

How enterprise risk management influences risk culture

Strategy plays a dominant role in the success of a company. Effective risk management can support business strategy, including through one of its most-discussed components - risk culture.

Risk culture is a topic many companies struggle with. Nevertheless, it is the subject that unites all elements of an enterprise risk management (ERM) framework. ERM helps organisations identify potential risks and the controls in place. An organisation’s risk culture is the driving influence behind the management of these issues, as well as attitudes toward risk.

Although creating and sustaining a risk culture is challenging, it can serve as a foundational driver for a company’s long-term value and success. The Institute of Risk Management (IRM) defines risk culture as ‘the values, beliefs, knowledge, attitudes, and understanding about risk shared by a group of people with a common purpose’. This applies to all organisations, including private companies, public bodies, governments and not-for-profits.

Each organisation’s risk culture is unique and cultivated internally - driven by employees and staff. As a result, the complexities of risk culture are influenced by many factors such as leadership, incentive structure, operational protocols, and stressors, including workload and challenging working environments. 

Why risk culture is important now

The Strategic Risk Global Benchmarking Risk survey of 2023 reveals risk culture has soared up the risk agenda. When asked where risk professionals’ future efforts would focus, survey respondents identified risk culture (40%), risk appetite (36%), and ESG and sustainability risk (32%) as the top three priorities. This suggests directors should act decisively to bring risk management and culture into their regular agendas.

International governance regulations emphasise the criticality of risk culture. The presence of a ‘healthy’ risk culture permits an organisation to take controlled and well-informed risks. This can help minimise unnecessary exposures, unwelcome uncertainties, or even future disasters. Furthermore, an effective risk culture can protect enterprise value, actively assist with share price recovery in case of shock, mitigate exposure to operational practices, enhance workforce productivity, and avert incidents with significant consequences. 

Risk culture should be tailored to the needs and strategic objectives of each organisation. An effective risk culture must be consistent, transparent, proactive, and aligned with the organisation’s overall culture. However, achieving this in today’s volatile corporate, economic, political, and social environment can be difficult. 

How to effectively implement risk culture

Problems with business and risk culture are frequently at the heart of organisational scandals and collapses - consider the recent example of Silicon Valley Bank. Conversely, a strong risk culture can ensure risk management is sufficiently implemented at all levels of a company, leaving the organisation better positioned to achieve its overall strategic and operational goals.

Successfully creating an appropriate risk culture requires both time and commitment. Business leaders should play a prominent role in demonstrating the importance of risk culture and educating their organisations about it.

It also requires paying attention to the ‘people-side’ of ERM. Without the support and involvement of employees, organisations will not be able to achieve long-term results or ensure business viability. Introducing a ‘people-centred’ approach in corporate decision-making, incentivising employees (via monetary and non-monetary based incentives) and promoting ‘healthy’ working hours can enable employees to become a risk management ‘asset’. 

However, getting started and maintaining momentum can often be difficult.

Basic roadmap – where to start 

Organisations seeking to build an effective risk culture must clearly define the type of risk culture they want to pursue. This crucial first step requires an organisation to deeply comprehend and assess any existing risk culture. Such actions can enhance a business’s understanding of important areas for improvement, as well as provide insights into strengths and weaknesses related to potential risk culture changes.

In addition to these initial steps, organisations should consider the following points for delivering a strong risk culture:

  • Creating a clear and well-communicated risk strategy.
  • Launching a consistent tone from the top of the business regarding risk. 
  • Encouraging enhanced transparency from the board and senior management regarding risk governance and management.
  • Establishing clear risk responsibilities and accountabilities. 
  • Promoting a mindset that boosts continuous improvement.
  • Fostering an environment to learn from mistakes and near misses by encouraging risk event reporting and whistleblowing.
  • Creating tangible incentives for people to ‘do the right thing’ and think about the overall health of their organisation.


A strong risk culture is key to a successful ERM framework. Embedding risk culture within an organisation can improve resilience to external influences and provide better adaptability. Risk culture can pose numerous challenges, including in both its cultivation and its maintenance. However, an established, ‘healthy’ risk culture can provide value to an organisation, as well as complementing the existing ERM.