Culture is Key:Assessing/Auditing CultureWithin Your Organization

Edmund Green, Managing DirectorRisk ConsultingKPMG, LLPMay 12, 2017

2© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

• What is Culture?• What is Risk Culture?• Why is Culture for Internal Auditors?• How do you assess/audit Culture?• Questions

Agenda

What is Culture?

4© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

What is Culture -Behavioral “Default Settings”

5© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Formal (Overt) Aspects

The way we say we get things done.

Informal (Covert) AspectsThe way we really get things done.

DirectlyObservable

Characteristics

Less ObservableCharacteristics

What is Culture - “The Iceberg”

BeliefsPerceptions

AssumptionsAttitudes

informal systems.

6© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Norms of Behavior and Attitudes Relative to:Risk Awareness

Risk TakingRisk Management

“The norms of behaviour for individuals and groups within an organisation that

determine the collective ability to identify and understand, openly discuss

and act on the organisations current and future risk”

2009 International Institute of Finance,Reform in the financial services industry:

Strengthening Practices for a More Stable System

DirectlyObservable

Characteristics

Less ObservableCharacteristics

What is Risk Culture?

7© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Risk culture is one of the key elements in an organization’s Enterprise Risk Management Framework.

Risk culture both influences and is influenced by the other ERM framework elements.

Risk culture influences an organization’s risk appetite, and governance in a reciprocal manner.

Recent research demonstrates that It is possible for an organization to evaluate their risk culture specifically and to measure the system of values and behaviors present throughout an organization that shape risk decisions.

Risk Strategy &

Appetite

What is Risk Culture - An integral part of ERM

Why is culture important forInternal Audit?

9© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Why is culture important?

10© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Why is culture important?

“Culture eats strategy for breakfast”

Source: Peter Drucker, has been described as "the founder of modern management"

11© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Why is culture important?

12© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.

Why is culture important?

91% of executives who

believe culture is“important” or

“very important” at their firm.

2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:

13© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.

Why is culture important?

% of executives who rank culture as atleast at “top 5” Contributor to Firm Value.

2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:

79

14© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.

Why is culture important?

% of Executives who Believe improving

Culture would Increase

Firm Value.

2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:

92

15© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.

Why is culture important?

% of Executives who Believe poorly implemented,

ineffective culture increases chance ofunethical or illegal

behavior.

2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:

85

16© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.

Why is culture important?

% of Executives who Believe their

firm’s culture isWhere it Should be.

2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:

16

17© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Maintain

Enhance

Promote

Protect

Why is culture important?

Reputation with key stakeholders

Asset and Earnings Quality

Innovation, creativity and agility

The Brand

How do you audit/assess culture?

19© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

How do you assess/audit Culture?

Entering Area 51

20© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

An organisation’s culture exists whether its leadership intentionallyseeks to cultivate one or not.

How do you assess/audit Culture?

SOFT STUFF

HARD STUFF

Policies and ProceduresResources

GoalsTechnology Norms of Behavior

Informal InteractionsValues

Feelings

OFTENFOCUSED UPON

RARELYFOCUSED UPON

21© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

How do you Audit/Assess Culture – Adopt a FrameworkCultural drivers Entity level instruments

Competencies & Context

Belief & Commitment

Action & Determination

Knowledge & Understanding

VisibilityIs employee behavior, e.g. the risk responses and the effects

thereof visible within the organization?

ClarityAre rules, (risk) policies

and procedures accurate, concrete and complete and do employees understand what is

expected?

Role ModelingDoes management lead by

example and display leadership, especially regarding

risk management?

InvolvementDo employees feel

accountable for the proper use of risk policies and take

ownership for the strategyof the organization?

OpennessIt is normal to discuss (latent)

risks and is there an atmosphere of both challenge

and mutual respect?

PracticabilityDo the organization’s targets

correspond to the risk appetite and overall risk strategy and are employees enabled to do what is requested of them in

terms of managing risks?

ImprovementAre incidents and ’near misses’

evaluated to determine potential risks and do

employees feel they learn from their mistakes?

EnforcementAre employees rewarded for responsible behavior and is

irresponsible behavior disciplined?

Strategic objectives and key risksCascading statement and metrics

Related role descriptions and expectationsPolicies and processes

Management information

Information momentsGovernance

Management messagesPart of (management) agenda

Access to expertiseCompetency profiles

Processes stimulating considerationTools: workshops, assessments

Escalation proceduresKey Performance Indicators (KPIs)

Root cause analyses and recommendationsAggregation of risk information

Tracking recommendations

22© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Appropriate Adequate Effective

Met

hod

Res

ults

#1 Mechanism review■ P & P evaluated against industry standards,

best practices and regulatory expectations.■ Allows the firm to understand if policies and

processes, Exist; Have clear ownership; Are Embedded into ongoing management processes and governance structures.

