Identifying and mitigating future cultural risks: Are we doing enough?
If you ask one question this week, make it this one.
Culture is proving one of the most tenacious and difficult issues to address in organisations of all kinds. It raises fundamental questions about the kind of people we think we are, the type of organisation we want to work for and the values we hold dear. And it shifts constantly in response to external events and to evolving social mores. Take your eye off it, and you may find that either your own culture, or the world around it, has morphed into something else entirely – creating a host of risks from reputational to financial and regulatory.
Culture problems tend to mature over many years, then emerge fully fledged and dangerous in just a few weeks. Recent headlines have been full of rows at the BBC about inappropriate behaviour by well-known presenters, at the Post Office about the treatment of sub-postmasters, at the Church of England about a cover-up of decades of abuse, and an appalling history of sexual misconduct and enablement at Harrods. The NHS has endured a series of scandals concerning whistleblower suppression, misguided priorities and poor relationships at the most senior levels.
Most recently, the FCA, which has itself been warning financial services organisations to do more to improve their cultures, has been the subject of scathing criticism about the treatment of its own internal whistleblowers and bullying behaviour to those who raised concerns.
You don’t need to feel strongly about political stands on “culture wars” to see that when cultural scandals can claim the scalp of the Archbishop of Canterbury, board directors should be extremely concerned about culture and what it could mean for them personally, as well as for their organisations. Boards should also be aware that the Corporate Governance Code 2024 increases directors’ responsibilities for embedding the desired culture, as well as for setting, monitoring and assessing it. The supporting guidance makes it clear that internal audit has an important role to play in this, along with others including HR, risk management and compliance.
Internal auditors should already be considering organisational culture as a key risk, but it’s worth keeping up with recent developments. It’s a rapidly changing area and what was good practice a couple of years ago may now urgently need updating.
Furthermore, internal audit may need to raise awareness at board level if senior management do not seem to appreciate the magnitude and breadth of the risks that a poor or weak culture can cause. As we have seen repeatedly, it’s easy for busy senior managers to assume that what they hear from those eager to say “the right things” is what is going on below the surface.
Eyes and ears
When things start to go wrong it’s tempting to make protecting the organisation’s reputation a priority, rather than addressing the issues causing the problems. Internal audit has eyes and ears in every part of the organisation and is in a better position than any other function to join the dots and see what actions and behaviours reveal, rather than just relying on positive words and optimistic values statements.
Culture issues vary widely in different types of organisations, but there are common themes that occur with depressing regularity when big scandals break. So many investigations reveal similar patterns of management-sanctioned (or ignored) shortcuts and sub-standard practices, failures to call out inappropriate language or “jokes”, attempts to sideline or manage out people who take offence, or who call out bad practice, and various efforts to shut down emerging stories of poor practices.
Some organisations have regulatory and governance reasons to scan for damaging behaviour and to introduce training programmes and “speak-up” schemes – whether these are the Consumer Duty rules for financial services firms, or care and safeguarding rules applying to the healthcare and education sectors, or rules governing third sector organisations working with vulnerable people. However, every organisation in every sector also has a host of other cultural issues that may cause huge and spreading problems, and these do not always originate in the areas you’re watching most closely.
What can internal audit do to ensure the organisation protects its people, practises the culture it preaches and encourages, rather than shuts down, reports of potential issues?
- Ensure your organisation establishes, publicises, maintains, listens to and learns from speak-up and whistleblower communication channels. This is fundamental and vital. Bear in mind that if people are not using these channels, that is a bad sign, not an indication that there’s nothing to report.
- Collaborate with other functions. HR is an obvious ally here, since exit interviews and training programmes often originate in HR, but other teams from IT and finance to marketing and front-line operations are likely to be just as important.
- Join the dots with data – one of internal audit’s great strengths is its ability to connect disparate information from across the organisation. Use all the knowledge you get from every audit and create an overall picture of culture.
- Use technology. You don’t need the latest, most expensive technology to be able to collate and scan different forms of evidence, but you do need to think about how you collect the information that will give you the most complete picture in compatible formats and add to it constantly. Data analytics and AI can help with different levels of sophistication.
- Undertake deep dive audits of cultural hotspots or potentially high-risk areas.
- Communicate and raise awareness of the wide range of risks caused by poor culture. Too often, organisations are much better at advertising their headline missions and values than at discussing what these mean at different levels and in different roles in practice. Internal audit can initiate or lead workshops, management groups, staff forums, campaigns and other initiatives to encourage people to talk about culture and what it means to them in their roles.
- Raise culture up the agenda with the audit committee and the board and discuss where directors might be exposed to issues. There are plenty of examples in the media that could provide sobering reflection. Internal audit can discuss how well these are currently managed and highlight potential improvements.
- Learn from good practice and innovations elsewhere – Chartered IIA forums are a safe place and an opportunity to discuss what other teams are doing with common challenges. The Audit & Risk Awards provide many examples of innovations that affect corporate culture, from diversity and inclusion initiatives to cultural auditing ideas. Chartered IIA regional and national conferences are excellent sources of inspiration and an opportunity to speak to others grappling with similar issues.
- Consider attending, or sending colleagues on, specialist training courses, such as the Chartered IIA’s courses on Auditing Culture and Auditing Diversity.
- Make time to read reports and articles that may suggest new ideas or approaches that you have not previously considered – the Chartered IIA’s report on “Cultivating a Healthy Culture” and articles are a good place to start.
- Think broadly – culture affects every corner of every organisation. Increasingly, it is also an issue for organisational supply chains (especially for those subject to the new EU Corporate Sustainability Due Diligence Directive (CSDDD) and EU Deforestation Directive (EUDR)). This is a new area for many organisations and requires attention and actions that could include changing supplier terms and conditions, rewriting contracts and even undertaking supplier audits.
- Update and refresh constantly – this area evolves fast and it’s easy to forget that the scandals that hit the news today usually originated in actions and mistakes several years before. Think about preventing the scandals of tomorrow as well as dealing with those of the past.