How to Audit Corporate Culture and Reduce Conduct Risk

In the UK financial services sector, “conduct risk” is hard to define even though many people use the term confidently. This is in part because the Financial Conduct Authority (the UK’s financial regulator) hasn’t provided a single overarching definition.

In broad terms it is the idea that all FCA-regulated organisations should ensure customers are being offered the most appropriate information and products, and that they are receiving a fair and beneficial deal.

The FCA outlined nine “drivers” of conduct risk (pdf), of which the majority fall under the scope of  traditional audit work (see chart 1). Chief auditors in CEB’s network of internal audit teams say consistently that the cultural aspect of these nine drivers is the hardest to audit. Not least because changes can take time to make a difference; in fact, one chief auditor points out that their business is being judged on decisions that were made five or even 10 years ago even though the company has gone through enormous structural and cultural changes since then.

---

Chart 1: Key drivers of conduct risk  Source: Financial Conduct Authority “FCA Risk Outlook 2013”

---

How to Measure Culture

Whether or not it’s a fair assessment, the world’s banks are clearly seen as having room to improve their corporate cultures. The global financial crisis left a seemingly indelible stain and recent events – like the Wells Fargo news – have only fixed it more firmly in the public consciousness.

If internal audit teams want to ensure the organizational changes they recommend improve the firm’s culture they should first ascertain what culture they have now, and then quantify that view if possible. The more they can do to measure culture, the more prepared they can be to mitigate conduct risk and one of its important causes.

Measuring the culture of an organization is an inherently difficult activity and one that nearly half of chief audit executives tend not to approach. Only 37% of audit teams incorporate cultural reviews into existing audit engagements and only 8% have a dedicated audit to review culture, while 49% conduct no explicit cultural assessment at all, according to CEB data. Not only does this show that measuring culture is difficult, but that it can be even more difficult to translate findings into meaningful action.

In spite of an increase in focus on improving corporate culture across the past four years from compliance teams, and other assurance providers in a big company, there have been no discernible improvements in the ability to mitigate the risk of misconduct, according to CEB analysis. Between 2012 and 2016, the percentage of employees observing, or believing they observed, misconduct activities only fell from 25.5% to 23.3%.

Internal Audit’s Role

Internal audit teams can take a simple four-phase approach to auditing a company’s culture. CEB Audit Leadership Council members can learn a lot more in this guide, which uses research and case studies from companies both inside and outside the banking sector that have successfully audited culture.

1. Start small: Use pilot audits that include a component of cultural assessments to direct management’s attention to these risks and address any resistance or concerns at the initial stage, ensuring a smooth transition.

2. Use judgement during the interview process: Use a senior auditor’s experience and soft skills to gain management’s trust and access sensitive information during the interviews.

3. Improve root-cause analysis capabilities: Comprehensively analyse hard and soft control weaknesses to highlight issues related to not only the organizational processes but also employee behaviours and attitudes.

   And then identify common trends and themes from root-cause analysis.

4. Focus on sensitivity when reporting:

   • Alert auditors to the potential sensitivity and implications of the cultural assessments’ findings, and communicate the implications either verbally or in written form based on the consideration.

   • Ensure that auditors consider the potential business implications of their recommendations.

   • Adopt a “no surprises” approach.

   • Be sensitive but discourage auditors from diluting findings.

5. Increase influence through consistency:

   • Do not measure culture separately; include it as part of an overall audit finding.

   • Present findings appeal to the audience (e.g., use data points and graphics to quantify employee and management feedback).

   • Link findings to the elements of the internal control framework.

   • Connect employee performance on cultural aspects to the appraisal, reward, and development system.