culture is key - chapters site - home€¦ · · 2017-05-24culture is key: assessing/auditing...
TRANSCRIPT
Culture is Key:Assessing/Auditing CultureWithin Your Organization
Edmund Green, Managing DirectorRisk ConsultingKPMG, LLPMay 12, 2017
2© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
• What is Culture?• What is Risk Culture?• Why is Culture for Internal Auditors?• How do you assess/audit Culture?• Questions
Agenda
4© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
What is Culture -Behavioral “Default Settings”
5© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Formal (Overt) Aspects
The way we say we get things done.
Informal (Covert) AspectsThe way we really get things done.
DirectlyObservable
Characteristics
Less ObservableCharacteristics
What is Culture - “The Iceberg”
BeliefsPerceptions
AssumptionsAttitudes
informal systems.
6© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Norms of Behavior and Attitudes Relative to:Risk Awareness
Risk TakingRisk Management
“The norms of behaviour for individuals and groups within an organisation that
determine the collective ability to identify and understand, openly discuss
and act on the organisations current and future risk”
2009 International Institute of Finance,Reform in the financial services industry:
Strengthening Practices for a More Stable System
DirectlyObservable
Characteristics
Less ObservableCharacteristics
What is Risk Culture?
7© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Risk culture is one of the key elements in an organization’s Enterprise Risk Management Framework.
Risk culture both influences and is influenced by the other ERM framework elements.
Risk culture influences an organization’s risk appetite, and governance in a reciprocal manner.
Recent research demonstrates that It is possible for an organization to evaluate their risk culture specifically and to measure the system of values and behaviors present throughout an organization that shape risk decisions.
Risk Strategy &
Appetite
What is Risk Culture - An integral part of ERM
9© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Why is culture important?
10© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Why is culture important?
“Culture eats strategy for breakfast”
Source: Peter Drucker, has been described as "the founder of modern management"
11© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Why is culture important?
12© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.
Why is culture important?
91% of executives who
believe culture is“important” or
“very important” at their firm.
2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:
13© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.
Why is culture important?
% of executives who rank culture as atleast at “top 5” Contributor to Firm Value.
2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:
79
14© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.
Why is culture important?
% of Executives who Believe improving
Culture would Increase
Firm Value.
2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:
92
15© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.
Why is culture important?
% of Executives who Believe poorly implemented,
ineffective culture increases chance ofunethical or illegal
behavior.
2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:
85
16© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Source: Corporate Culture: Evidence From the Field, John R. Graham Duke University & NBER, Campbell R. Harvey Duke University & NBER, Jillian Popadak Duke University, Shivaram Rajgopal Columbia University, September 13, 2016.
Why is culture important?
% of Executives who Believe their
firm’s culture isWhere it Should be.
2016 culture survey of > 1,300 C-Level Executive at North American firms revealed:
16
17© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Maintain
Enhance
Promote
Protect
Why is culture important?
Reputation with key stakeholders
Asset and Earnings Quality
Innovation, creativity and agility
The Brand
19© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
How do you assess/audit Culture?
Entering Area 51
20© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
An organisation’s culture exists whether its leadership intentionallyseeks to cultivate one or not.
How do you assess/audit Culture?
SOFT STUFF
HARD STUFF
Policies and ProceduresResources
GoalsTechnology Norms of Behavior
Informal InteractionsValues
Feelings
OFTENFOCUSED UPON
RARELYFOCUSED UPON
21© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
How do you Audit/Assess Culture – Adopt a FrameworkCultural drivers Entity level instruments
Competencies & Context
Belief & Commitment
Action & Determination
Knowledge & Understanding
VisibilityIs employee behavior, e.g. the risk responses and the effects
thereof visible within the organization?
ClarityAre rules, (risk) policies
and procedures accurate, concrete and complete and do employees understand what is
expected?
Role ModelingDoes management lead by
example and display leadership, especially regarding
risk management?
InvolvementDo employees feel
accountable for the proper use of risk policies and take
ownership for the strategyof the organization?
OpennessIt is normal to discuss (latent)
risks and is there an atmosphere of both challenge
and mutual respect?
PracticabilityDo the organization’s targets
correspond to the risk appetite and overall risk strategy and are employees enabled to do what is requested of them in
terms of managing risks?
ImprovementAre incidents and ’near misses’
evaluated to determine potential risks and do
employees feel they learn from their mistakes?
EnforcementAre employees rewarded for responsible behavior and is
irresponsible behavior disciplined?
