AuditBoard, the AI-powered global platform for connected risk transforming audit, risk, and compliance, today announced the paradoxical results of its 2025 Organisational Culture and Ethics survey. While nearly all governance, risk, and compliance (GRC) professionals recognise the importance of organisational culture, it remains virtually unmanaged. While culture is the lens through which every risk, decision, and behaviour is expressed, the data found that organisational culture is deeply undermanaged. It’s valued but not fully operationalised, recognised but not owned, measured reactively, and addressed in silos instead of systemically.

AuditBoard partnered with Panterra Research to survey 412 GRC professionals across the United Kingdom, Germany and the USA for its report. Key findings include:

• No one owns culture risk… which creates more risk. While everyone values culture, no single function is accountable for managing culture risk. 80 per cent of respondents agree organisational culture is essential to governance. But when asked how well it’s integrated into enterprise risk management, audit planning, or compliance strategy, most rated their integration as low to moderate. Culture remains a special project, rather than a core risk category, creating gaps, blind spots, and missed opportunities for coordinated action.
• Maturity and Modernisation in the UK. The UK’s regulatory landscape has made culture a formal governance requirement, driven by regulatory developments including the updated UK Corporate Governance Code and the ongoing evolution of the Senior Managers and Certification Regime (SM&CR). 95 per cent of firms said the SM&CR was having a positive effect on individual behaviour, while around 70% of PRA supervisors surveyed found the SM&CR had helped them hold individuals accountable. However, this maturity comes with challenges, as teams experience governance fatigue and a need to modernise legacy frameworks to address newer risks like AI ethics.
• Evolving Regulations Drive Awareness in Germany. The German Corporate Governance Code (GCGC) and the "Minimum Requirements for Risk Management" (MaRisk), are raising the visibility of culture risk in the region. However, a significant gap between intent and implementation persists, as German GRC leaders have failed to develop adequate ownership structures, tools, or oversight to meet these new regulatory expectations. The data reveals this shortfall: only 32 per cent of risk management teams track front-line behavioural risk metrics, and 62 per cent of compliance teams report needing greater integration with the business to meaningfully influence behaviour. With culture risk now intersecting with critical areas like AI ethics and ESG, bridging this gap has become more essential than ever to ensure organisational resilience and integrity.
• The health of organisational culture is measured reactively. Despite culture’s elevated visibility, most organisations continue to rely on reactive, lagging indicators such as incident reports or employee surveys. These sources are useful for identifying when things have gone wrong, but offer little in the way of foresight. Less than half of organisations reported using any form of real-time behavioural indicators, and few had tools in place to support predictive or forward-looking cultural analysis. Without these capabilities, emerging risks often go undetected, and cultural drift is only noticed after it leads to performance, conduct, or reputational failures.
• Tools and infrastructure for managing culture risks are lacking. Despite recognising the importance of culture, most organisations lack the necessary tools, frameworks, and integrated platforms to assess, monitor, and manage culture risk effectively. 37 per cent of respondents reported technology or dashboard limitations being one of the biggest barriers their team faces in using behavioural indicators to manage risk. This absence of infrastructure leaves major blind spots and limits the ability to act on cultural insights.

Richard Chambers, Senior Advisor, Risk and Audit at AuditBoard, commented: “When organisations treat culture as a check-the-box commodity, it will remain vulnerable to latent risks, slow responses, and declining trust. In contrast, when culture is embedded into GRC strategy through behavioural insight, shared accountability, and proactive infrastructure, it yields strategic value that fosters resilience and integrity.”

“Across governance, risk, and compliance functions, there’s a growing recognition:  culture matters — but also deep uncertainty about what it means and who owns it. This fragmentation is no longer sustainable,” said Sandro Boeri, Culture Advocate and Internal Audit Leader. “To move forward, we must dismantle silos and establish a shared language revolving around behavioural risk — something more concrete and auditable than the abstract notion of culture. This shift requires upskilling, cross-functional collaboration, and smart use of technology.”

For the full findings and actionable insights, visit https://auditboard.com/resources/ebook/2025-organizational-culture-and-ethics-report to download the eBook.