drssivanesan.com

When governance fails — truly fails, not just technically falls short — the cause is almost never a missing policy or an undocumented control. It is a culture where the wrong things were permitted, rewarded, or silently tolerated.

This month, I want to address the governance dimension that most frameworks reference but few organisations take seriously: risk culture. Not as a buzzword. As a measurable, manageable, and ultimately board-level responsibility.


The Culture-Governance Gap

In the organisations I have assessed across Singapore, Malaysia, and the wider ASEAN region, I consistently observe a meaningful gap between documented governance and practised governance. The risk appetite statement exists — but business decisions regularly exceed it without formal escalation. The whistleblowing policy is in place — but anyone in the organisation will tell you candidly that using it is career-limiting. The three lines of defence are mapped — but the lines don’t speak to each other.

This gap is not documented in any audit report. It lives in the space between what an organisation declares and how it actually operates.


What Regulators Are Now Measuring

Regulators across the region are evolving beyond documentation review. The supervisory conversations I am aware of are increasingly behavioural: How do senior leaders respond when risk is raised? Is there evidence of psychological safety in escalation processes? Does the board receive genuine risk information — or managed narratives?

MAS’s supervisory approach, BNM’s governance expectations, and the updated IIA Standards all point in the same direction: the quality of governance culture is now part of the assessment, not just the quality of governance documents.


Boardroom Cue

Ask this at your next meeting: ‘What was the last piece of genuinely uncomfortable risk information this board received — and what did we do with it?’ The answer to that question will tell you more about your risk culture than any maturity assessment.


One Idea Worth Sharing

“A governance framework tells you what should happen. Risk culture determines what actually does.”


Final Thought

Culture is not a soft issue. It is the foundation on which every hard control rests. If the culture does not support honest escalation, transparent reporting, and accountability without blame — no framework will compensate for it. That is where governance either holds or breaks. And that is where leadership matters most.


Is your risk culture an asset or a liability? Let’s start that conversation.
