
The challenge of creating an effective risk culture


By Alasdair Wood, Mike Wilkinson and Kenneth McIvor | November 5, 2019

How to collect data to evaluate risk culture and use insights gleaned from that information to shape, manage and nurture the culture over time.


About our 'A Year in the Life of the Strategic CRO' series

In our ongoing A Year in the Life of the Strategic CRO series, risk experts from our Insurance Consulting and Technology team, Willis Re and other parts of Willis Towers Watson cover how a strategically focused CRO can drive corporate strategy through the enterprise risk management planning process and throughout the year.

The adage “what gets measured gets managed” is as true for risk culture as it is for more readily quantifiable aspects of risk management. But there are many challenges to measuring and managing organizational risk culture because it is difficult simply to describe the concept. However, the strategic chief risk officer (CRO) can use analysis and structured frameworks to promote a risk-aware culture and embed risk-related measures into performance management, helping drive the business forward.

Many companies have invested heavily in risk management and governance frameworks, which rely on an alignment with the underlying organizational culture. When governance frameworks fail, experience shows that they are often undermined by cultural issues.

One of the CRO’s roles is to monitor the frameworks for effectiveness, but cultural aspects can still slip under the radar unless specifically addressed and measured in the same way. This is an essential dimension for the CRO to enable both the letter and the spirit of the risk framework to work effectively.

Culture runs deep and has its roots in people’s beliefs and the organization’s tone from the top. It is a product of myriad factors, which can be influenced to different degrees and in different ways, such as:

  • Performance management
  • Pay and incentives
  • Recruitment and training
  • Managerial styles
  • Interpersonal relationships

In this article we describe a process for collecting data to evaluate risk culture and how to use these insights to shape, manage and nurture the culture over time.

Collecting the data

Many companies collect reams of data relating to organizational culture but do little with it — and perhaps don’t even recognize it as such. A structured and systematic approach can offer a significant insight; with a well-designed process, firms can build a clear picture of staff and stakeholder attitudes and the practices that drive risk culture.

Below we focus on three key aspects:

  1. Organizational risk assessments take the form of surveys that provide valuable data on the employee perspective, helping to understand underlying attitudes. While actual behaviors can be monitored in relation to processes and controls, risk culture surveys are well established and proven to uncover issues that management are frequently unaware of, such as how leadership messages are received and the impact of incentives, monetary and otherwise.

    Organizational risk assessments should measure the collective impact of employee views and behaviors and identify the drivers of employee risk attitudes, highlight potential risk “hotspots” and answer core questions such as:

    • How do staff view the examples set by leaders?
    • Do employees understand the firm’s risk appetite and take personal responsibility for risks?
    • Do employees understand the risk controls and do they feel it is necessary to adhere to them?
    • How safe do employees feel to speak their minds?

    For many organizations that make extensive use of outsourcing and other business partnerships, the culture of these extended relationships can also be material to the overall organization’s culture. It is possible to expand this type of assessment to the broader enterprise.

  2. Process and program risk assessments show the effectiveness of organizational governance and behavior-influencing tools such as pay and incentives. We have identified a range of levers that management can use to impact risk culture. In addition to pay and incentives, recruitment, talent management, performance management and training are also important and need to work together in a complementary manner to be fully effective.

    We have found that introducing a defined risk culture measurement process that benchmarks against peers makes the topic more accessible and tangible to stakeholders. It provides a common language and consistent set of criteria and concepts that managers can use to discuss the topic and influence the culture in a practical and constructive way. This will help all stakeholders (internal and external) to understand the positive value of the existing risk culture that should be nurtured and establish priorities for measurable improvement.

  3. Individual risk assessments provide in-depth behavioral evaluations of leaders, senior management or other key, risk-taking individuals. Extensive research tells us that the motivations, talents and capabilities of key employees can be assessed to provide a holistic picture of behavioral tendencies in the workplace.

    Many regulators — and more recently investors and customers — are holding board members and management responsible for establishing company culture, values and ethics. Regulators, rating agencies and other professional bodies increasingly hold that boards should set the right tone from the top to help prevent misconduct and unethical practices and assess their effectiveness.

    We believe that directors and senior management should be able to answer the following questions:

    • How have you defined your risk culture and how does this support your risk appetite?
    • How is the risk culture assessed and monitored in your organization?
    • What roles do non-executive directors and operational management play in influencing risk culture?
    • How do you obtain assurance of success?

Using the data

Combining data from these sources with common information like performance management, pay and bonus outcomes, broader employee engagement and manager span of control can greatly improve its descriptive power. And by correlating this with incident reporting and other event data, a comprehensive picture can be built of the factors driving behaviors that lead to risk outcomes.

We have found that using a risk culture dashboard that summarizes assessment results helps companies to understand and monitor their own evolving risk culture. In addition, this can allow businesses to compare their risk profiles to benchmarks that are derived from an aggregate of companies with different strategies and at different stages of maturity. It also provides valuable reference points for risk professionals and directors in understanding how they rank against similar or competitor companies, and analyzing where improvements can be made.

Shaping risk culture

Many companies have focused on risk management and governance frameworks as drivers of risk culture. But the roots run deeper and concern leader and employee beliefs, risk attitudes and behaviors. Assessing risk culture is one of the early steps in the process to create an organization with its optimum risk profile.

Measuring risk culture gives leaders, managers and employees the insights they need to begin managing that culture effectively and identifying changes to governance, control, communication and supporting HR programs that will improve culture and help to manage risk effectively.

The strategic CRO should work with the rest of the business to create a sustainable framework and program to manage and develop the risk culture in full alignment with the risk appetite and overall risk management framework, which evolve with and support the business strategy and operations.

By taking these steps CROs can clearly articulate what risk culture encompasses and measure it effectively.


Alasdair Wood
Senior Director, GB Reward Practice Leader

Mike Wilkinson
Senior Director
Insurance Consulting and Technology

Kenneth McIvor
Director, Insurance Consulting and Technology
