In light of the financial scandals and recent failures of governance across a range of sectors, from casinos to mines, internal auditors will now have a practical guide for auditing risk culture to improve the risk management processes in organisations.
Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary. Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.
Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management.
Together with effective policies and systems, sound risk culture encourages desirable risk management behaviours such as open and regular discussion of risk, with concerns about business practices raised and acted upon promptly. Collectively, these behaviours help organisations stay within the risk appetite set by the board and achieve performance aspirations in a sustainable way.
An unfavourable risk culture can compromise the effectiveness of the risk management framework in a range of ways. When risk management is seen as a ‘tick-box’ exercise rather than a genuine priority, investment in risk capability and systems may fall short of what is needed for adequate effectiveness. An overemphasis on short-term profits, growth in market share or cost minimisation can override risk management considerations in decision-making.
This 40-page guide is for internal auditors, senior management, board audit committees, and other assurance providers in all sectors of the economy.
While the guide was developed in the context of Australian financial services organisations, we believe that it will be useful more broadly: in non-financial organisations and both within and outside Australia.