CHAPTER 4 Risk Culture
One of the things associated with enterprise risk management (ERM) is the creation of a risk‐conscious culture, or a ‘risk culture’ for short. A risk culture is that vaunted state of affairs where risk management becomes ‘a way of life’. If such a culture can be instilled, chances are that much of the rest will take care of itself. This happens because taking responsible action, and giving risk the proper consideration, becomes the default mode. A risk culture is therefore an important part of the solution to the general risk management problems facing an organization that we encountered in Chapter 3.
Risk culture defies easy definitions, however. It is perhaps easier to see what it does when it works well. A risk culture is one in which the evaluation of potential threats is a self‐evident and important part of the decision‐making process. Employees are encouraged to report information about vulnerabilities upward in the system for resolution, and horizontally for the sharing of best practices. In other words, information about risks that supports decision‐making should flow without impediments through the organization, and managers should be willing to act on this information. Risk culture, when it works along these lines, becomes a firm's first line of defence: risks find their way onto the corporate radar and receive the appropriate attention without any fuss. When a strong risk culture is present, this sequence is automatic and frictionless. The organization ...
Get Empowered Enterprise Risk Management now with the O’Reilly learning platform.