The Strategic Importance of Managing Culture Risk

Guest Author: Jacqueline McGinn | Founder, Aurora Leadership | BVC Senior Associate
www.auroraleadership.ca

Summary

In today’s complex and volatile business environment, the alignment of organisational culture with strategic objectives is no longer a soft issue. Culture shapes how risks are perceived, decisions are made, and strategies are developed and executed. It is a critical driver of strategic success or failure.

When misaligned, it can quietly undermine even the most well-crafted plans. As strategic risks become more interconnected and dynamic, organizations must recognize that their internal culture plays a central role not only in execution but also in shaping their ability to identify, respond to, and withstand strategic challenges. In practice, most organizations operate along a spectrum, where elements of culture may simultaneously support or hinder different aspects of performance.

Framework for Considering Culture Risk

In their influential work Managing Risks: A New Framework, Mikes and Kaplan (2015) categorize organisational risks into three broad types:

  • Preventable risks: Internal and controllable risks that should be eliminated or avoided (e.g., operational failures, ethical lapses).

  • Strategy risks: Risks accepted by management as part of pursuing strategic returns (e.g., entering new markets, launching new products).

  • External risks: Risks arising outside the organization’s control (e.g., natural disasters, geopolitical shocks).

Culture risk, defined as the potential for organisational values, behaviours, and norms to misalign with strategic goals, can be classified as both a preventable and a strategic risk. As a preventable risk, culture may contribute to operational inefficiencies, weak collaboration and planning as well as misconduct, regulatory breaches, and weak or compromised decision-making. As a strategic risk, a misaligned or dysfunctional culture can distort or delay strategic choices and execution, especially in times of uncertainty, transformation or innovation.

Mikes and Kaplan (2015) emphasize the need to embed culture into the fabric of enterprise risk management (ERM). Organizations that fail to do so risk allowing cultural blind spots to undermine both performance and resilience. High-performing organizations realize this. They treat culture as part of enterprise risk management (ERM), embedding it into governance, metrics, and strategic oversight.

In addition, the rapid emergence of advanced artificial intelligence (AI) introduces a new category of external risk that interacts directly with organisational culture. While AI itself sits outside the organization’s control, how it is adopted, governed, and used is deeply shaped by internal norms, values, and leadership behaviours. In this way, AI amplifies existing cultural strengths and vulnerabilities: cultural gaps may enable misuse, over-reliance, or ethical lapses, while strong cultures establish appropriate boundaries, accountability, and disciplined use.

Culture and Insider Risks: A Critical Link

One of the most underestimated manifestations of culture risk is insider risk. Insider risks arise when employees, contractors, or other internal actors intentionally or unintentionally compromise the organization’s security, operations, or strategy. These threats are especially dangerous because they are difficult to detect and often facilitated by a permissive or disengaged cultural environment. Research shows that cultural conditions such as low trust, disengagement, unclear ethics, or weak leadership increase the likelihood of insider risks (Greitzer & Frincke, 2010). For example:

  • Employees who feel undervalued or resentful may engage in sabotage or data theft.

  • A culture that lacks accountability may allow poor practices to go unchallenged.

  • If reporting mechanisms are absent or distrusted, early warning signs are missed.

More recent reports reinforce this:

  • The Ponemon Institute’s 2023 Cost of Insider Risks Global Report found a 26% increase in insider incidents since 2020, with cultural factors such as burnout and disengagement strongly correlated.

  • The Carnegie Endowment (2022) emphasizes that insider threats in cybersecurity are not purely technical issues but deeply cultural, rooted in weak governance and poor leadership oversight.

  • Gartner (2024) frames insider risk as a cultural and leadership issue, urging organizations to focus as much on “trust, ethics, and accountability” as on monitoring technologies.

The proliferation of generative AI tools further heightens insider risk. Employees now have unprecedented ability to access, generate, and disseminate information, often outside traditional controls. In such an environment, culture becomes even more critical: norms around responsible use, confidentiality, and professional judgment determine whether these tools enhance performance or introduce new vulnerabilities.

Thus, insider risks are not just security issues. They are culture concerns. High-performing organizations address insider risks using an integrated approach that includes values-based and accountable leadership, trust-building, and clear behavioural expectations, all of which fall under the umbrella of culture management.

The Barrett Model®

To better understand how cultural conditions shape behaviours such as those underlying insider risks, it is useful to examine how organisational cultures operate and can shift in response to leadership and strategic imperatives.

The Barrett Model provides a developmental framework for understanding how organisations progress from foundational needs, such as survival and control at the lower levels, to purpose and service at the higher levels (Barrett, 2016). Organisations operating at lower levels (Levels 1–3: Viability, Relationships, Performance) tend to prioritize control, hierarchy, and risk aversion, often leading to more compliance-driven or fear-based cultures. Such cultures may appear stable, but they are inherently more fragile, particularly under stress or disruption.

