Risk Culture

After completing this reading, you should be able to:

  • Carry out a comparison between risk culture and corporate culture and explain how they interact.
  • Explain the factors that influence a firm’s risk culture and corporate culture.
  • Describe methods of measuring risk culture and corporate culture.
  • Describe the characteristics of a strong risk culture.
  • Outline and explain the challenges to the implementation of an effective risk culture.
  • Assess the relationship between risk culture and business performance.

Risk Culture

Risk culture is a system of values and behaviors that shapes the risk decisions of a business. It defines the norms and traditions of behavior among the employees and employers of an organization that determine how they identify, understand, discuss, and manage the risks that the business faces and the risks it takes.

In the case of a bank, risk culture is the bank’s “norms, attitudes, and behavior related to risk awareness, risk-taking, and risk management and controls that shape decisions on risks.” It influences the decisions of employers and employees during their day-to-day activities, even when they are not consciously analyzing and weighing risks. It also has a bearing on the risks they assume.

Corporate Culture

Corporate culture is the beliefs and behaviors that determine how an organization’s employees and management interact and handle business transactions. Many times, organizational culture is implied, but not expressly defined. It develops organically through time from all the cumulative behavior and norms of the people that the business employs.

Culture is the result of shared values, business experiences, behavior, and beliefs, as well as strategic decisions. It is much more than a management style; it is a set of experiences, opinions, and behavioral patterns. It is created and developed when a team of employees or people working together learn to cope with the changing outside world and internal systems.

Corporate culture deals with different approaches. One approach considers external outputs such as the environment, architecture, technology, office layout, dress code, behavioral standards, official documents, and company symbols.

These aspects reflect the core values of the organization and explain or justify the behavior of individuals. Culture can be very effective but also resistant to the need for change and is therefore seen as a complex concept for any organization.

Sample Corporate Culture Statements

  • Bank of America: “Our culture comes from how we run the company every day. At the heart of our responsible growth strategy is our commitment to “act responsibly,” which includes our commitments to ethical behavior, acting with integrity, and complying with laws, rules, regulations, and policies that reinforce such behavior.”
  • Starbucks: “We’re committed to upholding a culture where inclusion, diversity, equity, and accessibility are valued and respected. Your entire experience—starting with your application—is designed to be the beginning of an inspirational journey, where you are treated warmly and with transparency, dignity, and respect.”
  • JP M. Chase: “Eventually, it all comes down to people. Creating a winning team and self-sustaining culture takes hard work, and there is no substitute for it. Teams do not win because they have a new stadium or the most attractive uniforms… Teams succeed because they are disciplined, they work well together, and they have a passion to win.”

Risk Culture vs. Corporate Culture

Risk culture is an element of corporate culture. It is the aspects of corporate culture that relate to risk. The culture of an organization is neither unique nor uniform throughout the company.

Different subcultures exist at different levels of an organization. These variations are brought about by the variety of operations, roles, and activities performed by each organization and each department. For instance, the point of view on the environment taken by the risk management department can be substantially different from that taken by the marketing department.

Risk culture is not static but a process that is continuously repeating and renewing itself. Both risk culture and corporate culture evolve over time in response to the events that affect an organization’s internal operations and to the external environment within which the organization operates.

Factors that Influence a Firm’s Risk Culture and Corporate Culture

Several factors determine a firm’s risk culture and corporate culture. These include:

The Tone from the Organization’s Leadership

Commitment and support from top management play a significant role in the success of almost any initiative within an organization. For the right culture to take shape, an organization’s leadership must acknowledge that corporate culture and risk culture are an essential reality.

Consistency in communication, decision-making, and ultimate actions is critical in the avoidance of misinterpretation. Employees may otherwise adopt what they see, and not what they are told.

Company Governance

Building a sound risk culture is a process that should involve the entire business and not just the supervisory team. An organization’s board should form a clear and communicable approach to risk, which is understood by all levels of the employees.

Changes in the Playing Field

Changes in both external and internal conditions usually lead to changes in the culture of a business. Such changes also inform the changes to be made within the organization.


The existing lines of accountability need to be clear and enforced, preferably to individuals and not just committees where accountability is often lost.


The focus should be on identifying what went wrong, what can be learned, and whether it is necessary to initiate changes in processes or controls. Dealing with discipline or the assignment of accountability as a separate matter encourages openness from employees.

