Practical ideas: Regularly evaluate risk management culture

Every risk manager we have interviewed explained to us that periodic risk culture evaluations help strengthen the risk culture. So, we wanted to give readers some practical ideas around it.

There are multiple models which can be used to assess the current state of risk culture, including the risk culture framework developed by the Institute of Risk Management, UK or the risk maturity model developed by G31000 that covers elements of risk culture. Whatever the model risk managers select, they should make sure it is aligned with the ISO 31000:2009 principles.

When reviewing risk management culture, risk managers should, among other things, look at:

  • Whether accountabilities and responsibilities for risk are well documented – A critical component of risk management integration is building responsibility and accountability (authority, resources, competences) for managing risks into all business activities. Top management should ensure that responsibilities and authority for relevant roles with respect to risk management are assigned and communicated at all levels of the organisation.
  • Evidence of risk management competencies – Risk management competences should be developed in all core business units. Risk management competences should also become an important attribute when hiring new personnel into the organisation.
  • Evidence of risk management training and awareness – All employees should receive risk management training appropriate to their level and risk exposure.
  • Whether individual performance management considers risk information – Mature organisations align individual performance management with risk management. Employees should have individual key performance indicators relating to the management of risk and their participation in the risk management processes.
  • Evidence of open communication and transparency – Information about risks is openly discussed during the decision-making process. Significant risks are given due attention at management and Board meetings. Executives are receptive to bad news and are ready to discuss risks and risk mitigations.

Risk managers should regularly discuss culture and attitude to risk with senior management and the Board, as well as help communicate Board and senior management expectations to the employees.



  • Choose the maturity model used to evaluate risk management culture (G31000, IRM, Risk-academy)
  • Discuss with HR how to integrate risk culture evaluation into the regular employee surveys or broader organisational culture assessments
  • Use online questionnaires and face-to-face interviews to assess risk culture maturity
  • Monitor the progress at least once a year



Alex Sidorenko from RISK-ACADEMY shares some of his practical suggestions to build risk management culture.



Risk management culture assessment – management-culture-questionnaire/
