Is there an effective risk culture?

Horst Simon describes himself on LinkedIn in a challenging way:

Transformational Nonconformist – It is time to Think Differently about Risk; Transformative change requires Disruption!!

I like that!

His primary description is as a “Risk Culture Builder”.

A while ago, he wrote an interesting piece, Calling all Risk Culture Experts. In it he says, and I agree, “we suddenly find a whole bunch of Risk Culture ‘Experts’ talking absolute garbage”.

The trouble is that while I agree a great deal with Horst, I am not 100% with him on this.

He says:

Let us get the basics right:

Basics No 1: Governance structure: Firstly, the reporting line for the Head of Risk/ Chief Risk Officer is directly to the Board. If you run your business by Committees, that would be the Chairperson of the Board Risk Committee; if not, it should be a Non-executive Director who knows something about the management of risk.

If you want to ensure that there is tension and more, even conflict, between the Chief Risk Officer (CRO) and management, emphasize the independence of the CRO. Make it clear that the CRO is the sheriff appointed to ensure the cowboys in management don’t take too much risk.

But if you want to promote effective management, de-emphasize independence and have the CRO report to the CEO with access to the board. Then hold the CEO (not the CRO) accountable for the effective management of risk and opportunity.

I like Horst’s two definitions of risk culture:

  • “Risk culture is the system of values and behaviours present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose” NC State ERM Initiative
  • “Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose” Institute of Risk Management[1]


  1. What is a “risk decision”? Every decision should be a business decision. What might happen (risk, or harm, and opportunity, or benefit) needs to be considered as an integral and necessary part of decision-making.
  2. The culture of an organization is not consistent across the organization (just think of Sales vs. Finance) and can and probably should change as business conditions change.
  3. Organizational culture, as I have explained many times in this blog and my books, has many dimensions. Attitudes towards taking risk can conflict, for example, with attitudes towards compliance, entrepreneurship, customers, teamwork, innovation, and more.

Basically, considering attitudes towards risk without also considering other dimensions of culture is considering it in a silo.

Horst shares a definition of “Risk Culture Building”:

Risk Culture Building is the training of mind, of heart and of personal character to respond effectively to any situation of risk and take the right decision to mitigate, control or optimise risk to the advantage of the organisation.

We all need to take risk if we are to survive and thrive.

Horst’s blog, and I am sure the training and services he provides, makes some excellent points. But aren’t we better off thinking about whether the culture of the organization as a whole promotes the behaviors necessary for success?

Let’s first examine the demonstrated behaviors towards:

  • Shared objectives
  • Teamwork and collaboration
  • Information sharing
  • Concern for employees
  • Customer-focus
  • Compliance
  • Innovation
  • Challenging ingrained beliefs
  • Involving others and obtaining appropriate information when making decisions
  • Employee empowerment
  • Taking the right level of the right risks
  • Escalating to more senior management when appropriate, but making decisions when it is not
  • … and more

If it is clear that desired behaviors are demonstrated every day, we can be satisfied with the culture.

If not, then let’s find out why not.

As for risk culture, we are talking about the ability to make (risk and opportunity) informed and intelligent decisions.

You can’t have effective risk management without assurance that decision-makers know and then take the right risks for success.

I welcome your comments.

[1] Full disclosure: I was one of the reviewers of the IRM’s publication on risk culture, although I did not endorse the final product for the reasons I discuss in this blog post.

  1. January 6, 2022 at 8:05 AM

    I don’t get Horst, in 7+ years I still have no idea if he is just virtue signaling or there is science behind it :))

    • April 5, 2022 at 11:51 PM

      Most Global regulators “got it” …. most recently, the Canadians.

      I offer a 12-month Risk Culture Builder Coaching program, you should join us.

  2. Doug Anderson
    January 6, 2022 at 8:20 AM

    I like your statement that: “The culture of an organization is not consistent across the organization (just think of Sales vs. Finance) …”. However, you slip a bit when you state: “But aren’t we better off thinking about whether the culture of the organization as a whole promotes the behaviors necessary for success?” I believe there are many cultures within an organization and your challenge would be better stated: But aren’t we better off thinking about whether the cultures within the organization promote the behaviors necessary for success? Different parts of an organization require different cultures and different considerations of risk. I don’t want new product design people to act like attorneys nor plant operators to act like HR.

