What your board actually wants from compliance

Compliance has moved from operational concern to board agenda. Directors no longer want a tour of policies – they want evidence the system works, that risks are owned and that someone independent has checked. A certified compliance management system, built on ISO 37301, is what gives them that.

Board responsibility for compliance is not a new idea. What is new is the level of scrutiny that responsibility now attracts. Regulators expect boards to be able to evidence how they oversee compliance risk. Investors expect governance disclosures that go beyond statements of policy. Courts and enforcement agencies increasingly look at board behaviour when assessing whether an organisation took its compliance obligations seriously. 

In this environment, the question for directors is no longer whether they are responsible for compliance oversight – they are. The question is how to do it well: how to know the system works, where the risks sit and what to ask when reporting arrives. A certified compliance management system, built on ISO 37301, is one of the most practical ways to answer those questions. 

What boards are actually expected to do 

The trend across jurisdictions is consistent. Boards are expected to set the tone for compliance, ensure adequate resources, oversee the compliance function, review effectiveness and act on issues. The detail varies – the UK Corporate Governance Code, the US Department of Justice evaluation criteria for corporate compliance programmes, the French Sapin II regime, the Singapore code on corporate governance and many others all express versions of the same expectation. 

None of these frameworks tells the board how to do this work. They describe what good looks like; they do not specify the mechanism. That is where ISO 37301 comes in. 

What boards actually need – and how to get it 

Boards do not need to know how a compliance management system works in detail. They need to know that it has the right governance spine – defined reporting lines, evidence of effectiveness, independent assurance and a common language across the organisation. ISO 37301 builds each of these in by design. 

A defined reporting line 

The standard requires a compliance function with direct access to top management and the governing body. It requires defined roles, documented authority and reporting that reaches the board on a regular basis. For directors who have struggled to get compliance reporting that is consistent, comparable and timely, this structure is a meaningful upgrade. 

Evidence of effectiveness, not just activity 

Compliance reports often describe activity – training delivered, policies updated, investigations closed. Activity is not the same as effectiveness. ISO 37301 requires monitoring of outcomes, internal audit of the system itself and management review focused on whether the system is delivering. The board receives information about whether compliance is working, not just whether compliance is busy. 

Independent assurance 

Independent third-party certification gives the board external confirmation that the compliance management system meets an international standard. This is not the same as an opinion on every compliance decision the organisation has made – but it is independent evidence that the system around those decisions is structured, monitored and improved. For directors signing off on governance disclosures, this evidence carries weight. 

A common language across the organisation 

In large or complex organisations the board often hears compliance reported differently from different parts of the business. ISO 37301 imposes a common structure – the same vocabulary for context, risk, controls, monitoring and improvement, used consistently regardless of which business unit or jurisdiction is reporting. The result is information the board can actually compare and act on. 

The five questions every director should be able to answer 

Directors typically have a small set of questions they need to be able to answer about compliance – the ones that matter when a regulator, an investor or an auditor asks. A certified compliance management system maps almost directly onto these. 

Do we know what we have to comply with? ISO 37301 requires a systematic process to identify and document compliance obligations. The board has a defensible answer. 

Have we assessed where the risks are? The standard requires risk assessment that links obligations to the activities, processes and jurisdictions where they apply. The board has visibility into which risks the organisation has prioritised and why. 

Do we have the right controls in place? The standard requires controls proportionate to the risks identified, with documented ownership and monitoring. The board can ask – and be answered – about specific controls. 

How do we know it's working? The standard requires performance monitoring, internal audit, management review and continual improvement. The board receives outcome data, not just process descriptions. 

What happens when something goes wrong? The standard requires processes for non-conformity, corrective action and lessons learned. The board sees a system designed to absorb and respond to failure, not one that pretends failure will not happen. 

For directors, this is a more useful conversation than the one most boards currently have about compliance. 

What certification will not do for the board 

It does not relieve directors of their compliance duties. Certification is evidence of a managed system, not a shield against personal liability. A board that adopts ISO 37301 and then disengages from compliance oversight has missed the point – and may find that regulators or courts are unimpressed. 

It also does not turn compliance into a tick-box exercise. The standard requires substantive oversight, not formal compliance with the standard itself. Boards that treat ISO 37301 as paperwork rather than as a governance discipline get little value from it. Boards that use it as a structured way to ask better questions get a lot. 

Where the board fits in 

ISO 37301 explicitly addresses governance bodies. Top management is required to demonstrate commitment, ensure resources, integrate compliance into business processes and report to the governing body. The governing body, in turn, is expected to oversee. The standard does not require the board to do compliance work – it requires the board to oversee the work being done. 

In practice this means three things for directors. First, satisfy yourself that the compliance function has the structure, resources and authority required. Second, engage with the management review process – ask questions, challenge assumptions, follow up on findings. Third, treat compliance reporting as something you read carefully, not something you accept at face value. 

The strategic angle 

Beyond risk management, ISO 37301 has a strategic dimension that often gets less attention than it deserves. Compliance maturity is increasingly a commercial asset. Customers prefer partners they can rely on. Investors discount governance risk. Regulators give credit for credible systems. Talent prefers organisations that take their obligations seriously. 

Boards that approach ISO 37301 as pure cost miss this. Boards that treat it as part of how the organisation creates and protects value over time get more out of it – and tend to lead organisations that find compliance easier rather than harder. 

The bottom line

Compliance oversight is a responsibility boards cannot delegate – and one that is being watched more closely every year. A certified compliance management system, built on ISO 37301, gives directors a structured, internationally recognised way to discharge it. It is not a strategy and it is not a substitute for engagement. But for boards looking for a credible answer to "how do we know our compliance programme is working?", it is the most practical tool currently available. 

Considering ISO 37301 for your organisation? Speeki certifies organisations to ISO 37301 and delivers training for boards, compliance teams and internal auditors through Speeki Executive Education.

Get in touch to discuss certification or training.
