Compliance Is Not the Enemy, Culture Is

Christina Harawa

11/24/20254 min read

In many organizations, “compliance” has become a dirty word.

It’s blamed for slowing things down, killing innovation, and creating layers of red tape that make it harder to get real work done. When something goes wrong, be it a control failure, a regulatory breach, an ethical lapse, the conclusion is often the same: compliance didn’t work. Or worse, the compliance team didn’t warn us.

But those conclusions are usually wrong. Compliance is rarely the problem. Culture is.

Take for example, my favorite football team: The Washington Commanders. The Commanders haven’t struggled in the last decade because they misunderstood the rules of football. They struggled because of culture, leadership instability, unclear accountability, and erosion of trust which ultimately undermined execution on the field. The same is true in organizations: when culture is weak, no amount of rules will produce consistent results.

The Illusion of Control

Many leaders respond to risk by adding more rules. More approvals. More training. More sign-offs.

On paper, this looks like progress. In practice, it often creates the illusion of control rather than control itself.

Tick-the-box compliance can tell you that a process exists, that a policy was acknowledged, or that a training course was completed. What it cannot tell you is whether people believe in those controls, respect them, or follow them when it’s inconvenient.

The uncomfortable truth is this: an organization can be fully compliant on paper and deeply unhealthy in practice.

Culture Always Wins

Controls don’t operate themselves. People operate them. And people take their cues from culture, especially from leadership behavior. What gets rewarded, tolerated, or ignored.

If leaders talk about integrity but reward results at any cost, the message is clear. If deadlines are unrealistic but control failures are unacceptable, people will find ways around the controls. Not because they’re unethical, but because they’re responding rationally to the environment they’re in. In each case, culture sends a louder message than any policy ever could. When culture rewards speed over integrity, loyalty over honesty, or silence over transparency, controls become performative. People comply when observed and cut corners when they believe it is necessary to succeed. Over time, this creates an environment where compliance exists, but trust does not.

This is where many control environments (or NFL locker rooms) quietly break down.

Rules Don’t Replace Judgment

Another problem with over-reliance on compliance is the assumption that rules can cover every situation. They can’t.

Business is messy. Risk is dynamic. Employees face grey areas all the time whether conflicting priorities, incomplete information, pressure from customers or internal stakeholders. No policy manual can anticipate all of that.

In those moments, people don’t reach for the rulebook. They rely on judgment. And judgment is shaped by culture.

This is the difference between:

  • “What am I allowed to do?” and

  • “What is the right thing to do?”

Compliance answers the first question. Culture answers the second. The difference matters more than any control design.

Why Leaders Default to Compliance

If culture is so important, why do so many organizations still default to compliance-heavy responses?

Because compliance feels safer.

It’s tangible. It can be measured, audited, and reported. Culture is harder. It requires consistency, self-awareness, and often uncomfortable reflection, especially for leaders.

You can outsource compliance activities. You cannot outsource culture.

A compliance program can be owned by a function but Culture is owned by everyone and modeled by leaders.

Building a Culture That Strengthens Control

Strong control environments aren’t built by choosing culture or compliance. They’re built by making sure the two support each other.

Below are a few ways to consistently make a difference and shift the balance:

  • Design Controls for Humans: Controls and risks associated should make sense to the people using them. If a control feels pointless or disconnected from real risk, it will be bypassed.

  • Make Ethical Leadership Visible: Leaders need to be visibly accountable. When senior people own control failures, not just delegate fixes, controls gain credibility.

  • Align Incentives with Company Values: Incentives matter. When performance is measured purely by outcomes, controls will always lose. But when ethical behavior and risk ownership are genuinely valued (and rewarded) behavior follows. That means embedding “doing the right thing” into how performance is measured. For example, instead of only celebrating an engineering team for shipping three of four planned features, celebrate shipping three features with zero critical or high-risk vulnerabilities too.

  • Encourage and Protect Speaking Up: Employees must believe that raising concerns is safe, valued, and acted upon. Several high-profile airplane safety failures in recent years demonstrate how pressure and silence can neutralize even sophisticated control environments.

  • Lastly, treat compliance as an enabler and not an obstacle: Controls exist to protect people, decisions, and reputations. Organizations that communicate this effectively transform compliance from a burden into a shared responsibility.

These dynamics aren’t theoretical. We’ve seen them play out in professional sports, tech scale ups and global manufacturers. all organizations with extensive rules, controls, and oversight, yet cultures that quietly undermined them. The lesson is consistent: controls don’t fail in isolation; culture fails them first.

The Real Question Leaders Should Ask

Instead of asking, “Are we compliant?” leaders would do better to ask, “What behavior are we encouraging right now?”

Because behavior tells the truth.

When culture supports doing the right thing even when it’s uncomfortable compliance stops being a burden. It becomes a framework that helps good people make good decisions consistently.

Final Thought

Compliance isn’t the enemy of strong control environments. It’s a necessary foundation.

But culture determines whether that foundation holds under pressure.

Organizations don’t fail because they lack rules. They fail because their culture quietly teaches people when it’s acceptable to ignore them.

And that’s something no policy can fix.

CMH Consultancy
Contacts

info@cmhconsultancy.com
+31 658567997

We respect your privacy. Any information submitted through our forms is used solely for responding to inquiries and providing requested services. We do not sell or share personal data with third parties unless required by law. By using this site, you consent to our basic use of cookies for functionality and performance.