Defining a GRC culture


Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360

The Three Dimensions Of GRC Culture: How Risk, Compliance, And Governance Culture Shape Organizational Behavior

Why GRC Culture Is A Governance Priority

The culture of an organization influences how management and employees make decisions, allocate resources, and respond to ethical dilemmas, often at a level that operates below conscious deliberation. Culture determines whether policies and controls function as intended or exist only as documentation that bears no relationship to actual behavior. It determines whether employees escalate concerns or suppress them, whether risk-taking is informed or reckless, and whether governance structures exercise genuine oversight or serve as ceremonial formalities.

Senior leadership bears direct responsibility for ensuring that the organizational drive to achieve results does not override the boundaries within which those results must be achieved. The pressure to deliver financial performance, meet aggressive targets, or secure competitive wins can create environments in which employees interpret implicit or explicit signals that outcomes matter more than the means used to achieve them. This dynamic, sometimes described as a culture of getting results at any cost, is among the most frequently cited root causes in regulatory enforcement actions, corporate scandals, and organizational failures across industries.

Employees at every level must understand that governance, risk management, and compliance requirements apply universally throughout the organization and that adherence to these requirements is not optional, situational, or subordinate to commercial objectives. In practical terms, this means that all levels of the organization must understand the boundaries within which they are expected to operate, that those boundaries are enforced consistently, and that leadership demonstrates through its own conduct that the boundaries apply equally to those at the top.

Regulators have increasingly focused on organizational culture as a determinant of compliance program effectiveness. The DOJ Evaluation of Corporate Compliance Programs, most recently updated in 2023, examines whether the organization's leadership has clearly articulated the company's ethical standards, whether those standards have been communicated effectively throughout the organization, and whether the compliance program has been implemented in a manner that demonstrates the organization's culture of compliance. The UK Financial Conduct Authority has published extensive guidance on the relationship between culture and conduct risk in financial services, and the Basel Committee on Banking Supervision addressed culture directly in its 2015 Corporate Governance Principles, stating that the board should set and oversee the implementation of the bank's corporate culture and values.

The Fiscalía General del Estado in Spain, through Circular 1/2016, emphasized that compliance programs must reflect the genuine compliance culture of the organization rather than serving as instruments designed solely to avoid criminal liability. This regulatory expectation, discussed in detail in the earlier post on Spanish corporate criminal liability, reinforces the principle that culture is evaluated as evidence of program authenticity, not as an intangible quality that exists beyond regulatory scrutiny.

Understanding Culture As A System Of Behavioral Determinants

Before examining the three dimensions of GRC culture individually, it is important to establish what culture means in an organizational context and why it matters for governance, risk management, and compliance outcomes.

Organizational culture is the system of shared values, beliefs, behavioral norms, incentive structures, communication patterns, and leadership behaviors that collectively determine how work is performed, how decisions are made, and how individuals and groups respond to ethical challenges, operational pressures, and uncertain situations. Culture is not what the organization says it values. It is what the organization demonstrably rewards, tolerates, and punishes through the cumulative pattern of its decisions, promotions, disciplinary actions, resource allocations, and leadership conduct.

The influential work of Edgar Schein, particularly his foundational text Organizational Culture and Leadership, identifies three levels at which culture operates. Artifacts are the visible structures, policies, and processes that the organization has created. Espoused values are the stated strategies, goals, and philosophies that leadership articulates. Underlying assumptions are the unconscious, taken-for-granted beliefs and perceptions that actually drive behavior. The gap between espoused values and underlying assumptions is where culture risk resides. An organization that espouses ethical conduct but systematically rewards individuals who achieve targets through boundary-pushing behavior has a culture problem that no policy or training program can resolve without addressing the underlying assumptions and incentive structures.

This analytical framework is directly relevant to GRC because it explains why organizations with well-documented policies, comprehensive training programs, and formal governance structures can still experience compliance failures, risk management breakdowns, and governance scandals. When the underlying assumptions of the culture conflict with the espoused values of the GRC framework, the culture wins.

