Building an effective culture in high-risk operations
After more than two decades working with organisations across mining, energy, logistics, and security, I’ve come to understand a simple truth: compliance keeps you legal but it’s culture that really helps businesses succeed and keep people safe.
I’ve worked with businesses where every sign was in place, every permit in order, and every procedure followed to the letter: yet the culture did not match the requirements of the business; all of which made them a prime candidate for cutting corners on safety, adopting unsuitable behaviours, and eroding the company’s ‘social licence. I’ve also worked with teams in high-risk environments who, despite operating under extreme pressures, made safe choices instinctively, because security and safety wasn’t just a rulebook, it was part of who they were.
That’s the shift we’re talking about here: not just better paperwork but a better mindset. This mindset is led by culture. Culture drives attitudes, and creates the behaviours that keep your entire workforce more effective. They are more vigilant, better attuned to their environment, working well both within and outside the organisation, and ultimately making good decisions.
Compliance: Necessary, but Not Enough
Let’s be clear: compliance matters. Rules, regulations, policies and procedures all exist for good reason. But if the goal is to create a workplace where people consistently identify, manage, and reduce risk, then compliance alone won’t get you there.
In many operations I’ve seen what I call ‘the illusion of safety’. All the indicators look fine, but under the surface, people are disengaged and complacent, reporting is low, unsafe practices go unchallenged, and early warning signs are missed.. When risk is just a tick-box activity, people learn how to tick the box, and do not think about how to reduce risk and improve things. This illusion is more than just safety: its risk management across the organisation: from security, to safety, to employee welfare, to local community relations and much else besides.
And in high-risk operations, that disconnect can be fatal.
In 2010, the Deepwater Horizon disaster in the Gulf of Mexico resulted in 11 fatalities and the largest marine oil spill in history. The incident was caused not just by technical failures, but by a flawed safety culture. Despite clear warning signs, workers didn’t escalate concerns and the situation was allowed to exist and then get out of control. Subsequent investigations identified fragmented. accountability between the business and its contractors, a history of ignored safety warnings, an emphasis on a very narrow definition of operational success, and many other small problems. In combination they were catastrophic. From our perspective, it shows the culture did not flow into day-to-day behaviours: everybody knew that these behaviours were problematic, but they continued.
In 2016, 15 staff were killed in an attack as they travelled to work in Kabul [source]. 13 Nepalese and 2 Indian security staff died when their unarmoured minibus made its routine shuttle run, their daily commute, to their workplace. The incident was caused by failures in basic security, but also a culture in which these failings were tolerated day in, day out. As the Nepalese Government angrily observed, their citizens should have been in protected transport, but better yet they should never have been obliged to make the same journey every day in an environment where such patterns are ripe for deadly exploitation. Again, it was the culture that allowed these failings to develop: everyone knew that these were serious risks but let them persist.
What Commitment Really Looks Like
The shift from compliance to commitment is cultural, not procedural. It’s about creating an environment where people make safe decisions because they believe in it, not because someone’s watching. Culture manifests itself as attitudes and behaviours, and the aim is for these to become second nature.
I’ve seen the difference play out time and again. In organisations that value commitment. Staff approach routine problems in the right mindset and aim to get it right, first time. It’s just what they do. Staff call pause on a job, not because the JSA told them to, but because something doesn’t feel right. Staff ‘live and breathe’ the company’s commitment to doing it right and doing it well.
The strongest safety cultures I’ve worked with are built on honesty, humility, and a shared belief that every task should be done safely: or not at all.
Five Pillars of an Effective Culture
Here are five consistent things I see when organisations get it right:
1. Leadership Sets the Tone
A business culture starts with leadership. It starts at the top, and everything flows down from this. . Leaders need to take the time to be clear about what they want, what they want to avoid, and what their business culture needs to be. This is not a separate exercise from being a successful and profitable business, it is a critical part of it. Is your business dependent on the good will of the local population? If yes, then it's essential you have an approach and culture that ensures the population wishes you success.
C Suite can help themselves in working this out by walking the floor, listening without judgement, and demonstrating safe behaviours themselves. It sends a powerful message that this matters.
2. The Business is Well Informed
Any business needs to be informed to be successful. You can’t manage or fix what you don’t know about, and this applies as much to culture as it does to competitors, etc. If managers are to know that their business is working they want and need it to, then they must be sure they know what's really going on. A business culture that has no means of rewarding honesty, or inadvertently reduces this, is obviously not going to achieve this.
