Article

Culture isn’t a Patch. It’s the Platform

Priya Giuliani

Partner

priyagiuliani@hka.com


Purpose + Design + Accountability = Measurable Behaviour

Culture is the invisible operating system of your organisation. You rarely notice it, until it crashes. And, when it does, the consequences aren’t just inconvenient; they’re catastrophic. Think of the billions lost to fines, reputational damage, and leadership churn after cultural failures. Decisions stall, trust erodes, and risk spirals.

Regulators know this. They call culture the foundation of effective risk management and compliance. But here’s the twist: they don’t prescribe what your culture should look like. No templates. No checklists. Why? Because culture isn’t a policy – it’s behaviour. It’s ‘the way things are done around here.’

For years, firms have poured billions into compliance processes, technology, and tick‑box training. Yet the same failures keep resurfacing. Why spend billions only to end up with the same issue? Why don’t we learn from others’ failures? Because the changes implemented are often quick fixes or patches applied in response to regulatory pressure, rather than a reset of the underlying behaviours that drive decisions.

A robust culture isn’t a quick win. It’s a long-term investment that pays dividends in resilience, risk mitigation, customer trust, and sustainable growth. But changing culture means understanding how humans think and act, which is not easy, especially as AI begins to influence decision-making and workplace behaviours. Most people intend to do the right thing, but good intentions don’t always translate into good actions. Culture isn’t about values on a wall; it’s about the behaviours people choose under real-world pressures. Controls and technology can help, but they don’t guarantee those choices. Regulators and auditors are catching up to this truth, reframing culture as something observable, measurable, and auditable: behaviour.

Why Behaviour Matters

Culture fails when behaviour fails. Regulators and the internal audit profession reflect this reality: controls and technology are necessary, but not sufficient. People, and the choices they make, remain central.

In December 2025, The Institute of Internal Auditors (IIA)[1: ‘The Institute of Internal Auditors Releases Organizational Behavior Topical Requirement’, IIA Press Room] reframed ‘culture audits’ into a structured assessment of behaviour‑related risks, setting a minimum baseline for governance, risk management, and controls that influence how people act in the workplace. Why does this matter? Because most compliance failures aren’t caused by missing policies; they’re caused by human shortcuts or workarounds. Under pressure, good intentions can collapse into bad decisions.

Incorporating behavioural science into organisational processes can help to transform compliance and culture. Rather than relying solely on rules and technology, behavioural science offers a multidisciplinary framework for shaping compliant organisational behaviour. It provides an understanding of the cognitive biases and contextual factors that shape individual and collective decision-making. Drawing on principles from economics, psychology, sociology, and neuroscience, these solutions are not typically expensive, but they do require careful design and, at times, experimentation.

Behavioural science helps to explain why traditional compliance can fail to prevent poor decisions. Three foundational insights are particularly relevant:

  • Humans respond to incentives[2: ‘Motivating vaccination with financial incentives’, ScienceDirect]. If metrics and rewards place more emphasis on sales or speed, behaviours will follow, even if policies say otherwise.
  • Humans care about social norms and relative outcomes[3: ‘Social Norms’, Stanford Encyclopedia of Philosophy]. Most people want to belong, so they align with their peers.
  • Humans feel losses more intensely than equivalent gains (‘loss aversion’)[4: ‘Loss Aversion’, The Decision Lab]. Framing compliance around potential losses, such as clients, careers, and licences, can be more compelling than vague benefits.

These dynamics show up in everyday conduct failures:

Designing environments where the right action is the easy action, and the wrong one is harder, is essential.

The urgency is real. Enforcement is intensifying worldwide, with regulators imposing tougher penalties for failures in financial crime compliance, governance, misconduct and consumer harm. Annual global fines in banking[5: e.g. BNP Paribas US$8.9bn, TD Bank US$3.1bn, Goldman 1MDB US$2.9bn, Danske Bank Estonia US$2bn, HSBC US$1.9bn], digital assets[6: e.g. Binance US$4.3bn, OKX US$500m, Coinbase Europe €21.5m] and gambling[7: e.g. Platinum Gaming £10m, William Hill £19.2m] run into the billions year after year. Ineffective or absent controls are costly. Unless firms do something different, this trend will likely worsen as supervisors gain more powers across other sectors such as law and accountancy.

