Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Chair's opening comments
Our last session welcomed Stephen White, Interim CEO for Yorkshire BS who shared his views on the importance of internal audit and its evolving role. He was clear that we are a valuable and indeed critical service to the audit committee, the executive and the organisation overall.
Stephen also emphasised the importance of culture and behaviours in the organisation and the need for IA to play its role in helping the organisation align its culture and behaviours to its strategic agenda and to the tone expected at the top.
Culture is a subject that has been on our agenda for a number of years now, not least since the launch of the FS Code in 2013, yet for many it is still a topic that we have yet to become comfortable with.
For some the subject is certainly on the agenda and is a fixture in the audit plan while for others it is not as clear. In some cases, the audit committee is not asking for coverage. In others, there is no desire from the executive. In others still, there is some discomfort within internal audit at addressing the subject.
We recently published a report on culture called Cultivating a Healthy Culture - Why internal audit and boards must take corporate culture more seriously in a post-Covid world. The report identified positive progress in the internal audit world but also highlighted the opportunity to do more.
In today’s session, we are going to share the views of four people on the content of the report. All have considerable experience in this area, have performed at HIA level, and have personal perspectives.
Perceptions from our speakers on the subject of Culture
James Paterson, Director Risk AI, Former HIA for Astra Zeneca/ Trainer for Chartered IIA UK
Geraldine Smith, Former HIA HSE Ireland:
Sandro Boeri, Head of Staff Development and Culture Assessment, Deutsche Bank group:
Nicholas Crapp, Former CAE, NatWest
Thank you. Some fascinating thoughts on culture from our subject matter experts today. The report could have gone further, but we need to take our members with us on this journey. After 13 years, we had hoped that internal audit work on culture would be more embedded than the statistics suggest. The report contains great questions to ask of your organisations and of yourselves.
Before internal audit looks at the culture of the organisation, internal audit should look at the culture within the internal audit team. Does it reflect the culture of the organisation or is it built on the independence of the function and therefore separate and distinct from the organisation? It would be helpful for you to start by looking at your own culture as it will help guide your conversations with the business.
Please do take a look at our Resources section. It includes technical guidance and IIA Global guidance on auditing culture. It’s important to remember that there is no ‘one size fits all’ approach with this. Use the guidance and make your work in this space relevant to your organisation.
Chair's closing comments
Thank you, Geraldine, James, Sandro and Nicholas. When I read the report, particularly the statistics, I was disappointed and I feel that the profession could come under serious criticism if we don’t get to grips with the subject of culture. We will revisit this area in future.
Our next session will focus on cyber risk. We have moved the date to the 18th May to accommodate the speaker, Magdalena Skorupa, Cyber Director for Reckitt Benckiser Group (in Warsaw, Poland). Poland is coping with a massive influx of cyber-attacks. Magdalena will share what’s going on in her world, working for an international company based in Poland. I think it is fair to say that global events are very much putting the focus on this subject at the moment. Cyber was already at the top of the agenda in our last Risk in Focus report, and was for the previous three years. It will most likely be in the top two in this year’s report.
I would suggest that, for many organisations just now, both sides of the consequence and likelihood equation have moved in the wrong direction as they either review and reposition their connectivity with Russia or reassess their potential to be seen as a realistic target for an attack.
As usual, notes, chat comments will be placed on our web pages in the next 24 hours.
We have a number of events scheduled for the coming months, including our Leaders Summit and our Internal Audit Conference. Please visit our Events section for further details.
Q: Geraldine, you did some work regarding a major cultural issue within an organisation. Could you share the circumstances and generalities coming from that work?
A: There was a major scandal emanating from a Chief Executive who was all-powerful and revered. The board was ineffective and enabled the Chief Executive. Like all similar corporate scandals, there was a lack of oversight and there were huge financial issues with the organisation, which ended with a government bailout. Then there was a big change to the corporate governance and root and branch change to the organisation. It had to be rebuilt from scratch in terms of setting out best practice, with a new Chief Executive. It has been a long, hard slog and shows that if governance isn’t effective and issues aren’t dealt with, then the organisation could fail. There are huge reputational risks and rebuilding this with a new board and committees.
Q: Nicholas, you started in RBS not long after the financial crisis and it’s been rebuilt. You’ve started to respond to this word, culture, has your view changed about how to approach this subject?
A: Geraldine outlined the same issues. Poor corporate governance and a very strong CEO is a recipe for disaster. I often say that even if you get rid of a CEO, it still leaves a shadow on the rock, much like from an atomic explosion. We were an early mover and did a lot of work on culture which became behavioural risk and then the business ‘got it’, revealing things the business didn’t know, and became something the business couldn’t get enough of. We then took the behavioural risks and looked at this in dealing with customers and the questions asked of them. What do you put on your website? How do you design this? It all generates behavioural risk from a customer side which then potentially generates conduct risk. The team has 15 people and now at least half the work is being done on the customer side. It would be hard not to have this team given what they’ve uncovered and the value they’ve added.
The Ockenden Report is the report into Maternity Services at Shrewsbury and Telford and this is a worthwhile read as it aligns to today’s discussions but in an NHS setting.