  • Julien Haye

What is Risk Culture

A positive risk culture promotes a proactive and innovative culture, where employees contribute to the risk management strategy.

Enron reportedly cost its shareholders $74 billion, making it the largest bankruptcy in U.S. history up to that point. Enron was a prime example of how a toxic risk culture, combined with unethical behaviour and a lack of transparency, can lead to catastrophic consequences for an organisation and its stakeholders.

A positive risk culture promotes a proactive and vigilant approach to risk management, fostering an environment where employees understand their roles in managing risks and are empowered to contribute to the overall risk management strategy. On the other hand, a poor or toxic risk culture can lead to complacency, poor risk oversight, and inadequate responses to emerging risks, potentially exposing the organisation to unforeseen challenges or to its downfall, as the Enron saga illustrates.

What is Risk Culture

Risk culture refers to the values, beliefs, attitudes, and behaviours within an organisation regarding risk management. It encompasses the collective understanding and approach that an organisation takes towards identifying, assessing, prioritising, and managing risks. A strong risk culture is essential for effective risk management and risk governance, as it influences how employees at all levels of the organisation perceive and respond to risks.

The key components of risk culture include:

  • Risk Awareness: The extent to which individuals within the organisation are aware of potential risks and uncertainties.

  • Risk Appetite: The organisation's willingness to take on and tolerate risks in pursuit of its objectives. This involves setting clear boundaries for risk-taking.

  • Risk Communication: The effectiveness of communication regarding risks, ensuring that relevant information is shared across the organisation in a transparent and timely manner.

  • Responsibility and Accountability: The extent to which individuals and teams within the organisation are held responsible and accountable for managing the risks associated with their activities.

  • Learning and Adaptation: The organisation's ability to learn from past experiences, both successes and failures, and adapt its approach to risk management accordingly.

  • Risk Decision-Making and Risk Evaluation: How risk considerations are integrated into decision-making processes within the organisation.

Integration with Organisational Culture

Beyond these individual components, it's crucial to recognise how risk culture integrates with the broader organisational culture. This integration ensures that risk management is not a standalone practice but woven into the fabric of the organisation. For instance:

  • In a company with a strong innovation culture, risk-taking may be encouraged to foster creativity. The risk culture aligns with the broader organisational culture, creating a synergy that promotes calculated risk-taking in pursuit of innovation.

  • In contrast, an organisation with a conservative culture may prioritise risk mitigation and adherence to established protocols, reflecting a risk culture that aligns with the broader emphasis on stability and reliability.

Understanding this integration is pivotal for organisations seeking to build a cohesive culture that effectively navigates challenges and opportunities while staying true to its core values. By aligning risk culture with broader organisational culture, companies can create a harmonised approach to risk management that resonates at every level of the organisation.

For example, in an innovation-centric culture:

  • Organisational Culture: Imagine a company known for its cutting-edge products and emphasis on innovation, like IDEO, the global design and innovation firm. This organisation fosters an environment where creativity is celebrated, and calculated risk-taking is encouraged to drive ground-breaking advancements.

  • Risk Culture Integration: In such a setting, the risk culture aligns with the broader organisational culture by promoting risk-taking as a means to foster creativity. Employees are encouraged to experiment, knowing that calculated risks are essential for innovation. The risk culture synergises with the organisation's emphasis on pushing boundaries and exploring new frontiers.

Enron’s Risk Culture

Examining Enron's downfall through the lens of key risk culture components unveils the underlying deficiencies that precipitated its demise.

  1. Financial Manipulations and Deficiency in Risk Awareness: Enron's risk culture was marred by a lack of awareness regarding the true financial health of the company. Employees were unaware or misled about the precarious financial situation, contributing to a false sense of security.

  2. Lack of Transparency and Poor Risk Communication: Enron's leadership failed to foster transparent communication. Key financial information was concealed from investors, regulators, and even internal stakeholders, eroding trust and impeding informed decision-making.

  3. Failure of Governance and Risk Oversight: Enron had a board of directors and executives who either actively participated in or turned a blind eye to the financial misconduct. This equates to a failure in corporate governance, with conflicts of interest among executives and inadequate oversight from the board.

  4. Incentives for Unethical Behaviour: Enron had a corporate culture that rewarded excessive risk-taking and short-term financial gains. Employees were incentivised to meet ambitious financial targets, and those who raised concerns about the company's practices were often marginalised or ignored.

  5. Crisis of Confidence: When the truth about Enron's financial condition became public, it led to a loss of confidence among investors, employees, and the public. The company's stock price plummeted, and it filed for bankruptcy in December 2001, resulting in one of the largest corporate collapses in history.

  6. Tone from the Top: Enron's leadership, including key executives and the board of directors, set a tone that tolerated unethical practices. The emphasis on financial success at any cost permeated the organisation, influencing decisions that prioritised immediate gains over long-term sustainability.

  7. Impact on Decision-Making: The leadership's endorsement of aggressive risk-taking practices influenced decision-making at all levels of the organisation. Employees were driven by a culture that rewarded excessive risk-taking without due consideration for the potential consequences.

  8. Role in Cultural Norms: Enron's leaders played a pivotal role in shaping cultural norms that tolerated and, in some cases, encouraged unethical behaviour. The lack of ethical leadership created an environment where individuals were reluctant to challenge the prevailing culture, contributing to a systemic failure.

How to measure risk culture

Understanding and assessing an organisation's risk culture is a critical undertaking that can significantly impact its long-term success and sustainability. The effectiveness of risk management practices, ethical and risk decision-making, and overall organisational resilience are directly influenced by the prevailing risk culture.

