intro to blog

James Paterson's blog

A selection of blog posts by James Paterson.

Some perspectives on Culture

A conversation between James Paterson and Liz Crede – March 2016

Liz, can you talk about the idea of a right culture?

In my opinion there is only a right culture if it has the right fit for your organisation, business and its strategy. What would be a good culture for one organisation may not be so for another, due to the fact that their context may be different.

An effective culture is one that ensures your organisation is achieving the results you want to achieve, both externally and internally – and in all areas. It’s not just about profit and return on investment. It is about achieving the right results in terms of human performance, people being engaged with their work, doing the work they want to do as well as delivering on innovation as well as robust risk management and accounting practises.

Can you expand in more detail on the idea of different contexts demanding a different organisational culture?

Let me share my experience from two different industries I have worked in. In the pharmaceuticals sector, part of their culture is for it to be process orientated and to think in longer-term time horizons because it takes a long time to find and develop new drugs. So the whole process of creativity and experimentation and longer time frames is necessitated by the business and should be part of the culture.

However, if you go and work in a retail environment you’ve got to make decisions about what to do tomorrow which might be different from what you did yesterday; the context demands very fast paced, very quick reactions, so that business imperative feeds through back into the whole organisation. You couldn’t have a pharmaceutical type culture in a retail organisation or a retail culture in a pharmaceuticals company. It just would not work because of the need for immediacy and response, with a fast paced turnaround of trying things, and getting results and building on that in a very quick time scale versus the need for a more deliberate approach.

Consequently a good culture in a retail context is one that would enable decision making at the customer facing end, where face to face with customers you need autonomy of decision making, and a culture that supports, that empowers people, to enable them to do that, which is very different from a culture in pharmaceuticals that needs to double check decisions before putting a new drug out into the market. This context has a very different risk profile and requires a different organisational culture. Continue Reading

Speaking at IIA International Conference

IIA International Conference, 17 – 20 July 2016, New York, USA.

Lean Auditing: How, What and Why?
James Paterson | Director, Risk & Assurance Insights Ltd.

In this session, participants will:

  • Discuss the definition and theory of Lean Auditing.
  • Learn how Lean Auditing can offer a back-to-basics way of looking at value and efficiency in audit.
  • Explore what stakeholders want and do not want, and how Lean Auditing can serve those requirements.
  • Identify new approaches to assignment planning and delivery based on the precepts of Lean Auditing.

Further details about the conference can be found here.

Speaking at IIA HIA Conference

Internal Audit Leaders’ Conference 16th March 2016 

Combined assurance, one language, one voice, one view
James Paterson | Director, Risk & Assurance Insights Ltd.

  • consistent messaging across all governance bodies and functions within an organisation
  • breaking down silos and more efficient collection and reporting of information
  • a common view of risks and issues.

Further details about the conference can be found here.

Root Cause Analysis – An important tool for Internal Audit

Over the past 14 years working in the internal audit arena I have seen a growing interest in the topic of Root Cause Analysis (RCA). My involvement in the topic has evolved from using it as part and parcel of a “lean auditing” approach, to running RCA webinars and seminars for the IIA UK, to the delivery of various in-house training workshops on this topic, and now more recently, offering a 1 day open course on RCA, as well as supporting the IIA UK to write a new practice guide on the topic.

This article explains:

  • What Root Cause Analysis is
  • What involvement should IA have in RCA
  • Why effective RCA is not as straight-forward as you might think
  • Why RCA is gaining interest in audit
  • Some practical steps audit teams can take

What is RCA?
RCA is about identifying why an issue occurred compared to simply reporting the issue, or its immediate or contributing causes. The issue could be an error, non-compliance, and non-delivery of an objective or anything else that would be regarded as a failure or problem in the eyes of stakeholders. Continue Reading

Assurance ratings – simplistic approaches are not always a good idea

I talked in an earlier blog about the benefits and drawbacks of having a ‘standardized approach’. Here is another example from assurance mapping where ‘standard’ terms can cause problems. Consider the standard assurance ratings as follows:

  • Low assurance confidence – where management are self assessing their own work
  • Medium assurance confidence – where the second line of defense (compliance and risk functions etc.) are checking what is being done
  • High assurance confidence – where there is independent checking of  (say) >50% or 75% of key controls

These seem so sensible and reassuring – let’s use these criteria to produce an assurance map! The importance of independent checking by Internal Audit will become clear!

The problem with this sort of standardized assessment is that it implicitly downplays assurance from the first and second lines of defense and favours audit work in a way that can cause significant issues when management are told about their low levels of assurance.  Lets consider this question more closely how confident should we be with each type of assurance:

1)    Management

Of course there is always a risk of self-deception in self-assessment by managers of their own activities, but if the criteria management should apply are clearly spelled out, and the manager concerned is experienced and unafraid to be honest, we can take a lot from their assessment. This is all the more so when management may be reporting upwards that they have issues and concerns that need to be addressed.  Thus it is a dangerous over simplification to say that all management assurance is only of low quality. Continue Reading

Join our mailing list

We will keep you updated with news and events.

Contact

Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
Email

Please also use our contact form