Monday, December 15, 2025

Compliance function essentials: purpose, requirements, implementation

Written by Iratxe Gurpegui

Compliance teams in intermediate-sized enterprises are under pressure to do more with less, while regulators, customers, and investors expect professional standards. A formal compliance function is the backbone that turns scattered policies and good intentions into a reliable, risk-based compliance management program that works in daily operations.

This guide explains the purpose of the compliance function, what it is for, the non-negotiable requirements that make it credible, and a practical, staged path to implement or upgrade it in 90 days.

Figure: an operating model diagram with the compliance function at the center and arrows to seven capabilities: obligations management, risk assessment, controls and remediation, training and awareness, advisory and reporting to the board, speak-up and investigations, documentation and audit readiness. Around the hub sit the business units, internal audit, HR, finance, IT, legal, and external regulators.

Why the compliance function exists (the purpose)

At its core, the compliance function exists to protect value and enable growth by preventing, detecting, and managing the risk of regulatory or ethical breaches. In practical terms, it should:

  • translate legal and ethical obligations into clear business expectations, controls, and workflows
  • make compliance part of everyday processes, not a parallel bureaucracy
  • provide independent, risk-based oversight and timely reporting to the board and executives
  • promote a speak-up culture and respond consistently to incidents
  • maintain evidence that the program operates in fact, not only on paper

What the function is for (scope and outcomes)

For intermediate-sized organizations, scope should be risk based and proportionate. Most will operate a transversal compliance management program and, where relevant, specific sub-programs for higher risk areas:

  • anti-corruption, Loi Sapin II and ISO 37001
  • antitrust, UNE 19603 (Spain)
  • criminal compliance, UNE 19601 (Spain)
  • anti-money laundering, sector dependent
  • AI governance, EU AI Act readiness for providers and deployers of AI systems

The outcomes that matter to your board and auditors are simple to state and hard to fake:

  • credible risk mapping and prioritized actions
  • documented controls that actually run
  • trained people and aligned third parties
  • functioning speak-up channels and consistent case handling
  • timely reporting and continuous improvement with traceable evidence

Requirements that make a compliance function credible

The elements below, and the ability to demonstrate each of them during audits or investigations, are what make a compliance function solid and credible.

Governance and mandate: The function operates under a board approved mandate with a direct reporting line to the board or one of its committees, and a role that is distinct from the businesses it oversees. Typical evidence includes the mandate, an organization chart, and minutes that capture the function’s direct access to directors.

Autonomy and resources: The compliance team controls its budget, has access to people and records, and can consult external experts when needed. Evidence usually consists of a dedicated budget line, an access protocol, and adviser engagement letters.

Independence: Objectives and remuneration are not tied to sales targets, and performance is evaluated by the board or an independent committee. Auditors look for a defined KPI set, the remuneration policy, and an annual evaluation record.

Risk based approach: Risks are identified, analyzed, prioritized, and reviewed on a defined cadence using a documented method. Supporting evidence includes a current risk register, the applied methodology, and a review calendar.

Integration into processes: Controls are embedded in procurement, sales, finance, HR, and IT, rather than living only in a policy binder. Evidence typically includes process maps, control descriptions, and system screenshots that show controls running in practice.

Speak-up and response: Confidential channels exist with clear triage rules, investigations are documented, and non-retaliation is safeguarded. You should be able to show speak-up policy, channel metrics, case files, and disciplinary records as evidence.

Reporting and improvement: There are periodic operational reports, an annual program review, and urgent escalations when warranted. Evidence often includes a quarterly report pack, an annual report, and records of incident escalations.

Documentation: A centralized, access controlled repository holds policies, risks, controls, evidence, and case records. Auditable proof includes the repository structure, access logs, and an evidence index.

Core responsibilities, simplified

A solid compliance function reliably performs seven repeatable responsibilities:

  1. Obligations management: identify, monitor, and explain the obligations that apply, both mandatory and voluntary codes. Keep the corpus current and accessible to those who must use it.
  2. Risk assessment and prioritization: map, analyze, and score risks, then validate and review when context changes. Use a clear method that distinguishes inherent and residual risk.
  3. Controls and remediation: catalogue existing controls, assess their design and operating effectiveness, propose improvements, and drive remediation actions with owners and deadlines.
  4. Training and awareness: segment audiences by exposure, deliver targeted training, and measure completion and effectiveness. New joiners and high risk roles get extra attention.
  5. Advisory and reporting: provide timely advice to operations on gray areas, and report periodically to the board. Urgently escalate incidents with significant economic or reputational impact.
  6. Speak-up and investigations: ensure channels are accessible and confidential, guarantee non retaliation, and oversee case handling to fair conclusions.
  7. Documentation and audit readiness: maintain an organized, access controlled evidence base that shows how the program operates over time.

