February 10, 2022


[Extract from Hillson, D. (2013). ‘The A-B-C of risk culture: how to be risk-mature’. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute (www.pmi.org, accessed 08-02-2022) & ‘The Importance of Risk Culture to Your Risk Management Structure’, January 10, 2017 | By Scott Unterrheiner | Enterprise Risk Management (www.genre.com, accessed 08-02-2022)]

The development of good organisational risk culture is critical for risk management. Risk culture exists at different levels within an organisation, and these levels need to be coherent and aligned. Developing and maintaining a strong positive risk culture is important for several reasons, including its influence on compliance, organisational performance and risk management effectiveness.

Risk culture is also a determinant of organisational success and failure. The desired risk culture should be actively communicated to all staff, and appropriate risk-related behaviour should be actively promoted and encouraged. A positive cycle is created where acting properly towards risk creates a strong risk culture, and that in turn encourages the right risk-related behaviour. Risk culture drives risk thinking and attitudes as well as risk-taking behaviour. Inappropriate or immature risk culture can cause problems by leading a group to take either too much risk or too little.

Having an appropriate risk culture aids the transition from mere compliance to something that creates value for an organisation. In some cases, adequate frameworks are in place but they are not embedded in business operations due to misaligned risk culture. Risk culture is manifested in how an organisation reacts to uncertainty and risk and is organisation-wide (operational, strategic, market/investment, and underwriting). An appropriate risk culture that is aligned with business strategy ensures that all members of an entity approach risk in the manner that senior management and the Board expect.

Risk culture should be the focus of the business operations and risk management functions. Risk culture is essential for the success of enterprise risk management (ERM). It is a building block of the success of ERM, which is essential for developing good risk management practice. A dedicated risk management function is headed by the Compliance Risk Officer (CRO). The Board is the owner of risk management, and the baton is passed to the CRO to lead the race of developing risk management. One of the key components of ERM is the risk culture, that is, how every employee uses risk management in practice.

There is a great need to develop the risk culture. Underdeveloped risk culture is a breeding ground for operational risks. Operational risks result from the failure of people, processes, and systems, resulting in losses. The most important requirement for ERM to succeed is for the first line of defense to think like a manager. Risk culture is essential for fully embedding ERM within an organisation; the exercise should continue until employees are able to identify the risk in their own work.

Developing an appropriate culture should not be limited to the senior leadership of an organisation, but needs to be addressed and communicated at all levels, leading to an aligned and coherent culture across the entire organisation. It would help the organisation to identify its risk literacy, which will in turn help in developing the risk culture. The maturity of an organisation on risk issues will contribute to how proactive the risk function can be in supporting strategy. Risk culture remains a developing area.

Please note that our blog posts are informal commentaries on developments in compliance management risk governance at the time of publication and not legal advice.

About the author 

Sipho Nkosi

Sipho Nkosi is an experienced Legal Professional with a demonstrated history of working in the legal services industry. A strong legal professional with a B Proc degree focused in Law from the University of Natal (Howard College), with a keen interest in corporate governance and a profound insight into Compliance Risk Management. Skilled in litigation and procedural law, and an affiliate member of the Compliance Institute Southern Africa.
