Compliance: regulatory and internal corporate compliance

·

Compliance is the set of processes, policies, and controls through which an organisation ensures that its activities conform to applicable laws, sector-specific regulations, and its own internal codes of conduct. It is not a department that simply says "no" — it is a risk management function: it identifies the obligations to which the company is subject, assesses the likelihood and impact of non-compliance, and designs the controls that keep that risk within an acceptable level. In many jurisdictions, compliance has moved beyond voluntary good practice to become a legal requirement, particularly since the introduction of corporate criminal liability in modern penal codes.

The criminal law framework: corporate liability and the exculpatory programme

Most developed legal systems now allow organisations to be held criminally liable for offences committed in their name and for their benefit. The pivotal mechanism across jurisdictions is the compliance programme: an organisation can be exonerated, or have its liability significantly reduced, if it demonstrates that it had implemented, before the offence was committed, an effective organisational and management model designed to prevent it. That programme must meet substantive requirements: identify risk activities, establish decision-making protocols, manage financial resources to prevent offences, impose an obligation to report risks internally, provide a disciplinary system, and — critically — maintain an autonomous supervisory body (the compliance officer) with its own powers and reporting line to the governing body.

Courts have been unequivocal that a programme carries no exculpatory weight as a mere document: it must be real, living, and supervised. A manual that sits on a shelf and is applied by no one does not exonerate; on the contrary, it can worsen the organisation's position by demonstrating that it was aware of the risk and did nothing. The international reference standard for structuring this function is ISO 37301 (compliance management systems), which replaced ISO 19600, complemented by ISO 37001 specifically for anti-bribery management systems. Many jurisdictions also have nationally recognised standards for criminal compliance management systems that are certifiable and carry significant evidentiary weight.

The pillars of the programme: from the risk map to the whistleblower channel

A compliance programme is built on rigorous analysis. The first pillar is the risk map: an inventory of the legal and conduct risks to which the organisation is exposed based on its sector, size, and geographic footprint, evaluated by probability and impact. From that map flow the controls and policies: code of ethics, anti-corruption policy, gifts and hospitality policy, anti-money-laundering procedures where applicable, and area-specific protocols for each identified risk. The third pillar is training and communication: policies prevent misconduct only when employees know and understand them, which requires periodic, documented training.

Essential components of an effective compliance programme
ComponentFunctionEvidence of effectiveness
Risk mapIdentify and prioritise legal risksDocument reviewed periodically
Compliance officer / bodySupervise the programme autonomouslyResources, independence, and reporting to the governing body
Policies and controlsPrevent risky conductSigned code of ethics, operational controls
Whistleblower channelDetect non-compliance in timeConfidential channel with whistleblower protection
Training and recordsDisseminate and evidence knowledgeDocumented attendance and assessments
Audit and reviewVerify and improve the systemInternal audit reports and action plans

The fourth pillar, which has acquired its own legal force, is the internal reporting channel. The EU Whistleblower Protection Directive (2019/1937), transposed into national law across member states, obliges companies with 50 or more employees to maintain a confidential internal channel with set response deadlines, non-retaliation guarantees, and a designated system manager. Failure to comply with this obligation is independently sanctionable, irrespective of the substance of any reports received.

Data privacy: GDPR compliance

One of the areas of compliance with the greatest exposure to sanctions is data protection. The GDPR imposes a model of proactive accountability: it is not enough to comply — the organisation must be able to demonstrate compliance. This translates into specific obligations such as maintaining a record of processing activities, conducting data protection impact assessments (DPIAs) for high-risk processing, notifying the supervisory authority of a personal data breach within 72 hours, and appointing a Data Protection Officer (DPO) where required. GDPR fines can reach 4% of global annual turnover, which places privacy firmly at the top of the risk map of any organisation that processes personal data at scale.