Strategic objectives and key risksCascading statement and metrics
Related role descriptions and expectationsPolicies and processes
Management information
Information momentsGovernance
Management messagesPart of (management) agenda
Access to expertiseCompetency profiles
Processes stimulating considerationTools: workshops, assessments
Escalation proceduresKey Performance Indicators (KPIs)
Root cause analyses and recommendationsAggregation of risk information
Tracking recommendations
22© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Appropriate Adequate Effective
Met
hod
Res
ults
#1 Mechanism review■ P & P evaluated against industry standards,
best practices and regulatory expectations.■ Allows the firm to understand if policies and
processes, Exist; Have clear ownership; Are Embedded into ongoing management processes and governance structures.
#3 Survey, interviews and focus groups
■ Baseline and ongoing assessment of values, attitudes, observed behaviours.
#2 Incident review (AAR)■Review risk incidents, near misses
and breaches. (“Hot Wash”; MLR).
Key Insights, Facts and Data Relative to:• How people actually manage risk• How do perceptions of risk culture differ
across hierarchies and micro-cultures?• Potential gaps between defined policy and
practice
Would it work if it were used?
Does a framework exist?
The use of multiple lenses provides a complete picture of where cultural issues originate – in the articulation of policy or the way in which people ultimately behave.
Achieving a holistic understanding of an organisation’s risk culture, can be done through the following methods…
How do you Audit/Assess Culture – Three options
23© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
. Via documentation reviews, surveys, interviews and/or workshop we collect information about entity level instruments. We analyze this data on three aspects: 1. Presence means that the
entity level instrument is present
2. Quality is the entity level instrument of sufficient quality in KPMG’s view (Complete, current, clear ownership, accessible, consistent, governance, etc.) to support management and employees with the desired risk culture
3. Implementation means the entity level instrument is implemented in a way that all management members and employees could be aware of the entity level instrument
NoPartiallyYes
Entity level instruments Presence Quality Implementation
Knowledge and Understanding
Strategic objectives and key risks
Risk policies and processes
Belief and Commitment
Consistent management messages
Part of (management) agenda
Competences and Context
Competency profiles
Assessments
Action and Determination
KPIs
Tracking recommendations
How do you Audit/Assess Culture – Entity Level Instruments
24© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Fully disagree Disagree
Partly disagree/
partly agree Agree Fully agree Not applicable
Clarity
Risk information is effectively communicated up and down from my department. O O O O O O
The level of understanding of the department’s policy for managing risk is high within my
department.O O O O O O
Visibility
I see sufficient evidence of business decisions taking risk into account. O O O O O O
I believe my local managers and supervisors know how employees manage risks. O O O O O O
My department is fast enough to realize when things begin to go wrong. O O O O O O
I believe my local managers and supervisors know what type of behavior really goes on within
the organization.O O O O O O
Within my department or work unit the opportunity to engage in misconduct is minimal. O O O O O O
Within my department or work unit adequate checks are carried out to detect risks. O O O O O O
A survey can measure the implementation and understanding of risk management. The survey also provides an understanding of attitudes and perceptions regarding risk culture. The survey can include demographic questions understand seniority, function, location, and business unit of the respondent.
The table on the right gives an impression of possible questions.
Representative example of a survey.
Risk Culture SurveyHow do you Audit/Assess Culture – Survey Questions
25© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Cultural drivers Results Organization X
Clarity 63%
Visibility 68%
Involvement 58%
Role modeling 77%
Practibility 44%
Openness 60%
Enforcement 60%
Improvement 58%
0%20%40%60%80%
100%Clarity
Visibility
Involvement
Role modeling
Practicability
Openness
Enforcement
Improvement
Organization X
Clarity (63%) Organization X
Negative Neutral Positive
I am confident that I could describe the benefits of having a risk management policy
8% 12% 80%
The level of understanding of the department’s policy for managing risk is high within my department
40% 5% 45%
The management’s appetite for allowing to take some risks is clear to me
30% 6% 64%
All outcomes of the survey are collected per cultural driver and translated into negative, neutral, and positive. Negative = Fully disagree + DisagreeNeutral = Partly disagree/partly agreePositive = Fully agree + AgreeThe average positive outcome of all questions, represent each cultural driver. All outcomes are represented in a report via a table with all questions, a table with an overview of all cultural drivers and a spider web of all cultural drivers.
How do you Audit/Assess Culture – Survey Results
FrameworkElementss.
26© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
How do you Audit/Assess Culture – Root Cause Report
27© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 590775
Business / Operational
• Business goals / objectives• Target growth rates compared to CAGR%• Frequency of formal staff communications on values• Accuracy of budget (scale of variance , frequency of adjustments)
Compliance
• Losses, penalties, or fines for regulatory non-compliance• Internal monitoring exceptions• Audit findings and Repeat issues• Compliance investigation activity• Regulatory inspection results
HR
• Employee survey scores• Completion of training• 360 feedback assessments and self assessments• Employee complaints / grievance activity/Exit Interviews• Employee and management turnover and regretted losses• Time to fill vacancy rates
How do you Audit/Assess Culture – Indicative Metrics