Reviewing and reporting on culture in Banks is now an expected and important part of the internal audit, and the updated FS Code reinforces and extends this requirement.
Culture can have an impact on the effectiveness of policies and behaviours, and is recognised as a key driver of conduct. Many of the major scandals and banking failures have been underpinned by a culture that tolerated, or even encouraged, inappropriate behaviours. Understanding the culture should mean that such risks can be identified and managed.
However, it is not an easy topic to tackle.
The challenges of reviewing culture
Culture is less tangible than traditional internal audit areas, and is more subjective. Subjectivity does not fit well with the Internal Audit Standards and can make things more difficult where management seek to challenge the judgements that you make.
Culture is mainly driven from the top, whether consciously or unconsciously. Reviewing culture can mean that Heads of Internal Audit find themselves criticising their Boards.
Together these make for an uncomfortable combination. Different skills and expertise are needed to do this well.
Option 1 - Taking a process approach
The most straightforward approach to reviewing culture is to look at it as a management process. In effect the review focuses on:
- the process for and extent of definition and communication of the desired culture
- the steps taken to promote the desired culture
- how the culture is monitored and evaluated.
The value of this is that it can help the Bank to improve the way it looks to manage culture and help to ensure that these management processes are sufficient to avoid raising concern with regulators.
This can be complemented by considering what evidence there is of a positive or negative culture through the reviews carried out across the Bank through:
- exploring the extent to which culture appears to be a root cause of both the effectiveness or operational failures of controls
- including in each review consideration of whether there is evidence that the desired culture is present and any management or operational procedures that conflict with it.
This is the most obvious route for Heads of Internal Audit to take as it meets the internal audit requirements and should provide a meaningful assessment of whether the desired culture is in place.
However, where this indicates that the culture is not ideal or the Bank is seeking to change culture, option 2 may provide a better option.
Option 2 - Cultural deep dive
The cultural deep dive seeks to go further by carrying out a true third line evaluation of the culture that is present at the Bank (or sections of it) and how the culture is impacting behaviour. This involves carrying out a gap analysis between the Stated, Measured and Actual culture, its implications and the steps needed to bring the three into alignment.
a) Stated culture - the culture that the Bank wants to have. This is the easiest to identify as it should be captured in strategy and risk appetite statements and communicated across the Bank. It is unlikely that the stated culture will be problematic but it may not be clearly or consistently articulated and may not cascade down into the policies, procedures and incentives. The internal auditor should consider the coherence and suggest any refinements.
b) Measured culture – the culture that the Bank thinks it has. It can be established through a combination of the information on culture reported to the Board and interviews with Board members and other senior managers. Often the interviews also demonstrate that Board members and senior managers recognise that the measures of culture only tell part of the story.
The internal auditor can then consider:
- are the measures appropriate and likely to be giving a true perspective, and if not, how can they be refined?
- are the proposed actions likely to address the gaps?
c) Actual Culture - the culture that is actually influencing behaviours across the Bank. Some elements will span the whole Bank and others only impact individual teams so, in practice, it is appropriate to sample a selection of key teams.
The evaluation will include:
- Interviews with a sample of managers and other staff to understand their views on; what is expected of them, how they go about achieving it, and what constitutes strong and weak performance
- Reviews of quality assurance work and other output measures to understand the extent and trends of errors, non compliances, complaints or other operational weaknesses
- Review of actions taken in respect of weak or strong performance
- Observations of teams working and/or records of activity to consider the quality and priority given to actions.
From this the actual culture can be compared to the stated and measured culture. Often there is a significant gap. The ideal is to engage with management to explore the root causes and steps forward through workshops and present it as a joint evaluation and action plan.
To discuss any of the issues raised in the article, or to find out more about auditing culture please get in touch.
Read more BDO Insights