Non-Financial Risk as the Cultural Transmission System
- Julien Haye


Introduction: What Actually Shapes Risk Culture
Risk culture is rarely formed by values statements or leadership messaging. It is shaped by how non-financial risk is handled as work progresses and choices are made. Every risk decision sends a signal. Every escalation teaches a lesson. Every unresolved issue defines what is acceptable.
In most organisations, non-financial risk processes operate as designed. Risks are identified. Controls are documented. Issues are logged and tracked. Reporting is produced for senior forums. From a distance, the system appears orderly and disciplined. Assurance is generated. Governance routines are followed.
At the point of delivery, the experience is different. Judgement is exercised continuously to balance objectives, constraints, and uncertainty. Decisions are made about what can be absorbed locally, what can be deferred, and what must be surfaced. These decisions are rarely shaped by formal frameworks alone. They are shaped by how the system responds when risk becomes visible.
Over time, patterns emerge. Escalation is delayed because it rarely changes outcomes. Issues are resolved informally because formal pathways add friction without authority. Controls are preserved because removing them implies exposure. None of this reflects poor intent. It reflects how the organisation has learned to manage risk in practice.
This creates a structural disconnect. Governance encounters risk through summarised narratives and periodic forums. Delivery encounters risk through trade-offs, workarounds, and cumulative strain. Both perspectives are rational. Neither is dysfunctional in isolation. The problem is that non-financial risk is often designed to connect these perspectives only after choice has narrowed.
This article examines risk culture through that lens. It argues that non-financial risk is not merely a reflection of culture, but the system through which culture is taught, reinforced, and normalised. It explores why well-intentioned NFR frameworks frequently transmit the wrong behavioural signals, how cultural drift accumulates without crisis or misconduct, and what boards and risk leaders can observe and redesign if they want risk culture to change in practice rather than rhetoric.
Executive takeaways
For readers scanning rather than reading in full, five governing insights frame the argument that follows:
Risk culture is produced by system behaviour, not stated values. What gets escalated, delayed, or absorbed through non-financial risk teaches the organisation how risk is really managed.
Most NFR failures are system outcomes, not individual lapses. Frameworks often exist and operate as designed, yet still transmit the wrong behavioural signals.
Cultural drift accumulates through routine accommodation, not crisis. Delayed escalation, informal resolution, and narrow framing interact over time to absorb risk quietly.
The same NFR artefacts can shape behaviour or suppress it. Policies, RCSAs, escalation routes, and controls matter less than how they are used and what happens when they signal discomfort.
Boards see culture through outcomes, not frameworks. Surprise incidents, repeated issues, and late escalation indicate how governance design is influencing behaviour.
Reframing Risk Culture Through Non-Financial Risk
Risk culture is often discussed as a separate attribute of the organisation, shaped through leadership messaging, values statements, or behavioural initiatives. In this framing, culture sits alongside non-financial risk as a parallel concern. One focuses on attitudes and behaviours. The other focuses on processes, controls, and loss events.
This separation does not reflect how organisations actually operate.
In practice, risk culture is not something that exists independently of non-financial risk. It is produced through it. The way risks are identified, classified, escalated, challenged, and resolved defines what behaviour is expected, rewarded, or discouraged. Culture is not an overlay on the framework. It is an outcome of how the framework behaves in use.
Non-financial risk provides the infrastructure through which leadership intent becomes operational reality. Priorities expressed at the top are translated into thresholds, controls, escalation pathways, and consequence mechanisms. These design choices determine what is visible, what is tolerated, and what requires action. Over time, they shape how judgement is exercised across the organisation.
This is why attempts to assess or improve risk culture in isolation so often fall short. Surveys, training programmes, and tone-from-the-top initiatives may influence perception, but they do not alter the structural signals that govern everyday decisions. If the non-financial risk system rewards stability over visibility, or explanation over intervention, behaviour will adapt accordingly, regardless of stated values.
Reframing risk culture through non-financial risk changes the governance question. The issue is no longer whether the organisation has the right cultural aspirations. It is whether the design and operation of its NFR framework consistently reinforce those aspirations through decisions, escalation, and consequence.
