
August 12, 2025

From burning platform to strategic priority: Tackling culture risk in the GRC ecosystem

Richard Chambers

In 2025, we no longer ask whether culture matters. Our new and more pressing question: Why aren’t we managing it like it does?

Culture is now widely acknowledged as a strategic driver of organizational behavior, risk, performance, and reputation. However, many organizations still treat a healthy organizational culture as an aspirational ideal rather than an operationalized, systematically addressed business objective. 2025 organizational culture and ethics report: Tackle culture risks in the GRC ecosystem exposes a startling gap between intention and execution.

This year, I had the privilege of partnering with Sandro Boeri and the team at AuditBoard to produce this report. Our 2025 findings are both affirming and sobering. The survey of more than 400 governance, risk, and compliance (GRC) professionals in North America and Europe clearly shows that while incremental progress has been made, ownership, assessment, and management of culture remain underdeveloped, underintegrated, and woefully undermanaged in most organizations.

The 2025 report builds upon the foundations laid in the 2023 report. It also takes a critical step forward, examining why and how professionals across the three lines must come together to leverage culture as a strategic lever. In other words, connected risk — a cross-functional approach to managing risk across the enterprise — is also the right path forward for transforming culture risk management.

Download the full report for our detailed analysis and recommendations. These top takeaways offer a preview.

1. Culture must move from siloed efforts to shared mandate

Most GRC leaders agree on culture’s vital importance. Nearly all respondents say culture plays a central role in shaping risk and compliance behavior, and 80% see it as essential to governance. However, when examining who owns culture risk, the most obvious answer is “no one.”

This lack of ownership breeds fragmentation and blind spots. While every function plays a role in shaping and understanding culture, each sees it through their own lens. For example, internal audit tends to focus on executive behavior and policy alignment, risk on leadership sentiment and employee surveys, and compliance on training, incident responses, and policy adherence. When each team views the cultural landscape from its siloed perspective, nobody sees the full picture. This increases the risk of missing emerging issues, trends, or other signals that — viewed together — could provide early warning of cultural drift or failure.

Organizations must reframe culture risk as a shared mandate governed collaboratively across the three lines. This requires connecting perspectives; integrating approaches to culture assessment, monitoring, and management; and formalizing ownership and accountability through clearly defined responsibilities. The report provides recommendations for how functions can singly and collectively evolve their capabilities.

2. Many organizations aren’t measuring what matters

Our research confirms that while culture assessment is gaining traction, it’s often reactive and backward-looking. Many organizations still rely on lagging indicators like periodic employee surveys or incident reports. These indicators can tell us when something has gone wrong — but not when something might go wrong. Fewer than half of respondents use real-time behavioral culture risk indicators, and even fewer have predictive tools in place.

Real-time visibility on culture is essential for early detection and proactive responses. It requires a shift from anecdotal data to real-time insight and continuous monitoring. Organizations that lead on culture embed leading indicators (e.g., behavioral analytics) into GRC workflows. They use integrated dashboards and tools that track sentiment, decision-making patterns, and behavioral drift. Proactive culture leaders don’t just detect cultural risks earlier — they build a system of shared accountability that promotes integrity, resilience, stakeholder trust, cross-functional alignment, and performance.

3. A strong culture is a strategic imperative, not a “nice-to-have”

Culture shouldn’t be treated as a side conversation, special project, or afterthought. Rather, culture should be understood as the all-important operational context in which risks unfold and decisions are made.

That’s why our report is a cross-functional call to action to start managing culture as the strategic asset it surely is. Of course, as the 2023 report explained, culture drives employees’ behavior and mindsets, but individual employees’ decisions also shape culture. Accordingly, the 2025 report emphasizes the need for a structured culture risk model that creates the conditions for clear ownership roles, shared insight and action, connected and aligned execution, and board-level oversight enabled by transparent reporting. Download the full report for more information on the infrastructure, tools, frameworks, and reporting organizations can use to enable such models.

4. One size doesn’t fit all — context and nuance matter

Organizational cultures are also shaped by the societies and systems in which our businesses operate. Indeed, the 2025 findings identify key variances in how different regions define, manage, and measure culture. For example, in the US, cultures are often reactive, shaped more by political pressure than strategy. In the UK and Germany, however, other forces (e.g., policy, performance, board engagement, metrics) tend to dominate.

The key takeaway is that rigid one-size-fits-all culture risk models are unlikely to gain traction across diverse regions. Organizations operating globally should be sensitive to nuances, empowering regional leadership to interpret and apply culture risk frameworks in ways that resonate with their teams.

5. Internal audit must make culture assurance core to its mandate

As longtime advocates of internal auditors taking a proactive role in culture, Sandro and I are encouraged by findings suggesting that many teams are rising to the challenge. But our findings reveal a sizable gap between aspiration and execution. Most internal auditors still treat culture as an occasional topic, not a core audit plan element.

Results also show that internal audit often faces resistance rooted in internal politics and resource constraints. Fortunately, The Institute of Internal Auditors’ (IIA’s) recently released public consultation Topical Requirement on Organizational Behavior will be a game-changer. Sandro participated in the drafting of the requirement (open for public comment through August 22, 2025), which calls on auditors to evaluate not only the design of behavioral controls, but also their operational effectiveness. Such bold direction is needed to overcome resistance.

Make the case for a connected culture risk model

A healthy culture is a critical strategic lever organizations can use to protect, enhance, and create business value. It’s high time we stop treating it as aspirational, and start doing the work to make it operational.

As the 2025 organizational culture and ethics report: Tackle culture risks in the GRC ecosystem makes clear, cultural governance transformation requires a connected culture risk model in which all three lines share and operationalize culture ownership, data, and insights. This requires all players to commit to meaningful evolution, including challenging outdated assumptions, integrating culture into GRC workflows, and improving behavioral fluency. Together, we have the power to lead culture forward.

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