Incentives and Remuneration

Performance measurement and rewards should be based on an organization’s desired risk culture. This should be both financial and non-financial. Setting goals based on key performance indicators will influence the culture you wish to create.

Training and Employee Talent Management

Training and employee talent management in an organization will support and enforce the desired risk culture and behavior, if properly utilized. An organization should be conscious of the existing or desired risk culture when making decisions on these aspects.


Understand your risk appetite, and should a loss occur within this appetite, acknowledge that it happened, learn from it and move on. Many organizations expect perfection, especially in operational processes. This makes them end up with very many controls, leading to bureaucracy. This deters employees from enforcing the desired framework. Find the right balance.

Core Competency

The risk culture should be implemented in such a way that it supports the business strategy and core competency. There is a close link between the success of strategy implementation and the corporate culture. If they are not already aligned, then changing one is critical to changing the other. The organization’s risk culture should mirror what the clients perceive.

Measuring Risk Culture and Corporate Culture

Qualitative Methods

Qualitative methods allow for an in-depth investigation. However, they also limit the comparability of results.

Direct observation may be the only way to understand a culture since many of its aspects are silent. People within an organization are often not aware of how many assumptions affect their behavior, and they take for granted that these assumptions apply to everyone in the sector.

Sometimes, the cognitive beliefs of whoever is carrying out the study may influence their capacity to evaluate. The resulting problem of objectivity prevents other researchers from replicating the analysis and confirming the results.

Quantitative Methods

Quantitative methods use standardized approaches of analysis through statistical tools. These methods do not provide in-depth observations but are more objective and allow the comparison of different situations.

Quantitative methods have been primarily used to evaluate culture indirectly, by observing developments in risk governance and the link between risk governance and the company’s risk-return combinations. They include:

Engagement Surveys

Many firms use annual employee engagement surveys, supplemented by culture and other surveys.

Indicator Dashboard

Some organizations use a range of indicators, sometimes consolidated into “culture dashboards”, such as:

  • Customers: Satisfaction scores, complaints.
  • Employees: Engagement scores, speaking up scores, turnover, absence rates, grievances, etc.
  • Conduct and risk: Conduct breaches, material events, and escalations.


Organizations use a range of methods to validate progress or performance and confirm understanding. These methods include:

  • Consultancy firms’ benchmarking exercises.
  • Other external benchmarks.
  • Internal audit assessments.
  • Triangulation across various data sources, e.g., staff and customer surveys.

Characteristics of a Strong Risk Culture

Risk culture is a key element of an organization’s enterprise risk management framework, which encompasses the general awareness, attitudes, and behavior of an organization’s employees toward risk and how risk is managed within the organization. It is a key indicator of how widely an organization’s risk management policies and practices have been adopted.

Risk-related Behavior

Strong risk culture has generally been associated with more desirable risk-related behavior (e.g., speaking up) and less undesirable behavior.

Personal Characteristics

Personal characteristics are important when it comes to a strong risk culture. Long-tenured and less risk-tolerant employees and employees with a positive attitude towards risk management are more likely to display desirable risk-related behavior. Those with high personal risk tolerance are more likely to display undesirable risk-related behavior.

Risk Structures

Good risk structures such as policies, controls, IT infrastructure, training, remuneration systems, etc. appear to support a strong culture and, ultimately, less undesirable risk behavior. However, good risk structures do not necessarily guarantee good behavior. There have been suggestions that structures such as remuneration are interpreted through the lens of culture.

Staff Ranking

Senior staff tend to have a significantly more favorable perception of culture than junior staff. This highlights the importance of anonymous and independent risk culture assessments where staff feel safe to reveal their true beliefs.

Challenges to the Implementation of an Effective Risk Culture

The Complexity of the Organization

Changing the culture of a complex organization like a bank is possible. Even then, it is difficult and requires awareness of the need for change, many resources, and a long time.

View from the Top Management

Addressing cultural issues must be the responsibility of the board and management of firms. This will determine how the entire organization views these issues. Supervisors and regulators cannot, by themselves, determine culture. They, however, have an important monitoring function.

Company-wide Involvement

The process of cultural change is ambitious since it involves many players. It is usually challenging to bring all the different forces on board in an effort to promote a new risk culture shared by both the regulatory authorities and clientele.

