
Cultural risk

by Mark Rowe

Culture is a governance imperative in the UK context, according to AuditBoard, a risk platform. The firm has conducted research of senior professionals in Internal Audit, Governance, Risk Management and Compliance (GRC) roles across the UK, Germany and the United States to find out how they approach cultural risk management. The firm writes:

Organisational culture is not a soft issue; it is a systemic driver of risk, performance, and reputation. The UK Corporate Governance Code establishes that “the board should establish the company’s purpose, values and strategy, and satisfy itself that these and its culture are aligned.” This makes culture oversight a formal governance requirement rather than an optional consideration.

Under the revised 2024 code, governance reporting must “focus on board decisions and their outcomes in the context of the company’s strategy and objectives”, making culture assessment not just a compliance exercise but a strategic governance activity.

In both 2023 and 2025, UK GRC leaders consistently recognise culture’s importance. Yet awareness hasn’t translated into structured ownership, effective tooling, or integrated oversight that meets these regulatory expectations.

The SM&CR influence on accountability

The SM&CR, launched in 2016 and extended to all FCA-regulated firms by 2019, aims to “reduce harm to consumers and strengthen market integrity by creating a system that enables firms and regulators to hold people to account.” This regime has fundamentally changed how UK financial services firms approach individual accountability and culture.

Recent evaluation shows that “around 95 per cent of the 120 firms that responded said the SM&CR was having a positive effect on individual behaviour, while around 70pc of PRA supervisors surveyed found the SM&CR had helped them hold individuals to account.” The regime has also demonstrated cultural impact, with “the proportion of respondents (employees) who agreed that senior leaders in their organisation took responsibility, especially when things went wrong, rose from 58pc in 2016 to 68pc in 2022.”

Shared ownership within the UK framework

In 2023, internal audit was positioned as the key driver of culture oversight. While internal audit still plays a vital assurance role under the UK’s three lines of defence model, the complexity of today’s culture-related risks – spanning conduct, ESG, digital behaviour, and stakeholder expectations – requires a broader governance response that aligns with UK regulatory frameworks.

Our 2025 findings show that internal audit alone cannot shoulder assurance on culture risk within the UK’s regulatory environment. Functions like risk management, compliance, and increasingly human resources are engaging with cultural indicators, but they do so in silos, without integration or mutual reinforcement. HR plays a pivotal second-line role in shaping and reinforcing organisational behaviour through people policies, leadership development, and employee engagement, yet is often overlooked in culture risk discussions.

To address this, we must move beyond the idea that any one function “owns” culture within the UK context. Instead, culture risk must be governed through shared responsibility across all three lines of defence:

- The first line shapes and enacts culture through decisions, leadership behaviour, and operational norms.

- The second line (including compliance, risk, and HR) must measure, influence, and monitor culture-related behaviour, often with limited tools and authority but clear regulatory backing.

- The third line (including internal audit) remains essential for independent assurance, but must collaborate more extensively with peers in the second line to ensure oversight reflects lived reality and meets regulatory expectations.

Why this moment matters for UK organisations

Culture risk is now tied to some of the most dynamic and sensitive risk areas UK organisations face, including AI ethics, ESG authenticity, post-Brexit operational changes, and shifting stakeholder expectations. The 2024 Corporate Governance Code’s emphasis on “outcomes-based reporting” and requirements to “expand reporting on corporate culture to include how it has been embedded” make this alignment more critical than ever. If culture isn’t connected across functions and aligned with strategy, UK organisations risk being out of step with regulators, employees, and stakeholders, not to mention opportunities for performance gains that are lost.

We are at a crossroads. One path leads to continued fragmentation, where culture is discussed but not owned. The other leads to connected oversight, where culture becomes a proactive lever for trust, resilience, and performance.

What they say

Richard Chambers, Senior Advisor, Risk and Audit at AuditBoard, says: “When organisations treat culture as a check-the-box commodity, it will remain vulnerable to latent risks, slow responses, and declining trust. In contrast, when culture is embedded into GRC strategy through behavioural insight, shared accountability, and proactive infrastructure, it yields strategic value that fosters resilience and integrity.”

“Across governance, risk, and compliance functions, there’s a growing recognition: culture matters — but also deep uncertainty about what it means and who owns it. This fragmentation is no longer sustainable,” said Sandro Boeri, Culture Advocate and Internal Audit Leader. “To move forward, we must dismantle silos and establish a shared language revolving around behavioural risk — something more concrete and auditable than the abstract notion of culture. This shift requires upskilling, cross-functional collaboration, and smart use of technology.”

For the findings, visit https://auditboard.com/resources/ebook/2025-organizational-culture-and-ethics-report to download the eBook.
