Your Call and Rely were joined by a panel of experts to discuss how to lead an intelligent risk culture. Here is a summary of the key takeaways, together with a recording of the webinar.

What is a risk culture?

Risk culture is how an organisation manages risk. It is defined by the attitudes, behaviours, actions and everyday practices at an individual and group level that shape how current and emerging risks are managed. It often shows up in everyday decisions and in the risk assessment criteria employees base those decisions on.

Once just a theory, a clear definition of risk culture that is understood from the top down and the bottom up is now a must-have, especially for organisations in highly regulated industries, such as financial services, healthcare, aged care, disability care and education.

Risk culture is a subset of organisational culture.


“Risk culture starts at the top, but without the echo from the bottom, it remains nothing more than a vision.” Anne-Marie Paterson, Executive Program Director, Risk Transformation, HSBC

How is risk culture articulated?

It’s more common to see a suite of policies that cover risk culture than a specific risk culture policy. Organisations also define a target ‘risk culture’ state, which is a goal and a strategy to work towards.

Organisations may feel they have risk culture covered within different policies, but a clear definition of the risk culture sometimes remains ‘unsaid’. In this instance, the hope is that employees will understand how to make intelligent risk decisions, and that this understanding will trickle down from leaders to employees. This approach places the onus on employees to interpret what level of risk is acceptable.

What role does whistleblowing play in risk culture?

Risk culture is an important topic for boards and leadership to always consider but especially when the macro environment is volatile. 

Empowering employees to recognise risks and manage them intelligently in an agile way is very important, especially with hybrid work, where leaders have less visibility of what’s going on. Employees are often aware of significant risks that are not on the radar of boards or executives, so it is important that leaders encourage employees to “see something, say something”. For example, if employees see intentional or unintentional breaches of IT security protocols, encourage them to notify IT and report the breaches via the whistleblowing program. An IBM study estimated that organisations that contained a breach in under 30 days saved more than $1 million compared to those that took longer.

Connecting the dots between data from the whistleblowing program and other risk indicators also helps measure and monitor the organisation’s risk culture. For example, the largest global study of occupational fraud found that more than 20 percent of executives who commit fraud are also workplace bullies who intimidate their colleagues.

Is risk culture a handbrake for performance?

In short, no. A strong risk culture underpins strong performance.

Often, people will start a business asking – ‘How will I make money?’, rather than ‘How will I set up good governance or risk culture?’ But a better mindset is ‘How will I set up good governance, and risk culture, so the money that comes in will be safeguarded?’. It is more likely that finances will be harmed through poor risk culture.

How do I measure risk culture?

The panel recommended a blend of formal and informal approaches where middle management has the opportunity to set the tone. 

Qualitative methods include:

  • A discussion around risks taken during project post-mortems
  • Toolbox/work-in-progress meetings where risk decisions are on the agenda. Has anything been left unsaid?
  • Culture surveys
  • Conduct a root cause analysis and share findings with others
  • Use risk management gaps to build a business case

Quantitative measures include:

  • Customer feedback data
  • Whistleblowing data
  • Employee grievances
  • Employee turnover rate

Consider including risk culture as a KPI where employees are encouraged to reflect and take accountability for their risk-taking behaviours and decision-making.

Watch the webinar

In this webinar (1 hour), our panel of experts discuss:

  • What is an intelligent risk culture?
  • How to set up an intelligent risk culture, where everyone from the board to frontline staff understand how to manage risk
  • How to measure and manage the efficacy of your organisation’s risk culture