Integration in Business Decision-making

The implementation of a risk culture needs to be integrated into business decisions. This is sometimes difficult as all stakeholders, including a firm’s customers and shareholders, may need to be involved in supporting these changes.

Consistency of Messages and Action

The tone at the top is not always supported by consistent actions that demonstrate proper alignment between the proposed changes and the subsequent actions. The differences in these aspects pose challenges for organizations seeking to establish consistent expectations across the institution.

Relationship Between Risk Culture and Business Performance

Risk culture influences an organization’s performance and competitiveness, while changes in business objectives and strategies often have a bearing on the risk culture. There is, therefore, an interaction between the two concepts.

Regulatory Changes

The banking sector, for example, has seen an evolution in its corporate structure. This is because of changes that the sector has gone through, moving from public institutions to profit-oriented private entities. Regulations have also increased the range of banking services offered and, indirectly, competition. The new culture of supervisors is based on collaboration with banks and this relationship may have positive effects in terms of business performance.

Financial Behavior

The financial behavior of families and firms has also undergone drastic changes. For instance, families’ propensity to save has decreased. Families today tend to invest more in financial instruments inside or outside their home countries. Firms, on the other hand, are adopting new forms of financing, by acting directly on the capital markets.

New Market Opportunities

In some cases, the culture in financial institutions has demonstrated the ability to integrate organizations’ know-how and new market opportunities. For example, the entry of banks into the insurance business was difficult, because of their limited experience with sophisticated products.

On the other hand, insurers had limited experience with bank retail client requirements. The problem was solved through successful alliances in which banks used their distribution capacity and insurers developed simpler products.

Culture has also driven the creation of new approaches to deal with increasing competition. A culture of distribution has replaced the pre-existing culture of production. Due to this change, management has been able to shift the focus from efficient service development toward an effective selling system, thereby creating a new kind of risk culture.

Risk Culture as a Resource

In the new context, culture is a resource rather than a limitation. If taken into consideration, it can ensure the success of events such as mergers and acquisitions.

Culture may be used to improve firm performance and stability. Nowadays, it is challenging to develop and implement a strategy. This is due to the intrinsic variability of the market, with controls becoming increasingly complicated due to a broader range of business activities and functions. In this context, culture can create shared values to drive individual behavior in pursuing the organizational strategy and assisting the role of internal controls.

Competitive Advantage

Risk culture can result in a competitive advantage for firms with better culture and conduct. This is particularly so with regard to client reputation and the ability to attract employees and investors.

Organizations can succeed if they accept that culture is core to their business models and if they decide that fixing culture is key to their economic sustainability. A good risk culture should not just be about complying with regulations but rather creating something that will help to prevent or resolve problems.

Since risk is an inherent aspect of business function, risk culture has an impact on the risk-taking propensity and policies, types of risk assessment/performance ratio, and final decisions.

Organizations need to develop their risk culture beyond regulatory guidelines so that they can support their corporate strategy, strengthen their core skills, and turn risks into opportunities.

Just How Bad Can It Get for a Firm With a Weak Risk Culture?

  • In 2018, Uber was forced to part with over $20 million in fines over the loss of confidential customer data. Senior leaders, including the CEO, were fired, and customers switched over to competitors.
  • The Cambridge Analytica scandal at Facebook, which involved massive misuse of private and personal data, resulted in the largest stock market drop in value in history – $120 billion.
  • Wells Fargo’s fake customer accounts scandal of 2018 resulted in over $1 billion in fines.

Practice Question

Who is responsible for an organization’s risk culture?

A. Everyone who works at the organization.

B. Industry regulators.

C. The CEO.

D. The CEO and the Board of Directors.

The correct answer is A.

In a risk intelligent organization, everyone in the organization understands its approach to risk, and they take personal responsibility for managing risk in their work every day. That’s part of the definition of risk intelligence. At the same time, there are a handful of people who have elevated responsibilities for risk culture.

B is incorrect: Industry regulators may give guidelines on what is expected, but they are not responsible for the organization’s risk culture.

C is incorrect: The CEO may set the pace, and even set the tone for risk culture, but if he alone is responsible for the risk culture, then its implementation will not be successful.

D is incorrect: The Board of Directors, just like the CEO, may set the tone within the organization. However, if they assume responsibility at the expense of the rest of the company workforce, then implementation will not be successful.
