Risk: The Culture Blind Spot

Yet, stability is not resilience. And what financial modeling missed would soon become the most powerful force shaping the deal’s future: the collision between two fundamentally incompatible operating models.

Over more than 100 years, Fireside had developed a reputation for financial safety and relationship banking. Its brand was built on personal interactions, conservative lending, and deep community ties.

Meanwhile, the $1 billion founder-led Finumbra Fintech was known for its anti-establishment mantra, “Banking is necessary. Banks are not.” Its culture prized speed, experimentation, and aggressive risk-taking.

Cultural cracks soon began to appear. Legacy managers resisted the aggressiveness of the fintech business model. To many, the shift felt like abandoning a century of values. Dissenters of the more aggressive, tech-driven future were quickly removed, creating a culture of silence.

Later, system incompatibilities stalled product launches, new talent left the company, customer churn climbed to 15%, integration costs overshot projections by $10 million, and deposits shrank. One year after a brief, post-merger stock rally, the bank’s share price sat 10 points below its pre-deal value.

What Went Wrong?

Culture is often defined in terms of leadership expectations, management practices, norms, beliefs, or group dynamics that guide behavior. It is culture that is the root cause of most behavioral risk — negative outcomes that arise from human actions or inactions, such as unhealthy and unnecessary organizational, interpersonal, or individual conflict.

Behavioral risks surface during mergers and acquisitions (M&As) but often remain hidden. For internal audit, this blind spot is both a challenge and an opportunity. Behavioral risk management is the identification of unseen, unspoken, and unrealized dynamics that negatively influence behavior. Internal audit can help predict and shape the organizational dynamics that determine whether transformations like M&As support or erode the very value leaders hope to create.

Behavioral Collisions

For Fireside, the market had changed. Fintech innovators had begun to bypass traditional banks with world-class technology and peer-to-peer transactions. Faced with growing pressure from its board, Fireside had turned to external advisors for a rapid solution: acquire new technological capacity rather than build it.

The merger took only six months to complete. Finumbra Fintech’s digital platform was integrated, and leadership rebranded the bank as modern and tech-forward.

Soon, the bank began closing branches and replaced face-to-face banking with mobile-first services. Performance incentives shifted from stability and compliance to sales and customer conversion. Internal audit noted that “timeliness” and “speed of integration” had become the board’s dominant performance indicators.

As the fintech model took precedence, Fireside’s historical strengths deteriorated. Customer trust weakened. Employees felt disoriented as roles changed abruptly, reporting lines collapsed, and workloads intensified.

Internal audit noted patterns that precede control erosion: information hoarding, workarounds, inconsistent customer treatment, and decision-making shortcuts. “Know your customer” checks were deferred, dual-signature requirements bypassed, and credit decisions ignored risk signals. Fireside’s legacy management complained that the bank was betraying community expectations.

Further, stress testing — a cornerstone of safe banking — was sidelined as “mundane” in the face of digital transformation. “If it interferes with progress,” one regional executive warned, “it will need to wait.”

Seeing Risk Others Miss

From its singular vantage point, internal audit can scrutinize how decisions are really made — who gets listened to, how conflicting priorities interact, where incentives distort oversight, and how frontline pressure shapes daily behavior. While leaders assess strategy, and human resources (HR) monitors morale, internal audit observes the connective tissue of the institution: the behaviors that hold the system together or quietly tear it apart.

In Fireside’s case, internal audit could see the signals that the merger was drifting into value-destructive territory: deviations from standard operating procedures, escalating exceptions, rising turnover, talent fleeing, growing tension between risk and business units, and widening gaps between policy and practice. These are not merely cultural signs — they are precursors to operational and financial breakdowns.

The emotional dynamics of change further magnify the risk. Organizational upheaval generates fear, uncertainty, and loss. These feelings influence how people follow rules, interpret policies, escalate concerns, and manage controls. Internal audit is one of the few functions able to detect behavioral cracks before they widen.

Mitigating Behavior Risk

Internal audit should not wait to be invited to the table during planning for mergers, acquisitions, or other major changes. It should insist on being included as a strategic advisor. Most transformative initiatives — technology rollouts, restructuring, third-party expansions, performance system redesigns — carry behavioral implications that directly influence control effectiveness. Ignoring these signals increases risk exposure.

Internal audit should monitor control bypass patterns, report on allegations of wrongdoing or counterproductive behavior, check measures of employee attitudes, and investigate the loss of key employees. Internal audit can implement rapid escalation protocols to alert leadership of risk directly, while boards should expect discussions of high-risk culture indicators. Additionally, internal audit, along with HR, should report on organizationwide turnover, especially where talent from the acquired firm appears mismanaged.

Further, internal audit can: 

• Run quick “pulse” audits during the integration.
• Audit skill competence gaps, especially when product value or quality might get compromised, such as during accelerated onboarding.
• Help shift culture integration success metrics away from speed and toward value by pointing out how rushed decisions and workarounds can incur significant costs in a postmerger rework.
• Create progress monitoring dashboards that include markers of behavioral change that enhance deal value, rather than only setting metrics to ensure control.
• Conduct deep-dive reviews of high-risk processes like expedited credit approvals. Misaligned incentives can pit compliance against sales, producing behavioral ramifications.

During times of change, using internal audit as a partner to the second line is a strategic advantage. Internal audit can validate second-line controls or protocols for information-sharing. Audit can also act as a facilitator, creating joint risk workshops where controls across business units are investigated and aligned. As conflicts become evident, internal audit can lead joint planning sessions that bridge compliance and risk management.

When to Speak Up

Not all signals require alarm, but several conditions demand heightened vigilance. For example:

• When leadership shifts the mission, especially toward revenue generation.
• When incentives change and behavior realigns to a new set of objectives.
• When ordinary, natural tensions between lending and risk create unhealthy divisions.
• When roles, reporting lines, or processes are redesigned, and when technology outpaces people’s capabilities.
• When control bypasses, risk minimization, or pressure threaten the integrity of decision-making.

In a world where behavioral risk drives strategic failure, internal audit’s greatest value lies in foresight. Internal audit must serve as the organization’s cultural and behavioral early warning system. Deal value, enterprise resilience, and organizational integrity depend on it.