Risk Culture: The invisible architecture behind trust, growth and resilience

Author: Natalie Wharton, Founder, WhartonBC

Written by Keith Davies & Natalie Wharton 

Most organisations don’t fail because they lack risk frameworks. They fail because their risk culture prevents people from using them when it matters.

Risk culture has always been a central, if underappreciated, component of a firm’s risk management stance. While Boards have long understood that the way people behave matters as much as the rules they are asked to follow, the importance of risk culture for long-term performance remains significantly undervalued. This article sets out:

  1. Why risk culture matters
  2. Why it matters more in today’s environment
  3. What strong risk culture looks like in practice
  4. How organisations can build a more risk-intelligent culture

Why Risk Culture Matters (Beyond Compliance)

At its core, risk culture reflects how risk is understood, discussed, and acted upon across an organisation. It has traditionally shaped three core components of effective risk management:

  • First, as no framework can operate effectively without constant supervision, risk culture determines whether policies and controls are lived or merely complied with, and whether employees apply them even when doing so is inconvenient, commercially uncomfortable, or personally risky.

The Wells Fargo mis-selling scandal illustrates this clearly: staff operated within extensive formal controls, yet a sales-driven culture, misaligned incentives, and fear of challenge led to widespread circumvention of those controls, normalising misconduct rather than preventing it.

  • Second, risk culture determines how quickly and transparently organisations respond when things go wrong. Incidents are inevitable. Delays, defensiveness, and opacity are not. Firms with strong risk cultures tend to escalate issues earlier, respond more openly, and recover more quickly. Those with weaker cultures often default to blame, delayed disclosure, and fragmented responses, amplifying harm and eroding trust.

The response of Japan Airlines Flight 516 demonstrated how an embedded safety and risk culture enabled effective decision-making under pressure, translating trust, training and escalation norms into co-ordinated action when it mattered most.

  • Finally, a culture of constructive challenge is a primary defence against groupthink. Diverse perspectives, inclusive leadership and psychological safety reduce blind spots and enable better, risk-aware decisions.

This insight is reinforced by Amy Edmondson’s work on psychological safety. Her field research in hospital settings showed that higher-performing clinical teams reported more errors, not fewer, reflecting stronger learning and escalation cultures. This contrasts with failures such as the automotive emissions scandal, where internal challenge was muted and cultural pressures overrode compliance frameworks.

These experiences underline a critical point: risk culture is not a “soft” or intangible nicety. It has tangible consequences for performance, reputation, and long-term strategic success.

Why It Matters More in Today’s Environment

While risk culture has always mattered, three factors mean its importance has increased materially in recent years, and its scope has evolved:

  • Risk Prevention to Decision Enablement – the real power of a strong risk culture lies not in avoiding failure, but in enabling faster, sharper, smarter decisions.

Risk culture is increasingly recognised not just as a mechanism to avoid and recover from failure, but as a driver of growth, innovation, and better decision-making. In a world where the speed of change and information flow is accelerating, and risks are crystallising and compounding more quickly than in the past, firms must make informed, risk-based decisions at pace. As a result, risk can no longer be something considered late in the process or delegated solely to specialist functions. Instead, it needs to be ingrained in the firm’s processes and DNA.

Looking ahead, the rapid adoption of Artificial Intelligence (AI) will amplify the importance of risk culture, strengthening organisations that have transparency and challenge while exposing weaknesses such as bias, opacity, and over-reliance on algorithms. The PRA’s 2025 Priorities explicitly link data integrity and AI governance to board oversight, warning that poor data and weak culture can undermine controls. AI needs to be fully supported by risk culture, from keeping a ‘human‑in‑the‑loop’ for oversight and challenge to explainability and fairness. Boards should treat AI governance as culture‑critical, not just model‑risk technical.

Healthy risk culture means that risk management is not a tick box or a constraint to business progress, but instead an embedded part of business activity and change which allows organisations to move quickly with confidence, understanding trade-offs and acting with eyes open. In this sense, risk culture becomes a strategic enabler and, if done well, a source of competitive advantage.

  • Trust, Transparency and the multi-stakeholder world – heightened stakeholder scrutiny and rapid reputational risk mean organisations are judged as much on intent and behaviour as outcomes.

