When tick-box risk management meets real-world crisis...

On paper, many organisations seem to take risk management seriously. They have frameworks, registers, policies, dashboards, and carefully drafted statements about risk appetite and tolerance. Yet when a serious incident hits, such as a cyberattack, supply chain failure, or operational breakdown, it quickly becomes clear whether risk management is part of the culture or just a compliance exercise. The difference rarely lies in the documents' sophistication. It lies in what people believe, how leaders behave, and how risks are discussed honestly.

Risk culture is often treated as a separate topic. In reality, it is simply the organisation’s culture viewed through a risk lens. It is shaped by the same factors as everything else: who gets rewarded, what gets tolerated, how decisions are made, and which conversations feel safe.

In a healthy environment, people instinctively ask “what could go wrong?” and “what would we do if it did?” well before a crisis forces the issue. In an unhealthy one, risk is something you “deal with” in workshops, forms, and spreadsheets; then quietly ignore when it might slow down a target or challenge a comfortable assumption.

Moving from tick-box risk management to a genuinely risk-aware culture does not require starting again; changing how existing tools are used is often a good place to begin transforming the approach to risk.

In the end, the real test of risk management is not how impressive the framework looks, but how people behave under pressure. Do they raise their hand when something feels wrong, even if it slows down a delivery? Do leaders ask probing questions about risk before signing off big decisions? Are appetite limits treated as guidance to design better solutions, or as hurdles to work around?

A mature risk culture turns risk appetite from a paragraph on a page or a section in an annual report into a shared understanding that shapes choices every day. Organisations that make that leap are not immune to shocks, but they are far better placed to anticipate, withstand, and learn from them, without needing a crisis to prove the point.