For more than a decade, organisational culture has been widely acknowledged as “important” but rarely governed as such.
It has featured prominently in value statements, leadership speeches and post-incident reviews, yet remained largely peripheral to formal risk architecture. Too often, culture has been treated as context rather than causation; as atmosphere rather than infrastructure.
That distinction is now collapsing.
Across the UK, Europe and key APAC jurisdictions, regulators are signalling a clear shift.
- Culture is no longer viewed as a soft consideration sitting alongside risk. It is increasingly understood as a material driver of conduct, operational resilience and institutional stability.
- For firms that still treat culture as an HR adjective or a communications theme, 2026 is likely to arrive as a shock. For those paying attention, the direction of travel is already clear.
- Culture is moving from PR to risk metric.
Culture Was Never “Soft”. Governance Simply Failed to Contain It.
Most major failures do not begin with missing policies or poorly worded procedures. They begin with behaviour.
What risks are tolerated in practice?
Which issues are escalated – and which are quietly absorbed?
How leaders respond to bad news.
Whether challenge is encouraged or subtly discouraged.
These are not abstract ideas. They are the mechanics of culture in motion. And yet, for years, they sat uncomfortably outside formal governance frameworks.
Culture did not map neatly to operational risk. It felt broader than conduct risk. It resisted quantification within traditional assurance models.
So, organisations acknowledged culture rhetorically rather than governing it structurally.
The result was a persistent blind spot: culture became something firms explained after failures, rather than something they actively managed to prevent.
Regulators are now closing that gap.
Regulatory Focus Is Shifting from Values to Behaviour
What regulators are increasingly examining is not cultural intent, but behavioural evidence.
Across jurisdictions, supervisory attention has shifted away from whether organisations articulate the “right” values and toward how those values are translated into decisions under pressure.
The question is no longer what do you say you stand for? But how does your organisation actually behave when trade-offs arise?
This shift is visible in how regulators probe leadership incentives, escalation dynamics and accountability frameworks. Supervisors are paying closer attention to whether psychological safety exists in practice, whether escalation pathways are genuinely used, and whether stated risk appetites survive contact with commercial reality.
The UK’s Financial Conduct Authority has been explicit that culture shapes conduct and decision-making, with direct consequences for outcomes for consumers, markets and the wider economy. In a February 2025 speech, the FCA reiterated that culture influences how firms interpret rules, make trade-offs and respond to emerging risks.
Earlier FCA work has also framed culture as a root cause of major conduct failures, setting expectations that firms embed cultures aligned with the spirit, not just the letter, of regulation.
In Europe, the European Central Bank has taken a similarly practical approach. In 2024, ECB Banking Supervision published a draft guide on governance and risk culture, setting out how supervisors assess behavioural patterns, escalation practices and governance effectiveness in practice.
Comparable themes appear in APAC. Australia’s prudential regulator, APRA, treats risk culture as prudentially material, explicitly linking behaviour, incentives and decision-making to risk outcomes.
The Monetary Authority of Singapore has likewise positioned culture as a driver of conduct, emphasising leadership behaviour, accountability and escalation in shaping outcomes.
Taken together, these signals point to a converging regulatory view: culture is observable, and therefore governable.
Measurement Anxiety Is No Longer a Valid Defence
One of the most persistent objections to governing culture has been measurement.
Culture does not behave like a control deficiency. It cannot be reduced to a single metric.
It resists binary scoring.
But this objection is increasingly beside the point.
Regulators are not asking firms to measure culture perfectly. They are asking them to govern it credibly.
This means shifting attention away from sentiment-based proxies alone and toward behavioural evidence: patterns in whistleblowing and speak-up activity, delays in escalation, repeat audit and assurance findings, leadership responses to adverse indicators, and gaps between formal risk appetite and actual decision-making.
None of this information is new. What is new is the expectation that it will be interpreted together, rather than remaining fragmented across HR, compliance, audit and risk silos.
The measurement challenge, in other words, is not technical.
It is architectural.
Culture Is Emerging as a Risk Multiplier, not a Risk Type
A critical evolution in regulatory thinking is the recognition that culture is not a standalone risk category.
It operates instead as a second-order risk amplifier.
- Weak culture magnifies conduct risk.
- Misaligned incentives undermine operational resilience.
- Poor psychological safety suppresses early warning signals.
- Overconfidence erodes assurance challenge.
This helps explain why cultural weaknesses so often surface across multiple risk events simultaneously. Culture shapes how risks propagate, how quickly they escalate and how effectively they are addressed.
For boards and executive committees, this reframes the issue entirely. Culture cannot be managed through annual diagnostics or isolated interventions. It must be embedded into risk appetite calibration, issue prioritisation, assurance planning, escalation thresholds and accountability frameworks.
Most governance models were not designed for this level of behavioural interdependence. That design gap will become increasingly visible in 2026.
Board Oversight Is Moving from Comfort to Challenge
For boards, the hardest part of this shift is not accepting that culture matters – it is learning how to oversee it without retreating into abstraction.
High-level assurances, aggregated survey results and carefully worded narratives are no longer sufficient. Directors are increasingly expected to understand where behaviour diverges from intent, and why.
That requires boards to become comfortable asking more difficult questions. Not simply whether the organisation has the right values, but where escalation pathways exist on paper yet fail in practice. Not whether people can speak up, but whether they do. Not how many issues are reported, but where under-reporting may itself be a signal of cultural risk.
This is a different kind of oversight. It blends qualitative judgement with behavioural indicators and recognises that friction, challenge and unease are often signs of healthy governance, not governance failure.
As supervisory expectations evolve, boards that continue to rely on polished cultural narratives without supporting behavioural evidence are likely to find themselves increasingly exposed.
Why 2026 Is the Inflection Point
Several forces are converging rapidly.
- Hybrid and distributed working models have weakened formal oversight and social signalling.
- AI-enabled decision tools are reshaping accountability and delegation.
- Generational shifts are changing attitudes to authority, challenge and escalation.
- Regulators are placing greater emphasis on evidence of outcomes, not statements of intent.
Together, these dynamics are accelerating behavioural change faster than traditional governance frameworks can adapt.
Culture can no longer be managed through narrative alone. It must be operationalised, not reduced to simplistic metrics, but integrated into how risk is identified, challenged and acted upon across the organisation.
This is not a future debate. It is already underway.
From Cultural Rhetoric to Behavioural Governance
The coming year will expose a clear divide.
- Organisations that continue to treat culture primarily as a communications exercise will struggle to explain repeated failures.
- Those who attempt to quantify culture without understanding behaviour risk generating false confidence.
- Those that embed behavioural governance into risk, assurance and accountability structures will quietly strengthen resilience.
Culture was never soft.
It was simply left unmanaged.
In 2026, that will no longer be credible.
Stay up to date with the latest stories from the world of governance, risk, audit and compliance >>>