From this perspective, culture is not soft. It is embedded, repeatable, and observable. It can be diagnosed by examining how non-financial risk actually functions under normal conditions, not by how it is described in principle.
Case Study: how culture determines NFR visibility
Supervisory evidence illustrates how cultural signals shape what enters the non-financial risk system. A 2024 survey by the Financial Conduct Authority highlights a persistent visibility gap in non-financial misconduct reporting:
Around 50% of incidents are identified through reactive channels, such as formal grievance processes, rather than routine management oversight.
The most frequently reported issues relate to bullying and harassment (26%) and discrimination (23%).
This matters beyond misconduct.
Where individuals do not feel safe raising behavioural concerns, they are unlikely to surface:
operational near misses
control weaknesses
early technology or data failures
Escalation pathways may exist, yet their use becomes conditional.
In these environments, non-financial risk frameworks do not fail because processes are missing. They fail because visibility carries perceived cost. Risk is contained locally until it can no longer be absorbed.
Key insight: An operational control does not function simply because it is defined. It functions only if people are willing to use it. Control effectiveness is therefore inseparable from the cultural signals embedded in governance.
👉 If you're interested in applying these principles in your organisation, explore our Risk Culture & Leadership Solutions.
The Great Disconnect: Why NFR Frameworks Fail as Cultural Transmitters
When a catastrophic failure occurs, whether a major data breach or a systemic conduct issue, the instinct is to look for individual wrongdoing. When non-financial risk (NFR) is viewed as a cultural transmission system, the pattern is usually different. The failure is rarely a human anomaly. It is a system outcome.
Many NFR frameworks are designed in ways that distort the signals they are meant to carry. When the operational interface of risk management is poorly calibrated, it does not simply miss risk. It reshapes behaviour. Staff adapt by prioritising delivery survival over risk discipline.
This distortion typically arises from five design choices that quietly weaken governance from within.
1. The Reporting Trap and the Illusion of Accountability
The most common failure occurs when NFR is designed for reporting rather than decision-making. In many organisations, risk management has drifted into compliance theatre. Data is collected to satisfy committees rather than to shape choices.
When a risk control self-assessment or key risk indicator exists primarily to populate a board pack, a clear signal is sent to the front line. The content does not need to be meaningful. It only needs to be complete. Risk becomes an administrative tax on time, and controls are treated as bureaucratic steps rather than operational safeguards.
This effect is reinforced when accountability is formal yet lacks authority. Individuals are named as risk owners while being denied budget, decision rights, or the ability to challenge commercially powerful stakeholders. Ownership becomes retrospective. It exists to absorb blame after failure rather than to prevent it.
2. The Collision Between Risk Appetite and Delivery Reality
Even well-designed frameworks often fail at the point of execution because risk appetite is approved centrally and neutralised locally. A board may adopt a zero-tolerance position on misconduct. Local incentives remain anchored to aggressive growth or throughput targets.
In practice, the structures that prioritise delivery dominate.
This creates a dual system. Staff sign off formal appetite statements they know cannot be met while operating according to informal rules that determine real success. Over time, the NFR framework becomes symbolic. Actual risk-taking moves outside formal visibility.
3. Escalation Without Protection
The social cost of telling the truth
The most damaging weakness in an NFR system emerges when escalation is technically available and socially unsafe. Whistleblowing channels and issue-logging tools may exist. Their presence is irrelevant if those who raise concerns are labelled difficult, excluded from decisions, or quietly penalised.
In these environments, bad news travels slowly. Issues are reframed, softened, or delayed as they move upward. Each layer strips away urgency to protect performance narratives. By the time risks reach senior forums, they no longer resemble operational reality.
Leaders are left governing a sanitised version of the organisation.
Learn more in our article: Why Risk Escalation Fails and How Control Replaces Transparency
4. Control Overload and the Persistence of Zombie Controls
Manual checks remain in place despite known ineffectiveness. Decommissioning is avoided because it implies past weakness or requires difficult decisions.
The result is control overload. Organisations accumulate long control inventories that signal assurance upward while delivery teams rely on informal workarounds to function. Control presence replaces control effectiveness as the primary success measure.