Risk Culture: How The Organization Makes Decisions Under Uncertainty

Risk culture is the system of values, beliefs, knowledge, attitudes, and behaviors related to risk that influences how the organization identifies, assesses, communicates, and responds to risk in its decision-making at all levels.

The Institute of Risk Management published a detailed risk culture framework that identifies several dimensions of risk culture including tone at the top, accountability, incentives, risk communication, and competence in risk management. The Financial Stability Board, in its 2014 guidance on risk culture, identified four indicators of a sound risk culture in financial institutions: tone from the top, meaning that the board and senior management set and communicate the organization's risk appetite and expectations for risk conduct; accountability, meaning that relevant employees at all levels understand and accept the risks they take and are held accountable for risk outcomes; effective communication and challenge, meaning that a risk-aware environment promotes open communication, transparency, and the willingness to challenge decisions and practices that are inconsistent with the risk framework; and incentives, meaning that financial and non-financial incentive structures reinforce the organization's risk management objectives.

In practical terms, a strong risk culture is one in which employees understand the organization's risk exposures and how those exposures relate to their own roles and decisions. It is one in which risk management training is not a compliance checkbox but a genuine capability-building exercise that equips employees to identify, assess, and escalate risks in the course of their daily work. It is one in which risk policies, risk appetite statements, and risk management procedures are understood, accessible, and consistently applied rather than existing as documents that are reviewed during onboarding and then forgotten.

The academic research on climate strength, discussed in the earlier post on building a sustainable risk and compliance culture, provides empirical evidence about the conditions under which strong shared risk perceptions develop. Smaller teams with clear leadership guidance, dense communication networks, high employee engagement and tenure, and leaders who behave consistently with stated standards all contribute to stronger shared risk culture. These findings suggest that risk culture is not built through policy declarations alone but through the structural and behavioral conditions that determine whether risk-related information flows effectively through the organization and whether employees internalize risk management as part of their professional identity.

The observation that financial institutions with stronger risk cultures navigated the 2008 global financial crisis more effectively than those with weaker cultures has been supported by multiple analyses, including the findings of the Senior Supervisors Group report of 2009, which examined how governance and risk management practices at major financial institutions affected their performance during the crisis. The report identified firm-wide risk culture, including the willingness to challenge assumptions and escalate concerns, as a differentiating factor between institutions that managed through the crisis and those that did not.

Compliance Culture: How The Organization Responds To Rules And Obligations

Compliance culture is the overall environment that determines how the organization identifies, interprets, implements, and monitors its compliance with applicable laws, regulations, contractual obligations, and internal policies.

In a strong compliance culture, employees follow the correct processes and perform the required controls not because they are being watched but because they understand why the requirements exist and have internalized compliance as a professional and ethical obligation. The distinction between compliance driven by surveillance and compliance driven by internalization is fundamental. The former is fragile and expensive to maintain. The latter is resilient and self-reinforcing.

In practical terms, compliance culture encompasses the organization's effectiveness in meeting its regulatory obligations, its ability to prevent and detect compliance violations, the proactiveness of employees in anticipating compliance issues rather than merely reacting to them, the organization's approach to interpreting both the letter and the spirit of applicable rules, and the adequacy of resources allocated to compliance examination, monitoring, and remediation.

Compliance culture is shaped by several organizational elements. Strategic commitment means that compliance is embedded in the organization's strategic planning and not treated as a cost center that competes with revenue-generating activities for resources and leadership attention. Effective control design means that the organization has identified the control points most critical to preventing and detecting compliance violations and has implemented controls proportionate to the risks at each point. Audit and monitoring infrastructure means that compliance activities are traceable, documented, and subject to independent verification. Disclosure and transparency means that the organization's compliance obligations, policies, and performance are communicated clearly to all relevant stakeholders, including employees, regulators, and business partners. Accountability and consequences means that compliance violations result in appropriate disciplinary action applied consistently across all levels of the organization, including senior management.