#3 Survey, interviews and focus groups

■ Baseline and ongoing assessment of values, attitudes, observed behaviours.

#2 Incident review (AAR)■Review risk incidents, near misses

and breaches. (“Hot Wash”; MLR).

Key Insights, Facts and Data Relative to:• How people actually manage risk• How do perceptions of risk culture differ

across hierarchies and micro-cultures?• Potential gaps between defined policy and

practice

Would it work if it were used?

Does a framework exist?

The use of multiple lenses provides a complete picture of where cultural issues originate – in the articulation of policy or the way in which people ultimately behave.

Achieving a holistic understanding of an organisation’s risk culture, can be done through the following methods…

How do you Audit/Assess Culture – Three options

23© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

. Via documentation reviews, surveys, interviews and/or workshop we collect information about entity level instruments. We analyze this data on three aspects: 1. Presence means that the

entity level instrument is present

2. Quality is the entity level instrument of sufficient quality in KPMG’s view (Complete, current, clear ownership, accessible, consistent, governance, etc.) to support management and employees with the desired risk culture

3. Implementation means the entity level instrument is implemented in a way that all management members and employees could be aware of the entity level instrument

NoPartiallyYes

Entity level instruments Presence Quality Implementation

Knowledge and Understanding

Strategic objectives and key risks

Risk policies and processes

Belief and Commitment

Consistent management messages

Part of (management) agenda

Competences and Context

Competency profiles

Assessments

Action and Determination

KPIs

Tracking recommendations

How do you Audit/Assess Culture – Entity Level Instruments

24© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Fully disagree Disagree

Partly disagree/

partly agree Agree Fully agree Not applicable

Clarity

Risk information is effectively communicated up and down from my department. O O O O O O

The level of understanding of the department’s policy for managing risk is high within my

department.O O O O O O

Visibility

I see sufficient evidence of business decisions taking risk into account. O O O O O O

I believe my local managers and supervisors know how employees manage risks. O O O O O O

My department is fast enough to realize when things begin to go wrong. O O O O O O

I believe my local managers and supervisors know what type of behavior really goes on within

the organization.O O O O O O

Within my department or work unit the opportunity to engage in misconduct is minimal. O O O O O O

Within my department or work unit adequate checks are carried out to detect risks. O O O O O O

A survey can measure the implementation and understanding of risk management. The survey also provides an understanding of attitudes and perceptions regarding risk culture. The survey can include demographic questions understand seniority, function, location, and business unit of the respondent.

The table on the right gives an impression of possible questions.

Representative example of a survey.

Risk Culture SurveyHow do you Audit/Assess Culture – Survey Questions

25© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Cultural drivers Results Organization X

Clarity 63%

Visibility 68%

Involvement 58%

Role modeling 77%

Practibility 44%

Openness 60%

Enforcement 60%

Improvement 58%

0%20%40%60%80%

100%Clarity

Visibility

Involvement

Role modeling

Practicability

Openness

Enforcement

Improvement

Organization X

Clarity (63%) Organization X

Negative Neutral Positive

I am confident that I could describe the benefits of having a risk management policy

8% 12% 80%

The level of understanding of the department’s policy for managing risk is high within my department

40% 5% 45%

The management’s appetite for allowing to take some risks is clear to me

30% 6% 64%

All outcomes of the survey are collected per cultural driver and translated into negative, neutral, and positive. Negative = Fully disagree + DisagreeNeutral = Partly disagree/partly agreePositive = Fully agree + AgreeThe average positive outcome of all questions, represent each cultural driver. All outcomes are represented in a report via a table with all questions, a table with an overview of all cultural drivers and a spider web of all cultural drivers.

How do you Audit/Assess Culture – Survey Results

FrameworkElementss.

26© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

How do you Audit/Assess Culture – Root Cause Report

27© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775

Business / Operational

• Business goals / objectives• Target growth rates compared to CAGR%• Frequency of formal staff communications on values• Accuracy of budget (scale of variance , frequency of adjustments)

Compliance

• Losses, penalties, or fines for regulatory non-compliance• Internal monitoring exceptions• Audit findings and Repeat issues• Compliance investigation activity• Regulatory inspection results

HR

• Employee survey scores• Completion of training• 360 feedback assessments and self assessments• Employee complaints / grievance activity/Exit Interviews• Employee and management turnover and regretted losses• Time to fill vacancy rates

How do you Audit/Assess Culture – Indicative Metrics

Questions?