What role does Internal Audit play in assessing risk culture?

Building and embedding desired organisational culture and values has never been so important, with many failures and corporate scandals directly resulting from poor culture and behaviours.

A sound approach to assessing risk culture provides confidence as to the quality of desired behaviours, both for internal and external stakeholders.



40% believe their executive team are the main drivers for a focus on culture and behaviour

50% have not developed an approach to assess risk culture within their internal audit function



A strategic approach to auditing risk culture

To successfully embed risk culture assessments, internal audit must first consider 4 key elements.

  1. There is alignment between internal audit’s risk culture approach and assessment dimensions, and the overall cultural direction of the organisation.
  2. Stakeholders have been engaged and are supportive (including your Exec & HR).
  3. A consistent approach is undertaken when assessing each area of the business.
  4. Start with the end in mind: consider what we want to be reporting, and to whom.


Three steps to assessing risk culture


Step 1 – Define your risk culture assessment strategy and approach

  • Agree, in consultation with management, HR, Risk, Exec and Audit Committee, the risk cultural dimensions to be assessed.
  • Clearly articulate the roles and responsibilities of risk culture assessment across the second and third lines of defence. 
  • Define and agree method/s and extent to which risk culture assessments will be incorporated into your IA activities. 
  • Communicate

Step 2 – Embed your risk culture assessment approach

  • Agree the techniques and approaches to assess risk culture.
  • Incorporate your risk culture assessment approach into your Internal Audit methodology and tools.
  • Identify and address capability gaps within the team.
  • Decide how risk culture insights will be reported and presented per internal audit.

Step 3 – Execute and monitor your risk culture approach

  • Deliver and report risk culture assessments via the agreed method. 
  • Identify key learnings and reflect in enhancing the assessment approach.
  • Theme risk culture insights on an ongoing basis and present to the Audit Committee, Risk and HR as appropriate.  
  • Use risk culture insights to inform focus areas on next year’s IA plan.


Download the factsheet

Insights from a poll conducted during our Auditing Risk Culture webinar revealed that half of all respondents have not developed an approach to assess Risk Culture within their Internal Audit Function. For more information on the results of the survey, download the factsheet below.





