Element 3: Risk Culture

An entity’s risk management framework must support a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.

Case Studies


This case study is intended to assist Commonwealth officials at Specialist and Executive levels to:

  • develop and establish a positive risk culture,
  • understand practical tips to implement a risk culture change program, and
  • understand how risk culture can be transformed and embedded in their agency.

This case study can be useful to newly created entities or entities wanting to refresh their approach to risk management and instil a positive risk culture across the organisation. It provides guidance to entities seeking to develop or formalise their approach to developing a culture where risk is managed and communicated across all levels of the entity and individuals are encouraged to adopt positive risk behaviours.

At a glance

This case study outlines the National Health Funding Body’s (NHFB) strategy to embed a robust organisational culture that continues to support risk-aware decision making whilst at the same time encourages innovation and creativity. This case study details how the NHFB has developed and fostered a risk culture that has enabled them to engage with risk in pursuit of continuous improvement and better solutions in their business activities.

The NHFB and the Administrator of the National Health Funding Pool were established through the National Health Reform Agreement of August 2011. The NHFB was tasked with assisting the Administrator in calculating and advising the Treasurer on the Commonwealth’s contribution to public hospital funding in each State and Territory, which totalled over $24 billion in 2021-22. They were also responsible for monitoring payments (over $59 billion in 2021-22) of Commonwealth, State and Territory public hospital funding into the National Health Funding Pool.

With an operating budget of just over $7 million and as an agency of approximately 28 staff, it was critical that the NHFB developed and maintained effective and robust systems for risk management to ensure they meet their obligations. To do this, the NHFB encouraged everyone to take responsibility for risk by promoting an active engagement with risk.

What is a positive risk culture?

Risk culture is a subset of organisational culture and refers to the system of beliefs, values and behaviours throughout an entity that shape the collective approach to managing risk and making decisions.

A positive risk culture involves staff adopting an open and proactive approach to risk that fosters collaboration, encourages debate and values independent views. In order for risk management to be effective, it needs to align with the entity’s strategic goals and be part of the organisational culture, internal policies, decision making and individual’s behaviour.

Culture is shaped by the behaviours and attitudes of leaders. The desired culture for managing risk should be clearly defined and demonstrated by the executive in a form that is communicated and actively promoted to staff.

Why is it important to have a positive risk culture?

By establishing a positive risk culture, everyone within the organisation is encouraged to take responsibility for managing risk as it is included as a core responsibility within an individual’s job description. Such an environment can lead to early engagement and open conversations about risk and any potential threats or pressures to the entity. This allows for the identification and assessment of emerging and new risks that could impact business activities and have the potential to hinder achievement of organisational objectives.

A positive culture for managing risk can create an environment where there is a distinctive awareness of the entity’s risk profile by staff across all levels and the responsibility for managing these risks is sufficiently understood. This can lead to appropriate actions being taken by the right people in a timely manner for issues and risks that are identified to be out of set thresholds and tolerance.

Levers that drive risk culture

The NHFB worked towards embedding a robust organisational culture that continued to support risk-aware decision making and encouraged innovation and creativity. Managing risk has become a natural part of the NHFB’s core business activities through consistent language, methodologies and documentation across the organisation. Risk is discussed at all levels to ensure every member has the opportunity to raise potential risks in their business area as well as potential opportunities.

The following levers were called upon in order to positively drive change in NHFB’s risk culture:

Governing your entity:

With a collective effort and strong communication in the roll-out of risk appetite and tolerance statements, these statements helped shape and define a strong culture within the NHFB that encouraged active engagement with risk. The risk tolerance statement articulates the amount of risk that the entity is willing to accept to successfully achieve their strategic objectives and was openly communicated and understood across the organisation. In doing so, the establishment of these key documents helped set objectives, define the desired risk culture, allocate resources, comply with legal obligations, and improve transparent decision making. By knowing these boundaries, NHFB staff are empowered to confidently make risk-aware decisions in the workplace.

The NHFB adopted a ‘near miss’ approach to reporting risks. This involved a deep dive into the source, impact and consequence of each near miss. This is undertaken immediately after the event to ensure that it was rectified quickly, while minimising the likelihood of a similar occurrence. This process embodied an open and proactive approach to risk that became indicative of the positive organisational culture seen throughout the NHFB that embraced the opportunities contained within each risk event.

