This paper conceptualizes risk culture and sheds light on the role it plays in insurers’ risk management frameworks. The paper follows a cognitive, dynamic approach, arguing that risk culture is the product of organizational learning about what has or has not worked for it in the past. Within their local context, the members of a group learn which of the typically centrally prescribed formal risk management policies and procedures and which espoused risk philosophies actually work in practice in the sense of behaviour that is formally or informally encouraged or discouraged, rewarded or punished. While the formal risk management framework defines which processes to use, which limits to obey, and which values to aspire to, it is the risk culture that defines which rules and norms are perceived to be rational and important. The insurance literature commonly argues, and practice suggests, that it is necessary to achieve consistency in order to effectively embed risk management. Nevertheless, inconsistent basic assumptions as the deepest level of risk culture are a likely feature of local subgroups However, what is rational and efficient to one subgroup might be random and dangerous for the organization as a whole