What are Soft Controls?
When organizations think about controls, they usually think about the tangible ones.
Policies. Procedures. Approval processes. Dashboards.
And those things matter.
But many risk events don’t happen because a policy was missing or a process wasn’t documented. They happen because behaviour didn’t align with intent.
That gap is where soft controls live.
Soft controls shape what actually happens
Soft controls are the informal forces that shape how people behave at work. They influence how decisions are made, how trade-offs are navigated, and how accountability is experienced, especially under pressure.
They are not written down in policy manuals.
They are rarely owned by a single function.
But they show up every day.
Soft controls show up in leadership tone and role modeling. In whether people feel safe to speak up. In what gets rewarded, tolerated, or ignored. In how escalation really works when timelines are tight and stakes are high.
In other words, soft controls shape how work actually gets done.
Why traditional assessments fall short
Most organizations rely on a familiar set of tools to understand risk and culture.
Policies tell us what should happen.
Dashboards show what has already happened.
Surveys capture attitudes and perceptions, often shaped by bias.
Each of these tools has value. However, none of them, on its own, tells the full story.
That’s because soft controls don’t sit neatly in any single data source. They emerge across them.
How soft controls become visible
Assessing soft controls doesn’t require perfect visibility into every decision or behaviour. In reality, that is rarely possible.
What is possible is to look for consistent culture signals.
Patterns in employee experience.
Themes across qualitative and quantitative data.
Signals embedded in leadership practices, governance structures, and decision processes.
Taken together, these inputs reveal how expectations are interpreted, how accountability is reinforced, and how people experience the organization in practice.
This is where a behavioural lens adds depth. By integrating multiple sources of insight rather than relying on any single method, organizations can surface dynamics that traditional approaches often miss.
Why this matters now
An absence of proper soft controls tends to leave predictable traces.
Delayed escalation.
Normalized workarounds.
Silence instead of challenge.
Issues addressed after the fact rather than in real time.
Increasingly, these dynamics are being recognized as risk issues in their own right.
Recent updates to the Institute of Internal Auditors standards explicitly bring organizational behaviour and culture into scope for assurance. The signal is clear: understanding risk requires understanding how culture shapes decisions, not just how controls are designed on paper.
Soft controls aren’t soft
Soft controls are not informal because they are optional.
They are informal because they are human.
They are embedded in how leaders lead, how teams interact, and how systems reinforce priorities. And because of that, they are often among the strongest predictors of risk.
Understanding them starts by looking beyond rules and reports and toward how culture is designed, supported, and experienced.
That is where risk actually lives.