Compliance is the set of processes, policies, and controls through which an organisation ensures that its activities conform to applicable laws, sector-specific regulations, and its own internal codes of conduct. It is not a department that simply says "no" — it is a risk management function: it identifies the obligations to which the company is subject, assesses the likelihood and impact of non-compliance, and designs the controls that keep that risk within an acceptable level. In many jurisdictions, compliance has moved beyond voluntary good practice to become a legal requirement, particularly since the introduction of corporate criminal liability in modern penal codes.
The criminal law framework: corporate liability and the exculpatory programme
Most developed legal systems now allow organisations to be held criminally liable for offences committed in their name and for their benefit. The pivotal mechanism across jurisdictions is the compliance programme: an organisation can be exonerated, or have its liability significantly reduced, if it demonstrates that it had implemented, before the offence was committed, an effective organisational and management model designed to prevent it. That programme must meet substantive requirements: identify risk activities, establish decision-making protocols, manage financial resources to prevent offences, impose an obligation to report risks internally, provide a disciplinary system, and — critically — maintain an autonomous supervisory body (the compliance officer) with its own powers and reporting line to the governing body.
Courts have been unequivocal that a programme carries no exculpatory weight as a mere document: it must be real, living, and supervised. A manual that sits on a shelf and is applied by no one does not exonerate; on the contrary, it can worsen the organisation's position by demonstrating that it was aware of the risk and did nothing. The international reference standard for structuring this function is ISO 37301 (compliance management systems), which replaced ISO 19600, complemented by ISO 37001 specifically for anti-bribery management systems. Many jurisdictions also have nationally recognised standards for criminal compliance management systems that are certifiable and carry significant evidentiary weight.
The pillars of the programme: from the risk map to the whistleblower channel
A compliance programme is built on rigorous analysis. The first pillar is the risk map: an inventory of the legal and conduct risks to which the organisation is exposed based on its sector, size, and geographic footprint, evaluated by probability and impact. From that map flow the controls and policies: code of ethics, anti-corruption policy, gifts and hospitality policy, anti-money-laundering procedures where applicable, and area-specific protocols for each identified risk. The third pillar is training and communication: policies prevent misconduct only when employees know and understand them, which requires periodic, documented training.
| Component | Function | Evidence of effectiveness |
|---|---|---|
| Risk map | Identify and prioritise legal risks | Document reviewed periodically |
| Compliance officer / body | Supervise the programme autonomously | Resources, independence, and reporting to the governing body |
| Policies and controls | Prevent risky conduct | Signed code of ethics, operational controls |
| Whistleblower channel | Detect non-compliance in time | Confidential channel with whistleblower protection |
| Training and records | Disseminate and evidence knowledge | Documented attendance and assessments |
| Audit and review | Verify and improve the system | Internal audit reports and action plans |
The fourth pillar, which has acquired its own legal force, is the internal reporting channel. The EU Whistleblower Protection Directive (2019/1937), transposed into national law across member states, obliges companies with 50 or more employees to maintain a confidential internal channel with set response deadlines, non-retaliation guarantees, and a designated system manager. Failure to comply with this obligation is independently sanctionable, irrespective of the substance of any reports received.
Data privacy: GDPR compliance
One of the areas of compliance with the greatest exposure to sanctions is data protection. The GDPR imposes a model of proactive accountability: it is not enough to comply — the organisation must be able to demonstrate compliance. This translates into specific obligations such as maintaining a record of processing activities, conducting data protection impact assessments (DPIAs) for high-risk processing, notifying the supervisory authority of a personal data breach within 72 hours, and appointing a Data Protection Officer (DPO) where required. GDPR fines can reach 4% of global annual turnover, which places privacy firmly at the top of the risk map of any organisation that processes personal data at scale.
Privacy compliance integrates with the broader programme: the DPO and the compliance officer share a risk methodology and, often, the same reporting channel for incidents. In environments where artificial intelligence systems are deployed, the regulatory horizon also includes the EU AI Act, which adds governance obligations for certain uses. National data protection authorities publish practical guidance on how to structure these obligations in practice.
