Many compliance professionals excel at writing policies, which we all should agree is the easy part. Where many can go wrong is in turning policy into action. Compliance Conversations authors Anna Romberg and Julia Haglind dig into the real-world impact of inadequate policy implementation.
Compliance doesn’t have to be a solo journey. Join Anna Romberg and Julia Haglind in a collaborative exploration of real-world compliance challenges. Share your experiences and challenges; your issue could be featured in the next Compliance Conversations With Anna Romberg & Julia Haglind.
As the year draws to a close, many ethics and compliance officers are busy assessing risks, refreshing policies and preparing to meet new regulatory demands. Often, these policy updates must be reviewed and approved by the board of directors, putting ethics and compliance teams under tight deadlines to ensure the policy framework is up to date. With the constant influx of new regulations — from antitrust and data privacy requirements to environmental and human rights standards in supply chains — policy updates have become a significant undertaking for ethics and compliance teams.
The process involves countless hours spent reviewing, revising and fine-tuning policy documents. Lawyers are brought in to verify that the latest legal standards are accurately reflected, and other functions — like finance, HR, communications and purchasing — review the drafts to ensure alignment across the organization. Traditionally, this entire process was handled manually, with documents passed around for feedback. However, as technology advances, many organizations are adopting policy management software to streamline these reviews and revisions.
After rounds of revisions, the updated policy documents are sent to the board of directors, who, more often than not, will have minimal feedback. Once approved, the chief ethics and compliance officer may feel a momentary sense of relief — another cycle of policy updates is complete. As more AI-powered tools emerge, ethics and compliance teams hope that next year’s process will be even more streamlined, perhaps even with AI tracking relevant regulations and proposing updates.
Ultimately, though, the real goal is to reduce the amount of time ethics and compliance officers spend on writing policies and free up more resources for implementing them, where the real work lies. Creating a policy may be relatively straightforward; implementing it effectively, however, is the real challenge.
What policy implementation is — and is not
So, what does effective policy implementation look like? Perhaps more importantly, what does it not look like? Implementation is not as simple as posting an update on the company intranet, pushing out a mandatory e-learning module, requiring employees to sign off on the new document, adding clauses to supplier agreements or conducting internal audits to verify compliance.
These actions are all part of a comprehensive ethics and compliance program, and they provide mechanisms to support implementation. However, relying solely on these as “tick-the-box” exercises can lead to a false sense of security. Effective policy implementation goes deeper, ensuring that employees understand how policies relate to their specific roles and that they feel empowered to make responsible decisions, even under pressure or in ambiguous situations.
For compliance to be effective, organizations must translate complex regulations and internal policies into practical, understandable guidelines for employees. This is commonly what the dedicated compliance team focuses on. But there is an added layer: ethics. Policies outline the rules, but ethics determine how those rules translate into real behavior at every level of the organization.
Most companies don’t have ethics and compliance officers watching every decision made by every employee and lawyers providing legal interpretations on every rule. Instead, they need to cultivate a culture where all employees are equipped to make the right choices, well beyond the boundaries for what could be considered illegal. Employees should be equipped to make the right ethical choice, especially when situations are unclear or high pressure.
Implementing a policy in these “gray zones,” where there is no obvious right or wrong answer, is particularly challenging. Under such circumstances, “ethical blindness” can set in — people may bend the rules to meet targets or start rationalizing behavior that deviates from policy. In these cases, employees might argue that their actions align with policy goals even when they don’t, especially if there are incentives to prioritize short-term gains over ethical considerations.
Real-world consequences of weak implementation
Take, for instance, the repeated cases of large banks fined for enabling money laundering. Often, these banks did not lack policies, e-learning courses or regular due diligence questionnaires. Yet, red flags were missed, exceptions were granted and questionable transactions went unreported or not appropriately investigated. Compliance mechanisms were in place, but employees — consciously or subconsciously — looked the other way, often influenced by rationalizations like, “This doesn’t make a difference,” “It’s not my job to intervene,” “I’ve tried before and nothing changed” or “Raising concerns will harm my career.”
In such environments, a culture of silence can permeate the organization, where employees feel that their voice will not impact change or that challenging unethical behavior is outside their role. Addressing these cultural challenges is at the heart of effective policy implementation.
True implementation starts with a risk assessment that goes beyond financial or operational risks to identify potential cultural pitfalls. Employees must be trained not only to recognize risk factors but also to stay vigilant against ethical “tunnel vision” — and, most critically, to feel safe speaking up about concerns.
From Paragraph to Pixel: Reflections on Compliance & AI
Compliance Conversations: How should we be using AI?
Read moreDetailsMoving beyond the surface
Board members often receive regular updates on policy changes, compliance dashboards and audit results and feel assured that “everything is under control.” While these indicators are valuable, they often do not capture whether policies are effectively integrated into day-to-day practices.
Fortunately, while real implementation may be challenging, it is achievable. Experience shows that the key to successful policy integration lies in fostering open and transparent discussions about real-world challenges and ethical dilemmas. Organizations should engage employees in conversations about why policies exist, the underlying regulatory requirements and the broader responsibility companies hold not only for financial results but for positive social outcomes as well.
For example, discussing case studies of situations where policy adherence was challenging or even where policies were circumvented can help employees understand the real-world complexities of ethical decision-making. When employees understand why certain policies are in place and the potential impact on both the company and society, they are more likely to internalize and uphold these standards.
Building a culture of ethical decision-making
In the end, policy implementation is about more than compliance — it’s about cultivating a culture where ethical decision-making is the aim. A strong policy can guide behavior, but employees need more than rules to make the right choices in difficult situations. They need to feel empowered, supported and informed. By encouraging transparent discussions, fostering a speak-up culture and providing practical tools for ethical decision-making, organizations can bridge the gap between policy on paper and policy in action.
The goal is not just adherence to rules but a company-wide commitment to ethical behavior, regardless of the pressure to perform. This commitment is the true measure of policy success — not just writing it down but ensuring it lives in the day-to-day decisions made at every level.