
Risk Management in Balance – The Key to Sustainable Success

Date: May 19, 2025

Rules-Based and Values-Driven: How Balancing Hard and Soft Controls Leads to Sustainable Success

In today’s dynamic business environment, risk management is often seen as a critical factor in achieving long-term success. Yet many organisations still treat compliance and risk management as a mandatory obligation – something to be implemented purely to meet external requirements, focusing primarily on avoiding anything that could go wrong.

This often results in a rules-heavy approach, with strict procedures and controls in place, while attention remains on performance, growth, and revenue. Of course, implementing, maintaining, and evaluating a risk control framework is vital – not only to manage risk, but also to demonstrate to stakeholders, including regulators, that appropriate measures are in place.

But is an abundance of procedures and control measures truly the most effective way to manage risk and guarantee sustainable success? What if risk management isn’t just about limitation – but about finding balance? What if managing risk isn’t about eliminating all uncertainty, but about striking the right balance that creates room for innovation and growth?

We believe the key lies in balance. Control and trust must go hand in hand. Excessive control leads to bureaucracy, while too much trust without controls or evidence can be equally ineffective (“taking someone’s word for it”). It’s about striking a balance between hard and soft control measures – as outlined in this article and Projective Group’s Compliance Risk Management Cycle.

It’s not just about processes, controls, and audits – it’s also about leadership setting the tone at the top, championing a strong risk culture, encouraging collaboration, and fostering intrinsic motivation to do the right thing – both legally and ethically. Organisations that find this balance build a healthy risk culture, enhance their reputation, and achieve sustainable growth.

Let’s move beyond compliance for the sake of compliance – and focus on creating value.

The Organisational Iceberg: The Complexity Behind Risk Management

The organisational iceberg is a powerful metaphor used to illustrate the complexity of organisational structures and dynamics. It divides organisations into two layers: the visible and the invisible. The visible part – the ‘above the waterline’ elements – includes formal, observable aspects like structures, policies, and official processes that support a control framework.

However, most of the iceberg lies beneath the surface – representing informal, harder-to-grasp factors like interpersonal relationships, unwritten rules, and the prevailing organisational culture. This metaphor highlights the importance of both visible and invisible aspects of human behaviour when understanding and managing risk in organisations.

The model has evolved over time, drawing from fields such as psychology, sociology, and organisational science. Its roots lie in Sigmund Freud’s psychodynamic theories (Freud, 1915), where the human mind is likened to an iceberg, mostly hidden beneath the surface. Later, the metaphor was adapted to organisations, emphasising visible and hidden aspects of structure and process.

Edgar Schein’s work on organisational culture further developed this model. In Organizational Culture and Leadership (Schein, 2010), he describes how underlying values and assumptions shape behaviour within organisations – often invisibly. These ideas form the foundation of the iceberg model as we use it today.

Managing Operational Risk: Hard & Soft Controls

The iceberg model helps us understand the complexity of organisational structures and the risks tied to managing them. Risk is inherently linked to entrepreneurship and success. Managing risk doesn’t mean avoiding it completely – but managing it effectively.

A proper risk assessment considers both the formal and informal sides of the organisation and how they influence control measures. Formal structures are often supported by ‘hard controls,’ while informal aspects are harder to prove – but can be influenced through ‘soft controls’ that shape risk culture.

What are hard and soft controls?

So what exactly are hard and soft controls? ‘Hard controls’ refer to formal, tangible measures designed to implement regulations, enforce desired behavior, and prevent undesired behavior. These measures are often documented and focus on structural aspects of the organization, such as procedures, protocols, job descriptions, and administrative systems. The goal is to safeguard the efficiency and effectiveness of business processes through clear guidelines and rules.

Soft controls, or cultural and behavioral influencing factors, play a crucial role in effectively managing risks within organizations—provided they are applied correctly. This is emphasized by professor Muel Kaptein, who in his research shows that a strong moral corporate culture contributes to sustainable success and ethical behavior within organizations (Kaptein, M., 2018, Business Ethics: Managing Corporate Integrity and Responsibility).

Soft controls are also called people-oriented control measures and refer to the human factor within an organization. These include employees’ knowledge, motivation, loyalty, integrity, inspiration, and personal values and norms. Soft controls focus on creating a motivating and stimulating environment, based on the assumption that personal goals will then align with organizational goals, leading employees to act in the organization’s best interest.

The risk culture within an organization is a major cause of incidents, misconduct, undesirable behavior, and strategic missteps. Even the best policies, procedures, and rules ultimately depend on the ‘human’ factor within a company or organization. Elements from the lower layers of the iceberg can have a profound impact on the day-to-day functioning of an organization’s risk culture. Think of informal networks and relationships, beliefs, power dynamics, unwritten rules, hidden agendas, and informal communication channels.

Better soft controls and/or increased attention to soft controls reduce the need for unnecessary bureaucracy in the hard controls. In addition, by focusing more on soft controls, there is greater understanding and intrinsic motivation for the necessity and importance of regulation and a sound risk culture. The key lies in balance: an equilibrium between hard and soft controls. Not only processes, controls, and audits, but also leadership, collaboration, and intrinsic motivation. A company that finds this balance creates a healthy risk culture, improves its reputation, and achieves sustainable growth.

