You can take a horse to water but you cannot make it drink. You can take risk management to your business but you cannot make them do it. People, to be successful in anything they do, must have a desire to do it. This breeds passion which drives people to excel.

Getting the right culture to support risk management across your business is the most important ingredient for success. 

So what does the right “risk culture” mean and how do we create and maintain it? Culture is embedded within people’s thoughts which then influence their behaviours and actions. Risk culture is their thinking, behaviours and actions around risk and risk management.

In order to achieve a great corporate wide risk culture, we need to define what it is and then we embed it into our people. Let’s start with what it is.


This comes down to whether a person has the knowledge of what is “right” and “wrong” and then whether they choose to do the “right thing”. Corporate culture must be clear on defining what right and wrong is and then promote that across the organisation. This should come from corporate values, manifested in the risk appetite and policies, practices and behaviours of our senior management and board. The uncertain “grey” area between right and wrong should be minimised as far as possible.

We then need to motivate staff to do the “right thing”. This comes from explaining why doing the right thing is better: we will be more successful and we can all share in that, we will be positively recognised by our peers, we will create a great environment in which to work etc. Lastly we need mechanisms to recognise “wrong” behaviour, call it out and encourage staff to choose the right thought next time. Organisational creep occurs when staff push away from the “right” into the shade of grey and sometimes the plain wrong and no one notices and there are no consequences. They will continue to operate in the “wrong” and after time even encourage colleagues to join then on the “dark side”. Over time, our culture deteriorates.


Once our people’s thinking is right, they will behave accordingly. This will include typically strong risk culture behaviours such as:

  1. Strong and open communication. Escalate as soon as a problem or issue arises
  2. Always considering risk in any decision that is made, prior to the decision being made
  3. Taking responsibility for risk and controls. Be willing to stand up and claim ownership
  4. Telling the truth and taking ownership of problems
  5. Being concerned about the impact of their risk management on others – appreciating what is downstream when something goes wrong
  6. Encouraging and educating others in risk and risk management
  7. Showing a desire to be more risk aware gain more risk management knowledge
  8. Demonstrating a positive attitude to risk management.


When the right thinking and behaviours exist, we can move to developing specific actions for each staff member with respect to risk management.

This will include:

  1. Calling out, escalating, recording, reporting and managing all risk incidents as soon as they occur
  2. Reviewing key risk indicators in amber and red and following them up on a timely manner
  3. Following up outstanding actions and ensuring they are implemented by due date
  4. Being risk aware at all times and updating risk assessments as risk profiles change
  5. Taking compliance attestations seriously. Answering then honestly and in a timely manner
  6. Raising risk as part of every decision
  7. Praising staff who call out risk incidents and issues early. 

Key elements to creating and maintaining a good risk culture

In order to foster the thoughts, behaviours and actions above, some key principles must be followed:

  1. Risk and risk management must be understood by all of your staff. They cannot have a strong culture around what they do not understand. Also read: What does it take to be a Risk Manager?
  2. The risk management framework must be aligned as a business enabler, not a hindrance
  3. The risk management process must be efficient and not cumbersome
  4. Risk management should be simple and easy to understand. It should be kept “real”
  5. Good behaviour and actions should be recognised and rewarded. Bad behaviour should have consequences
  6. Most importantly, the correct culture must be set at the Board and Senior Management level and must be demonstrated to staff through “walk the talk” not “talk the talk”. Setting the tone at the top helps drive the importance of risk culture across the organisation.

Want to learn more about how to improve risk culture?

If you wish to learn more about the elements of risk culture and how Protecht can help you in assessing and developing your risk culture through training, surveys and framework design, please email

Banner_A Pratical Guide to Risk Maturity_Blog_1200x6002


Related Articles

feature image
Risk Culture

When risk and reward don’t talk

Recently I visited a shopping centre that I hadn’t visited in a while. The below ‘feature’ caught my eye and caused me to scratch my head. Multiple...
Read more
feature image
Risk Culture

Wells Fargo: The standard you walk past?

The US retail bank Wells Fargo has had a considerable number of incidents over the last several years. The list of scandals, complaints, and fines is...
Read more
feature image
Risk Culture, Operational Risk, Risk Manager, GRC

Top 5 Risk Management Challenges for FinTechs

It’s clear that today’s operating environment is changing at a very rapid pace, which means the risks are evolving fast, too. In this blog, we...
Read more