Regulations Can Mandate Culture. Only Leadership Can Model It
- juliachinjfourth
- 5 days ago

The 2LOD paradox in operational risk management, and what to do about it
The Compliance Officer who flagged the risk and got labelled "not commercial."
The risk manager whose bonus was tied to deals closed, not deals stopped.
The team that raised concerns and watched them get quietly buried.
We've seen this too many times.
The frameworks were there. The policies were written. The flags were raised. And still, when it was profits vs. compliance, the wrong call got made.
Because 2LOD wasn't making that call. The business leader was. The CEO was. The board was.
If you've lived this or you're watching it happen right now, this is for you.
The 2LOD Paradox
The second line of defence has real power. They can:
- Build frameworks
- Write policies
- Raise flags
- Escalate concerns
- Train staff
- Monitor and report
- Send the memos
Good 2LOD teams do all of this, consistently and professionally. They create the architecture for sound risk management. They make sure the organisation knows what good looks like.
But here's what 2LOD cannot do:
- Make the call when it's profits vs. compliance
- Set the incentive structures
- Hire, fire, or promote
- Walk away from the deal
- Model behaviour from the top
When the deal is on the table and someone needs to say NO, that's not 2LOD's call. That's leadership's call.
Regulators increasingly expect the second line to "instil risk awareness" across the organisation. MAS's recent ORM consultation uses exactly this language (the consultation ends 20 April 2026).
But here's the tension every compliance leader faces: can 2LOD instil culture? Or can they only enable it?
The honest answer: 2LOD can design the architecture. They can sound the alarm. They can hold up the mirror every single day.
But they can't make leadership look.
And they can't control what leadership does when they see their reflection.
This is the 2LOD paradox: accountable for outcomes they don't control.
The Incentive Problem
MAS's consultation requires "incentives for responsible behaviour."
But let's be clear about who designs those incentives.
Incentives are designed by leadership. Incentives are approved by the board. When leadership rewards revenue over integrity, the incentive structure is already broken, before 2LOD even gets involved.
2LOD can recommend. 2LOD can flag. 2LOD can write papers about best practice. But 2LOD doesn't set the bonus pool. 2LOD doesn't decide who gets promoted.
The Patterns That Break Culture
We've seen the same patterns destroy risk culture across organisations:
Bonuses tied to the wrong outcomes. Revenue generated. Deals closed. Targets hit. Nothing about risks avoided. Nothing about concerns raised. Nothing about the deal that should have been stopped.
"Commercial awareness" valued over risk awareness. In performance reviews, the person who "gets things done" is celebrated. The person who slows things down, even for good reason, gets labelled "not commercial." Career-limiting.
Escalations that disappear. The flag gets raised. The memo gets sent. And then... nothing. The deal proceeds. The concern gets "noted." Everyone moves on. The person who raised it learns not to raise the next one.
The wrong people getting rewarded. The person who closed the risky deal gets the promotion. The person who said NO gets passed over. The organisation says it values integrity. The incentive structure says otherwise.
The Question No Regulation Can Answer
Here's the question regulators can't answer for you:
What happens when saying NO costs you your bonus? Your promotion? Your job?
Who protects the person who protects the organisation?
You can have the best 2LOD team in the industry. World-class frameworks. Comprehensive policies. Robust escalation procedures.
But if leadership's incentives point the wrong way, culture follows the money. Every time.
Section 3: What Regulators Expect
The Consultation's Key Requirements
MAS's ORM consultation sets clear expectations:
- "Instilling operational risk awareness" as a 2LOD responsibility
- "Incentives for responsible behaviour" embedded in the framework
- Clear accountability for risk culture outcomes across all three lines
All three lines must "promote a sound risk management culture across the organisation." The second line is specifically responsible for "instilling operational risk awareness and promulgating a sound risk management culture."
It goes further: boards and senior management must "set standards and incentives for professional and responsible behaviour."
But Here's What Regulators Can't Mandate
Regulations can set expectations. Regulations can create consequences for failure. Regulations can put "culture" in black and white.
But regulations can't make leaders lead. Regulators can't mandate:
- Whether your CEO walks away from a bad deal
- Whether your board ties compensation to risk outcomes
- Whether your culture rewards integrity or just revenue
- Whether the person who raises concerns gets protected or punished
The gap between regulation and reality is leadership.
Why This Matters Beyond Singapore
This isn't just a Singapore story.
The consultation aligns with Basel's Revised Principles for Sound Management of Operational Risk. It echoes FSB guidance on risk culture and governance.
The direction of travel is global. What MAS is codifying today, other regulators will expect tomorrow.
But the lesson is universal: you can regulate frameworks. You can't regulate character.
Section 4: The PULSE® Lens - Leadership
At JFourth, we use the PULSE® framework to help organisations understand where culture actually lives.
The L in PULSE® is Leadership.
2LOD can hold up the mirror. Only leadership can decide what they see, and what they do about it.
What "Modelling Culture" Actually Looks Like
Leadership models culture through decisions, not declarations.
Saying NO - publicly, not quietly. When leadership walks away from a profitable deal because of risk concerns, and the organisation knows about it, that's culture. When it happens behind closed doors and no one learns from it, that's just one decision.
Promoting the right people. Not just the closers. The people who flagged issues. The people who asked hard questions. The people who slowed things down for the right reasons.
Tying compensation to risk outcomes. Not just revenue targets. Did we avoid losses? Did we catch problems early? Did we maintain our risk appetite?
