The COVID-19 pandemic has created a time of unprecedented change for both public and private organizations across the globe. Executives and boards have had to move quickly to address threats and seize opportunities, all while continuing to protect employee and customer health and safety and evolving to adopt new digital and work-from-home norms.
Risk and integrity culture refers to the mindsets and behavioral norms that determine how an organization identifies and manages risk. In this challenging and highly uncertain moment, risk culture is more important than ever. Companies cannot rely on reflexive muscles for predicting and controlling risks. A good risk culture allows an organization to move with speed without breaking things. It is an organization’s best cross-cutting defense.
Beyond today’s travails, a strong risk culture is a critical element to institutional resilience in the face of any challenge. In our experience, those organizations that have developed a mature risk and integrity culture outperform peers through economic cycles and in the face of challenging external shocks. At the same time, companies with strong risk cultures are less likely to suffer from self-inflicted wounds, in the form of operational mistakes or reputational difficulties, and have more engaged and satisfied customers and employees.
This article explores the steps involved in setting up an effective risk-culture program, when to launch such a program, and the factors we have found to be critical for long-term success.
Understanding and measuring risk culture
The starting point for most organizations looking to improve their risk culture is to diagnose the current state. Organizations that have built strong risk and integrity cultures seek to understand (and then address) three mutually reinforcing drivers: risk mindsets, risk practices, and contributing behavior.
Risk mindsets can be understood as the set of assumptions about risk that individuals hold within the organization; risk practices are the daily actions that determine the effectiveness of risk management; contributing behavior comprises the collective actions that build risk attitudes. Ideally, these actions will be systematic and deliberately intended to strengthen individuals’ risk attitudes, with desired risk behavior built into everyday functioning.
Companies that seek to understand risk culture can best begin by establishing concrete, detailed definitions. They should clearly spell out the specific elements of risk culture to set aspirations and measure progress. For example, we define ten dimensions of risk culture, based on a wide range of experiences with companies across all major industries, and incorporating close study of a range of real-world risk-culture failings (Exhibit 1).
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at:
McKinsey_Website_Accessibility@mckinsey.com Systematic measurement
Once risk and integrity culture is defined, measurement can begin. Leading companies assess themselves systematically, looking at mindsets, practices, and behavior.
Companies with strong risk cultures have more engaged and satisfied customers and employees.
This assessment is often based on interviews among units and functions, then followed by a more comprehensive organization-wide survey.
The survey will typically include 20 to 30 questions that measure performance against the elements of risk culture (covering mindsets, practices, and behavior) and will set the organization-wide baseline. The team can complement results with qualitative insights gleaned from follow-up interviews to provide further detail on the particular strengths or weaknesses revealed, and help uncover their root causes.
Leading companies take proactive steps to maintain strong risk cultures in normal times, in times of stress, and when they are undergoing transformations.
Instead of using a dedicated risk and integrity survey, many organizations falter by relying on a combination of employee-engagement surveys, focus groups, and analyses of incidents and near-misses to measure their risk culture. Each of these tools can bring useful results when used with sufficient rigor. However, typical employee-engagement surveys contain only a few relevant questions and therefore do not usually uncover enough insight to create an effective measure. These approaches, furthermore, do not provide a view over time or ready comparisons between organizational units.
We believe that a dedicated survey is an indispensable tool for obtaining a broad measure of a company’s risk culture. It is the only way to set a true initial baseline. A comprehensive survey creates hard data, comparable across divisions, geographies, and roles; with repeated use, it traces trends through time. The results allow
fact-based conversations about risk culture, fostering engagement while deepening executive-level understanding.
Once an initial baseline is developed, the results should be shared with leadership teams and the broader organization. Transparent results are an important first step in increasing the focus on risk culture. While maturity levels across different dimensions matter, outliers (both strengths and weaknesses) or areas of change where a survey is repeated over time tend to drive the greatest insights for an organization. Differences among units, functions, geographies, and tenure levels can also be illuminating.
In one example of this process, a government-owned corporation held a series of town-hall meetings to share the results of its risk-culture survey. The town halls were the first active communications on risk culture and demonstrated to employees a new openness. The comparative data shared showed divergent strengths and weaknesses, which stimulated strong interdepartmental conversations in what was a traditionally siloed organization.
As a second example, a high-performing financial institution created tailored readout packs for a series of thoughtful discussions between the chief risk officer and the leader of each major line of business and function. The readout materials highlighted areas of opportunity for each business and function, including dimensions where their risk culture was weaker than the organization as a whole or where results were at odds with stated strengths or goals of the leader. For instance, with one leader who had taken pride in his organization’s openness to sharing bad news, the conversation centered around weak scores in this area in some geographies.
