The Victorian Government Risk Management Framework (VGRMF) requires your organisation to demonstrate a positive risk culture.

By risk culture, we mean the attitudes, beliefs and behaviours specifically relating to risk.

Those attitudes, beliefs and behaviours shape how people make decisions in situations of uncertainty, how they satisfy their appetite for risk, and how they collaborate on shared risk.

In a positive risk culture, people use risk management frameworks and processes effectively to create and protect value.

They also approach uncertainty confidently with the skills to turn it to the organisation’s advantage. They communicate effectively about risk and look for opportunities to collaborate on managing it.

They also take long-term benefits into consideration and think about how the consequences of an event can cascade through a system.

The Risk Culture Guide [PDF, 1.34MB] talks about what a positive risk culture is, how you can spot the signs of a poor risk culture and how to build a positive one. It also includes a Risk Culture Health Check Tool.

In this topic, we’ll look at

  • Why’s risk culture so important?
  • The work of cultural change
  • How you can use some of our other materials to help you create an organisational culture that takes a positive attitude to risk.

Why’s risk culture so important?

A positive risk culture motivates people to use the organisation’s frameworks and processes.

It prompts them to actively reduce uncertainty by seeking out more information and communicating cooperatively with others.

It’s what makes it possible for people to respond intelligently and effectively to novel situations and—related to that—make decisions when the frameworks and processes don’t specify what to do. It makes an organisation resilient.

A positive risk culture is also a way to reduce uncertainty in the internal and external context. Knowing that you can rely on your colleagues, leaders and partners is what carries teams through situations of high uncertainty, whether that’s an emergency or the intense research and development that leads to something new.

And finally, our organisations exist to create and protect value for the people, places and systems in our care. The kind of culture your organisation has determines to some extent what you value, so a positive risk culture is crucial in this respect too.

The work of cultural change

Risk culture emerges from the day-to-day decisions and efforts of people across the organisation, from the leadership to those on the frontline. In that sense, creating a positive risk culture is everyone’s responsibility.

A positive risk culture, though, is something that must be worked towards in a conscious, systematic and goal-directed way. This involves a strategy and a plan, as outlined in the Risk Culture Guide [PDF, 1.34MB], but also leadership, governance, change management and a system for monitoring change.

This will involve several parties: in this case, the responsible body, the executive team and the business units tasked with the organisation’s culture, along with risk champions and decision-makers across the organisation.

It should also be a formal piece of work carried out in the workshops and meetings of the responsible body and executive committees that have been specifically designed for the task. It should also be part of the organisation’s planning and reporting cycle.

  • A risk practitioner could contribute in a number of ways, for example:

    • designing surveys and other health checks
    • mapping lines of influence across the organisation to identify opportunities to create change
    • advising on better practice in risk management and decision-making in situations of uncertainty 
    • identifying strengths and weaknesses based on their experience of working with members of the leadership team or management
    • making sure frameworks and processes are fit for purpose and easy to use
    • working with colleagues to design organisational governance and practices so that risk is at the heart of them all
    • identifying the key risk indicators of poor risk culture
    • working with colleagues in your People and Culture team to embed the implementation of the risk culture strategy into the wider organisational strategy.

If you’re the enterprise risk lead, we also encourage you to make the most of our online self-assessment tool Risk Maturity Benchmark (RMB) to set goals and monitor change.


  • The health care organisation transforming its risk culture

    A recent experience with a small health care organisation showed VMIA’s risk advisers how important risk culture was to the quality of its services.

    The organisation, which provides urgent care, primary and community care, aged care and in-patient acute services at two sites in Victoria, had four CEOs in six months and a divided board. Its management operated in silos and it had outsourced its People and Culture function. There was a culture of bullying and cover up.

    Many employees felt they couldn’t escalate risks that they came across in their day-to-day work without negative repercussions, which jeopardised patient safety and staff wellbeing. The organisation’s reputation in the community was also suffering.

    A new CEO introduced a two-year plan specifically designed to re-shape the organisation’s risk culture. As a result

    • a new organisational structure and board governance was established to promote better communication
    • position descriptions and committee terms of reference were revised to explicitly spell out accountability for risk management
    • employees co-designed the organisation’s values model
    • a consumer advisory committee was set up so that clients could contribute to decision-making
    • regular People Matters surveys were conducted so that staff could raise concerns and more forums for staff engagement and interaction gave staff a safe way to raise risks
    • the leadership communicated consistently about what a positive risk culture looked like

    The results of this change? Staff now believe that identifying risks and managing them is part of their everyday work and feel able to raise their concerns. Services also improved, showing the link between good risk management and organisational performance.

  • Taking a systematic approach to sustained change

    In our Risk Culture Guide [PDF, 1.34MB], we describe an essential first step of understanding your current risk culture.

    Sustainability Victoria assessed its risk culture in 2019 with exactly that purpose. The assessment helped them to challenge assumptions, test anecdotal reports and quantify dimensions of risk culture so they could continuously measure cultural change over time.

    In 2020, they surveyed their people again, reporting changes on all dimensions of risk culture and assessing motivational factors for staff.

    This is valuable information for the leadership, which has an opportunity to commit to definite courses of action, such as developing a statement of risk appetite or fine-tuning some of their decision-making processes. Other opportunities to adjust frameworks and processes are also proposed for their 2021 Risk Culture and Capability Action Plan.

    The experience at Sustainability Victoria is a great example of taking an evidence-based approach to change but also, importantly, integrating risk culture with risk frameworks and processes, so that risk management improves in a sustained and mutually reinforcing way.

Using our guides to help change the risk culture

We’ve tried to talk about risk in a different way with these guides and we encourage you to adopt the language and outlook in them.

Our guides can help you and others in the organisation to

Continuous improvement

As the example from Sustainability Victoria shows, to sustain change in the long term you need to approach it systematically.

Use the Risk Maturity Benchmark to decide your target and plan how your organisation will develop a more positive risk culture. Once you’ve implemented your plan, you can see where your organisation is at and look at how you can improve again.

Decide what your target is, create a plan, implement enhancements, and assess your current risk management maturity.