Assessing Organisational Behaviour

If we acknowledge that culture fails when behaviours fail and behaviour drives outcomes, then measuring and managing behaviour becomes non-negotiable.

Today, regulators and auditors expect more than slogans or values; they want evidence. That’s why the IIA has reframed its culture audits into structured assessments of organisational behaviour. The question is no longer “Do you have a good culture?” but “Can you demonstrate, with evidence, that organisational behaviours align with your purpose and risk appetite?”

The IIA treats organisational behaviour as the observable choices employees make and a subset of culture, translating ‘how things are done around here’ into verifiable expectations and evidence. Its codified approach is organised into 15 Governance, Risk Management, and Controls requirements that internal audit must assess.

Here are some examples of what this looks like in practice:

Element | Requirement | Action
--- | --- | ---
Oversight | Boards and senior management must define behavioural expectations and hold employees accountable | Document accountability maps and retain evidence of consequence management
Risk Management | Firms must identify gaps between expected and actual behaviours, analyse root causes, and communicate findings consistently | Include behavioural risk assessments and dashboards in Audit Committee packs
Control Design and Incentives | Organisations must show how controls and reward structures mitigate higher-risk behaviours | Map incentives to compliance outcomes and track override rates

Regulatory Expectations

Internal audit isn’t the only voice calling for behavioural evidence; regulators share the same view. The UK’s Financial Conduct Authority (FCA) defines culture as the habitual behaviours and mindsets that characterise an organisation. It neither prescribes a single culture nor tries to assess mindsets directly. Instead, FCA speeches[8: ‘Culture is contagious’, FCA] emphasise that ‘culture drives conduct and decision making’, and that non-financial misconduct (such as bullying or harassment) signals a failing culture. The FCA expects leaders to manage the drivers of behaviour and supervises firms based on how effectively these drivers reduce harm[9: ‘Culture and governance’, FCA].

The tide is turning. Systems and controls alone are not enough. Technology, including AI, can streamline processes and enhance detection, but it cannot replace judgement or integrity. Organisations must demonstrate the effectiveness of their frameworks, and people remain the critical variable. Effective risk management demands critical thinking and sound judgement at every level, especially when interpreting AI-driven insights.

The buck stops with leadership. Can you prove that your culture works, not just in theory but with evidence?

Behaviour Determines Outcomes

Regulators and auditors agree that culture is about the choices people make every day. Proving those choices align with purpose and risk appetite requires more than policies; it demands behavioural design. The challenge for leaders is clear: ‘How do you turn principles into predictable actions under real-world pressure?’

Traditional training often treats compliance as content delivery: read, click, done. Unsurprisingly, many employees complete mandatory training only when chased by a plethora of emails, signalling compliance is secondary. Behavioural science, and countless enforcement cases, show that choices are shaped by context, incentives, friction, social norms, and leadership signals. In the chaos of everyday life, convenience often beats principles in decision making unless organisations deliberately design environments to make ‘the right thing’ the easiest, and most obvious, choice.

To shift this, organisations should consider three principles:

  • Purpose: connect rules to the harm they prevent and the trust they create. This aligns with regulatory emphasis and is more motivating to the workforce, reframing compliance from a perceived brake on business growth into a recognised driver of value and a catalyst for sustainable profitability and customer trust.
  • Design: engineer choice architecture so the right thing is easier than the wrong thing; apply default options, integrity prompts, and pre-commitments transparently and ethically.
  • Accountability: measure what matters and act consistently on deviations to reward integrity and deter misconduct. This expectation is embedded in IIA’s focus on accountability structures.

These principles set the stage for practical action.

Seven Levers to Operationalise the Right Behaviours

Turning principles into predictable actions requires deliberate design. These seven levers help organisations embed integrity into everyday decisions, turning integrity from aspiration into operation.

