
The most uncomfortable audit moment is not when a policy is missing. It is when every policy exists and nobody can explain what people actually do when pressure hits.
The pattern repeats too many times: a polished code of conduct, a training completion rate above 95%, a whistleblowing hotline, a gifts policy, a sanctions clause in supplier contracts. Then one simple question lands: why were there zero incident reports in a business unit operating in three high-risk markets?
Silence.
Maybe nothing happened. Maybe. But in compliance, perfect silence is not automatically good news. Sometimes it means people trust the system. Sometimes it means they do not believe speaking up is safe, useful, or career-neutral.
That is the gap between a compliance program and a compliance culture.
A compliance program is the designed system: policies, procedures, controls, risk assessments, training, approvals, investigations, remediation actions, and evidence. It gives the company a way to prevent, detect, and respond to regulatory compliance risk.
Compliance culture is different. It is what people do with that system when incentives, deadlines, hierarchy, and fear enter the room.
| Question | Compliance program | Compliance culture |
|---|---|---|
| What does it look like? | Policies, controls, workflows, registers, audit trails | Escalation reflexes, management tone, peer norms, psychological safety |
| How does it fail? | Gaps, outdated procedures, weak evidence, unclear owners | Silence, normalization of shortcuts, retaliation fear, selective enforcement |
| What proves it works? | Operating controls and documented remediation | People raising concerns early, managers acting consistently, bad news traveling fast |
You need both. A program without culture becomes paper — and has its own failure modes, ones that tend to surface at the worst possible moment. Culture without a program becomes aspiration.
The DOJ Evaluation of Corporate Compliance Programs asks whether a program is well designed, applied in good faith, and works in practice. That last part matters. Works in practice means behavior, not just documentation.
The company with the perfect code and no reports
Zero reports can be a sign of trust. It can also be a sign of fear.
The difference is not visible in the hotline statistics alone. You have to look at the surrounding signals. Are managers escalating small issues before they become formal cases? Do employees ask questions about gifts, competitors, vendors, conflicts of interest, data use, or public officials? Are investigations closed with real remediation?
The EU Whistleblower Directive did not create speak-up obligations because regulators love portals. It reflects a very practical truth: misconduct is often known internally before it is known externally. If your own people will not tell you, someone else eventually will.
The same logic applies beyond whistleblowing. A conflict of interest policy is only useful if people disclose uncomfortable relationships. An antitrust policy is only useful if sales teams leave the WhatsApp group when competitors start discussing pricing. A third-party due diligence process is only useful if procurement does not treat red flags as an administrative annoyance.
Culture without program fails too
Some leaders dislike the word program because it sounds bureaucratic. They prefer values. Trust. Integrity. Doing the right thing.
I understand the instinct. But I do not trust culture that has no operating system.
If the rule is "do the right thing", who decides what right means when a distributor asks for an urgent success fee before a public tender? If people are told to escalate, where do they escalate? If a manager approves an exception, how is it recorded? If a concern is raised, who triages it, who investigates, who protects confidentiality, who tracks remediation?
Good intentions do not survive turnover, growth, acquisitions, or commercial pressure unless they are translated into repeatable processes.
That is why standards like ISO 37001 treat compliance as a management system, not a poster campaign. Culture is not a substitute for controls. It is the environment that makes controls meaningful.
The real failure pattern: the handoff breaks
Most compliance failures I have seen do not happen because nobody wrote a policy. They happen because the handoff between policy and behavior breaks.
A realistic example: a mid-size company has a gifts and hospitality policy. It sets thresholds. It requires pre-approval for public officials. It has an annual training module. On paper, fine.
Then a regional sales manager invites a state-owned enterprise executive to an expensive event during a tender process. A junior employee sees the issue. The approval workflow exists, but the manager says, "we have always done this." The employee knows the hotline exists, but nobody she knows has ever used it. She also saw another colleague labeled "difficult" after raising a concern last year.
So she stays quiet.
In that moment, the program existed. The culture decided the outcome.
Practical levers when you do not have a compliance team of ten
Most companies do not need more slogans. They need a few cultural levers tied to real controls. (If you are still defining what your compliance function should cover, this article on compliance function essentials is a useful starting point.)
- Make escalation simple: Employees should not feel that raising a concern is a dramatic act. Build simple intake routes for questions, not only formal reports. The earlier the question, the cheaper the fix.
- Train managers first: Culture is not transmitted by the compliance team. It is transmitted by managers under pressure. Give them scripts for gifts, competitors, conflicts, third parties, and data issues.
- Measure silence carefully: Do not celebrate zero reports without context. Compare hotline use, advisory questions, training scenarios and comments, audit findings, exit interview themes, and remediation delays.
- Close the loop: People stop speaking up when reports disappear into a black box. You cannot share everything, but you can communicate process, timelines, and visible lessons learned.
- Reward clean decisions, not just fast results: If commercial heroes are allowed to bypass controls, everyone notices. Incentives are culture in accounting form.
- Turn exceptions into data: Every policy exception tells you something about pressure points, unclear rules, or business reality. Track them and adjust controls.
- Automate the administrative layer: Small teams cannot build culture if they spend all week chasing attestations and evidence. This is where tools matter.
At Naltilia, this is exactly how we have conceived our AI compliance tool. It should not pretend to create integrity. That remains human work. But it can automate data collection, route approvals, track remediation, generate tailored policies, and keep evidence connected to risks and controls. That frees the compliance officer to do the harder work: challenge decisions, coach managers, read silence correctly.
My test is simple. Pick one high-risk area: gifts, third parties, conflicts, pricing, AI use, whatever matters most in your business. Ask four questions: Do people recognize the risk? Do they know where to go? Do managers respond consistently? Can we prove what happened?
If one answer is no, you do not only have a program gap. You have a culture gap. Fix both, or expect the same issue to come back wearing a different badge.
Questions compliance officers actually ask
Is it possible to build a compliance culture in a company that has never had one?
Yes, but not by starting with culture. Start with one visible behavior. Make escalation easy in one area. Close the loop on one report. Have one manager handle one difficult conversation correctly — and make sure the team sees it. Culture builds from repeated, consistent signals. It does not start from a values statement.
Our hotline numbers are low. Should we be worried?
It depends on context. Low volume in a small, low-risk company with active open-door management is probably fine. Low volume in a high-risk market, a fast-growing sales organization, or a company that recently went through a restructuring is worth probing. Look at the surrounding signals: are managers escalating small issues? Are employees asking advisory questions? Do exit interviews surface concerns? Zero is a data point, not a conclusion.
We have strong values at the top. Why do we still get compliance failures at the operational level?
Because values do not travel automatically. They travel through managers, through incentive structures, through how exceptions get handled, and through what happens to the person who raises the uncomfortable question. If commercial pressure consistently wins against compliance process at the mid-management level, the message reaches every junior employee. Values need an operating system.
How do we prioritize when we are a small compliance team with limited resources?
Choose one high-risk area and go deep rather than spreading thinly across everything. Automate whatever is administrative — evidence collection, attestations, approvals, reminders. That time buys you the capacity to do the work that cannot be automated: coaching managers, reading signals, challenging decisions. A program maintained by a spreadsheet will always lose the race against organizational complexity.
What is the difference between a policy exception and a control failure?
A policy exception is a documented, approved deviation with a rationale and an owner. A control failure is when the deviation happens without any of that. Both tell you something. Exceptions tell you where controls do not fit business reality — useful data for adjusting the program. Failures tell you where the handoff between policy and behavior broke. Track both separately.