Failure to Succeed: Why Companies Struggle to Change Risk Culture

We’ve all heard the saying, “Culture eats strategy for breakfast.” It’s a powerful reminder that no matter how well-crafted a strategy might be, if the culture doesn’t support it, the strategy is likely to fail.

We talked about the importance of culture in relation to embedding AI, this time, we discuss Risk Culture and Change Management.

Risk culture is the shared beliefs, values, and behaviours within an organisation that influence how people perceive and manage risk. It’s the difference between an organisation that proactively addresses potential pitfalls and one that turns a blind eye until it’s too late.

In today’s business world, everyone knows that a strong risk culture is essential, but here’s the hard truth: changing a company’s risk culture is incredibly challenging, and more often than not, companies fail to succeed in this endeavour. Despite their best efforts, they find it incredibly difficult to change their risk culture.

It’s not for lack of trying—leaders introduce new policies, launch training sessions, and send out messages emphasising the importance of risk management. But somehow, these initiatives often fall short.

So why is that? The truth is, changing risk culture isn’t just about checking off boxes, following a plan or communications. It’s about fundamentally changing how people think, act, and make decisions every day.

So, what are the real, human-centred reasons why companies often fail to change their risk culture, and why it’s so tough to get it right.

Misalignment Between Policies and Behaviours

Here’s the thing, when a company decides to change its risk culture, one of the first things they usually do is update or introduce new policies. This makes sense—it’s a necessary step. But here’s where it gets tricky: having the right policies is just the start. The real challenge is making sure these policies actually influence how people behave on a daily basis.

One of the biggest mistakes companies make is thinking that rolling out new risk management policies is enough to change the culture. But policies are just words on a page. They don’t automatically change how people think, feel, or act. For a real shift to happen, those policies need to be lived and breathed by everyone in the organisation. If there’s a gap between what the policy says and what actually happens on the ground, the culture won’t change. Employees might go through the motions, but if they don’t see their leaders walking the talk, they’ll stick to their old habits.

Resistance to Accountability

Let’s be honest, accountability is crucial for any strong risk culture. But in practice, getting everyone on board with accountability can be tough. It’s not just about setting policies—it’s about having the courage to enforce them, even when it’s uncomfortable.

The reality is that we all know that accountability is key. But let’s face it, enforcing accountability isn’t always easy. In many organisations, there’s a reluctance to hold people accountable for risk-related decisions, especially when those decisions impact performance or financial rewards. It’s a delicate balance. On one hand, you want to encourage innovation and risk-taking where it makes sense. On the other, you need to make sure people are making responsible decisions. When companies fail to enforce accountability, it sends the wrong message—that risky behaviour is acceptable as long as it gets results. This can quickly undermine any efforts to build a solid risk culture.

Complacency and Comfort with the Status Quo

Here’s another challenge, change is disruptive, and for many employees, the idea of altering something as deeply ingrained as organisational culture can feel overwhelming. So, it’s natural to want to stick with what’s familiar, even if it’s not perfect.

This happens because change is hard—especially when it involves something as deeply rooted as culture. In many organisations, there’s a comfort level with the status quo. People have been doing things a certain way for years, and it’s worked for them—so why change now? This comfort with the old ways is one of the biggest obstacles to changing risk culture. If employees don’t see the need for change, or if they believe the old ways are good enough, they’ll resist any efforts to shift the culture. They might agree in meetings, but when it comes to their day-to-day actions, they’ll fall back on what they know best.

Inconsistent Leadership Commitment

The truth is leadership sets the tone for the entire organisation’s culture. When leaders are genuinely committed to a cultural shift, their actions inspire others to follow. But when that commitment wavers, even the best initiatives can lose momentum.

Now, leadership is crucial for any culture change, but when it comes to risk culture, inconsistency at the top can be particularly damaging. If leaders don’t consistently prioritise risk management in their decisions, or if they send mixed signals about how important it is to manage risk, it creates confusion and mistrust among employees. People take their cues from their leaders—if they see that risk management isn’t a top priority for the executives, they’re unlikely to take it seriously themselves. The same applies to how middle managers lead. This inconsistency can derail the entire effort to change the culture, making it difficult to achieve lasting change.