Framework specific focus areas

For each framework, the distinctive focus of the program and what boards expect to see:

Loi Sapin II
  Distinctive focus: anti-corruption risk mapping, third party due diligence, accounting controls, training, disciplinary rules, evaluation
  What boards expect to see: the eight measures implemented, with an AFA style evidence trail

ISO 37001
  Distinctive focus: anti-bribery policy, roles and independence, financial and non financial controls, due diligence, investigations
  What boards expect to see: a certification readiness bundle and a monitoring cadence

UNE 19603 (antitrust)
  Distinctive focus: pricing and information exchange safeguards, trade association protocols, dawn raid readiness
  What boards expect to see: practical dos and don'ts, meeting rules, audit logs

UNE 19601 (criminal compliance)
  Distinctive focus: risk mapping aligned to Article 31 bis, oversight body role, sanctions framework
  What boards expect to see: oversight minutes, controls mapped to offences, case history

AML (sector specific)
  Distinctive focus: KYC, monitoring, suspicious activity reporting, record keeping
  What boards expect to see: risk based CDD, alert handling, regulator communications

EU AI Act (readiness)
  Distinctive focus: AI use case inventory, risk classification, data and model governance, transparency and human oversight
  What boards expect to see: a register of AI systems, risk categorization, controls and policies

A pragmatic 90 day implementation roadmap

Day 0 to 30, set the foundation

  • Appoint the compliance lead, define remit and reporting line to the board or its committee
  • Approve a short compliance mandate and a risk based scope for year one
  • Compile a first cut of obligations, focusing on corruption, antitrust, criminal, AML if applicable, and AI Act exposure
  • Stand up a basic evidence repository and a reporting template for the board

Day 31 to 60, assess and integrate

  • Run a baseline risk assessment and draft a prioritized plan with owners and milestones
  • Map existing controls inside core processes and link them to risks (procurement, sales, finance, HR, IT), identify quick wins and gaps
  • Define remediation actions, due dates, and escalation rules

Day 61 to 90, operate and improve

  • Roll out targeted training for high exposure roles and new joiners, communicate speak-up options and non retaliation
  • Switch on continuous evidence capture for key controls and incidents
  • Test the speak-up channel and the investigation workflow end to end
  • Brief the board with a one page risk heat map, progress on remediation, training coverage, and incident metrics
  • Schedule independent reviews or internal audits for the highest risk areas

Metrics that matter to management and auditors

  • Risk posture: top five risks, residual versus inherent scores, and trend since last quarter
  • Control health: percentage of key controls tested, exceptions raised and closed, median time to close
  • Training and awareness: completion rates in high risk roles, survey based effectiveness scores
  • Third parties: percentage risk assessed before contracting, flagged cases and outcomes
  • Speak-up: volumes by category, time to first action, substantiation rate, non retaliation confirmations

Typical pitfalls and how to avoid them

  • Vague mandate, fix by adopting a short board approved charter clarifying scope and reporting line
  • Paper program, fix by embedding controls in real processes and collecting immutable evidence from source systems
  • One size fits all training, fix by segmenting audiences and focusing on high exposure roles
  • No urgent escalation path, fix by defining severity thresholds that trigger immediate board notification
  • Controls without owners, fix by assigning named owners and due dates for every action
  • Fragmented tooling, fix by centralizing evidence and workflows to reduce rework and blind spots

How Naltilia can help

Naltilia provides an AI powered platform for compliance teams in intermediate-sized enterprises. Teams use it to:

  • Accelerate regulatory risk assessment and focus on what matters
  • Produce tailor-made policies aligned to your risks and jurisdictions
  • Automate data collection for control evidence, including recurring control runs
  • Orchestrate remediation actions and compliance workflow automation with owners, due dates, and audit ready trails

If you are setting up or upgrading your compliance function, we can help you get to a working, documented program quickly and safely.

About the Author

Iratxe Gurpegui

I've spent 20 years as a compliance and competition lawyer across Europe and Latin America, and throughout my career, I've seen firsthand how complex and costly regulations can hold companies back. But I've also learned that compliance doesn't have to be a burden, it can be a strategic advantage. My mission is to help companies harness the power of AI, transforming compliance into something faster, simpler, and most importantly, a real driver of growth for businesses.