An effective risk management culture is foundational to an organization's success and resilience. It begins with strong leadership and "tone at the top," requiring directors to take an active role in overseeing risk (F). This culture ensures that risk management is not a siloed compliance function but is fully integrated into strategic planning and decision-making, aligning risk appetite with business objectives (E). For this to be effective, a sense of shared responsibility must be fostered, where all staff are aware of the key risks affecting the organization and understand their role in managing them (D). This creates a proactive, risk-aware environment throughout the entity.

A. Penalising staff for being associated with negative events fosters a "blame culture," which discourages the open communication and reporting necessary for effective risk management.

B. The goal of risk management is to manage risks to an acceptable level (within the risk appetite), not to eliminate all risk, which is impossible and would stifle all business activity.

C. While a risk manager is important, responsibility for risk management must be embedded throughout the organization; it is the responsibility of everyone, with ultimate oversight by the board.

1. Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2017). Enterprise Risk Management—Integrating with Strategy and Performance.

For F: Principle 1, "Board Exercises Risk Oversight," states that the board of directors is responsible for overseeing the development and performance of the enterprise risk management framework (p. 29).

For E: The entire framework is built on the premise of integrating risk management with strategy setting and performance. Principle 7, "Defines Business Objectives," and Principle 8, "Analyzes Business Context," directly link risk assessment to strategic goals (pp. 61-72).

For D: Principle 5, "Enforces Accountability," and Principle 14, "Communicates Risk Information," emphasize that risk awareness and responsibility must be cascaded throughout the entity to all personnel (pp. 47, 105).

2. Financial Reporting Council (FRC). (2018). The UK Corporate Governance Code.

For F & E: Principle O states, "The board should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in achieving its strategic objectives." (p. 10). This directly links board responsibility with risk and strategy.

3. Fraser, J. R., & Simkins, B. J. (Eds.). (2010). Enterprise risk management: Today's leading research and best practices for tomorrow's executives. John Wiley & Sons.

For C (Incorrect): Chapter 1, "Enterprise Risk Management: An Introduction and Overview," explains that ERM is a process "effected by an entity’s board of directors, management and other personnel," refuting the idea of devolving it to a single manager (p. 6).

For A (Incorrect): Chapter 11, "A New Approach for Chief Risk Officers," discusses the need for a culture that encourages transparency and learning from failures, which is contrary to a punitive approach (p. 215).