
In a recent discussion with a colleague on preparing for 'black swan' events, we concluded that regardless of the size, type and structure of an organisation, it was having the right risk culture that was the key success factor in preparing for and surviving an improbable event.

Our view is that getting the right culture to support risk management across the business is the most important ingredient for success. But what actually is this thing called 'risk culture' and where can you get it? We believe that risk culture is the system of values and behaviours present in an organisation that guides all risk-related decisions made by management and employees.

System of Values and Behaviours

Having agreed and communicated values that are actually lived through behaviours is seen to be critical to successful organisations, departments within organisations, and teams within departments.

The starting point in establishing and maintaining the right risk culture is to have in place an appropriate system of values, shared beliefs and individual and group behaviour. The foundation of these values is an acceptance that the group (organisation, department or team) is a team with shared goals and objectives; it has a mutually agreed way of doing things and regularly meets to work out how to do things better.

But what does this really mean? Organisational values indicate the type of conduct expected of individuals regardless of their position. Risk-related values include statements such as: risk taking is acceptable, as is failure within the set risk tolerance; and compliance with obligations is non-negotiable (e.g., zero tolerance of non-compliance with WHS).

Values relate to principles of behaviours and transcend specific situations. An example of a risk value statement could be "Employees will never engage in theft, fraud or embezzlement, or participate in deceptive or fraudulent activities towards the organisation, customers, suppliers or any other party with whom the organisation has business dealings".

With values in place, the behaviours that support the values and those that contradict them are identified, so that all employees are clear about what is expected of them. Behaviours that bring the risk values to life need to be reinforced, while those that contradict the risk values need to be challenged and, where appropriate, removed.

"Individuals and groups within successful organisations know their risk values and the appropriate behaviours that support those values. They use them in making risk based decisions and actions."

Organisation leaders have a crucial role to play in setting risk values and living the behaviours that demonstrate their commitment to the values.

Embedding Risk Culture

To embed the right risk culture for your organisation, Protecht recommends that you understand and follow these SIX key principles:

  1. Risk and risk management must be understood by all of your staff. They cannot have a strong culture around what they do not understand.
  2. The risk management framework must be aligned as a business enabler, not a hindrance.
  3. The risk management process must be efficient and not cumbersome.
  4. Risk management should be simple and easy to understand. It should be kept “real”.
  5. Good behaviour and actions should be recognised and rewarded. Bad behaviour should have consequences.
  6. Most importantly, the correct culture must be set at the Board and Senior Management level ("tone at the top") and must be demonstrated to staff through “walk the talk” not “talk the talk”.

If you wish to learn more about how Protecht can help you in assessing and developing your risk culture through training, surveys and framework design, please email
