
Policies are where intent becomes behavior. Yet in many mid‑market companies they sit in shared drives, rarely read and even less often measured. Regulators now expect evidence that policies are risk based, understood, embedded in workflows and tested over time. This practical checklist helps compliance officers and in‑house counsel turn a policy library into a living control system aligned with the regulatory frameworks that apply to them.

What policies compliance means
Policies compliance means your policies are not only drafted and approved, they are demonstrably risk based, accessible to the right people at the right time, translated into procedures and controls, and supported by evidence of adoption, exceptions management and periodic effectiveness review. In 2026, auditors and regulators increasingly ask for proof of this end‑to‑end lifecycle, not just a PDF with a signature page.
The checklist below is designed for mid‑sized enterprises and maps to the standards most of you face, including anti‑bribery requirements under Sapin II and ISO 37001, corporate criminal liability programs under UNE 19601, antitrust safeguards under UNE 19603 and the compliance management system requirements of ISO 37301.
How to use this checklist
Work through the items in order. If you already have a mature risk map, jump directly to drafting, adoption and monitoring. If not, start with scope and ownership. For each item, the goals, actions and evidence are spelled out so you can show auditors a clear chain from risk to policy to practice.
The practical checklist
1) Scope and ownership
Goal: Define why each policy exists, who owns it and who must follow it.
Actions: Build a policy inventory tied to specific risks in your risk register, appoint a policy owner and an executive sponsor, define the audience and applicability by role and geography.
Evidence: Approved inventory, ownership matrix, mapped risk IDs.
2) Approvals and version control
Goal: Ensure your policies are legitimate and auditable.
Actions: Establish a simple approval workflow with timestamps, maintain version history and redlines, define retention rules for superseded versions.
Evidence: Approval log, version history, archive records. ISO 37301 and ISO 37001 expect controlled documented information.
3) Risk‑based drafting
Goal: Write policies that actually treat your top risks.
Actions: Use your latest risk map to prioritize content, and tailor it to the risks you actually carry. For anti‑corruption, cover gifts, hospitality, donations and third‑party interactions, consistent with ISO 37001 and Sapin II. For antitrust, address competitor contacts, pricing and information sharing in line with UNE 19603. For Spain’s UNE 19601, clarify crime prevention objectives, roles, investigations and disciplinary measures.
Evidence: Draft linked to risk register, citations to applicable framework clauses.
4) Plain language with examples
Goal: Make it understandable and usable.
Actions: Use plain language and include real scenarios linked to your risks, what to do and who to contact. Replace vague “should” with clear “must.” Provide do and do not examples for antitrust meetings, gifts and third‑party onboarding.
Evidence: Readability check, scenario appendix.
5) Roles and accountability
Goal: Clarify who does what.
Actions: Map responsibilities by role, including approval thresholds, segregation of duties and escalation paths. Link anti‑bribery spend thresholds to finance approvals, and antitrust contact approvals to legal. The person who requests a deviation must never be the person who approves it.
Evidence: Responsibility matrix by role, escalation contact list.
6) Procedures, forms and systems
Goal: Operationalize the policy.
Actions: Attach or link procedures, request forms and workflows that people will actually use, for example gifts registers, third‑party due diligence questionnaires, dawn raid checklists and suspicious activity escalation forms.
Evidence: Working links to live forms, sample completed records.
7) Translations and accessibility
Goal: Reach everyone who is in scope.
Actions: Translate policies for key locations, ensure mobile and offline access where needed, provide audio or short video summaries for frontline roles.
Evidence: Translation records, access analytics by location and role.
8) Attestations and training
Goal: Prove people have read and understood.
Actions: Schedule attestations by risk level and role, add short scenario‑based training for high‑risk teams like sales, procurement and intermediaries. Track completions and comprehension scores.
Evidence: Attestation logs, training records. ISO 37001, UNE 19601 and UNE 19603 expect awareness and competence evidence.
9) Exceptions and dispensations
Goal: Control deviations without killing business velocity.
Actions: Set a formal process to request, risk‑assess, approve, time‑bound and monitor exceptions, for example a one‑off hospitality spend over the threshold for a government customer, granted only with additional safeguards and an expiry date.
Evidence: Exception register with rationale, risk rating, approver identity and expiry date.
10) Third‑party alignment
Goal: Make sure partners follow your rules where needed.
Actions: Flow down policy requirements into contracts and vendor codes, tier third‑party policies by risk, require certifications or due diligence for high‑risk intermediaries and distributors.
Evidence: Contract clauses, vendor attestations, due diligence files.
11) Records and evidence model
Goal: Keep what auditors need, not everything.
Actions: Define for each policy what evidence proves design, adoption and effectiveness, for example signed approvals, logs of denied gifts, antitrust meeting agendas.
Evidence: Evidence catalog with source systems and retention periods.
12) Monitoring and control tests
Goal: Move from policy on paper to policy in action.
Actions: Link each policy to preventive and detective controls. Define simple, repeatable tests, such as sampling gifts register entries against receipts and the exception register, or checking that minutes of antitrust‑sensitive meetings record compliance attendance.
Evidence: Test plans, results, issues list and remediation actions.
13) Metrics and thresholds
Goal: Make performance visible to management.
Actions: Select a small set of outcome‑oriented KPIs, for example residual bribery risk trend, exception rate for gifts or antitrust incident rate.
Evidence: KPI definitions, monthly snapshots, management commentary.
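One way to turn items 9, 12 and 13 into a runnable control test, as an added example that is not part of the original checklist or of any vendor's product: it reconciles a constructed gifts register against receipts, the policy threshold, the exception register (with expiry dates and approver identity) and the segregation‑of‑duties rule from item 5, then derives the exception‑rate KPI. The data model, field names, EUR threshold and sample records are all assumptions made for illustration.

```python
"""Control test over a constructed gifts register.

Added example, not from the original page. Field names, the EUR threshold
and the sample data are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

GIFT_THRESHOLD_EUR = 150.0  # assumed policy threshold above which an exception is required


@dataclass(frozen=True)
class Gift:
    gift_id: str
    employee: str
    recipient_type: str          # "private" or "government" (assumed taxonomy)
    amount_eur: float
    receipt_id: Optional[str]    # None when no receipt was filed


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    amount_eur: float


@dataclass(frozen=True)
class PolicyException:
    exception_id: str
    gift_id: str
    risk_rating: str             # "low", "medium" or "high"
    approver: str
    expires: date                # exceptions are time-bound (item 9)


def valid_exceptions(exceptions, as_of):
    """Index gift_id -> exception that has not expired on the test date."""
    return {e.gift_id: e for e in exceptions if e.expires >= as_of}


def run_control_tests(gifts, receipts, exceptions, as_of):
    """Run the detective control tests and return findings as (gift_id, check, severity).

    An empty list means the sampled entries passed every test.
    """
    receipt_index = {r.receipt_id: r for r in receipts}
    exc_index = valid_exceptions(exceptions, as_of)
    findings = []
    for g in gifts:
        # Test 1: every register entry must be backed by a receipt for the same amount.
        receipt = receipt_index.get(g.receipt_id) if g.receipt_id else None
        if receipt is None:
            findings.append((g.gift_id, "missing_receipt", "medium"))
        elif abs(receipt.amount_eur - g.amount_eur) > 0.005:
            findings.append((g.gift_id, "amount_mismatch", "high"))
        # Test 2: over-threshold gifts need an approved, unexpired exception.
        if g.amount_eur > GIFT_THRESHOLD_EUR:
            exc = exc_index.get(g.gift_id)
            if exc is None:
                severity = "high" if g.recipient_type == "government" else "medium"
                findings.append((g.gift_id, "over_threshold_no_exception", severity))
            elif exc.approver == g.employee:
                # Test 3: segregation of duties; the requester cannot approve their own exception.
                findings.append((g.gift_id, "self_approved_exception", "high"))
    return findings


def exception_rate(gifts, exceptions, as_of):
    """KPI for item 13: share of register entries covered by an unexpired exception."""
    if not gifts:
        return 0.0
    covered = valid_exceptions(exceptions, as_of).keys()
    return sum(1 for g in gifts if g.gift_id in covered) / len(gifts)


# Constructed sample data (not real records).
AS_OF = date(2026, 3, 31)
SAMPLE_GIFTS = [
    Gift("G-001", "alice", "private", 80.0, "R-001"),     # compliant
    Gift("G-002", "bob", "government", 400.0, "R-002"),   # over threshold, valid exception
    Gift("G-003", "carol", "government", 250.0, None),    # no receipt, no exception
    Gift("G-004", "dave", "private", 200.0, "R-004"),     # exception has expired
    Gift("G-005", "erin", "private", 180.0, "R-005"),     # receipt mismatch, self-approved exception
]
SAMPLE_RECEIPTS = [
    Receipt("R-001", 80.0), Receipt("R-002", 400.0),
    Receipt("R-004", 200.0), Receipt("R-005", 150.0),
]
SAMPLE_EXCEPTIONS = [
    PolicyException("X-01", "G-002", "high", "cco", date(2026, 6, 30)),
    PolicyException("X-02", "G-004", "medium", "legal", date(2026, 1, 31)),  # expired on AS_OF
    PolicyException("X-03", "G-005", "low", "erin", date(2026, 12, 31)),     # approver == employee
]

if __name__ == "__main__":
    for finding in run_control_tests(SAMPLE_GIFTS, SAMPLE_RECEIPTS, SAMPLE_EXCEPTIONS, AS_OF):
        print("%s  %-28s %s" % finding)
    print("exception rate: %.0f%%" % (100 * exception_rate(SAMPLE_GIFTS, SAMPLE_EXCEPTIONS, AS_OF)))
```

Each finding is the raw material for the issues list and remediation actions in item 12; the exception rate is one of the small set of KPIs item 13 asks for. The same structure applies to other registers (hospitality, donations, competitor contacts) by swapping the entity types and the tests.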
14) Speak‑up and investigations
Goal: Ensure the policy is enforceable and trusted.
Actions: Cross reference your speak‑up system, the investigation protocol and disciplinary policy. The EU Whistleblower Directive requires safe channels and anti‑retaliation protections.
Evidence: Channel availability proof, case handling logs, root‑cause summaries.
15) Regulatory watch and updates
Goal: Keep policies current.
Actions: Assign owners to monitor official sources and industry bodies. For Sapin II, follow the French Anti‑Corruption Agency’s guidance. For antitrust, monitor competition authority updates.
Evidence: Quarterly watch notes, change proposals, approval records.
16) Communications plan
Goal: Reach people where they already are.
Actions: Announce policy updates in channels your teams use, add short posts for frontline devices and team meetings, equip managers with talking points.
Evidence: Communications calendar, message templates, manager briefings.
17) Board and audit reporting
Goal: Demonstrate governance and effectiveness.
Actions: Report policy coverage, adoption, exceptions, test results and remediation velocity at least quarterly. Escalate significant breaches and lessons learned. Keep a short narrative on how policy changes reduced risk exposure.
Evidence: Board decks, audit committee minutes, issue trackers.
18) Continuous improvement
Goal: Close the loop.
Actions: Run an annual effectiveness review, analyze incidents, exceptions and audit findings, and refresh policy content, controls and training accordingly. Document what changed and why.
Evidence: Annual review memo, updated risk and policy map.
A fast path to execution with Naltilia
If you want this checklist to move from plan to proof quickly, Naltilia’s AI‑powered platform can help you operationalize the workflow without hiring a large team.
- Regulatory risk assessment: align your policy inventory to your risk map so drafting is risk based and auditable.
- Tailor‑made policies: generate and adapt policy drafts to your context, roles and geographies, and keep a controlled approval trail.
- Automated data collection: pull the evidence that proves adoption and control operation, for example attestations, approvals and logs from source systems.
- Compliance workflow automation: schedule attestations and training, manage exceptions and track remediation actions to closure.
You keep accountability and judgment, the platform accelerates execution and evidence so you can show effectiveness to auditors and regulators.

Final thought
Policies compliance is not a document exercise; it is a living system connected to risk, people and data, built on a clear checklist, a compact but complete library, measurable metrics and light automation.