The DOJ Evaluation of Corporate Compliance Programs specifically examines whether the compliance function is perceived within the organization as having genuine authority and respect, whether compliance personnel have adequate stature and resources, and whether there is a pattern of compliance standards being enforced consistently or being waived for commercially important employees or transactions. These factors are direct indicators of compliance culture, and their presence or absence determines whether the organization's compliance program is effective in practice or merely effective on paper.

Governance Culture: How The Organization Directs, Controls, And Accounts For Itself

Governance culture is the system of attitudes, practices, and institutional behaviors that determine how the organization exercises direction, oversight, and accountability at the board and senior management level, and how those governance practices are embedded throughout the organization's operations and decision-making processes.

A strong governance culture is one in which the board provides genuine strategic direction rather than merely ratifying management's proposals, in which oversight mechanisms function as substantive checks on management rather than procedural formalities, in which transparency and accountability are practiced as operational realities rather than declared as aspirational values, and in which the interests of all stakeholders, including shareholders, employees, customers, regulators, and the communities in which the organization operates, are considered in strategic and operational decisions.

Governance culture encompasses the ethical principles that the board and management establish as the foundation of the organization's conduct. It includes the organization's beliefs about how business should be conducted, the standards of integrity expected from all participants in the governance structure, and the mechanisms through which the organization holds itself accountable for its commitments. In practical terms, governance culture determines whether the organization's stated values are reflected in its actual behavior when values and commercial interests come into conflict.

The governance frameworks that have addressed culture most directly include the UK Corporate Governance Code, which requires the board to assess and monitor culture and to satisfy itself that the culture is aligned with the company's purpose, values, and strategy. The King IV Report on Corporate Governance for South Africa takes an even more explicit position, establishing that the governing body should lead ethically and effectively by steering and setting the direction for the realization of the organization's core purpose and values in a manner that is ethical and contributes to value creation for the benefit of the organization and its stakeholders. The OECD Principles of Corporate Governance, revised in 2023 as the G20/OECD Principles of Corporate Governance, address the role of the board in setting ethical standards and in monitoring the effectiveness of governance practices.

A strong governance culture creates a reputational advantage that extends beyond compliance with minimum standards. Organizations whose governance practices are perceived by investors, regulators, customers, and employees as genuinely committed to transparency, accountability, and ethical conduct attract capital at lower cost, retain talent more effectively, and build stakeholder trust that provides resilience during periods of crisis or disruption. This reputational premium is not automatic. It must be earned through consistent demonstration that the organization's governance culture is authentic rather than performative.

The Interdependence Of Risk, Compliance, And Governance Culture

The boundaries between risk culture, compliance culture, and governance culture are inherently difficult to establish because these three dimensions are deeply interdependent and mutually reinforcing. An organization cannot have a strong compliance culture without a governance culture that prioritizes accountability and transparency. It cannot have a strong risk culture without a compliance culture that ensures risk management processes are followed and a governance culture that provides the strategic direction and oversight within which risk decisions are made. And it cannot have a strong governance culture without a risk culture that surfaces the information the board needs to exercise effective oversight and a compliance culture that ensures the organization meets the obligations that underpin its social license to operate.

In practice, these three dimensions function as aspects of a single organizational culture rather than as three separate cultures that must be independently built and managed. The factors that strengthen one dimension, including clear leadership communication, consistent enforcement of standards, aligned incentive structures, open communication channels, training that builds practical skills, and governance structures that exercise genuine oversight, simultaneously strengthen the others. Conversely, weaknesses in one dimension inevitably undermine the others. An organization with strong risk identification but weak compliance enforcement will find that risks are identified but not mitigated. An organization with strong compliance processes but weak governance oversight will find that compliance activities are performed without strategic direction. An organization with strong governance structures but weak risk culture will find that the board receives sanitized information that does not reflect the organization's actual risk exposure.

