The challenge is no longer just oversight – but ensuring that culture actively supports and enables strategic objectives.
We were joined by a great panel comprising senior industry leaders in the National Concert Hall on the morning of 27 May who shared practical insights from their experience across regulation, board governance, risk management and internal audit.
Kian Caulwell, Partner & Head of Financial Services Consulting, Forvis Mazars, was the panel chair for the event with the lineup of speakers below:
- Dr Allan Kearns, Head of Operational Resilience, Third Party Risk and Technology Risk Supervision, Central Bank of Ireland
- Sarah Browne, Independent Non-Executive Director and former Global Head of Regulatory Risk and Enterprise Risk Management at Stripe
- Donna Ellanti, Head of Enterprise Risk, National Treasury Management Agency
- Peter Keenan-Gavaghan, Head of Internal Audit, Wells Fargo Bank International UC
The areas explored included:
- What is risk culture?
- How can boards assess and influence risk culture effectively as it continues to evolve?
- The role and importance of risk culture in supporting strategy and decision-making.
- Key expectations from the Central Bank of Ireland and evolving regulatory focus areas.
- Lessons learned and steps to take to help effect a positive risk culture.
- Practical approaches to embedding and sustaining the right culture.
Key takeaways:
- What is risk culture? Risk culture is the extent to which an organisation considers risk. To maintain an effective risk culture, it should be thought about more broadly: linked with corporate governance, influencing the day-to-day decisions of staff and management, and shaping their risk-taking behaviour. Strong leadership is key, with risk culture embedded in the organisation's decision-making.
- What helps to shape an effective risk culture?
  - The composition and behaviour of the leadership team.
  - Whether strategic decisions are risk-based.
  - Independent challenge is critical to risk culture, and constructive challenge is promoted internally.
  - The organisation is agile, with structures in place to capture lessons learned and to check whether a strategic direction requires realignment.
  - Prompt escalation (and notification where required) and actions taken to address risk and control issues.
  - Visibility and inclusion of the control functions in key decisions such as a product launch or the implementation of a new system and its controls.
  - Quality risk information is provided to the Risk Committee and Board to allow for better decision-making and a clearer understanding of the organisation's risk profile.
  - Transparency in the promotion process, with incentives that consider the balance of risk and reward in daily decisions.
  - Remuneration is aligned with the organisation's risk appetite.
- Regulatory/supervisory expectations. Risk culture is embedded in all aspects of an organisation. An effective risk culture supports the management of an organisation in ensuring that operations are carried out in a prudent, proper, forward-looking and consumer-centric way. The Board has a responsibility to establish the organisation's purpose, values and strategy and to ensure that these and its risk culture are aligned.
- Benefits and indicators that the risk culture is moving in the right direction. When a risk culture is embedded effectively it improves organisational resilience, because discussions about the business and strategy take risk into account. The business and control functions are encouraged to raise risks, issues, loss events and near misses, as the goal is to remediate issues as soon as possible while considering the consumer impact. Earlier escalation allows for a more stable and deliberate risk management approach, which in turn gives confidence to stakeholders such as the Board, regulatory bodies and employees that the organisation promotes good risk management. In addition, getting the organisation's risk culture right is an indicator to consumers that they can trust its decision-making and operating processes.
Another indicator is the engagement level of the Risk Committee: are its members asking the right questions and seeking assurance on how the organisation's risk management framework is operating and whether there are areas for improvement? Organisations that include risk from the outset of a new project, product launch or regulatory remediation have a clear understanding of the risk requirements and expectations before undertaking a scope of work.
- Steps to take to effect a positive risk culture. Risk culture is critical to an organisation, and for it to support the overall strategy it should not be a standalone second-line-of-defence responsibility; instead it should be part of what we do and how we do it as a business.
Training is crucial to ensure that first-line business activities feel supported and that risk is seen as a collaborator rather than something that stifles innovation. Face-to-face sessions, eLearning, risk presenting at town halls and risk awareness weeks are all examples of how an organisation can train all parts of the business on the key risks and how these can be identified, monitored and managed. Senior management should visibly promote risk culture and set the tone from the top, leading with positive behaviours and transparency.
A positive risk culture is evident in each employee's mindset and way of working, operating in tandem with robust processes. It can be seen in the approach to incident and error reporting and in how operational risk events are remediated. It is important to be cognisant of the needs of the organisation and its employees so that the risk culture can be managed and implemented positively and with a balanced approach.
- The impact of artificial intelligence on risk culture. The key consideration is how AI is adopted safely within organisations, and how best to adopt an AI governance framework devised in conjunction with the appropriate key stakeholders. The business is ultimately responsible for the implementation of AI; however, the risk team can empower the business units to achieve what they need while remaining within the parameters of the Risk Management Framework and risk appetite.
- Assessing risk culture. Risk culture is measurable, not by a single metric or by one team, but through a number of factors, such as leading indicators (self-identified issues and their escalation, effective incident reporting) and lagging indicators (such as conduct/compliance events, staff attrition or staff issues). When assessing the culture, it is important to consider the risk profile of the organisation and whether the correct governance and structures are in place to support it.
The Institute of Internal Auditors released Topical Requirements on Organisational Behaviour in December 2025 (which come into effect in December 2026). The Topical Requirement provides a consistent, comprehensive approach to assessing the design and implementation of governance, risk management and control processes related to organisational behaviour. The requirements provide internal auditors with a minimum baseline for assessing behaviour in an organisation.
The three areas of focus below are a common point of discussion in supervisory interactions and interventions. Learning from these can help organisations embed a more positive risk culture:
- Decision-making – Senior management and Board directors can stand over their decisions with confidence when they understand the reliability and completeness of the underpinning information. Organisations are providing clear and comprehensive management information which allows for informed decision-making by all members of the Committee, not just the subject matter experts. This also allows for effective oversight of and challenge to management.
- Error management – Organisations must cultivate a culture of learning and provide tools (such as root cause analysis and self-reflection) which allow for the identification of issues and their prompt remediation.
- Aligning future-focused goals with behaviours – Organisations risk being unable to deliver their strategy effectively or to complete sustainable transformation without embedding organisational values in structures, processes and systems and developing a shared understanding of what an effective risk culture actually means.
If you are interested in discussing the topic further or any of our financial consulting service offering, please feel free to reach out to our team below.