Background:
In boardrooms and town halls, “risk culture” often gets generous lip service. It’s in slide decks, policy documents, and compliance manuals. But in far too many organisations, it remains a concept in theory—not a lived practice. And when this culture fails to penetrate the organisation’s bloodstream, even the most sophisticated systems collapse under the weight of blind spots, missteps, and avoidable disasters. When that happens, organisations end up being exposed to reputational damage, financial loss, and, in extreme cases, systemic collapse.
In 2015, Volkswagen’s emissions scandal rocked the world, exposing how a weak risk culture allowed deliberate rule-breaking to flourish, costing the company over $30 billion in fines and settlements. This wasn’t an isolated failure but a stark reminder: a deficient risk culture can silently erode even the most robust organisations, leading to financial, reputational, and operational devastation.
Here we explore why risk culture fails to permeate, what gets overlooked, the potential fallout, and how to turn intention into action.
The Culture Disconnect: Understanding Risk Culture
Risk culture isn’t just about identifying red flags or having a policy or framework – those are structures. It refers to the set of shared values, beliefs, knowledge, attitudes, and understanding about risk that is established and upheld across an organisation. Risk culture isn’t about eliminating risk; it’s about creating an environment where intelligent, risk-based decisions are second nature. It dictates how people behave when facing uncertainty, how they respond to potential threats, and how they make decisions that involve trade-offs. A strongly embedded risk culture shapes how people think about, engage with, and manage risk. It’s about how people actually behave when no one is watching.
A strong risk culture empowers employees at all levels to identify, discuss, and act on risks proactively, aligning with frameworks like COSO ERM, which emphasises integrating risk management into strategic and operational decisions. Yet, many organisations struggle to embed this mindset.
According to a 2023 Deloitte survey, only 30% of firms integrate risk KPIs into leadership performance appraisals, highlighting a gap between rhetoric and reality. Without a pervasive risk culture, organisations are vulnerable to blind spots that can escalate into crises.
Organisations often remain compliance-focused rather than culture-focused, which is why risk culture fails to penetrate.
At its core, a risk culture should answer the following questions:
- Are employees encouraged to speak up?
- Are trade-offs between risk and reward openly discussed?
- Do incentives promote prudent decision-making or reckless risk-taking?
- Is short-term gain prioritised over long-term resilience?
In a healthy risk culture, employees speak up about red flags without fear; risk is integrated into strategy, not bolted on afterwards; trade-offs are acknowledged, not denied; and leaders walk the talk. When risk culture is absent or superficial, the opposite happens — silence, shortcuts, silos, and surprises.
Why Does Risk Culture Often Fail to Penetrate?
- Tone at the Top Goes Mute: If leaders don’t consistently champion risk management, employees perceive it as a secondary priority. In a recent Global Operational Risk Management Survey Report, 80% of executives said that organisational culture is vital for effective risk management, yet only 21% felt that it was a strong part of their existing system. When leadership does not model prudent risk behaviour, employees feel disconnected from decision-making and culture becomes a checkbox. Overoptimism or “disaster myopia,” exhibited by leadership at times, can also foster a false sense of security. The 2008 financial crisis exemplified this, where banks’ collective belief in market stability led to excessive risk exposure.
Common Symptoms of Poor Risk Culture:
- Inconsistent messaging: Leaders preach risk awareness but reward short-term gains.
- Lack of accountability: Risk failures are ignored or scapegoated.
- Siloed decision-making: Risk considerations are absent from strategic planning.
- Top-Down vs. Grassroots Disconnect: Risk awareness is often seen as a compliance responsibility delegated to risk or audit departments. While risk and compliance professionals have noticed a shift from “checkbox compliance” to a more strategic mindset in recent years, gaps in embedding still remain. Risk culture, on the other hand, is behavioural: it must be lived by all, not just checked by a few. A study by Drata revealed that 71% of organisations rate their compliance maturity as “excellent” or “very good,” but culture and operational risk management still lag behind.