Conversely, at Level 4 (Evolution), organisations shift from more rigid, hierarchical structures to adaptive, inclusive systems that empower employees to operate with accountability. As organisations progress to Levels 5–7 (Alignment, Collaboration, Contribution), they reflect a focus on shared purpose, long-term sustainability and societal impact. Organisations at these levels encourage deeper commitment and motivation and greater resilience. As organizations progress from foundational needs (Levels 1–3) to higher-order values (Levels 4–7), their cultures are characterized by:

  • Trust and transparency

  • Shared vision and values

  • Empowerment and accountability

  • Values-based responsible behaviour embedded in daily practice

High-performing and resilient organizations intentionally cultivate higher levels of risk awareness, enabling them to take calculated risks, respond more effectively to uncertainty, and adapt strategies without internal resistance. In other words, cultural maturity is directly linked to performance capacity and strategic success.

Diagnosing Culture

The Barrett Values Centre offers a powerful set of tools to assess and manage culture risk. Central to their approach is the concept of Cultural Entropy®, which measures the degree of dysfunction within an organization. Cultural Entropy measures how much energy is consumed by unproductive work, with high levels often arising from fear-based behaviours like blame, control, confusion and internal competition. High Cultural Entropy is correlated with low employee engagement, low morale, resistance to change, poor collaboration and innovation, and higher incidences of misconduct.

However, Barrett Values Centre’s diagnostic framework goes further. In addition to measuring dysfunction through Cultural Entropy, their assessment tools measure values alignment and balance across the seven levels of the Barrett Model. This enables organizations to identify cultural friction, strategic disconnects, and overemphasis on control or compliance. By tracking cultural evolution over time, leaders gain visibility into how culture supports or hinders strategic agility.

By actively managing culture using these measures and insights, organizations can reduce Cultural Entropy, increase alignment, and build environments conducive to sound judgment, responsible behaviour and strategic agility.

Culture as a Strategic Enabler or Obstacle

When aligned with strategic goals, culture acts as a strategic asset. When misaligned, it becomes a strategic liability. These patterns are not fixed but reflect tendencies within a culture that can strengthen or weaken execution over time.


Strategic Enabler

  • Culture supports innovation and agility

  • Employees are empowered and accountable

  • Clear standards guide decision-making

  • Values align with long-term strategic vision

  • Clear norms and governance for responsible use of emerging technologies (e.g., AI) strengthen decision-making and productivity

Strategic Obstacle

  • Culture resists change and new thinking

  • Siloed thinking and low engagement

  • Misconduct and rule-breaking go unchecked

  • Short-termism and fear-dominated behaviours

  • Weak or unclear governance of AI use leads to ethical breaches, data risks, and flawed decision-making


 

Leadership as the Ceiling of Culture

Leaders set the “cultural ceiling”. Their values, behaviours, and standards powerfully define what is considered acceptable, aspirational, or off-limits.

In practice, when leaders prioritize long-term purpose, employees align their decisions with sustainable performance. When leaders embody transparency and accountability, psychological safety grows and misconduct declines. Conversely, when leaders fail to model, reinforce, and hold others accountable for living stated values in practice, it can cascade quickly into organisational dysfunction.

High-performing organizations recognize leadership development as culture development. They deliberately invest in equipping leaders to operate at higher levels of awareness, knowing that this directly expands the organization’s capacity for sound judgment, values-based decision-making and adaptive strategy.


Practical Implications for Culture Risk and Strategy

To integrate culture risk into strategic risk management, organizations should:

  1. Diagnose and monitor culture regularly using validated tools such as those from the Barrett Values Centre.
    Why: Visibility into cultural strengths and risks enables proactive action.

  2. Embed cultural indicators into performance and risk dashboards.
    Why: Linking culture metrics to performance reinforces accountability and prioritization.

  3. Develop intentional, values-based and accountable leadership and role modeling through training, mentoring, and reflective practice.
    Why: Leadership sets the cultural ceiling and shapes long-term decision quality.

  4. Create mechanisms for employee voice and safe reporting.
    Why: Surfacing ethical concerns early prevents escalation into costly insider risks.

  5. Link values explicitly to strategy.
    Why: Ensuring day-to-day behaviours reinforce strategic goals enhances both execution and long-term resilience.


Conclusion

Culture is not a background variable. It is the operating system that shapes behaviours, influences decision-making, and determines how well strategy is developed and executed. The growing influence of technologies such as artificial intelligence further underscores this imperative. Resilient, high-performing organizations know this and treat culture risk management as performance management.


References

Barrett, R. (2016). The Values-Driven Organization: Unleashing Human Potential for Performance and Profit. Routledge.

Carnegie Endowment for International Peace. (2022). Insider Threats and Cybersecurity. Retrieved from https://carnegieendowment.org.

Gartner. (2024). Insider Risk as a Cultural and Leadership Challenge. Retrieved from https://www.gartner.com.

Greitzer, F. L., & Frincke, D. A. (2010). Combining traditional cyber security audit data with psychosocial data: Towards predictive modeling for insider risk mitigation. Insider risks in Cyber Security, 85–113. Springer.

Mikes, A., & Kaplan, R. S. (2015). Managing risks: A new framework. Harvard Business Review, 93(6), 48–60.

Ponemon Institute. (2023). 2023 Cost of Insider Risks Global Report. Proofpoint. Retrieved from https://www.proofpoint.com.

NOTE: This article was prepared with the support of AI-assisted research and drafting tools. All conclusions and interpretations are those of the author.
