A robust risk culture goes beyond having a strong basic risk management process. But the rewards for the extra work you’ll put in to build that culture are huge. This is particularly so when you have to deliver large, complex, or strategically important projects.
Some of my readers may hope to influence the risk culture of their whole organization. But, for many, I suspect this may be too great an ambition. For you, the right aspiration is to build a positive risk culture within your project. As a Project Manager, that’s entirely within your scope.
But these ideas do scale. And the process for creating a robust risk management culture within your project can apply equally if you get a chance to influence your wider organization.

What we will cover
In this article, I will cover everything you need to know:
- What is Risk Culture?
- What are the Benefits of a Robust Risk Culture?
- How to Create a Robust Risk Culture in Your Project
- The Assets You’ll Need for a Strong Project Risk Culture
- Implementation Imperatives
- Learn More about Risk Management and Project Risk Culture
We start, of course, with the absolute basic question…
What is Risk Culture?
Risk culture is a shared set of processes, knowledge, attitudes, beliefs, and values about how to deal with risk. If your team has a common purpose and approaches risk in a consistent way that reflects that purpose, that will protect your project and make it more secure.
So, what does ‘good’ look like?
For your risk culture to work well, three things need to come into alignment:
- Attitudes and Ethics
You, your Project Sponsor, and your Project Board need to set the right tone from the top of your project organization. And that needs to be reflected by a sense of personal responsibility for risk throughout your project. Team members need to be constantly aware of risk and share a common attitude to it. You also need to cultivate a consistent attitude to project risks among your stakeholders. - Behaviors and Practices
You and your team need to act on, as well as think about, risk. To make this work, you need a solid set of risk awareness and management processes. These need to work smoothly and be an integral part of how your project does things, rather than just an add-on to other processes. Information about risks needs to flow, and people need to deal with it quickly and consistently. - Rewards and Recognition
You need to back up attitudes and processes with recognition and reward for people who do things right. Accountability is vital, but people will only accept it if they know that, by doing so, they will gain endorsement for their behavior. This is especially so if you set out to build a ‘whistle-blower’ procedure to bring to the surface any poor practices or failings. Whistle-blowers must enjoy protection and support. A good risk culture will be a ‘no-blame’ culture, where calling out and owning up to mistakes feels completely safe.
With these components in place, your project can be confident in making informed decisions and in understanding the risks it takes.
What are the Benefits of a Robust Risk Culture?
A project is a temporary endeavor. So why would you go to the extra trouble of creating an infrastructure?
Every project will have a culture, whether you craft it or not. Part of the project leadership role is to decide what culture will serve your project best, and to work at creating it. It isn’t extra work to create a culture: it’s extra work to create a worthwhile one.
And there are plenty of benefits you can gain by embedding risk management into your day-to-day project practices. These work together to have an increasing effect on the overall health and performance of your project.
Systems and Procedures
When you build risk management into your culture, you will reduce the overhead of imposing risk management at each step. Your team will apply a consistent set of processes, with standard tools and templates, automatically. And, for a longer project, you’ll be able to optimize these over time, to work more and more efficiently. Ideally, if you can also provide your team with training, you will see greater consistency in how they apply your processes.
Records and History
One of the challenges of identifying and analyzing risk is to learn from the past. By placing risk management at the heart of your project culture, you can build an archive of knowledge to carry forward to future projects. You may or may not be able to begin embedding this culture more widely in your organization. But you have a career ahead of you, and you can carry this knowledge with you from project to project.
Patterns and trends may start to emerge that you can use to optimize your risk planning and processes, and inform benchmarks and metrics. This will help you improve your budget and schedule estimates, and therefore reduce cost and schedule over-runs.
Attitudes and Values
Prudent behavior is an obvious outcome of a more risk-aware culture. But prudence is just a filter applied to your decisions. The more powerful outcome will be better quality decision-making.
You get better decisions when they can draw upon more data, and gain a deeper understanding of the nature of risk and uncertainty. You will start to see more consistency in how your team evaluates scenarios, seeing risk as a core business and strategic issue, rather than a stand-alone project-only concern.
Probity and Control
Your biggest wins will come from better governance, with little or no extra cost and time overhead. Taking an evidence-based approach to planning, strategy development, and policy-making will lead to more robust decisions, with conscious choices around risk profile. And when you apply risk methodologies in a consistent way, they will contribute to improved oversight and transparency around high-risk decisions.