In my experience, measuring risk culture can be a complex task as it involves assessing the values, beliefs, attitudes, and behaviours of individuals within an organisation towards risk. With that, risk functions should consider both quantitative and qualitative data to develop a comprehensive understanding of their organisation’s risk culture. Regular assessments allow for adjustments to be made to improve risk culture over time. While there isn't a one-size-fits-all approach, here are several methods and indicators that organisations commonly use to measure risk culture:

Importance of Assessing Risk Culture

Before exploring the methods of measuring risk culture, it's essential to underscore why such assessments are vital for organisations. The very fabric of risk culture influences how employees engage with uncertainty, make decisions, and contribute to the overall risk management strategy. A thorough understanding of an organisation's risk culture provides leadership with valuable insights into potential vulnerabilities, areas of improvement, and opportunities for enhancing resilience.

Implications of Poor Risk Culture

A poor risk culture can have profound consequences for an organisation, as exemplified by the case of Enron. The Enron scandal serves as a sobering reminder of the real-world implications of inadequate risk culture. The consequences included financial manipulation, lack of transparency, governance failures, and a crisis of confidence. These issues not only led to Enron's collapse but also eroded trust among investors, employees, and the public.

Organisations with poor risk cultures may find themselves susceptible to a range of challenges, including increased operational risks, regulatory scrutiny, and a compromised reputation. The failure to establish a positive risk culture can result in complacency, oversight, and inadequate responses to emerging risks, ultimately threatening the organisation's viability.

Benefits of a Positive Risk Culture

On the flip side, a positive risk culture is a powerful asset that can contribute to an organisation's resilience, innovation, and sustained success. A culture that encourages proactive risk management fosters an environment where employees are not only aware of potential risks but also feel empowered to actively contribute to the risk identification, risk assessment, and mitigation of those risks.

In organisations with a positive risk culture, decision-making becomes more informed and aligned with strategic objectives. Employees at all levels understand their roles in managing risks, creating a collaborative and transparent atmosphere that supports ethical behaviour. A positive risk culture is a catalyst for improved decision-making, increased adaptability, enhanced overall organisational performance and, ultimately, innovation.

Measuring Risk Culture

Effective measurement of risk culture involves a combination of quantitative and qualitative approaches. Here are some examples:

  • Surveys are a powerful tool for assessing risk culture due to their scalability, enabling efficient data collection from a large employee base. They offer structured, quantifiable data, facilitating statistical analysis and benchmarking. However, they may also oversimplify complex issues and miss individual nuances. Additionally, the risk of response bias exists, with employees providing socially desirable answers. To enhance survey effectiveness, think about designing them with a combination of closed and open-ended questions, allowing for both quantitative and qualitative insights. Ensuring anonymity in survey responses encourages honest feedback, contributing to a more accurate depiction of the organisation's risk culture.

  • Interviews and focus groups are valuable methods for delving deeply into individuals' attitudes and behaviours regarding risk. They offer a contextual understanding and the ability to uncover unforeseen issues not apparent in structured surveys. However, they can be time-consuming and resource-intensive, restricting participant numbers. Additionally, findings may be subjective, influenced by the facilitator's biases. To enhance the effectiveness of interviews and focus groups, organisations should select a diverse group of participants to capture a broad range of perspectives and employ skilled facilitators who can guide discussions impartially, minimising the impact of bias on the results.

  • Observations offer a direct and first-hand insight into the integration of risk into daily organisational activities, enabling a nuanced understanding of risk-related processes. They have the strength of uncovering potential discrepancies between stated intentions and actual behaviours related to risk. However, observations may be intrusive and potentially alter normal behaviour, and it can be challenging to comprehensively observe all relevant aspects of risk culture. To mitigate disruptions, it is crucial to be transparent about the purpose of observations. Practical tips include combining observations with other measurement methods to achieve a more holistic and accurate understanding of an organisation's risk culture.

  • Analysing incident and near-miss reports is a valuable method for understanding an organisation's risk culture. Incident reports provide tangible, real-world examples of how individuals and teams respond to risk events, offering insights into the effectiveness of existing risk controls. However, relying solely on incident reports may underestimate cultural aspects not visible in reported incidents, and reporting biases may lead to some incidents going unreported. To enhance this method, organisations should actively encourage a culture of reporting and learning from near misses, promoting transparency and continuous improvement. Cross-referencing incident data with other measurement methods is recommended for a more comprehensive and nuanced understanding of the organisation's risk culture.

In my experience, using these tools together provides a more comprehensive view of the organisation's risk culture.


Fostering a positive risk culture is not a one-time effort but an ongoing commitment that demands proactive leadership and a dedication to continuous improvement. The Enron case illustrated how a toxic risk culture, marked by financial manipulation and a lack of transparency, can lead to catastrophic consequences.

Measuring risk culture can be complex and requires using various methods such as surveys, interviews, and observations. Notably, the analysis of incident and near-miss reports emerged as a valuable tool, with its own strengths, limitations, and practical tips for effective implementation.

So as a parting thought, it is crucial to reiterate the paramount importance of fostering a positive risk culture within organisations. This requires ongoing commitment, proactive leadership, and a dedication to continuous improvement. A positive risk culture is not merely a checkbox but a dynamic and integral aspect of sustainable and resilient organisational success in an ever-evolving landscape. Organisations that prioritise and invest in the development of a positive risk culture will be better equipped to navigate uncertainties, make informed decisions, and thrive in the face of challenges.
