I've watched a dozen organizations in the past five years try to build compliance programs by drafting policies, sending an email about them, and checking a box. Every single one of them failed when it mattered. When the auditor showed up, when the breach happened, when the regulator came asking questions—that's when they discovered their "program" was a stack of PDFs no one had read and behaviors no one had changed.

Building a culture of compliance isn't about documentation. It's about changing how people actually work. That requires leadership accountability, incentive structures that don't reward shortcuts, and environments where people feel safe speaking up when they see problems. The gap between what's written in your policies and what happens on Tuesday afternoon when someone's under pressure—that's where your real compliance posture lives.

This isn't theoretical. I've built these programs in healthcare organizations handling PHI, defense contractors managing CUI and ITAR-controlled data, and federal contractors navigating NIST 800-171. The patterns that work and the patterns that fail are consistent across industries.

Why Most Compliance Programs Stay on the Shelf

The typical compliance program starts with a consultant or internal team writing policies. Someone holds a training session, gets signatures on acknowledgment forms, and declares success. Six months later, IT discovers people are still using personal Dropbox accounts for work files, still emailing unencrypted documents, still granting access based on phone calls instead of tickets.

The problem isn't that people are malicious. The problem is that the organization never actually changed the work environment to support compliant behavior. Compliance stayed theoretical while operational pressures remained concrete and immediate.

In my experience, programs fail at the shelf stage for three reasons. First, leadership treats compliance as a checkbox exercise rather than an operational priority. Second, following the rules is harder than breaking them, and nobody fixed that imbalance. Third, the organization never built feedback loops that surface non-compliance early, when it can still be corrected without drama.

You can identify a shelf-stage program by asking three questions. Can a random employee explain why a specific control exists? Can they describe what happens if they can't follow a procedure? Do they believe their manager cares more about the documented process or the expedient result? The answers tell you everything.

Leadership Accountability: Where Culture Actually Starts

Culture flows from leadership behavior, not from mission statements. If your executives ask for information that requires compliance violations to produce on the requested timeline, you don't have a compliance culture. If managers are measured solely on delivery speed with no weight given to how that delivery happens, you don't have a compliance culture. If the CEO talks about security and privacy in all-hands meetings but leadership meetings never include those topics, you definitely don't have a compliance culture.

The pattern I see in organizations that actually build this culture starts with consequence symmetry. When someone violates a control, there's a conversation and potentially a consequence. But when someone reports a violation or flags a compliance risk that delays a project, that person needs to be protected and ideally rewarded. Most organizations get the first half right and completely miss the second half.

I worked with a healthcare organization where the CEO started every leadership meeting with a five-minute compliance briefing. Not because there was always news, but because it signaled priority. Within six months, every department head had incorporated the same practice into their team meetings. Within a year, compliance issues were surfacing weeks earlier than they had before, when they could still be solved without crisis management.

Making Accountability Visible

Accountability requires visibility. That means compliance metrics in the same dashboards where you track revenue and delivery. It means naming owners for specific controls and frameworks, not hiding behind "the compliance team" as a black box. It means executives demonstrating compliance with the same rules that apply to everyone else—no executive carve-outs for mobile device management, no special exceptions for email retention, no separate standards for remote access.

One defense contractor I advised had struggled with ITAR compliance for years. The breakthrough came when the CEO put his own laptop through the same approval process required for everyone else accessing technical data. The symbolism mattered, but the operational effect mattered more: it forced leadership to understand whether the process was actually workable or just theoretical.


Incentive Alignment: Making Compliance Easier Than Non-Compliance

People generally follow the path of least resistance. If violating a policy is faster, easier, and carries no real consequence while following it is slow, bureaucratic, and makes you miss deadlines, you'll get violations. The answer isn't harsher penalties. The answer is fixing the friction imbalance.

I've seen this play out most clearly with access control. Organizations implement strict access request processes that require multiple approvals and take three days to complete. Then they wonder why people share credentials or leave systems logged in. The access process didn't balance security with operational reality, so operational reality won.

Building a culture of compliance requires changing the cost-benefit calculation. That means making compliant tools and processes at least as convenient as non-compliant alternatives. It means measuring and reducing approval latency for legitimate requests. It means building automation that reduces the manual burden of compliance activities. It means celebrating examples where following procedure caught a problem before it became a breach.