Leadership feels protected by volume. Exposure continues to grow unnoticed.
5. Fragmented Ownership and the Absence of Consequence
When everyone owns the risk, no one acts
The final failure arises when ownership is distributed without consequence. Risks that cut across functions are governed through consensus forums with no clear decision authority. Escalation stalls while alignment is sought.
In these systems, accountability activates only after impact materialises. Until then, responsibility remains conditional and negotiable. Staff learn that acting early creates friction while waiting carries little cost.
This dynamic completes the cultural loop. Risk is managed socially, not structurally.
Governing Insight
If the NFR framework functions as the nervous system of the organisation, these five design failures act as chronic interference. Signals are muted, delayed, or distorted. Pain is felt late, if at all.
When failure finally surfaces, it appears sudden. It has been carefully taught.
Case Study: When Reporting Replaces Authority
Sector: Universal bank
A recurring operational risk linked to legacy systems was identified through the firm’s risk control self-assessment process. The issue was logged accurately, reported consistently, and included in quarterly board materials with stable risk ratings and a clear remediation narrative.
The designated risk owner lacked authority to approve system investment and had no mandate to challenge delivery priorities. Each reporting cycle, the issue was rolled forward with updated timelines and assurances that compensating controls remained in place.
From a governance perspective, the framework functioned as designed. From an operational perspective, nothing changed. Teams learned that accurate reporting satisfied oversight requirements, while escalation did not alter outcomes.
What the NFR system transmitted: Risk ownership existed to explain exposure, not to reduce it.
How Cultural Weakness Accumulates Through NFR
Why failure rarely starts with misconduct or crisis
Cultural weakness in non-financial risk does not originate in misconduct or crisis. It develops through ordinary decisions made in routine operating conditions, where risk processes are present but not actively used to frame judgement.
In most organisations, NFR frameworks exist alongside day-to-day decision-making rather than within it. Risk assessments are completed, controls are documented, and issues are logged. These activities create visibility after decisions are taken. They rarely shape how choices are made at the point where exposure is created.
Over time, this separation produces drift.
One of the earliest manifestations is the treatment of escalation. Issues are identified and recorded, yet escalation is deferred because it is not required to progress work. Escalation becomes something that happens once thresholds are breached or outcomes are visible, rather than a mechanism for shaping options early. The organisation learns that escalation confirms problems. It does not inform decisions.
As escalation loses its role, informal resolution becomes the default. Teams address issues locally because they can. These local adjustments often work in the short term and reinforce the belief that formal NFR pathways are unnecessary for effective delivery. The framework remains intact, but its relevance to real decisions diminishes.
This shift is reinforced as issues are communicated upward. To maintain coherence and avoid unnecessary challenge, risks are framed narrowly. Language becomes technical. Impact is bounded. Structural causes are described as isolated or temporary. This reframing is not deceptive. It reflects how the organisation has learned to present risk in a way that fits existing governance rhythms.
The most damaging effects arise through interaction. Delayed escalation creates space for informal resolution. Informal resolution encourages further narrowing of how issues are described. Narrow framing reduces the perceived need for intervention. Each adjustment is rational in isolation. Repetition turns adjustment into norm.
As this pattern stabilises, the organisation becomes adept at absorbing risk without recognising it. Exposure accumulates quietly while governance processes continue to function as designed. By the time risk becomes visible at senior levels, choice has already been constrained.
Failure then appears sudden. In reality, it is the outcome of prolonged accommodation. The organisation has not ignored risk. It has learned, through routine use of its NFR system, how much exposure can be carried without consequence.
Case Study: How Drift Becomes the Operating Norm
Sector: Asset servicing
Operational issues affecting client reporting were routinely identified and logged. Early escalation was possible, yet rarely used, because local teams could resolve issues through manual adjustments without breaching formal thresholds.
These workarounds were effective and preserved service continuity. Over time, escalation became associated with failure rather than foresight. Issues that could be managed locally were reframed as isolated and temporary when reported upward.
Senior forums received accurate but narrowed information. The system appeared stable. When a series of issues eventually exceeded tolerance, available options were limited to remediation rather than choice.