The unified nature of GRC culture means that efforts to strengthen it must be integrated and consistent across all three dimensions rather than pursued through separate initiatives managed by separate functions. Risk management, compliance, and governance are distinct professional disciplines with different methodologies and different regulatory requirements, but the culture that enables all three to function effectively is the same culture, and it must be built and maintained as a coherent whole.

The Critical Role Of Tone At The Middle

Much of the governance and regulatory literature on culture emphasizes tone at the top, and rightly so, because the board and senior management establish the foundational expectations and set the ethical boundaries within which the organization operates. However, as discussed in the earlier post on building a sustainable risk and compliance culture, research and practical experience consistently demonstrate that tone at the middle is where culture is transmitted, reinforced, or undermined in daily operations.

Middle managers are the individuals who translate executive expectations into operational reality. They make the day-to-day decisions about staffing, prioritization, resource allocation, and performance evaluation that determine whether GRC requirements are treated as genuine constraints or as administrative burdens to be managed around. When middle managers visibly prioritize commercial targets over compliance standards, dismiss risk concerns raised by their teams, or tolerate deviations from policy for high-performing employees, they effectively neutralize the tone set at the top regardless of how clearly the board has articulated its expectations.

Organizations that invest in tone at the top without corresponding investment in middle management alignment, accountability, and capability development will find that their culture initiatives produce documented policies and training completion records but limited behavioral change at the operational level where most decisions are actually made.

Building GRC Culture: A Long-Term Governance Commitment

Building a sustainable GRC culture is a consistent, long-term process that cannot be achieved through a single initiative, a policy announcement, or an annual training program. It requires sustained leadership commitment, institutional infrastructure, and the integration of cultural objectives into the organization's operating model.

Communication must be continuous, consistent, and multi-directional. Leadership must articulate the organization's ethical expectations clearly and repeatedly, not only through formal communications but through the daily conduct that employees observe and interpret as signals of what the organization truly values. Communication must also flow upward and laterally, through reporting channels, escalation mechanisms, and the informal networks through which employees share information about how work is actually performed and how standards are actually enforced.

Incentive alignment is among the most powerful levers for shaping culture. When remuneration, promotion, and recognition structures reward behavior that is consistent with the organization's GRC objectives, the culture reinforces those objectives. When incentive structures reward outcomes without regard to the means used to achieve them, the culture undermines those objectives regardless of what policies and training programs say. The DOJ guidance specifically examines whether the organization's incentive structures promote or undermine compliance, making incentive alignment a regulatory expectation as well as a governance best practice.

Accountability and consequences determine whether the organization's stated standards have operational force. When compliance violations, risk management failures, and governance breaches result in appropriate consequences applied consistently across all levels of the organization, employees learn that the standards are real. When violations by senior or commercially important individuals are tolerated or addressed less severely than violations by junior staff, employees learn that the standards are aspirational rather than binding, and the culture degrades accordingly.

Infrastructure encompasses the systems, processes, governance structures, reporting mechanisms, and organizational arrangements that enable GRC culture to function. An organization that expects employees to manage risk, comply with regulations, and exercise good governance without providing the tools, training, information, and authority to do so is setting expectations that cannot be met. Culture is enabled by infrastructure and expressed through behavior, and both elements must be present for the culture to be genuine.

From Intention To Institutional Behavior

It is not enough to have good intentions. It is not enough to have an internal audit department. It is not enough to have a code of ethics, a compliance hotline, and an annual training program. These are necessary elements of GRC infrastructure, but they are not sufficient to create a culture in which ethical behavior, informed risk-taking, and genuine accountability are the organizational norm.

Culture is built through the accumulated effect of thousands of decisions, conversations, promotions, disciplinary actions, resource allocations, and leadership behaviors over time. It is reinforced or eroded every day by the signals that leadership sends, the behaviors that middle management models, and the outcomes that the organization rewards. The organizations that build and sustain strong GRC cultures are those that recognize this reality and commit to the sustained, deliberate, and visible investment in the conditions that make ethical and effective behavior the path of least resistance rather than the path of greatest personal risk.

