Editorial

Why Are We Wasting Time on the Term 'Risk Culture'?

By Norman Marks
Risk culture is a term that's easily defined, yet hard to apply in the real world. Other language is clearer, so why do we keep using this?

Risk culture is a term that sounds good and is often used. But is it something that actually exists (or should exist), and does the term have a useful meaning?

Defining 'Risk Culture'

Microsoft Copilot's definition of risk culture (it cited its sources) was this:

Risk culture refers to the collective values, beliefs, knowledge, attitudes, and understanding about risk shared by a group of people within an organization. It plays a crucial role in how risks are identified, assessed, managed and communicated across the organization.

A strong risk culture is characterized by:

  • Clear communication: Everyone in the organization understands the importance of risk management and their role in it.
  • Accountability: Individuals and teams are held responsible for managing risks within their areas.
  • Informed decision-making: Decisions are made with a thorough understanding of the associated risks.
  • Continuous improvement: The organization regularly reviews and improves its risk management practices.

Developing a positive risk culture involves leadership commitment, effective training and embedding risk management into everyday business processes.

Here's what OpenAI’s ChatGPT turned up on risk culture:

Risk culture refers to the values, beliefs and behaviors within an organization that influence how it perceives and manages risk. It encompasses the attitudes of employees and management towards risk-taking and risk management, as well as the processes and systems in place to identify, assess and respond to risks.

A strong risk culture promotes transparency, accountability and proactive risk management, encouraging employees at all levels to communicate potential risks and contribute to the organization's risk strategy. Conversely, a weak risk culture might lead to complacency, silos, and an unwillingness to confront or disclose risks, potentially resulting in negative outcomes.

Key components of a healthy risk culture include:

  1. Leadership Commitment: Leaders set the tone for risk management and demonstrate its importance through their actions and decisions.
  2. Clear Communication: Open channels for discussing risks and concerns help foster a culture where employees feel safe to voice their thoughts.
  3. Employee Empowerment: Encouraging employees to take ownership of risk management and make decisions based on a clear understanding of risks.
  4. Training and Awareness: Providing ongoing education about risk management processes and the organization’s risk appetite.
  5. Integration with Strategy: Ensuring that risk management is aligned with the organization’s overall goals and objectives.

Google Gemini defined risk culture as:

Risk culture is the shared attitudes, beliefs and behaviors within an organization towards risk. It's how an organization perceives, assesses and manages risks. A strong risk culture fosters a proactive approach to identifying, evaluating and mitigating risks, while a weak risk culture can lead to complacency, denial or even concealment of risks.

Key elements of a strong risk culture include:

  • Risk awareness: Employees at all levels understand the importance of risk management and recognize their role in identifying and mitigating risks.
  • Open communication: There's a culture of open communication about risks, allowing for the free exchange of ideas and information.
  • Risk appetite: The organization has a clear understanding of its risk appetite, which is the level of risk it is willing to accept.
  • Risk governance: There are effective systems in place for identifying, assessing, and managing risks, including clear roles and responsibilities.
  • Risk education and training: Employees receive ongoing training and education on risk management principles and practices.

A strong risk culture is essential for the long-term success of an organization as it helps to protect its assets, reputation, and financial performance.

And finally, here's Alex Sidorenko's definition, from his Risk Management Advisor:

Risk culture refers to the collective attitudes, beliefs and behaviors within an organization that influence how risk is understood, discussed and managed. It encompasses:

  1. Decision-making processes: How risk considerations are integrated into everyday business decisions.
  2. Communication: The openness and transparency in sharing risk-related information across the organization.
  3. Risk awareness and education: Training and empowering employees to understand and manage risks effectively.
  4. Leadership tone: The extent to which leaders promote a positive attitude towards risk-taking and informed decision-making.

Developing a strong risk culture involves embedding these elements into the organizational fabric, ensuring that everyone understands their role in managing risks.

A Consensus on a Risk Culture Definition — But Does It Matter?

All of these AI sources (which rely on articles and publications by consultants and practitioners) agree on a definition. While they may use different words, there are no material differences between them.

But just because they agree doesn’t mean that the concept makes sense in the real world. Is it something you can define, measure and assess in any organization? Is it something that the CEO (with the help of the CRO) can tell the board is effective and helping the organization succeed?

I am not convinced.

The definitions use words like “shared” and “collective” to describe “attitudes” towards risk. But are attitudes towards risk and risk-taking ever homogenous, and should they be?

I asked two of the AI tools about risk attitude:

Copilot shared the following (with a source):


Risk attitude refers to an individual’s or organization’s disposition towards uncertainty and risk, which influences how they perceive, assess, and respond to risks. Understanding risk attitudes is crucial for effective risk management, as it helps tailor strategies to align with stakeholders’ preferences and tolerance levels.

