An organisation’s risk culture has a major role to play in influencing its risk taking and control decisions. Organisations with the ‘right’ risk culture, whatever this might mean, will typically make more effective and profitable risk taking decisions, they will also be better able to anticipate potential loss events and recover quicker when things go wrong.

Despite the importance of risk culture it can prove a very difficult subject to manage in an effective way. This sound practice guidance paper provides insights into how risk culture can and should be managed, paying particular attention to the role of the operational risk function. Its key observations and recommendations are as follows:

  • Organisational risk cultures are affected by a range of factors, both internal and external. Organisations should understand these factors so that they can manage them in an effective manner.
  • Organisational risk cultures can and should be managed. There are a range of tools that can be used, including mechanisms such as strategy and structure; and effective communication and staff training.
  • Assessment of risk culture is possible, but care must be taken. Risk culture is a soft subject that is not amenable to precise measurement.
  • Risk culture change requires an integrated approach that combines operational risk professionals, HR and top leadership.