Building a Strong Risk Culture

  • Mike Stramaglia, FSA, FCIA, CERA, Executive in Residence, Global Risk Institute


Even the most casual observer will notice that newspaper headlines continue to be fueled by a steady stream of corporate scandals, malfeasance, and other assorted conduct and risk management “missteps”. While no industry, sector, or region appears to be immune to these incidents, the financial services sector seems to have gained a particularly prominent profile in this regard (e.g., rogue trading, misleading sales practices, Ponzi investment schemes, dubious accounting practices, market/benchmark manipulation, and, of course, the late-2000s financial crisis).

Not surprisingly, these events inevitably generate considerable post-mortem analysis and commentary, as regulators, boards, management, and other key stakeholders strive to understand the root causes, and how these insights might help in preventing similar debacles from occurring.

A commonly recurring theme in much of the ensuing narrative and analysis is that these events are often directly attributable to some form of material “failure of (risk) culture”.

The obvious question this revelation raises for risk managers is “What organizational practices or conditions undermine the establishment of an effective risk culture, and hence our ability to avoid significant losses?” or, equivalently, but framed in more constructive terms, “What organizational practices/conditions help to foster a strong risk culture, and thereby increase our confidence in successfully achieving organizational objectives?”

The process of informing a response to these questions needs to begin with a clear definition of what constitutes a “strong risk culture”:

A strong risk culture can be attributed to an organization that consistently takes the right risks in the right way.

  • “Consistently” applies across multiple dimensions, including over time (not just periodically, or only during certain parts of the economic/business cycle, etc.), across the entire organization (all business units/entities/divisions, the corporate office, etc.) and up/down the management hierarchy (from the front lines all the way up to the boardroom with risk management expectations also explicitly extended to all third-party suppliers/intermediaries, etc.).

  • The “right risks” means actively taking only those risks that are aligned with the organization’s established risk appetite and its risk-taking capacity and skill, that are actually required to advance the organization’s strategy, mission, and objectives, for which the organization is adequately compensated, etc. Also note that this definition acknowledges that organizations need to actively “take” and manage risks in order to achieve their objectives. Strong risk cultures are not characterized by a persistent and uniform bias towards continual risk avoidance.

  • The “right way” implies that risk-taking follows robust risk assessment/measurement processes, is subject to proportionate ongoing risk oversight and control, and is carried out in a manner aligned with organizational values, etc.

With this working definition in mind, it is possible to identify key management practices and conditions that often play a critical role in shaping an organization’s risk culture. These include the organization’s risk appetite articulation and alignment, its ability to envision low-incidence/high-severity risks, its reward and recognition systems, its leadership practices, its continuous learning discipline, and its ability to foster constructive challenge. In order to illustrate how the above definition of a “strong risk culture” might help to shape management practices in these key areas, the first three of these are explored in more detail below. Each example is accompanied by a short description and questions that risk managers should consider in evaluating whether the current state of this practice/condition in their organization serves to foster a strong or a weak risk culture.