
How can risk culture elevate ERM as we navigate the future of risk and compliance?

We operate in an increasingly changing world, where organisations must react and adapt to regulatory expectations as well as the pace of technological change. To be successful, organisations need effective enterprise risk management (ERM) that is not just about frameworks and processes, but about fostering a risk-intelligent culture. [1]

This means empowering individuals at all levels to understand, own, and proactively manage risk, transforming risk capabilities into a strategic asset. A risk-intelligent culture is fundamental for business success, integrating risk awareness and accountability into everyday decision-making. Ethical and desired risk cultures can also act as an organic mitigant for some potential risks relating to ethical considerations around artificial intelligence (AI) development and enhancements made at pace.

Chief Risk Officers (CROs) often juggle competing priorities. However, fostering a positive and risk-aware culture is no longer optional; it's a necessity for navigating the rapid pace of technological disruption and evolving risk profiles. This requires a human-centric approach, embracing agility and data fluency. The future of risk and compliance requires CROs to deliver more robust risk management and control, with more efficient and prompt delivery of insightful analysis and enhanced control.

While boards and executives have grappled with this since 2008, the increasingly complex and fast-moving risk landscape has elevated the focus on a risk-intelligent culture as the bedrock for successful, dynamic risk management.

Why is a risk-intelligent culture crucial now?

The current landscape presents unprecedented challenges:

  • Rapid technological disruption: As we navigate the future of risk and compliance, our end-to-end AI and advanced analytics-led transformation, coupled with a risk-intelligent culture, increases the efficiency and effectiveness of risk management and compliance, mitigating potential negative consequences. Specifically, it does so by building trust, having the right governance around AI capability, future-proofing the skillsets in a risk function and cultivating a culture of innovation and continuous learning in the face of rapid technological change.
  • Heightened volatility and uncertainty: From global pandemics to geopolitical instability, organisations need to be prepared for a wider range of potential disruptions. A proactive risk culture enhances preparedness and allows organisations to respond to unforeseen events with greater agility and resilience.
  • Increased regulatory scrutiny: Particularly in financial services, organisations face growing pressure from regulators including the Financial Conduct Authority (FCA) [2] and Prudential Regulation Authority (PRA) [3] in the UK, the European Central Bank (ECB) [4] in Europe and APRA in Australia to demonstrate a robust risk culture. The Institute of Internal Auditors (IIA) – a global organisation dedicated to advancing the internal audit profession – recently released a consultation draft on organisational behaviour [5]. This will be a ‘topical requirement’ and introduces mandatory expectations for internal auditors in assessing culture and behaviour. This marks another significant milestone in the evolution of best practice, and the regulatory scrutiny underscores the importance of a strong risk culture in maintaining compliance and navigating an increasingly complex regulatory landscape.

A risk-intelligent culture provides the foundation for navigating these challenges by fostering:
 

  • Proactive risk management: Moving beyond reactive responses to anticipate and mitigate potential risks before they escalate. This proactive approach is fundamental to building organisational resilience, as it allows for early detection and mitigation of potential threats.
  • Agility and resilience to future-proof risk functions: Enabling organisations to adapt quickly to changing circumstances and bounce back from setbacks. Leveraging technology and risk-intelligent teams to focus on higher-value activities such as partnering with the business.
  • Informed decision-making: Empowering employees at all levels to consider risk implications in their everyday decisions. When risk is factored into decision-making processes, organisations are better equipped to make decisions that minimise negative impacts and enhance resilience.

Practical steps to embed a risk-intelligent culture

Building a risk-intelligent culture requires a shift in mindset and approach. Here’s how to make it work:

  • Understand attitudes and behaviours: Conduct assessments to understand existing risk perceptions and behaviours within the organisation. Identify enablers and blockers to effective risk management. Risk culture assessments need to go beyond surveys to get to behaviours and root causes.
  • Build high-performing teams through accountability and attention to results: As part of AI transformation and more generally, empower risk owners and champions, clearly define roles and responsibilities for risk management, and build the strength of accountability to call each other out. Move away from a siloed approach and foster a sense of ownership at all levels.
  • Align risk intelligence with business strategy: Consider a capability assessment to determine how you balance the art of the possible (being technology-led) with the art of the practical (ethics, people and risk-led). Integrate risk considerations into strategic planning and decision-making processes, ensuring that risk management supports strategic objectives.
  • Create a safe space for risk discussion: Encourage open dialogue and constructive challenge around risk. Integrate risk discussions into regular meetings and communications.
  • Build a risk-intelligent workforce: Provide training and development opportunities that focus on risk awareness, technological adoption, critical and sceptical thinking, and decision-making in uncertain environments utilising techniques such as war gaming, red teaming, and pre-mortems.

Turning risk into a strategic advantage

By taking these steps, organisations can cultivate a risk-intelligent culture that transforms risk management from a compliance exercise into a strategic advantage, enabling organisations to:

  • Navigate disruption with confidence: Respond to challenges with agility and resilience, turning potential threats into opportunities.
  • Enhance decision-making: Make more informed and strategic decisions that consider both opportunities and risks.
  • Strengthen organisational resilience: Build a proactive and adaptable organisation better equipped to face future challenges.

We operate in an increasingly changing world, where we must react and adapt to regulatory expectation as well as the pace of technological change. Ultimately, a risk-intelligent culture empowers everyone to embrace risk awareness and accountability, creating a more resilient and successful future. It's about building a culture where managing risk is not just a responsibility, but a shared value that drives innovation and sustainable growth.

_____________________________________________

References

1. Deloitte’s proven definition for risk-intelligent culture is one where individuals understand the organisation's approach to risk management, take personal responsibility for managing risk, and encourage others to do the same. It's characterized by open communication, a shared understanding of risk, continuous improvement, and the integration of risk considerations into all activities.

2. Culture, Purpose and D&I | FCA

3. SoP – The use of PRA powers to address serious failings in the culture of firms | Prudential Regulation Authority Handbook & Rulebook

4. ECB – Draft Guide on Governance and Risk Culture https://www.bankingsupervision.europa.eu/framework/legal-framework/public-consultations/pdf/ssm.pubcon202407_draftguide.en.pdf

5. IIA Organisational Behaviour Topical Requirement https://www.theiia.org/en/content/communications/press-releases/2025/july/the-institute-of-internal-auditors-opens-organizational-behavior-topical-requirement-for-public-comment/