- Misplaced Confidence in Controls: Organisations frequently mistake tools for culture. Implementing an enterprise risk management platform or conducting a few trainings doesn’t mean risk thinking is embedded in how daily decisions are made. Frameworks like ISO 31000 provide structure, but they’re ineffective without a shift in mindset. If performance metrics prioritise financial targets over risk-adjusted outcomes, employees may cut corners to meet goals.
- Punitive Environments: In companies where raising a risk is seen as exposing a flaw, rather than preventing a future problem, people stay silent. Fear of blame leads to information suppression, and eventually, catastrophic surprises. A risk-aware culture thrives on open dialogue. Many organizations also suffer from siloed communication channels, where risk information doesn’t flow across departments or up the chain. Fear of blame further stifles reporting. For instance, a 2022 PwC study found that 60% of employees hesitate to report risks due to fear of retaliation, undermining proactive risk management.
- Lack of Cross-Functional Risk Ownership: Risk is often not seen as everyone’s job. Departments like sales, operations, or HR assume it’s someone else’s concern.
- Inadequate Training and Awareness: Employees need role-specific training to understand their impact on the organization’s risk profile. Without it, they’re ill-equipped to identify or respond to risks. A 2024 EY report noted that only 25% of organizations offer regular risk management training, leaving employees disconnected from the risk culture.
- Success Bias: Organisations that have “always done it this way” often become victims of their own track record. They underestimate emerging risks or novel threats. Example: Blockbuster’s demise wasn’t just technological; it was cultural. The leadership underestimated digital disruption risk, believing customers wouldn’t abandon physical stores so easily.
What Gets Overlooked in a Weak Risk Culture?
High Cost Consequences of Risk Culture Oversight
- Wells Fargo Fake Accounts Scandal (2016): Driven by an aggressive sales culture, Wells Fargo employees created millions of unauthorized accounts to meet targets. Leadership’s failure to align incentives with ethical risk-taking fostered a culture of fear and corner-cutting. Despite multiple red flags and whistleblower alerts, systemic pressure overrode ethical conduct. A weak risk culture allowed misconduct to flourish. The scandal cost the bank $3 billion in fines and eroded public trust, highlighting the dangers of misaligned performance metrics.
- Boeing 737 MAX Crisis (2018-2019): Design flaws in the 737 MAX and cost-cutting initiatives drove engineering shortcuts, compounded by a culture that sidelined safety concerns. The organisation prioritised delivery over safety, resulting in two fatal crashes, a regulatory overhaul, $20 billion in losses, and grounded fleets. Employees feared raising issues, and leadership ignored red flags. This case illustrates the catastrophic impact of poor risk communication and accountability.
- BP Deepwater Horizon (2010): Safety protocols were bypassed and early warning signs ignored. The tragedy wasn’t just a technical failure—it was a cultural one. Risk wasn’t seen as a shared responsibility.
- The Collapse of Archegos: The 2021 implosion of the family office Archegos Capital Management, which caused billions in losses for global banks like Credit Suisse, was a stark example of a deficient risk culture. Archegos used complex derivatives to build massive, highly leveraged positions while avoiding public disclosure requirements. The banks that served them, competing for lucrative business, failed to gain a complete picture of the fund’s total exposure. A culture of weak due diligence, lack of challenge, and fear of losing business allowed a single client to pose a systemic risk.
- Silicon Valley Bank (March 2023): The 16th largest bank in the United States collapsed in a stunning 48-hour period. While analysts pointed to interest rate hikes and concentrated tech-sector deposits, the true root cause was far deeper and more insidious: a catastrophic failure of risk culture. For years, a culture prioritising hyper-growth over prudent risk management allowed foundational risks to go unaddressed, ultimately leading to a predictable, yet shocking, demise.
How to Build a Resilient Risk Culture
Building a strong risk culture is not a one-time project but an ongoing journey. It requires a structured, multi-dimensional approach. Organisations can adopt a practical roadmap to architect a culture that lasts.
Step 1: Diagnose Your Reality: You Can’t Fix What You Don’t Understand
Before we can build, we must assess. Use a combination of tools to get an honest picture of your current risk culture.
