Creating a Culture of Risk Throughout the Organization


Written by: Jon Siegler

Reviewed by: Brock Wackerle
Updated: March 24, 2023

An effective risk culture is one that allows and encourages individuals and departments to take risks in an educated and confident manner. When separating companies based on their risk culture, you will find two types of companies:

  • Company A: Doesn’t acknowledge risk.
  • Company B: Has given every employee the power to identify & monitor for potential risk.

Company A: Doesn’t acknowledge risk.

Rather, they spend the majority of their time managing risks, working towards achieving compliance, and staying on track and on task. Managers at these companies are often not given the autonomy to look beyond their specific duties and siloed departments. Usually, these managers are fine with the status quo, and over time this culture creates an environment where change will not happen unless the company has faced regulatory criticism or been reprimanded for sub-par practices.

Creating a culture of risk is a step towards progress and innovation. While not easy or quickly done, it will improve every aspect of an organization.


Company B: Empowers Employees to Identify & Monitor Risk

All employees are educated on the various risks that could impact their jobs. If a risk is identified, any employee can assess the risk and quickly notify management, executives, board of directors, and any other individual or group impacted, so that action can be put in place to mitigate or respond to the risk.

This company’s board of directors is well informed about the potential risks and risk appetite of the company and ensures that executives and managers understand and buy in to the importance of risk awareness and prevention.

In this post you’ll learn:

  • Why Creating a Culture of Risk is Important
  • How to Create a Culture of Risk
  • What a Good Risk Culture Looks Like


Why Creating A Culture of Risk is Important

An effective risk culture is essential to the overall success of the risk management process. An abstract from ERM Initiative Faculty, 2014 stated that effective risk cultures do the following three things:

  • Recognize the reality that risks exist and be willing to do something about those risks
  • Seek out information about risk from all parts and levels of the enterprise and promote discussion about risk
  • Design appropriate risk management policies and processes and hold personnel accountable for adhering to those policies and processes

When organizations have not created a culture of risk, decisions are often made that are not in line with company policies and procedures. According to The Institute of Risk Management’s paper, Under The Microscope: Guidance for Boards, “organisations with inappropriate risk cultures will inadvertently find themselves allowing activities that are totally at odds with stated policies and procedures or operating completely outside these policies. An inappropriate risk culture means not only that certain individuals or teams will undertake these activities but that the rest of the organisation ignores, condones or does not see what is going on. At best this will hamper the achievement of strategic, tactical and operational goals. At worst it will lead to serious reputational and financial damage.”


How to Create a Culture of Risk

The key to successfully creating a culture of risk is patience. Often, changing the climate and culture of an organization of any size is a two- to three-year process. This is not the type of change that occurs during one board meeting, memo, or staff meeting. It takes time to educate the organization properly and for leaders to demonstrate the importance of the change.


The following are clear action steps to change your organization’s risk culture.

  1. Identify your current risk culture: Knowing exactly where your organization currently stands concerning risk will help you navigate to where you want to be.
  2. Strong leadership participation: This type of change must come from the top down in order to be effective. McKinsey and Company states, “CEOs and CFOs who want to initiate the process must build a broad consensus among the company’s top 50 or 60 leaders about the current culture’s weaknesses.”
  3. A consensus among leadership: Leadership must come together to map out and agree upon the type of culture they want to build. Creating four or five core statements about the values and the desired culture will allow for clear process changes.
  4. Commit to changes: This often means the company will need to change the way it approves activities, whether those are transactions at banks, capital projects in heavy industry, or even surgical procedures at hospitals.
  5. Policies and procedures that reflect a culture of risk: Policies and procedures need to reflect the nature of the organization and potential risks.
  6. Utilize appropriate tools to meet your needs: Using a robust and agile platform that helps automate processes and procedures will help educate and support your organization as it adapts to a changing culture.
  7. Communicate: Risk management needs to be communicated clearly and often throughout the organization. Spend time educating everyone in the organization on their risk management roles and responsibilities.


What Does a Good Risk Culture Look Like

You know that you have successfully created a good risk culture if your organization resembles these 10 character traits:

  1. Consistent approach to risk management from the top-level board and executives.
  2. All decisions align with ethical principles.
  3. Clear accountability and management of risks throughout the organization.
  4. Quick responses to risks that easily travel up the chain of command without fear of blame or reprimand.
  5. Learn from mistakes and encourage the organization to report risks.
  6. Understand the risk to every process or activity.
  7. Encourage appropriate risk taking and reprimand poor risk taking.
  8. Value employees with risk management skills and knowledge and encourage training and professional development of risk management skills.
  9. Challenge the status quo with diversity of experience, perspectives, and values.
  10. Manage people according to their needs while keeping people focused on the task at hand.


LogicGate can help transform your risk culture

LogicGate’s Enterprise Risk Management platform is a robust and agile system that automates your risk management processes across the organization. When changing an entire organization’s culture, it’s helpful to have tools in place that will increase risk visibility for every employee. Implementing a tool such as LogicGate, which defines potential risks associated with activities and allows stakeholders across the organization to rate risk dimensions, emphasizes the organization’s desire for a good risk culture. With LogicGate in place, you will empower every level of your organization to embody a culture of risk by providing them with an easy-to-use, agile, and centralized platform for managing risks.
