Risk Culture

After completing this reading, you should be able to:

  • Carry out a comparison between risk culture and corporate culture and explain how they interact.
  • Explain the factors that influence a firm’s risk culture and corporate culture.
  • Describe methods of measuring risk culture and corporate culture.
  • Describe characteristics of a strong risk culture
  • Outline and explain the challenges to the implementation of an effective risk culture.
  • Assess the relationship between risk culture and business performance.

Risk Culture

Risk culture is a system of values and behaviors that shapes the risk decisions of a business. It defines the norms and traditions of the behavior of employees or employers in an organization that determine how they identify, understand, discuss, and manage the risks that the business faces and the risks it takes.

For a bank, risk culture is the bank’s “norms, attitudes, and behavior related to risk awareness, risk-taking, and risk management and controls that shape decisions on risks.” It influences the decisions of employers and employees during their day-to-day activities, even when they are not consciously analyzing and weighing risks. It also has a bearing on the risks they assume.

Corporate Culture

Corporate culture can is the beliefs and behaviors that determine how an organization’s employees and management interact and handle business transactions. Many times, organizational culture is implied, but not expressly defined, and develops organically through time from all the cumulative behavior and norms of the people that the business employs.

Culture is the result of shared values, business experiences, behavior, and beliefs, as well as strategic decisions. It is much more than a management style; it is a set of experiences, opinions, and behavioral patterns. It is created and developed when a team of employees or people working together learn to cope with the changing outside world and internal systems.

Corporate culture deals with different approaches. One approach considers external outputs such as the environment, architecture, technology, office layout, dress code, behavioral standards, official documents, and company symbols.

These aspects reflect the core values of the organization and explain or justify the behavior of individuals. Culture can be very effective but also resistant to the need for change and is therefore seen as a complex concept for any organization.

Risk Culture vs. Corporate Culture

Risk culture is an element of corporate culture. It is the aspects of corporate culture that relate to risk. The culture of an organization is neither unique nor uniform throughout the company.

Different subcultures exist in different levels of an organization, and these are brought about by the variety of operations, roles, and activities performed by each organization and each department. For instance, the point of view on the environment taken by the risk management department can be substantially different from that taken by the marketing department.

Risk culture is not static but a process that is continuously repeating and renewing itself. Both risk culture and corporate culture evolve through time to the events that affect an organization’s internal operations and to the external environment within which the organization operates.

Factors that Influence a Firm’s Risk Culture and Corporate Culture

Several factors determine a firm’s risk culture and corporate culture. These include:

The tone from the organization’s leadership

Commitment and support from top management play a significant role in influencing the success in almost any initiative within an organization. Corporate culture and risk culture require the acknowledgment that they are an essential reality from the organization’s leadership for the right culture to take shape.

Consistency in communication, decision making, and ultimate actions is critical to avoid misinterpretation. Employees may otherwise adopt what they see, and not what they are told.

Company governance

Building a sound risk culture is a process that should involve the entire business and not just the supervisory team. An organization’s board should form a clear and communicable approach to risk, which is understood by all levels of the employees.

Changes in the playing field

Changes in both the external and internal conditions usually lead to changes in the culture of a business or necessitate changes to be made within the organization.


The existing lines of accountability need to be clear and enforced, preferably to individuals and not just committees where accountability is often lost.


The focus should be on identifying what went wrong, what can be learned, and whether changes to process or controls are required. Dealing with disciplinary or assignment of accountability as a separate matter encourages openness from the employees.

Incentives and remuneration

Performance measurement and rewards should be based on the organization’s desired risk culture. This should be both financial and non-financial. Setting goals based on the key performance indicators will influence the culture you wish to create.

Training and employee talent management

Training and employee talent management in an organization will support and enforce the desired risk culture and behavior, if properly utilized. The organization should be conscious of the existing or desired risk culture when making decisions around these aspects.


Understand your risk appetite, and should a loss occur within this appetite, acknowledge that it happened, learn from it and move on. Many organizations expect perfection, especially in operational processes, and this makes them end up with too many controls, leading to bureaucracy. This deters employees from enforcing the desired framework. Find the right balance.

Core Competency

The risk culture should be implemented in such a way that it supports the business strategy and core competency. There is a close link between the success of strategy implementation and the coprorate culture. If they are not already aligned, then changing one is critical to changing the other. The organization’s risk culture should mirror what the clients perceive.

Measuring Risk Culture and Corporate Culture

Qualitative Methods

Qualitative methods allow for an in-depth investigation, but they also limit the comparability of results.

Direct observation may be the only way to understand a culture since many of its aspects are silent. Additionally, people within an organization are not aware of how many assumptions affect their behavior and take for granted that it applies to everyone in the sector.

Sometimes, the cognitive beliefs of whoever is carrying out the study may influence their evaluation capacity. Due to this, a problem of objectivity prevents the possibility for other researchers to replicate the analysis and confirm the results.

Quantitative Methods

Quantitative methods use standardized approaches of analysis through statistical tools. These methods do not provide in-depth observations but are more objective and allow the comparison of different situations.

Quantitative methods have been primarily used to evaluate culture indirectly, by observing developments in risk governance and the link between risk governance and the company’s risk-return combinations. They include:

Engagement Surveys

Many firms use annual employee engagement surveys, supplemented by culture and other surveys.

