Genuine risk culture is a culture of trust, learning and responsibility

Learning from high reliability organisations

Risk culture: Learning from high reliability organisations Comment

Even the best system for risk and opportunity management will be ineffective if it is not genuinely put into practice by all employees in the company on a daily basis. To prevent management of opportunities and risks becoming nothing more than a façade, risk and opportunity management must be viewed as a process that creates value and must be integrated into strategic and operational business management. This is the only way to make risk and opportunity management into a strategic and value creating instrument.

Risk management that is genuinely practised is frequently referred to as risk culture. But this apparently simple term conceals a complex system that is actually what breathes life into risk management. The risk culture covers the entirety of all standards, attitudes and behaviours relating to risk awareness, willingness to take risks and risk management. The general section (AT 3) of the minimum requirements for risk management (MaRisk) for banks describe risk culture as follows: "The risk culture is a general description of the way in which the institution’s employees (should) deal with risks as part of their work. The risk culture should promote identification and conscious management of risks and ensure that decision-making processes lead to results that are balanced from a risk perspective. The key characteristic of an appropriate risk culture is a clear commitment to risk-appropriate behaviour by senior management, strict adherence by all employees to the risk appetite standards communicated by senior management, and enabling and promotion of transparent and open dialogue within the institution on issues relating to risk."

Particularly in colourful annual reports and codes of conduct, corporate culture is constantly being wheeled out and held up as a kind of Holy Grail. We can regularly read all about transformation, and a "globally practised" and "interdisciplinary" corporate culture. Of course, it is always characterised by mutual respect and openness. The fact that in many cases these terms are nothing more than filler words is proved when commercial risks occur or scandals come to light (as a consequence of compliance violations, with examples including the current fraud scandal involving Wirecard, the various compliance scandals at major banks and the fraudulent misappropriation of Corona reduced hours compensation). The whole thing then frequently turns out to be a façade. Glossy brochures promise a lot in an effort to conceal the actual, disastrous situation. Deep inside there is nothing of substance.

Learning from high reliability organisations

To understand how risk culture can be implemented in practice, it is useful to look at high reliability organisations (HROs – including power stations, oil rigs and aviation). For example, aviation provides us with plenty of reference points for realigning our own risk management and implementing effective ways to achieve a culture of collective care. High redundancy navigation and early warning systems, along with anticipatory and effective risk management systems, have led to a highly developed risk culture and an excellent level of safety in aviation. Simulations play a major role these days. Standard procedures are used to regularly practice for potential emergencies and system failures and, most important of all, the experiences are analysed and discussed.
Being aware of your own weaknesses in intuitively dealing with risks is the first step to improving risk management capabilities. For example, games (business games, business war games) can deliver considerable added value.

Particularly in the context of risk culture, we see confirmation of the old adage that leadership is everything and, without leadership, everything else counts for nothing. It is important not to equate risk culture with risk avoidance. The key characteristics of a genuine and appropriate risk culture are, on the one hand, that all decisions are consistent with the risk appetite defined in the strategy (risk acceptance) and, on the other hand, an open dialogue on issues relevant to risk [see Romeike/Hager 2020].

The tone from the top and the tone from the middle are what determine the value system. It is important to set a consistent and credible example on risk management. This then leads to an echo from the bottom. Conversely, a failure to practice a genuine governance culture (with an insensitive approach to the issue of compliance perhaps) at senior management level results in a lack of a genuine risk culture throughout the organisation.

Genuine risk culture is a culture of trust, learning and responsibility

In this context, it is vital to communicate, document and monitor a clear assignment of responsibilities (accountability). If variations from expected results/events occur, the causes need to be investigated in detail. The most honest way to do this is in an environment that looks for better procedures, organisations and methods rather than someone to blame. Responsibility also means mutual support and a desire to learn from each other.

This includes clear and transparent responsibility for risk (ownership of risk). The governance system and an internal monitoring system are closely interrelated here.

