The Day Risk Became Real
In 2016, Wells Fargo found itself at the center of one of the most widely cited risk culture failures in modern corporate history. Thousands of employees had opened unauthorized customer accounts to meet aggressive sales targets. The systems were in place. Policies existed. Internal controls were documented. Yet the organization failed—not because it lacked risk frameworks, but because its culture rewarded behavior that undermined them. The lesson is both simple and uncomfortable: risk management frameworks do not fail on paper; they fail in practice.
Across industries, organizations have invested heavily in enterprise risk management (ERM), internal control frameworks, and compliance systems. Yet, as both regulators and advisory firms repeatedly observe, failures continue to occur not because risks are unknown, but because they are ignored, misunderstood, or improperly escalated. In other words, the issue is not risk management; it is risk culture.
What Risk Culture Really Is (and What It Is Not)
Risk culture is often described in abstract terms, but at its core, it is remarkably practical. It is the collective way in which people perceive, discuss, escalate, and respond to risk in their daily activities. The Institute of Risk Management defines it as the shared values, beliefs, and behaviors that shape how risk is understood and managed within an organization. What makes this concept powerful is that it operates beneath formal structures. Policies may define expectations, but culture determines whether those expectations are followed. Deloitte’s work reinforces this point, emphasizing that a risk-intelligent culture exists when individuals at all levels understand risk, take ownership, and integrate it into decision-making.
This distinction explains why organizations with sophisticated frameworks can still experience catastrophic failures. As COSO itself highlights, governance and culture form the foundation upon which all other components of enterprise risk management depend. Without that foundation, even the most advanced risk registers and control matrices remain largely ineffective.
From Siloed Risk to Enterprise Risk Intelligence
One of the most persistent challenges in building an effective risk culture is overcoming fragmentation. In many organizations, risk management remains siloed: owned by compliance teams, internal audit functions, or a central risk unit, rather than embedded across the enterprise. This creates a dangerous illusion. Risks are identified, documented, and reported, yet they are not truly owned by the business. Decision-makers view risk as something external to their role, rather than integral to it. The RIMS-CRMP body of knowledge places significant emphasis on enterprise-wide integration, where risk management is embedded into strategy, planning, and performance management. In practical terms, this means that risk is discussed not only in risk committees, but also in:
- Strategic planning sessions
- Budget reviews
- Investment appraisal discussions
- Operational decision-making forums
When risk is treated as a separate process, it becomes reactive. When it is embedded, it becomes anticipatory.
The Architecture of a Working Risk Culture
Building a risk culture that actually works requires more than awareness. It requires structure, discipline, and reinforcement mechanisms that align behavior with intent. A defining feature of mature organizations is the existence of a risk network, a distributed system of risk owners, risk champions, and functional leaders who collectively manage risk across the enterprise. This network ensures that risk identification and mitigation are not centralized bottlenecks, but continuous processes embedded within operations.
Equally important is the quality of risk reporting. Too often, risk reports are static, backward-looking, and disconnected from decision-making. Effective organizations treat risk reporting as a strategic tool. Risk dashboards are dynamic, aligned with key risk indicators (KRIs), and regularly escalated to executive management and board-level risk committees. The objective is not to report risk, but to inform decisions. This aligns closely with ISO 31000 principles, which emphasize integration, structured processes, and continuous improvement. Risk management is not an isolated function; it is part of how the organization is directed and controlled.
Embedding Risk into Decision-Making and Performance
Perhaps the most critical and most difficult aspect of risk culture is embedding it into performance management. Organizations often articulate risk appetite statements but fail to align incentives with them. The result is predictable. Employees respond to what is measured and rewarded. If performance metrics emphasize revenue growth without corresponding attention to risk, behavior will follow accordingly. This is precisely what occurred in the Wells Fargo case. Targets were met, but at the expense of governance and ethics. A functioning risk culture requires that risk considerations be integrated into:
- Performance evaluation frameworks
- Incentive structures
- Strategic KPIs
- Capital allocation decisions
As the World Bank and other institutions have highlighted, aligning incentives with risk governance is essential for long-term resilience and performance.
Training, Coaching, and Continuous Learning
Risk culture cannot be mandated; it must be cultivated. This is where training and coaching play a critical role. Formal training programs introduce the concepts (risk appetite, tolerance, control frameworks), but true cultural change occurs through reinforcement. Scenario exercises, crisis simulations, and post-incident reviews help translate theory into practice. Leading organizations go further. They embed risk discussions into routine meetings, encourage constructive challenge, and create environments where speaking up is not only accepted but expected.
Deloitte’s research emphasizes the importance of creating a “safe space” for risk dialogue, where employees feel empowered to raise concerns without fear of negative consequences. Without this psychological safety, risks remain hidden until they materialize.
Tracking, Mitigation, and the Discipline of Follow-Through
Another defining feature of effective risk cultures is discipline in execution. Risks are not only identified but tracked, mitigated, and reviewed over time. This involves maintaining:
- Risk registers aligned with strategic objectives
- Clear ownership and accountability
- Defined mitigation plans with timelines
- Regular monitoring through KRIs and dashboards
Equally important is the concept of continuous learning. Organizations that treat risk events as learning opportunities, conduct root cause analysis, and embed the lessons into their processes develop resilience over time. This reflects the ISO principle of continual improvement, where risk management evolves in response to new information and changing conditions.
The Role of Governance and Policy Frameworks
Policies and governance frameworks remain essential, but their role is often misunderstood. They do not create culture; they anchor it. The COSO framework highlights the importance of the control environment (the tone set by leadership) as the foundation of effective internal control systems. This includes clear policies, defined roles, and consistent messaging from the board and executive team. However, governance must go beyond documentation. Boards must actively engage in risk discussions, challenge assumptions, and ensure that risk appetite is clearly understood and applied across the organization.
Risk committees, when effective, serve not as reporting forums but as decision-making platforms where risk insights influence strategy.
What Actually Works
If there is a single insight that emerges from both practice and research, it is this: risk culture is built through alignment. Alignment between:
- Strategy and risk appetite
- Performance and incentives
- Policies and behaviors
- Reporting and decision-making
Without this alignment, risk management remains performative. With it, it becomes transformative.
A Final Reflection
Organizations often ask how to build a strong risk culture. A more useful question might be: What behaviors are we currently rewarding? Because culture is not defined by what is written in policies or presented in frameworks. It is defined by what is tolerated, encouraged, and reinforced over time. In an environment of increasing complexity, the organizations that succeed will not be those with the most sophisticated risk models, but those in which every individual understands their role in managing risk, and acts accordingly. That is what a risk culture that actually works looks like.
References
Deloitte (2025) How Risk Culture Elevates Enterprise Risk Management. Available at: https://www.deloitte.com
Institute of Risk Management (IRM) (2012) Risk Culture: Resources for Practitioners. Available at: https://www.theirm.org
World Bank (2014) Risk Culture, Risk Governance, and Balanced Incentives. Available at: https://openknowledge.worldbank.org
COSO (2017) Enterprise Risk Management – Integrating with Strategy and Performance.