Why you should ditch your risk culture framework

Mar 9, 2020

I was recently asked about my views on creating a ‘risk culture framework’. 

My immediate reaction was to question the question. Has our profession gone too far with jargon? Are we over-formalising risk protocol?

Indeed, risk culture is important.

Culture is all about people. In fact, all risks are caused, managed, seen, heard and felt by people. And while processes and frameworks exist, we must acknowledge that to improve risk culture, we must influence behaviours and attitudes within our organisations.

The term ‘risk culture’ provides an imperative to take risk management beyond theory and into practice.

It gives us the impetus to think, how can we:

  • embed risk management into the core of the business?
  • empower the workforce to consider upside and downside risks in their decision-making?
  • influence behaviours and attitudes?
  • align behaviours with our corporate objectives and business performance?
  • ensure clear lines of accountability and reporting?

Some would say, ‘create a risk culture framework’ and ‘ensure it has X, Y, and Z’.

But I say, it is less about the framework and more about people, relationships and building engagement.

Only then can we really achieve points 1 through to 5.

So, how would I do it?

Here are my three simple whys and hows to risk culture.

And there is no dedicated risk culture framework in sight.

1. Understand and engage all decision-makers and key stakeholders – from the shop floor to the top table


So you can support the C-suite and department heads with their decision-making. And positively influence their attitudes and behaviours towards risk-taking.

This means making an impact on their hearts and minds.


Get into their heads. What are their priorities? What are their KPIs? What do they care about most?

I challenge risk managers to drop the frameworks, processes, templates and try to empathise with the decision-makers through this simple exercise.

Think about the key stakeholders one at a time or as a collective and write out what decision-makers are:

  • Thinking and Feeling
  • Seeing
  • Saying
  • Hearing
  • Doing

Do this, not in the context of risk, but by thinking about their typical business activities. Consider these questions:

  • Are they seeing detailed business cases and reports, packed with financial analysis and data?
  • Are they worried about cutting staff and trying to deliver the work with fewer resources?
  • Are they losing compared to their peers or competitors?

Now think about your typical risk registers, reports or discussions:

  • How would risk management be perceived in this context?
  • Will the risk materials we produce help them or make a difference for their problems?
  • Are we asking for their time or are we delivering value and being part of their solutions?

Use this exercise to help you think differently. Because the fact is, your approach or template might not resonate with the decision-makers.

You might find that, instead, it is the level of detail you capture, your ability to offer new ideas or challenge current approaches that builds the engagement you really want.

Next, introduce a set of guiding principles. These should build on the above exercise and align with your company’s values. Each one should focus on a behaviour and serve as a journey with potential improvement actions.

Here are my guiding principles. They describe how I would position risk management. I call them ‘ETCHED’.

  • Empowerment
  • Transparency
  • Challenging the status quo
  • Holistic thinking
  • Embed risk management in decision making
  • Data-led risk management

Then create a communication plan that supports and complements your guiding principles. I place ETCHED on a slide and use it every single time I speak, until the people at the table can tell me what ETCHED stands for and what it means to them.

2. Ensure your risk culture aids decision-making


Because risk management is not a stand-alone process. Good risk management will empower incisive decisions on risk-taking, innovation and opportunities across the entire company.


Map out and prioritise key decision-making processes and the people behind them – both committees and individuals. And take these key steps to help them see where there is room for improvement:

  • Back yourself with data: Review decision-making processes and the extent to which risks were considered. For example, did every due diligence review result in a green light? What was the ROI of past deals and decisions? What lessons have been learned?
  • Ask governing bodies and process owners these questions: what risks were considered in your decision? And how did risk impact your overall decisions?
  • Understand the psychology behind decisions: uncertainty is part and parcel of business. It is easy to disconnect from this. So, make it personal! You’ll find it easier to engage colleagues. Ask, would you do it if it was your money? What if your children were the customers? If something happens, who would be personally liable? Would you be prepared to put your career on the line for this decision?

There are different ways to embed risk management and risk culture in decision-making. Here are a few examples:

  • A simple step is to add a risk section onto the template, e.g. business case templates, strategy templates, new vendor forms.
  • If there is an assessment form or scoring method, add risk into the equation/model.
  • If there is a committee, ensure that a risk specialist attends the meetings, and, in some cases, mandate risk management sign-off.
  • Provide risk training for committee members and decision makers.

3. Make your risk appetite and tolerance statements sing.


Risk appetite statements should stop decision-makers dead in their tracks – and encourage them to consider their choices before a decision is made.

What are the real deal breakers? What lines should not be crossed? How are these considerations articulated in your statements? Do decision-makers struggle to see the points?


Consider two approaches – upside risks (rewarded) or downside risks (unrewarded).

For rewarded risks: statements should include direct questions or encourage the board and leadership to question whether they are taking enough risks.

For example, are risks proportionate to the real strategic threats?

Take HMV, Kodak, Blockbuster – these companies went bust because they didn’t take enough risk to drive material change in their products and services.

Here’s another way of looking at it. Tesla vs Ford – who needs to take more risk? Should Tesla’s board support going to space? Should Ford’s board invest in alternative motors or technology?

For downside risks: no one wants these to happen, but do the statements and sentiments drive strategy around how these risks should be managed, resourced and controlled?

More effective questions to place in the statement are:

  • How good do we want to be, and how good is good enough? I.e. do we need to be 100% compliant or at least 80%?
  • Are there gaps to the minimum expectations? These can become priority actions.
  • Are risks adequately managed, controlled, resourced?
  • How do we know, how is this measured?

These are three simple considerations. Creating a robust risk culture is a long-haul journey with several crossroads along the way.

So, why overcomplicate it with yet another risk framework?
