
Risk Is Cultural Before It Is Technical

June 2026 Chris Johnson

At some point, most leaders in regulated industries notice the same thing. Their compliance function has quietly shifted from a problem-solving team into a permission-denial machine.

Novel questions get slow answers. New initiatives hit walls that nobody can fully explain. The word no arrives faster than any analysis could justify.

It is tempting to call this a talent problem, or a process problem, or a resourcing problem. It is usually none of those things. It is a culture problem. And it starts long before anyone opens a policy manual.

Controls Do Not Run Themselves

Every compliance program is built on a reasonable premise: document the rules, design the controls, train the people, monitor the outcomes. It is logical. It is auditable. And it creates a quiet illusion that if the framework is sound, the organization is protected.

What the framework cannot account for is the human layer beneath it. Whether people surface problems early or absorb them quietly. Whether compliance is treated as a shared organizational function or a department that exists to say no. Culture is what fills that gap. And in regulated industries, the culture either makes the controls work or makes them irrelevant.

What Your People Are Already Carrying

Before we talk about what happens inside your organization, it is worth acknowledging what your people are walking in with. Geopolitical instability. Economic uncertainty. The permanent background noise of a news cycle that does not stop and rarely reassures.

Many of your employees are in something close to survival mode before they open their laptops. Your organization may be one of the few places in their lives right now where clarity, support, and genuine problem-solving are possible. Leaders who recognize that are not just doing right by their people. They are building something competitors cannot easily replicate.

What Pressure Does to Decisions

Chronic stress and burnout do not just affect how people feel. They change how people decide.

When compliance teams are stretched thin and operating in an environment where being wrong carries disproportionate personal cost, defensive behavior becomes rational behavior. The answer to almost every novel question becomes no, not because no is the right answer, but because no is the safe one. It ends the conversation faster than "let me find the best path to yes."

Nearly six in ten compliance officers report feeling burned out, with more than half experiencing extreme job stress. A team operating at that level is not resourced to be a strategic partner. It is resourced to survive.

The goal of a healthy risk culture is not to make compliance easier. It is to make the right answer easier to find together. And when organizations do not get there, the people best positioned to build that culture eventually stop trying and start looking.

What the Exits Are Telling You

When compliance and risk talent leaves, the visible cost is the recruiting budget. The less visible cost is harder to locate because you often do not know where it is until something goes wrong.

The person who held three years of informal regulatory context that never made it into a policy document. Who understood why a specific control was designed the way it was. When that person leaves, they do not just take knowledge with them. They take the map.

Gallup data shows that poor engagement and workplace culture account for 37 percent of the reasons employees leave, well ahead of compensation at just 11 percent. Organizations losing compliance talent are not usually losing to higher-paying competitors. They are losing to better-run ones.

Where to Start

None of this requires a transformation initiative to fix. For most leaders, it comes down to three structural decisions that signal clearly and consistently what the organization actually values.

Train for intent, not just rules. The next time you commission compliance training, add one requirement: every module must open with the risk story behind the regulation. What harm was it designed to prevent? People who understand intent navigate grey areas. People who only know the rules wait to be told what to do.

Create a protected space for hard questions. Stand up a monthly forum, sixty minutes, compliance leads and one business unit representative from each major function. The purpose is surfacing questions without clean answers yet. Your job in that room is not to resolve everything. It is to be present and make it visibly clear that raising a hard question is career-neutral.

Treat recovery time as a risk management tool. Pull up your compliance team's activity for the last thirty days. Consistent late-night and weekend responses mean you do not have a dedicated team. You have a burned-out one. Define what constitutes a genuine emergency versus a habit of urgency, and model it yourself. A leader who sends non-urgent messages at 11pm has already answered the question of whether recovery time is actually protected.

The Question Worth Carrying

Risk culture is not built in a policy revision or a training rollout. It is built in the daily experience of whether your people believe that raising a hard question is safe and that the organization is oriented toward finding the right answer rather than avoiding the wrong one.

The organizations that get this right do not just have fewer compliance failures. They have more capable, more durable teams and a meaningful advantage over every competitor still treating risk as a function rather than a culture.

That is not a compliance outcome. That is a leadership one.

Chris Johnson is a compliance and risk executive and member of the Wryver bench, with 15 years building regulated financial services businesses. He has served as CCO and board-level executive, navigated de novo bank charter processes, and advised on M&A transactions. He is currently CEO of Brightlane, a tech-enabled consulting firm that builds and operates compliance infrastructure for bank-fintech partnerships.