Risk Culture Measurement

Sean McGing and Andrew Brown share their research and ideas on risk culture in banking and life insurance practices.

In recent months the topic of Risk Culture has burst on to our screens – yet again.

This time everyone is lamenting the poor culture reflected in certain banking and life insurance practices.  Industry specialists believe that these poor practices results in some customers being treated unfairly. Labor is calling for a Royal Commission into Bank practices and ASIC is being given an extra $122m in funding for high intensive surveillance of the insurance and banking industries.

We thought it timely to share some thoughts on how risk culture in organisations can be measured and better understood to mitigate risks as part of a comprehensive enterprise risk management program.



Risk culture in organisations

An organisation’s risk culture describes the degree to which its culture encourages or limits the taking of risks and the opportunities that arise from those risks. It is about people’s individual and collective behaviours.  A culture constantly evolves through various stages of maturity.   

Ken Wilber, integral philosopher, has summarised four aspects of a system into his integral model. In any organisation, the way these four aspects operate together shapes the culture.













Wilber’s Integral Model

Source: Putz, M. (2006): AQAL: Journal of Integral Theory and Practice, Spring 2006, Vol 1, No 1, Integral Business and Leadership: An Intermediate Overview




The culture of an organisation is heavily influenced by its individual and collective behaviours. To move an organisation to a more mature risk culture requires an understanding of its people’s behaviour(s), beliefs and mindsets. To support and reinforce any cultural change, it is also essential to have in place appropriate systems and structures.

Measuring risk culture

If culture is important to ERM, then we have to find a way to measure it.  The case for measuring culture seems very straight forward – by measuring culture we are better able to assess the effectiveness of our attempts to shape or control it.  In financial services APRA as the regulator effectively expects you to measure culture in order to manage it. But that has its challenges: 

  1. We need to be careful that any changes in results are due to changes in the underlying culture and not changes in how the measurement is being applied.
  2. The harder that things are to measure, or the more subjective they are, the more likely it is for people to ignore or discount the results.
  3. Measurement of the culture isn’t independent of the culture – measuring signifies importance, and can change people’s awareness and perceptions of the cultural questions, leading to shaping of views and being more likely to act differently.
  4. The type of measurement that is appropriate will also depend on the stage of organisational maturity.

Methods of measurement

There are several ways to measure risk culture.

  • Surveys
  • Staff interviews
  • Focus groups
  • External stakeholder interviews
  • Social media reviews
  • Review of operational processes
  • Training

These measures broadly cover off Wilber’s four quadrants.You must balance quantitative with qualitative.  Measuring regularly such as annually enables changes and trends to emerge and be assessed.  Surveys and staff interviews are the most common and the easiest.  The survey needs to be designed very carefully.   It can be incorporated as part of the annual staff survey particularly if the organisation‘s risk culture has already evolved to a level where people are consciously aware of the culture and the impact it has on performance.

Findings and insights into risk culture across industries

We undertook a pilot risk culture measurement exercise as part of our research.  We conducted (mostly) face-to-face interviews with a limited number of Chief Risk Officers in organisations across financial services, education and energy.  We also analysed and compared the online questionnaire responses by our interviewees.  The most important aspects of an effective risk culture in their eyes were:

  1. Tone from the top AND tune from the middle.
  2. Open and effective communication in a safe environment.
  3. Awareness, understanding and ownership of risk at all levels.

The insights we gained were:

  1. The driving force behind best practice risk management across an enterprise is the evolving culture.
  2. There are more similarities than differences across industries / areas.
  3. Cycles are essential for learning.  A long memory – of the bad events – helps.


Original research is from our paper presented to the Actuaries Institute Financial Services Forum in 2014. 

See also, Sean and Andrew’s other article Board Leadership in a Complex World – Optimising value from risk and opportunity’

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.