Privacy compliance integrates with the broader programme: the DPO and the compliance officer share a risk methodology and, often, the same reporting channel for incidents. In environments where artificial intelligence systems are deployed, the regulatory horizon also includes the EU AI Act, which adds governance obligations for certain uses. National data protection authorities publish practical guidance on how to structure these obligations in practice.

Internal audit and continuous improvement

A compliance programme is not static. Periodic internal audits verify that controls exist, operate, and are effective, and identify deviations before they become violations. The Plan-Do-Check-Act (PDCA) cycle that structures ISO management standards applies here in full: the risk map is reviewed whenever regulations or the business change, controls are adjusted in response to audit findings, and the governing body receives a report that closes the accountability loop. Programme effectiveness is measured through indicators: reports received and handled within deadlines, training completed, incidents detected by internal controls versus external sources, and time to close action plans.

Third-party compliance: the supply chain as an owned risk

One of the areas where most organisations stumble is the risk that enters through the door of suppliers, distributors, and business partners. Criminal and reputational liability does not stop at the organisation's own boundaries: if an intermediary pays a bribe in the company's name, or a supplier violates labour or environmental law, the exposure reaches the contracting entity. A mature programme therefore incorporates third-party due diligence: a know-your-counterparty (KYC) process proportionate to the risk of each relationship, which verifies the counterparty's ultimate beneficial ownership, financial standing, track record, and its own level of compliance before the contract is signed.

This diligence is graduated by risk. An office supplies vendor in the same country requires a basic check; a commercial agent operating in a high-corruption jurisdiction to win public contracts requires enhanced verification, contractual anti-corruption clauses, and audit rights. ISO 37001 on anti-bribery systems dedicates specific attention to controls over business partners, and the EU Corporate Sustainability Due Diligence Directive (CSDDD) extends to large companies obligations to monitor human rights and environmental conduct throughout their chain of activity.

Third-party compliance connects with the risk map and the reporting channel: alerts about a supplier's conduct must be channelled and managed in the same way as internal ones. Documenting this diligence — what was checked, when, and with what outcome — is, once again, the evidence that sustains the organisation's position if a third party commits an irregularity despite the controls in place. Without that documentary trail, the organisation is exposed to responsibility for conduct it could not have prevented, and cannot demonstrate it tried to prevent.

Common mistakes in implementing compliance

Frequently asked questions

Is compliance mandatory for all companies? The criminal prevention model is not formally mandatory, but without it the company forfeits the possibility of exoneration from criminal liability. The internal reporting channel is mandatory from 50 employees upwards, and GDPR obligations apply to any organisation that processes personal data.

What is the difference between compliance and audit? Compliance designs and operates the controls that prevent violations; internal audit independently verifies that those controls exist and function. They are complementary but separate functions.

Is it worth getting certified to ISO 37301? Certification does not automatically exonerate, but it constitutes robust evidence of due diligence before a court or a regulator, since it demonstrates that an independent third party verified the system against a recognised standard.

Can the same professional serve as both DPO and compliance officer? It is possible in smaller organisations, but potential conflicts of interest and workload must be carefully assessed. Both roles require their own autonomy and specialisation.

Conclusion: compliance is proven by actions, not by manuals

The lesson repeated by courts over many years is unambiguous: the value of a compliance programme lies not in the thickness of its manuals, but in the evidence that it works. An effective model is recognisable because the risk map is current, the compliance officer has real autonomy and resources, the reporting channel is used and protects those who report, training leaves a documentary trail, and internal audit catches problems before an inspector does. When all of this exists and is kept alive, the programme fulfils its dual function: it genuinely prevents misconduct and, if matters come to a head, it demonstrates before a tribunal that the organisation acted with due diligence. The opposite — an impeccable binder with no practice behind it — not only fails to exonerate, but incriminates. At Summum Consulting, we implement compliance systems aligned with ISO 37301, integrated with data protection and whistleblower channel requirements, designed to withstand the only test that truly matters: the test of the facts.