• About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact
  • Menu

The Risk Coalition

  • About us
  • Raising the Bar
  • Raising your Game
  • The Extra G - Geopolitical
  • Risk Matters - Roundtables
  • Leadership Team
  • Events
  • Blog
  • Contact

Internal audit and risk functions must collaborate to champion a healthy culture

April 13, 2022

A rotten or weak corporate culture can seriously damage an organisation’s health.  That is the clear message coming from the Chartered Institute of Internal Auditor’s new report ‘Cultivating a healthy corporate culture – why internal audit and boards must take corporate culture more seriously in a post-Covid world’.  Indeed, it seems there is not a week that goes by without fresh media headlines linking a major scandal to an unhealthy culture.  Such culture-related scandals highlight the visible impact a culture crisis can have on reputation, public trust, and damage to long-term sustainability. 

In fact, we’ve seen time and again the role that an unhealthy culture can play in being a major cause of corporate collapses.  Whether it be BHS, Carillion or Patisserie Valerie, the root cause of these company failures is often associated with an unhealthy corporate culture.  Often fuelled by misconduct, bad behaviour, and the wrong tone from the top.  

Yet despite the potential negative impacts, the Chartered IIA’s research suggests that not enough boards are taking the risks associated with culture seriously.  The research based on a poll of over one hundred senior internal audit executives found that almost a quarter of boards have not even established and articulated what culture they want for the organisation despite this being a basic but fundamental requirement for the effective leadership, governance, and resilience of organisations.  Moreover, over half of the senior internal audit executives surveyed indicated that they had not been asked by the board or the audit committee to provide reports on culture or equality, diversity, and inclusion initiatives.

Yet with what many have described as the ‘Great Reshuffle’ taking place, following the Covid-19 pandemic, and many organisations facing significant challenges in attracting and retaining talent, this means it has never been more important for boards to focus on cultivating a healthy corporate culture.  This is reflected by a recent survey by the recruitment firm Hanson Search which found that culture ranks as the number one consideration when people are looking to make a job move.

Meanwhile, the Chartered IIA research found that the top three risks to have the biggest impact on culture are: human resources, talent management, and recruitment and retention risk (64.5%), inclusion, equality and diversity risk(34.1%) and health, safety and well-being risk (31.6%).  The fact is corporate culture is not just a risk in its own right, but it has a significant impact on a broad range of other risks, and vice versa with other key risks having a big impact on the corporate culture.

Given the increasing prominence of corporate culture as a business-critical risk, the Chartered IIA is calling on internal audit, audit committees, and boards to start being more proactive and step up regarding their organisation’s culture.  But it is not just internal audit or those governing an organisation that have a critical role to play here, there is also a vital role for risk functions too in monitoring, assessing, and providing assurance that the culture is healthy.  In fact, one of the key roles of internal audit is to assess how well the risk function is performing in its role in monitoring  culture, in other words providing third line assurance that the second line is doing its job properly. 

This point helps to underline the critical importance of cross-organisation collaboration on corporate culture and the need for internal audit, risk management and other business functions to work together in this area.  This was reaffirmed by the Chartered IIA’s latest survey which found that around half of all internal audit functions collaborate with risk management on their work on culture, only second behind HR.  Risk management should therefore work with internal audit to ensure there is a joined-up approach to identifying, managing, and mitigating culture-related risk.

Expectations for organisations to pro-actively cultivate a healthy culture are only likely to rise in the years ahead, along with the increased focus on ESG more broadly.  We therefore urge boards, internal audit, and all those engaged in the management of risk, to collaborate and work together in partnership to now step-up and play their part in monitoring, assessing, and providing independent assurance on corporate culture.


Gavin Hayes is Head of Policy and External Affairs at the Chartered Institute of Internal Auditors and author of ‘Cultivating a Healthy Culture’ which is available on the Chartered IIA’s website

Tags: Gavin Hayes
Prev / Next

Blog

Featured
Apr 15, 2025
Vera Cherepanova
The future of ESG: navigating a fragmented landscape
Apr 15, 2025
Vera Cherepanova
Apr 15, 2025
Vera Cherepanova
Mar 6, 2025
Mo Warsame, Gavin Hayes
Internal audit and risk management must work together to navigate uncertainty
Mar 6, 2025
Mo Warsame, Gavin Hayes
Mar 6, 2025
Mo Warsame, Gavin Hayes
Sep 4, 2024
Polly Williams, Mia Harris
Three key threats of phishing to be aware of
Sep 4, 2024
Polly Williams, Mia Harris
Sep 4, 2024
Polly Williams, Mia Harris
Aug 25, 2024
Felix Ritchie
Principles versus rules in data and corporate governance
Aug 25, 2024
Felix Ritchie
Aug 25, 2024
Felix Ritchie
Jul 16, 2024
Jane Hunter, Mia Harris
How can you maintain high standards in your business without suffering burnout?
Jul 16, 2024
Jane Hunter, Mia Harris
Jul 16, 2024
Jane Hunter, Mia Harris
Jun 2, 2024
Afshan Moeed
Enforcement of individual accountability in UK banking: a new boardroom recipe for change or continuity?
Jun 2, 2024
Afshan Moeed
Jun 2, 2024
Afshan Moeed
May 28, 2024
Craig Morris, Mia Harris
Three exciting new developments for AI in 2024 that you need to know about
May 28, 2024
Craig Morris, Mia Harris
May 28, 2024
Craig Morris, Mia Harris
May 24, 2024
Stefan Hunziker
The stuff of nightmares: risk management is shut down, and nobody notices
May 24, 2024
Stefan Hunziker
May 24, 2024
Stefan Hunziker
Mar 20, 2024
Neil Tinegate
What should boards know about digital technology?
Mar 20, 2024
Neil Tinegate
Mar 20, 2024
Neil Tinegate
Mar 15, 2024
Francis Kean
The insolvency risk for company directors - are you swimming naked?
Mar 15, 2024
Francis Kean
Mar 15, 2024
Francis Kean
Feb 29, 2024
Andy Watkins-Child
Are you sitting comfortably?  Cyber risk, board attestations and the implications for NEDs
Feb 29, 2024
Andy Watkins-Child
Feb 29, 2024
Andy Watkins-Child
Oct 24, 2023
Mamun Madaser
Risk management and internal audit should collaborate to navigate the poly-crisis of risk
Oct 24, 2023
Mamun Madaser
Oct 24, 2023
Mamun Madaser
Oct 18, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 2
Oct 18, 2023
Jim Watson
Oct 18, 2023
Jim Watson
Oct 13, 2023
Nisha Sanghani
Risk management and internal controls: much (needed) work to do as a result of the proposed changes to the UK Corporate Governance Code
Oct 13, 2023
Nisha Sanghani
Oct 13, 2023
Nisha Sanghani
Oct 9, 2023
Jim Watson
How to mitigate the risk of cyber security breaches – part 1
Oct 9, 2023
Jim Watson
Oct 9, 2023
Jim Watson