Measuring Risk Culture

Ed Little & David van Gogh

Follow us on LinkedIn

28 Sep 2020
  • Risk Transformation

In our article ‘Clarifying Risk Culture’, we described our framework for considering Risk Culture and the basic requirements for measuring it. In this article, we examine the critical success factors for successfully executing a Risk Culture Assessment, and we provide guidance on interpreting results and driving uplift actions.

Critical Success Factors

Risk Culture Assessments are different from other risk-related assessments in that they require respondents to reflect on cultural facets, which may bias the results of the assessment itself. As an example, transparency is a critical part of a strong organisational Risk Culture; however, in a culture with poor transparency, respondents may be unwilling to share this in an assessment.

An assessment of Risk Culture must take these biases into account. The factors below are important to consider during the design of such an assessment.

Reduction of Biases

Biases must be considered and mitigated when designing an assessment, such as:

  • Positivity bias – An inclination for respondents to respond in an agreeable way to positive statements. This is addressed by using a combination of positively and negatively worded assessment questions.
  • Polarising language – Polarising terms (e.g. “very”) or particularly emotional language must be substituted where possible for neutral language.
  • Self-reflection bias – Respondents will reflect more positively on groups more closely related to themselves and diminishes when reflecting on teams or groups with less affiliation.

The design and interpretation of an assessment must limit these biases where possible and account for them in reporting and uplift activities.

Trust of respondents

Respondents must trust that their response will not be attributed to them individually and that the results will be used to improve their working environment. Responses can be kept anonymous by restricting direct access to data, having minimum statistical thresholds before groups are individually identified, and by preventing reporting on mixed demographic subsets (e.g. a combination of business unit, level and experience that would allow a manager to identify a respondent). Having an independent party conduct the assessment will also aid respondent perception that their response will remain anonymous.

Involvement of Risk and Culture SMEs

Risk Culture assessments require an understanding of risk management concepts and frameworks, as well as behavioural and cultural drivers. The involvement of specialist Risk Culture practitioners is necessary to ensure that the assessment design, approach, and reporting outputs are targeted at the organisation’s desired risk behaviours.

In particular, Risk Culture specialists should be involved in the design of uplift activities to limit any unintended negative consequences that cultural uplift actions might have.


A consistent assessment approach will allow for the comparison of results over time. This can be used to quantitatively measure the impact an organisational change or risk uplift program is having. Care must be taken to control how the assessment is administered, including how assessment instructions and questions are posed to avoid the possibility of misinterpretation.

Having consistent and repeatable assessments also maximises the benefits of benchmarking, which can be used to compare an organisation to others within an industry or sector.

Interpreting Results and Driving Uplift Actions

A well-designed Risk Culture assessment will be able to identify strengths and weaknesses within thematic areas, and target uplift actions to addressing those.

To get the most out of the results from a Risk Culture assessment, a good understanding of the organisational context is important.

This is necessary for understanding the observations or themes, which present themselves as clusters of negative response to a question, a persistent negative trend across a thematic area, or when correlating questions.

With the assessment results and the context understood, a targeted plan can be put in place to address the areas of concern. Uplift actions will vary depending on the areas that require attention.

It is important to have a feedback mechanism in place to measure the impact of uplift actions. If actions are not having the desired effect, adjustments need to be made. Where possible, organisations should develop indicators that leverage existing systems, processes, and metrics as these can show the broader impact that an uplift action might be having. Conducting the questionnaire portion of the assessment periodically will also allow leaders to view changes in culture over time and may provide a clear measure of improvement or regression when correlated to specific uplift actions.


Successfully executing a Risk Culture assessment relies on controlling for critical success factors effectively, interpreting results accurately, and driving appropriate uplift actions. Organisations that seek to conduct a Risk Culture assessment should use the practices outlined within this article to maximise the value achieved.

Measuring Risk Culture
Download the article

Let us tell you more

Risk management expectations are evolving rapidly. How well is your organisation equipped to respond?