
Changing risk culture and the dynamic CRO


By Alasdair Wood | April 15, 2019

Establishing a consistent and enterprise-wide risk management framework, supported by a strong risk culture, aids business resilience. It can also help organizations identify and take advantage of the right strategic opportunities and ultimately gain competitive advantage.

Deficiencies in leadership, competence, communications and culture have been blamed for many of the worst industrial accidents and environmental disasters. Rogue traders causing huge losses for investment banks and significant reputational damage can even be traced back to flaws in risk behavior.

Success of strategic initiatives and of risk management requires a good risk culture. This article from our “Year in the life of the strategic CRO” series provides a starting point for CROs to reflect on their companies’ risk culture.

Equally, an inappropriate risk culture isn’t always about taking too much risk. Kodak was a trusted brand for over a hundred years, but its strategic failure to reinvent itself and exploit digital technology led to bankruptcy. Its culture meant that the company avoided decisions that seemed risky and instead developed policies that maintained the status quo rather than adapting to change.

Clearly, the prevailing risk culture within an organization can make it significantly better or worse at managing risks. The management of risk culture offers more than just a way of avoiding the downside. More and more firms are adopting the view that a strong risk culture, which can build consumer trust in organizations and markets and inspire employees, is in the economic interests of businesses and their shareholders. And the chief risk officer (CRO) is in a position to have a major impact on the strength of that culture.

The board shares that responsibility. Along with the CRO, board members need to set, communicate and enforce a risk culture that consistently influences and directs the strategy and objectives of the business. This starts with their own risk behaviors, attitudes and culture, and translates into concrete actions throughout the organization.

All organizations need to take risks to achieve their objectives. However, establishing a consistent and enterprise-wide risk management framework, supported by a strong risk culture, aids business resilience. It will help them identify and take advantage of the right strategic opportunities and ultimately gain competitive advantage.

Managing and improving risk culture

In a volatile and changing business environment and with pressure from shareholders to achieve quarterly performance results, long-term work on risk culture often takes a back seat to short-term targets. However, while achieving quarterly goals can help to satisfy shareholders, it can also impede strategic success. To influence and improve a risk culture, an organization must use both a top-down and bottom-up perspective. Doing so will help identify and mitigate risky behaviors, helping to reduce, for example, fines and claims, and ultimately help lower the total cost of risk.

An integrated, forward-looking approach to risk management, founded on a clear understanding of the organization’s risk culture and its influences, gives leaders the power to shape strategy to match desired outcomes. This can be the difference between success and failure.

The role of boards and CROs is to clearly articulate a balanced and business-orientated view of risk – the “tone from the top” identified by regulators. This then forms the basis for educating and advising the rest of the organization and bringing about change.

Changing a risk culture

Risk cultures develop over time, and leaders play a crucial role in helping them mature. Training for people with crisis management responsibilities and leadership workshops can provide staff with the knowledge and skills that build and reinforce a strong risk culture throughout an organization, as can testing and employee surveys.

Applying psychometric assessments to employee groups that manage risk or represent material risk exposure, for instance, can help organizations understand their combined risk profile. Assessing leadership can help organizations see their senior management group’s propensity for unduly risky or risk-averse behavior, and whether the tone set from the top matches the desired risk profile.

Measuring risk culture is important for internal assessment and risk culture management, and will help companies meet relevant regulatory and governance requirements. Cultural characteristics can be identified, measured and understood using risk profiles and tailored employee surveys, which can help the organization consider key questions such as:

  • How safe do people feel it is to speak up?
  • How do they view the example set by leaders?
  • Do employees feel a sense of personal responsibility for managing risks in the business?
  • Do they feel it is necessary to adhere to risk controls?
  • Do performance management or bonus metrics make them more prone to risky behavior?

What does a good risk culture look like?

Ultimately, an effective risk culture enables and rewards individuals and groups for taking the right risks in an informed manner.

A successful risk culture includes:

  • A distinct and consistent tone from the top, making clear which risks are positive and potentially beneficial and which are negative and should be avoided or controlled
  • A holistic approach, ensuring governance and control systems and risk parameters are aligned with HR programs, bonuses and other non-monetary incentives
  • Consideration of wider stakeholder positions in decision making
  • A common acceptance throughout the organization of the importance of continuous management of risk, including clear accountability for and ownership of specific risks
  • Transparent and timely risk information flowing up and down the organization with bad news rapidly communicated without fear of blame
  • Encouragement of t reporting and whistle blowing
  • No process or activity considered too large, complex or obscure for the risks to be readily understood
  • Appropriate risk taking behaviors rewarded and encouraged and inappropriate behaviors challenged and sanctioned
  • Risk management skills and knowledge valued, encouraged and developed, with widespread membership in professional bodies. Professional qualifications supported as well as technical training
  • Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged
  • A commitment to ethical principles
  • Alignment of culture management with employee engagement

Developing a risk culture where none existed previously, or where the risk appetite was erratic or at odds with the strategic goals of the company, is obviously difficult. But for organizations that are operating in a competitive market with an increasing degree of oversight from activist investors and governments, it is essential if the business is going to operate and thrive.


Alasdair Wood
Senior Director, GB Reward Practice Leader
