Most executives take managing risk quite seriously, the better to avoid the kinds of crises that can destroy value, ruin reputations, and even bring a company down. Especially in the wake of the global financial crisis, many have strived to put in place more thorough risk-related processes and oversight structures in order to detect and correct fraud, safety breaches, operational errors, and overleveraging long before they become full-blown disasters.
Yet processes and oversight structures, albeit essential, are only part of the story. Some organizations have found that crises can continue to emerge when they neglect to manage the frontline attitudes and behaviors that are their first line of defense against risk. This so-called risk culture1 is the milieu within which the human decisions that govern the day-to-day activities of every organization are made; even decisions that are small and seemingly innocuous can be critical. Having a strong risk culture does not necessarily mean taking less risk. Companies with the most effective risk cultures might, in fact, take a lot of risk, acquiring new businesses, entering new markets, and investing in organic growth. Those with an ineffective risk culture might be taking too little.