Risk Culture: From Compliance to Strategic Advantage
December 11, 2025
The New Imperative
In today’s regulatory environment, a good risk culture is no longer a “nice to have,” it is a strategic imperative. Recent years have demonstrated the substantial financial and reputational costs associated with a breakdown in risk culture, as regulatory enforcement actions cost billions of dollars globally in 2024.1 One pattern has emerged consistently: organisations that prioritise growth over controls, underfund compliance relative to risk or fail to create a “speak-up” culture, face increasingly severe consequences from regulators across jurisdictions.
For entities regulated by the Australian Prudential Regulation Authority, the urgency has always been present. Following years of governance and conduct failings, culture has become a cornerstone of prudential supervision under standards such as Prudential Standard CPS 220, Risk Management, and CPS 230, Operational Risk Management, which came into effect in July 2025. The Financial Accountability Regime (“FAR”) and governance reforms further raise the bar on transparency, accountability and behavioural integrity, reinforcing the idea that culture risk is a business risk with a direct commercial impact.
Risk Culture and the Impact on Business Performance
Risk culture influences business performance by shaping how decisions are made, how risks are escalated and how people respond under pressure. A strong risk culture requires an environment where people feel psychologically safe to speak up early, challenge assumptions, escalate concerns before they impact outcomes and admit mistakes without fear of judgment. Without this foundation, even robust frameworks cannot protect performance.
Our experts at FTI Consulting have supported clients through complex risk-culture challenges, focusing on uncovering the root causes of behaviours rather than just the visible symptoms of culture failures. Our experts have collaborated with numerous banks facing significant regulatory action and reputational damage due to systemic misconduct, including falsified customer documentation and governance failures. Under intense scrutiny from regulators, these firms have needed to rebuild their risk cultures from the ground up. Our teams have had significant exposure to redesigning risk and control architecture, facilitating critical engagement with regulators, embedding enforceable policies and implementing targeted controls in high-risk areas. This has restored regulatory confidence and shifted these organisations from reactive compliance to a culture of proactive risk ownership, transparency and ethical conduct, demonstrating that addressing cultural and behavioural foundations is essential to improving performance and trust.
Organisations need to ask themselves:
- Do leaders actively ask questions and challenge assumptions, or is risk only discussed when issues arise?
- Are leaders comfortable escalating concerns, even if it conflicts with short-term business goals?
- Do teams feel safe when raising alternative viewpoints to leadership decisions?
- Are challenging decisions recognised and rewarded, or subtly discouraged?
Culture sits at the intersection of behaviour and governance. A strong culture also ensures resilience and agility, surfacing weaknesses and systemic issues long before they crystallise into reputational or financial losses.
Signals of a Weakening Culture
Regulatory actions across jurisdictions have demonstrated how a weak culture translates into tangible consequences:
In Australia, APRA has applied capital add-ons to organisations for weaknesses in non-financial risk management, unclear accountabilities and cultures characterised as “too accepting of long-standing gaps.”2 The regulator continues to conduct risk culture surveys across the banking, insurance and superannuation sectors, identifying varying levels of maturity and providing feedback on areas requiring improvement. Enforceable undertakings have been used where concerns about non-financial risk practices and risk culture required formal remediation.
Globally, international regulators have intensified focus on governance and risk culture failures, where:
- Compliance programs remained static despite expanding business operations and risk profiles.
- Budget mandates prioritised growth and customer experience over control effectiveness.
- Transaction monitoring systems failed to adapt to new products, services and emerging risks.
- Employees lacked clarity on escalation processes or feared raising concerns.
- Senior management received repeated warnings from internal audit and regulators but delayed action.
The common themes across enforcement actions include inadequate funding for compliance relative to risk, insufficient oversight of non-financial risks and cultures that discouraged bad news from reaching senior leadership or boards. The financial consequences have been substantial, with penalties reaching billions of dollars in some cases.
These are not isolated events. They signal that culture remains a critical vulnerability in otherwise mature frameworks, and regulators are intensifying their focus accordingly.
Risk Culture
Why Risk Culture Can’t Be a “Set and Forget”
Risks and behaviours evolve constantly, so organisations must continually reinforce expectations to stop vulnerabilities from taking root. Reflecting this, APRA has embedded risk culture assessment into its supervisory approach, signalling a long-term commitment to cultural insight in prudential supervision. While attention may have shifted to new prudential standards, such as CPS 230, supervisory expectations regarding culture have only deepened.
While APRA’s mandates formally apply to financial institutions, the principle of strong risk culture extends across sectors. In energy, infrastructure and beyond, culture shapes how effectively organisations manage operational, safety and environmental risks.
