What factors define a good risk and compliance culture?



Post by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360


How To Build A Sustainable Risk And Compliance Culture Across The Enterprise

A sustainable risk and compliance culture is no longer a secondary consideration in corporate governance. It is a core determinant of how organizations make decisions, escalate concerns, manage misconduct, and respond to pressure. In practice, culture shapes whether policies are followed, whether risks are challenged early, whether employees speak up, and whether accountability is applied consistently.

This makes culture a board and executive leadership issue. The board, the CEO, the chief compliance officer, the chief risk officer, and business leadership all influence whether the organization’s stated values are translated into everyday behavior. While tone at the top remains important, employees are influenced just as much by what leadership rewards, tolerates, ignores, and investigates. In other words, culture is not built through messaging alone. It is built through management signals.

Where culture is strong, employees are more likely to act within policy, escalate concerns, challenge risky decisions, and understand the boundaries of acceptable conduct. Where culture is weak, the opposite occurs: misconduct is rationalized, control failures are normalized, concerns go unreported, and short-term performance begins to outweigh disciplined decision making.

Why Regulators And Prosecutors Care About Culture

Regulators, prosecutors, and supervisory authorities increasingly examine culture when assessing governance failures. In major enforcement matters, authorities often look beyond whether policies existed on paper and ask whether management behavior, incentives, escalation channels, and accountability structures supported compliance in practice.

This trend is evident across jurisdictions. In Spain, since corporate criminal liability was introduced into the Penal Code (Article 31 bis) and the Fiscalía General del Estado issued its Circular 1/2016 on the liability of legal persons, prosecutors have been expected to assess whether a compliance program fosters a genuine culture of compliance rather than functioning as a paper shield against liability. Similar thinking appears in the US Department of Justice guidance on evaluating corporate compliance programs, which asks whether the program is well designed, whether it is applied earnestly and in good faith (adequately resourced and empowered to function), and whether it works in practice.

This shift has an important implication for boards and GRC leaders. A compliance program that is technically complete but culturally weak may be viewed as ineffective. Poor culture is often inferred from recurring patterns such as commercial pressure that overrides controls, tolerance of inappropriate behavior by high performers, weak challenge from management, reluctance to escalate concerns, or inconsistent disciplinary action. These are not only cultural failures. They are governance failures.

What Actually Shapes Risk And Compliance Culture

To improve culture, organizations need a realistic view of what drives it. Culture is not simply the result of ethics training or a code of conduct. It is shaped by the interaction between formal governance mechanisms and informal behavioral norms.

Formal drivers include incentive design, performance management, role clarity, promotion criteria, policy architecture, speak-up mechanisms, issue escalation processes, investigation quality, and leadership accountability. Informal drivers include trust, peer behavior, local management style, tolerance for bad news, psychological safety, and whether employees believe that raising concerns will lead to fair treatment and action.

External factors also matter. Market pressures, investor expectations, regulatory scrutiny, public attention, supply chain complexity, labor conditions, and digital transformation can all influence behavior and risk-taking. This means culture cannot be managed as a static internal attribute. It evolves with the business environment and must be monitored as part of the organization’s broader governance context.

What Research Suggests About Stronger Team Culture

Research across organizational behavior, ethics, and safety culture suggests that local team conditions strongly influence how culture is experienced. Employees tend to display stronger shared norms where leadership expectations are clear, communication is active, engagement is higher, and team members trust each other and their managers.

Studies have also highlighted the importance of cohesion, well-being, tenure, leadership consistency, group identification, and constructive social interaction. Teams are generally more likely to follow shared standards when leaders provide clear direction, model the desired behavior, and respond consistently to problems and tradeoffs.

Some caution is necessary in interpreting this research. For example, findings that refer to smaller or less heterogeneous groups should not be taken as arguments against diversity. Diverse teams can improve challenge, innovation, and governance outcomes when supported by inclusive leadership and strong norms. The more useful lesson is that complexity requires more intentional management. Where teams are larger, more distributed, or more diverse, leadership must work harder to create clarity, trust, and consistency.

This has direct implications for compliance and risk leaders. Enterprise-wide culture is always lived locally. It is shaped in business units, country teams, projects, functions, and leadership layers. That is why culture programs fail when they rely only on central messaging without reinforcing the same expectations through frontline management.

Why Culture Should Be Assessed As Part Of The Risk Framework

Leading risk frameworks recognize that organizational culture affects how risk is understood and managed. ISO 31000 emphasizes the importance of internal and external context in shaping risk management. COSO similarly links governance, ethical values, accountability, and behavior to the effectiveness of internal control and enterprise risk management.

