There is a force at work beneath every organization’s risk management practices – a force that can either aid or harm any attempt to capture, understand, and utilize risk information strategically.  In its recent thought paper, the Institute of Risk Management (IRM) addresses this force head-on: risk culture.  The IRM discusses what risk culture is and why it’s important to risk management.  Most notably, the authors of the thought paper also introduce several methods for boards of directors to use in gauging their organizations’ risk cultures and shaping them for success.

What Is Risk Culture?

Risk culture is simply the common way in which members of an organization (e.g. employees) understand and approach risk.  Risk culture is, by nature, a softer subject, since risk culture can vary infinitely from organization to organization.  However, the IRM does note a number of hallmarks of a healthy risk culture, including:

  • A strong flow of risk information throughout the organization with no stigma attached to negative information
  • All members of the organization, from top to bottom, are exposed to the business’s risk management practices and understand them enough to appreciate those practices and get involved in risk management
  • The board of directors and management team are invested in risk management and are willing to communicate that enthusiasm down through the organization

Information for Boards of Directors

As part of its governance role in risk management, a board of directors should be seeking answers to two key questions:

  1. What is our organization’s risk culture like today?
  2. What changes might need to be made to our risk culture and how can we, the board, oversee that change?

To answer the first question, the Institute of Risk Management proposes the use of its IRM “Risk Culture Framework.”  This framework prompts the board of directors to consider organizational culture from the smallest unit (the individual employee) outward to the organization at large.  This approach plays on the idea that a multitude of individuals make up the fabric of an organization and its culture; thus, it is important to consider the individual’s ideas about risk and ethics as a starting point in considering organizational risk culture.

To answer the second question, the Institute of Risk Management notes that boards of directors must be willing to devote enough time to altering risk culture.  While there is not a “silver bullet” for achieving a healthy risk culture, the IRM believes that boards can make a difference through effort and critical thinking.  The authors of this paper include a list of ten questions for boards to ask themselves as part of this process.  The Institute also proposes the use of its Risk Culture Aspects Model, a tool for diagnosing characteristics of risk culture in any organization.


The important thing to understand about risk culture is that it impacts all aspects of an organization’s efforts with regard to enterprise risk management.  Honing a suitable risk culture can help to ensure successes in risk management, and the board of directors is responsible for taking on that task.  This article from the Institute of Risk Management summarizes information found in a more detailed document about risk culture entitled “Risk Culture: Resources for Practitioners.”  This document is also available for download, for a fee, on the IRM website.

Link: The Institute of Risk Management (IRM)

ERM Enterprise Risk Management Initiative 2012-10-01