Some years ago, the Australian affiliate of the IIA started publishing its own guidance for internal auditors. Recently, they shared Auditing Risk Culture: A practical guide. It has been written within the context of Australian financial services organizations, but the authors believe it has more general application.
As you might expect, it has some interesting content – but has a couple of glaring omissions, IMHO.
They start well:
Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary. Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.
Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some…