This means culture should not be treated as an abstract concept outside the formal risk framework. It should be assessed as part of the control environment and the organization’s risk context. If risk appetite is clear on paper but ignored in decision making, that is a cultural issue. If employees fear retaliation for speaking up, that is a cultural issue. If incentive plans encourage excessive risk taking, that is both a risk management issue and a cultural one.

A credible assessment should rely on evidence, not only perception. Employee surveys can be helpful, but they should be complemented by analysis of whistleblower activity, investigation themes, misconduct trends, audit findings, control override patterns, remediation delays, turnover in sensitive roles, conduct-related complaints, and the quality of board or committee reporting. Culture becomes measurable when the organization tracks behavioral indicators rather than values statements alone.

How To Strengthen Risk And Compliance Culture In Practice

A stronger culture is created through management design choices that reinforce responsible behavior consistently over time.

One of the most important foundations is a clear articulation of risk appetite and tolerance. Employees and managers need to understand the boundaries within which they are expected to operate across compliance, operational, financial, strategic, and conduct risks. Without this clarity, commercial pressure will often fill the gap.

Performance and cost management programs should also be reviewed through a risk lens. Organizations frequently measure efficiency and growth with precision, yet apply far less discipline to understanding losses, incidents, misconduct trends, fraud events, near misses, or control failures. A mature culture does not treat these as unfortunate side effects of performance. It treats them as management signals that require analysis and response.

Human resources policies are another major lever. Promotion criteria, performance reviews, succession decisions, and disciplinary frameworks all communicate what the organization truly values. If strong financial performance consistently outweighs control behavior, collaboration, and ethical judgment, then the stated culture message becomes self-defeating. Open-door communication, issue escalation, and confidence in speak-up mechanisms should be reinforced through actual management behavior and not left as policy aspiration.

Remuneration also matters. Incentive design should not reward risk-taking that depends on bypassing controls or on weak conduct. This does not require simplistic formulas that penalize any incident. It requires a more balanced approach in which risk management, control quality, and leadership behavior influence how performance is evaluated.

Training should move beyond awareness and focus on capability. High quality training helps employees and managers recognize fraud indicators, respond to workplace incidents, handle regulatory obligations in context, manage teams responsibly, and make sound decisions under pressure. The objective is not just to inform people of the rules, but to help them act appropriately when the rules meet real world complexity.

Reporting channels are equally critical. Organizations need credible mechanisms to aggregate risk and compliance information, monitor behavioral and control indicators, escalate concerns, and support board and executive oversight. When designed well, these channels help management identify where culture is deteriorating and where interventions are needed.

A value-based compliance framework also plays a central role. Policies and procedures should reinforce personal accountability, explain why requirements matter, and make clear that ethics and risk discipline are part of business performance rather than constraints outside it.

Finally, organizations should recognize that culture extends beyond employees. Suppliers, investors, clients, regulators, and other stakeholders influence conduct expectations and can also be affected by the company’s control environment. Engaging them transparently can help anticipate risks and strengthen the broader ecosystem of trust.

What High Performing Organizations Do Differently

Organizations with stronger risk and compliance cultures do not treat culture as an annual communication theme. They embed it into governance routines, leadership evaluation, decision making, issue management, and talent processes. They look for evidence of deterioration early. They challenge teams that deliver strong results through weak controls. They examine whether managers handle bad news constructively. They reinforce the expectation that speaking up is part of performance, not a disruption to it.

Most importantly, they understand that culture is tested under pressure. It is revealed when targets are at risk, when regulators ask difficult questions, when misconduct involves top performers, and when fixing a control weakness is operationally inconvenient. Those moments show whether the organization’s values are operational realities or only formal language.

Final Perspective

A sustainable risk and compliance culture does not emerge from policy statements alone. It is built when leadership behavior, incentives, governance structures, and daily management practices consistently support the standards the organization claims to value.

For boards, chief compliance officers, and chief risk officers, culture should be managed with the same discipline as any other material risk factor. It should be assessed regularly, supported by data, reinforced through accountability, and strengthened through practical interventions that shape behavior across the enterprise.

In the current regulatory environment, culture is no longer a soft issue. It is part of the control environment, part of enterprise resilience, and increasingly part of how organizations are judged when failures occur.

References

International Organization for Standardization. ISO 31000:2018, Risk Management Guidelines

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrating with Strategy and Performance (2017)

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Integrated Framework (2013)

US Department of Justice, Criminal Division. Evaluation of Corporate Compliance Programs

Spain. Código Penal, Article 31 bis (criminal liability of legal persons); Fiscalía General del Estado, Circular 1/2016 on the criminal liability of legal persons under the reform of the Penal Code by Ley Orgánica 1/2015
