Risk Management · Governance · Transformation
May 2026
11 min read

Building a risk culture that survives digital transformation

Digital transformation is the most significant test of risk culture that Swiss private banks have faced in a generation. The technologies change. The vendors change. The operating models change. What must not change — and what is most at risk of changing — is the institution's fundamental approach to risk: its willingness to identify risk honestly, escalate it promptly, and manage it consistently regardless of commercial pressure. Building a risk culture that survives this transformation is one of the most consequential things a board can do.

Why transformation is a risk culture stress test

Risk culture is not what an institution says about risk. It is what happens when the right risk decision is also the inconvenient one. When a technology project is running late and the pressure is to deploy without completing the security assessment. When a new digital product is generating strong commercial interest and the compliance team's concerns feel like obstacles. When the board is excited about transformation progress and management is reluctant to report problems. These moments — not the calm periods of normal operations — reveal whether risk culture is genuine or merely described.

Digital transformation creates more of these moments than almost any other institutional experience. The pace of change creates pressure that erodes normal deliberation. The technical complexity creates information asymmetry that undermines board and management oversight. The commercial urgency creates incentives that compete with risk management discipline. And the novelty of the risks — model risk, third-party technology dependency, digital operational resilience — means that the institution's established risk management reflexes may not be adequate to the new risk landscape.

Institutions that manage this well do not do so because their technology projects run smoothly. They do so because their risk culture is strong enough to hold under pressure. Understanding what that means in practice — and how to build it — is the subject of this article.

What FINMA looks for

FINMA's supervisory assessment of risk culture focuses on three observable dimensions: whether risk information flows freely to the board and senior management without filtering or delay; whether individuals who raise risk concerns are supported rather than marginalised; and whether risk considerations genuinely influence business decisions or are applied retrospectively to justify decisions already made. In a transformation context, these dimensions are tested more severely than in normal operations — and FINMA's examiners know this.

The five risk culture failure modes in digital transformation

Observing how institutions manage risk culture through transformation programmes reveals five failure patterns that recur consistently. Each is recognisable, each is avoidable, and each has been the proximate cause of significant governance failures in financial institutions undergoing digital change.

Failure 01: The enthusiasm trap
Board and senior management excitement about transformation creates an implicit signal that risk concerns are unwelcome. Compliance and risk teams learn to moderate their messages. By the time problems surface, they have been accumulating for months.

Failure 02: The expertise deficit
Risk and compliance teams lack the technical expertise to challenge management's technology decisions. They cannot ask the right questions about model risk, cloud security or third-party dependencies. Their oversight becomes formal rather than substantive.

Failure 03: The velocity problem
Transformation programmes move faster than governance processes. Risk assessments are completed after decisions are made. Compliance reviews are conducted for already-deployed systems. Governance becomes retrospective rather than preventive.

Failure 04: The silo effect
Technology teams and risk/compliance functions operate in parallel without genuine integration. Risk insights do not reach technology decision-makers in time to influence design. Technology developments do not reach compliance teams until they create compliance problems.

Failure 05: The success narrative
Positive reporting to the board crowds out early warning signals. Transformation programmes are presented as on-track when they are not. The board's ability to intervene early is compromised by the time it receives accurate information.

What genuine risk culture looks like in a transformation programme

Risk culture in a digital transformation programme is observable — not just in what people say about risk, but in the specific behaviours that characterise how risk is managed day to day. Three behavioural markers are particularly diagnostic.

Marker 1: escalation without consequence

In a healthy risk culture, individuals who raise risk concerns — even inconvenient ones, even ones that challenge management's preferred narrative about transformation progress — are supported, not sidelined. In practice, this means that the compliance officer who raises a concern about a technology deployment timeline should not subsequently find themselves excluded from project meetings. The risk manager who flags an unresolved model validation issue should not have that concern categorised as an obstacle to progress. And the relationship manager who refuses to onboard a client through a newly automated process they believe is inadequate should not be penalised for the commercial impact.

FINMA's examiners assess this dimension specifically. They will interview staff below senior management level and ask whether risk concerns are taken seriously. They will review the pattern of escalations and the outcomes for those who escalated. And they will look at how transformation project reporting to the board has evolved — whether early concerns were reflected in board reporting or whether difficulties appeared only after they could no longer be concealed.

Marker 2: risk appetite as a decision filter

In a healthy transformation risk culture, the institution's risk appetite framework is applied proactively to technology investment decisions — not just cited in governance documents. When the technology team proposes a cloud migration, the risk appetite for third-party technology dependency is considered as part of the decision, not noted in retrospect. When an AI model is proposed for deployment in a compliance function, the model risk appetite determines the validation requirements before deployment — not after a supervisory finding.

This requires risk appetite to be articulated specifically enough to be operational in a transformation context. Generic statements about "moderate risk appetite for operational risk" do not provide the guidance that technology investment decisions require. The risk appetite framework must be updated to address the specific risk categories that transformation creates: model risk, third-party dependency, digital operational resilience, data governance. Without this specificity, risk appetite exists as a compliance document rather than a decision tool.

"A risk culture that only functions in normal conditions is not a risk culture. It is a risk communication programme. The test comes when the pressure is real."

Marker 3: the board's genuine engagement with transformation risk

Board oversight of digital transformation risk requires more than receiving management's transformation update at each board meeting. It requires the board to ask specific, informed questions about risk — and to be unsatisfied with answers that are reassuring but imprecise. What is the current model validation status of the AI system we deployed last quarter? What is the residual risk profile after the third-party security assessment? What happened to the compliance concern raised at the last programme review, and how was it resolved?

