Ralph Daals, group chief auditor of RSA Insurance, is passionate about the journey he and his team have been on over the past two years. “The seeds for the transformation were sown in October 2013 when internal audit uncovered significant irregularities during a routine review in our Irish business,” he explains. “That event was publicly reported and brought home the message that, in the end, internal audit will be judged by the things it misses.”
This clarity about internal audit’s accountability led to new, forward-looking, expectations of the function. Daals recalls: “Our chairman put it nicely – ‘I would like you to be able to tell me that the building is about to catch fire, as opposed to pointing me to it after the event.’”
Meanwhile, RSA was transforming with an agenda of significant strategic rationalisation, cost reduction and operational turnaround. The company was changing rapidly with innovations around big data, digital, robotics and more agile developments; and with these changes a new profile of risks emerged. “Typically, internal audit follows the company,” Daals says, “but we were driven to make a huge leap to get ahead and stay ahead.”
The challenges were tough. “We not only had to become more dynamic and forward-looking, and get on top of the new risks RSA was facing, but we also had to play our part from a cost and efficiency point of view. We had to do more with less – we’re talking about a double-digit percentage cost reduction here,” he says. “Doing this right meant reinventing ourselves and fundamentally changing our mind-set, skills and ways of working.”
This meant that the function had to be inventive – particularly since, Daals emphasises, it did not have deep pockets and could not hire expensive consultants. “Constraint was a key driver of innovation and, ultimately, became a real friend,”he says.
The team started to assess the world around it, identifying and learning from cutting-edge companies regardless of industry and function. “We ended up casting the net pretty wide and then adopting and tailoring what we thought could work well for us,” Daals says. “Jim Collins’ book Good to Great provided a lot of early inspiration. It was all about starting with purpose and people – attracting and retaining the right talent, giving them freedom within a framework and playing to their strengths.”
He was wary that, in too many cases, change programmes introduced new processes that existed on paper, but didn’t lead to new ways of working in the long term. Theirs was not, he argues, a traditional transformation programme – it had no project plans, no champions and no reams of documentation.
“We looked to make change easy and infectious, with small iterative improvements driven by obsessing over the right things; sharing successes, challenging each other, and ultimately deeply embedding practices and improvements in our behaviour and culture,” he says. “At any time we have about five function-wide ‘Obsessions’, both behavioural and technical. These create a ripple-effect-based transformation – contagion can be very powerful.”
This approach allowed people to see and feel the build-up of momentum and meant that evolution could happen at an increasing – and often surprisingly rapid – pace. Daals explains that he borrowed from Pixar’s innovation culture and started to experiment, test and refine ideas. “If you fail, fail fast, learn fast, and never compromise on outcome,” he says.
The transformation rested on four main interconnected “building blocks”. The first of these was to simplify and standardise what the team did and when it did it. This was intended to minimise complexity and distractions to allow internal audit to focus all its time and efforts on what mattered most. A vital part of this process was that internal audit had to be comfortable about not doing some of the things it had taken on in the past. Daals says they started with “bonkers lists”, which evolved into a function-wide leaning exercise aimed at making the function more efficient and focused.
“We also wanted to keep it simple to ensure the real value comes from our core activities. We shouldn’t have to resort to ‘add-on’ activities, such as advisory reviews, before value is created or recognised. It would imply something is fundamentally wrong,” he argues.
The second building block involved increasing the relevance and timeliness of insights and interventions. The traditional annual planning process became a flexible six-plus-six rolling plan with a strategic three-year outlook. This allowed audits to run in parallel with changes in the business and emerging risks and to anticipate better the skills the team needed now if it was to be ready for the future.
At the same time the team brought plan-delivery in line with reporting to executives and non-executives, cutting the time between identifying findings and committee reporting to a minimum. “Our team now delivers 100 per cent of our plan every quarter, which was unheard of in the past,” Daals says.
The third building block involved implementing an “AsOne” operating model, inspired by Daals’ past work with Deloitte. “We broke down the silos that typically exist in an international function and eliminated the traditional reporting structures and hierarchies,” he explains. RSA internal audit consists of more than 60 people based in key cities across three regions: UK, Ireland and the Middle East; Canada; and Scandinavia. Daals says that the AsOne model “facilitates a high level of connectivity and collaboration between the teams” so they can work together as if they were all in the same room. This necessitated a new digital way of working and using communication channels such as Yammer.
“Building on AsOne, we advanced our way of working based on Spotify’s agile culture. We even adopted some of their naming conventions,” Daals says. “We now structure ourselves around ‘squads’ – fluid teams that bring together the right people for an audit or other initiative, regardless of hierarchical position or location”.