Through this reporting approach, which encouraged frank discussions about the ramifications and resolutions related to realised risk events, the NHFB did not let any fear or concern surrounding near misses affect the organisation’s psyche. Instead, a pragmatic analysis of the control breakdowns and any required new risk treatments allowed the organisation to move forward and rectify any deficiencies in their processes or systems.

Strong and regular communication from the CEO about the NHFB’s risk tolerance and expected risk behaviours helped transform the organisational culture with respect to risk management. There was an active display of leadership and consistent messaging, supported by the executive group, that encouraged risk-based, fit-for-purpose practices and helped champion the implementation of the NHFB’s revised risk management approach. These messages shaped and set the parameters of what is considered best practice risk management and fostered a culture that considered the opportunities associated with risk events.

Underpinning this transparent and concerted effort from the executive leadership was their desire to embed an understanding of risk appetite across the agency. This ‘tone from the top’ encouraged innovative thinking and provided supporting mechanisms to ensure that risk was able to be managed effectively (i.e. through updating their Risk Management Policy and Framework and Risk Management Instructions). Senior leadership also contextualised the relationship between effective risk management and key strategic objectives. This message emphasised the importance of making risk-informed decisions and fostered a culture that viewed risk management as a fundamental component to the achievement of business success.

Embracing a lessons learned mindset has enabled the NHFB to consistently evolve and improve their processes after near misses or realised risk events. Openly discussing the lessons learned arising out of these incidents, instead of attributing blame, allowed the organisation to grow and develop.

For example, there was an access error identified for users within the Payments System (critical to the NHFB operations). Using a lessons learned approach, it was determined that there was the need for better communication between the 3rd party provider and the NHFB to ensure that the Payments System remained operational for users during peak periods. This adaptive and open-minded analysis of the risk event outlined the NHFB’s positive culture that is built around a willingness to learn and improve.

Incorporating elements of risk management into every role throughout the organisation provides everyone with a level of responsibility when it comes to managing risk and processing risk-related information. A united leadership approach in the NHFB is built around ‘Our Behaviours – it starts with me’, which encapsulates the desired attitude whereby all staff are empowered to take ownership of their behaviour when interacting with the different risks faced by the NHFB.

By encouraging all staff to model good risk management behaviours, new starters are more likely to adopt the positive risk culture embedded within the NHFB’s day-to-day operations.

Figure 1 – ‘Our Behaviours – It starts with me’


This case study is intended to assist Commonwealth officials at Specialist and Executive levels to:

  • identify opportunities to review their risk management framework
  • leverage practical tips to implement a risk culture change program
  • understand how risk culture can be embedded in their agency.

This case study can be useful to newly created entities or entities wanting to refresh their approach to risk management and instil a positive risk culture across the organisation.

At a glance

This case study provides guidance for entities seeking to develop a more advanced or mature risk culture, as modelled off the methods used by the Australian Financial Security Authority (AFSA). AFSA’s management board recognised an opportunity to embed more meaningful conversations and effective risk mitigation across all levels of the agency. With the active support and buy-in of senior leadership, AFSA:

  • Successfully implemented a new approach to risk management
  • Developed guidance materials to define risk roles and promote risk-informed decision making at all levels across the agency
  • Conducted risk culture audits
  • Carried out risk training.

All of this contributed towards a more mature risk culture and a proactive approach to risk management that can be sustained into the future.

There are difficulties with shifting an entity’s risk culture, as it involves influencing and altering the inherent behaviours and attitudes of staff towards engaging with risk. Being able to establish and foster a positive risk culture is imperative, because it is an entity’s culture that ultimately determines the behaviours of officials when they make decisions in their day-to-day roles.

Background and objectives

AFSA is an executive agency in the Attorney-General’s Portfolio responsible for Australia’s personal insolvency and personal property securities systems. Historically, AFSA adopted a compliance-based approach to risk management; however, with the agency about to embark on a digital and cultural transformation, there was a significant opportunity to invest in the agency’s approach to risk management to ensure it could support effective transformation. AFSA’s approach aims to empower staff at all levels of the organisation to make informed risk-based decisions in their day-to-day work.

