Organizations contain people who must work together to achieve common objectives. Wherever there are people there is culture; a social mechanism that helps them to collaborate and coordinate their activities. An organization’s culture, and by extension its risk culture, is both a source of strength and weakness when it comes to the management of operational risk. An appropriate risk culture will ensure that staff accept the importance of effective operational risk management and behave in a manner consistent with the organization’s operational risk policies, procedures, and appetite. Inappropriate risk culture can be both a cause of operational risk events and a mechanism for intensifying their impact.

This guidance explains how risk culture may be identified, assessed, and controlled to help reduce the frequency and severity of operational risk events. It must be emphasized that there is no one optimal risk culture, nor are the universal characteristics of a ‘strong’ or ‘weak’ risk culture. In addition, we should recognize that while we tend to associate certain cultures with certain types of organizations, many – particularly large diverse firms – may have different cultures in different parts of the organization. A bank’s investment banking operation, for example, may have a different culture from the same bank’s retail entity. However, it is possible to provide guidance on the effective management of risk culture, as part of a robust operational risk management framework.