How effective is your risk culture?

It’s accepted that strong leadership and a positive culture can have a big impact on whether a business achieves its goals. The same applies to risk management.

What is risk culture?

Risk culture describes a business’s shared values, beliefs, knowledge, attitudes and understanding about risk [1]. Every business has a risk culture. The question is whether that culture is supporting or hindering success.

Why is risk culture important?

Risk culture affects both your business’s and your employees’ ability to take strategic risk decisions to deliver performance goals. Depending on the culture, it could also lead to serious reputational and financial damage. These industry examples can be traced back to flaws in risk culture:


Risk-taking is an essential part of the financial services industry. However, it’s important for it to be well managed. According to the Financial Services Authority, the collapse of the Royal Bank of Scotland (RBS) in 2008 was partly down to poor decision making by the management and board. This was underlined by their management capabilities and style, mechanisms for oversight and challenge, and their culture, particularly its attitude to the balance between risk and growth.


An unsuitable risk culture isn’t always about taking too much risk. Kodak was a leading brand for over a hundred years. But its strategic failure to reinvent itself and use digital technology led to bankruptcy. Their culture was risk averse so as to maintain the status quo. They didn’t adapt to the changing external environment, and rivals did.


VW have admitted to lying about vehicle mileage and emissions. Reports say their leadership had such aggressive goals that the technical teams couldn’t achieve them. Rather than have the courage to speak up, employees chose the ‘easier’ route of dishonesty.

What does an effective risk culture look like?

An effective risk culture enables and rewards individuals and groups for taking the right risks in an informed manner. This can include:

  1. A consistent tone from the board and senior management
  2. Commitment to ethical values and thought to wider stakeholder needs
  3. Clear accountability and ownership of specific risks and risk areas
  4. Clear and timely communication of risk information without fear of blame
  5. Learning from mistakes and near misses by supporting risk event reporting
  6. Ensuring no process or activity is too large or complex for its risk to be understood
  7. Rewarding and encouraging suitable risk-taking behaviour, and challenging and punishing wrong behaviours
  8. Valuing, encouraging and developing risk management skills and knowledge
  9. A diversity of perspectives, values and beliefs so the status quo is challenged
  10. Employee engagement to ensure focus on both business and personal needs 

How can your business improve its risk culture?

To improve the risk culture, your employees need to understand their roles and responsibilities, and their importance to the success of your business. This starts with senior figures leading from the top by:

  • Recognising that they’re accountable
  • Defining roles, responsibilities and accountability for managing and reporting on risk
  • Setting achievable risk management goals
  • Communicating commitment
  • Providing the infrastructure to support successful risk culture elements 

When senior figures lead from the top, staff will feel they can raise concerns and be listened to. They can then:

  • Be aware of the risks that relate to their roles and activities
  • Improve their management of risk
  • Provide information to develop the risk management process
  • Implement controls as part of day-to-day duties
  • Report ineffective and/or inefficient controls


1. https://www.theirm.org/media/885907/Risk_Culture_A5_WEB15_Oct_2012.pdf