Risk culture is a subset of organisational culture and encompasses the beliefs, values and behaviours throughout an organisation that shape the collective approach to managing risk and making decisions. A positive risk culture is one where staff at every level appropriately manage risk as an intrinsic part of their day-to-day work. Positive risk cultures are supported by open discussion about uncertainties and opportunities and internal processes to help manage risk. A poor risk culture is often evidenced by officials being ignorant of the agency’s risks, being excessively risk averse or overconfident.

Evidence-based risk management

AFSA reviewed its existing risk management framework and identified that it was too compliance focussed, and burdened staff by completing overly detailed and complicated risk registers. This created a culture where staff viewed risk management as a technical, paperwork driven activity that had little connection to their day-to-day work. The agency decided to invest in a contemporary approach to risk management that instead focused on utilising objective sources of evidence to verify the actual effectiveness of critical actions, activities and measures that help control key agency risks. The adoption of this approach, combined with significant investment in staff training, the development of a ‘Decision Making Model’ to support staff in their day-to-day work, and the utilisation of scenario-based control testing with key agency decision makers, has created an environment where staff are actively engaging in risk management on a day-to-day basis.

Risk management aligned with the agency’s vision and purpose

Risk management activities are an important driver of strategy. AFSA built strong links between its risk management approach and strategic objectives by prioritising risk across all major governance documents. AFSA refreshed the risk management component of its corporate plan to communicate the agency’s risks more clearly. AFSA also reconfigured its assurance mechanisms into a new assurance strategy that aligns assurance activities to the agency’s risks.

Risk culture audits

AFSA worked with its internal auditors to assess the maturity of the agency’s risk culture. A survey was distributed to staff at all levels to understand how they approached risk management and how AFSA could better equip them to manage risk and make decisions in their daily work. The process highlighted the need for greater practical support, renewed guidance documentation and simplified risk processes. Responding to the staff feedback, AFSA redesigned and streamlined its risk framework, policy and plan into a single readable document. Guidance, risk tools and reporting processes were also refined to ensure their usefulness, and a follow-up audit was arranged to measure improvements in risk culture.

Support of senior leadership in the agency’s transformation

An agency’s risk culture is strongly influenced by the behaviours and attitudes of leaders. AFSA’s senior leadership team actively championed the risk transformation and were advocates of the new approach. The Risk Team leveraged this buy-in to actively encourage staff to participate in the transformation journey. This enthusiasm and support created an environment where useful conversations regarding agency risks and the effectiveness of AFSA’s current controls could take place.

AFSA maintains ongoing engagement of its board with risk by utilising near misses, realised risk events or fictional yet plausible scenarios to drive a rolling program of risk walkthroughs. This process brings together the risk owner, control owners and board members to actively explore control gaps and current-state preparedness, and discuss areas for enhancement. AFSA has extended this approach across the agency and encourages staff to participate in similar conversations through risk forums. These forums have become valuable opportunities to provide assurance to the board that strong controls are in place while also creating opportunities for staff to identify areas of improvement.

New risk management roles across the agency

Whilst a positive risk culture can be established via a clear ‘tone at the top’, it is the staff at the operational level that instil and embed this culture. AFSA’s establishment of new risk roles helped entrench risk management across the workforce, and has helped foster a culture where risk is actually at the forefront of the entity’s mindset when carrying out day-to-day operations. Through the introduction of clear risk roles, a more active engagement with risk was facilitated. These new risk roles were clearly defined in AFSA’s risk documentation, with staff being supported and trained to take on these responsibilities. These new roles ensure staff clearly understand their decision-making responsibilities, how they fit in with AFSA’s approach to risk management, and procedures for escalating issues to risk owners and the board.

Staff training

AFSA embedded a common understanding of its new risk management approach across the agency through whole-of-agency risk management training. The training was informed by the findings of the risk culture audit and focussed on practical day-to-day risk management and decision making. AFSA hosted a significant number of workshops for staff across the agency at all levels on why risk management is important, how AFSA manages risk, and how risk management links to the Corporate Plan. This training has helped the agency reach a position where risk management is normalised, staff understand risk is part of their roles, and staff discuss risk using a common language. This has created a clearer understanding of shared issues and concerns, enabling informed risk discussions at all levels across AFSA.
