Translating risk culture into action

Embedding a strong risk culture is vital for effective governance and decision-making. In this context of growing uncertainty, the ECB's 2024 Guide on Governance and Risk Culture highlights the importance of strong governance structures to strengthen risk culture within financial services and ensure decision-making is aligned with risk management practices. Effective risk management is not just about implementing controls or conducting periodic assessments, it requires a deeply embedded risk culture that aligns with the organization's mission and strategy. However, many companies struggle to integrate risk awareness into their decision-making processes and day-to-day operations.

These organizational challenges include:

• Insufficient C-level and C-level -1 engagement: Risk culture often remains disconnected from strategic objectives, resulting in limited attention at senior management levels.
• Limited organization-wide engagement: Company culture is often rigid. Adoption of a new risk culture requires buy-in across the entire organization to be effective.
• Difficulties in translating culture into action: Risk culture is often recognized as the reason “why we failed” when things go wrong, but rarely are actions taken to improve the risk culture.

This article explores these challenges in depth and provides actionable strategies for fostering an organization-wide risk culture. By addressing leadership engagement, practical implementation actions, and measuring the effectiveness of actions taken, companies can bridge the gap between recognizing the importance of risk and embedding it as a fundamental component of their corporate DNA.

The importance of an embedded risk culture in your organization

Risk culture can be defined as the blend of collective mindsets, shared norms, attitudes, and behaviors that guide how risks are identified, assessed, and managed across all levels of an organization. It influences decision-making at both the staff and leadership levels, determining how risks are approached and handled daily. When an organization’s risk culture is aligned with its strategic goals and core values, risk management becomes a proactive, integral part of decision-making, rather than a reactive process.

Moreover, organizations are facing numerous ‘push factors’ in today’s dynamic and fast-paced environment, such as growing pressures from governance, reporting, regulatory scrutiny, economic uncertainties, and the ongoing transformation driven by digitalization and automation. A robust risk culture helps organizations navigate these challenges, positioning them for long-term success. The benefits of a robust risk culture include:

• Reducing the risk of fraud and integrity incidents: A strong culture fosters vigilance and accountability.
• Promoting ethical behavior: Employees act in line with organizational values when risk culture is well-defined.
• Facilitating the reporting of internal incidents: Employees feel safe to report concerns, speeding up resolution.
• Boosting employee engagement and attracting talent: A supportive culture makes employees feel valued and improves recruitment.
• Fostering innovation: A secure environment encourages calculated risks that drive innovation.
• Improving public reputation: Strong risk management practices earn trust from customers and the public.
• Enhancing financial performance: Better risk mitigation leads to fewer disruptions and stronger financial results.

Investing in risk culture is not just beneficial, it is a strategic asset. It ensures greater resilience and long-term value for the organization, making risk management an integral part of core operations.

Assessing risk culture: Key indicators and methods

Understanding and assessing your organization's risk culture is crucial in identifying areas for improvement and pinpointing strengths. A thorough evaluation of risk culture and governance practices can provide valuable insights into how risks are viewed, communicated, and managed at all levels, which is essential for addressing root causes of incidents and implementing meaningful change.

To effectively assess risk culture, organizations can use both qualitative and quantitative research methods, combining structured phases to gather a holistic understanding of their current state.

This methodology can be broken down into the following steps:

• Initial Screening and Qualitative Insights: Screening key governance documents - such as risk appetite statements, remuneration policies, and codes of conduct - provides an initial understanding of the formal approach to risk culture. Interviews with key stakeholders help to uncover underlying perceptions and attitudes, forming a base for deeper investigation.
• Customizing the Measurement Approach: The measurement approach is refined by selecting key indicators specific to the organization's structure and strategic objectives. These indicators ensure relevance and accuracy in capturing organizational attitudes toward risk. Employee surveys may be integrated to gather broader insights.
• Data Collection & Validation: Data collection includes surveys, in-depth interviews, and focus group discussions. Surveys are a powerful tool for measuring risk culture, as they allow organizations to target large populations and identify differences between departments, entities, and subcultures. These methods allow both quantitative metrics and qualitative insights to be gathered, with the latter providing validation of the survey results and offering a deeper understanding of the organization’s risk culture.
• Risk Culture Analysis and Evaluation: The collected data is analyzed and evaluated to identify strengths and areas for improvement across the key dimensions of risk culture, helping to pinpoint actionable insights for development.
• Actionable Insights & Continuous Monitoring: The final phase involves translating insights into actionable steps through workshops and stakeholder engagements. These initiatives should be embedded into the organization’s internal control framework for continuous monitoring, ensuring alignment with strategic risk objectives.

