What are some methods/strategies for promoting a healthy risk culture across the agency?

Question asked by Anonymous

AFERM Experts Say...

It is important to establish a common definition of risk culture.  The Risk Management Society (RMA) defines risk culture as “the set of encouraged and acceptable behaviors, discussions, decisions and attitudes towards taking and managing risk within an institution.”  In my opinion, this definition appropriately focuses on attitudes and behaviors as the driving force behind organizational culture because it is ultimately the people, and not the processes and procedures, that determine ERM program success.  A useful model to think about with respect to promoting culture is the Attitude-Behavior-Culture (A-B-C) model where culture derives from repeated behaviors, behavior is influenced by attitude, and attitude is influenced by culture.  (Hillson, 2013) https://www.pmi.org/learning/library/understanding-risk-culture-management-5922

Culture change efforts can focus on shaping attitudes and reinforcing the desired behaviors associated with the desired risk culture.  Considering strategies in relation to the A-B-C model, knowledge and understanding are key to shaping attitude.  There are several approaches that an agency can consider, including frequent communications, specific training on the ERM program, using ERM as a common thread woven throughout agency-provided training, and providing other learning forums.  Strategies to address the behavior component could include setting expectations and reinforcing the desired risk management behaviors.  Creating clearly defined risk appetite statements for employees allows them to apply the statements to the decisions they make within their assigned responsibilities.  Adding a risk management core competency or performance goal to performance appraisals can be useful.  Additionally, having clearly defined and enforced risk management policies and processes that guide behavioral expectations, along with recognizing and rewarding the desired behaviors, are significant ways to establish and reinforce how the agency expects its employees to behave, individually and collectively.  The final culture component of the A-B-C model can be addressed through periodically assessing the risk culture of the organization and by setting the right tone at the top, and through an effective and transparent risk governance process.  These aspects are the most important according to Hillson, and the results of a 2013 study conducted by RMA.  www.rmahq.org/WorkArea/DownloadAsset.aspx?id=5452

It is important to remember that changing culture is very much an evolutionary endeavor and not a revolutionary one.  It is one of the most difficult leadership challenges, takes considerable effort and time, and its progress is difficult to measure.


Hillson, D. (2013). The A-B-C of risk culture: how to be risk-mature. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.


Comments (1)


I like the connection to behaviors included in the answer, and think that we can take this further. When I think of culture, I think of the culture of the organization. Every organization has a culture, and the key question is how it considers risk in decision-making at every altitude from the highest strategic decision to the front line business process decisions. To me the term risk culture means “is the organization risk averse or risk aggressive?” meaning its stance around risk, does it take risk or avoid risk. It doesn’t consider the nuance of how decision-making affects risk and how risk affects decision-making, performance targets, accomplishing business objectives and fulfilling strategy, all of which are part of the organization’s overall culture. In order to influence culture, we have to understand the whole of the culture, including points of pride and key tenets of the culture to understand how those influence decision-making. If we focus only on the culture as it relates to risk taking, we may miss the fact that this is often just a symptom of other aspects of the culture.
I would suggest that the organization starts by defining the culture they want through a definition of core values and behaviors. For this example, I assume that the term “healthy risk culture” refers to a risk aware culture. Given this assumption, some additional practical methods/strategies that could be employed to promote a risk aware culture by influencing behaviors include:
– Agency wide communication on the impact of risk in decision-making: for example, how has the budget or investment process taken risk into consideration and changed an outcome for a specific project. This would begin to show the value of risk consideration in decision-making.
– During all hands or small group meetings with managers, incorporate a regular discussion about how what is happening with our constituent group or the broader economy might be impacting our daily work, and are there ways we can change our process to accommodate. This begins the process of employees thinking through potential events, emerging risks, uncertainty and builds risk awareness.
– If there is a Secretary-level awards/recognition program, identifying employees that have identified risk that the agency was able to respond to provides an opportunity for other employees to see the value in identifying and responding to risk, and can impact the culture.
– Developing a training plan that incorporates formal learning, informal learning, and communication about risk through already existing forums, and developing short podcasts, can also help in raising risk awareness.
These are a few practical methods/strategies that could help raise risk awareness.