How to Create a Robust Risk Culture in Your Project
As a Project Manager, you will almost certainly be thinking:
Okay, I buy it. I want a robust risk culture… What’s the plan?’
So let me give you a workplan, in the form of an outline Work Breakdown Structure.
Phase 1: Getting Started
Set up the right conditions from the outset.
- Sponsorship
- Engage your project sponsor
The process must start with you, but without the support of your project sponsor, you run the risk of team members wondering how important risk management really is. - Win top-tier commitment
Your sponsor must win support across the top of your project’s governance structure, and among other senior people who need to be a part of your project process. - Access resources and budget
Commitment must be conspicuous to everyone, and backed up by funding and resources. Include your risk culture in your project budget from the start.
- Engage your project sponsor
- Communication
- Communicate the imperative
Start communicating the imperative for solid risk management and your intent to build a robust culture, from early on. - Stakeholder engagement
As you would with any project, identify and analyze stakeholders in your plan to create a risk culture, and build a thorough communications plan. Be sure to consult and inform appropriately. - Reporting
Create a reporting process to ensure your sponsor and project board can monitor and guide progress.
- Communicate the imperative
Phase 2: Build Your Assets
Give people the knowledge, tools, and processes they need.
- Team
- Team Enrolment
When you bring on new people to work on the project, ideally find people who share your attitude to a strong risk culture. But, as a necessity, share your expectations with new team members as they join. - Brief your team
You want to create a common understanding of the culture you are creating, and the processes and behaviors that go with it. If necessary, provide training or other development opportunities - Build depth of understanding
Keep people up-to-date by sharing new thinking and good practices that emerge. Use lessons learned reviews and project meetings to fine-tune processes and behaviors.
- Team Enrolment
- Basics
- Create the basic process and basic supporting tools
Adapt or create the tools, templates, and process that will implement the behaviors you want. - Make them ‘Good’
Test and refine your tools, but do not aim for perfect. Aim for the continuous improvement of your processes and tools iteratively. - Share your processes and tools
Get your process and toolset out into your wider organization. You may not aspire to create change at that level, but by adopting a generous approach to sharing, you’ll create a somewhat more comfortable environment for your own project’s culture to sit within.
- Create the basic process and basic supporting tools
Phase 3: Demonstrate and Grow Value
Let your team succeed and find ways to recognize and celebrate their successes.
- Quick wins
- Create quick wins
Look for opportunities to demonstrate the value of what you are doing. - Communicate successes widely
Ideal opportunities are formal project reports and presentations – particularly to senior executives in your organization. But there are also informal opportunities with project bulletins and knowledge sharing. - Engage champions
Look for enthusiasts from among your team; people who have seen success and feel part of it. Then, engage them to spread the word to your wider stakeholder community.
- Create quick wins
- Learning and Development
- Evaluate early implementation or piloting of processes and tools
Discover what works and what does not. - Enhance your initial process and tools
Develop the processes and tools, and supplement with more tools. - Develop briefing and training materials.
For a long project, you’ll need to brief and train new team members as they come on board.
- Evaluate early implementation or piloting of processes and tools
Extending the Risk Culture Beyond Your Project
If you do aspire to extend your Risk Culture beyond your project, then one way is to treat a successful project implementation of risk culture as an organizational pilot.
- Roll-out
- Training
Create a training program and make a schedule for a wider organizational staff to attend modules designed for their work. - Communication
Build an organization-wide communication plan and maintain your communication process relentlessly. - On-going support
Set up mechanisms to support practitioners who are using your new processes and tools.
- Training
- Embedding and Reviewing
- Assess progress periodically
If necessary, step in and make changes. - Scan your business, political, and competitive environment for changes that should inform regular reviews of your processes, tools, and decision criteria.
- Consolidate performance and reward successes.
Recognize the contributions team members make and find ways to celebrate and reward their work.
- Assess progress periodically
The Assets You’ll Need for a Strong Project Risk Culture
In this section, I want to briefly outline the asset set you’ll need to develop, to maintain your risk culture.
Policies
A risk culture needs underlying policies. But keep them as light-touch as you can. They need to reflect the nature of your project and the risks it faces. Think about factors like scale, complexity, value, and the consequences of success or failure.
Crucially, your policies should identify responsibilities at all levels. Everyone must share responsibility – that is the meaning of ‘culture’. But who will take the lead on risk management, and review the processes, tools, and outcomes? And what about governance? How will risk be monitored at Sponsor or Project Board level?