These questions require board members to have sufficient understanding of transformation risk categories to ask them — which in turn requires the board to invest in its own capability development. This is not a counsel of technical expertise for board members. It is a recognition that the board cannot exercise oversight of risks it does not understand at a strategic level. Digital literacy at the board level — understanding what model risk is, what cloud dependency means for operational resilience, why data governance is a board-level issue — is a governance requirement, not a nice-to-have.

Building the governance structures that support risk culture

Risk culture is shaped by governance structures — the formal mechanisms that determine how risk information flows, how risk decisions are made, and how risk outcomes are reported. In a transformation context, several governance structures deserve specific attention.

Governance structures for transformation risk culture

Integrated programme governance
Risk and compliance representation embedded in transformation programme governance — not as reviewers of completed decisions but as participants in decision-making from the outset. Risk concerns addressed in programme design, not after deployment.

Dedicated transformation risk reporting
Separate risk reporting on transformation programmes to the board risk committee — covering open risk items, unresolved compliance concerns, model validation status and third-party risk assessments. Distinct from commercial progress reporting.

Technology risk expertise in second line
Risk and compliance functions equipped with sufficient technical expertise to challenge technology decisions — through hiring, training or specialist advisory support. The second line cannot oversee what it does not understand.

Go/no-go governance for deployments
Formal go/no-go decision process for technology deployments — requiring sign-off from risk and compliance before production deployment, with documented resolution of all outstanding risk items. No deployment without risk clearance.

Post-implementation risk review
Structured review of risk performance for deployed systems at defined intervals after go-live — assessing actual risk outcomes against pre-deployment risk assessments and feeding lessons into subsequent deployments.

Board risk literacy programme
Structured development of board members' understanding of transformation risk categories — model risk, cyber risk, third-party dependency, data governance — enabling meaningful oversight of management's transformation risk management.

The leadership dimension: what senior management must model

Risk culture is ultimately a leadership phenomenon. The behaviours that senior management models — how they respond to risk concerns, whether they apply risk discipline consistently under commercial pressure, how they talk about compliance and risk management in the context of transformation — set the cultural standard for the entire organisation. Policy documents, training programmes and governance frameworks are necessary but insufficient. The culture follows the leadership.

In a transformation context, three senior management behaviours are particularly powerful in shaping risk culture.

Rewarding the right behaviours

If the individuals who are seen to progress in an organisation are those who drive transformation pace and commercial outcomes, while those who raise compliance concerns or slow down deployments for risk reasons are seen to stagnate — the risk culture message is clear and it is not written in any policy document. Senior management must be explicit and visible in its appreciation of risk management behaviour. The programme manager who insisted on completing the security assessment before deployment, even under significant time pressure, should be recognised for that decision — not despite the delay it caused but because of the discipline it represented.

Honest reporting upward

Risk culture is damaged by senior management that filters the risk picture before presenting it to the board. Transformation programmes that are struggling should be reported as struggling. Risk concerns that have not been resolved should be presented as unresolved. The board's ability to exercise governance depends entirely on the accuracy of the information it receives — and if that information is optimised for board comfort rather than board decision-making, the board's governance is compromised before it begins.

Saying no

The most powerful risk culture signal that senior management can send is the decision to stop a transformation initiative because the risk is not adequately managed. Delaying a product launch, halting a technology deployment, refusing to proceed with a vendor integration until outstanding security concerns are resolved — these decisions are commercially costly. They are also the clearest possible evidence that risk management is real rather than performed. Organisations where senior management has demonstrably said no to commercially attractive initiatives for risk reasons have a different risk culture from those where such decisions have never been made.

Measuring risk culture in a transformation context

Risk culture is difficult to measure precisely — but it is not unmeasurable. Several observable indicators provide meaningful signal about the health of risk culture during transformation programmes.

The relationship between risk culture and transformation success

There is a persistent misconception that risk culture and transformation pace are in tension — that a strong risk culture slows transformation and a weak risk culture enables it. The evidence from financial institutions that have managed large-scale digital transformation does not support this view.

Institutions with strong risk cultures manage transformation more successfully precisely because their risk culture is strong. They identify problems earlier, when they are cheaper and less disruptive to fix. They avoid the costly regulatory consequences of deploying inadequately governed systems. They maintain staff confidence in the institution's direction, reducing the attrition of key talent that often accompanies poorly managed transformation. And they maintain their regulatory standing — the ability to pursue new business, new products and geographic expansion — which institutions under FINMA remediation focus cannot.

A strong risk culture does not slow transformation. It makes transformation sustainable. And sustainability — the capacity to maintain transformation momentum over the multi-year horizon that genuine digital change in private banking requires — is ultimately the difference between transformation programmes that deliver their strategic objectives and those that stall, reverse or collapse under the weight of accumulated governance failures.

Building that culture starts with the board. It requires leadership that is honest about the difficulty of transformation, disciplined about risk management under commercial pressure, and committed to the long-term view that sustainable transformation is always worth more than rapid but ungoverned change. That commitment, sustained over time and demonstrated in specific decisions, is what risk culture is made of.

Stanislav Bogomolov
Governance & Compliance Leader · Swiss Private Banking & Wealth Management
Senior GRC professional with extensive experience in Swiss private banking and wealth management. Writing on governance, risk management, compliance, board leadership and digital transformation — for practitioners, board members and senior management navigating the Swiss and EU regulatory environment.