What accumulated: Risk was absorbed through routine accommodation until strategic flexibility was lost.
What Stronger Organisations Do Differently
Designing NFR to intentionally shape behaviour
Organisations with more effective risk cultures do not abandon standard NFR tools such as policies, risk control self-assessments (RCSAs), issue management, or key risk indicators. They change how these tools are used, what decisions they are allowed to influence, and what happens when they signal discomfort.
The difference is not the framework. It is the operating logic applied to it.
In practice, risk appetite rarely becomes a universal decision rule. What changes is where it is translated. Stronger organisations do not attempt to operationalise appetite everywhere. They focus on a small number of high-exposure processes where decisions are costly to reverse. In these areas, appetite is reflected in escalation triggers, approval thresholds, and tolerances embedded into existing workflows. Appetite stops being something teams attest to annually and starts shaping when decisions must pause, who must be involved, and what trade-offs require senior attention.
RCSAs also change role. In weaker environments, they function as completeness exercises. Risks are identified, controls are mapped, and scores are justified to achieve stability. In stronger environments, RCSAs are used selectively as decision preparation tools. Attention is directed to a limited set of risks where control fragility, reliance on workarounds, or repeated issues suggest exposure is increasing. The outcome is not a cleaner risk register. It is a clearer view of where management judgement is being stretched.
Ownership is reinforced through how issues are handled. Issue management stops being a tracking mechanism and becomes a forcing function. When the same issue reappears, the response is not a revised action plan. It is a change in priority, funding, or operating model. Authority and ownership are tested through consequence, not reaffirmed through explanation. This is what prevents ownership from becoming symbolic.
Escalation also changes in meaning. In many organisations, escalation is treated as evidence of failure or insufficient resilience. In stronger environments, escalation is explicitly linked to decision uncertainty. Issues are escalated when trade-offs cannot be resolved locally, not when thresholds are already breached. Leaders engage with the decision being requested, not the quality of the underlying paperwork. Over time, this alters behaviour. Escalation becomes a way to manage exposure rather than a reputational risk.
Controls are treated with similar discipline. Rather than expanding control inventories, stronger organisations periodically remove controls that no longer influence behaviour or decision quality. Control effectiveness is assessed by whether it changes how people act under normal conditions, not by whether it exists in policy or testing documentation. This prevents control overload and reduces reliance on informal workarounds that sit outside the NFR framework.
The role of the second line shifts accordingly. Instead of validating completeness or enforcing procedural compliance, it focuses on challenge where decisions are being made close to tolerance, where issues repeat, or where escalation patterns change. The second line uses existing artefacts to highlight trade-offs and consequences, not to police form. This increases the likelihood that risk insight is absorbed rather than managed around.
The transition from reporting-focused NFR to behaviour-shaping NFR is often assumed to require wholesale cultural transformation. In practice, progress usually comes through selective redesign rather than comprehensive overhaul. Organisations rarely change everything at once. They change where decisions are most material, where escalation is most contested, and where repeated issues signal that existing mechanisms are no longer influencing behaviour.
This makes the transition manageable. Existing policies, RCSAs, issue management processes, and escalation routes are not replaced. They are used differently in a small number of high-impact areas. Early changes focus on how escalation is received, how repeated issues are treated, and whether risk insight alters priorities or investment. These shifts are visible quickly and tend to propagate without formal rollout.
The Risk Within provides a roadmap for embedding psychological safety into risk management. It identifies critical touch points across the risk lifecycle and offers clear actions to align leadership, culture, and governance. It is designed to help risk functions integrate more deeply into the business and strengthen decision-making at every level.
Implications for Boards and Risk Leaders
From risk frameworks to behavioural infrastructure
At board level, non-financial risk is rarely encountered through frameworks or policies. It is encountered through outcomes. Escalations that arrive late. Issues that reappear. Incidents that feel sudden despite prior assurances. These are not signals of missing controls. They are signals of how the organisation has learned to behave.