A key element of an effective risk management system is communication, i.e. a constructive dialogue on risk issues, all the way through the organisation. Above all, this includes dealing openly with criticism and a genuine error culture. High reliability organisations use every failure, every variation, every negative and positive surprise as an early warning indicator for the entire system. For example, on aircraft carriers there are daily "Foreign Object Damage (FOD) Walkdowns". The entire crew searches the deck for any tiny particles that do not belong there (a single screw on the flight deck can destroy a jet engine. You can easily imagine what that would mean with a catapult take-off). 

The aim is to analyse potential causes so that preventive measures can be implemented to prevent a risk occurring. While high reliability organisations are notable for their rigorous investigation of errors, in many other organisations the emphasis tends to be on covering them up. It is not uncommon in many industries for critical risk managers to be muzzled, regarded as troublemakers or hypochondriacs, or even eliminated completely. In practice, this would be a clear indicator that there is not a genuine risk culture.

The key success factors for a genuine risk culture are:

  • Careful selection of personnel: The focus should be on criteria that evaluate personality, such as empathy, dependability or responsibility, teamwork skills or leadership behaviour or capabilities; 
  • Leadership philosophy: Good leadership creates a feeling of security and belonging, is inspiring and thus creates trust and cooperation;
  • A clearly worded code of values;
  • Open and transparent communication;
  • People must be able to express themselves on any potential dangers to the company that are identified without this being detrimental to them, and managers must want to know about these dangers;
  • A non-punitive and positive error culture: A genuine risk culture is a culture of trust, learning and responsibility. It is not about sanctions, it is about learning from mistakes so they can be avoided in the future, and making people, the organisation, processes and methods more resilient to the occurrence of risks. It is about looking for solutions to prevent future risks occurring, not looking for people to blame;
  • this means regular briefings & lessons learned.

Aviation is risk management

In aviation, flight safety, standardisation and air traffic control are the pillars of risk management. Air traffic control is the nervous system of aviation. All flights are planned in detail and, after approval from air traffic control, are commenced and monitored.

Standardised procedures make flights predictable and traceable. They provide important orientation for pilots and air traffic control. Flight safety involves ensuring that technology, people, organisations and procedures are in optimum shape. Any irregularities, from minor incidents to an air accident, are recorded and evaluated, and findings are fed back into the entire organisation. This is linked to an almost insatiable curiosity to learn more and obtain new findings about the entire state of the system, in order to continuously increase the overall safety level. Along with experience, variables that contribute to good situational awareness include well-developed cognitive ability, and high perception speed and accuracy. One of the key features of modern aviation, alongside excellent and, at the same time, highly reliable technology, is a genuine error and risk culture that is practised by all parties involved.

Lack of risk culture leads to risk blindness

The future is not a mirror of the past. Therefore, when analysing new risk scenarios you should not depend only on looking in the rear view mirror. However, risk researchers have been aware from a long time that people systematically underestimate the painful consequences of extreme effects. The reasons for this are plain and simple. We think in coherent stories, link facts to form a plausible picture and look to the past as a model for the future. We thus create a world in which we feel comfortable. But reality is different. It is chaotic, complex, surprising and frequently unpredictable. As a result, the past is not really a good guide and, without proper reflection, can easily lead to us taking a simplistic view of the present and the future. What we have to do is work on the capabilities of the organisation and its people with understanding and caution, so that we can make constructive use of the past and present, rather than just extrapolating them into the future. We have to learn to think systematically and, where possible, based on sound science about alternative futures and constructively address worst case scenarios.

The French mathematician Benoît B. Mandelbrot, who died in 2010, constantly criticised financial institutions’ unprofessional approach to risks and uncertainty. Based on his analyses, most risk management systems are blind to extreme events. Mandelbrot pointed out that risks are incorrectly measured and painful worst case scenarios tend to be masked. “For centuries, shipbuilders have been designing their hulls and sails with great caution. They know that most of the time sea conditions are benign. But they also know that typhoons and hurricanes can blow up. They do not design for the 95 percent of days at sea when the weather is kind, but for the other five percent, when storms are raging and their skills are really put to the test. The world's financiers and investors are currently like seafarers who do not pay attention to weather warnings.” [see Romeike 2015].

