Risk culture, which is essentially how the organization as an entity feels about and deals with risk. This culture is developed from several sources. First, it can come from the organization’s leadership, based upon their business and management philosophies, attitudes, education, and experience. It can also come from the organization’s governance. Remember that governance is essentially the rules and regulations imposed either by external entities (in the form of laws, for example) or internally by organization.
In any case, the culture of the organization really defines how the organization feels about risk and how it treats risk over time.