In the 16 years since the 2008 Global Financial Crisis (GFC), organisations and regulators worldwide have invested considerable time and other resources into culture, risk culture, and behaviour risk activities.
Reports of serious compliance breaches, misconduct, court enforceable undertakings, monitorships, and increased capital risk overlays attributed to poor organisational culture continue to hit the headlines – casting doubt on the return on that investment.
Culture as the Root Cause of Serious Incidents
Through our work over the past 15 years helping organisations understand the role of culture in serious incidents, we consistently find that the culture and risk culture information available to governance forums failed to provide early warnings that could have supported proactive and confident Board or Management intervention. Recurring themes include:
- Narrow definitions: Focusing on narrow aspects of culture, such as soft controls, frameworks (Inputs), mindsets, behaviours (Throughputs), or risk/issue management (Practices), leads to reporting that can overlook critical issues and is prone to over-simplification and misinterpretation.
- Deconstructing culture: Evaluating and overseeing culture, governance, accountability, and remuneration in isolation from each other complicates holistic monitoring and assessment. Each of these elements is an integral and interdependent part of organisational culture.
Focusing only on parts of organisational culture can unintentionally complicate monitoring and assessment activities, whilst overwhelming governance forums with partial and unhelpful information.
With over 50 definitions of ‘organisational culture’ in academic literature, the quest for consensus can result in definitions that are too abstract to be actionable. The lack of definitional clarity impedes efforts to adopt industry-wide guidance that withstands empirical validation.
If we assume most academic definitions of organisational culture are valid, the culture problem has the potential to become quite overwhelming - but it doesn't need to be.
The Need for Holistic Oversight
Effective culture oversight requires an understanding of how all culture layers and elements interact to generate outcomes in real-life settings. Few organisations have succeeded in this goal.
Common flaws in culture-related approaches can show up in many ways:
- Governance forums receive fragmented culture-related reports from multiple sources, lacking consolidation for holistic oversight
- Culture reporting submitted ‘for noting’ generates interesting discussion without evidence of active oversight
- Dashboards or maturity ratings report culture norms without analysing their relationship to organisational outcomes, hindering understanding of causality and the ability to validate reported culture information
- HR/P&C defensiveness about incorporating adequate outcome-related factors (incl. strategic goals, transformative change, risk, conduct, compliance) in employee listening activities, with a preference instead for HR/P&C-led initiatives or staff engagement
- Responsibility for culture-related actions resting with multiple individual line managers rather than being holistically managed and supported; with managers providing multiple sets of actions to the various culture-related activities performed by Audit, Risk, P&C/HR, and/or self-assessments
Simplifying Culture Governance
There is growing appetite for improving Board oversight of organisational culture:
- The AICD's 2024 review of published governance reports concluded that Boards recognise the need to improve their oversight of culture to enhance performance and resilience.
- APRA’s Governance Review Discussion Paper outlines new expectations that can help improve culture oversight, including references to the quality of reporting to enable risk-based decision-making and oversight.
However, recently published international perspectives indicate a considerable amount of change may be needed.
Looking Ahead
Strengthening culture governance may involve reviewing and renewing existing governance structures, charters, and systems to improve accountability and effectiveness, which in turn clarifies culture-related accountabilities across key functions to elicit better information.
Regulated organisations not subject to prudential standards, including Private Assets and Markets (Credit / Equity), can heed the lessons from the financial sector. Those subject to AML/CTF Tranche 2 regulations in 2026 should particularly take note given regulatory consequences in recent times.
First, consider the nature of decisions that need to be informed and evidenced through governance forums, then focus on the most critical information by surfacing the specific culture attributes that may be helping or hindering required organisational outcomes.
Questions for Directors and Officers
Reflecting on culture-related activities and reporting across the organisation, consider:
- How many teams produce information, and how is it rationalised and consolidated to support holistic Board oversight?
- With overlapping culture-related activities performed by different functions, are organisational resources (incl. staff participation) and governance forum capacity efficiently utilised?
- Is there a disconnect between reported information and the nature of incidents or other organisational outcomes?
- Are critical warning signs being missed? How do we know?
- When was the last time culture approaches and reporting were independently validated and back-tested?