4 Surprising Truths I Learned About Finding What Really Matters in an Organization
When most people hear the word "audit," they picture a tedious, box-ticking exercise. It conjures images of someone with a clipboard, searching for missing paperwork and focusing on procedural compliance. It feels like a test of administrative hygiene, not a measure of organizational health.
But some of the most insightful audits, like those for the risk management standard ISO 31000, flip this idea on its head. This approach reveals that understanding an organization's true health isn’t about documents—it’s about behavior, decisions, and culture. It requires a unified diagnostic method.
This post will share four interconnected lessons from this world that form a powerful methodology for understanding how a business really works. It starts with asking for stories to understand decisions, then seeing the culture for yourself to validate them, and finally, testing for effectiveness to measure what truly matters.
1. It’s Not About the Paperwork, It’s About the Decisions
In a principle-based audit, the focus shifts dramatically away from static artifacts like risk registers and policy documents. The classic mistake I see is teams treating these documents as the objective. But paperwork is often a lagging indicator or, worse, a tool for plausible deniability. The real focus must be on the dynamic, human elements: judgment, decision-making, behavior, and the organization's escalation culture.
For this reason, the most critical evidence comes from talking to people, not from reading documents. My job as a consultant is to understand the "how" and "why" behind choices, which can only be uncovered through conversation.
In ISO 31000 audits, how people decide matters more than what documents exist.
This is a critical distinction. Documents show intent—what the organization plans to do. Conversations about actual decisions reveal reality—what people actually do when faced with uncertainty and pressure. But how can you validate what you hear in these conversations? The most powerful way is to see the culture in action for yourself.
2. You Can Literally See a Healthy Culture in Action
In this context, "observation" isn't a passive activity. It means actively watching decision-making in its natural habitat—management meetings, project reviews, or other key forums where choices are made and resources are committed.
During these observations, what I look for is tangible evidence of a risk-aware culture. Are risks and opportunities discussed openly and honestly? Is constructive challenge encouraged, or is dissent shut down? Are decisions made with an explicit awareness of the associated risks?
This stands in stark contrast to the common red flags: a dominant personality who suppresses discussion, a group that makes decisions without any reference to risk, or meetings focused solely on hitting delivery dates without considering the organization's exposure.
A risk-aware culture is visible—you can see it in meetings.
This is a powerful concept. A healthy culture isn't just a slogan on a poster; it's a set of observable behaviors that can be seen and evaluated in real time. Observing these behaviors is key, but it still doesn't tell you if all this activity is actually making a difference.
3. Being Busy Is Not the Same as Being Effective
It's a common misconception that more activity equals better risk management. Organizations can feel a false sense of security from having a large risk register, complex heat maps, or thick binders of documentation. But this activity is meaningless if it doesn't lead to better outcomes.
Effectiveness in this context has a very specific definition. It means that risk information actually informs and influences decisions. It means that actions taken to treat a risk genuinely reduce the organization's exposure, that monitoring of key trends actually triggers an action, and that leadership actively intervenes when necessary.
The single most important test—the real acid test for effectiveness—can be distilled into one direct question: “Did risk information change a decision?”
This is the ultimate measure because it proves the entire system is more than a theoretical exercise. If the answer is yes, it demonstrates that the process has a real, tangible impact on the organization's direction. If the answer is no, the process is likely just administrative theater. To get to this answer, you have to ask the right kind of questions.
4. The Best Questions Ask for Stories, Not Statements
Because this entire approach relies so heavily on interviews, the quality of the questions asked is paramount to uncovering the truth. The goal is to move beyond generic assurances and get to concrete evidence of behavior.
This requires a shift away from closed-ended questions that merely check for the existence of something and toward open-ended questions that ask for examples and narratives.
- Poor questions: "Do you have a risk register?" or "Is risk management implemented?" These invite simple "yes/no" answers that provide no real insight.
- Good questions: "Can you describe a recent risk decision you made?" or "What happens when a risk exceeds tolerance?" These questions compel the person to tell a story, revealing how processes actually work in practice.
One of the biggest red flags is when a leader makes a vague claim like, "We always manage risk," but cannot provide a single concrete example to back it up. This gap between assertion and evidence is the single most reliable indicator that a process exists only on paper. Asking for stories is a universally useful technique because it cuts through corporate jargon and reveals how things are actually done.
Conclusion: Look for the Evidence of Action
To truly understand an organization, you must look beyond the artifacts—the policies, the reports, the registers—and examine the behaviors. The real story is found in the decisions people make, the discussions they have, and the challenges they are willing to raise. This entire method is designed to diagnose the divergence between what is said and what is done.
The combination of story-based interviews, direct observation of decision-making, and an unwavering focus on outcomes provides a far more accurate and defensible picture of an organization's health than any document-only review ever could. It separates intent from reality and activity from effectiveness.
As you look at your own corner of the business world, ask yourself this: In your own team or organization, what do people's actions—not their reports—tell you about what is truly important?
