Modern organizations—particularly those with global operations—face a staggering variety of risks. Geopolitical tensions can spark armed conflicts or trade sanctions that swiftly upend the best-laid business plans. An increasingly complex web of anti-corruption regulations and data privacy laws, combined with new levels of scrutiny from the Twittersphere, makes regulatory investigations likelier than ever. And cyber attacks are growing in both number and sophistication, raising the odds that organizations will have to confront a substantial data breach.
These risks have such fundamentally different characteristics that it is no wonder companies struggle to respond across the full risk spectrum. Unable to address everything, most businesses prioritize specific types of risks – and favor certain responses. These preferences reflect the organization’s risk culture. Of course, the best risk management approaches develop organizational muscles that can be flexed in different ways rather than applying a one-size-fits-all approach. Still, most company responses are driven by ingrained cultural assumptions about risk.
Companies that have strong internal control systems and a cautious, compliance-based approach to risk often struggle to react quickly to market developments and to be competitive and nimble; their response to the external environment is slow and highly controlled. Meanwhile, companies that focus on strategic and commercial responsiveness often harbor cultures that resist rigid compliance processes; the ability to be fluid in responding to changes in the external environment does not easily flourish in a strong compliance framework. Companies that deal with a complex web of regulations and government interactions are often inclined to leave risk management to the legal department. Companies that face particularly challenging external risk environments may assign risk to the security team. Companies with aggressive investment plans highlight the opportunity dimension of risk. Companies that focus on reputation and customer perception are more inclined to incorporate ethics and governance terminology in their risk management approach.
Numerous research studies have determined that rules and processes do not exist in a vacuum and that organizational culture is a critical explanatory factor of employee behavior [1]. This has led to fashionable talk of ‘a culture of compliance’. The norms and assumptions that determine responses to ethical guidelines are more important than procedures that cover every eventuality. If employees do not believe that risk management is an essential component of organizational success, processes will not solve the problem. Indeed, processes that exist but are widely ignored cause more damage than no processes at all because they can generate a false sense of security among senior leaders. The danger is that risk assessments focus too exclusively on process and structure, ignoring more subtle drivers of employee behavior.
Understanding a company’s risk culture greatly improves comprehension of its risk management strengths and weaknesses. Risk culture can be viewed as a subset of wider organizational culture – commonly summarized as “the way we do things around here”. The importance of culture is often underplayed, as it appears to be a function of human irrationality and is difficult to measure and describe. But ignoring culture is a mistake. When mergers and acquisitions run into trouble, this is often the product of nebulous ‘cultural factors’ – the difficulties that members of different organizations encounter working together – rather than poor planning, pricing or market strategy. Cultural factors also explain why 70 per cent of organizational change efforts fail.
According to Edgar Schein, a pioneer in the organizational culture field, culture is the most difficult aspect of organizational life to alter. It can outlast leadership transitions, changes in products and services, geographic footprint and other physical, measurable attributes of a company [2]. Schein describes three levels of culture. The first level, an organization’s artifacts and rituals, is easily observable. It includes facilities, offices, furnishings, the way employees dress and behave and the myths and stories the organization tells about itself and its history. A company that names conference rooms after major global cities is saying something about its culture and aspirations, as is a company whose line managers sit in cubicles, along with their teams.
The second level, espoused beliefs and values, reflects an organization’s statements about what it stands for – its primary goals and modus operandi. This includes statements such as ‘we put our customers first’ and ‘we value diversity in our employees’. The values of a company will include perceptions an employee has about its reliability and trustworthiness and will also determine its approach to risk. An organization focused on aggressive expansion into new markets is going to have a different risk culture than a domestic operation in a highly regulated industry.
The second level of culture can conflict with the third level – an organization’s underlying assumptions. This level describes traits that are rarely, if ever, discussed; they are taken for granted. Employees become acclimatized to these ‘unspoken rules’ over time and may not even be conscious that they exist. Nonetheless, they are critical to understanding organizational culture. For example, employees may avow belief in open communication around risk and integrity issues while communicating a strong, unstated belief that concerns should not be shared with the boss. A heavy focus on internal processes and checks and balances can be undermined by implicit signals that it’s OK to game the system. A CEO may speak regularly about transparency and inclusiveness but make opaque, highly political promotion decisions. The existence of this third layer explains why so many organizations engage in apparently contradictory behavior.
By gaining a deeper understanding of organizational culture, it is possible to enhance risk management efforts. As a consultant, I have used employee surveys, confidential interviews and focus groups to understand a company’s risk culture. It is particularly useful to highlight gaps between employees’ experience of risk and an organization’s standard responses. Any risk management change effort that does not take into account organizational culture across divisions, locations and levels of seniority will never be ‘owned’ by the organization. It cannot take root or succeed.
The business world is awash in different tools and techniques for risk management, many of which are quite sophisticated. Yet any risk framework that fails to account for the importance of organizational culture will be of limited use. It is no accident that state-of-the-art enterprise risk assessments so often end up on a shelf, ignored.