Creating a Risk Culture One Story at a Time

Illustration of a big blue wave and a small boat with 4 people braving the wave

By Natalie K. Houghtby-Haddon

When I was growing up, a story my sisters and brother and I heard repeatedly was the story of how Great-Great Uncle Albert blinded himself as a 16-year-old. The story went something like this: While whittling, he was scraping the knife along the piece of wood toward himself; it hit a bump along the wood and came flying up toward his face, and he hit himself in the eye, making himself blind. The story was a cautionary tale, of course—never use a knife in a way that points the blade towards yourself; always whittle (scrape, cut) away from yourself. To this day, the story shapes the way I cut vegetables, bagels, or use anything sharp.

Whether they intended it or not, my parents were very successful in creating a risk-aware culture of safety in our family, at least when it came to using knives. Culture is, of course, the “taken-for-grantedness” of the world around us, the things we think and do and say without really thinking about them. As the person who teaches Change Leadership and Culture Sustainment for the GW Center for Excellence in Public Leadership’s Enterprise Risk Management in Government Certificate and Certification programs, I’m always thinking about how we can create organizational cultures that provide us with the results we’re looking for in enterprise risk management (ERM). These cultures should support information sharing and openness about the risks within our areas of responsibility so that across the enterprise we can make the best possible decisions about those risks that threaten our ability to achieve our mission and our strategic objectives. Further, from a sustainment perspective, I’m always interested in what it takes to make the culture we want simply “the way we always do things around here.” 

Figure 1. Risk Culture graphic: circles stacked to show how personal risk limits set the stage for institutional risk culture. From the outer ring to the center: Risk Culture; Organization Culture; Behaviors; Personal Ethics; Personal Predisposition to Risk.

Recently, I came across the Institute for Risk Management’s Risk Culture Resource Guide for Practitioners, which I recommend to anyone interested in shaping a risk-aware culture. As you can see in the graphic presented in Figure 1, their framework for risk culture begins with (1) an individual’s personal predisposition to risk, which then shapes (2) the individual’s personal ethics, followed by (3) that individual’s actual behavior; and that person’s behavior combines with all other members of the organization to create (4) the organization’s culture; which then shapes how willing people in the organization are to live in a (5) risk culture that either welcomes openness and information sharing or “punishes” people for identifying risks openly.

The “Aha!” for me is the reminder that organizational culture is created by the individuals who comprise that organization. What is my personal “risk appetite” for raising issues that I may see as career-ending, rather than career-enhancing? Am I more likely to wait to raise a problem until I have a resolution for it (which may then make it almost impossible to address if I can’t figure out a solution in time), or am I willing to admit that I don’t have a solution on my own and ask others for help early on? Am I willing to share information about a risk that I’ve uncovered, or do I keep that information hidden because there may be negative political consequences? How prepared am I to work collaboratively with others in my organization, even though that may risk them knowing that I and my part of the organization may have made mistakes or failed to achieve something we were responsible for? And what about my colleagues—how do they answer these questions for themselves? 

The leadership challenge in creating and sustaining an organizational culture that supports and rewards people for raising risks is to figure out how to ensure that what we say and what we do are aligned with our vision for that risk-aware, risk-informed culture. It also involves making sure that all those individual mini risk cultures—each person’s own Great-Great Uncle Albert story—are managed in such a way that as a collective we come to believe that working in an organization that supports openness and the sharing of potential risks is the best kind of organization of which to be a part. Roger Connors and Tom Smith, in their book, Change the Culture, Change the Game, suggest that the experiences people have in their organizations lay the foundation for the culture that creates the results the organization produces (see chapter 5). Experiences do this because they confirm or disconfirm the beliefs individuals have, which then shape the actions individuals are prepared to take to complete their work.   

As someone who is concerned about implementing ERM in public sector organizations, let me invite you to consider incorporating these three practices into your leadership tool kit:

  • Tell stories (over and over again—think Great-Great Uncle Albert!) that create a compelling vision for why a risk-informed organization is the best kind of place to work.
  • Be vigilant in making sure that what you say matches what you actually do when it comes to dealing with the sharing of potential risks.
  • Design experiences for your employees that confirm a positive approach to ERM, and risk management in general, and that will help them believe it is safe to raise concerns and possible risks early and often.

For example, consider using In Progress and After-Action Reviews to demonstrate your openness to hearing bad news without shooting the messenger. My Great-Great Uncle Albert blinded himself almost 140 years ago. But the story of his experience, and what we should do to mitigate that risk for ourselves, is now passing on to a fifth generation in our family. What are the stories that your agency tells about risks that were avoided because committed employees were willing to take the risk to share information and to work across organizational boundaries? If you don’t have those stories yet, how can you help to craft them, so that current and new employees will discover that being open about potential risks is simply “the way we’ve always done it around here”? How will you help to create an enterprise-wide culture of risk-informed decision-making by what you say and do, so that the American people will benefit, as your agency successfully accomplishes its mission on behalf of them?


Natalie K. Houghtby-Haddon, Ph.D., is the Associate Director of the George Washington University Center for Excellence in Public Leadership (GW CEPL). She is the Faculty Director for GW CEPL’s ERM in Government Certificate and Certification Programs. She would love to hear your stories and how you are getting the message out about the successes and benefits of ERM for your organization. Feel free to contact her at [email protected]  


This article originally was published in the AFERM Newsletter June 26, 2018