Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees [1]. Risk culture influences how the organization perceives, responds to, and manages the risks that may affect its objectives, operations, or assets [2].
The scenario described in the question best demonstrates an organization’s risk culture, because it shows how the management team’s attitude and actions towards risk are driven by the organization’s values and goals. In this case, the organization’s risk culture is characterized by:
A high risk appetite and tolerance, which means that the organization is willing to take and accept significant risks in order to achieve its strategic objectives of launching a new product and penetrating new markets.
Low risk awareness and sensitivity, which means that the organization does not give enough attention or consideration to the potential IT risk factors, threats, and vulnerabilities that may affect its product development and market entry.
Weak risk governance and control, which means that the organization does not have adequate or effective policies, procedures, or mechanisms to identify, assess, respond to, or monitor the IT risks and their impacts.
References = Risk Culture of Companies | ERM - Enterprise Risk Management Initiative …, Taking control of organizational risk culture | McKinsey