Clarifying Risk Culture

David van Gogh


9 Dec 2019
This article is a part of Risk Update 2. 


Risk culture refers to the behaviours, attitudes and norms in an organisation that affect how risks are considered in decision making.

Organisations with a strong risk culture foster transparency and considered decision making. They have long-term performance and incentive structures which make them more resilient, and they encourage staff to ‘speak up’ when they see potential issues. Conversely, organisations with a poor risk culture encourage short-term decision making which ultimately results in issues, incidents and scandals. For the Boards of APRA-regulated entities, having an understanding of the organisation’s risk culture is also a regulatory obligation.

This article contains an analysis of factors which influence risk culture in organisations. It also covers typical approaches to measuring and improving risk culture.

“…the Board must ensure that… it forms a view of the risk culture in the institution, and the extent to which that culture supports the ability of the institution to operate consistently within its risk appetite, identify any desirable changes to the risk culture and ensures the institution takes steps to address those changes”

APRA, Prudential Standard CPS 220 Risk Management, July 2017, s9 ‘The Role of the Board’ (b)

How is Risk Culture Measured?

Risk Culture is measured by identifying behaviours that affect decision making. Usually, this is done by surveying members of an organisation. Respondents are requested to reflect on behaviours that they have observed across a variety of organisational groups (themselves, their teams and their leaders), and responses are aggregated and analysed for areas of relative strength and weakness.

These assessments allow us to gain a basic understanding of decision-making behaviours within an organisation. While survey-based assessments have limitations, they are designed to remove respondent biases, maximise actionable insights, and allow for benchmarking across industries or organisation types.

In more complex environments, assessments are supplemented with more in-depth techniques, such as focus groups and deep-dive reviews of organisational structures and processes. These can provide more information on the causes of undesirable behaviour.

How can improvements be made?

Changes to culture take time. Improvement activities should focus on the enduring influences on culture: priorities, systems and processes. Such actions often include the following:

  • Integrating risk elements into the organisation’s strategy;
  • Focusing on the importance of risk management in leader messaging;
  • Prioritising funding for risk buydown initiatives;
  • Strengthening accountability through organisational structures and workflows; and
  • Focusing performance management, recognition and reward mechanisms on long-term outputs.

The uplift activities required in the context of a specific organisation will vary. Activities need to be considered against the identified root causes of behavioural issues in specific organisations.


Organisations which focus on Risk Culture make considered decisions, avoid issues and incidents, and are ultimately more resilient. While difficult, Risk Culture can be measured through specifically targeted techniques. These allow for undesirable risk behaviours to be identified, understood and reduced.

Amstelveen Risk Update: Edition 2, December 2019