Frameworks for Diagnosis:
1 – The I.C.E. Framework (Intention – Conduct – Environment) – This model is designed to evaluate alignment between internal beliefs, external behaviour, and environmental reinforcements.
Intention
- What is the stated philosophy or aspiration around risk?
- Do leaders genuinely value risk intelligence?
- Are risk appetite statements embedded in strategy?
- Are people aware of what “good risk behaviour” looks like?
Conduct
- How do individuals actually behave when making decisions under uncertainty?
- Are shortcuts taken to meet goals?
- Do managers escalate red flags or suppress them?
- Are decisions based on data, ethics, and foresight?
Environment
- What systems, structures, and incentives reinforce behaviours?
- Do KPIs support prudent risk-taking?
- Is psychological safety present?
- Are systems designed to catch deviations early?
The goal here is to spot where there is misalignment (e.g., good intention but poor conduct) and recalibrate the culture-building process.
2 – The R.I.S.K. Diagnostic Lens (Reinforcement – Integrity – Signal – Knowledge)
This framework emphasises the drivers of behavioural risk alignment—from tone-setting to capability-building.
Reinforcement
- Are desired behaviours rewarded and undesired ones discouraged?
- Are ethics and risk awareness part of performance reviews?
- Do people who raise concerns receive recognition—or retaliation?
Integrity
- Is there consistency between what is said and what is done?
- Are rules applied equally across levels?
- Do leaders back their values with tough decisions?
Signal
- What cues do people pick up about acceptable risk behaviour?
- Are there visible consequences when protocols are bypassed?
- Do peers model responsible behaviour or exploit loopholes?
Knowledge
- Do people have the understanding and tools to manage risk?
- Are frontline staff trained to spot early signals?
- Are tools, playbooks, and decision-making frameworks accessible?
The goal here is to diagnose whether gaps in reinforcement, credibility, social modelling, or enablement are undermining the risk culture.
Step 2: Define Your North Star: What Does “Good” Look Like?
A desired risk culture must be aligned with business strategy and risk appetite, defined within a framework like COSO’s Enterprise Risk Management, and should effectively integrate with strategy and performance. An innovative tech startup will have a different target culture than a stable organisation. There is a need to create clear, concise statements about the desired attitudes and behaviours needed to achieve strategic goals. This isn’t about eliminating risk; it’s about defining the boundaries for intelligent risk-taking.
Step 3: Bridge the Gap: a Four-Dimensional Action Plan
Once the current and target states are defined, you can build a focused change initiative across four key dimensions.
Strategy & Leadership:
- Secure Board Backing: Change must be driven from the top. The Board must define the desired culture and hold leadership accountable for embedding it.
- Integrate Risk into Strategy: Ensure risk discussions are a core part of strategic planning, not an afterthought. This aligns with principles from ISO 31000:2018 (Risk Management).
- Lead from the Front: Leaders must visibly model desired behaviours. Start management meetings by discussing a risk or a “near miss.” Publicly praise employees who bring problems to light.
People & Engagement:
- Align Incentives: Review performance criteria. Do they reward only short-term output, or do they also recognise ethical conduct and proactive risk management? Regulatory bodies like the RBI are increasingly scrutinising incentive structures.
- Build Psychological Safety: Create a “no-blame” environment where employees feel safe to report errors and challenge decisions without fear of retaliation.
- Tell Stories: Share narratives of both successes (where risk was managed well) and failures (with blameless lessons learned) to build institutional memory.
Process & Governance:
- Simplify and Demystify: Ditch the jargon. Implement simple, user-friendly systems for reporting risks. A complex process is an unused process.
- Establish Clear Escalation Paths: Ensure that when a risk is identified, there is a clear and well-understood path for escalating it.
- Embed in Performance Management: Make risk competency a part of formal job descriptions and performance reviews for all employees, especially managers.
Technology & Data:
- Leverage GRC Platforms: Use centralised Governance, Risk, and Compliance (GRC) platforms to create a single source of truth for risk data, automate controls, and improve visibility.