Across sectors, risk culture shifts with leadership changes, market volatility, restructuring and other organisational pressures. When organisations assess risk culture only periodically rather than continuously monitoring it, those gradual shifts can go unnoticed - until they surface as governance failures. As organisations progress toward higher risk maturity, where risk management actively shapes decisions, performance management and behaviour rather than merely checking compliance boxes, the role of culture becomes even more strategic. Regulators and boards alike recognise that the challenge is not assessing culture once, but sustaining it continuously through reinforcement, measurement and open dialogue. Achieving integrated maturity requires a risk culture to be embedded across all organisational levels, supported by deliberate behavioural changes that enable people to consistently act in ways that identify and manage risk, rather than relying solely on formal frameworks or processes.
The real test of risk culture is identifying what behaviours are reinforced, not what’s documented. Regulatory findings consistently highlight organisations in which internal auditors and supervisors repeatedly flagged deficiencies, yet senior management decisions systematically prioritised other objectives over remediation of control deficiencies, and compliance functions were underfunded relative to the expansion of products, customer bases and risk profiles.
Thus, the questions boards and executives should be asking are:
- When mistakes happen, are they seen as opportunities for learning and improvement?
- How can lessons be shared in a way that encourages learning and speaking up, rather than creating shame that discourages future reporting?
- Are individuals rewarded for speaking up, escalating risks and reinforcing the right behaviours across the organisation?
APRA continues to reinforce governance and accountability through FAR, which has applied to banking organisations since March 2024 and was extended to insurance and superannuation in March 2025. APRA’s 2024-2025 Corporate Plan explicitly stated it would “retain a close watch on risk culture and risk management” and “increase the intensity of supervision to address inadequate risk management practices.”3
Globally, supervisors, including the European Central Bank, have published updated guidance on governance and risk culture, noting that while progress has been made, it has not been sufficient.4 The guidance emphasises that it is often in a bank’s culture that the first whispers of trouble can be discerned.
How Do I Know What a Healthy Risk Culture Looks Like?
Understanding what defines a healthy risk culture is the first step in shaping one that supports sound decision-making and organisational resilience. Such cultures typically exhibit several key hallmarks:
- Tone from the top, where leaders model the behaviours they expect.
- Constructive challenge, where staff feel safe to raise and debate issues.
- Shared understanding, where risk appetite is clearly defined and lived in daily decisions.
- Learning mindset, where failures become opportunities to adapt, not to assign blame.
- Aligned systems, where governance, incentives and reporting reinforce desired behaviours.
- Open communication and escalation, where people feel safe to speak up when risk issues arise.
- Clear responsibility and accountability, with well-understood risk roles across the three lines of defence and ownership of risk responsibilities.
- Risk capability, ensuring staff are trained, supported and equipped with skills and systems to identify and manage material risks.
- Oversight of risk culture with regular independent expert assessment, board engagement and monitoring.
Culture Lifecycle
What Can You Do To Embed a Resilient Risk Culture?
For regulated entities and any organisation managing material operational, conduct or financial crime risks, the time to act is now. Regulatory findings consistently demonstrate that risk management frameworks must evolve in tandem with business growth, the introduction of new products and the emergence of new risks.5 Programs that remain static despite documented gaps and expanding risk profiles inevitably attract supervisory intervention; instead, boards and executives should:
- Use APRA’s 10 Dimensions6 as a holistic framework to assess and strengthen your organisation’s risk culture, whether or not you are regulated by APRA.
- Embed cultural metrics into board dashboards, performance frameworks and audit plans.
- Align governance and accountability structures — financial institutions must align expectations to CPS 230 and FAR.
- Refresh previous assessments to reflect current operating realities.
Conclusion
In today’s highly regulated environment, culture is a powerful competitive differentiator. Organisations that understand and actively invest in their risk culture benefit from greater confidence in decision-making, earlier detection of systemic risks, stronger stakeholder trust and sustainable, risk-aligned performance.
The question for boards and executives is clear: what mechanisms are in place to ensure your organisation hears bad news before regulators do? For those ready to move beyond compliance toward strategic cultural maturity, the choice is simple — will you identify and address cultural issues internally, or wait for regulators and the media to reveal them?
To learn how to embed a resilient risk culture and turn it into a strategic advantage, contact Mark Gossington.
Footnotes:
1: https://fintech.global/2025/02/19/global-regulatory-fines-soar-to-record-breaking-19-3bn-in-2024/.
2: “APRA applies additional capital requirements to three major banks in response to self-assessments,” APRA (July 11, 2019).
3: “APRA Corporate Plan 2024-25,” APRA (Aug. 28, 2024).
4: “Exchanging perspectives for better bank governance”.
5: “CPS 230 Operational Risk Management | Prudential Handbook”.