Positive Reinforcement Structures

Most compliance programs are built entirely on negative reinforcement: training that emphasizes penalties, policies that threaten consequences, messaging that focuses on what not to do. That approach creates a culture of fear-based box-checking, not genuine buy-in.

Organizations that succeed add positive reinforcement. They recognize teams that identify and fix compliance gaps. They showcase examples where controls prevented actual harm. They incorporate compliance metrics into promotion criteria for leadership roles. They make compliance success visible in the same way they make sales success or delivery success visible.

A healthcare system I worked with created a quarterly award for the department with the best improvement in security awareness metrics. The prize wasn't large—a catered team lunch and recognition at the all-hands meeting. But the visibility changed behavior faster than any policy revision or training mandate had.


Building a Speak-Up Culture That Functions Under Pressure

Every organization claims to want people to report problems. Most organizations have actually built environments that punish problem reporters. The person who flags that a new tool isn't HIPAA-compliant becomes the obstacle preventing the team from using that tool. The engineer who points out that a deployment shortcut skips required security steps becomes the reason for a missed deadline. The messenger gets blamed for the message.

A functioning speak-up culture requires three elements. First, visible protection for people who raise concerns, especially when those concerns turn out to be wrong or overstated. Second, leadership response that focuses on fixing the issue rather than finding someone to blame. Third, feedback loops that show reporters their concern was heard and addressed, or explain why it wasn't a problem.

I've watched speak-up cultures break down in real time. A junior analyst discovers that production data is being used in a non-compliant testing environment. She reports it to her manager. The manager escalates it, which triggers a crisis meeting. The project gets delayed. Three months later, the analyst is informally excluded from project planning because she's seen as someone who "blocks progress." She learns the lesson: next time, stay quiet.

Anonymous Reporting Isn't Enough

Many organizations implement anonymous reporting hotlines and consider the problem solved. But anonymous reporting is a last resort, not a primary mechanism. If your culture requires anonymity for people to feel safe reporting compliance issues, you have a much deeper problem than a reporting mechanism can solve.

The goal is an environment where people can raise concerns openly, with their name attached, and not face retaliation or informal penalties. That requires consistent leadership response over time. Every time a concern is raised and the response is "thank you for flagging this" rather than "why are you making my life harder," you reinforce the right behavior. Every time someone faces consequences for raising a concern, you destroy trust that takes months to rebuild.

For more detail on where these dynamics typically break down, see my article on common compliance program failures—many of them trace back to a broken speak-up culture that wasn't recognized as such.


How Compliance Behavior Actually Spreads

Compliance behavior doesn't spread through policy distribution. It spreads through observed peer behavior and management reinforcement. New employees learn how things actually work by watching what their colleagues do, not by reading the employee handbook. If they observe shortcuts being taken without consequence, they adopt those shortcuts. If they observe compliant behavior being modeled and rewarded, they adopt that instead.

This is why the early culture-building phase is so critical. The patterns that get established in the first year of a compliance program tend to persist. If you allow exceptions and workarounds early because you're "still ramping up," those exceptions become the actual standard. If you hold the line early even when it's inconvenient, compliance becomes the default expectation.

I worked with a defense contractor bringing a new engineer cohort into an ITAR-controlled environment. The company invested in a detailed onboarding process where new engineers shadowed experienced ones for their first month. Every access request, every technical data transfer, every visitor interaction was modeled by someone who did it correctly. Within six months, that cohort had the lowest ITAR violation rate in company history. They learned how work actually happens from people who were doing it right.

Middle Management Is Your Leverage Point

Executive commitment matters, but middle managers determine whether culture change actually reaches the front lines. A committed CISO and supportive CEO can't overcome a layer of middle managers who see compliance as overhead that interferes with their departmental goals.

The most effective approach I've seen is making compliance performance a formal part of management evaluation. Not just whether their team had violations, but whether they proactively identified risks, whether they resourced compliance activities appropriately, whether they created an environment where their team felt comfortable raising concerns. When promotion to senior management requires demonstrating those capabilities, middle managers start taking them seriously.

A federal contractor I advised struggled for years to get engineering managers to care about NIST 800-171 controls. The breakthrough came when the VP of Engineering made control compliance a standing agenda item in every one-on-one with managers, with the same weight as delivery metrics. Within two quarters, engineering's control compliance rate went from 73% to 94%. The controls hadn't changed. The management focus had.

