Compliance that holds up: what a system has to do when it's challenged 

Every compliance programme looks fine on a normal day. The real test comes when a regulator opens a file, a journalist publishes a story, a customer escalates a due-diligence question or the board asks how a problem was missed. The difference between an organisation that emerges with credibility intact and one that does not is rarely the incident itself – it is what the compliance system can show, in writing, on the day it is challenged. 

Compliance is, for most of the year, an invisible function. Policies are reviewed, training is delivered, audits are closed and reports go to the board. None of it generates much attention. Then something happens – a sanctioned counterparty is discovered in the supply chain, a payment to an agent comes under scrutiny, a data breach is reported, a whistleblower contacts a regulator – and the function suddenly has to demonstrate, in days or weeks, that years of work add up to a defensible position. 

This is the moment that separates a compliance programme from a compliance system. A programme is a set of activities the organisation performs. A system is something the organisation can produce, evidence and defend when an external party demands answers. Most programmes hold up reasonably well to internal scrutiny. Far fewer hold up when scrutiny comes from outside. 

Who is doing the challenging 

It is worth being specific about who the challengers actually are, because each has different expectations and the system has to answer all of them. Regulators look for evidence that the organisation took its obligations seriously before the incident occurred – risk assessments, controls, monitoring, training, escalation. Their question is whether the failure was a single point of breakdown in a managed system, or whether it reflects a system that was never really there. 

Customers and business partners look for assurance that the organisation is safe to do business with going forward. Their concern is forward-looking: will this happen again, and what has changed. Investors and ratings agencies look at governance maturity – whether the board was informed, whether oversight was adequate, whether disclosures were timely. Journalists and the public look at culture and intent. Internal auditors and boards look at all of the above and then some. 

None of these audiences will be satisfied by the statement that the organisation has a compliance programme. They want to see how it works. 

What "defensible" actually means 

Defensibility is a word that gets used loosely. In practice it has a narrow meaning: the organisation can produce, on demand, evidence that its compliance system was designed appropriately for the risks it faced, was operating as intended, was monitored and was being improved. Each of those four elements matters. 

Designed appropriately. The system has to reflect the risks the organisation actually has – not a generic programme adapted from somewhere else. A regulator looking at a sanctions failure will want to see a sanctions risk assessment, with documented logic, that connects the organisation's exposure to the controls in place. A copy-paste policy from another sector does not survive this question. 

Operating as intended. Designing controls is not the same as running them. Evidence of operation – logs, screening records, escalations, training completion linked to job roles, exceptions handled and documented – is what separates a system from a document. Organisations that cannot produce this evidence quickly tend to find that they were running on assumptions, not controls. 

Monitored. Someone other than the people running the controls has to be checking that the controls work. Internal audit, second-line monitoring, management review – different organisations structure this differently, but the principle is the same. Without it, the system has no feedback loop and no way to catch problems before they become incidents. 

Improved. Issues raised through monitoring, audit, whistleblowing or external events have to be tracked, addressed and closed in a documented way. A regulator finding the same control weakness twice, with no evidence of action between the two findings, is the most damaging pattern there is. Continual improvement is not a slogan – it is the evidence that the organisation learns. 

Why certification changes the conversation 

Independent certification of a compliance management system – against ISO 37301, the international standard – is what turns internal effort into external evidence. It shifts the burden of the conversation in a way that matters when challenge arrives. 

Without certification, the organisation has to prove, from scratch, that its system meets a credible standard. The regulator or partner is entitled to be sceptical. Internal documents are evaluated by people who have no reason to extend the benefit of the doubt. Every claim about the system has to be evidenced from the ground up – under pressure, with the clock running. 

With certification, an independent third party has already evaluated the system against an international benchmark and concluded that it meets the requirements. The organisation is not asking to be trusted – it is pointing to an external verification that has already been done. Regulators give credit for this. Partners take comfort from it. Boards rely on it. The framing changes from "prove your system is credible" to "explain how this slipped past a credible system." That is a different conversation – and it is the conversation organisations want to be having on the day they are challenged. 

What the system has to be able to produce on the day 

There is a useful exercise that any compliance leader can run without involving external parties: imagine a regulator has just opened a file. They have 48 hours of meetings scheduled. What does the organisation need to be able to produce? 

A current compliance risk assessment with documented logic. A list of compliance obligations with named owners. The controls mapped to those obligations, with evidence of operation. Training records connected to job roles. Monitoring reports from the past 24 months with clear evidence of issues raised and action taken. Internal audit reports and management responses. Records of board engagement – not minutes that say "compliance was discussed," but substance. Records of incidents, near-misses and the responses to them. Evidence of continual improvement – not as a claim, but as a documented trail. 

Organisations that have built their system around an international standard tend to be able to produce most of this within hours. Organisations that have run their compliance work as an activity rather than a system often spend weeks assembling evidence – and frequently discover, in the process, that the evidence does not exist. 

The cost of finding out under pressure 

The hardest version of this conversation is the one that happens when an organisation discovers, mid-incident, that its compliance system is not as defensible as it assumed. The discovery is rarely about a missing policy. It is usually about missing evidence – monitoring that was not done, exceptions that were not documented, training that was completed but not linked to roles, audits that flagged issues that were never closed. 

By the time this is discovered, the options are narrow. The organisation can disclose the gaps and accept the consequences, or it can try to remediate under pressure and risk the appearance of constructing a system retrospectively. Neither is a good place to be. The alternative – building the system, evidencing it and having it independently verified before the challenge arrives – is significantly cheaper, and significantly less stressful, than the reactive version. 

What this means in practice 

For organisations that already operate a structured compliance management system, the value of certification is that it converts internal effort into external evidence. The work was already being done; certification makes it visible to the people who need to see it. 

For organisations whose compliance function is still organised around activities rather than a system, the value of working toward a recognised standard is that it provides a blueprint. ISO 37301 does not tell organisations what laws apply to them, and it does not eliminate compliance risk. What it does is force the discipline of designing controls to risks, evidencing their operation, monitoring them independently and improving them – the four elements that determine whether the system holds up when challenged. 

The decision is not really about a standard, or a certificate, or an audit. It is about what the organisation wants to be able to produce, and on what timeline, the next time someone outside the organisation asks the question. 

Building a compliance system that holds up 

Want to make sure your compliance management system is defensible? Speeki certifies organisations to ISO 37301 and delivers internal auditor and lead auditor training through Speeki Executive Education.  

Get in touch to discuss certification or training.