Lack of Risk Awareness and Education

Education can often the missing piece in culture change initiatives. It’s not just about training and having a clear understanding of what’s at stake and how to manage risk effectively, employees need to see why they need to change their behaviours and how this plays through on a daily basis.

One major hurdle to changing risk culture is a lack of awareness and education about what risk management actually involves. Many employees don’t fully understand how risk management applies to their work, so they don’t see why it’s important. Without proper and relatable education and training, risk management remains an abstract concept—something that gets talked about in meetings but isn’t really understood or integrated into daily practices. If employees aren’t clear on the risks and their implications, they’re unlikely to change their behaviours in meaningful ways.

Short-Term Focus and Pressure

Here’s a tough one, the pressure to deliver quick results is intense, especially in competitive industries like financial services. But this short-term focus often conflicts with the need to manage risks that might not show up until later.

The pressure to deliver short-term results is a fact of life in many organisations, but it can be a big obstacle to changing risk culture. When the focus is on hitting quarterly targets or meeting immediate goals, there’s often little room for considering long-term risks. This short-term focus can lead to risk-taking behaviours that clash with a strong risk culture. Employees might feel pressured to cut corners or ignore potential risks to achieve quick wins, keeping the organisation stuck in a cycle of prioritising immediate results over long-term sustainability. This conflict is often driven, or reinforced at the top.

Fear of Transparency and Blame

The reality is for risk culture to be truly effective, transparency is essential. But in many organisations, a fear of blame creates an environment where people are hesitant to speak up about potential risks or mistakes.

What goes wrong? A strong risk culture requires transparency—a willingness to speak up about potential risks without fearing retribution. But in many organisations, there’s a culture of blame that discourages this kind of openness. Employees worry that if they admit to a mistake or raise a concern, they’ll be penalised or judged. Worse still is that everyone knows but no one confronts it. We are all too nice. This fear of transparency undermines efforts to build a robust risk culture, as issues often get hidden or downplayed until they become serious problems. To change the culture, organisations need to create a safe environment where employees feel they can speak up, and where mistakes are seen as learning opportunities, not grounds for punishment.

Lack of Integration into Daily Practices

Culture change simply can’t just be a top-down directive—it needs to be woven into the daily practices and decision-making processes of the organisation. Without this integration, risk management can become an afterthought rather than a core value.

For a risk culture to take hold, it needs to be integrated into the daily practices and decision-making processes of the organisation and at team level. Risk management shouldn’t be something that’s done in a silo or treated as an afterthought—it needs to be part of everything the organisation does. Unfortunately, in many companies, risk management is still seen as a separate activity, disconnected from core business operations or delegated to line 1A. This separation leads to a lack of ownership and responsibility for managing risk, resulting in a culture that doesn’t fully embrace risk management principles.

Prioritising Metrics Over People

A final and common issue is that in the quest to manage risk, organisations often turn to dashboards and metrics to track progress. While these tools are useful, an over-reliance on them can lead to missing the human aspects of risk culture.

Risk dashboards and metrics are valuable for tracking potential issues, but often only tell you what you already know. Also, when organisations prioritise these over the people who manage the risks, they risk creating a culture that values numbers more than behaviours. Metrics can only tell part of the story—they often focus on the risks that are easiest to measure, rather than the ones that pose the greatest threat. Moreover, when risk management becomes a box-ticking exercise driven by dashboards, employees may feel disconnected from the process, seeing it as a compliance task rather than a fundamental part of their role. This can lead to disengagement, where the deeper, more proactive elements of risk management are overlooked, undermining the organisation’s ability to respond effectively to emerging risks.

The Human Side of Failure

Changing risk culture is incredibly challenging because it involves altering deeply held beliefs, habits, and attitudes. From a human perspective, it’s not just about implementing new policies or enforcing accountability—it’s about addressing the fears, complacency, and resistance that naturally arise when people are asked to change the way they’ve always done things.

It’s about making risk management a part of the organisation’s DNA, not just a set of policies on paper. And most importantly, it’s about leading by example, consistently prioritising risk management in every decision, and creating an environment where transparency and accountability are the norms.

Without this deep, human-centred approach, efforts to change risk culture are likely to fail, leaving the organisation vulnerable to the very risks it seeks to manage. So, if your company is struggling to change its risk culture, take a step back and consider the human factors at play. It might just be the key to finally succeeding where others have failed.