Risk culture has always been the hardest thing to measure in an enterprise. You can audit policies. You can count training completions. You can run annual attestations and collect signed acknowledgments.

What you can't do — with any of those tools — is tell whether your people actually behave differently because of them.

Teneo's 2026 UK Financial Services Chief Risk Officer Survey, drawn from 40 CROs polled in late 2025, makes this tension explicit. Risk culture is now a top-3 priority for a quarter of the CROs surveyed — trailing only cybersecurity and operational resilience. And yet the data infrastructure to actually see and measure risk culture is almost universally absent.

Only 6% of CROs report active data-quality monitoring — even as 25% rank risk culture a top-3 priority for 2026. You cannot manage what you cannot measure. — Teneo UK Financial Services CRO Survey, 2026

The Three-Lines Problem

The three-lines-of-defence model has been the organizing framework for enterprise risk for two decades. First line owns the risk. Second line monitors it. Third line audits it.

On paper, the Teneo survey suggests it's working: 85% of CROs say roles and responsibilities are clearly defined, and 88% say the first line formally owns and manages risk.

In practice, the numbers tell a different story. Only 40% believe the model is consistently understood across their organization, and just half describe the risk mandate as truly embedded across the business. You can have a well-documented framework and a poorly practiced culture simultaneously — and most organizations do.

"Risk culture is not what the policy says. It's what people do when no one is watching, when they're under pressure, when the shortcut is available and the deadline is real. That's behavioral data — and it doesn't live in a compliance system." — Teneo UK Financial Services CRO Survey, 2026

This is the gap. The framework is documented. The behaviors are invisible. And 87% of CROs acknowledge capability gaps — specifically in influencing, technology fluency, and cross-functional leadership — that make closing that gap harder.

Risk Culture Is a People Intelligence Problem

Here's what gets missed when risk culture is treated as a compliance function: risk behavior is fundamentally a people phenomenon. It lives in how individuals respond to pressure, which signals they escalate and which they suppress, who they trust enough to raise a concern with, how they behave when the incentive structure cuts against the policy.

Those patterns don't show up in attestations. They show up in behavior. In communication networks. In which teams escalate and which ones absorb problems quietly. In whether a risk professional's calendar is filled with collaborative sessions or whether they've been slowly isolated from the lines of business they're supposed to be advising.

75% or more of CROs expect risk headcount to increase over the next five years. But adding headcount to a culture you can't see doesn't fix the culture — it just adds more people operating in the same blind spot.

87% of CROs identify capability gaps in their risk function — specifically in influencing, technology fluency, and cross-functional leadership. These are behavioral deficits, not credential gaps. — Teneo, 2026

The Technology Gap Is Actually a Data Gap

The survey shows CROs are planning to invest in technology: 63% plan to implement risk tools for process automation within 12 months, and 55% aim to upgrade risk data and reporting. That's the right instinct — but the data problem runs deeper than tooling.

Only 6% of CROs have active data-quality monitoring. Which means 94% are running risk functions on data they can't verify the integrity of. You can have the most sophisticated risk dashboard in the industry and still be managing on noise if the underlying data quality isn't actively maintained.

This is the same problem that shows up in AI governance. The Teneo survey notes that while most firms have AI usage policies, model inventories, and basic safeguards, few have embedded bias monitoring, ethical review, or ongoing performance tracking. Policy without behavioral monitoring. Framework without feedback loop.

What Risk Culture Actually Requires

Measuring risk culture means measuring behavior — specifically, the behavioral patterns that indicate whether risk thinking is embedded or performed. That requires:

None of this is captured in a compliance system. All of it is captured in the behavioral signals your organization is already generating — if someone is reading them.

The CRO and CHRO Convergence

The most important structural shift in enterprise risk over the next 24 months will be the convergence of the CRO and CHRO agendas. Not organizationally — but informationally. The data that tells a CHRO who is likely to leave is the same data that tells a CRO where the risk function is most exposed. The map of AI agent ownership that a CHRO needs to manage workforce transitions is the same map a CRO needs to understand operational dependencies.

As we wrote in People Risk is Enterprise Risk: the organizations that see people data as risk data — not just HR data — will have a structural advantage in 2026. The CROs who are now prioritizing risk culture are reaching the same conclusion from the other direction. The question is whether the two functions will compare notes before the next incident forces them to.

Risk culture isn't built by writing better policies. It's built by seeing — in real time — whether the organization is behaving the way the policies describe. That's a behavioral intelligence problem. And the tools to solve it already exist. They're just not being pointed at the right questions yet.

For how people risk maps to enterprise risk frameworks, read People Risk is Enterprise Risk. For the hidden cost of workforce decisions made without behavioral visibility, read The Real Intelligence Gap Isn't Artificial.