- Integrate risk into everyday business processes rather than isolating it in governance structures
- Use behavioral design to make risk-aware decisions the default choice
- Translate risk appetite into measurable KPIs with clear ownership and escalation paths
- Communicate policies through practical examples and reinforce them in performance discussions
- Align incentives with risk-adjusted outcomes, not just financial performance
- Leverage AI and analytics for real-time monitoring while maintaining ethical guardrails
Ahead of Risk Americas 2026, we spoke to David Buck about how organizations can transform risk culture by embedding it into daily decisions, aligning incentives, and translating risk appetite into actionable metrics. By leveraging behavioral design, clear communication, and emerging technologies, firms can shift from static compliance frameworks to dynamic, real-time risk management that drives smarter decisions and sustainable performance.
What practical steps can organizations take to embed risk culture into day-to-day decision making rather than treating it as a compliance exercise?
The shift happens when risk stops being something you report on and starts being something you actually do. In my experience, the organizations that get this right integrate risk into their existing operating rhythm — their planning cycles, their business forums, their deal approvals — rather than only standing up separate risk committees that run in parallel to the business. When you hear senior executives ask “what are we trading off here?” or “what could we be wrong about?”, it signals that uncertainty is a legitimate part of the conversation, not a separate activity. Behavioral economics has been instructive for me here — the concept of choice architecture suggests that if you design decision processes so that risk-aware choices are the default, you don’t have to mandate good behavior, you just make it easier. Ultimately, culture lives in the moments between the policies, and the measure of success is whether people reach for risk frameworks instinctively, without being reminded to.
What are some best practices to translate Board-level Risk Appetite statements into measurable operational KPIs across the wider business?
I find this to be one of the most challenging aspects in enterprise risk management, and I’ve seen it at every type of institution — from my time at the Fed to the large financial services firms I’ve worked with since. The core discipline is cascading architecture: taking enterprise-level appetite statements, focusing on the most impactful risks, and translating them into specific tolerances with defined thresholds, owners, and escalation triggers. What makes it work is bidirectional traceability — every metric should map upward to an appetite statement, and every appetite statement should have at least one measurable indicator someone is accountable for. I’ve also learned to guard against metric overload — a dashboard with hundreds of metrics that no one acts on is arguably worse than no dashboard at all, because it creates the illusion of oversight. I think the firms that do this best tie KRI performance directly to business planning, so risk appetite becomes an active input to resource allocation rather than a governance artifact that gets dusted off once a year.
How do you ensure your organization’s risk culture is influencing actual behavior through well-communicated policies?
While policies are critical to lay out the desired outcomes and requirements, what truly drives behavior is whether people find policies clear, relevant, and consequential in their day-to-day work. That means writing at a length and level that practitioners will actually engage with, pairing policies with worked examples and decision guides, and reinforcing them in performance conversations rather than just annual attestations. I’ve also become a strong believer in consistent, accessible communication as a cultural tool — using narratives, real examples, and even behavioral concepts to build risk fluency over time rather than relying on compliance mandates. Measuring behavior, not just acknowledgment — near-miss reporting rates, escalation frequency, audit findings trends — these tell you far more about whether culture is working than signed attestations.
What are the key challenges leaders face when aligning performance incentives with defined risk appetite, and how can they overcome them?
Most incentive systems reward outcomes, while risk appetite governs the process by which outcomes are pursued. If a business unit hits its revenue number by taking on concentrated exposure that violates risk appetite, the P&L still looks good — and compensation reflects that. The fix requires deliberate design at three levels: governance, measurement, and culture. On governance, compensation committees need to explicitly review risk-adjusted performance metrics, not just financial results. On measurement, scorecards should incorporate risk consumption, limit utilization, and conduct indicators alongside revenue. But the most powerful lever is cultural — when a leader visibly rewards a risk-aware decision that gave up short-term gain, or when a clawback decision explicitly references a risk culture failure, it makes the stakes real in a way that no policy document can.
How do you see emerging technologies like AI and advanced analytics reshaping the way organizations quantify and monitor risk culture in real time?
We’re at an inflection point where risk culture is starting to move from a lagging, survey-based discipline toward something closer to real-time sensing, and it’s exciting. Natural language processing applied to internal communications and escalation patterns can surface early indicators of cultural drift — whether certain risks are being normalized, whether dissent is being suppressed, or whether particular business units are outliers in how they engage with risk governance. Even more transformative, in my view, is the potential for AI-assisted tools that surface relevant risk context at the point of decision — embedded in deal approvals, credit workflows, or vendor onboarding — so that risk culture becomes part of the action rather than a post-hoc report. That said, I’m equally focused on the governance challenges: these tools need rigorous oversight, and organizations need to draw a clear line between measuring risk culture and surveilling employees. Getting that distinction right requires explicit ethical guardrails and active board-level visibility — it’s an area where the risk function needs to be in the room early.
As business environments become more volatile, how should companies evolve their risk appetite frameworks to remain agile without sacrificing control?
In a world of persistent shocks and structural change, a static, once‑a‑year risk appetite exercise is no longer effective. I think the evolution has three dimensions.
First, we need to anchor appetite much more tightly to strategy, risk capacity, and control effectiveness, and then be willing to recalibrate as the environment moves. That means combining hard financial and resilience metrics with non‑financial boundaries on conduct, reputation, and culture so there is no ambiguity about what we will not do, even in a crisis.
Second, we should move from static limits to scenario‑aware, data‑driven appetites. Use richer internal and external data, forward‑looking indicators, and stress scenarios to pre‑define how exposures, limits, and actions change under different regimes—so when volatility hits, you are executing a playbook, not arguing over first principles. That also requires more agile governance: cross‑functional teams empowered to make timely trade‑offs within clearly defined escalation thresholds.
Third, we have to embed appetite into the way our organizations actually run. That means risk appetite shows up in pricing discipline, product approvals, capital allocation, third‑party decisions, and incentive structures—not just in a board paper or presentation.
If done well, risk appetite becomes a source of competitive advantage rather than a compliance artifact: it gives our organizations the confidence to move quickly where we have capacity and strong controls, and the discipline to stop, pause, or pivot when we approach the boundaries we have set for ourselves.