Risk Management/Audit and Executive Compensation
Have you successfully implemented changes to your organization's compensation plans to align with your corporate risk objectives?
- Clawbacks for executives (as in the case of Wells Fargo Consumer Banking Division)
- Increases in bonuses for improved risk management practices?
- Bonuses to front-line employees for "doing the right thing"?
Most employees have annual goals based on the financial results and related to the predicted environment. This includes total market, must-win projects, execution of business. The quality of execution includes proper risk management. So even if not directly, risk management is included in the annual goals, as the better this is done, the more favorable the company's results and the higher the annual bonus.
"Doing the right thing" is part of the company's code of conduct and a basic requirement of the employee. Even if this is, of course, more easily said than done, it should not be included in the annual bonus. It can be discussed that employees who, in one situation, walked the extra mile can receive recognition. Such a system is often included in the HR processes. The other way around, "not doing the right thing" has to negatively affect the annual bonus.
Darrell Heppner and Heppner Risk & Insurance Services, Inc. have been contract, professional risk management consultants since 1977. As a contract executive director/risk manager for several risk pools (California public agency joint powers authorities), these public agencies and their many public agency members have achieved safety culture changes - sometimes from night to day over several years of our organic risk and safety management programs. We have seen employees and managers change their thinking and habits, too. If you wish examples, let me know.
Sometimes it takes several years of patience waiting for changes to occur. I have used Academia.edu for my publications since 2014 and the worldwide top hits include: "changing corporate safety culture" and 2015 Zero Lost Time Injury Report by Darrell Heppner.
Great timing for the question. The Directors and Chief Risk Officers group (DCRO) just issued executive compensation guidelines from a risk perspective earlier this month. (Disclaimer: I was a participant). The press release is here: http://www.prweb.com/releases/2018/01/prweb15064734.htm. The full document is here: https://img1.wsimg.com/blobby/go/6299e5c2-5f50-4421-b3c0-652e6c91f6e1/downloads/1c38pm77g_907780.pdf
A delicate management situation. You want the workforce to "do the right thing" because they are positively motivated to do so, but not just because you pay them to. And yet, it has begun to seem as though that is what often must happen to ensure they are motivated to do so. Effecting a culture change along these lines can be difficult, given this. I cannot say I have had to do this: in my past management/executive roles my people always seemed to have the "right" orientation and did not require monetary motivation. I would like to say that was because they were following the example I worked hard to set for them. I think what would be more honest is to say that I had the good fortune to work with cybersecurity professionals of outstanding character. I do encounter this literally all the time in my profession (cybersecurity) at nearly all levels. I would also like to think I am not alone in enjoying this experience and others in these forums do as well.