In a recent discussion with a colleague on preparing for 'black swan' events, we concluded that regardless of the size, type and structure of an organisation, it was having the right risk culture that was the key success factor in preparing for and surviving an improbable event.

Our view is that getting the right culture to support risk management across the business is the most important ingredient for success. But what actually is this thing called 'risk culture' and where can you get it? We believe that risk culture is the system of values and behaviours that are present in an organisation and guides all the decisions related to risk, made by management and employees. 

System of Values and Behaviours

Having agreed and communicated values that are actually lived through behaviours is seen to be critical to successful organisations, departments within organisations, and teams within departments.

The starting point in establishing and maintaining the right risk culture is to have in place an appropriate system of values, shared beliefs and individual and group behaviour. The foundation of the values is an acceptance that the group (organisation, department or team) is a team with shared goals and objectives; they have a mutually agreed way of doing things and regularly meet to work out how to do things better. Read: Why is Risk Training Important?

But what does this really mean? Organisational values are used to indicate the type of conduct expected of individuals regardless of their position. Risk-related values include statements such as: risk taking is acceptable, as is acceptance of failure within the set risk tolerance; and compliance with obligations is non-negotiable (e.g., zero tolerance of non-compliance with WHS).

Values relate to principles of behaviours and transcend specific situations. An example of a risk value statement could be "Employees will never engage in theft, fraud or embezzlement, or participate in deceptive or fraudulent activities towards the organisation, customers, suppliers or any other party with whom the organisation has business dealings".

With values in place, the behaviours that support and that contradict the values are identified, so that all employees are clear about what is expected of them. Behaviours which bring the risk values to life need to be reinforced, while those that contradict the risk values need to be challenged and, where appropriate, removed.

"Individuals and groups within successful organisations know their risk values and the appropriate behaviours that support those values. They use them in making risk based decisions and actions."


Organisation leaders have a crucial role to play in setting risk values and living the behaviours that demonstrate their commitment to the values.

Embedding Risk Culture

To embed the right risk culture for your organisation, Protecht recommends that you understand and follow these SIX key principles:

  1. Risk and risk management must be understood by all of your staff. They cannot have a strong culture around what they do not understand.
  2. The risk management framework must be aligned as a business enabler, not a hindrance.
  3. The risk management process must be efficient and not cumbersome.
  4. Risk management should be simple and easy to understand. It should be kept “real”.
  5. Good behaviour and actions should be recognised and rewarded. Bad behaviour should have consequences. See article: How to balance Risk and Reward.
  6. Most importantly, the correct culture must be set at the Board and Senior Management level ("tone at the top") and must be demonstrated to staff through “walk the talk” not “talk the talk”.

If you wish to learn more about how Protecht can help you in assessing and developing your risk culture through training, surveys and framework design, please email