Indicator Dashboard

Some organizations use a range of indicators, sometimes consolidated into “culture dashboards”, such as:

      • Customers: satisfaction scores, complaints
      • Employees: engagement scores, speaking up scores, turnover, absence rates, grievances, etc
      • Conduct and risk: conduct breaches, material events, and escalations


Organizations use a range of methods to validate progress or performance and confirm understanding. These methods include:

    • Consultancy firms’ benchmarking exercises
    • Other external benchmarks
    • Internal audit assessments
    • Triangulation across various data sources, e.g., staff and customer surveys

Characteristics of a Strong Risk Culture

Risk culture is a key element of an organization’s enterprise risk management framework, which encompasses the general awareness, attitudes, and behavior of an organization’s employees toward risk and how risk is managed within the organization. It is a key indicator of how widely an organization’s risk management policies and practices have been adopted.

Risk-Related Behavior

Strong risk culture has generally been associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior.

Personal Characteristics

Personal characteristics are important when it comes to strong risk culture. Long-tenured and less risk-tolerant employees and employees with a positive attitude towards risk management are more likely to display desirable risk-related behavior. Those with high personal risk tolerance are more likely to display undesirable risk-related behavior.

Risk Structures

Good risk structures such as policies, controls, IT infrastructure, training, and remuneration systems, etc. appear to support a strong culture and ultimately a less undesirable risk behavior. Good risk structures do not necessarily guarantee good behavior. There have been suggestions that structures such as remuneration are interpreted through the lens of culture.

Staff Ranking

Senior staff tends to have a significantly more favorable perception of culture than junior staff. This highlights the importance of anonymous and independent risk culture assessments where staff feel safe to reveal their true beliefs.

Challenges to the Implementation of an Effective Risk Culture

The complexity of the organization

Changing the culture of a complex organization like a bank is possible, but difficult and requires the awareness of the need for change, many resources, and a long time.

View from the Top Management

Addressing cultural issues must be the responsibility of the board and management of firms. This will determine how the rest of the organization views these issues. Supervisors and regulators cannot by themselves determine culture, but supervisors do have an important monitoring function.

Company-Wide Involvement

A process of cultural change is ambitious as it involves many players. It is usually challenging to bring on board all the different forces in a common effort to promote a new risk culture shared by both the regulatory authorities and clientele.

Integration in business decision-making

The implementation of a risk culture needs to be integrated into business decisions. This is sometimes difficult as all stakeholders, including a firm’s customers and shareholders, may need to be involved in supporting these changes.

Consistency of messages and action

The tone at the top is not always supported by consistent actions that demonstrate proper alignment between the proposed changes and the subsequent actions. The differences in these aspects pose challenges for organizations seeking to establish consistent expectations across the institution.

Relationship Between Risk Culture and Business Performance

Risk culture influences an organization’s performance and competitiveness, while changes in business objectives and strategies often have a bearing on the risk culture. There is, therefore, an interaction between the two concepts.

Regulatory Changes

The banking sector, for example, has seen an evolution in its corporate structure. This is because of changes that the sector has gone through, moving from public institutions to profit-oriented private entities. Regulations have also increased the range of banking services offered and, indirectly, competition. The new culture of supervisors is based on the collaboration with banks and this relationship may have positive effects in terms of business performances.

Financial Behavior

The financial behavior of families and firms has also undergone drastic changes. For instance, family propensity to save has decreased. Families today tend to invest more in financial instruments inside or outside their home countries, while firms are adopting new forms of financing, by acting directly on the capital markets.

New Market Opportunities

In some cases, culture in the financial institutions has demonstrated the ability to integrate organizations’ know-how and new market opportunities. For example, the entry of banks into the insurance business was difficult, because of limited experience with sophisticated products.

On the other hand, insurers had limited experience with bank retail client requirements. The problem was solved through successful alliances in which banks used their distribution capacity and insurers developed simpler products.

Culture has also driven the creation of new approaches to deal with increasing competition. A culture of distribution has replaced the pre-existing culture of production. Due to this change, management has been able to shift the focus from an efficient service development towards an effective selling system, thereby creating a new kind of risk culture.

Risk Culture as a Resource

In the new context, culture is a resource rather than a limitation. If taken into consideration, it can ensure the success of events such as mergers and acquisitions.

Culture may be used to improve firm performance and stability. Nowadays, it is particularly difficult to develop and implement a strategy due to the intrinsic variability of the market, with controls becoming increasingly complicated due to a broader range of business activities and functions. In this context, culture can create shared values to drive individual behavior in pursuing the organizational strategy and assisting the role of internal controls.

Competitive Advantage

Risk culture can result in a competitive advantage for firms with better cultures and conducts. This is particularly with regard to client reputation and the ability to attract employees and investors.

Organizations can succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability. A good risk culture should not be just about complying with regulations but rather creating something that will help to prevent or resolve problems.

As risk is an inherent aspect of business function, risk culture has an impact on the risk-taking propensity and policies, types of risk assessment/performance ratio and final decisions.

Organizations need to develop their risk culture beyond regulatory guidelines so that they can support their corporate strategy and strengthen their core skills, and turn risks into opportunities.