Addressing risk-culture shortcomings
With the help of measured risk-culture results, companies can act to address weaknesses in risk culture. The leadership team, with support from the team coordinating risk-culture efforts, can use the strengths, weakness, and cultural differences identified to agree on a set of prioritized interventions or intervention areas based on enterprise-wide and divisional aspirations.
Some interventions will affect the entire organization—for example, certain compensation or recruiting changes. These warrant group-led approaches, and a dedicated team should be created or assigned to take charge of them.
Many, however, will be specific to and driven by particular parts of the organization. For instance, affected business units would take charge of work to redesign problematic product-approval processes; likewise, business-unit leaders might “localize” a groupwide focus on a topic like accountability. Where possible, interventions or their application should be driven, and owned, by the front line to ensure that cultural change is truly lived locally and linked to day-to-day business activities and outcomes. Successes and lessons from these localized efforts can be shared across the organization by a central coordinating team.
The process of developing interventions end to end is well illustrated by the experience of one insurance company. The company explored the results of an initial risk-culture survey at a top-team offsite. The survey data allowed leaders to move from discussions based on intuition to those based on evidence. The leaders discovered that the organization was universally strong in some dimensions and universally weak in others. Clear differences also emerged among business units. The CEO probed the comparative differences, challenged executives to understand the causes of low scores, and explored ways for everyone to learn and apply lessons from higher-performing business units. Coming out of the discussions, the team agreed on focus areas and assigned responsibility for carrying out the improvements.
Designing and deploying tailored interventions
To lift risk culture, organizations move from measuring and planning to taking action. A broad range of techniques can be summoned to inspire change. Successful efforts are usually the result of several kinds of actions taken together. In thinking about how to generate meaningful, lasting changes in risk and integrity culture, leaders can be guided by the “influence model” schematized in Exhibit 2. This model has proven useful in ensuring that change programs draw upon a breadth of approaches, and its use increases the chance of success for a transformation by three or four times.
We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at:
The effort to address risk-culture gaps usually involves a balance of short- and long-term interventions. Targeted short-term interventions allow organizations to respond flexibly to changing needs while longer-term programs constantly reinforce core elements of desired risk culture. Long-term interventions are often formal programs like speak-up hotlines or training and compensation standards (based on risk criteria) that continually reinforce desired behaviors.
In an effective example of a long-term intervention, one bank developed a program that both encouraged employees to speak up on risk issues and increased the level of responsive actions. The program includes an externally managed channel for employees to register concerns, with the option of confidential help from internal speak-up champions on navigating the process. The board receives regular reports on both internal and external complaints, with resolution rates and common themes and trends.
The following short-term initiatives are just a few examples of how organizations have addressed gaps in risk culture:
A government agency developed a short-term program to increase its speed of response, which was identified as a major weakness. This was done with walk-throughs of key processes, which identified bottlenecks; components were then redesigned as needed to speed up the process and ensure future clarity on escalation and resolution.
A bank discovered weaknesses in its approval process for new products. Its investigation led to the creation of a dedicated challenger role, filled by rotating members of the approval committee. The role is charged with taking deliberately contrarian positions and pressure-testing proposed products on how well they served the long-term interests of the customer and the bank.
A pharmaceutical company sought to address a weak culture of challenge by training new and junior colleagues on how to constructively question leadership decisions. To encourage the best results, senior leaders acted as role models, visibly promoting nonhierarchical decision making.
Launching a risk-culture program
Risk-culture programs can have multiple triggers. Leading companies take proactive steps to maintain strong risk cultures in normal times, in times of stress (such as under the COVID-19 crisis), and when they are undergoing transformations.
Proactively shaping risk culture
Building and sustaining strong risk culture requires proactive attention. In normal times, this means addressing risk culture before issues arise. Under the stress of the COVID-19 pandemic, which has disrupted the traditional mechanisms that reinforce an organization’s risk culture, this includes understanding how risk culture is evolving and then taking action to protect or improve it. Because of the pandemic, people are working together differently, often from home. In addition, many individuals and organizations are under added stress (including financial stress), increasing the risk of nearsighted decision making and cultural problems.
Once a crisis with roots in risk culture hits, existing leadership, including boards, will find it difficult to lead change as they themselves become increasingly associated with the cultural problems. The problems tend to be seen as leadership failings in the eyes of the public, investors, and regulators.
