Where does a company new to culture change start? What should they be looking to measure and understand?

Culture is a living entity that is always there, whether you try to shape it or not. Here are five things to get you started on your culture change journey.

  1. Clarify the need for change. You’re probably thinking about culture change because there are problems at your organisation. But ask yourself: Setting culture aside for a moment, what needs to change to solve those problems? What do people need to learn and unlearn? Culture change is a long and difficult journey. It’s not something you start for its own sake. It should serve a purpose.
  2. Get leaders to commit: Leaders are crucial in setting the direction and modelling the right behaviours. They need to be convinced that the problems exist, that changes are needed, and that they need to be active participants in the change. In practice, this means getting leaders to articulate the problems themselves, commit to going through an uncomfortable unlearning process, and model new behaviours.
  3. Understand your culture. Once you know what needs to change at your organisation, let’s consider culture: What is your organisation’s culture right now? Talk to people across your organisation. Use a quick survey to get a picture of what’s going on. Organise group discussions and ask people what they think the culture is like. Don’t stop at collecting information about what people do. Dig deeper: Why do they do what they do? Do the “values” of the organisation match or conflict with what people are doing?
  4. Decide on culture change: Sometimes the existing culture (once you understand it) actually helps you solve the problems, and you don’t really need a culture change! Other times, you’ll start seeing how elements of the existing culture is a blocker to making the necessary changes. Have discussions with people in the organisation – including leaders, of course – on what specific aspects of culture needs to change, if at all.
  5. Support the change: Culture change often requires people to learn new ways of thinking and working. If there are clear set of behaviours for people to adopt, leaders should model them. If it requires trial and error on the part of each person, people will need to be given the incentives and structures to figure out what works for them. Learning new things are often difficult – everyone needs to be given the space to make mistakes, trouble-shoot, receive feedback, and be rewarded when they’re going in the right direction. Share quick wins with everyone. People are much more likely to get on board when they see the benefits of the new ways of doing things.

Culture grows strongest when people feel like they’re part of the journey, not just watching it happen. Sharing progress openly, and celebrating wins, will help make sure everyone feels involved. Ultimately, building a positive culture is an iterative process that begins with self-awareness – understanding what your culture is, why it exists, and how the organisation’s systems can be tuned to produce the results you want.

Do you worry that culture is a term that is used without understanding its impacts on the organisation and its employees?

There is a genuine concern that the word ‘culture’ is often used without a clear understanding of its real impacts on the business and on staff. Culture is, by nature, intangible, and this creates problems when the term is overly relied upon. It has become a catch-all explanation for everything that goes wrong, from low engagement to ethical lapses. People talk about ‘culture issues’ as if culture itself is to blame.

The components of culture – values, beliefs, assumptions and norms – matter, but they don’t stand alone. They are shaped by the systems, structures, and leadership behaviours around them. Saying that there’s a problem with the ‘culture’ can shut down inquiry into the real causes of the problems that the organisation is facing, like the leadership decisions and structural conditions that produced those behaviours (Hopkins, 2018). Over-focusing on culture risks wasting time and energy when the real problems sit elsewhere.

Some leaders might talk about culture without embracing their responsibility – to build and maintain the systems and structures that give rise to the culture, and to model the behaviours that align with the desired culture themselves. Moreover, they might treat culture change as just another communication exercise. But culture does not shift because a new slogan or narrative is introduced. It changes when systems change, when norms are demonstrated consistently through actions, and when leaders don’t just drive the change but live it themselves.

The danger of misunderstanding culture becomes evident when you look at the gap between actual and purported culture. Recent research from Nottingham Trent University (2024) surveyed 1,170 UK managers and employees. Only 18% felt their organisation’s stated values matched its real culture, and a quarter reported that leaders’ behaviours directly contradicted those values. It’s no surprise that this mismatch leads to loss of trust, disengagement, and lower performance. In fact, erosion of trust is strongly linked to burnout and higher turnover among employees. This reinforces the idea that misusing the term ‘culture’ obscures the real drivers of employee experience, and blaming culture without questioning what that means can compound issues rather than solve them.

In short, culture should be seen as a mirror reflecting what an organisation’s people, systems, incentives, and everyday actions produce. If we focus only on trying to change the reflection, we miss the mechanisms behind it. To truly understand culture’s impact, and to avoid misusing the term, leaders need to concentrate less on talking about culture and more on designing the conditions that allow the right one to emerge.

Nick (the director at Culturlabs) was recently chatting with a Chief Information Security Officer at a mid-sized organisation. There, cyber security awareness meant running monthly phishing simulations.

They logged which employees ‘failed’ their phishing simulations and every first Friday of the month, the security team sent out the list of employees who had ‘clicked’ most often. This organisation is not alone in taking this kind of approach. A common response to cyber risks is to identify ‘high risk’ staff and to provide more tailored, relevant training.

But during the conversation, it became clear that the names on the monthly lists were typically not the same employees. What does that tell us? Whereas some employees may be consistently vulnerable, only focusing on changing their behaviours misses the broader picture. Even well-intentioned, informed staff can make mistakes if the system sets them up to fail. If the list of names changes month after month, it prompts us to look beyond individual blame and consider what aspects of the system make these behaviours more likely.

So, let’s talk about system change a bit.

First of all, what is a system? A system is a set of interconnected elements that are organised in a way that achieves something (Meadows, 2009). An organisation in any industry or sector is by definition a system, because it has elements (e.g., people and information) that are interconnected (e.g., people access and exchange information with each other), and it has a purpose (e.g., sell or provide a product or service). System change is – put simply – the process of changing the system (Hacking, n.d.).

With a systems lens, it becomes obvious that there is more to human risk management than changing a person’s behaviour through training. For starters, people care about what others think. A large-scale survey of over 1,000 employees across Germany, the UK and the US found that employees report suspicious emails more often the more they feel that their peers and managers discuss, prioritise, and pay attention to information security (Petrič & Just, 2025). Many similar studies show that employees’ perceptions of their managers and how security is communicated are key drivers of employee compliance and cyber risk awareness (Flores & Ekstedt, 2016; McKnight & Warkentin 2020). In short, a person’s behaviour doesn’t occur in a vacuum; what’s happening in their social environment influences the person, and vice versa. Together, they form a system that’s more than the sum of its parts.

This doesn’t mean we should throw behaviour-focused approach in the bin! In a manifesto for using behavioural science to address important problems of today, Dr Michael Hallsworth – Chief Behavioural Scientist at Behavioural Insights Team – says that targeted behaviour change can be made a lot more effective by embracing the complexity of systems (Hallsworth, 2023). Complex systems can produce wide-ranging outcomes from smaller, lower-level processes. For example, an organisation’s culture is not just defined and created by leaders but emerges from the day-to-day interactions among its employees. And within these social networks are a handful of people who are influential (think of that colleague whom everyone likes and respects). Behavioural science can help identify and target such leverage points and design interventions – perhaps these ‘influencers’ could champion security within their own network (Alexander et al., 2022; Jaatun & Cruzes, 2021).

So, stop getting too bogged down on the list of employees who ‘failed’ phishing simulations. Step back and start asking how the system reinforces their behaviours. What can you do to shape the system so that cyber security comes easily to everyone? This is a tough question for anyone to answer – and that’s why we want to help you tackle it.