1) Purpose: Make the “Why” Unmissable

Rules without meaning feel like bureaucracy; rules tied to purpose feel like responsibility. When employees understand the harm a control prevents, compliance becomes personal.

Practical moves:

  • Build purpose narratives into policies: every critical control gets a short “harm prevented” vignette and a client-impact case study
  • Use training time to explore the ‘why’ behind controls, not just the ‘what’ and ‘how’
  • Measure effectiveness by periodically asking employees to articulate the purpose of key controls

2) Social Norms: Define the In-Group

Social norms are the unspoken behavioural rules shared by people in a given group. They can influence, for instance, how to dress in the office, how people greet each other, or how to execute operational processes. People want to belong. Social norms can shape behaviour more than rules.

Practical moves:

  • Use change agents to model the desired behaviours
  • Publish ‘This is how we do it here’ micro-standards in short plain English (or local equivalent) guides for recurring risky processes
  • Deploy norm nudges: show aggregated peer adherence (e.g., “92% of employees completed their annual training ahead of the deadline”) to encourage alignment.

3) Ethical Nudges: Timely, Visible, Specific

Nudges are subtle design features that influence people to comply with organisational behavioural expectations. Defaults, prompts, and precommitments can steer decisions towards integrity, without removing choice. Design these nudges transparently as the goal is ethical influence, not coercion.

Practical moves:

  • Defaults: preselect safer paths (e.g., automatic EDD for PEPs; default four-eyes checks on high-risk overrides)
  • Prompts: insert pause points before risky actions, such as ‘truthfulness reminders’ at expense submission
  • Precommitments: require brief attestations on a regular basis, for example, “I will not override risk limits without prior written approval”.

4) Friction: Make the Wrong Thing Harder

Friction determines how easy, or difficult, it is for people to comply. If compliance feels like climbing a mountain, most will look for shortcuts. The goal is to remove unnecessary friction from processes where we want people to do the right thing (e.g., SAR submission pathways, KYC document capture) and add friction where we want to make harmful behaviour harder (multi-factor authentication (MFA) for sensitive actions, four-eyes for high-risk overrides).

Practical moves:

  • Map end-to-end journeys to identify compliance friction points, then redesign
  • Reduce clicks, simplify forms, and automate evidence trails to make the right behaviours easier; add MFA to riskier processes or second-line approvals to high-risk overrides
  • Track before/after metrics (error rates, cycle time, exception volumes) to evidence improvement for audit and regulators.

5) Tone from the Top and Middle-Out: Walk the Talk

Regulators expect leaders to set the tone that drives good conduct and decision-making. Employees take their cues from leadership. If the board and senior managers demonstrate integrity, accountability, and transparency, those values can cascade through the organisation.

Think about whose message people will respond to the most. The head of division may be a more powerful voice for the business than the Group CEO or Head of Compliance, who are just that bit removed. People are often more influenced by their local leaders (those who can affect performance ratings and bonuses) than by corporate messages from the top.

The tone from the top cannot get through the organisation if there is a layer of ‘permafrost’: middle management that has not bought into it. Attention must therefore be given to ensuring that managers at all levels are aligned in their messaging and behaviours. Permafrost blocks positive culture from embedding through the organisation. It creates friction, and not the good kind. It slows transformation, breeds cynicism, and signals to staff that culture is optional.

Tone from the top isn’t just about what leaders say – it’s about what they do. Leaders must walk the talk, i.e. model the behaviours they expect from others. If leaders say one thing and do another, the organisation will trust the visual signals over the audio signals as its basis for understanding ‘how things are really done around here’. If leaders ignore breaches or cut corners, the message is clear: rules don’t matter. Culture is shaped by actions, not slogans.

Practical moves:

  • Run cascading leader-led conversations where business heads (not just Compliance) discuss real case studies, decisions, and consequences.
  • Melt the ‘permafrost’: diagnose middle-management blockers; use change agents, rotations, and skip-level forums to ensure messages travel and behaviours align.