The growing emphasis on trust and ethical behaviour is being shaped by social media, customer empowerment, and rising multi-stakeholder expectations. Reputational damage now travels faster, lasts longer, and is harder to contain. Customers, employees, investors, and communities increasingly judge firms not just on what they do, but how they do it. This has shifted attention away from simple adherence to processes or contracts towards outcomes, intent and conduct.

In this environment, risk culture matters more than formal frameworks. It shapes whether people default to “meeting the letter of the rule” or to doing the right thing when rules are silent, ambiguous or inappropriate…or as Christine Lagarde famously said, “when no one is watching”.

This evolution is reflected in the changing perception of the Chief Risk Officer role. In many organisations, the CRO is no longer seen solely as a guardian of limits, but as a steward of culture and trust, helping ensure that the values and incentives driving employee actions support good decision-making and long-term sustainability.

  • Regulatory Expectations & Scrutiny – regulators are placing growing emphasis, explicitly and implicitly, on evidencing a robust risk culture, as foundational to effective governance and resilience.

Supervisory authorities increasingly assess whether firms can demonstrate healthy cultures, including effective challenge, accountability, and escalation. For example, the European Central Bank explicitly expects governance frameworks to be supported by everyday behaviours; the PRA increasingly views risk culture as a potential root cause of material weakness; and the FCA highlights healthy cultures as critical to informed, responsible risk‑taking and thereby foundational for conduct compliance and long‑term economic growth. In all cases the message is clear: culture is not peripheral; it underpins risk decision-making and firm stability, with cultural failures creating regulatory risk (and therefore attracting greater regulatory scrutiny).

At the same time, regulators are reinforcing the importance of culture through a stronger focus on outcomes and resilience. A clear example is the FCA’s Consumer Duty, where the guiding principle is the delivery of good customer outcomes—and not merely technical compliance with rules. Firms are expected to act in the spirit of regulation, requiring frontline staff to exercise judgement and challenge practices that, whilst in line with policies and contracts, are harmful for customers.

Similarly, heightened scrutiny of operational resilience further elevates the importance of culture, as it depends on how people respond, decide, and adhere to controls under stress. Resilience requires good risk culture – with leaders doubling down on transparency when the pressure hits, and employees feeling safe to challenge the consensus – at the time when this is most difficult but most needed.

What Does Strong Risk Culture Look Like in Practice?

Real risk culture doesn’t sit in the risk function — it lives in daily decisions. Poor culture can undermine the most rigorous risk management, yet good culture enables a business to think and act smarter and faster.

Firms with good risk cultures make the types of risk-based decisions needed to thrive in such an environment. In these firms:

  • Risk appetite is seen not as determining which risks should be avoided, but as setting the level of risk firms need to take in order to succeed
  • Business leaders actively seek risk perspectives to inform decision-making, rather than viewing them as hurdles
  • Routine practices such as speaking up, reporting near-misses and anomalies, and challenging assumptions are treated as core operational disciplines, not optional behaviours
  • All employees proactively consider risk as an integral part of planning and execution
  • Risk teams are involved early in strategic and commercial decisions

How Can Organisations Build a More Risk-Intelligent Culture?

Risk culture has evolved from being a background consideration to a central strategic capability. It now shapes not only whether firms avoid failure, but how they grow, adapt, and earn trust in an increasingly complex world. For CROs and boards, the question is no longer whether culture matters, but how deliberately and consistently it is embedded and evidenced. Regulators will continue to scrutinise outcomes, resilience, and real‑world behaviours; stakeholders will judge firms on how decisions are made, not just on whether policies exist.

The firms that thrive will be those where doing the right thing is instinctive, challenge is normalised, AI is governed ethically, and risk is treated not as a brake but as a lens for better, faster decisions. In short: build the invisible architecture or risk structure, and the visible results—trust, growth, and resilience—will follow.

In Part 2, we will share practical insights on how to:

  • Articulate and communicate the desired risk culture
  • Assess any risk culture gap
  • Build risk muscle & accountability amongst leaders at all levels
  • Cultivate a risk-aware, challenge-led mindset
  • Govern and measure risk culture effectively

If you or your organisation are focused on Risk Culture, we would love to hear your story and share perspectives. Please contact Natalie Wharton.

Sources:

  • Fearless Organisation (Amy Edmondson, 2018)
  • Draft Guide on Governance and Risk Culture (European Central Bank, July 2024)
  • Culture is Contagious (Emily Shepperd, FCA, Feb 2025)
  • 2025 Priorities (Prudential Regulation Authority (PRA), 2025)
