Most risk frameworks are built on an assumption that rarely holds in practice: consistency. They assume that once risk appetite, controls and governance are defined, they will be interpreted and applied uniformly across the organisation. In reality, they are not. Frameworks remain essential for consistency and oversight, but they are not sufficient on their own.
“Risk culture is often talked about but not always clearly defined. In practice, it’s not what organisations say about risk, it’s how people actually behave and make decisions, particularly under pressure,” said Dr. Martha Phillips (pictured), Enterprise Risk Director at AXA UK.
That gap between design and execution is where risk culture sits, and where many frameworks reach their limits in practice. Behaviour determines whether issues are escalated, how trade-offs are made, and whether people feel safe to challenge.
Organisations typically operate with multiple, overlapping cultures rather than a single, unified one. Drawing on doctoral research conducted within UK insurers, Phillips found that “organisations don’t have a single risk culture; they actually have multiple, and a minimum of four” with different parts of the business operating under distinct norms. “Some are more cohesive and collective, some more rules-orientated, others are more individualistic and performance-driven,” she said.
None is inherently better, but problems emerge when one dominates or when interaction between them weakens. “Resilience depends on how effectively those groups interact, particularly during stress events,” she said.
When those differences are working as intended, they become a strength: balancing perspectives, testing decisions and reducing blind spots. When they are not, organisations can become fragile, either through excessive risk-taking or through rigidity and over-control.
This variation helps explain why even mature risk frameworks can struggle to deliver in practice. “That’s also why formal risk frameworks sometimes fail to deliver real resilience, because they tend to assume consistency of cultural response,” Phillips said.
The assumption, as she put it, is that “if you define risk, controls and appetite centrally, they will naturally translate across the organisation”. “In reality,” she said, “those frameworks are interpreted and viewed differently depending on the local culture, incentives and leadership behaviours.”
Frameworks standardise language, controls and reporting, but not interpretation. Teams apply risk concepts through the lens of their own pressures and priorities, which can lead to uneven outcomes. “So you can have a really well-designed framework on paper, but it can be quite fragile in practice if people don’t escalate issues, collaborate effectively or feel able to challenge. Frameworks can give a false sense of resilience if behaviour doesn’t follow.”
These dynamics are reshaping the role of the risk function, shifting it away from retrospective assurance and towards forward-looking decision support. “I think this is about moving away from retrospective control, assurance and just holding the mirror up on where things are, and more towards being forward-looking,” Phillips said.
“Risk functions should be helping the business to understand consequences, trade-offs and where it is genuinely vulnerable.”
Regulatory focus on operational resilience has reinforced this shift by requiring firms to identify and prioritise what matters most. “The operational resilience regulations work really well here, because they’ve forced us to prioritise what is most important in terms of delivering for our customers and protecting business value,” she said. “They have also moved us away from trying to protect everything and more towards prioritised outcomes.”
That shift also depends on how risk is communicated. “For me, the main thing is that people are just asking themselves: what could go wrong, and what are we going to do about it?” she said.
Leadership plays a central role in how this shift is realised in practice. “I think leadership behaviour is one of the strongest signals of risk culture, much stronger than policies,” she said. “It’s about what leaders prioritise, reward and tolerate, because that ultimately determines how risk is handled in practice.”
Phillips’s research indicates that leaders influence multiple cultures across the organisation rather than creating a single, unified one. The challenge is maintaining balance between them. “Every cultural mindset has a value to the firm, but it’s about keeping them in balance,” she said.
From a cultural perspective, resilience is not defined by the absence of disruption, but by how effectively an organisation responds when it occurs. “A resilient organisation isn’t one where nothing goes wrong; it’s one where people respond effectively when it does,” Phillips said.
That response depends on both awareness and coordination. “From a cultural perspective, a genuinely resilient organisation is one where people are open-minded and able to accurately pick up on what I call weak signals,” she said. “If you’re not able to collaborate, coordinate and share information, that quite quickly makes the organisation fragile and rigid.”
In that sense, resilience is less a product of framework design than of everyday behaviour. The question is not whether risks are defined, but whether people are prepared to recognise them, and act.