crisis in hours.

Geopolitics also comes into play. The pandemic and lockdowns, the presidency of Donald Trump and the war in Ukraine have all created societal rifts and widely differing perceptions of culture and behaviour. The media and politicians have a huge impact on what society perceives as acceptable behaviour, but so do social media influencers. Misinformation may be as important as genuine news.

Internal auditors need to be looking ahead to the next crisis and asking how it will change society – this may be affected by who wins the next US election, what happens in China or in Russia and developments in national and global media – mainstream and alternative sources.

Internal audit has a role to play in promoting thought leadership around the future of ethics, ethical behaviour and reputational risk. The Chartered IIA has our flagship Risk in Focus report, which reflects what people are concerned about now. I’d like us to look also at what we will be thinking about in future – what are we missing now and what could emerge as a crisis next?

We must become better at emerging risk management, and understanding how and why people respond to situations and stimuli as they do is a vital element. Our behaviour today will be judged through the lens of the future.

 

This article was published in November 2023.