    • Norman Marks
      January 6, 2022 at 8:22 AM

      Fair challenge, Doug

  3. John. Fraser
    January 6, 2022 at 8:25 AM

    Since 2000 I have been teaching that ERM will not work in every organization. Unless the culture is one of openness and sharing then it will not work. A sign of bad management.

  4. Dava
    January 6, 2022 at 3:48 PM

    I think how an organization communicates and handles bad news is an important element of risk culture. Nobody would dare to mention a potentially high-impact issue if the culture is one of pointing fingers at each other.

  5. January 18, 2022 at 2:55 AM

    Having or building an explicit “risk culture” is a bad idea for two reasons:

    – I don’t believe anyone can handle having a multitude of cultures, say a “risk culture”, a “safety culture”, a “marketing culture”, a “management culture”, etc. Culture is so much based on stories and images people have, and if these are conflicting, you don’t have an effective/consistent culture of anything.

    – Having a “risk culture” exacerbates the notion of risk being something different from whatever else the company is doing. Instead, risk (culture, management, processes, …) should be seamlessly integrated into other processes used in the company.

    Beyond that, I am sure the notion of an “effective” risk culture will differ from the very cautious approach used by some organisations to the “aggressive” risk taking approach used by others.

  6. April 8, 2022 at 2:45 AM

    Culture has a high impact on the management of risk at all stages; including planning, response, and returning to normality after an event. People’s beliefs and values have significant direct and indirect effects on a broad range of behaviours in the workplace, including the leadership and management style, ethical behaviours, job satisfaction and employment practices. All individuals are affected by the organisational culture and factors such as precepts, values, structure, hierarchy and rules that form part of the organisational culture. The level of an individual’s authority and responsibility, and his/her confidence and ability to step outside agreed or standard operating procedures or to challenge more senior personnel; all have connections to the organisational culture. If the culture of the organisation is to see the management of risk as pointless or irrelevant, then they will not invest time and effort in planning, training and executing it effectively.

    Risk-awareness, at the level of the individual worker, is essentially giving workers a “licence to think”. (1) In the first instance, this requires leaders to acknowledge that there may be a gap between “work as imagined” by the leaders and the “work as actually performed” by the workers. (2)

    When a group of employees in an organisation were asked to talk through a practical example of how they think about risk, and their responses were classified according to Endsley’s model of situation awareness, it was found that their responses were incomplete at all levels (perception, comprehension and projection) but most notably at the third level of the hierarchy, that is their ability to project the future status of what they had perceived and comprehended.

    There is thus no guarantee that any paperwork/ attestations enable the employees to foresee all the risks on a job. Teaching all employees risk management skills and building an effective risk culture is the only way to have sound risk management at all levels and achieve sustainable competitive advantage for the organisation.

    A mature risk culture is therefore an essential basis for the successful implementation of risk management and for reaping the benefits of the management of risk. Risk culture influences the decisions of employees, even if they are not deliberately weighing risks and benefits. An effective Risk culture is the main enabling factor for the establishment of a successful risk management process and an organisation’s risk culture is a key element that can ensure that the organisation takes enough risk to achieve its strategic objectives. Risk Culture goes to the heart of the openness and transparency needed for effective corporate stewardship and informed decision-making.

    (1) Westrum, R. (1992). Cultures with requisite imagination. In J. A. Wise, V. D. Hopkin & P. Stager (Eds.), Verification and validation of complex systems: Human factors issues. New York: Springer-Verlag.
    (2) Dekker, S. (2006). Resilience engineering: Chronicling the emergence of confused consensus. In E. Hollnagel, D. D. Woods & N. Leveson (Eds.), Resilience engineering: Concepts and precepts. Hampshire: Ashgate.

    • Norman Marks
      April 8, 2022 at 6:31 AM

      I agree that risk culture affects the management of risks. But we are trying to manage the entire organization for success. Focusing on risks means avoiding failures, but it doesn’t mean that you are taking the risks necessary for success.

      Risk culture is just one facet of organizational culture. If you are not careful, it limits innovation, entrepreneurship, and even intelligent decision-making.