Measuring Culture: Beyond Compliance Audits

You can't manage what you don't measure, but measuring culture is harder than measuring control implementation. Audit results tell you whether controls exist and function. They don't tell you whether people understand why those controls matter, whether they'd follow them when no one's watching, or whether they'd speak up about problems before an audit forces the issue.

The pattern I use involves three measurement categories. First, leading indicators: time-to-report for compliance issues, percentage of issues caught internally versus externally, employee survey responses about psychological safety around raising concerns. Second, behavioral indicators: exception request rates, workaround frequency, access control violation patterns. Third, outcome indicators: audit findings, regulatory actions, breach root causes.

Most organizations only measure the third category. That's like trying to manage health by only tracking mortality rates. By the time outcome indicators move, you've already succeeded or failed. Leading indicators let you course-correct while there's still time.

What Good Survey Questions Look Like

If you're going to survey employees about compliance culture, the questions matter. Generic questions like "Do you understand our policies?" produce useless data because everyone says yes whether they do or not. Better questions probe specific behaviors and scenarios.

Questions I've found useful: "In the past month, have you observed a potential compliance issue? If yes, did you report it?" That tells you about both observation and reporting behavior. "If you couldn't follow a required procedure because of time pressure, what would you do?" That tells you what people actually believe is expected, not what they think they should say. "Do you believe your manager would support you if raising a compliance concern delayed a project?" That tells you about psychological safety.

The responses need to be anonymous or you won't get honest answers. But the aggregated data, broken down by department and management chain, will show you exactly where your culture is strong and where it needs work. For organizations building the business case for this investment, I've written about how to demonstrate ROI for compliance programs that include these cultural elements.


Integration: Making Compliance Part of How Work Gets Done

The goal isn't to create a compliance program that runs parallel to operations. The goal is to integrate compliance requirements into operational workflows so thoroughly that people follow them without thinking about it as a separate compliance activity. When access control is part of the standard onboarding checklist, when data classification is part of the document creation template, when privacy review is part of the feature release process—that's when a culture of compliance becomes sustainable.

This integration requires collaboration between compliance, IT, and operational teams. It requires understanding actual workflows, not theoretical ones. It requires willingness to modify both compliance requirements and operational processes to find sustainable middle ground. I've seen too many compliance teams design theoretically perfect requirements that are operationally impossible, then express shock when no one follows them.

A healthcare organization I worked with integrated HIPAA controls into their electronic health record system through smart defaults and workflow automation. When a clinician created a patient note, the system automatically classified it correctly and applied appropriate access controls. When someone requested access to a medical record, the system routed the request based on relationship and role, with most legitimate requests approved automatically within minutes. Compliance became the path of least resistance instead of an obstacle.

Technology as Cultural Enabler

Technology alone doesn't create culture, but it can reinforce or undermine it. Security tools that generate dozens of false positives train people to ignore alerts. Access control systems that require ten clicks for routine tasks train people to find workarounds. Monitoring systems that feel like surveillance train people to game the metrics.

Good compliance technology makes the right thing easy and the wrong thing hard, without feeling punitive. It provides guardrails, not roadblocks. It automates routine compliance activities so humans can focus on judgment calls. It surfaces risks early enough that they can be addressed proactively rather than reactively.

The best implementations I've seen came from cross-functional design teams that included compliance, IT, and end users. They prototyped solutions, tested them with real workflows, and iterated based on actual friction points. They measured compliance metrics, but they also measured operational metrics like time-to-access and support ticket volume. They optimized for both.

Sustaining Culture: What Happens After Year One

Building culture takes a year. Sustaining it takes continuous effort. The patterns that work in year one don't automatically persist. People leave, new people join, organizational priorities shift, and what was once reinforced becomes assumed. Assumptions are where culture dies.

Sustained culture requires continuous reinforcement through multiple channels. Regular leadership messaging, not just during compliance awareness month. Ongoing recognition of positive examples. Persistent measurement and feedback. Integration of compliance topics into regular management meetings and operational reviews. Visible consequences when violations occur, especially at senior levels.