The academic and empirical evidence overwhelmingly supports the proposition that organizations with strong ethical cultures outperform their peers across multiple dimensions, including financial performance, employee engagement, stakeholder trust, regulatory relationships, and organizational resilience. This evidence, drawn from research published in journals including the Journal of Business Ethics, the Journal of Applied Psychology, and the Academy of Management Journal, and reinforced by the post-crisis analyses of regulatory bodies including the Financial Stability Board and the Senior Supervisors Group, provides the empirical foundation for treating GRC culture not as a soft governance aspiration but as a measurable determinant of organizational success.

Why Culture Should Be Viewed Through Governance, Risk, And Compliance Lenses

The original distinction among risk culture, compliance culture, and governance culture is useful, but it benefits from a more integrated and precise explanation. In practice, these dimensions overlap significantly. They are not separate cultures inside the same company. They are different but connected expressions of how the organization thinks about accountability, uncertainty, conduct, and oversight.

Risk culture influences how people perceive uncertainty, challenge decisions, escalate concerns, and operate within risk appetite.

Compliance culture influences whether people understand and follow legal, regulatory, and policy expectations in both letter and spirit.

Governance culture influences how leadership sets direction, exercises oversight, allocates authority, handles accountability, and reinforces ethical and strategic discipline.

Together, these dimensions shape whether the organization can pursue objectives responsibly and sustainably.

Risk Culture

Risk culture is best understood as the shared values, assumptions, and behaviors that influence how people identify, discuss, take, escalate, and manage risk. It affects whether employees understand the company’s risk appetite, whether they feel responsible for surfacing concerns, whether bad news travels upward, and whether business decisions reflect a realistic view of downside exposure.

A strong risk culture does not mean the organization avoids risk. It means people understand which risks are worth taking, which are outside tolerance, and who has authority to make those judgments. In practical terms, this requires more than annual training. It requires clear risk appetite statements, consistent decision frameworks, escalation discipline, scenario-based thinking, and leadership behavior that encourages challenge rather than silence.

The original draft correctly linked risk culture to training, risk assessment, policies, and decision guidance. Those elements do matter. But the stronger point is that risk culture is visible in action. It is visible in whether commercial decisions are challenged, whether controls are bypassed under pressure, whether emerging issues are surfaced early, and whether management responds constructively to bad news.

The example of banks during the 2008 financial crisis is directionally valid, but it should be framed with caution. Institutions with stronger risk governance, better capital discipline, and healthier risk culture were generally better positioned than peers, but no single crisis example should be oversimplified. The broader lesson remains sound. Where risk culture is stronger, organizations are usually more resilient under stress.

Compliance Culture

Compliance culture refers to the environment that shapes how employees understand, interpret, and act on legal, regulatory, policy, and ethical expectations. In a strong compliance culture, people do not follow rules only because they are monitored. They follow them because the organization has made the standards clear, relevant, and credible.

This is an important distinction. Compliance culture is not simply the presence of rules. It is the extent to which employees understand what is expected, why it matters, how to act when the rules are not explicit, and how to escalate concerns when pressure or ambiguity arises.

A mature compliance culture therefore involves more than formal controls. It includes policy clarity, training quality, access to advice, investigation credibility, documentation standards, recordkeeping discipline, management accountability, and confidence in speak-up mechanisms. It also includes whether employees understand the intent behind rules rather than only their literal wording.

The original draft was right to emphasize proactive behavior, documentation, traceability, and process discipline. Those are all important. The stronger articulation is that compliance culture becomes visible when employees make the right choice even when the control is not watching, because the environment has made expectations real and consequences credible.

Governance Culture

Governance culture is the set of beliefs, behaviors, and leadership norms that shape how the organization is directed, overseen, and held accountable. It determines whether strategic ambition is matched by discipline, whether authority is exercised responsibly, whether decisions are challenged appropriately, and whether ethical standards remain intact when outcomes are under pressure.

