A solid risk culture is a key component to ERM

Feb 02, 2023 · 3 min read · AICPA Insights Blog

Frequently, organizations must adapt to a changing external environment that could encourage leaders to contemplate expansion. In contemplating a bold strategic step, such as opening an office in another location or merging with another company, you’ll want to consider your staff’s tolerance and enthusiasm for risk.

Along with understanding a company’s financial risk tolerance, understanding employees’ risk tolerance is critical to organizational resilience and ties together the key elements of enterprise risk management (ERM). Organizations should balance risk-taking with stability to thrive. To assess that balance, here are 4 ways to identify blind spots in your organization.

In a strong workplace culture, employees understand the company’s appetite for risks and how those risks are managed. This clear picture empowers teams to make appropriate assessments for strategic decision-making and positively affects day-to-day business practices.

The success of ERM implementation hinges on how well employees understand the organization’s risk approach.

Define it

Risk culture is part of the overall workplace culture and specifically focuses on the shared ability to manage risk.

Creating a risk culture entails understanding and assessing the existing work culture, building awareness around risks, monitoring and reporting metrics, and addressing areas of weakness.

First, leaders seeking to create awareness around risks must define the culture they want in their organization.

To create a shared understanding of risk across the organization, you should identify the specific elements of the desired risk. In defining risk, you should articulate the company’s mission and vision and provide examples of how to uphold organizational values. During staff meetings, you could highlight select members who demonstrate the level of risk appetite you seek.


Assess the existing workplace culture

To cultivate a workplace that is not risk-averse, you’ll want to understand and measure the existing culture.

Workplace culture influences risk management effectiveness, so assessing your organization’s culture should be a dynamic process that ensures you can take a proactive stance around initiatives.

By evaluating culture, you uncover people’s existing risk mindsets in your organization and how you can build employees’ comfort levels around the unknown.

Start by identifying the metrics you want to gather. Then, you can collect data, which can include a combination of both quantitative and qualitative metrics.

Questions to consider include:

Do the employees have an adequate understanding of the risks the company takes?

Is staff training relevant to an employee’s level and risk exposure?

Have employees received sufficient training?

Are employees taking too much or too little risk?

By creating culture-specific surveys, focus groups, and interviews, you can obtain key employee perspectives. A solid assessment will uncover the risk mentality within the organization and give insight into how well employees know and embrace risk management.

Leaders must understand their current environment to gain a forward-looking view on strengthening risk culture within the organization.

Use the information you gather to analyze overall risk culture and create substantial reports that inform strategy and drive action going forward. Boards and leadership can then work with risk leaders to monitor data points continuously.

Leaders can move forward by creating action plans for their teams that acknowledge staff concerns and use vulnerabilities as a tool to set priorities. This will help establish a forward-looking view on strengthening the organization’s risk culture.


How to build your employees’ capacity for risk

Through clear communication, leadership must define the parameters of organizational risks.

To increase enthusiasm and risk tolerance of the organization, you could use a risk assessment tool, like this Chartered Global Management Accountant® (CGMA®) risk heat map. Visuals foster clearer discussions for strategic decision-making and greater integration of risk management across the organization.

Further, this CGMA guide for the risk leader offers guidance on creating ERM initiatives. It details the essential skills and abilities needed to lead your organization’s ERM strategy.

Your company’s ERM framework will likely include more training, cross-departmental collaboration, and additional leadership engagement and support.


A solid ERM framework and workplace culture create awareness of risk appetite and enable people to work within set boundaries that further the organization’s strategic goals.

ERM insights for the finance risk leader include a checklist and direction on how the checklist can lead an entity through the current and future risk environment.

Every organization builds workplace culture. The question is whether the culture supports the organization’s appetite for risks, ERM practices, and overall strategic goals.

To further expand your knowledge of ERM, join the COSO Enterprise Risk Management Certificate Program.

Mari Sagedal, M.A.

Mari Sagedal is a senior content writer at AICPA & CIMA, together as the Association of International Certified Professional Accountants.
