Regulatory staff – and the public sector as a whole – understand risk primarily as a threat. They see risk analysis as a vital tool to help them contain and prevent hazards.
Commercial staff, by contrast, see risk as an obstacle that can be identified, structured and controlled to pursue opportunities for profit.
Although these two different risk cultures are not exact opposites, they show a contrast in emphasis which helps to explain why there are gaps between regulatory design and the reality of compliance, why, in the real world, rules are broken, and why different risk cultures exist.
As an auditor your journey into auditing Culture, might begin by an exploration of risk management and to find out whether there any clues in the organisation’s risk register as to whether ‘Culture’ is recognised as a dimension of risk. And, from here you might want to explore how the organisation interprets the management of culture risk: is culture risk an obstacle to business as usual that can be overcome? or is it a threat to the organisation’s very existence? Answers to these two questions will give you clues as to what to expect when you begin to talk to individuals about risk and culture.