Boards are often told that surprise incidents reflect execution failure or unforeseen complexity. In practice, they usually indicate cultural drift that has been accumulating within the non-financial risk system. The organisation has been absorbing exposure in the background while maintaining formal stability. When tolerance is finally breached, the board experiences it as a shock. The system has been signalling this trajectory for some time.
What boards are observing through NFR outcomes is not simply risk materialisation. They are observing the effectiveness of behavioural cues embedded in governance. Repeated late escalation suggests that visibility is costly. Persistent reclassification of issues suggests that reassurance is valued over challenge. Stable risk ratings alongside recurring incidents suggest that reporting has replaced intervention.
It is sometimes argued that these signals are subjective and therefore less reliable than formal metrics. In practice, they are no more subjective than the interpretation of dashboards or thresholds. Late escalation, repeated reclassification of issues, stable risk ratings alongside recurring incidents, and declining near-miss reporting are observable patterns, not opinions. They are produced by the system’s design and can be tracked over time.
The difference is that these indicators describe behaviour rather than status. They do not replace quantitative metrics. They contextualise them. Where metrics show what has happened, behavioural signals show how the organisation is responding. Together, they provide a more complete picture of risk exposure than either can alone.
This distinction matters because it changes the nature of board oversight. If incidents are treated as control failures, the response is to add controls, commission reviews, or demand more reporting. These actions often reinforce the very behaviours that produced the surprise. If incidents are understood as evidence of cultural drift within NFR, the focus shifts to how decisions are framed, how escalation is received, and how ownership is exercised.
For risk leaders, this reframing is equally significant. The effectiveness of the risk function is judged less by framework completeness and more by whether NFR signals alter decisions before outcomes harden. Where risk insight leads to investment reallocation, priority shifts, or explicit trade-offs, trust builds. Where risk insight leads only to explanation and assurance, trust erodes.
Design choices within NFR directly influence this dynamic. Frameworks that reward stability over visibility weaken trust over time. Escalation pathways that emphasise justification rather than decision discourage early engagement. Ownership structures that lack consequence signal that risk accountability is symbolic. Boards may not see these choices individually, but they experience their cumulative effect.
Moving from risk frameworks to behavioural infrastructure requires boards and risk leaders to adjust their line of sight. The question is no longer whether NFR processes exist or whether reporting is complete. It is whether the system consistently encourages the behaviours the organisation claims to value. Trust is reinforced when NFR changes what happens next. It is weakened when it merely explains what has already occurred.
Our Risk Leadership Diagnostics help leaders identify behavioural blind spots and shape more accountable risk decisions.
Conclusion: The Governing Insight
Non-financial risk does not merely reflect risk culture. It shapes it continuously through the signals embedded in everyday governance. Each unresolved issue, delayed escalation, and preserved control communicates what the organisation values in practice. Over time, these signals accumulate into norms that are stronger than any stated expectation.
This is why risk culture cannot be corrected through messaging or training alone. Culture is learned through consequence. When issues recur without decision change, the system teaches tolerance. When escalation leads to explanation rather than action, the system teaches caution. When controls persist despite known fragility, the system teaches appearance over effectiveness.
Risk culture is therefore not a separate layer to be assessed alongside frameworks. It is an outcome of how the non-financial risk system behaves under normal conditions. Leaders do not need to ask whether culture is strong or weak in the abstract. They can observe it directly in how risk information alters priorities, reallocates investment, and shapes judgement.
For boards and risk leaders, the implication is clear. Strengthening risk culture requires redesigning how non-financial risk operates as behavioural infrastructure. The objective is not more control, more reporting, or faster assurance. It is to ensure that the system consistently rewards visibility, early engagement, and decision clarity.
Risk culture is not what leaders say. It is what the non-financial risk system allows to persist, repeat, and be normalised.
About the Author: Julien Haye
Managing Director of Aevitium LTD and former Chief Risk Officer with over 26 years of experience in global financial services and non-profit organisations. Known for his pragmatic, people-first approach, Julien specialises in transforming risk and compliance into strategic enablers. He is the author of The Risk Within: Cultivating Psychological Safety for Strategic Decision-Making and hosts the RiskMasters podcast, where he shares insights from risk leaders and change makers.