Internal audit and continuous improvement
A compliance programme is not static. Periodic internal audits verify that controls exist, operate, and are effective, and identify deviations before they become violations. The Plan-Do-Check-Act (PDCA) cycle that structures ISO management standards applies here in full: the risk map is reviewed whenever regulations or the business change, controls are adjusted in response to audit findings, and the governing body receives a report that closes the accountability loop. Programme effectiveness is measured through indicators: reports received and handled within deadlines, training completed, incidents detected by internal controls versus external sources, and time to close action plans.
Third-party compliance: the supply chain as an owned risk
One of the areas where most organisations stumble is the risk that enters through the door of suppliers, distributors, and business partners. Criminal and reputational liability does not stop at the organisation's own boundaries: if an intermediary pays a bribe in the company's name, or a supplier violates labour or environmental law, the exposure reaches the contracting entity. A mature programme therefore incorporates third-party due diligence: a know-your-counterparty (KYC) process proportionate to the risk of each relationship, which verifies the counterparty's ultimate beneficial ownership, financial standing, track record, and its own level of compliance before the contract is signed.
This diligence is graduated by risk. An office supplies vendor in the same country requires a basic check; a commercial agent operating in a high-corruption jurisdiction to win public contracts requires enhanced verification, contractual anti-corruption clauses, and audit rights. ISO 37001 on anti-bribery systems dedicates specific attention to controls over business partners, and the EU Corporate Sustainability Due Diligence Directive (CSDDD) extends to large companies obligations to monitor human rights and environmental conduct throughout their chain of activity.
Third-party compliance connects with the risk map and the reporting channel: alerts about a supplier's conduct must be channelled and managed in the same way as internal ones. Documenting this diligence — what was checked, when, and with what outcome — is, once again, the evidence that sustains the organisation's position if a third party commits an irregularity despite the controls in place. Without that documentary trail, the organisation is exposed to responsibility for conduct it could not have prevented, and cannot demonstrate it tried to prevent.
Common mistakes in implementing compliance
- The paper programme. A well-drafted manual that sits in a drawer and is applied by no one does not provide exoneration; it can actually worsen liability by proving the risk was known.
- Compliance officer without autonomy or resources. If the supervisory body reports to the person it is supposed to oversee, or lacks the means to operate, the model is legally deficient.
- A reporting channel without guarantees. A channel that offers no confidentiality or protection against retaliation will not be used and breaches applicable whistleblower protection law.
- Copying generic policies. A code of ethics downloaded from the internet, without a bespoke risk map, does not reflect the organisation's actual risk activities.
- Failing to update the model. A programme that is not kept current with regulatory or business changes becomes obsolete and loses its exculpatory value.
Frequently asked questions
Is compliance mandatory for all companies? The criminal prevention model is not formally mandatory, but without it the company forfeits the possibility of exoneration from criminal liability. The internal reporting channel is mandatory from 50 employees upwards, and GDPR obligations apply to any organisation that processes personal data.
What is the difference between compliance and audit? Compliance designs and operates the controls that prevent violations; internal audit independently verifies that those controls exist and function. They are complementary but separate functions.
Is it worth getting certified to ISO 37301? Certification does not automatically exonerate, but it constitutes robust evidence of due diligence before a court or a regulator, since it demonstrates that an independent third party verified the system against a recognised standard.
Can the same professional serve as both DPO and compliance officer? It is possible in smaller organisations, but potential conflicts of interest and workload must be carefully assessed. Both roles require their own autonomy and specialisation.
Conclusion: compliance is proven by actions, not by manuals
The lesson repeated by courts over many years is unambiguous: the value of a compliance programme lies not in the thickness of its manuals, but in the evidence that it works. An effective model is recognisable because the risk map is current, the compliance officer has real autonomy and resources, the reporting channel is used and protects those who report, training leaves a documentary trail, and internal audit catches problems before an inspector does. When all of this exists and is kept alive, the programme fulfils its dual function: it genuinely prevents misconduct and, if matters come to a head, it demonstrates before a tribunal that the organisation acted with due diligence. The opposite — an impeccable binder with no practice behind it — not only fails to exonerate, but incriminates. At Summum Consulting, we implement compliance systems aligned with ISO 37301, integrated with data protection and whistleblower channel requirements, designed to withstand the only test that truly matters: the test of the facts.