Where people are afraid to speak up, nothing changes. Inaction, or action based on misunderstanding creates problems. It is essential that managers create a culture of honesty and of psychological safety.This means moving away from blame and towards welcoming accurate and honest reporting. . When staff know their voice matters, they’ll use it. Better yet, when staff know that they are rewarded for speaking up then they’ll use it well. And when they do, you’re safer for it.
3. Engagement Must Go Beyond Training
Too many inductions are only about following procedures. There is no effort to instill actual insight about ‘why’. Behavioural science shows that people generally perform better when they understand why they are required to do things, rather than when they are merely told to do things. Insight improves culture, and culture improves behaviours.
Worse yet, inductions and on the job training, that recite rules without insight usually just become information overload. Engagement isn’t about volume, it’s about relevance. In an effective risk management culture, knowing that the company truly believes that you, as a staff member, are valuable and important is instrumental in driving better behaviours. One way of getting at this is for frontline workers being involved in designing work methods. Feedback loops should be short and real. One of the most effective strategies I’ve seen? Informal peer-to-peer and peer-to-boss behaviours, where information flows quickly and easily . No forms. Just a chat about what went well, what could’ve gone better, and what's going to change next time. That’s how you build real engagement: give people ownership, give them a voice..
4. Policies and Procedures are Real and Valued
Policies and procedures must go beyond being mere documents on a shelf: they must be actively embedded into the daily rhythm of operations. When staff see that these guidelines are clearly communicated and consistently followed and enforced by leadership, they begin to trust in their relevance and necessity. This builds a culture where safety protocols, security measures, and compliance standards are seen not as bureaucratic hurdles, but as integral to protecting people and the environment.
5. Reward What You Value
You can tell a lot about a company’s culture by what it celebrates. If the biggest cheers go to a slim measure of productivity, but risk management barely gets a passing mention:you’ve got a problem.
Recognise the behaviours you want more of. This is harder than it looks, as risk culture is often counterfactual. It's hard to prove the impact of something that didn’t happen. This is the greatest problem with risk management: money gets spent and the result is that nothing happened. It's also the point, and the measure of success.
So how to get past this problem? The first step is to know what you really value, and as a business that is always going to be a successful, profitable business. But to be successful, especially in the long term, means managing and mitigating risks. The business needs a culture that recognises that reducing risk is instrumental to success. The means of success is as vital as the end-state of success itself. Of course, in practical and realistic terms a balance has to be struck as a business that takes no risk whatsoever is doomed.
A business culture understands this balance. But what about the counterfactual problem? An effective culture accepts that while you cannot prove exactly what was avoided, you can prove that somebody acted to prevent it. The culture must be designed to recognise and encourage the combination of small behaviours that nip problems in the bud: these really do ensure the chances of problems, or even disasters, are reduced bit by bit, and constantly. Waiting for a lagging indicator that something has gone wrong is clearly disastrous, so an effective culture must encourage behaviours and metrics that show this constant vigilance. It is for this reason that reporting near-misses is considered valuable, but even this is often a need to get metrics rather than create a culture.
People notice what gets rewarded, so make sure it aligns with your values .
Take a Strategic Advantage to Risk Aversion
Let’s be honest, risk management is still viewed as a cost. Spending time, effort and money getting an effective risk management culture in place looks expensive on all measures. But in reality, in high-risk industries not only is it a differentiator, it's a tool for success. It sets the conditions for long term success. This is both better performance (encouraging the positive) and avoiding costly mistakes (avoiding the negative). Organisations with a deeply embedded risk management culture:
Operate efficient best practice operations
Attract and retain better talent
Improve staff motivation and productivity
Foster better local community relations, driving a social licence to operate
Reduce downtime, inefficiency, complacency and other factors that erode profitability
Reduce the risk of costly incidents.
Win contracts and build client trust.
But perhaps most importantly, in high-risk environments managers and staff both share the common understanding that . They're building a workplace where everyone goes home safely, every day. And that’s what it’s all about.
Final Thought
If you’re still measuring risk management by audit scores and KPIs alone, it’s time to ask a harder question: What does risk management mean to our people when no one’s watching?
While compliance will keep the regulators satisfied, its culture will really keep your people safe and your business successful: the organisations that thrive are the ones who choose culture over convenience, people over process, and values over visibility.
It’s not easy work. But it’s the work that matters most.