While auditing risk culture is still a relatively new concept for most organisations, it’s an area that is receiving increased focus.

Brought on by themes identified in the Royal Commission into Financial Services, the outcomes of the CBA Inquiry, APRA's renewed focus on Governance, Culture, Remuneration & Accountability (GCRA), and the work of international regulators such as the FCA, organisations need to understand how to embed risk culture audits in a more formalised way.

Guided by the Institute of Internal Auditors’ (Australia) recent publication “Auditing Risk Culture: A practical guide”, coupled with our deep expertise in the financial services industry, we’ve developed a 6-step framework. Our framework outlines key considerations when developing a methodology for risk culture measurement and monitoring, as well as performing audits on the subject.

We believe that there is no ‘one size fits all approach’ and each financial institution will likely adopt a different approach that best suits their size, complexity and operating model. Our 6-step guide is designed as a basis to be tailored to your individual approach.

Grant Thornton’s 6-step framework: Measuring and auditing risk culture


1. Consider the changing role of Internal Audit and how you can better leverage it to support the provision of insights on culture and conduct to the Board of Financial Institutions.

• Annual review of themes impacting culture.

• Incorporation of ‘risk culture’ indicators or behaviour indicators, as well as qualitative statements within internal audit scopes and reporting.

• Informal interaction between IA and the Board / Audit Committee to explore themes (in camera discussions).

• Root cause analysis – identifying causes for behavioural issues / repeat audit issues or control failures / breaches.


2. Define desired risk culture of the organisation

• Board workshop / brainstorming to determine desired risk culture.

• Consider behaviours and norms that align with the desired culture.

• Link to broader organisational culture and values.

• Develop clear risk culture aspiration statements, for example you could consider 5 value-based statements.

• Is it innovative? Collaborative? Proactive or ethical?


3. Establish/identify the current state

• Define your current state, where is your organisation now? Culture is not static and rarely consistent across an entire organisation.

• Assess inputs – leadership, systems, policies and outputs – attitudes, behaviours, communication approach.

• Is speaking up safe? What evidence reflects this?

• Attitude is everything. Assess the mindset, including intention, effort, motivation and beliefs (surveys, working groups, interviews, review of artefacts including reports, incidents, breaches, HR data and complaints).


4. Bridging the gap between current and desired state: plan for future and development of an appropriate risk culture audit model

• What are the gaps?

• Is your change program aligned to desired culture?

• How will you get there? Set vision and goals, timelines and accountabilities.

• Foster education and awareness across systems, policies, data.

• Implement tools to assess and measure.


5. Establish appropriate tools to assess, measure and report on risk culture

• Risk culture dashboard as a subset of Risk Appetite Statement.

• Key risk culture indicators – artefacts for review include IA findings, complaints, breaches, HR data, surveys.

• Outputs include an integrated and aligned approach to risk culture.

• Regular audit and review (targeted).


6. Determine approach to ‘learnings’, knowledge sharing and ‘moments of truth’

Undertake a root cause analysis to understand deviations from desired state. This forms a key part of success in embedding a strong risk culture and encouraging a transparent sharing of information.

APRA now assesses firms and their leaders against 10 Risk Culture Dimensions, which provide a foundation for Financial Institutions to assess risk culture and map key metrics against each of the dimensions. These dimensions are an important consideration in measuring, monitoring and auditing your risk culture.

10 Risk Culture Dimensions

• Risk governance & controls

• Risk appetite & strategy

• Responsibility & accountability

• Decision-making & challenge

• Performance management & incentives

• Communication & escalation

• Shared values

• Risk capabilities

• Risk culture assessment