This structured assessment approach allows organizations to gain a comprehensive, evidence-based understanding of their risk culture, laying the foundation for targeted interventions that enhance alignment with organizational objectives. In this context, the assessment criteria are guided by eight soft controls dimensions, offering a comprehensive framework for evaluating the behaviors and practices that influence risk culture within an organization:

• Incentives and Enforcement: Measures how employees are held accountable for misconduct and rewarded for risk-conscious behavior.
• Comfort to Report: Refers to how safe employees feel when addressing misconduct or risky behavior.
• Openness to Discuss Dilemmas: Highlights how often employees engage in discussions about ethical dilemmas and desired behaviors.
• Transparency: Involves how clearly misconduct and its consequences are communicated within the organization.
• Clarity and Communication: Reflects how well expectations for risk-conscious behavior are communicated to employees.
• Tone at the Top and Role Modeling: Focuses on whether leadership sets a positive example of risk culture through their actions.
• Support of Employees: Concerns whether employees are encouraged to use corporate resources appropriately and are aware of leadership and stakeholder interests.
• Enabling Environment: Refers to the resources and support provided to employees to meet expectations of desired behavior.

Strengthening risk culture: Success factors and actions

A strong risk culture does not develop overnight. It requires deliberate effort, leadership commitment, and continuous reinforcement. Organizations that successfully embed risk awareness create an environment where managing risk is not just a compliance exercise but a fundamental part of decision-making.

To strengthen risk culture, organizations need to take several interconnected steps, focusing on four key success factors:

• Aligning risk culture with mission, strategy, and purpose: Risk-management processes and procedures must be aligned with the organization’s strategy and top-level decision making, ensuring that risk culture is integral to day-to-day operations and genuinely committed to addressing risks.
• Encouraging people to speak up and take visible action: It is essential that everyone in the organization feels responsible for raising concerns, and that they are acknowledged and rewarded for doing so. Organizations should focus on whether people will act as expected, especially in times of crisis.
• C-level and middle management behavior: Since behaviors are learned by observing others, leaders must model the behaviors that support the organization’s purpose and actively reward the right behaviors from top to bottom.
• Constant communication as a key ingredient: Building the right risk culture requires ongoing, jargon-free conversations, tailored through training, forums, and regular communication channels, rather than simply communicating values in a static way.

By focusing on these key success factors and implementing practical actions, organizations can strengthen their risk culture, embedding risk awareness throughout their operations and decision-making processes.

Conclusion

In conclusion, building and maintaining a resilient risk culture requires a comprehensive and strategic approach that aligns leadership, governance, and operational practices. The foundation of this culture is built on strong internal governance, where clear structures, board oversight, and defined roles ensure effective risk management across all levels. Leadership behavior and decision-making processes are pivotal, setting the tone for risk-aware attitudes throughout the organization.

Organizations must embed risk management into their daily operations through proactive, structured practices, ensuring that risk is integrated into decision-making, processes, and strategic objectives. The eight dimensions of soft controls provide a framework that guides how risk should be properly embedded in day-to-day operations.

To reinforce and sustain this culture, supporting factors like effective communication, tailored training programs, and targeted incentives are critical. These elements help drive consistent risk-conscious behaviors and ensure that the principles of risk management are not just understood but actively applied throughout the organization.

By focusing on these interconnected pillars, organizations can build a robust risk culture that not only protects against uncertainties but also drives informed decision-making, innovation, and long-term sustainability in an increasingly complex and dynamic business environment. Additionally, quantifying risk culture and measuring it on a recurring basis is crucial to ensure continuous improvement and alignment with organizational objectives.

How KPMG can help

At KPMG, we stand ready to support organizations in strengthening their risk awareness and culture by providing guidance, insights, and tailored solutions to address specific challenges and objectives. Our approach includes assessing the maturity of your current risk culture, identifying gaps and areas for improvement, implementing targeted initiatives to embed risk awareness across all levels, and offering hands-on support to drive tangible cultural change.

At the core of our methodology lies the KPMG Risk Culture Model, a research-backed framework developed from the analysis of 150 cases of organizational misconduct. This model identifies eight key cultural dimensions that shape behavior, ensuring a structured approach to fostering a strong risk culture while mitigating undesirable tendencies. By leveraging this model, we can translate insights into actionable steps, helping organizations build a mature, risk-aware culture that aligns with their strategic objectives.

Authors: Olivier Demeyer, Advisor & Naomi Kerremans, Senior Manager Advisor & Raphaël Schair, Principal