I've watched strong compliance cultures degrade after leadership transitions. The new executive team didn't explicitly reject the previous culture, but they stopped reinforcing it. They removed compliance metrics from executive dashboards. They eliminated the standing compliance agenda item from leadership meetings. They made subtle comments suggesting compliance concerns were slowing the business down. Within eighteen months, the organization was back to treating compliance as a checkbox exercise, and audit findings reflected that shift.

Adapting Culture to New Requirements

Regulations change. New frameworks emerge. Your organization enters new markets or adopts new technologies that bring new compliance obligations. A mature compliance culture can adapt to these changes more easily than an immature one, but adaptation still requires intentional effort.

The key is connecting new requirements to existing cultural values rather than treating them as completely novel obligations. When CMMC requirements emerged for defense contractors, organizations with strong existing compliance cultures framed them as an extension of existing security and access control practices. Organizations without that foundation treated CMMC as an alien imposition and struggled much more with implementation and culture change.

When your organization is navigating multiple frameworks—HIPAA, ITAR, NIST 800-171, state privacy laws—the cultural foundation becomes even more critical. People can't memorize every control in every framework, but they can internalize principles: protect sensitive data, verify access before granting it, report issues when you see them, document what matters. Those principles apply across frameworks.

Common Pitfalls and How to Avoid Them

Every organization building compliance culture makes mistakes. I've made most of them myself. The goal isn't perfection; it's learning from common pitfalls before they derail your effort.

The first pitfall is moving too fast. You can't change organizational culture in a quarter. Attempting to do so produces superficial compliance: people saying the right things while continuing to do what they've always done. Sustainable culture change takes a year minimum, and often two. Accept that timeline or accept that you'll need to rebuild later.

The second pitfall is assuming training equals culture change. Training is necessary but not sufficient. People sitting through a presentation and passing a quiz doesn't mean they'll behave differently when under pressure next Tuesday. Training needs to be paired with environmental changes, incentive alignment, and persistent reinforcement.

The third pitfall is treating culture building as a compliance team responsibility. The compliance team can design the program and measure the results, but they can't change culture. That requires leadership buy-in, middle management execution, and peer reinforcement. If culture building stays inside the compliance function, it fails.

The fourth pitfall is underestimating the importance of quick wins. Culture change is a long-term effort, but people need to see progress in the short term. Find problems that can be fixed quickly, fix them visibly, and communicate the results. Early wins build momentum and credibility for the longer-term changes that take more time.

The fifth pitfall is inconsistent enforcement. If violations sometimes trigger consequences and sometimes don't, people learn that the rules aren't actually rules. Consistency matters more than severity. A predictable response to every violation does more for culture than harsh penalties applied selectively.

The Strategic Implications of Culture-First Compliance

Organizations that build genuine compliance cultures outperform those that treat compliance as documentation. They have fewer breaches, better audit results, lower regulatory risk, and higher trust from customers and partners. These outcomes have direct business value, not just risk reduction value.

In regulated industries, compliance culture becomes a competitive advantage. Healthcare organizations with strong HIPAA cultures win contracts that require demonstrated security capabilities. Defense contractors with strong ITAR cultures get access to programs that others can't touch. Federal contractors with strong NIST 800-171 cultures will maintain access to DoD work while others lose it.

But the strategic value goes beyond winning contracts. Organizations with strong compliance cultures adapt more quickly to regulatory changes. They catch problems earlier when they're cheaper to fix. They avoid the resource drain of crisis management and remediation. They retain employees who value working in ethical, well-run organizations. They build reputations that matter when something does go wrong.

When I talk to boards and executive teams about why this matters, I focus on the operational and strategic implications, not just the compliance ones. A culture where people feel safe raising concerns catches operational problems, quality issues, and ethical lapses—not just compliance violations. A culture where leadership demonstrates accountability and follows through on commitments drives performance across the organization. The compliance outcomes are important, but they're part of a larger pattern of organizational excellence.

If you're building this culture from scratch, expect resistance. Expect setbacks. Expect people who don't believe it will work or don't want to change how they've always done things. Persist anyway. The organizations I've seen succeed are the ones where leadership maintained focus and consistency even when progress felt slow. The ones that failed are the ones where leadership gave up when results didn't materialize in the first quarter.

Culture change is hard. But for organizations operating in regulated environments, it's not optional. The question is whether you'll build it intentionally with a plan, or build it accidentally through crisis response. The former is cheaper, faster, and produces better results.