6) Speak Up, Listen Up: Close the Loop

A strong compliance culture isn’t just about rules – it’s about voice. Silence is the enemy of integrity. Many major conduct failures, from mis-selling scandals to market manipulation, were preceded by warning signs that went unheard. The Post Office scandal is the perfect example of unheard warning signs, where reported issues were not aggregated and fully understood across the organisation. When people feel safe to speak up, and leaders actively listen, risks are surfaced early and addressed before they escalate.

Many employees still do not feel comfortable blowing the whistle for fear of retaliation, but may be more comfortable using external reporting lines to regulators, which is itself an indicator of poor organisational culture. A strong culture means staff prefer using the organisation’s hotlines because they believe issues will be addressed promptly and fairly. External reporting should be a safety net, not the default.

Practical moves:

  • Analyse trends in whistleblowing reports for hidden systemic issues
  • Publish quarterly anonymised “You said / We did” summaries; include themes and actions in board packs
  • Track hotline responsiveness and resolution times; compare internal vs external whistleblowing volumes
  • Use regulator data, where available, to benchmark and strengthen channels[10: ‘Whistleblowing data’, FCA], and communicate protections under whistleblowing law

7) Incentives & Consequences: Measure What Matters

What gets measured gets managed. People pay attention to what is measured because measurement signals what matters to an organisation.

If commercial KPIs drown behavioural metrics, culture becomes optional. Loss aversion shows people respond strongly to potential losses. When integrity and conduct are tracked, discussed, and tied to performance, they become part of ‘how things are done around here’.

Practical moves:

  • Build Key Culture Risk Indicators: e.g., override rates, near misses, repeat findings, voice metrics, and too-good performance patterns
  • Tie behavioural KPIs to performance and pay; investigate anomalously high results for hidden conduct risks
  • Align disciplinary outcomes with non-financial misconduct expectations and regulatory references

Culture Is Everyone’s Responsibility

Culture doesn’t flash on the screen or demand attention, until it fails. And when it fails, there’s no restart button, no undo, no quick patch. Every decision, every conversation, every behaviour becomes a line of code in your organisational operating system. If the code is clean, built on integrity, purpose, and accountability, the system runs smoothly. If the code is corrupted by shortcuts or silence, the crashes are inevitable, and ultimately very costly.

We all have a role in the development of the operating system. We write the code every day. We decide whether the platform is secure or vulnerable. Culture isn’t a project you finish; it’s the platform you live on. It powers trust, reputation, and resilience. It’s what keeps the lights on when the storm hits.

To strengthen your culture, design with intent. Make the right thing easy and the wrong harder. Walk the talk, don’t just draft the policy. Measure what matters, not just what’s profitable. And create an environment where integrity isn’t aspirational, it’s operational.

Regulators and auditors are asking for evidence. Boards are asking for assurance. Employees are asking for clarity. When someone asks, “How are things done around here?” the answer should be unmistakable: “with integrity, with purpose, and with pride, because that’s the code our system runs on”.

How can HKA help?

HKA is an independent consultancy with specialists in financial crime compliance, fraud and integrity risk management, remediation and response matters. Our experts assist financial institutions, corporates, charitable and purpose-driven organisations, and public sector organisations in navigating complex regulatory landscapes, strengthening compliance frameworks, and aligning with global and industry standards.

About the Author:

Priya Giuliani is a specialist in financial crime investigations and compliance with nearly 30 years’ experience, including a decade as a Partner. She specialises in helping clients on a proactive basis to assess and manage the risk of financial crime, including assessing governance, oversight and conduct, and training Senior Managers and Boards. Her investigative experience provides insight into how various financial crime types (e.g. money laundering, terrorist and proliferation financing, sanctions and tax evasion, bribery, corruption and fraud) can occur, including through the use of professional enablers, and the controls required to manage these risks effectively. Priya has been appointed on many Skilled Person engagements. She is widely regarded as a well-qualified and highly experienced expert in financial crime risk management and investigations. She understands risk well and works with clients to assess and develop proportionate and effective control frameworks.

This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2026 HKA Global Ltd.
