The risk culture is the shared mindset and behaviours that shape how a firm makes decisions and manages control across the organisation.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Firms’ responses to regulatory and supervisory expectations on risk culture tend to cluster into four observable patterns (highlighted below), primarily shaped by two core factors: organisational ability (how capable the firm is at managing risk in practice) and organisational willingness (how motivated leadership and the business are to engage with risk proactively).

The four observable patterns are:
1. Neglect culture - This pattern sits at the lowest end of the maturity scale, where firms normalise warning signs, lack clear ownership, and allow risk to build silently. Escalation is often discouraged or ignored, meaning issues only surface once they become material events.
2. Analysis paralysis - Whilst a step up from the neglect culture, it is still ineffective. Firms understand risks and produce analysis, gap assessments, and frameworks - but still struggle to convert insight into action. Decision-making is delayed while waiting for certainty, leading to missed opportunities to intervene early.
3. Painkiller culture (the paracetamol problem) - Higher ability but still lower willingness, where firms are operationally capable but culturally reactive. They prioritise quick fixes to stabilise situations and, consequently, issues frequently re-emerge in different forms because the underlying structural drivers remain unaddressed.
4. Healthy risk culture - The target state, where both the ability and willingness of the firm are strong. In such environments, early warning signals trigger investigation, root causes are addressed directly, constructive challenge is fostered, and employees are actively encouraged to speak up. Crucially, risk ownership is embedded in the First Line, while the Second Line provides effective oversight and partnership rather than acting as a “fixer.”

Firms that treat risk culture as a whole-organisation responsibility - rather than a risk function initiative - are far more likely to prevent failures driven by cultural weaknesses.

Why the “Paracetamol Problem” continues to drive risk culture failures:
Across financial services, firms continue to invest heavily in governance frameworks, controls, and remediation programmes - yet major failures linked to risk culture persist. The underlying issue is this “Paracetamol Problem”: firms repeatedly treat symptoms rather than diagnosing and fixing the root causes of cultural weakness.

In practice, this means applying short-term fixes - such as governance changes, additional controls, or training rollouts - that temporarily reduce visible risk signals but do not address how decisions are really made, how challenge and escalation are encouraged and monitored, or how commercial and control priorities are balanced in day-to-day operations. Over time, issues often reappear in different forms, creating cycles of remediation without sustained improvement.

Strong risk culture is therefore less about what exists on paper, and more about how people behave under pressure and uncertainty.

Our observations from practice:
From what we see across global firms, the early signals are usually consistent:

  • Escalation that only happens for “major” incidents, rather than early-warning issues
  • Unclear or uneven 1LoD ownership
  • MI that is voluminous and reassurance-led, rather than decision-useful
  • Remediation that closes actions, but doesn’t institutionalise learning or address systemic root causes

What good risk culture looks like:
Firms that avoid this cycle typically demonstrate:

  • Early investigation of weak signals and emerging risks
  • Clear first-line ownership of risks and controls
  • Environments where challenge and escalation are encouraged and rewarded
  • Management information designed for decisions, not reporting volume
  • Risk appetite embedded into strategic and operational decisions
  • Learning from incidents that drives systemic change, not just action closure

Critically, strong risk cultures align leadership behaviours, incentives, governance signals, and day-to-day decision-making across all levels of the firm.

Why this matters:
Weak risk culture rarely remains contained. Over time, it can drive poor decision-making, excessive risk-taking, reduced resilience, and loss of stakeholder confidence. Strong risk culture, by contrast, supports sustainable performance, improves decision-making under uncertainty, and strengthens long-term organisational resilience.

Therefore, addressing weak risk culture is not about launching a single transformation initiative. It requires sustained leadership behaviour, aligned incentives, embedded controls, and organisational environments where transparency, challenge, and early escalation are consistently reinforced.