For internal audit’s stakeholders, Daals says that AsOne increased the quality and consistency of output and coverage, improved the way they shared best practice and boosted efficiency by reducing duplication and, ultimately, cost.
The fourth building block was all about striving to build a high-performance culture. “This may sound clichéd – and many talk about it – but in the end we are a people business and so building a high-performance culture was crucial,” Daals explains. “For us, this is about striving to create an environment where we can attract and retain the best.” He was inspired by Google’s approach to investing in talent and its view that hiring remarkable people is its single most important activity.
“We tailored this – only people with the passion and aptitude for it are involved in recruitment,” he says. “Our recruiters, typically our most senior people, dedicate significant time to finding the right talent. Every candidate is recruited with an international interview as standard.”
Daals and his team also looked to elite sports for ideas. “We work closely with performance company PlanetK2, which uses the same kind of performance psychology ideas with us as it uses with Olympic teams. Everybody is challenged about how to get the best out of themselves and each other.”
All these changes helped to create what Daals characterises as an agile function. “Agility for us is about being dynamic and flexible. It is about our ability to anticipate, respond and continuously improve.” He adds that agility needs to be embedded in the mind-set, culture and values of the team; processes and methodologies then follow naturally. “It’s about having a team that gets better and better with every challenge thrown at it,” he says.
He believes that this agility has many advantages: internal audit is now better at using the full capabilities and experience of the entire team, it can rapidly gather and deploy the right resources via the squads, and the rapid feedback between stakeholders and the function facilitates quick and constant improvements in what the function does and how it does it.
Accountability remained a focal point throughout the changes. “Our accountability is always front of mind. We regularly ask ourselves our killer question: ‘Have we missed anything significant?’,”Daals says. “To answer this, we perform a bi-annual exercise where we look back across our business through the lenses of issues raised by others, risk incidents and material external events. We ask ‘where were we?’, ‘did we pick it up?’, and if so, ‘did we report it appropriately?’” The lessons identified are widely discussed and fed into the continuous improvement of the function and Daals says the results are getting better every time. He sees it as crucial to delivering against internal audit’s purpose of keeping RSA safe and improving.
Daals also takes quality assurance seriously. He employs Deloitte to review and challenge audits done in the previous quarter. The reviewers assess whether the audits focused on the right areas and identified the correct risks and issues.
The new-style internal audit team needs to attract a new type of internal auditor, with skills that will be important to the organisation of the future. This means it needs to offer an exciting proposition in terms of both working environment and opportunities, Daals says. New recruits may come from other sectors or have a non-audit background. The team currently includes non-typical members such as a web and app developer and a criminologist. “It’s important to get the balance right between maintaining their unique skills and perspectives and learning internal audit essentials,” Daals adds.
His search for innovative people who are willing to be shaken out of their comfort zone and are eager to improve constantly is making the team more diverse. “We are always asking how we can break through the typical talent barriers,” he says. “We are well aware that what we are creating doesn’t suit everybody, it requires tenacity and resilience. At times we have had to make some difficult decisions, but that’s ok”.
To help team members grow to their full potential, Daals has introduced innovations such as a dedicated “Learning Friday” every second month on which everybody can choose what they learn. No work is allowed.
"We took a lot of inspiration on how to create the best workplace from a company called MindValley”, Daals explains. “It is important we not only bring in new skills, but make sure all our people are set up for the future. So we are investing in upskilling people in ‘new world risks’.” This includes teaching them the basics of coding and auditing agile developments, and simulating mock crises such as a cyberattack.
He also wanted to move away from a system where people couldn’t progress until the person above them left. The new structure has no fixed number of people per level, so, if someone is ready to be promoted, they can be.
So what’s next? “It has been good so far,” Daals says. “Our feedback scores have consistently gone up and our people are in high demand by the business. We have a more agile and forward-looking model that we hope will help us to deal with whatever comes our way. But it doesn’t stop here. We have identified, for example, seven ways of injecting innovation into auditing, including stress-testing the control environment and risk-event and scenario-based auditing. As long as it supports our purpose and we keep an appropriate eye on what we call ‘audit risk’, we won’t hesitate to give it a go.”
He is keen, however, to stress that agile is not the same as chaos and needs careful management. He advises others looking at creating an agile culture to establish first a stable “backbone”. You also need to find a way to combine opposites. “Looking forward is great, but not if you don’t look backwards at the same time,” he warns. “Sustainability of controls and remediation activity is as, if not more, important.” Chasing emerging risks or organisational change can be catastrophic if you don’t focus on the areas that everybody takes for granted, but can still hurt the company.
Daals concludes: “We may get it wrong sometimes; you can’t win without ever failing. But in the end, it’s fun putting yourself out there. If you fail, fail and learn fast, but never compromise on outcome.”
This article was first published in Audit & Risk July/August 2017.