Since the last financial market crisis, risk culture has repeatedly become the focus of regulation. A current example is the 7th MaRisk amendment, whose statements call on institutions to further develop their risk culture and make it controllable. This article takes up this discussion and highlights the critical points that are relevant to the successful and sustainable management of risk culture. It addresses the basic attitude towards risk culture management, its practical implementation and its consolidation.
Basic approach to risk culture management
Banks are subject to a dense network of regulations. The monetary and time expenditure required to meet all these requirements is correspondingly high. The discussion on risk culture adds another facet to this high burden in the perception of many decision-makers. As a result, practitioners are often reserved in this regard and see the management of risk culture as hardly adding any value. However, a closer look at the concept of risk culture shows that this view falls short of the mark. Risk culture represents the part of an organizational culture that comprises the unwritten, internalized rules of the game with regard to dealing with risks [see Bockius/Gatzert 2023, p. 2; Roeschmann 2014, p. 285]. It therefore underlies all decisions and actions of organizational members in risky situations [see Gatzert/Schmit 2016, p. 38; Basel Committee on Banking Supervision 2015, p. 2]. Organizational members are often unaware that they are influenced by such norms [cf. Sheedy/Griffin 2018, p. 6]. Risk culture is therefore not another element of risk management, but rather the context in which risk management is embedded. Against this background, it is clear that there should be a basic consensus that effective risk management can only succeed if the risk culture in which it is embedded is understood.
An important part of this basic consensus is the acceptance of the fact that different areas of the company can have different risk cultures [see Sheedy/Griffin 2018, p. 20; Ring et al. 2016, p. 367]. However, this is not a hindrance with regard to managing the risk culture, but only illustrates how important it is to create transparency here. It can help to understand and resolve underlying conflicts between areas, as in many cases these can also result from unconscious but actionable views on how to deal with risks.
Implementation of risk culture management
When it comes to implementation, the challenge is that risk culture is a “soft” topic that at first glance defies measurement. It is therefore at odds with the quantitative risk management that prevails in banks. It is also true that issues that are not quantified are difficult to manage. In the course of the discussion on risk culture, however, a number of validated scales have now been developed that can be used for measurement. The advantage of these scientifically based scales is that they have undergone an extensive validation process, which ensures that they measure what they are supposed to measure. What is meant by this becomes clear when you present questions developed in a brainstorming session to several test subjects and then realize that everyone understands something different about what is being asked and that this results in non-comparable answers. The validation process mentioned above therefore ensures that the questions are asked in such a way that they are understood by as many respondents as possible in the intended sense and that they actually grasp the underlying aspects.
With this in mind, Sheedy et al. (2017) provide a measurement scale that uses 16 questions to capture employees’ perceptions of the prevailing risk culture. Fernández Muñiz et al. (2020) have developed an 18-question instrument that briefly examines compliance with the FSB guidelines [FSB, 2014]. Dürst & Kunz (2025a) provide a scale that also refers to these guidelines, but is much more detailed and provides a total of 78 questions. In contrast to the short scale by Fernández Muñiz et al. (2020), this enables a comprehensive evaluation as well as a focus on specific sub-areas of the FSB guideline.
However, a validated measurement tool alone does not ensure that the management of risk culture does not degenerate into a purely compulsory exercise. Reports on the successful implementation of a risk culture management process suggest that an important element is the establishment of an interdisciplinary and cross-hierarchical project team that enjoys backing at board level and feeds back every step of the transformation process into the organization and obtains feedback on it [see Dürst & Kunz, 2025b]. This team is initially responsible for finding a suitable perspective on the risk culture for the organization and defining it [cf. Dürst & Kunz, 2025b]. This seemingly trivial step proves to be quite challenging in practice, as everyone understands risk culture differently. The understanding generated in this way lays the foundation for all further steps. Subsequently, all measures that are already being implemented with regard to managing the risk culture in the organization should be recorded [see Dürst & Kunz, 2025b]. It is not unlikely that the project team will discover that a number of such measures have already been implemented, but that no one has yet considered that they have anything to do with the risk culture. In some cases, it is also found that measures that pursue the same goal are carried out independently of each other and in an uncoordinated manner. Such consolidation is therefore also in the interests of corporate efficiency and helps to streamline processes and align them more clearly. In a subsequent step, the aforementioned measurement tool should be used to determine where the company stands in terms of risk culture. This allows the identification of further necessary measures and shows which measures exist but are not perceived by the workforce and therefore have no effect. One example of this is the handling of compliance violations. In companies, these cases are often handled inconspicuously. This saves face for the people involved and should therefore be seen as positive. However, it also means that parts of the workforce assume that such cases are not punished at all because these processes remain hidden from them. This in turn could encourage dysfunctional behavior.