The COVID-19 pandemic caused by the Coronavirus SARS-CoV-2 is providing us with an impressive but painful example of risk blindness and a lack of risk expertise among governments and among many business leaders too. A pandemic is an event that will certainly occur sometime (and the scenario was described back in 2012 in a scenario analysis based on experiences after SARS 1). The only unknowns were the exact time and how governments would respond – but not the actual event itself. Risk management should anticipate precisely this kind of stress scenario and define measures so that companies (and also countries) do not founder in the stormy seas. Many actors plainly and simply ignored the weather warnings and neglected to build any lifeboats. And lifeboats cannot be built once the storm has already come.

Infection risks and pandemics have been giving academics and far-sighted and reputable practising risk managers sleepless nights for many years (as have the scenarios of a black out, social disruption and a global financial collapse). For years, the statistician, risk researcher and professor of international health, Hans Rosling, has been highlighting five major global risks that should concern us [see Rosling et al 2018]. In his book “Factfulness”, he cites the number 1 risk as being the risk of a global pandemic. Unfortunately, it is often the case that the apparent unpredictability of events serves as an excuse for a lack of risk management. 

Effective risk management concentrates on surprises in the future, i.e. dealing with what cannot be anticipated. At its heart, it attempts to “learn from the future”. And this is where a genuine risk culture plays a very prominent role. A resilient organisation is resistant to, or at least robustly set up to cope with, a range of unexpected scenarios. Banks and insurance companies regularly simulate stress scenarios, but these are focused on predefined and known risks. And this takes us back to a driver who steers his car just by looking in the rear view mirror. The results are self-evident.


  • Erben, R./Romeike, F. [2016]: Allein auf stürmischer See – Risikomanagement für Einsteiger [Alone on the Stormy Seas – Risk Management for Beginners], 3rd edition, Wiley-VCH, Weinheim 2016.
  • Gleißner, W./Romeike, F. [2020]: Entscheidungsorientiertes Risikomanagement nach DIIR RS Nr. 2 [Decision-Based Risk Management under DIIR RS No. 2], in: Der Aufsichtsrat, Issue 04/2020, page 55-57.
  • Kahneman, D. [2011]: Thinking, Fast and Slow, Penguin Books, New York 2011.
  • Romeike, F. (2015): Beautiful, Colourful Risk: Benoît B. Mandelbrot - Remembering the Father of Fractals, in: Union Investment Institutional [ed.]: The Measurement of Risk, Frankfurt am Main 2015, p. 197-207.
  • Romeike, F./Hager, F. [2020]: Erfolgsfaktor Risikomanagement 4.0: Methoden, Beispiele, Checklisten – Praxishandbuch für Industrie und Handel [Risk Management 4.0 as a Success Factor – Methods, Examples, Checklists: Practical Handbook for Industry and Commerce], 4th completely revised edition, Springer Verlag, Wiesbaden 2020.
  • Rosling, H./Rosling Rönnlund, A./Rosling, O. [2018]: Factfulness, Flatiron Books, New York 2018.

Frank Romeike
, Managing Director, RiskNET GmbH and Member of the Board of the Institute for Governance, Management, Risk & Compliance (GMRC)

Rüdiger Koppe, former Flight Safety Officer and Head of Integrated Training Systems at Airbus Defence and Space - Military Aircraft 

[ Source of cover photo: Adobe / aapsky ]
Risk Academy

The seminars of the RiskAcademy® focus on methods and instruments for evolutionary and revolutionary ways in risk management.

More Information

The newsletter RiskNEWS informs about developments in risk management, current book publications as well as events.

Register now
Solution provider

Are you looking for a software solution or a service provider in the field of risk management, GRC, ICS or ISMS?

Find a solution provider
Ihre Daten werden selbstverständlich vertraulich behandelt und nicht an Dritte weitergegeben. Weitere Informationen finden Sie in unseren Datenschutzbestimmungen.