Organisations contain people who must work together to achieve common objectives. Wherever there are people there is culture; a social mechanism that helps them to collaborate and coordinate their activities. An organisation’s culture, and by extension its risk culture, is both a source of strength and weakness when it comes to the management of operational risk. An appropriate risk culture will ensure that staff accept the importance of effective operational risk management and behave in a manner consistent with the organisation’s operational risk policies, procedures, and appetite. Inappropriate risk culture can be both a cause of operational risk events and a mechanism for intensifying their impact.

This guidance explains how risk culture may be identified, assessed, and controlled to help reduce the frequency and severity of operational risk events. It must be emphasized that there is no one optimal risk culture, nor are the universal characteristics of a ‘strong’ or ‘weak’ risk culture. In addition, we should recognise that while we tend to associate certain cultures with certain types of organisations, many – particularly large diverse firms – may have different cultures in different parts of the organisation. A bank’s investment banking operation, for example, may have a different culture from the same bank’s retail entity. However, it is possible to provide guidance on the effective management of risk culture, as part of a robust operational risk management framework.