By taking a preemptive look, leaders might see early signs of concern or inadequate processes for understanding the state of risk culture. An initial deep dive into the root causes of seemingly isolated incidents or complaints can be a starting point, eventually expanded into a broader risk-culture review to build a comprehensive picture. Today, the preemptive look should also seek to understand the impact the COVID-19 crisis is having on employees and develop interventions to strengthen the culture by filling the gaps created by remote working.
The effort might be triggered by the need to understand whether an organization is vulnerable to incidents experienced by peers, either before or during the pandemic. By proactively driving this topic, leaders can avoid larger problems and demonstrate that they are part of the solution and not the problem. For example, a company in the advanced industries sector built a speak-up program after leadership recognized the devastating impact of other failures in the industry. The leaders methodically created formal mechanisms to support desired behavior, helping to ward off potential crises before the point of no return was reached.
Maintaining risk culture under company transformation
Many organizations are transforming their operations, particularly to
become more digital and more efficient. The COVID-19 crisis has served to accelerate many planned change programs. Large transformations can themselves raise risk levels, as risk-management practices are disrupted, core processes are redesigned, and teams and organizational structures shift. “Change fatigue,” a species of anxiety that comes with a transformation, can contribute its own share of risk. But transformations also afford organizations the opportunity to reset their model to their desired risk-management culture. They must include programs to promote desired behaviors, in transparent, organization-wide efforts, as opposed to siloed, business-as-usual approaches.
For example, one global manufacturing company undertook a major transformation in response to a series of product- and regulatory-compliance incidents. Front and center were issues of culture, integrity, and compliance, which became the core focus of the groupwide transformation.
As a second example, a bank undertook a major transformation and restructuring effort, partly in response to COVID-19-triggered considerations. The program included a dedicated cultural component with a specific risk-culture stream. As the transformation progressed, business units incorporated risk-culture initiatives into their broader program of activities, ensuring risk-culture changes became core elements of the new ways of working.
Whatever the original motivation for a risk-culture program, a one- or two-year plan covering a range of intervention types can begin with a small set of priority initiatives targeting key weaknesses. In addition to achieving progress in important areas, these initiatives will create visibility and momentum for the entire plan. An example campaign would be one to encourage employees to speak up where they see risk concerns. The initiative might include a confidential speak-up line, communications from the top to set the tone on the importance of speaking up, and, for a dedicated period, an explicit focus on speaking up in team meetings. Results would be conveyed to the board, in a report covering internal and external complaints, whistleblower activity, overarching themes, and resolutions. This would serve as a first step and a gesture of commitment to the larger effort of changing risk culture.
Setting yourself up for risk-culture success
Careful risk-culture definition, measurement, and initiative work plans are not enough. Successful risk-culture programs share five essential characteristics that leaders should put in place as part of their focus on risk culture:
True ownership and responsibility for risk culture sits with the front line. To be truly lived, culture must be linked with the day-to-day business activities and outcomes of an institution. First-line leaders must feel accountability for their role in supporting the company’s risk culture.
Dedicated ownership is assigned for coordinating the definition, measurement, reporting, and reinforcement of risk culture. These responsibilities should sit centrally—either within enterprise risk management, with a risk chief operating officer or an enterprise chief operating officer, or within HR. It is helpful to have a central point, as too often varying language is used to discuss culture within a bank. Without an enterprise-wide view and vocabulary, it is not possible to effect true, coordinated cultural change.
The case for change is visible and compelling. The strengths and weaknesses of the prevailing risk and integrity culture need to be spelled out, supported by data. The vision for an enhanced culture and how it will benefit the organization and individuals can then be articulated.
The effort is sustained over time. Cultural change takes time, and gains must be regularly reinforced. Successful programs combine periodic measurement of organizational risk culture with a multiyear change program encompassing short- and long-term initiatives. Too often organizations bring a burst of energy to the initial diagnostic but then fail to implement initiatives or sustain the changes needed to drive long-term improvement.
The C-suite holds leaders accountable for success. Risk-culture programs need someone to provide overarching direction and drive, but to succeed, leadership across the organization should be actively engaged. Business-unit owners in particular should champion initiatives. Leaders need to show they are serious about change if they want their people to adopt new risk behaviors, which may themselves be perceived as risky—for example, speaking up.
As senior leaders
navigate the complexity of the current crisis, they must ensure the organization as a whole maintains its cultural health. Organizations that nurture their risk and integrity culture will be better positioned to serve their clients, team members, and society effectively, and to avert risks that could potentially prove catastrophic. By taking the steps outlined above, institutions can prepare, reap near-term rewards, and be ready for future uncertainties and challenges.