There are generally four types of risk attitudes:

  1. Risk-Averse: These individuals or organizations prefer to avoid risk and are uncomfortable with uncertainty. They tend to see risks as threats and prefer safer, more predictable outcomes.
  2. Risk-Seeking (Risk-Taker): These people are more comfortable with risk and often see it as an opportunity. They are willing to take on higher levels of risk in pursuit of potentially higher rewards.
  3. Risk-Neutral: This group approaches risk objectively, neither seeking nor avoiding it. They analyze risks using various techniques and make decisions based on expected outcomes rather than emotional responses.
  4. Risk-Tolerant: These individuals or organizations are willing to accept a certain level of risk but do not actively seek it out. They are comfortable with some uncertainty and can manage risks effectively without being overly cautious or overly aggressive.

Once again, the AI tools were broadly in agreement, although Gemini lists three attitudes rather than Copilot's four. The following is from Gemini:

Risk attitude refers to an individual's or organization's preference for taking or avoiding risks. It's a psychological and behavioral trait that influences decision-making.

Here are the three main risk attitudes:

  1. Risk-averse: Individuals or organizations that are risk-averse prefer certainty over uncertainty. They tend to avoid risky situations and opt for safer, more predictable options.
  2. Risk-neutral: These individuals or organizations are indifferent to risk. They are neither drawn to nor repelled by risky situations and make decisions based on expected outcomes without considering risk.
  3. Risk-seeking: Individuals or organizations that are risk-seeking actively seek out and embrace risky situations. They are often willing to sacrifice certainty for the potential of higher rewards.

Understanding risk attitude is crucial in various fields, including finance, economics, psychology and decision-making. It can help individuals and organizations make informed choices that align with their preferences and goals.

Risk Neutral Makes Business Sense

I like those definitions, but there’s only one risk attitude that I think we all would agree is appropriate for a business. Maybe individuals can be risk-averse or risk-seeking, but that is not where we want our business leaders and decision-makers. We want them to be risk neutral.

Let me illustrate with an example.

At Tosco, everybody was risk neutral, but some were more willing than others to take risk.

  • Everybody agreed employee safety was our #1 concern. But at the same time, we operated multiple oil refineries, which are inherently dangerous places to work. During my 10 years with them as CAE, we had a few (TG) fires and explosions that resulted in deaths. The only way to bring safety risk to zero (which is the only level of risk we would publicly talk about) was to exit the business. We also operated 6,000 convenience stores and gas stations, which are also not without risk to employees.

So, at least publicly, our risk attitude towards safety was somewhat risk averse. Only somewhat, because we stayed in the business and were cautious about spending excessively on safety measures, such as doubling the number of employees so we could make sure every refinery worker followed safety protocols. That means that in reality we were actually more risk neutral than risk averse.

  • Our attitude to accounting was similarly somewhat risk-averse in public, risk neutral in reality. While we deplored any material error, we were also prudent in spending on people and systems (and internal auditors).
  • But when it came to the sales side of the business, including our derivatives trading, I wouldn’t say we embraced risk-taking, but we were willing to take risk where it was justified by the potential for reward: risk neutral.
  • When I joined the company, it was struggling to earn a profit and cash was scarce — so scarce that the Treasurer held two cash call meetings every day to see if they could make it to the next one. But over time, the company became highly profitable. This meant that our attitudes towards taking risk changed as our earnings changed. Attitudes also changed as the economy changed, the company and its capacity to take risk changed, and influences from investors, regulators and others changed. But we were always risk neutral.

It was pretty much the same at my other companies.

  • When it came to the safety of employees, we were publicly risk-averse, but in reality risk neutral.
  • We were similarly risk neutral in our accounting.
  • We leaned towards risk-taking in the revenue-driving part of the organization, but only where justified: risk neutral.
  • As the business or the economy changed, our attitudes and capacity for risk-taking changed. But we remained risk neutral.

If there was consistency, it was a desire to take the level of risk in each area that made business sense. Regardless of our function, we were risk neutral.

Do you need a term like “risk culture” to define acting with good business sense in line with corporate values?

In fact, shouldn’t everyone fall into the Risk Neutral category described by Copilot and Gemini?

A risk neutral group approaches risk objectively, neither seeking nor avoiding it. They analyze risks using various techniques and make decisions based on expected outcomes rather than emotional responses. These individuals or organizations are indifferent to risk. They are neither drawn to nor repelled by risky situations and make decisions based on expected outcomes without considering risk.

Isn’t there a problem if this is not the prevailing common risk attitude? Why not just ask if this is how everybody behaves (behavior being what is most important), rather than talking about risk culture? Do you need to talk about risk culture rather than informed and intelligent decision-making? What does talking about risk culture add? How is it different? Where’s the value in the term?

I don’t see it. And if it has no practical meaning, let’s stop using the term.

Do you have a single, homogenous, consistent risk culture? Is it risk neutral?

Informed and intelligent decision-making is a term that has a clear meaning. Does risk culture?


About the Author
Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management, and publishes regularly on his own blog.

Main image: Fly D | unsplash