A healthy governance culture does not exist only at board level. It is reflected across leadership layers in how objectives are set, how performance is evaluated, how incentives are designed, how issues are escalated, and how accountability is applied when something goes wrong.

This dimension is particularly important because governance failures often sit behind both risk failures and compliance failures. Weak board challenge, poor information flow, inconsistent consequences, overcentralized decision-making, or tolerance for star performers can all undermine the broader culture even when formal frameworks appear sound.

The original draft linked governance culture to shareholder value and reputational advantage with investors. That remains directionally true, but the concept should be broader. Governance culture influences not only investor confidence, but also resilience, trust, strategic clarity, and the organization’s ability to act responsibly over time.

Why These Three Dimensions Are Hard To Separate

The boundaries among risk culture, compliance culture, and governance culture are not clean because they reinforce each other continuously. A company cannot have a strong risk culture if governance discourages escalation. It cannot have a strong compliance culture if leadership rewards results achieved through shortcuts. It cannot have a healthy governance culture if risk information is filtered and control issues are normalized.

That is why the most practical way to think about these dimensions is not as separate programs, but as mutually reinforcing parts of the company’s broader control and conduct environment.

This integrated view is more useful for boards and executives because it focuses attention on how leadership signals, incentives, oversight, and operating norms work together.

How A Strong GRC Culture Is Actually Built

Building a GRC culture is a long-term management effort, not a communications campaign. It requires repeated reinforcement through leadership behavior, incentives, operating processes, talent decisions, and governance routines.

The original draft correctly emphasized communication, accountability, and infrastructure. Those are necessary, but they need to be made more concrete.

A strong culture is built when leadership messages are consistent with leadership actions. It is built when employees understand the boundaries of acceptable conduct and see those boundaries applied fairly. It is built when people are rewarded not only for what they achieve, but also for how they achieve it. It is built when escalation channels are trusted, investigations are credible, and lessons from incidents lead to visible improvement.

Infrastructure matters as well. Policies, training, controls, reporting channels, committee oversight, management information, and internal audit all support the environment. But none of these is sufficient by itself. Internal audit can assess culture and challenge weaknesses, but it cannot create culture on behalf of management. Culture is a management responsibility.

What High-Performing Organizations Do Differently

Organizations with stronger GRC cultures usually do several things consistently. They make risk appetite and conduct expectations understandable in business terms. They align incentives with responsible behavior. They challenge performance that depends on weak controls or questionable decisions. They encourage upward communication and do not punish uncomfortable messages. They use data from incidents, audit findings, investigations, and employee feedback to assess whether culture is strengthening or deteriorating. They also reinforce local leadership capability, because culture is experienced most directly in teams, functions, and business units rather than in corporate statements.

Most importantly, they treat culture as part of the business model rather than as an ethical accessory. They understand that governance, risk, and compliance behavior directly affect resilience, trust, operating effectiveness, and long-term value creation.

Final Perspective

GRC culture determines whether governance frameworks actually work under pressure. It influences whether people respect boundaries, escalate concerns, challenge assumptions, and act with integrity when no one is watching.

Risk culture, compliance culture, and governance culture are best understood as interconnected dimensions of the same operating reality. When they are strong, the organization becomes more resilient, more credible, and more capable of pursuing its objectives responsibly. When they are weak, even well designed policies and controls can fail.

That is why culture should not be treated as a soft issue. It is one of the hardest and most important parts of effective GRC.

References

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrating with Strategy and Performance.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control: Integrated Framework.

International Organization for Standardization. ISO 31000: Risk Management Guidelines.

US Department of Justice. Evaluation of Corporate Compliance Programs.

Institute of Internal Auditors. Global Internal Audit Standards and guidance relevant to governance and culture assessment.

Selected organizational behavior and ethics research relevant to culture, conduct, incentives, and leadership.