ECIIA organised a webinar on October 3, 2024, at 17:00 CET to explore the critical topic of risk culture and highlight insights from our recent publication, “Auditing Risk Culture,” with a focus on the banking sector.
Key topics included:
- The role of internal audit in assessing risk culture
- Regulatory expectations in banking
- The unique nature of risk culture in different organisations
Webinar Recap
Risk culture plays a fundamental role in shaping how organisations manage and respond to risks, making it a critical focus for internal auditors. In this webinar, we discussed the importance of understanding and assessing risk culture, particularly in light of regulatory expectations from the European Central Bank (ECB). By addressing both hard frameworks and softer behavioural drivers, internal auditors can better evaluate how an organisation’s culture influences its overall risk management.
- Risk culture is a critical driver of corporate scandals and is highly regarded by the ECB as a key area of focus. See ECB consultation.
- There is a clear connection between governance and risk culture, with both hard drivers (frameworks) and soft drivers (behavioural patterns) playing vital roles.
- Tone at the top is crucial, as leadership, core values, and a strong code of conduct set the foundation. All three lines of defence must be involved, focusing on key dimensions: leadership, effective communication, accountability, and incentive structures.
- Internal audit must define clear objectives and engage leadership early to ensure the success of the audit process.
- One of the main challenges in auditing risk culture is its intangible nature, requiring auditors to remain objective and detached from their own cultural biases.
- Combining quantitative and qualitative data is essential for assessing risk culture. Surveys and benchmarking provide valuable insights.
- Various audit approaches can be employed, including top-down audits, targeted audits, and dedicated behavioural risk audits. Auditors may also integrate risk culture assessments across all audits.
Conclusion: Auditing risk culture is a continuous journey that must be tailored to each organisation. There is no one-size-fits-all solution, and internal audit plays a pivotal role in managing risk culture effectively through creativity and innovation.
The webinar recording is available here.