
The six key elements to creating and maintaining a good risk culture.

You can take a horse to water but you cannot make it drink. You can take risk management to your business but you cannot make them do it. People, to be successful in anything they do, must have a desire to do it. This breeds passion which drives people to excel.

Getting the right culture to support risk management across your business is the most important ingredient for success. 

So what does the right 'risk culture' mean, and how do we create and maintain it? Culture is embedded within people’s thoughts which then influence their behaviors and actions. Risk culture is their thinking, behaviors and actions around risk and risk management.

In order to achieve a great corporate-wide risk culture, we need to define what it is and then we embed it into our people. Let’s start with what it is.




This comes down to whether a person has the knowledge of what is 'right' and 'wrong' and then whether they choose to do the 'right thing'. Corporate culture must be clear on defining what right and wrong is and then promote that across the organization. This should come from corporate values, manifested in the risk appetite and policies, practices and behaviors of our senior management and board. The uncertain grey area between right and wrong should be minimized as far as possible.

We then need to motivate staff to do the right thing. This comes from explaining why doing the right thing is better: we will be more successful and we can all share in that, we will be positively recognized by our peers, we will create a great environment in which to work, etc.

Lastly, we need mechanisms to recognize wrong behavior, call it out and encourage staff to choose the right thought next time. Organizational creep occurs when staff drift away from the right into the shade of grey, and sometimes into the plain wrong, and no one notices and there are no consequences. They will continue to operate in the wrong and, after a time, even encourage colleagues to join them on the 'dark side'. Over time, our culture deteriorates.


Once our people’s thinking is right, they will behave accordingly. This will include typically strong risk culture behaviors such as:

  1. Strong and open communication. Escalate as soon as a problem or issue arises
  2. Always considering risk in any decision that is made, prior to the decision being made
  3. Taking responsibility for risk and controls. Be willing to stand up and claim ownership
  4. Telling the truth and taking ownership of problems
  5. Being concerned about the impact of their risk management on others – appreciating what is downstream when something goes wrong
  6. Encouraging and educating others in risk and risk management
  7. Showing a desire to be more risk aware and to gain more risk management knowledge
  8. Demonstrating a positive attitude to risk management.


When the right thinking and behaviors exist, we can move to developing specific actions for each staff member with respect to risk management.

This will include:

  1. Calling out, escalating, recording, reporting and managing all risk incidents as soon as they occur
  2. Reviewing key risk indicators in amber and red and following them up in a timely manner
  3. Following up outstanding actions and ensuring they are implemented by due date
  4. Being risk aware at all times and updating risk assessments as risk profiles change
  5. Taking compliance attestations seriously. Answering them honestly and in a timely manner
  6. Raising risk as part of every decision
  7. Praising staff who call out risk incidents and issues early.

Key elements to creating and maintaining a good risk culture

In order to foster the thoughts, behaviors and actions above, some key principles must be followed:

  1. Risk and risk management must be understood by all of your staff. They cannot have a strong culture around what they do not understand.
  2. The risk management framework must be aligned as a business enabler, not a hindrance
  3. The risk management process must be efficient and not cumbersome
  4. Risk management should be simple and easy to understand. It should be kept 'real'
  5. Good behavior and actions should be recognized and rewarded. Bad behavior should have consequences
  6. Most importantly, the correct culture must be set at the board and senior management level and must be demonstrated to staff by walking the walk, not just talking the talk. Setting the tone at the top helps drive the importance of risk culture across the organization.

Next steps

Protecht's Culture and Conduct risk eBook gives you all the information you need in order to better understand, manage and monitor your culture and conduct related risks, being culture risk and conduct risk. It also addresses risk culture as a sub component of organizational culture and provides examples of the key traits of a good risk culture. Find out more and download the eBook now:



This article was originally published in January 2017.

About the author

David Tattam is the Chief Research and Content Officer and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind taking Protecht’s risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people’s risk capability through training and content.