Rethinking Conduct Risk: Why Compliance Alone Is Not Enough
- Christiane Wuillamie

- May 16
- 6 min read
Updated: Jun 2

Risk is not knowing what you are doing. ~ Warren Buffet
Risk is also not knowing what your culture is doing. ~ John R Childress
Corporate culture is one of the most written-about and talked-about topics in business today. And rightly so. Culture is more than just vision, values, or employee satisfaction. Culture has another side: RISK.
Three Examples Of How Corporate Culture Can Create Significant Business Risk
1. Boeing: A "Profit at Any Cost" Culture Silences Safety Voices (2021–2024)
Boeing's culture crisis deepened dramatically after 2020, despite repeated promises of reform following the 737 MAX disasters of 2018–19. Rather than resetting the culture, Boeing maintained a "profit at any cost" approach that led to the suppression of serious product flaws and manufacturing deficiencies. The culture did not foster honesty, integrity, and transparency in reporting quality control problems.
The consequences were severe: in January 2024, a door plug blew out of an Alaska Airlines 737 MAX during flight, triggering a criminal investigation and congressional scrutiny. What made this a culture failure rather than a technical one was the treatment of those who tried to raise the alarm. One whistleblower was fired in April 2023 after flagging improperly drilled holes in fuselages, and later told reporters: "I think they were sending out a message to anybody else — if you are too loud, we will silence you."
2. Credit Suisse: A Toxic Risk Culture Destroys a 167-Year Institution (2021–2023)
Credit Suisse is arguably the most dramatic post-2020 example of culture risk destroying enterprise value. The bank lost the trust of investors and markets due to the combined effects of its involvement in a row of scandals. Switzerland's financial regulator, FINMA, conducted a damning review, revealing that despite 43 preliminary investigations and 108 on-site reviews between 2018 and 2022, the bank's governing bodies were unable to implement long-term solutions to the shortcomings identified — and even in years when the bank reported large losses, variable remuneration remained high. The culture normalized risk-taking without accountability.
The outcome: a forced fire-sale acquisition by UBS for $3.25 billion, wiping out bondholders and erasing 90% of shareholder value since 2021. Culture was not a soft issue here — it was the proximate cause of institutional death.
3. Activision Blizzard: A "Frat Boy" Culture Triggers Regulatory Action and Strategic Collapse (2021–2022)
Activision Blizzard, publisher of Call of Duty and World of Warcraft, became a case study in how a toxic internal culture can metastasize into an existential corporate risk. The company was accused of cultivating a "frat boy" culture that resulted in sexual harassment of female employees, discrimination against women in pay and promotions, and discrimination against pregnant workers. The California Department of Fair Employment and Housing filed suit in July 2021, followed by the EEOC, which alleged violations of federal law through pervasive sexual harassment, pregnancy discrimination, and related retaliation. Compounding the business risk, a Wall Street Journal investigation revealed that CEO Bobby Kotick had intervened repeatedly to prevent or limit discipline of executives found to have engaged in sexual harassment, and had kept such information from the Board.
The legal, financial, and reputational fallout was enormous: settlements, regulatory oversight, mandatory third-party audits, and a deeply damaged employer brand that made talent retention in a competitive industry far harder. The scandal also became a direct factor in Microsoft's $68.7 billion acquisition — the cultural chaos made the company strategically vulnerable at precisely the wrong moment.
The Real Problem: Few Understand Corporate Culture
While the impact of a poor culture may be clear, the understanding of corporate culture is anything but clear, nor is it standard, for that matter.
There are over 70 different culture assessments on the market, each with its own version of “what culture is”. And definitions of corporate culture are equally broad and vague.
No wonder there is a growing discussion among risk professionals about how to define, understand, and manage corporate culture, and cultural risk in particular.
To be useful for running an effective and safe business, culture needs to be seen as a systemic business issue, and not just an HR issue. A business understanding of risk culture refers to the network of factors (culture drivers) within a company that influence and reinforce how employees at all levels behave when confronted with a potential business risk.
Therefore, risk culture is a systemic, organizational issue and cannot be fully understood through employee engagement surveys or even risk or compliance audits.
Employee behavior, whether related to business risk, customer service, or safety, is an outcome of company culture, not the culture itself. Corporate culture is most useful when viewed as an ecosystem of causal factors, with employee behavior is the output. Within the company, numerous operational and policy causal factors interact in a network to influence and reinforce risk attitudes and behaviors. And many of these causal factors never show up in traditional risk assessments or culture surveys.

Consider peer pressure, which we have found to be a strong influence on employee behavior. When your peer group strongly urges you not to speak up, or to short-cut the procedure in order to “get the job done”, few employees have the courage to “go against the tide” and risk being considered an outsider to their work group. Management pressure on schedules and costs is another powerful cultural driver that leads employees to ignore potential risks. These also rarely show up on surveys or assessments. There are numerous other causal factors that determine whether a culture is strong or weak regarding risk attitudes and behaviors.
Culture Mapping Using Analytics and Expertise
If we view culture as a systemic, organization-wide issue, then we must develop new tools to identify the many cultural causal factors within the company, understand how they interact as a culture “ecosystem,” and, more importantly, learn how to proactively manage and improve conduct and compliance.
Using a unique Culture Management Platform™, PYXIS Culture Technologies has developed an innovative approach to identifying and mitigating conduct risk. This approach focuses on the elements within an organization that act as influencers and reinforcers of attitudes and behavior towards risk.
Imagine a conduct risk culture map of your organization, showing strong and weak drivers. By identifying those elements that most impact employee conduct, management can implement specific improvement actions.
Here is an example of a color-coded culture system map, showing multiple drivers as an interrelated operating system that not only impacts the overall culture, but also important business metrics.

With such a visual “digital twin” of your risk culture, it is easy to identify potential risk areas and the causal factors that positively enable good risk behavior. Embedded in the software system is a list of Best Practices for each causal factor, enabling specific improvement actions.
With such a data-driven analysis, conduct risk can be managed and improved.
A Few Important Questions
What are the causal factors of risk conduct in your organization?
Which are enablers?
What acts as barriers, putting your organization at risk?
About PYXIS Culture Technologies
PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience.
By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between strategy and everyday behavior.
The PYXIS approach is effective:
We treat culture as a systemic business issue, not an HR initiative.
We identify key internal business practices that create performance and risk challenges and provide effective solutions you can immediately implement.
We link organizational culture to business and financial metrics, demonstrating clear ROI from strengthening alignment and performance.
Connecting the dots
If the ideas above resonate with what your organization is facing, it may be worth exploring what a structured diagnosis of your cybersecurity culture would reveal.
About the Author

Christiane Wuillamie OBE is an advisor to senior leaders on cybersecurity culture and IT transformation.
She has decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. Christiane is a successful entrepreneur and business executive who founded a pioneering IT services company and grew it 100% year on year into a multimillion-pound enterprise, achieving a successful trade sale in 2001. Christiane’s passion is blending technology, agile tools, and cross-functional business processes with culture change to drive business transformation projects that deliver greater business agility, speed to market, and a significant competitive advantage.