Processes
Develop processes that meet the needs of your project and fit the priorities of your stakeholders. You will do better with a simple process that is used effectively than a comprehensive one that is soon abandoned or used infrequently. Document your processes clearly, and disseminate them widely. And keep them under periodic review.
Perhaps most important is the need to integrate your processes with supporting infrastructure like:
- tools
- templates
- contract forms
- technology
- reporting and escalation processes
- how you communicate with your organization and stakeholders,
- other project and program management processes,
- organizational process for knowledge management,
- team-member training and induction.
Tool-set
Build a set of tools to meet your project’s needs, and follow the process you’ve created. The most fundamental risk tool will be a risk register. But, on larger projects, you will need more; all the way up to complex and costly enterprise-scale software products.
Capabilities
Set up training and learning programs to create a team of capable people who share a common understanding, language, and toolset. After training, create opportunities for everyone to use their new knowledge and develop their skills, judgment, and awareness. Maintain their professional development by encouraging the sharing of experiences and learning.
Incentives and Recognition
The old saying ‘what gets measured gets managed’ is true here. If you don’t monitor and gather data on risk management activities, then there will be little incentive for people to comply.
Likewise, if your sponsor and project board do not review what these data are telling them and act on what they learn, then poor performance will be tolerated. Use simple incentives like recognition and thanks. And, above all, ensure that people know what you expect of them and that this expectation is a part of how you will assess their performance on your project.
Implementation Imperatives
As with all change, establishing this culture needs commitment throughout your project, but especially from the top. This means that, once started, you must maintain your commitment to it.
More than that, you need conspicuous support and endorsement from the governance structures and individuals who oversee your project. Lobby them hard.
As a project manager, risk management is in your blood. You are used to imposing discipline around uncertainty and the pressures of a project environment. But here is your chance to do it well.
A Risk Culture can achieve two things at the same time
It can:
- Make your life easier by making important behaviors into the default, and
- Enhance your project’s performance and results.
Whilst this kind of culture-building is never easy, this is not a costly initiative, yet it offers a great return on effort. I urge you to consider it.
Learn More about Risk Management and Project Risk Culture
If you want to focus on building a safety-first risk management culture, the first place to start is with my interview with Professor Andrew Sherry of the University of Manchester. He has huge experience in safety-critical industry settings and great examples to help understand the why and how of creating a risk culture…
After that, we have great resources that cover all aspects of Risk Management…
The Basics of Risk Management
- What is Project Risk Management? | Video
- Risk Management 101: An Introduction to Project Risk Management
- How Project Risk Management will Make You a Better PM
- Ultimate Guide to Project Risk Management
- Project Risk Management – How to Manage Project Risk | Video
The Risk Management Process
- 10 Step Risk Management Kick-off for Your Project
- Risk Identification: How to Identify Project Risks | Video
- Spotting Project Threats: How to Find the Sources of Project Risk
- The Project Manager’s Guide to Simple Risk Analysis
- Risk Analysis 101: How to Understand Threats to Your Project
- Every Project Management Risk Response Strategy: Are there 6, 7 or more?
- 5 Ways to Remove a Risk Entirely | Video
- How to Create a Risk Management Plan | Video
- What to Put in Your Risk Register (Risk Log) | Video
More Advanced Risk Management Ideas
- Managing Project Risk: Expert view from Glen Alleman
- 4 Types of Project Risk – Different Forms of Uncertainty | Video
- Risky Analysis: Pitfalls and Good Practices in Estimating Likelihood
- Risk Management – 5 Tips to do it right | Video
- What is a Residual Risk & What is Secondary Risk? | Video
- What’s the Difference: Risk Appetite – Risk Tolerance – Risk Capacity
- How to Do Risk Management in Agile Projects | Video
- Communications Channels: How to De-risk Your Project | Video
- 10 Things Project Managers Need to Know about Strategic Risk Management?
- Project Risk Management: What are the Best Books to Advance You?
Risk Management Certification
- PMI-RMP: All you Need to Know about PMI’s Risk Management Certification
- PMI-RMP: PMI’s Risk Management Professional Certification – with Harry Hall
- Uncertainty Performance Domain: How to Deal with Risk in a VUCA Context
Avoid Project Failure
Project failure is all too common. What are the reasons for it, and how can you stop them?
What are Your Experiences of Creating a Project Risk Culture
I’d love to read about your experiences, observations, or questions and will always respond to any comments below.