- Enhance Training with Tech: Build cost-effective, accessible online training modules to enhance employee capabilities without straining budgets.
- Use Data for Early Warnings: Implement data analytics to identify trends and anomalies that could be leading indicators of emerging risks.
How Risk Culture Can Penetrate Every Function
For risk culture to move beyond the boardroom, it must embed into functional behaviours, processes, and language. Here’s how that happens:
Step 4: Measure What Matters: From Lagging to Leading Indicators
To maintain momentum, you must measure progress. Move beyond tracking only lagging indicators (e.g., number of incidents, financial losses) and focus on leading indicators that signal a cultural shift.
“A recent study found that only 30% of firms effectively embed risk-related KPIs into the performance appraisals of senior leadership.”
Leading Metrics for Risk Culture:
- Frequency of risk discussions in team meetings.
- Number of near misses reported.
- Employee survey scores on psychological safety and trust in leadership.
- Time taken to close out identified risk actions.
- Completion rates and feedback scores for risk training.
The above metrics can be used as a base to refine the approach and make changes to the operating model. Culture change is iterative, and continuous feedback is essential for sustained improvement.
Risk culture is a continuous cycle, not a one-time effort, and will involve an active and persistent effort towards:
Risk culture is not a dashboard or a document – it’s a living, breathing ethos shaped by behaviour, trust, and shared responsibility. It thrives not in rulebooks but in conversations, in courage, and in the consistency with which organisations reward transparency and ethical decision-making. It is no longer a “soft” initiative but a strategic imperative. It transforms risk management from a defensive, compliance-driven function into a forward-looking capability that enables intelligent risk-taking, fosters innovation, and builds sustainable resilience.
As leaders, we have a duty to recognise that the absence of a risk culture is itself a risk. And it’s one we can no longer afford to overlook.
The journey begins with a simple, yet profound, question that every leader must ask:
“Are we just writing the rules, or are we building a culture that lives by them?”
The answer will define your organisation’s future.
Essential Reading for Risk Culture Architects
- Black Box Thinking by Matthew Syed – Explores how high-performing organizations embrace mistakes and risks to learn and grow.
- The Fifth Discipline by Peter Senge – Emphasizes the role of systems thinking and shared mental models, which directly relate to how risk is internalized culturally.
- The Fearless Organization by Amy C. Edmondson – A foundational book on psychological safety and its role in fostering risk awareness and innovation.
Sources and References:
- Deloitte (2023). Global Risk Management Survey.
- PwC (2022). Global Risk Survey.
- EY (2024). Global Risk and Resilience Survey.
- Volkswagen Emissions Scandal (2015)
- Wells Fargo Fake Accounts Scandal (2016)
- Boeing 737 MAX Crisis (2018–2019)
- Theranos Scandal (2003–2018)
- Archegos Capital Management Collapse (2021)
- Silicon Valley Bank Collapse (2023)
- COSO (2017). Enterprise Risk Management—Integrating with Strategy and Performance
- ISO 31000:2018. Risk Management—Guidelines
- Institute of Risk Management (IRM). Risk Culture Toolkit
- 12 ways to improve your risk culture
- Addressing the Unavoidable: Why a Risk Culture is Important
- Risk Culture: The Classified Risk Culture
- What is risk culture and why should we care about it?
- The Role of Risk Culture in Effective Risk Management: Building a Resilient Organization
- “Say–Do–Enable” models in culture change literature
- COSO ERM 2017 Framework – Integration of culture and governance
- McKinsey 7S Framework (especially “Shared Values” + “Style” + “Systems”)
- Edgar Schein (Levels of Organizational Culture)
- Daniel Kahneman & Amos Tversky (Behavioural Economics – separating intention vs action)
- Harvard Business Review’s “Competing Values” model
- Gartner’s Risk Appetite and Culture research
- Risk transformation models from PwC, EY, and BCG
- Influences from “Nudge Theory” by Richard Thaler (Signal & Reinforcement)