Consolidation of risk culture management
In order to stabilize the risk culture management process, a rhythm for surveying the current status of the risk culture should be found that is appropriate to the available resources. As a guideline, this can be done every 2 to 3 years, as the risk culture cannot be changed very quickly and measures must first take effect.
It is also advisable to review the existing KPI landscape with regard to risk culture aspects. Many institutions already have KPIs and reporting routines that often reflect elements of the risk culture. A systematic analysis of the existing KPI landscape can show where additions are still necessary. The combination of KPI tracking and periodic culture surveys creates a dual monitoring approach. This combines data-based culture indicators collected at short intervals with the subjective perceptions of employees. This enables a continuous, more comprehensive and more robust understanding of the risk culture to be obtained.
Conclusion
Both current developments in regulation and the positive effects of an adequate risk culture on long-term business success show that the management of risk culture should become an integral part of bank management [see Bianchi et al., 2021, p. 1 and p. 12; Fritz-Morgenthal et al., 2015, pp. 71-73]. To ensure that this does not degenerate into a mere compulsory exercise, a structured process for recording and long-term monitoring of the risk culture should be set up, which involves the entire organization and uncovers, develops and supplements existing measures that have not yet been associated with the risk culture but influence it. To this end, it is advisable to put together an interdisciplinary, cross-hierarchical project team, use validated measuring instruments to record the risk culture and implement a regular monitoring process. First, however, the organization must be clear about what it understands by an adequate risk culture and that this is essential for effective and sustainable risk management.
References
Basel Committee on Banking Supervision (ed.) [2015]: Guidelines – Corporate governance principles for banks, Basel 2015.
Bianchi, N./Carretta, A./Farina, V./Fiordelisi, F. [2021]: Does espoused risk culture pay? Evidence from European banks, in: Journal of Banking & Finance 122/2021, Art. 105767.
Bockius, H./Gatzert, N. [2023]: Organizational risk culture: A literature review on dimensions, assessment, value relevance, and improvement levers, in: European Management Journal, 2023.
Dürst, N./Kunz, J. [2025a]: The Risk Culture Scale: A Measurement Tool to Comprehensively Assess Banks’ Risk Culture, in: Abacus, Online First 2025.
Dürst, N./Kunz, J. [2025b]: Embedding risk culture in a financial institution: An action research perspective, in: Review of Managerial Science, Online First 2025.
Fernández Muñiz, B./Montes Peón, J. M./Vázquez Ordás, C. J. [2020]: Misconduct and risk climate in banking: Development of a multidimensional measurement scale, in: Global Policy 11/2020, pp. 73-83.
Financial Stability Board (FSB) [2014]: Guidance on supervisory interaction with financial institutions on risk culture. A Framework for Assessing Risk Culture.
Fritz-Morgenthal, S. G./Hellmuth, J./Packham, N. [2015]: Does risk culture matter? The relationship between risk culture indicators and stress test results, in: Journal of Risk Management in Financial Institutions 9(1)/2015-2016, pp. 71-84.
Gatzert, N./Schmit, J. [2016]: Supporting strategic success through enterprise-wide reputation risk management, in: The Journal of Risk Finance 17(1)/2016, pp. 26-45.
Ring, P. J./Bryce, C./McKinney, R./Webb, R. [2016]: Taking notice of risk culture – the regulator’s approach, in: Journal of Risk Research 19(3)/2016, pp. 364-387.
Roeschmann, A. Z. [2014]: Risk Culture: What It Is and How It Affects an Insurer’s Risk Management, in: Risk Management and Insurance Review 17(2)/2014, pp. 277-296.
Sheedy, E. A./Griffin, B./Barbour, J. P. [2017]: A framework and measure for examining risk climate in financial institutions, in: Journal of Business and Psychology 32(1)/2017, pp. 101-116.
Sheedy, E./Griffin, B. [2018]: Risk governance, structures, culture, and behavior: A view from the inside, in: Corporate Governance: An International Review 26(1)/2018, pp. 4-22.