By Bob Cummins, the Founder and CEO at Sodak

Part 1: Risk is Multiplied, Not Contained

When we talk about risk, we often talk about it as though it sits neatly within the individual. One worker, one action, one outcome. But that’s not how risk actually behaves. Risk multiplies. It radiates outward.

Think about a worker at home, tinkering in their garage, doing DIY without eye protection. If something goes wrong, who suffers? Mainly the individual. The ripple is small – they may lose a day’s work, their family might take on the burden of care, and perhaps their employer is short a worker for a short time. Still, the circle of consequence is tight.

Now, move that worker onto a site with a gang of ten. The same act – working without protection – carries a completely different set of consequences. If they’re injured, the gang stops work immediately. That’s lost time, a dent in productivity, and an emotional impact on colleagues who’ve just watched their mate get hurt. The supervisor is pulled away from leading the work to deal with paperwork, investigations, and the fallout.

At the level of a contracts manager, that one injury may delay a project. Deadlines slip, the client is frustrated, penalties could be triggered. And if that client happens to be a repeat customer, their trust in the company weakens.

Go up another level: the subsidiary director. They now have another incident on their books. Their record of performance against safety KPIs is dented, their ability to win new contracts is weakened. They might face difficult questions in monthly reviews or from the board.

And if the company is part of a wider group? A single serious incident doesn’t just stay with the subsidiary. It lands on the group’s annual report. It can attract regulator attention, unsettle investors, and, in the case of listed companies, knock share price. Clients don’t usually make a neat distinction between one part of a group and another. If one brand in the group falters, confidence in the group as a whole suffers.

So risk doesn’t stay in a box. It doesn’t stop neatly at the level where it happened. The bigger the organisation, the further the ripple runs.

But it’s not only big accidents that ripple outward. So does the tolerance of small ones. A worker wearing glasses pushed up onto their helmet instead of over their eyes, a guard left off a machine, a lanyard unclipped “just for a moment.” These don’t trigger headlines. They often don’t cause immediate harm. But tolerated month after month, they quietly build a culture that says “this is normal.”

For a small contractor of five people, the cost of such tolerance is contained: it may increase the odds of one person getting hurt, but the fallout is local. In a group of 10,000 employees, those same acts multiplied across hundreds of sites become systemic risk. When leaders shrug at “minor” breaches in monthly reviews, they signal that breaches don’t matter. And when a serious incident does happen, they’ve already created the conditions for it.

In other words: as organisations grow, the multiplier on risk grows with them. What once looked like a personal decision now looks like an organisational vulnerability. What once was tolerable in a five-person outfit becomes catastrophic in a multi-subsidiary group.

This is the first lesson: risk is multiplied, not contained – by scale, and by tolerance.


David Brown is an executive and non-executive director with a proven track record in leading large, multi-site and multi-discipline commercial and public sector organisations.

Culture, Change and the Boardroom

David Brown, the CEO of a large enterprise business, was sitting in his office wading through emails. His personal assistant was nearby, so David asked whether she had sent his note to the local managers.

She did, but made a few changes before she sent it. Her edits aligned with a decision the leadership team had recently made: everyone, regardless of their position, should be referred to as “colleagues.” The idea was to move away from a hierarchical culture. David agreed he had inadvertently reverted to the old ways and his original note didn’t support the new culture.

David tells this story when people ask him about building a positive culture. He spent decades in leadership roles across transportation, energy, and infrastructure, and he’s now the Chair of Renew Holdings and TripShift. He has the kind of CV that usually insulates a person from being corrected by anyone.

However, the interaction above is “one of the things I always want to aim for,” David explains. “I want people to voice their opinion. I want people to feel they’re involved. I want people to actually contribute in a positive way.” This is not because he’s proud of writing the perfect email – but because it’s important to him that people in his company feel safe enough to stop him from sending the wrong message – “where people aren’t just keeping quiet for fear of having their heads chopped off”.

Why should you care?

For David, building a strong culture is about creating an environment where people voice their opinions without fear, can contribute in a positive way, and thrive in their work. We spend approximately one third of our lives at work, and so, David says: “Why wouldn’t you want a better place to work?”

But beyond having a good workplace, David believes it’s good for business. First, a good culture is essential to decision making. Those at the senior level need to communicate with their people at all levels of the company to know what is going on. “You don’t want people hiding. You don’t want people not telling you the truth. ‘Truth to power’ is very important.” Senior leaders are only as good as the information they get – and in most organisations, bad news gets filtered, softened, or buried completely before it reaches the top. David explains that when people aren’t afraid to speak up, he can hear what really needs fixing before systems break and catastrophes happen.

Another benefit of culture is its connection to the purpose and meaning that motivate and unite employees. There is strength in numbers and in the feeling of camaraderie gained from working together. David remembers telling his teams: “we’re affecting the quality of people’s lives”, making sure to repeatedly reinforce that connection between what they do and why it matters. That’s what keeps people from jumping ship when things are hard; a shared vision means employees are more likely to stay with their organisation.

The final and perhaps most important point is that a strong culture is a differentiator for an organisation. When things inevitably go sideways – because they always do – clients notice the difference. They notice when everyone in the organisation, from top to bottom, is trying to do the right thing. They give you the benefit of the doubt.

A Continuous Process of Improvement

Culture isn’t just a quick fix or poster on the wall. It’s not just the Friday afternoon workshop where everyone shares their feelings and then goes back to their desks.

“It needs to be embedded in everything,” David says. “In the recruitment, the language, every policy, every communication, every way you deal with people, the way you reward your managers.”

For David, culture is built through storytelling. He’s learned to look for the small moments where culture lives or dies, and to take every opportunity to embed and solidify culture in the organisation. For example, when the company wins a big contract, he doesn’t just send a congratulations email. He explains how their values and their culture allowed them to grasp that success.

He does this constantly. “You can’t just do it for a couple of weeks and move on.”

The good news? Once you’ve built the kind of place where people speak up, the culture starts to reinforce itself. Acting in accordance with the culture becomes intuitive and innate. No one is perfect, and everyone should be comfortable looking out for moments when the culture isn’t being reflected accurately. An assistant having the confidence to suggest improvements to a senior’s email – that’s the culture being alive.

Culture is multidirectional

David is blunt about this: “If I went around saying I want openness and transparency but didn’t listen to people and didn’t care what they have to say – it’s just not authentic.” If there’s no trust and openness in the board, those values won’t trickle down throughout the organisation. “Any leader should be authentic.” But most leadership teams say they want honesty while operating as though they are in a performance where everyone is playing a role. This doesn’t work: “people can smell inauthenticity from a mile away.” The board must model the behaviours they want to see. They can’t be anonymous entities, detached from the business, showing up quarterly to nod at PowerPoints before disappearing again.

At the same time, culture can’t be imposed onto everyone else. It must also grow from the ground up. David’s approach is simple: listen to what people across the organisation say about their culture, then play those words back to them. “If you’re saying things that they believe themselves, then you don’t get pushback. They feel part of it.”

When he was leading a group of subsidiary companies, he let different cultures flourish in different places – so long as they all connected back to the core. Some variation isn’t just acceptable, it’s necessary. It means that the people at those companies ‘bought into [the culture] and felt that it was important to them’. David explains that what matters is that people feel it’s real. He remembers the subsidiaries with a particular fondness: “They had this ‘can-do’ attitude – and I believed it too. When there was a crisis, they were the people I wanted with me, because they’d roll up their sleeves and get stuff done.”

The Unfinished Work

David talks about his organisations the way people talk about something they helped build with their hands. There’s pride, yes, but also care. A strong culture is something you recommit to, every day, in small and big choices.

It’s the looking out for each other. It’s the constant reinforcement of the story and values. It’s about how they came together – to celebrate and to tackle a crisis. These aren’t just milestones – they’re ongoing maintenance of something unique and precious to the company. The constant, unglamorous work of making sure that “openness and transparency” aren’t just words in a company mission statement, but the lived experience of everyone who works there.

Vic Djondo is the SRO for Security Culture and Education at the BT Group

A security leader’s risky bet and what finally moved the C-suite

Vic Djondo had five hours to prove his point to his new CEO, who had been in post for a few weeks.

Vic, who leads cyber security culture across a major telecommunications company, had a 1 PM presentation scheduled with her. At 8 AM that same morning, his team sent a simulated phishing attack to her office.

“It could have been career limiting,” he laughs now. “But I did it anyway.”

The attack worked and the CEO’s team fell for it. And when Vic walked into that afternoon presentation with the evidence of how easily her inner circle had been compromised, the CEO’s first response wasn’t defensiveness or anger. It was immediate action: “I want my entire office educated on this stuff. And I want it permeated throughout the whole organisation.”

This is a story about what it actually takes to make senior leaders invest in security – enough to change how they work, what they prioritise, and how they hold themselves accountable.

The Problem

Vic has spent over a decade building security cultures across major organisations. “Getting leaders to care – making it relevant and resonate for leaders in the first instance and then getting them to really set the tone of security to the business – that is probably the hardest piece,” he says.

Everything else in the security culture playbook is easier once you’ve secured leadership buy-in. You can have the best awareness campaigns, the most sophisticated training, a network of champions spread across the business. But if the C-suite doesn’t commit their resources, none of it sticks.

Leaders understand that security matters. The issue, however, is that security is one of fifty things competing for their attention, and most of those other things have clearer, more immediate consequences. Until something goes catastrophically wrong, security lives in the realm of theoretical risk. And theoretical risks are easy to deprioritise when you’re dealing with quarterly earnings, customer complaints, and the person who just quit, taking half their team’s institutional knowledge with them.

Not only that, but most organisations, Vic believes, are still in their infancy when it comes to security culture. And it’s not because they don’t have the right policies or tools. It’s because culture takes time – a decade, sometimes longer. In big organisations, the C-suite can change every three to five years. “It can be very difficult to embed a culture that you want when you’re really talking about five to ten year shifts,” he says.

So how do you get leaders to invest in something that won’t fully mature during their tenure? How do you make the need for security culture real, impossible to ignore?

The League Table Strategy

Vic has a secret weapon, and he is “absolutely shameless” about using it (his words!).

“I’ll absolutely put that data front and centre,” he says. The data: phishing resilience metrics, training completion rates. All displayed in board meetings, with each C-suite member’s division ranked against their peers.

“Leaders never want to be second, and they never want to be last.”

This isn’t about shame, exactly. It’s about understanding what drives people at that level. Competitiveness is their superpower – it’s how they got to the C-suite in the first place – but it’s also a “way in” for Vic.

He says, “that embarrassment of being at the bottom of that league table is usually enough to get them moving even quicker than things like reputational or financial risk.”

Vic has seen this approach transform behaviour across functions. No leader wants to be the one dragging down the numbers while their peers excel.

But here is the more sophisticated part: when someone challenges the data – and they will – it opens up a conversation about why their numbers are worse. Sometimes a division performs poorly not because its staff don’t care, but because the security requirements don’t fit how that part of the business actually operates.

Vic gives the example of procurement teams who need to constantly open email attachments: invoices, purchase orders, contracts. If the security policy says “don’t open attachments,” procurement can’t do their jobs. “Then the way we’re trying to work securely doesn’t suit the procurement side of the business. So, we need to create a solution that does suit them.” The league tables start a conversation. Sometimes it’s about attitude and leadership. Sometimes it’s about security needing to adapt. Either way, systemic issues surface, and real change starts taking place.

In part two, we will explore with Vic what that change actually looks like when it takes hold – and the unglamorous, persistent work required to make it stick.

Where does a company new to culture change start? What should they be looking to measure and understand?

Culture is a living entity that is always there, whether you try to shape it or not. Here are five things to get you started on your culture change journey.

  1. Clarify the need for change: You’re probably thinking about culture change because there are problems at your organisation. But ask yourself: setting culture aside for a moment, what needs to change to solve those problems? What do people need to learn and unlearn? Culture change is a long and difficult journey. It’s not something you start for its own sake. It should serve a purpose.
  2. Get leaders to commit: Leaders are crucial in setting the direction and modelling the right behaviours. They need to be convinced that the problems exist, that changes are needed, and that they need to be active participants in the change. In practice, this means getting leaders to articulate the problems themselves, commit to going through an uncomfortable unlearning process, and model new behaviours.
  3. Understand your culture: Once you know what needs to change at your organisation, consider culture: what is your organisation’s culture right now? Talk to people across your organisation. Use a quick survey to get a picture of what’s going on. Organise group discussions and ask people what they think the culture is like. Don’t stop at collecting information about what people do. Dig deeper: why do they do what they do? Do the “values” of the organisation match or conflict with what people are doing?
  4. Decide on culture change: Sometimes the existing culture (once you understand it) actually helps you solve the problems, and you don’t really need a culture change! Other times, you’ll start seeing how elements of the existing culture are a blocker to making the necessary changes. Have discussions with people in the organisation – including leaders, of course – on what specific aspects of culture need to change, if at all.
  5. Support the change: Culture change often requires people to learn new ways of thinking and working. If there is a clear set of behaviours for people to adopt, leaders should model them. If it requires trial and error on the part of each person, people will need to be given the incentives and structures to figure out what works for them. Learning new things is often difficult – everyone needs to be given the space to make mistakes, troubleshoot, receive feedback, and be rewarded when they’re going in the right direction. Share quick wins with everyone. People are much more likely to get on board when they see the benefits of the new ways of doing things.

Culture grows strongest when people feel like they’re part of the journey, not just watching it happen. Sharing progress openly, and celebrating wins, will help make sure everyone feels involved. Ultimately, building a positive culture is an iterative process that begins with self-awareness – understanding what your culture is, why it exists, and how the organisation’s systems can be tuned to produce the results you want.

Do you worry that culture is a term that is used without understanding its impacts on the organisation and its employees?

There is a genuine concern that the word ‘culture’ is often used without a clear understanding of its real impacts on the business and on staff. Culture is, by nature, intangible, and this creates problems when the term is overly relied upon. It has become a catch-all explanation for everything that goes wrong, from low engagement to ethical lapses. People talk about ‘culture issues’ as if culture itself is to blame.

The components of culture – values, beliefs, assumptions and norms – matter, but they don’t stand alone. They are shaped by the systems, structures, and leadership behaviours around them. Saying that there’s a problem with the ‘culture’ can shut down inquiry into the real causes of the problems that the organisation is facing, like the leadership decisions and structural conditions that produced those behaviours (Hopkins, 2018). Over-focusing on culture risks wasting time and energy when the real problems sit elsewhere.

Some leaders might talk about culture without embracing their responsibility – to build and maintain the systems and structures that give rise to the culture, and to model the behaviours that align with the desired culture themselves. Moreover, they might treat culture change as just another communication exercise. But culture does not shift because a new slogan or narrative is introduced. It changes when systems change, when norms are demonstrated consistently through actions, and when leaders don’t just drive the change but live it themselves.

The danger of misunderstanding culture becomes evident when you look at the gap between actual and purported culture. Recent research from Nottingham Trent University (2024) surveyed 1,170 UK managers and employees. Only 18% felt their organisation’s stated values matched its real culture, and a quarter reported that leaders’ behaviours directly contradicted those values. It’s no surprise that this mismatch leads to loss of trust, disengagement, and lower performance. In fact, erosion of trust is strongly linked to burnout and higher turnover among employees. This reinforces the idea that misusing the term ‘culture’ obscures the real drivers of employee experience, and blaming culture without questioning what that means can compound issues rather than solve them.

In short, culture should be seen as a mirror reflecting what an organisation’s people, systems, incentives, and everyday actions produce. If we focus only on trying to change the reflection, we miss the mechanisms behind it. To truly understand culture’s impact, and to avoid misusing the term, leaders need to concentrate less on talking about culture and more on designing the conditions that allow the right one to emerge.

Nick (the director at Culturlabs) was recently chatting with a Chief Information Security Officer at a mid-sized organisation. There, cyber security awareness meant running monthly phishing simulations.

They logged which employees ‘failed’ their phishing simulations and every first Friday of the month, the security team sent out the list of employees who had ‘clicked’ most often. This organisation is not alone in taking this kind of approach. A common response to cyber risks is to identify ‘high risk’ staff and to provide more tailored, relevant training.

But during the conversation, it became clear that the names on the monthly lists were typically not the same employees. What does that tell us? Whereas some employees may be consistently vulnerable, only focusing on changing their behaviours misses the broader picture. Even well-intentioned, informed staff can make mistakes if the system sets them up to fail. If the list of names changes month after month, it prompts us to look beyond individual blame and consider what aspects of the system make these behaviours more likely.
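As an added example (not code from any of the authors or organisations quoted here), the following Python turns constructed phishing-simulation results into the two views discussed above: the per-division league table Vic puts in front of the board, and the month-to-month overlap of the ‘clicked’ list that Nick’s CISO was circulating. All names, divisions and results are made up.

```python
from collections import defaultdict

# Constructed sample data (not from the article): one row per simulated phish,
# as (month, employee, division, clicked, reported). Two monthly rounds.
SIM_RESULTS = [
    ("M1", "alice", "procurement", True,  False),
    ("M1", "bob",   "procurement", True,  False),
    ("M1", "carol", "procurement", False, True),
    ("M1", "dave",  "engineering", False, True),
    ("M1", "erin",  "engineering", False, True),
    ("M1", "frank", "engineering", True,  False),
    ("M1", "grace", "finance",     False, False),
    ("M1", "heidi", "finance",     False, True),
    ("M2", "alice", "procurement", False, True),
    ("M2", "bob",   "procurement", True,  False),
    ("M2", "carol", "procurement", True,  False),
    ("M2", "dave",  "engineering", False, True),
    ("M2", "erin",  "engineering", False, True),
    ("M2", "frank", "engineering", False, True),
    ("M2", "grace", "finance",     True,  False),
    ("M2", "heidi", "finance",     False, True),
]


def click_rates_by_division(results, month):
    """Return {division: (click_rate, report_rate)} for one month's round."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for m, _emp, division, did_click, did_report in results:
        if m != month:
            continue
        sent[division] += 1
        clicked[division] += int(did_click)
        reported[division] += int(did_report)
    return {d: (clicked[d] / sent[d], reported[d] / sent[d]) for d in sent}


def league_table(results, month):
    """Divisions ranked best to worst: lowest click rate first, ties broken by
    the higher report rate. This is the 'nobody wants to be last' view."""
    rates = click_rates_by_division(results, month)
    return sorted(rates, key=lambda d: (rates[d][0], -rates[d][1]))


def clickers(results, month):
    """The month's 'clicked' list: everyone who fell for that round."""
    return {emp for m, emp, _d, did_click, _r in results if m == month and did_click}


def clicker_overlap(results, month_a, month_b):
    """Jaccard overlap of two months' clicked lists. Close to 0 means the names
    change each month, which points at the system rather than at individuals."""
    a, b = clickers(results, month_a), clickers(results, month_b)
    return len(a & b) / len(a | b) if (a | b) else 0.0


def consistent_clickers(results, months):
    """Employees who clicked in every listed month: the genuinely repeat cases
    that targeted support might help, as opposed to the changing majority."""
    sets = [clickers(results, m) for m in months]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for month in ("M1", "M2"):
        rates = click_rates_by_division(SIM_RESULTS, month)
        print(month, [(d, round(rates[d][0], 2)) for d in league_table(SIM_RESULTS, month)])
    print("overlap M1/M2:", clicker_overlap(SIM_RESULTS, "M1", "M2"))
    print("consistent:", consistent_clickers(SIM_RESULTS, ["M1", "M2"]))
```

On this sample the same division sits at the bottom of the table in both months while only one name repeats on the clicked list, which is the pattern that should prompt a look at that division’s workflow rather than at the individuals.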

So, let’s talk about system change a bit.

First of all, what is a system? A system is a set of interconnected elements that are organised in a way that achieves something (Meadows, 2009). An organisation in any industry or sector is by definition a system, because it has elements (e.g., people and information) that are interconnected (e.g., people access and exchange information with each other), and it has a purpose (e.g., sell or provide a product or service). System change is – put simply – the process of changing the system (Hacking, n.d.).

With a systems lens, it becomes obvious that there is more to human risk management than changing a person’s behaviour through training. For starters, people care about what others think. A large-scale survey of over 1,000 employees across Germany, the UK and the US found that employees report suspicious emails more often the more they feel that their peers and managers discuss, prioritise, and pay attention to information security (Petrič & Just, 2025). Many similar studies show that employees’ perceptions of their managers and how security is communicated are key drivers of employee compliance and cyber risk awareness (Flores & Ekstedt, 2016; McKnight & Warkentin 2020). In short, a person’s behaviour doesn’t occur in a vacuum; what’s happening in their social environment influences the person, and vice versa. Together, they form a system that’s more than the sum of its parts.

This doesn’t mean we should throw the behaviour-focused approach in the bin! In a manifesto for using behavioural science to address important problems of today, Dr Michael Hallsworth – Chief Behavioural Scientist at the Behavioural Insights Team – says that targeted behaviour change can be made a lot more effective by embracing the complexity of systems (Hallsworth, 2023). Complex systems can produce wide-ranging outcomes from smaller, lower-level processes. For example, an organisation’s culture is not just defined and created by leaders but emerges from the day-to-day interactions among its employees. And within these social networks are a handful of people who are influential (think of that colleague whom everyone likes and respects). Behavioural science can help identify and target such leverage points and design interventions – perhaps these ‘influencers’ could champion security within their own network (Alexander et al., 2022; Jaatun & Cruzes, 2021).

So, stop getting too bogged down in the list of employees who ‘failed’ phishing simulations. Step back and start asking how the system reinforces their behaviours. What can you do to shape the system so that cyber security comes easily to everyone? This is a tough question for anyone to answer – and that’s why we want to help you tackle it.