Part 4 - Regulatory & Compliance Risk: A culture lens on integrity, oversight and exposure

Part 4 in the Culture Risk Intelligence Series for Boards and Executives

“A director cannot ignore red flags or close their eyes to corporate misconduct.” - AICD Practice Statement, October 2024

Compliance failures are rarely just system failures. They contain breakdowns in the beliefs, attitudes and behaviours that shape how policies are understood, applied and enforced.

Regulatory & Compliance Risk arises when those behaviours silently drift: when ethical shortcuts are tolerated, when speaking up feels unsafe, and when informal culture begins to overpower formal controls.

Boards and Executive teams must now govern culture with the same seriousness they bring to financial oversight. Compliance is no longer just about frameworks and policies; it’s about how the organisation behaves when no one is watching.

Why this risk matters

From ASIC’s conduct-focused surveillance to APRA’s tightening expectations and the AICD’s Practice Statement on Compliance Oversight, a common message is emerging:


  • Boards must challenge red flags, not just review reports
  • Executives must embed compliance behaviours, not just controls
  • Both must ensure culture actively supports legal and ethical obligations

A strong compliance culture is the invisible infrastructure that protects integrity, reduces risk and builds trust. Without it, even the best policies will fall short in moments that matter most.

Why the risk is rising

Several forces are accelerating exposure to this risk:


  • Expanding obligations - from anti-bribery and AML to cyber, ESG and WHS
  • Strategic transformation - M&A, restructuring, AI adoption and growth initiatives
  • Increased scrutiny - from regulators, media, employees and investors
  • Subcultural fragmentation - where values and behaviours vary across working groups, business units and locations

The AICD is now calling on directors to remain alert to behavioural red flags including under-reporting, lack of candour from management and failure to escalate known issues. But detecting those flags requires visibility into culture, not just compliance documentation.

What this risk looks like in practice

Cultural compliance risk may be present when:


  • Employees are reluctant to raise concerns, even with channels available
  • Minor breaches are normalised under pressure
  • Policy is seen as “box ticking” rather than guiding behaviour
  • Speak-up mechanisms lack trust and credibility
  • Leadership sends mixed signals between compliance and performance
  • Cultural differences between teams, geographies, or legacy structures go unassessed

These conditions often exist below the surface, making them difficult to detect without a structured culture risk intelligence capability.

Key questions for Boards and Executives

To assess whether culture is supporting or undermining compliance:


  • Does our culture reinforce ethical decision-making, not just technical compliance? Are integrity and escalation treated as strategic strengths, or operational burdens?
  • Do employees feel safe and supported in raising concerns? Are there informal rules or leadership behaviours that might be silencing dissent?
  • Are cultural enablers and inhibitors of compliance actively monitored? Are we drawing insight from behavioural data, not just sentiment surveys or lag indicators?

Why this is a shared leadership responsibility

Boards govern. Executives operationalise. But culture sits between the two, shaped by the expectations, signals and behaviours of both.

The AICD’s Practice Statement underscores that governance includes not just reviewing systems but understanding the context in which those systems succeed or fail. That means:


  • Boards challenging assurance where it lacks behavioural evidence
  • Executives reinforcing integrity through their own conduct, decisions and incentives
  • Both parties aligning around the idea that culture is a compliance system in its own right

In a complex and fast-moving regulatory landscape, cultural visibility is no longer optional.

Conclusion

Compliance frameworks don’t fail on paper; they fail in practice. When red flags go unacknowledged. When pressure overrides principle. When silence is safer than speaking up.

As the AICD reminds us: “A director cannot ignore red flags or close their eyes to corporate misconduct.” But many of today’s red flags aren’t written in reports. They're embedded in the cultural tone, informal norms and behavioural blind spots that shape daily decisions.

Boards and Executives don’t need to guess where those risks live. With the right culture risk intelligence capability, they can see clearly and act early.