What is risk culture?

Risk Culture – This is the first in a series of blogs on risk culture. We start with the fundamentals and a definition. Subsequent posts will delve into how to measure, analyse, and manage an effective risk culture, how to understand what ‘good’ looks like and how to influence your risk culture to support business objectives.

What is risk culture and why is it important?

Organizations have made significant progress in developing rules, frameworks, processes and standards for managing risks. However, rules can be misunderstood and misapplied, inadvertently or deliberately. The ‘missing link’ in understanding how to balance risk and reward decision making successfully is an organisation’s risk culture.

Risk culture – you have one, but is it effective?

But what is risk culture? According to the Institute of Risk Management, it is the sum of the organisation’s “shared values, beliefs, knowledge, attitudes and understanding about risk, shared by a group of people with a common intended purpose, in particular the leadership and employees of an organisation”.

Every organisation has a risk culture. The question is whether that culture is effectively supporting or undermining long-term success.

Deficiencies in leadership, competence, communications and culture have been blamed for many of the worst industrial accidents and environmental disasters. Rogue traders causing millions of pounds of losses for investment banks can also be traced back to flaws in risk behaviour.

Equally, an inappropriate risk culture isn’t always about taking too much risk. Kodak was a trusted leading brand for over a hundred years. But its strategic failure to reinvent itself and exploit digital technology led to bankruptcy. Its culture meant that Kodak avoided risky decisions and instead developed procedures and policies to maintain the status quo rather than adapting to the changing external environment.

Risk culture: more than just a statement of values

Clearly, the prevailing risk culture within an organisation can make it significantly better or worse at managing risks.

As a result, corporate governance requirements around the world are increasingly demanding that boards of organisations should understand and address their risk cultures. According to the Financial Reporting Council’s (FRC) Corporate Governance Code, each board member must be ‘risk aware’, establishing a company’s culture, values and ethics.

A strong risk culture is in the economic interests of firms and their shareholders

The board has a responsibility to set, communicate and enforce a risk culture that consistently influences and directs the strategy and objectives of the business. This starts with the risk behaviours, attitudes and culture of the board itself and translates into concrete actions down through the organisation.

Importantly, the management of risk culture offers more than just a way of avoiding the downside. More and more firms are forming the view that a strong risk culture, which builds consumer trust in firms and markets and inspires employees, is in the economic interests of firms and their shareholders.

All organisations need to take risks to achieve their objectives. However, establishing a consistent and enterprise-wide risk management framework, supported by a strong risk culture, aids business resilience, and minimises risks and potential losses. It also helps an organisation identify and take advantage of the right opportunities, and ultimately gain competitive advantage.


Next: Managing and improving an organisation’s risk culture. We’ll look at the role of leaders and the tools to gather data on risk culture.

For more information on Risk Culture, please contact your local Willis Towers Watson office or visit www.willistowerswatson.com.

About Alasdair Wood

Alasdair Wood is a Director in Willis Towers Watson’s Human Capital and Benefits team, based in London. He has 17…
Categories: Financial Services

3 Responses to What is risk culture?

  1. Zimvo Garane says:

    How does risk culture of the organisation impact the success or failure of the project?
    How to integrate project risk management with organisational culture?

  2. No two people will respond the same way to a situation of risk; the way any person responds to risk is influenced by a number of factors. The main ones are:

    Nationality & culture
    Childhood experiences (and formative environment)
    Work ethics, trust & honesty
    Education (and the way it was obtained)
    Work experience
    Religion and other spiritual thinking
    Attitude towards life (and death)

    Risk practitioners generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like the policies, procedures and systems, these are worthless if human attitude, acceptance and desired response are lacking.

    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

  3. Ian Beale says:

    I agree that culture is important in both risk taking and risk management. But I was hoping that you would say more about exactly how a culture can be created or adjusted. What are the most effective levers that management have – both formal and informal?
    We know policies are important but so are actions – what do management – senior and operational – actually do? Do staff feel they can raise questions and get answers, can they raise concerns and be listened to, etc.?
