The number of large corporate collapses in the past two decades has shed light on the importance of establishing effective internal control systems in organisations to protect stakeholders’ interests, and has elevated corporate governance to prominence.
In much the same way, and more recently, corporate scandals, including those affecting Volkswagen and the Banking Royal Commission, have brought organisational culture to the forefront of consideration when it comes to its impact on internal control systems.
For those corporate failures in the early 21st century, the common themes involved a lack of commitment and accountability across the organisation, and the acceptability of self-interest and unethical behaviours.
Now, these same themes are echoed in the findings of the Banking Royal Commission. The prevalence of similar conduct occurring across all of the major entities indicates that characterising misconduct as merely ‘a few bad apples’ ignores the root causes of conduct, which often lie within the systems, processes and culture cultivated by an entity.
Such behavioural risks are pervasive across all levels of an organisation, and unless identified and accounted for within an organisation’s culture, can critically undermine the effectiveness of even the most robust internal control system.
Organisational culture is set by top management and is essentially ‘what people do without being told to do’.
Cultural norms are a critical driver of behaviour, both at a process and an entity level, by conveying expectations for acceptable behaviours and compliance with internal processes.
These norms require continuous management to ensure that desired and ethical behaviours are exhibited, and to ensure that behaviour-influencing factors, or so-called ‘soft controls’, do not undermine the achievement of organisational objectives.
The upshot of this is that a positive organisational culture can effectively mediate gaps in an internal control system by influencing behaviour as part of a holistic internal control system. Similarly, it can prevent the negative impacts on efficiency and effectiveness associated with excessive and redundant layers of hard controls.
Risk and Internal Audit assurance functions have a critical role in understanding and reporting on the human factors that impact on the processes, risks and the overall control environment.
Historically, when things go wrong within an organisation, the response has been to add layers of hard controls such as additional authorisations, reduced delegations, or extra performance metrics to attempt to close the gap. However, we know from experience that increasing layers of hard controls does not necessarily improve organisational performance. People are at the heart of every organisation, and it is the human factors that drive decision-making, organisational performance, and the effectiveness of the internal control system.
Assessing these human factors can be incorporated in several ways, most notably:
Across these three approaches, Risk and Internal Audit are well placed within organisations to support increased awareness and capability to manage cultural and behavioural considerations, particularly in the following capacities:
Pursuit of short-term financial benefits with little to no consideration of customers.
Focus on the letter rather than the spirit of the law and regulations.
Regarding risk management and controls as an inconvenience.
Lack of prompt, proper management action to address known issues.
Active concealment of problems, lack of openness.
Failure to challenge the status quo.
As a result, Internal Audit can play a strategic role as a culture advisor within an organisation without overstepping its remit or abandoning current approaches to conducting audits. Deficiencies in either cultural or behavioural factors can lead to significant risk exposure, and should be reported to leadership and boards to allow for more informed decision making and to drive meaningful cultural change. Considering soft controls in internal audits will enable boards to receive thematic analysis of behavioural trends over time, challenge management insights, uncover hidden behavioural drivers to allow for improved remediation, and provide a better understanding of what is ‘really’ going on in the organisation.
Similarly, as culture is a critical factor in the achievement of organisational objectives, Internal Audit can add value by assessing existing culture and providing recommendations to management as input for the design of more efficient internal control environments that are able to account for both hard and soft controls, and take advantage of their respective strengths and weaknesses.
How do you monitor cultural and behavioural risks?
Are these captured in risk reporting and governance structures?
Have you seen repeat issues, non-compliances, fraud or misconduct across the organisation?
Is there complacency within the organisation when it comes to awareness of culture and likelihood of risks?
Does the board place sufficient focus on non-financial risks?
Does the board provide sufficient challenge to senior leadership when it comes to handling misconduct and policing the closure of issues?
It is necessary to consider the human factors that influence culture to really understand what is happening within an organisation. In response to this, KPMG has developed a model that integrates a consideration of soft controls into our audit and assurance methodology to help us identify, measure, monitor and report on staff behaviours and their impact on the control environment. The model is based on extensive scientific research by Prof. Dr. Muel Kaptein, a partner from KPMG Netherlands and global subject matter expert, and has been in use in the Netherlands for more than 10 years. For more information on the model, refer to Behavioural Risk Advisory.