
Risk Culture in the Investment Sector

Date: July 28, 2025

Risk culture refers to the norms, attitudes, and behaviours regarding risk within an organisation. It plays a significant role in how risks are identified, discussed, evaluated, and managed. Risk culture encompasses formal control measures, but also the unwritten norms, values, and behaviours that influence employee conduct. A healthy risk culture contributes to better decision-making, ethical behaviour, and organisational sustainability. Especially in the financial sector—where trust is key—risk culture is crucial.

Many investment firms are relatively small and may believe that "risk culture" only applies to large banks or insurers. However, it is equally essential for smaller firms. In smaller organisations, informal structures often dominate, making it easier to overlook risks. There's also a higher chance of groupthink and less access to independent checks. Misconduct or errors are less likely to be noticed, while a single incident can result in severe reputational damage or even fines.

A healthy risk culture helps smaller firms to:

  • Make ethical decisions,
  • Protect their reputation and licence,
  • Detect conflicts of interest or compliance risks early,
  • And ensure the client’s interest is embedded in all aspects of their work.

What Goes Wrong Elsewhere and What Can We Learn from It?

Almost daily, the media highlight examples where a poor culture has led to problems, in cases like De Giro, De Volksbank, ING, or ABN Amro. But even outside the financial sector, issues abound: Ajax, The Voice of Holland, DWDD, and TU Delft, to name a few.

Underlying causes often include:

  • Inadequate checks and balances,
  • A weak speak-up culture,
  • Governance issues,
  • Fear of raising concerns,
  • Target-driven cultures,
  • A tendency to look the other way,
  • Or fear of hierarchy.

Even when misconduct is not immediately visible as a cultural issue, breaches of formal rules often trigger supervisory authorities to examine the informal side of the organisation—its behaviour and culture.

The common thread: Risks were not sufficiently discussed, signals were ignored, or employees didn’t feel safe to speak up.

The lesson: A culture that fosters openness, dissent, and reflection is essential.

What Do Supervisors Say About Risk Culture?

The AFM, DNB, and ECB have long emphasised that behaviour and culture ("soft factors") are just as important in risk management as "hard factors" like rules and procedures.

They state that a healthy risk culture promotes sound decision-making, careful client service, and the prevention of incidents.

  • AFM regards risk culture as part of sound business conduct and a foundation for serving the client's best interest.
  • DNB has included behaviour and culture in its supervisory methodology since 2011, focusing on leadership, decision-making, and group dynamics.
  • ECB published a new Draft Guide on Governance and Risk Culture in 2024, integrating behaviour, culture, leadership, and controls into supervisory expectations.

All three (AFM, DNB, and ECB) explicitly address risk culture in their guidance documents and supervision calendars. Below is an overview of relevant publications.

| Publication | Key Message |
|---|---|
| AFM Behavioural Supervision 2015 | Supervising the "why" behind human behaviour leads to more effective oversight. |
| AFM Building a Healthy Organisational Culture 2016 | A strong culture helps identify and discuss risks earlier. |
| AFM Balanced Decision-Making: Dealing with Blind Spots 2017 | Understanding group dynamics and decision-making helps prevent tunnel vision. |
| AFM Open Mistake Culture 2016 | Learning from mistakes requires an open culture where errors can be discussed. |
| AFM Agenda 2024 | Ongoing focus on governance, behaviour, and culture—key factors in recognising and managing risks. |
| AFM Supervision of Investment Firms 2023–2024 | We assess operational integrity, sound risk management, conflicts of interest, and compliance—even in smaller firms. |
| ECB Draft Guidance on Governance and Risk Culture | Replaces the SSM expectations from 2016. Sets detailed requirements for governance and risk culture, with a focus on behavioural aspects, management roles, and internal control functions. |
| DNB Supervision on Governance, Behaviour, and Culture 2023 | Highlights the importance of behaviour and culture in financial supervision. |
| DNB Supervision Methodology and Culture 2015 | Explains how DNB investigates behaviour and culture in financial institutions, focusing on leadership, decision-making, and communication. |
| Supervision in Focus 2024–2025 | Annual priorities, including attention to behaviour and culture. |
| Behaviour and Culture in the Financial Sector 2025 | Dedicated DNB web page stressing that behaviour and culture impact financial institutions' performance. Management must be aware of their influence. |
| ECB Guide to Fit and Proper Assessments 2021 | Guidelines for board member assessments, including integrity, knowledge, and experience. |

These lessons are not only relevant for large institutions. Smaller investment firms also benefit from recognising and discussing risks and decision-making more effectively.

Examples:

  • Creating space to discuss mistakes or doubts,
  • Remaining alert to conflicts of interest,
  • Building a culture focused not only on “what must be done” but also “what is right”.

DSi on Risk Culture and the Compliance Function

As a standard-setting body for the investment sector, DSi stresses that compliance is not just about following rules but about cultivating an ethical culture. In various lectures and newsletters, risk culture has been highlighted as an area where compliance officers must play an active role:

  • Promoting open discussion of ethical dilemmas,
  • Detecting behavioural patterns,
  • Advising on governance structure and checks and balances,
  • Translating codes of conduct into daily practice.

Risk culture has also been incorporated into the professional competence requirements for compliance professionals. The 2025 continuous education programme includes the following learning objectives:

  • Explain the influence of supervisory publications on the compliance function (e.g., ECB Guide on Governance and Risk Culture),
  • Describe what risk culture entails and how it affects compliance activities,
  • Provide examples of how risk culture has led to non-compliance,
  • Name good practices that strengthen both risk culture and control measures.

Practical Tips for Smaller Investment Firms

How can smaller organisations bring risk culture to life?

  1. Make culture a topic of discussion: Schedule regular team talks about dilemmas or incidents.
  2. Encourage dissent: Allow employees to voice questions and concerns freely.
  3. Lead by example: Leaders should model openness, reflection, and integrity.
  4. Use real-life examples: Learn from incidents in the sector to raise awareness.
  5. Secure checks and balances: Even in small teams, an (external) compliance officer or independent perspective is valuable. Clarify roles—everyone should know what they're accountable for.
  6. Embed culture into governance and compliance: Use the code of conduct as a living document. Make it relatable and practical—don’t let it gather dust.

A strong risk culture starts with awareness and attention. Especially in small organisations, every voice matters, and every voice shapes the culture. Curious how to embed risk culture in your day-to-day operations? Contact us for practical support tailored to smaller investment firms.