The conference room went silent. I'd just asked the executive team a simple question: "If a mid-level manager discovers a significant security vulnerability tomorrow, what would they do?"
The CTO looked at the CFO. The CFO glanced at the CEO. After an uncomfortable fifteen seconds, the CEO finally said, "Honestly? They'd probably try to fix it quietly and hope nobody finds out."
That's when I knew we had a culture problem, not just a risk management problem.
This was back in 2017, at a financial services firm with $2.3 billion in assets. They had spent over $400,000 implementing COSO Enterprise Risk Management (ERM) framework controls. Beautiful documentation. Impressive risk registers. Detailed procedures.
But when I interviewed employees across the organization, I discovered something alarming: people were actively hiding problems because they feared being blamed. Their sophisticated ERM framework was built on a foundation of fear, and it was completely ineffective.
After fifteen years in cybersecurity and risk management, I've learned this fundamental truth: Risk management frameworks don't fail because of poor documentation—they fail because of poor culture.
What COSO ERM Culture Actually Means (And Why Most Organizations Get It Wrong)
Let me start with what COSO ERM culture is NOT:
It's not about being risk-averse or saying "no" to everything
It's not about creating a culture of blame and punishment
It's not about bureaucracy and endless paperwork
It's not about making people afraid to take action
Here's what it actually is: A risk-aware culture means every person in your organization understands how their decisions affect risk, feels empowered to speak up about concerns, and sees risk management as an enabler rather than a blocker.
"Culture eats strategy for breakfast, and it devours risk management frameworks for lunch."
Let me share a contrasting example. In 2019, I worked with a mid-sized healthcare technology company. During my first week, a junior developer pinged me on Slack: "Hey, I noticed something weird in our authentication flow. Probably nothing, but wanted to flag it."
That "probably nothing" turned out to be a critical vulnerability that could have exposed patient data for 40,000 users. We fixed it within 48 hours, before any breach occurred.
I asked the developer later: "What made you reach out about something you thought was 'probably nothing'?"
Her answer was perfect: "Our CTO always says, 'I'd rather investigate 100 false alarms than miss one real problem.' Nobody gets in trouble for raising concerns here, even if they turn out to be wrong. So I just... raised it."
That's risk-aware culture in action.
The Five Pillars of Risk-Aware Culture (Based on COSO ERM)
COSO's ERM framework emphasizes culture as foundational to effective risk management. Through my work with over 50 organizations, I've identified five critical pillars that separate organizations with genuine risk-aware cultures from those just checking compliance boxes:
| Pillar | What It Looks Like | What It Doesn't Look Like |
|---|---|---|
| Psychological Safety | People report concerns without fear of retaliation | Issues are hidden until they become crises |
| Shared Ownership | Risk management is everyone's job, not just the risk team's | "That's not my problem" mentality |
| Transparent Communication | Bad news travels fast and reaches decision-makers | Information is filtered, sanitized, or buried |
| Learning Orientation | Failures are analyzed for lessons, not scapegoats | Incidents result in blame and punishment |
| Risk-Informed Decision Making | Decisions explicitly consider risk-return tradeoffs | Risk is an afterthought or ignored entirely |
Let me break down each pillar with real examples from the field.
Pillar 1: Psychological Safety—The Foundation Everything Else Builds On
In 2020, I was consulting for a manufacturing company that had recently suffered a ransomware attack costing them $1.8 million in downtime and recovery. During the post-incident review, we discovered something shocking:
Three different employees had noticed suspicious emails weeks before the attack, but none of them reported it.
Why? In interviews, the pattern was clear:
"I thought I might be wrong, and I didn't want to look stupid"
"Last time someone raised a false alarm, they got lectured about wasting everyone's time"
"IT always makes you feel like an idiot for asking questions"
The company had invested heavily in technical controls but had created a culture where people were afraid to speak up. The result? A completely preventable breach.
Compare this to a retail company I worked with in 2021. Their security awareness program included a simple metric: number of security concerns reported per month. They celebrated teams that reported the most issues, regardless of whether those issues turned out to be real threats.
One month, a customer service representative reported that a customer was asking unusual questions about their data storage practices. The security team investigated and discovered an attempted social engineering attack targeting customer service staff.
The CSR who reported it was publicly recognized in the company newsletter. The CEO personally thanked them in an all-hands meeting.
That company hasn't had a successful phishing attack in three years. Why? Because people aren't afraid to raise concerns.
"In a risk-aware culture, bringing up a concern that turns out to be nothing is celebrated, not criticized. False positives are the price of vigilance."
Pillar 2: Shared Ownership—Risk Is Everyone's Responsibility
Here's a conversation I've had too many times:
Me: "Who's responsible for cybersecurity risk in your organization?"
Executive: "Our CISO."
Me: "And who's responsible for compliance risk?"
Executive: "Our compliance officer."
Me: "And operational risk?"
Executive: "Our COO, I guess?"
This is the classic mistake: treating risk management as something done TO the organization by specialized functions, rather than BY the organization as a whole.
I worked with a SaaS company in 2018 that transformed their approach completely. They implemented what they called "Risk Champions"—not a formal program, but a cultural expectation that every team had someone who thought actively about risk in their domain.
The results were remarkable:
| Before Risk Champions | After Risk Champions |
|---|---|
| Security team discovered 90% of vulnerabilities | Development teams discovered 60% of vulnerabilities before code reached production |
| Average time to detect issues: 23 days | Average time to detect issues: 4 days |
| Post-incident analysis focused on blame | Post-incident analysis focused on process improvement |
| Risk discussions happened quarterly in formal meetings | Risk discussions happened daily in standup meetings |
| Compliance seen as "overhead" | Compliance seen as "quality assurance" |
The engineering team started reviewing their own code for security issues. The sales team began flagging unusual customer requests that might indicate fraud. The finance team identified process gaps that created audit risks.
Why? Because risk management became part of everyone's job description, not just a specialized function.
Pillar 3: Transparent Communication—Bad News Must Travel Fast
Let me tell you about two different organizations and how they handled the same type of incident.
Company A (2019): A developer accidentally committed AWS credentials to a public GitHub repository. The developer noticed it three hours later but was terrified to report it. They quietly rotated the credentials and hoped nothing had happened. Two weeks later, the company got a $47,000 AWS bill from cryptocurrency mining running on their compromised account. The security team discovered the breach only when finance escalated the unusual charge.
Company B (2020): A developer accidentally committed Azure credentials to a public repository. Within 45 minutes:
The developer reported it to the security team
Credentials were rotated
The repository was made private
Audit logs were reviewed
All relevant systems were checked
An incident report was filed
The team held a brief lessons-learned session
Total impact: Zero. The developer who made the mistake? They presented the incident and the lessons learned at the next all-hands meeting. The CEO publicly thanked them for their quick response.
The difference? Company B had established clear communication protocols and, more importantly, had proven through repeated actions that reporting mistakes quickly was valued and rewarded.
Here's a framework I help organizations implement for transparent risk communication:
| Risk Level | Response Time | Communication Path | Decision Authority |
|---|---|---|---|
| Critical | Immediate (< 15 min) | Direct to CISO/CRO and CEO | Executive team |
| High | Within 1 hour | Department head and risk management | Department head with risk oversight |
| Medium | Within 4 hours | Team lead and risk management | Team lead with documentation |
| Low | Within 24 hours | Team lead | Team lead |
| Informational | Weekly summary | Risk management dashboard | Tracked for trends |
The key is that these aren't just policies in a handbook—they're lived practices that leaders demonstrate and reinforce constantly.
"The speed at which bad news reaches decision-makers is the single best predictor of an organization's risk resilience."
Pillar 4: Learning Orientation—Failure Is Data, Not Destiny
This is where I see the biggest cultural gap between effective and ineffective risk programs.
I once worked with a financial services company that had what they called a "three strikes" policy for security incidents. If an employee was involved in three security incidents—even minor ones, even if they self-reported—they were put on a performance improvement plan.
Guess what happened? People stopped reporting incidents. Self-reported incidents dropped by 73% over six months. But actual incidents? They didn't decrease at all. They just went unreported until they became major problems.
Contrast this with a technology company I advised in 2021. They held monthly "Failure Forums" where teams shared things that went wrong and what they learned. Not just cybersecurity failures—any kind of failure.
One month, the engineering team shared how they'd accidentally deleted a production database. They walked through:
What happened
Why their safeguards didn't prevent it
What they learned
What they changed to prevent recurrence
Instead of being punished, the team was praised for their detailed post-mortem and the improvements they implemented. The insights from that incident led to three other teams improving their backup procedures.
Here's a comparison of learning-oriented vs. blame-oriented responses to common risk events:
| Scenario | Blame-Oriented Response | Learning-Oriented Response |
|---|---|---|
| Employee clicks phishing link | "You should have known better. Required security training." | "What made this phishing email convincing? How can we improve our email filters and training?" |
| Configuration error causes outage | "Who made this change? This is unacceptable." | "What in our change process allowed this error to reach production? How do we catch it earlier?" |
| Vendor security questionnaire missed | "Why didn't you follow the process?" | "What made this fall through the cracks? How do we make the process more robust?" |
| Audit finding discovered | "This makes us look bad. Fix it immediately." | "What does this finding tell us about our controls? What related risks might we have?" |
| Near-miss incident | "No harm, no foul. Move on." | "This is valuable intelligence. What can we learn from this close call?" |
The learning-oriented organization treats every incident as an opportunity to strengthen their defenses. The blame-oriented organization ensures that the next incident will be hidden until it's too late to prevent damage.
Pillar 5: Risk-Informed Decision Making—Balancing Risk and Opportunity
Here's a scenario I've encountered in multiple organizations:
Sales team: "We need to close this enterprise deal. The customer wants to use their own authentication system instead of ours. Can we build that in two weeks?"
Security team: "No. That's too risky. We can't allow external authentication integration."
Sales team: "So we lose a $2 million annual contract?"
Security team: "Security policy is non-negotiable."
Guess what happens next? In many organizations, one of two things:
The sales team escalates to the CEO, who overrides security without understanding the risks
The security team holds firm, the deal dies, and security becomes seen as "the team that kills deals"
Neither outcome is good.
Now let me show you how a risk-aware organization handles the same scenario:
Sales team: "We have a $2M opportunity but they want custom authentication. What are our options?"
Security team: "Let's map out the risks and mitigations. We have four options:"
| Option | Revenue Impact | Risk Level | Implementation Cost | Recommended Mitigations |
|---|---|---|---|---|
| Decline request | Lose $2M contract | No change | $0 | None needed |
| Full custom integration | Win $2M contract | High | $80K + ongoing | • Extensive security testing<br>• Dedicated security review<br>• Enhanced monitoring<br>• Customer security audit |
| Standard SSO integration | Win $2M contract (if acceptable) | Medium | $25K | • Standard security controls<br>• Regular penetration testing<br>• Audit logging |
| Hybrid approach | Win $2M contract | Medium-Low | $45K | • Use established protocols (SAML/OAuth)<br>• Sandbox environment<br>• Phased rollout |
Sales team: "The hybrid approach gives them what they need. What's the timeline and what support do we need from them?"
Security team: "8 weeks with their cooperation on security reviews. We'll need their security documentation upfront and a pentest before go-live."
Both teams together: "Let's present this to the customer with clear requirements and timelines."
This is risk-informed decision making. The conversation shifts from "yes or no" to "here are the options, risks, and tradeoffs—let's make an informed decision together."
"A mature risk culture doesn't eliminate risk—it makes intelligent choices about which risks to take, which to mitigate, which to transfer, and which to avoid."
Building Risk Culture: The 90-Day Transformation Plan
After working with dozens of organizations on culture transformation, I've developed a practical 90-day framework for building risk-aware culture. This isn't theory—it's based on what actually works in real organizations.
Days 1-30: Foundation and Assessment
Week 1: Leadership Alignment
Conduct executive workshop on risk culture
Get leadership commitment (verbal commitments don't count—watch for actual behavior changes)
Define what risk-aware culture means for your organization specifically
Identify culture champions among leadership
I worked with a healthcare company where the CEO started every executive meeting with "risk spotlights"—each leader shared one risk they were thinking about. This simple practice signaled that risk awareness was a priority.
Week 2-3: Current State Assessment
Anonymous employee survey on risk culture
Focus groups across different departments
Review of past incidents for cultural patterns
Analysis of risk communication flows
One organization I worked with discovered through surveys that 68% of employees didn't know how to report security concerns. They had beautiful policies, but nobody knew they existed.
Week 4: Quick Wins
Establish "no-fault" reporting channels
Create simple risk escalation paths
Recognize someone publicly for raising a concern
Share a "lessons learned" from a recent near-miss
Days 31-60: Implementation and Reinforcement
Week 5-6: Communication Infrastructure
Implement regular risk communication rhythms:
| Frequency | Format | Audience | Content |
|---|---|---|---|
| Daily | Slack channel or Teams | All staff | Quick risk alerts, incident updates, security tips |
| Weekly | Team standups | Department teams | Risk discussions in regular meetings (5 min) |
| Monthly | Newsletter | All staff | Lessons learned, risk trends, success stories |
| Quarterly | All-hands | Entire organization | Major risk initiatives, culture metrics, recognition |
| Annually | Risk summit | Leadership + key staff | Strategic risk planning, culture assessment |
Week 7-8: Training and Enablement
Not boring compliance training—engaging, practical education:
Interactive scenario-based workshops
Department-specific risk awareness sessions
"Lunch and learn" with real incident stories
Create risk champions in each department
I helped a company create 15-minute "Risk Fridays" where different teams shared how they think about risk in their work. The marketing team talked about brand risk in social media. Operations discussed supply chain risk. Engineering covered technical debt as risk. It made risk tangible and relevant.
Days 61-90: Measurement and Sustainment
Week 9-11: Establish Metrics
You can't improve what you don't measure. Here are the culture metrics that actually matter:
| Metric | What It Measures | Target | Why It Matters |
|---|---|---|---|
| Incident Self-Reporting Rate | % of incidents self-reported vs. discovered | >80% | Indicates psychological safety |
| Time to Escalation | Average time from detection to appropriate escalation | <4 hours | Shows communication effectiveness |
| Cross-Functional Risk Discussions | # of risk topics raised in non-risk meetings | Increasing trend | Demonstrates shared ownership |
| Near-Miss Reporting | # of near-misses reported monthly | Increasing trend | Reflects proactive risk identification |
| Risk Culture Survey Score | Employee perception of risk culture | >4.0/5.0 | Overall culture health |
| Risk Training Completion | % completing risk awareness training | >95% | Basic competency baseline |
| Leadership Risk Actions | # of visible leadership risk behaviors | Weekly minimum | Top-down reinforcement |
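As an added example (not the author's own material or tooling), here is a small Python scorecard that applies the escalation windows from the communication table in Pillar 3 and the self-reporting and time-to-escalation targets from the metrics table above to a constructed month of incident records. The log format, field names, and the choice to leave "informational" items out of the escalation average (they roll into the weekly summary) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Escalation windows from the risk-level communication table (Pillar 3).
# "Informational" items go to a weekly summary, so they have no window.
ESCALATION_WINDOW = {
    "critical": timedelta(minutes=15),
    "high": timedelta(hours=1),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}
# Targets from the culture-metrics table.
SELF_REPORT_TARGET_PCT = 80.0
ESCALATION_TARGET_HOURS = 4.0


@dataclass(frozen=True)
class Incident:
    incident_id: str
    risk_level: str          # critical / high / medium / low / informational
    detected_at: datetime    # when a person or tool first noticed it
    escalated_at: datetime   # when it reached the path in the table
    self_reported: bool      # True if the person involved raised it themselves
    near_miss: bool = False  # no impact, but could have become an incident


def parse_log(lines):
    """Parse assumed CSV-style lines: id,level,detected,escalated,source,near_miss."""
    incidents = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iid, level, detected, escalated, source, near = [f.strip() for f in line.split(",")]
        incidents.append(Incident(
            incident_id=iid,
            risk_level=level.lower(),
            detected_at=datetime.fromisoformat(detected),
            escalated_at=datetime.fromisoformat(escalated),
            self_reported=(source.lower() == "self"),
            near_miss=(near.lower() == "yes"),
        ))
    return incidents


def time_to_escalation(inc):
    return inc.escalated_at - inc.detected_at


def sla_breaches(incidents):
    """IDs of incidents that reached their escalation path later than the window allows."""
    return [inc.incident_id for inc in incidents
            if inc.risk_level in ESCALATION_WINDOW
            and time_to_escalation(inc) > ESCALATION_WINDOW[inc.risk_level]]


def self_report_rate_pct(incidents):
    """Share of records the involved person raised themselves (self vs. discovered)."""
    if not incidents:
        return 0.0
    return 100.0 * sum(1 for i in incidents if i.self_reported) / len(incidents)


def mean_escalation_hours(incidents):
    """Average detection-to-escalation time, over records that have a window."""
    timed = [time_to_escalation(i).total_seconds() / 3600
             for i in incidents if i.risk_level in ESCALATION_WINDOW]
    return mean(timed) if timed else 0.0


def near_miss_count(incidents):
    return sum(1 for i in incidents if i.near_miss)


def scorecard(incidents):
    """Metric values plus pass/fail against the table's targets."""
    rate = self_report_rate_pct(incidents)
    hours = mean_escalation_hours(incidents)
    return {
        "self_report_rate_pct": round(rate, 1),
        "self_report_target_met": rate > SELF_REPORT_TARGET_PCT,
        "mean_escalation_hours": round(hours, 2),
        "escalation_target_met": hours < ESCALATION_TARGET_HOURS,
        "near_misses": near_miss_count(incidents),
        "sla_breaches": sla_breaches(incidents),
    }


# Constructed sample month of incident records (not real data).
SAMPLE_LOG = """
# id,level,detected,escalated,source,near_miss
INC-001,critical,2024-03-04T09:00,2024-03-04T09:10,self,no
INC-002,high,2024-03-06T14:00,2024-03-06T16:30,discovered,no
INC-003,medium,2024-03-11T10:00,2024-03-11T11:00,self,yes
INC-004,low,2024-03-15T08:00,2024-03-15T18:00,self,no
INC-005,informational,2024-03-20T12:00,2024-03-25T09:00,self,no
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in scorecard(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample data the self-reporting rate lands exactly on 80%, which does not clear the ">80%" target, and the high-severity record INC-002 shows up as an escalation-window breach; both are the kind of signal the author says to watch.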
Week 12: Sustain and Evolve
Review metrics and adjust approach
Celebrate successes publicly
Address gaps identified
Plan next quarter's initiatives
Real-World Transformation: A Case Study
Let me share a detailed example that brings this all together.
In 2020, I worked with a regional insurance company—about 400 employees, $500M in premiums, heavily regulated industry. They'd just failed their third consecutive compliance audit, primarily due to cultural issues around risk management.
Their Starting Point:
Risk management was seen as "the compliance department's job"
Employees actively avoided the risk team
Incidents were routinely underreported
Risk discussions were confrontational and focused on blame
Turnover in the compliance department was 45% annually
What We Did:
Month 1: Leadership Reset
The CEO did something radical—he shared a story in an all-hands meeting about a major mistake he'd made early in his career that nearly sank his previous company. He talked about what he learned and how it shaped his approach to risk.
This one act of vulnerability changed the tone completely. If the CEO could admit mistakes and focus on learning, maybe everyone else could too.
Month 2-3: Process Overhaul
We redesigned their risk processes:
Replaced 47-page risk assessment forms with simple, one-page formats
Created a Slack channel where anyone could ask risk questions
Implemented "risk office hours" where the compliance team was available for quick consultations
Started recognizing employees who identified risks early
Month 4-6: Cultural Reinforcement
We launched "Risk Champions" in each department—volunteers who became local resources for risk questions. They weren't compliance police; they were helpful colleagues who could quickly answer "Is this something I should be concerned about?"
The transformation was remarkable:
| Metric | Before | After 6 Months | After 1 Year |
|---|---|---|---|
| Self-reported incidents | 23% | 67% | 84% |
| Average escalation time | 3.2 days | 8 hours | 2 hours |
| Employee risk culture score | 2.1/5.0 | 3.7/5.0 | 4.3/5.0 |
| Compliance department turnover | 45% | 12% | 0% |
| Audit findings | 23 (critical) | 4 (moderate) | 0 (passed with commendation) |
| Cost of risk incidents | $430K annually | $89K annually | $12K annually |
But here's the most telling metric: employee referrals to the compliance team increased by 340%. People who previously avoided the risk team were now actively engaging with them.
What changed? Not the framework (they were using COSO ERM before and after). Not the documentation (it actually got simpler). What changed was the culture.
"Framework gives you the roadmap. Culture determines whether anyone actually follows it."
The Leadership Behaviors That Make or Break Risk Culture
After fifteen years of observation, I can predict an organization's risk culture within 30 minutes of watching their leadership team. Here are the behaviors that matter:
What Effective Risk-Aware Leaders Do:
1. They Ask "What Could Go Wrong?" Before "How Fast Can We Go?"
I watched a CEO in a product planning meeting ask: "This is exciting. Before we commit, what are the top three things that could derail this?" The team spent 20 minutes discussing risks and mitigation strategies. The product still launched—but with safeguards in place that prevented two major issues that would have otherwise occurred.
2. They Reward Transparency, Even When the News Is Bad
A CFO I worked with had a rule: anyone bringing bad news got 30 minutes of her time immediately, no matter what else was on her calendar. She wanted to send a clear message that surfacing problems early was valued.
3. They Participate in Risk Activities, Not Just Delegate Them
The most effective CTO I've worked with personally reviewed every critical security incident. Not to assign blame, but to understand what happened and what the organization could learn. His participation signaled that this mattered.
4. They Make Their Own Risk Thinking Visible
One CEO started sharing his "Monday Morning Risk Thoughts" email—a brief note about what risks he was thinking about that week. It normalized risk awareness and showed that even the CEO actively thought about risk.
The Career-Limiting Leadership Behaviors:
These are the behaviors that destroy risk culture faster than anything else:
| Destructive Behavior | Why It's Toxic | Better Alternative |
|---|---|---|
| Shooting the messenger | Ensures bad news gets hidden | Thank people for raising concerns, even if the news is bad |
| "I don't want to hear about problems, just solutions" | Creates fear of reporting issues | "Bring me problems early. We'll solve them together." |
| Publicly criticizing mistakes | Drives risk underground | Address issues privately; discuss lessons publicly |
| Making risk decisions in isolation | Undermines shared ownership | Involve relevant stakeholders in risk discussions |
| Inconsistent risk tolerance | Creates confusion and paralysis | Establish clear risk appetite and stick to it |
| Treating compliance as a checkbox | Signals risk isn't really important | Engage meaningfully with risk processes |
Common Pitfalls and How to Avoid Them
Let me share the mistakes I see organizations make repeatedly:
Pitfall 1: Confusing Risk Awareness with Risk Aversion
A manufacturing company I worked with became so focused on risk that they stopped innovating. Every new idea was shot down because "it's too risky." They weren't risk-aware—they were risk-paralyzed.
The Fix: Establish clear risk appetite. Define what risks you're willing to take in pursuit of objectives. The goal isn't to eliminate risk; it's to take the right risks intelligently.
Pitfall 2: Making Risk Management Too Complicated
I've seen organizations create risk frameworks so complex that nobody uses them. One company had a 12-step process for reporting security concerns that required five approvals. Nobody used it.
The Fix: Simple always beats perfect. If people won't use your process, it doesn't matter how theoretically sound it is.
Pitfall 3: Treating Culture Change as a One-Time Event
Organizations launch a "Risk Culture Initiative," run it for three months, declare victory, and move on. Six months later, everything reverts to the old ways.
The Fix: Culture change is continuous. Build risk awareness into regular business rhythms—meetings, communications, performance reviews, recognition programs.
Pitfall 4: Neglecting Middle Management
Senior leaders talk about risk culture. Front-line employees receive training. But middle managers—the crucial translation layer—get overlooked.
The Fix: Middle managers need specific training and support for building risk awareness in their teams. They're your culture multipliers.
Measuring Success: What "Good" Looks Like
How do you know if you're building effective risk culture? Here are the signs I look for:
In Meetings:
Risk is discussed naturally, not just when the risk manager is present
People freely challenge ideas based on risk concerns
"What could go wrong?" is a standard question, not an afterthought
In Day-to-Day Operations:
Employees proactively report concerns
Cross-functional collaboration on risk issues happens organically
People seek out the risk team for consultation, not just compliance
In Incidents:
Issues surface quickly
Focus is on learning, not blaming
Similar mistakes don't repeat
Near-misses are treated as valuable intelligence
In Metrics:
Self-reporting rates are high and stable
Time-to-escalation is low and decreasing
Employee satisfaction with risk processes is high
Actual incident impacts are decreasing
The Personal Element: Why This Matters to Me
I've spent fifteen years helping organizations build better risk programs. The technical stuff—frameworks, controls, procedures—that's the easy part. The cultural transformation is where the real work happens.
I've seen organizations prevent catastrophic failures because someone felt safe enough to raise a concern. I've watched companies thrive because they built risk awareness into their DNA.
I've also seen the opposite. I've received those 3 AM phone calls about breaches that could have been prevented if someone had felt comfortable speaking up weeks earlier. I've watched talented security professionals burn out because they were fighting cultural resistance every single day.
That's why I'm passionate about this topic. The difference between a risk-aware culture and a risk-ignorant culture isn't academic—it's the difference between organizations that survive and those that don't.
Your Starting Point: Three Actions for This Week
You don't need to transform your entire culture by Friday. Start small:
1. Ask One Question Differently
In your next team meeting, instead of asking "What's our status?" try asking "What risks are we watching?" Notice how the conversation changes.
2. Recognize One Person
Find someone who raised a concern or reported an issue. Thank them publicly. Be specific about why it mattered.
3. Share One Story
Tell your team about a time when you made a mistake and what you learned. Model the vulnerability and learning orientation you want to see.
These three small actions send powerful cultural signals. And culture, ultimately, is built through thousands of small signals over time.
Final Thoughts: Culture as Competitive Advantage
Here's what I've learned after fifteen years: Organizations with strong risk cultures don't just avoid disasters better—they move faster, innovate more effectively, and outcompete their peers.
Why? Because when people aren't afraid to discuss risks openly, problems get solved earlier and cheaper. When risk management is everyone's job, you have 400 people watching for issues instead of 4. When risk is viewed as an enabler rather than a blocker, innovation happens within guardrails instead of in spite of them.
The irony is that organizations that embrace risk culture end up being less risky than those that try to eliminate all risk through rigid controls.
COSO ERM provides the framework. But you provide the culture. And culture, more than any framework, will determine your success.
"The best risk management framework in the world is useless if your culture prevents people from using it. The simplest framework in the world is powerful if your culture embraces it."
Start building that culture today. Your future self will thank you.