There is no one-size-fits-all risk culture

Risk also means different things to different organizations because perceptions of opportunity and threat are shaped by depth of resource, security, growth or decline, confidence and ambition. 

The word itself evokes elements of chance, uncertainty, threat, danger, hazard, loss, injury, or worse in some people’s minds. Given these negative consequences, it would be natural to assume that risks should simply be minimized or avoided altogether, because risk is an ugly and harrowing obstacle we can choose to do away with.

This is only partially true, because in business life we all know that if we want to achieve something, develop something we have never developed in the past, or simply grow, it involves taking risks. In other words, risk has advantages and disadvantages. Without risk, there would be no opportunity for return.

For balance, we should also point out that some people think risk is synonymous with excitement, thrills, progress, a chance to prove one’s capabilities, to beat the competition and grow stronger than before. For them, taking risks is a reason to be alive, and it is better to risk everything and maybe lose than to risk nothing at all and never experience something worth being alive for. As it happens, research indicates that in most organizations approximately 12-15% of staff occupy each of the two extreme attitudes towards risk that we have characterised here (between them they make up around 1 in 4 of the people who populate your org chart!).

All organizations have a culture whether they try to or not

The challenge is to ensure that this culture supports the effective management of risk rather than working against it. 

The IRM (2012) provides a simple model to determine the type of organizational culture one may be dealing with. It combines two dimensions creating a 2×2 matrix, with 4 culture archetypes: the Engaged Culture, Chaotic Culture, Sleep-walking Culture and Complier Culture shown in Figure 1 below.

The two dimensions are:

  • Conformity pressure – the degree to which staff ‘buy in’ to a common set of behaviours and the organization creates strong pressure to adopt a shared system of meanings. On either side of the spectrum, we find ‘System of Control’ and ‘Independence’. System of control defines the extent to which the behaviours and activities of individuals are governed by formal processes, pressures, and rules to which staff are expected to conform. Independence describes an organization where staff make their own decisions based on their values.
  • Governance spirit – the extent to which rules are followed and the organization wants to have shared goals and common meanings about what it is trying to accomplish. At the two extremes of the spectrum are the ‘Common Governance Spirit’ (i.e. widespread system of shared meanings in which rules are followed) and ‘Weak Governance Spirit’ (i.e. a private system of meanings in which rules are not implemented).

Figure 1 – Risk Aspects Model of Risk Culture (IRM, 2012)

There can never be a single risk culture that is suitable for all environments. Risk culture cannot be prescribed to an organization; it must be specific to its profile and goals. 

It takes some effort to determine what risk culture should ideally be

By considering these multiple facets that make up a risk culture, it is possible to design a series of interventions. Shaping risk culture is something that can be done by design and intention, taking into account the specificities of each archetype. Failing to be intentional about risk culture, given its centrality to risk management effectiveness, is beginning to look like irresponsibility.

An ERM function must consider the extent to which the current culture needs to evolve over time, but a pragmatic perspective must start with the current situation. Do you know where your organisation’s risk culture is right now, and if not, do you want some help to find out?