Examples of instrumental control measures / hard controls:

  • Objectives: specific, measurable goals the organization aims to achieve within a given timeframe
  • Laws and regulations: the external legal and regulatory requirements the organization must comply with
  • Compliance policies and procedures: the official rules, guidelines, and standard operating procedures that define how tasks are to be performed
  • Product development / NPAP: the (new) product approval processes in which risks are assessed prior to launching products
  • Formal communication channels: the established methods by which information is shared within and outside the organization, such as meetings, memos, and reports
  • Governance structure: the systems and processes used to manage and control the organization
  • Reporting: the processes and guidelines for (compliance and risk) reporting
  • Performance evaluation systems: the methods and criteria used to evaluate and reward employee performance
  • Core values: the formally communicated values and standards of conduct expected from employees
  • Technological infrastructure: the technological systems and tools used in the organization’s operations, such as IT systems, software, and communication platforms
  • Training and development programs: the programs and initiatives for the professional development and training of employees
  • Safety protocols: the procedures and measures designed to ensure workplace safety and to respond to emergencies

Professor Muel Kaptein developed a model in which he identified eight soft controls that influence behavior within organizations. These soft controls are: clarity, role modeling, commitment, feasibility, transparency, discussability, accountability, and enforcement. As early as 2003, he emphasized the importance of these control measures in his article “Controlling the Soft Controls” (Tijdschrift voor Organisatie en Control), a view he continues to promote in all his publications, including “Soft Controls: What Are They and What Can I Do with Them?” published by Erasmus University Rotterdam.

This article provides further depth and examples of soft controls in practice:

  • Organizational culture and communication: clear expectations regarding shared values, norms, and appropriate behavior within the organization.
  • Safety to address each other: a feedback culture, but also the feeling of being heard.
  • Making concerns and ideas discussable: open communication in which everyone is allowed to speak up, dilemmas are openly discussed, and interests are carefully weighed. The possibility to escalate and see that follow-up is provided.
  • Engagement: giving trust to employees; involving them in business operations to create and express shared interests. Empowering employees with trust and responsibility to contribute to organizational goals.
  • Tone at the top: managers’ role modeling in which the desired risk culture is genuinely and intrinsically demonstrated.
  • Psychological safety: the feeling that you can be yourself within your team without fear of negative consequences. It is essential for effective collaboration, innovation, and learning.
  • Learning culture within the organization: creating, preserving, and transferring knowledge within the organization. A learning organization enables its employees to adapt services to a constantly changing environment by encouraging training, development, and initiative.
  • Intrinsic motivation to act with integrity: employees have knowledge of and insight into integrity and compliance risk management—and understand how this benefits the organization.
  • Safety within a group/team: collaborating, seeing the bigger picture, and fostering mutual trust.
  • Enforcement: recognizing/rewarding appropriate behavior and sanctioning undesired behavior.
  • Monitoring of risk culture: assessing various elements such as leadership, team dynamics and collaboration, decision-making, risk awareness, communication, or other factors like those mentioned above.

One of the most powerful ways to bring risk management into balance is by embedding it into the culture of the organization. When risk management is not seen solely as a responsibility of management, but as a shared responsibility of the entire team, a proactive approach to risks emerges. Employees feel involved in the process and are better able to identify and manage risks. This not only creates a safer working environment but also strengthens innovation and collaboration within the organisation.

The Importance of Managing Risk Culture According to Various Stakeholders – Including Specific References from Financial Sector Regulators (DNB, AFM, ECB)

Regulation alone is not enough. A healthy risk culture – in which integrity is lived, not merely enforced – is essential for maintaining trust, reputation, and sustainable growth. We are witnessing a shift, and not only in the financial sector: from incidents arising from regulatory breaches to integrity issues that are deeply rooted in behavior, role models, leadership, team dynamics, and group pressure.

Integrity goes beyond building a strong control framework; it requires ethical conduct and attention to the human and informal aspects of the organization. Your organization’s stakeholders also have high expectations when it comes to managing risks, culture, sustainability, and reputation.

  • Clients & Society: “Reputation damage, scandals, and ignoring societal expectations influence my decision to become or remain a client.”
  • Supervisors (and regulation itself) emphasize the importance of a sound risk culture: “Behavior and culture are the root causes of failing organizations. That is why this is an integral part of our supervision, alongside compliance with laws and guidelines.”
  • Employees experience the power of a strong culture: “A working environment driven by a clear mission and clear expectations motivates and inspires me to feel more engaged with my work and colleagues. This leads to greater engagement and productivity.”
  • Organizations aim to be future-proof and resilient: “We strive to be a robust, future-proof, and agile organization that demonstrably has a grip on integrity risks.”
  • Forward-thinking banks address behavior and culture structurally: Major banks such as ABN AMRO, ING, and RBS have set up specialized teams focusing on behavioral risks within their organizations.
  • A broader view on integrity risks: The compliance function (also supported by the professional association VCO) is increasingly expected to focus not only on regulation and hard controls, but also on the human factor: the behavior behind the risks.

What Projective Group Can Do for Your Organisation

Our consultants are happy to support you in meeting compliance requirements, so that your risks remain manageable and your reputation is protected. However, implementing regulation alone is not enough. A healthy risk culture – in which integrity is experienced – is essential for maintaining trust, reputation, and sustainable growth. Rule-based and value-driven: we believe that a balance between hard and soft controls leads to sustainable success.

That’s why we offer a range of services to help you strengthen and grow your risk culture. We always recommend starting with a shared understanding of the desired culture and assessing where your organization currently stands. With the right culture in place, the number and intensity of hard controls and their monitoring can be reduced.

Here are some of the ways we can support you:

  • Assessment of desired risk culture vs current situation (“baseline assessment”)
  • Designing the risk culture monitoring process for your organization, or
  • Performing risk culture monitoring for you on a regular basis
  • Evaluating the balance between hard & soft controls
  • Organizing the management of integrity, behavior and culture within the organization (e.g. role of the Compliance Officer / team – Integrity Plan for behavior and culture)
  • Promoting integrity in decision-making (e.g. dilemma dialogue, product approval process, meeting culture) through training and facilitation of workshops
  • A variety of training programs
  • Tailor-made projects customized to your specific situation