Barclays is taking a three-pronged approach to auditing culture:
In 2013, Barclays launched a programme called TRANSFORM with an aim to make the bank the ‘go to’ bank for all stakeholders. Internal audit are facilitators of the initiative but are not designing any part of it that they will then later audit. It is made up of three workstreams, which will deliver three overall goals:
Within these workstreams are ten priority projects, and one significant project to help address 1 and 3 is on culture and values. Its core components are:
Antony Jenkins, CEO of Barclays, says that culture is, more than anything, modelled at the top of the organisation, so the leadership have to set the right tone. This buy-in right at the top is very important.
Measuring the outcomes stemming from these four areas is the tricky part. 'Risk and control culture' and 'culture' are seen as synonymous, as nearly all behaviours impact risk and control. Knowledge of risk and control issues is incorporated throughout the employee life cycle. Every employee is accountable for risk and control through their performance objectives, and all new starters now need to demonstrate knowledge of these issues.
Internal audit will both integrate culture as part of every audit and conduct thematic reviews of culture.
Through assessing the culture, internal audit will look to answer:
The roll-out of auditing culture began in Q1 of 2014 and they will share the findings with the audit committee on a quarterly basis.
Here they will look at systems and processes as usual but will also examine whether there is a good underpinning risk culture. Root cause analysis will form the basis of the audits, i.e. they will actively look at whether there is a cultural driver to any issues that arise.
They will look at whether a certain behaviour or set of behaviours caused an issue. This focus on underpinning behaviours takes them beyond their usual methodology of focussing on processes and controls.
This can be a difficult area to audit, as the root cause analysis may show the opposite of what they think. In other words, it may not be the underlying culture that causes an issue but the underlying structures that drive behaviour, e.g. incentives.
So as well as looking at the standard control objectives, they will assess whether the key decisions are being made in the right way. To make such an assessment they will look at a wide range of information that informs the Balanced Scorecard (used across Barclays to bring a balanced assessment of every business, taking into account both 'what' is delivered and 'how' it is delivered), for example HR grievance data, whistleblowing activity, complaints, cultural surveys, and mystery shopping.
They will also conduct interviews against a structured framework (organisational psychologists have been brought in to advise on devising the interview questions). The top down approach will be assessed through reviewing governance and strategy.
An assessment of the Management Control Approach (MCA) against the dedicated control objective will be made in all standard rated audits. MCA is assessing the risk and control management processes AND the culture and behaviours to support the business.
The way they will assess is through a specific control objective alongside the standard control objectives. They will do specific testing to assess MCA through a combination of survey, interview, data metrics, testing and observation.
In addition, from the standard control objective testing, auditors will review whether there is any behaviour/culture root cause of issues, and the management awareness of and response to any issues (e.g. were they known and being proactively escalated and fixed).
This combination will give a rating of MCA for the audit area.
In addition to MCA assessment for every audit, from Q1 they have rolled out an MCA assessment for every business/function area quarterly based on key indicators (one of which is specific audit results). This was piloted throughout 2013 to identify the quantitative and qualitative measures to assess both the processes and behaviours to support risk and control identification, assessment, action and escalation.
This approach helps internal audit to assess how well the Barclays values are lived across the organisation and how colleagues are operating in line with these values. The indicators they are looking at are broadly similar to the ones set out by the Financial Stability Board as outlined in section B of this report. These are tone from the top; accountability; effective challenge; and incentives.
The auditors will test the performance management framework against the values and will look at the design of levers that influence behaviours and therefore culture, e.g. incentive reward structures.
Conduct risk is a key metric for culture and some thematic audits will revolve around conduct and culture.
Another idea they are considering is whether to benchmark the top 100 senior managers across the bank against each other to help internal audit assess culture. This would work like a peer review system and their competitive spirit would make them want to be the best.
Alongside specific testing of culture/behaviour levers, any culture or behaviour root cause of issues will also be assessed (same approach as individual audits).