How Internal Audit Can Help Shape Your Risk Culture

Last weekend I played “The Game of Life” with my son and I realized how early we expose our kids to the concept of risk.  As he approached the choice to take “The Safe Path of Life” or “The Risky Path of Life,” I found myself anxiously awaiting his decision. 

If you recall my last blog, I talked about cultivating curiosity in my son (and your internal audit teams), so I was curious to see the impact of the risk culture that my husband and I have created for our family. The result wasn’t a huge surprise. His mother, the internal auditor, had successfully instilled a conservative risk appetite and my little guy chose to stay safe (phew!). 

Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose. As an internal auditor, I think about risk as part of the regular course of business.

Here are some ways that internal auditors, as trusted advisors to the organization, can help companies shape their overall risk culture - just as I’ve helped shape the risk culture for my family: 

  • Help articulate risk and how it affects you – If I ask my son why he should look both ways before he crosses the street, he’ll answer “so I don’t get hit by a car.” Internal auditors have a unique view into the risks of an organization. They can help management communicate which risks should be prioritized and which should be accepted.  


  • Think about maturity – It’s important to talk about risks with your kids and your organization, but it’s important to do so in a way that they will understand. Internal auditors should assess the risk maturity of the organization and find ways to explain risk in a manner that will be impactful. Remember when explaining why someone should care about risk, “because I said so” is rarely the most effective response.


  • Identify warning signs of risky behavior – When my son is playing and it suddenly gets quiet, that’s an indicator that he may be up to trouble. Internal audit can help management identify mechanisms to recognize if risky behavior is occurring within their organization.  More and more, I am seeing Internal audit reviewing culture and corporate governance, which could help identify these warning signs.


  • Assess how the organization measures up When it comes to kids, sometimes Monkey See…Monkey Do. Companies are not much different.  Internal audit can help benchmark against other organizations to help gauge how other companies think about risk and help management determine what that means for their own risk culture.  

Remember that risk appetite is a product of your environment. As a parent and internal auditor, I can continue to lead by example and trust that I’ve done everything I can to impart ways to mitigate risk.  But no matter how much planning and preparation I’ve done, things happen.  The most important thing is to be there to help clean up a “skinned knee” or figure out how to prevent the same thing from happening in the future.

Click Here to Learn More about Internal Audit

6 Steps to Prepare for the New FX Global Code of Conduct
What to expect when you’re budgeting for a new ERP
Related Posts
Risk and Control Gap Analysis and Remediation
Risk and Control Gap Analysis and Remediation
Strategies for Managing Post-Pandemic Risks & Requirements
Strategies for Managing Post-Pandemic Risks & Requirements
Internal Audit: Harnessing the Power of RPA
Internal Audit: Harnessing the Power of RPA