Risk culture is the difference between bureaucracy and belief

Sometimes, it is easy to miss the forest for the trees. We can quickly lose sight of the big picture by getting tangled up in the (fascinating/distracting/colourful/noisy/inspiring… err, where was I?) details! 

Investigations of major disasters and severe risk events almost always point to deficiencies in the prevailing management culture as a root cause of fragile thinking. Vulnerabilities are embraced as strengths, triggering a chain of other more severe risk outcomes that require deeper enquiries. Almost always in these investigations, the presence of risk management is discovered – and then found to be ineffectual, blind-sided, distracting or just plain irrelevant to the reality of what was going on.


How do we explain the different paths between the appearance of risk management and the effective management of risks? In the end, it’s all about risk culture…

Organizations are complex systems and each develops a form of collective consciousness about the right way to get things done; we call that ‘culture’. In many ways, culture is what the people in your organization do when they feel they are not being monitored. It is based on values, ethics and untested assumptions but is rarely written down, curated, designed or consciously directed. You can create ever-stricter processes and controls, but if your staff don’t understand or trust them, or don’t care about outcomes, then bureaucracy or lip-service are the likely behaviours that follow.

Each group and organization has its own approach to risk – its risk culture – which may or may not be helpful to successful risk management over time. Within that, every staff member also has their own sensitivity to risk levels coming from their unique blend of character and experience of risks. We have seen many instances of people working in risk roles without enthusiasm, commitment, curiosity or conviction. They generate risk documentation but they do not contribute to improved risk outcomes.


The mechanisms and techniques the organization uses to manage risk are shaped by the prevailing attitudes, beliefs, skills and motivations of the workforce that uses them.

The Institute of Risk Management (2012) offers the following working definition for risk culture:

“The values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular, the employees of an organization or of teams or groups within an organization”.

Risk culture is a key indicator of the degree of adoption of an organization’s risk management framework, as well as the attitudes and behaviours of employees toward risk.  

Risk culture is about what we do, why we do it and how we do it. And how we do things is usually a major factor affecting outcomes. It is best when risk management is integrated into day-to-day operations: 

  • Always challenge existing assumptions and forecasts – internally and externally
  • Be aware of the cognitive bias to accept information that confirms
  • Cultivate cognitive dissonance to uncover disruptive information 
  • Communicate regularly and relentlessly on all aspects of risk-balanced and ethical decision making
  • Continuously improve all risk management processes
  • Avoid leadership “kowtow” and group sloppiness
  • Designate a senior non-executive director to monitor all suspicious feedback
  • Encourage risk-taking, knowing that sometimes it can go wrong and be costly
  • Adopt a continuous learning attitude. 

An organization with a risk-aware culture is one that is more resilient to outside influences and better able to adapt.

When it is resilient, the organization develops a strong risk capacity, with staff having developed a real ability to manage critical risks and to identify and manage new risks.  They have a trained skill to quickly recognise when risk profiles shift or transform, ensuring that appropriate responses are formed, in timescales matched to the rate of change.

A strong risk culture purposefully influences improved and timely decision making, keeping the organization on track to achieve its objectives. A risk-aware organization that is able to learn from past events and mistakes and improve its processes in a timely manner suffers fewer outcomes that destroy value.

A positive risk culture creates an ecosystem where people are motivated and rewarded to recognize risk and engage in the process of dealing with it professionally. They believe that such activity is good for them personally, for the organization and the wider community of interested stakeholders. Interested to find out more? Please visit www.riskcultureweek.com.