
How to create a robust risk culture


Your weakest link? Is a flabby risk culture undermining robust risk management in your business?



[Illustration: people under a magnifying glass]

A strong risk culture is increasingly a regulatory requirement. But how well does your organisation measure up? Discover key steps for building better risk management behaviour across your business.

Is your organisation the type of place where people only want to hear good news? If so, that’s bad news for your business. Firms that are unwilling to identify or escalate issues around risk ultimately leave themselves open to dangerous blind spots occurring.

A robust risk culture is no longer a ‘nice to have’: many regulators now insist on it, with the buck stopping with the board. After all, a good risk and conduct culture doesn’t maintain itself. If your board and senior management cannot adequately answer the following four questions, you need to take action, fast.

1. What are the warning signs?

  • A clear lack of cultural clarity

Many firms struggle with spelling out exactly what’s expected of people on the front line. At the same time, meaningful data about risk culture performance may end up not being escalated. All executive committees and boards should therefore ensure people throughout the firm know exactly what they should be doing and how, through regular communication and a constant review of management information about the organisation’s risk culture. 

  • Employees don’t understand regulatory requirements

Poor compliance training and a lack of behavioural controls can create blind spots. You need a behavioural policy framework, supported by a clear steer on what is and is not acceptable, sophisticated training and a visible link to performance and reward.

  • Senior management is out of touch

Senior managers may well tell a good news story about their values and culture, but this may be directly contradicted by logs showing front line behavioural breaches and a growing number of customer complaints. If you see a pattern emerging in terms of behavioural problems and this type of customer complaint, it is a strong warning signal that your firm lacks sufficient risk controls – or even that certain types of behaviour are being rewarded. 

2. How well do you define and incentivise good risk management behaviour?

It’s vital your employees understand what risk-laden behaviour is and how best to respond. This is particularly important for new areas such as technology risk, from business continuity to cyber-crime. All too often, compliance and risk functions are just fire-fighting, rather than scanning the horizon to understand any major new risks emerging. Firms should, for example, help their technology teams become risk-aware and able to manage risks. Many heads of technology do not have deep risk management skills; firms therefore need to take a hard look at their competency framework, recruiting strategy and performance management.


3. Are you measuring culture in a meaningful way?

It’s no longer possible – or acceptable to regulators – to say, ‘it’s impossible to measure culture’. On the contrary, many firms are now coming up with frameworks to assess, measure and challenge their existing culture. They do this by referring to conduct data, customer feedback and behavioural policy compliance.

They’re also moving beyond the old qualitative engagement scores that came out of staff surveys and on to the use of sophisticated people analytics. That allows them to look at everything from adjusting reward to reflect behaviour, to what they know about predictors of major behavioural events like rogue trading.

4. How do you achieve the right balance?

There’s a fine balance to strike between a control culture that stifles innovation and one which supports the right decisions in ethically ambiguous territory.

But, the focus on culture and risk management isn’t going away. Firms that adapt fast will be far better placed than those who haven’t yet woken up to the urgency of these issues.

The answer? To be unequivocal and unrelenting in terms of your behavioural expectations of staff, so that an effective risk culture becomes second nature throughout your entire organisation.

If your board and senior management cannot adequately answer these four questions, you need to take action, fast.

© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organisation please visit