Asking different questions. Not just "what did we close?" but "what did we stop?" Not just "how much did we make?" but "what risks did we take to make it?"
The Mirror Test
Ask yourself:
- Does leadership celebrate risk avoidance, or just risk-taking?
- When 2LOD raises a flag, does it get heard — or buried?
- Would a junior employee feel safe escalating a concern about a senior leader's deal?
- When was the last time someone was rewarded for saying NO?
The answers tell you what your culture actually is. Not what your policies say it should be.
Practical Tool: The Leadership Alignment Audit
Review the last five deals that 2LOD flagged as high-risk.
- How many proceeded anyway?
- Who made the call to proceed?
- What happened to the people who raised concerns?
- What happened to the people who overrode them?
If the pattern is "concerns raised, concerns ignored, deal proceeds, flagger sidelined" - you don't have a 2LOD problem. You have a leadership problem.
Section 5: What It Looks Like When Leadership Actually Models Risk Culture
So far, we've diagnosed the problem. Now let's talk about what good looks like.
We've seen organisations where leadership gets this right. They're rare. But they exist. And the difference is visible, not in their policies, but in their behaviour.
The Signals That Travel Down
Culture isn't set by what leadership says. It's set by what leadership does and what the organisation sees them do.
The deal that got walked away from. Everyone knew about it. The CEO explained why in the town hall. It became a reference point: "Remember when we said no to X because of the risk profile?" That story gets retold. It shapes decisions three levels down.
The promotion that surprised people. The person who flagged the issue, the one everyone thought was "difficult", got promoted. Not despite raising concerns, but because of it. The message was clear: this is what we value.
The bonus criteria that actually changed. Risk outcomes appeared in the scorecard. Not as a footnote. As a real factor. People noticed. Behaviour shifted.
The escalation that got thanked. A junior employee raised a concern about a senior leader's deal. Instead of getting buried, it got heard. The senior leader thanked them publicly. The deal got restructured. The junior employee's career didn't suffer - it accelerated.
These aren't policies. They're moments. And moments like these, visible, repeated, reinforced, are what actually build culture.
The Five Leadership Behaviours That Matter Most
Based on what we've seen work, here are the five behaviours that separate organisations with real risk culture from those with just risk frameworks:
1. Visible sacrifice. Leadership walks away from revenue — and makes sure the organisation knows why. Not as a PR exercise, but as a teaching moment. "We could have made money here. We chose not to. Here's why."
2. Rewarding the right friction. The people who slow things down for good reasons get recognised. Not just tolerated — celebrated. The message: friction in service of integrity is valuable.
3. Asking "what did we stop?" In leadership meetings, in board reports, in performance reviews — the question gets asked. Not just "what did we achieve?" but "what did we prevent?" Risk avoidance becomes visible, not invisible.
4. Protecting the escalators. When someone raises a concern, they're protected. Publicly. Explicitly. The organisation sees that speaking up is safe — and that leadership has their back.
5. Owning the failures. When something goes wrong, leadership doesn't blame 2LOD for not catching it. They ask: "What did we miss? What signals did we ignore? What incentives did we set that led here?" Accountability flows up, not down.
The People Element
The P in PULSE® is People.
Culture lives in people. Not in documents. Not in frameworks. In the daily decisions of hundreds of individuals across the organisation.
When leadership models the right behaviour, it gives people permission to do the same. The compliance officer who flags the risk doesn't get labelled "not commercial" — they get backed. The relationship manager who pushes back on a client doesn't get overruled — they get supported.
People watch leadership. They learn what's really valued. And they adjust their behaviour accordingly.
If leadership models integrity, people follow.
If leadership models revenue-at-all-costs, people follow that too.
Section 6: Three Questions to Ask Monday Morning
You don't need a transformation programme to start examining this. Start with three questions:
1. "When was the last time our leadership said NO to a profitable deal because of risk concerns?"
If you can name it: How was it communicated? Did the organisation learn from it? Did it become a reference point for future decisions?
If you can't name it: That's your answer.
2. "Are our incentives aligned with the behaviour we say we want?"
Look at the last three promotions in revenue-generating roles. Were risk outcomes part of the conversation? Was "how they got there" discussed, or just "what they achieved"?
Look at the bonus criteria. Is there anything about risks avoided? Concerns raised? Deals stopped for the right reasons?
3. "If someone in 2LOD raised a flag about a senior leader's deal today, what would happen?"
Would it be heard? Really heard, not just "noted"?
Would they be protected? Or would they be labelled "not commercial"?
Would anything change? Or would the deal proceed anyway?
If your honest answer is "I'm not sure", that uncertainty is the problem.
The Mirror
2LOD can build the frameworks. Write the policies. Raise the flags.
But when it's profits vs. compliance, they're not making the call.
The business leader is. The CEO is. The board is.
2LOD holds up the mirror every day. They show leadership what the organisation looks like. Where the risks are. What's working. What's broken.
The question is: what does leadership see when they look?
And what do they do about it?
Regulations can mandate culture. Only leadership can model it.
The good news: we've seen it done well. Leadership that walks away from bad deals. That rewards the right people. That asks "what did we stop?" That protects the people who speak up.
It's not easy. It's not common. But it's possible.
And it starts with looking in the mirror.
Ready to Look in the Mirror?
If you're not sure what your leadership sees, or whether they're looking, we should talk.