The popular saying goes: “Culture eats strategy for breakfast.” And when it comes to risk, culture doesn’t just eat your strategy, it leaks your passwords, signs off bogus deals, and buries red flags under a carpet of silence.
So how do you stop that?
How do you build a culture where every employee thinks like a risk manager?
Let’s dive in. This isn’t a textbook answer. This is war-room advice.
Because in today’s Uganda, your biggest risk is not knowing what’s walking out your door, or into your systems.
Start with this truth: Risk is not the job of Internal Audit or the Risk Manager
It’s the job of everyone, from the receptionist to the CEO.
The boda rider who tailgates your CFO through the gate knows this. The fraudster on the phone pretending to be URA knows it. But inside your company?
People still say, “That’s not my job.”
That mindset is the virus. Culture is the cure.
Step 1: Make risk personal
People don’t care about frameworks. They care about stories.
Tell the story of the accounts assistant who lost her job after unknowingly paying a fake supplier.
Show the case of the NGO that lost UGX 2.4 billion because one USB stick infected its network.
Explain how one weak password gave hackers access to payroll.
When risk becomes real, people change.
Step 2: Use visible leadership
Culture cascades from the top.
If your EXCO doesn’t walk the talk, forget about the staff.
- Is your CEO on WhatsApp groups sharing unverified links?
- Are directors exempt from cyber drills?
- Does finance override controls “because the MD said so”?
Fix that first.
At Summit Consulting, we audit culture before we audit controls. Because we’ve learned this: People don’t do what’s written. They do what’s tolerated.
Step 3: Define your “Risk Culture Anchors”
These are 5–7 core behaviors you embed across the organization. Think of them as your cultural commandments.
Here’s an example set for a Ugandan SME:
| # | Anchor | Description |
|---|---|---|
| 1 | Own the risk | Don’t wait for the audit. If you see a gap, say it. |
| 2 | Pause before you act | Don’t click. Don’t pay. Don’t sign unless verified. |
| 3 | Escalate without fear | No retaliation for whistleblowing. Truth > hierarchy. |
| 4 | Data is sacred | Lock devices. Use strong passwords. Respect privacy. |
| 5 | Ask “what if?” | Before any project or decision, think risk first. |
| 6 | Challenge nicely | Encourage “dissent with respect” in meetings. |
| 7 | Speak up early | Problems grow in silence. Raise the flag early. |
Step 4: Integrate risk into daily rituals
Culture grows from repetition.
- Add “any risks today?” to morning stand-ups.
- Make “risk impact” a section in all reports.
- Recognize and reward staff who escalate threats early.
- Include a risk-focused question in every performance review.
You don’t need a new department. You need new habits.
Step 5: Run “Red Team” Exercises
This is where you simulate an incident and test the organization’s reflexes.
- Send a simulated phishing email to all staff. Count who clicks, and more importantly who reports it and how quickly.
- Leave a USB stick in the staff canteen (a harmless one that only records when it is plugged in). Who plugs it in?
- Have a third party pose as a vendor and try to get paid. Agree the scenario with the head of finance beforehand so no real money can leave.
Then review what failed, not to punish, but to learn. Anyone who reports the drill, even after clicking, should hear that they did the right thing; otherwise the next real phish goes unreported.
At Summit, we call this “stress-testing the culture.” It reveals what policies can’t.
Step 6: Flip the language
Stop talking in audit jargon. Talk in human language.
| Old way | Risk-aware way |
|---|---|
| “Update the risk register.” | “List what could go wrong in this project.” |
| “Evaluate inherent and residual risk.” | “How bad is the risk now, and after controls?” |
| “Report control failures.” | “What slipped through the cracks?” |
Plain English builds risk fluency. Fluency builds ownership.
Step 7: Measure what matters
Don’t just measure risks.
Measure risk behavior.
| Metric | Why it matters |
|---|---|
| % of staff who reported a phishing attempt | Shows alertness |
| # of near-misses reported per month | Indicates psychological safety |
| # of risk discussions in team meetings | Shows risk is part of work, not an extra |
| # of senior leaders who model risk behavior | Signals tone from the top |
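Here is how the Step 5 phishing drill can be scored against the Step 7 behaviour metrics. This is an added worked example, not code from the original article or from Summit Consulting; the staff names, departments and timestamps are constructed sample data, and the metric names are my own choice. The point it makes is that the click rate alone tells you little: the numbers that describe culture are the report rate, the share of staff who clicked and stayed silent, and how many minutes passed before the first report reached you.

```python
"""Score a phishing simulation on reporting behaviour, not just clicks.

Added example (not the article's own tooling). Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Outcome:
    """What one staff member did with the simulated phish."""
    user: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None = never clicked the link
    reported_at: Optional[datetime] = None  # None = never reported it


def classify(o: Outcome) -> str:
    """Bucket an outcome. 'clicked_then_reported' is a partial win:
    the control failed but the culture caught it."""
    if o.reported_at and o.clicked_at:
        return "clicked_then_reported"
    if o.reported_at:
        return "reported"
    if o.clicked_at:
        return "clicked"          # the dangerous bucket: clicked and stayed silent
    return "ignored"              # neither clicked nor reported


def campaign_metrics(outcomes: List[Outcome]) -> Dict[str, Optional[float]]:
    """Aggregate one campaign into the behaviour metrics from Step 7."""
    n = len(outcomes)
    if n == 0:
        raise ValueError("no outcomes to score")
    classes = [classify(o) for o in outcomes]
    # Minutes from send to report, for everyone who reported (clickers included).
    report_minutes = sorted(
        (o.reported_at - o.sent_at).total_seconds() / 60
        for o in outcomes if o.reported_at
    )
    return {
        "staff": n,
        "click_rate": sum(c in ("clicked", "clicked_then_reported") for c in classes) / n,
        "report_rate": sum(c in ("reported", "clicked_then_reported") for c in classes) / n,
        "silent_click_rate": classes.count("clicked") / n,
        "ignored_rate": classes.count("ignored") / n,
        # Time to FIRST report is what matters to the responder: that is when
        # the security team can start pulling the email from other inboxes.
        "minutes_to_first_report": report_minutes[0] if report_minutes else None,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
    }


def by_department(outcomes: List[Outcome]) -> Dict[str, Dict[str, Optional[float]]]:
    """Same metrics per department, so the huddles can own their own numbers."""
    groups: Dict[str, List[Outcome]] = {}
    for o in outcomes:
        groups.setdefault(o.department, []).append(o)
    return {dept: campaign_metrics(group) for dept, group in sorted(groups.items())}


# Constructed sample campaign: eight staff, three departments, sent 08:00.
_T = lambda h, m: datetime(2024, 3, 4, h, m)  # noqa: E731 (hypothetical date)
SAMPLE_CAMPAIGN = [
    Outcome("Amina",  "Finance", _T(8, 0), clicked_at=_T(8, 7)),
    Outcome("Brian",  "Finance", _T(8, 0), reported_at=_T(8, 5)),
    Outcome("Cathy",  "Finance", _T(8, 0), clicked_at=_T(8, 12), reported_at=_T(8, 20)),
    Outcome("David",  "Ops",     _T(8, 0)),
    Outcome("Esther", "Ops",     _T(8, 0), reported_at=_T(9, 30)),
    Outcome("Frank",  "Ops",     _T(8, 0), clicked_at=_T(8, 3)),
    Outcome("Grace",  "IT",      _T(8, 0), reported_at=_T(8, 2)),
    Outcome("Henry",  "IT",      _T(8, 0)),
]

if __name__ == "__main__":
    for key, value in campaign_metrics(SAMPLE_CAMPAIGN).items():
        print(f"{key:>26}: {value}")
    for dept, m in by_department(SAMPLE_CAMPAIGN).items():
        print(f"{dept}: report {m['report_rate']:.0%}, silent clicks {m['silent_click_rate']:.0%}")
```

Read the output the way the article reads culture: a 38% click rate looks bad, but a 50% report rate and a first report two minutes after send mean the organisation would have contained a real attack. The number to drive down month on month is the silent click rate, and the number to drive up is the report rate, including the people who report after clicking.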
The company that turned its mess into a model
A mid-sized Ugandan distributor faced a UGX 870 million fraud built on duplicate payments, fake vendors, and insider collusion.
Their solution? Not just controls, but culture repair.
- Every team now has a monthly “risk huddle.”
- They gamified risk awareness: the best alert wins lunch.
- Leaders share one personal risk mistake in every town hall.
Result?
- Fraud attempts still come, but detection has tripled.
- Staff morale has risen.
- External auditors reduced the control risk rating by 40%.
You don’t rise to the level of your controls.
You fall to the level of your culture.
If your culture rewards silence, punishes whistleblowers, tolerates shortcuts, and exempts leaders, no risk framework will save you.
But if your culture trains reflexes, celebrates escalation, and makes risk part of your DNA, then you’ve built your fortress.
Not a paper policy.
Not a checklist.
But a living, breathing, risk-aware tribe.
Want help embedding a risk-aware culture in your organization?
Summit Consulting offers customized culture transformation programs, red team simulations, and board risk coaching sessions.
Book a strategy call today: www.summitcl.com
Risk isn’t going away. But with the right culture, neither are you.