
Few elements of a compliance program change outcomes as decisively as tone at the top. Regulators and auditors consistently look for visible, sustained leadership that sets expectations, funds the work, and acts when it is inconvenient to do so. This is not about inspirational slogans. It is about governance, resources, incentives, and documented decisions that demonstrate the organization will trade a short‑term commercial opportunity for long‑term integrity when risks cross the line.
Why tone at the top matters in leading frameworks
Tone at the top is not a soft add‑on. It is a defined requirement across major standards and guidance:
- ISO 37001 requires top management to demonstrate leadership and commitment, approve the anti‑bribery policy, assign roles and resources, and take responsibility for effectiveness.
- Spain’s UNE 19601 on criminal compliance links leadership to prevention under Article 31 bis of the Penal Code. Governing bodies and top management must endorse the model, ensure independence of the compliance function, and verify effectiveness.
- UNE 19603 on antitrust compliance emphasizes governing body oversight, competition law policy approval, adequate resources, and training for commercial leadership.
- International guidance like the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks whether leaders demonstrate commitment through their words and actions, and whether the company takes compliance into account in decision‑making, compensation, and discipline. The DOJ’s landing page, DOJ evaluation of corporate compliance programs, outlines the questions prosecutors ask.
In practice, all these instruments converge on the same test: does leadership make compliance real, measurable, and consequential for daily decisions, especially in high‑pressure commercial contexts?
What tone at the top means in practical terms
Operationally, tone at the top shows up in five places:
- Governance: who approves policies, who the compliance officer reports to, how often the board reviews risks and incidents.
- Resources: budgets, tools, and time allocated to risk assessments, training, and monitoring.
- Incentives: how performance targets and variable pay embed compliance, and how misconduct is sanctioned, independent of seniority or revenue.
- Decision records: minutes that show leaders challenging risky deals and stopping or remediating them when needed.
- Communication and listening: leadership‑led messages, live Q&A, and robust speak‑up mechanisms that are safe and acted upon.
Auditors will not accept assertions. They will look for repeatable evidence across a reasonable period, typically the past 12 to 24 months, and will sample from board and committee minutes, budget lines, HR records, policy approvals, training logs, hotline data, and remediation trackers.
Five measures that make tone at the top credible
1 Establish accountable governance and reporting lines
Give the compliance function an explicit mandate, access, and accountability. For ISO 37001, UNE 19601, and UNE 19603, this means a written charter approved by the board or audit committee that defines responsibilities, escalation rights, and independence from day‑to‑day commercial pressures. Require quarterly risk and incident reporting at the board level, with ad hoc escalation for material events. Publish a clear delegation map so employees see who decides what when risks arise.
What to document: board approvals of the charter and policies, the compliance officer’s appointment letter and reporting line, a standing board agenda item for compliance, and minutes that show substantive questions and decisions.
2 Allocate resources and time proportionate to risk
Leadership sets priorities through budgets and staffing. A risk‑based plan should include funded time for risk mapping, due diligence, training, and monitoring. For UNE 19603, ensure sales and pricing teams have time to train and update templates. For UNE 19601, support investigations with specialist counsel or forensic capacity when needed. For ISO 37001, finance and procurement need budget cover to perform enhanced third‑party due diligence and reject non‑compliant vendors.
What to document: a multi‑year compliance plan with budget lines, headcount or fractional allocations, and a quarterly progress tracker aligned to the risk register.
3 Align incentives and discipline with compliance outcomes
If sales growth and cost savings dominate incentives, employees will take shortcuts. Define specific compliance KPIs in senior leadership scorecards, for example remediation velocity on high‑risk actions, third‑party due diligence coverage, or cooperation with compliance in identifying risks or during internal investigations. Establish consistent disciplinary measures that apply equally to top performers and senior executives. Reference these expectations in leadership contracts and performance reviews.
What to document: KPI definitions and targets, HR policy that ties pay and promotion to compliance, anonymized but seniority‑segmented discipline statistics, and examples where incentives were adjusted due to compliance outcomes.
4 Make high‑risk decisions traceable and explainable
Leaders must show their work. For high‑risk counterparties, pricing strategies, gifts and hospitality to public officials, or the use of high‑risk AI systems, require documented approvals and rationale. Maintain a register of exceptions, including who approved them and what mitigating controls were applied. If a deal was declined for compliance reasons, keep the record: it is one of the strongest proofs of tone at the top.
What to document: decision templates, exception registers, evidence of control conditions attached to approvals, and follow‑up that checks those conditions were met.
5 Communicate, listen, and protect
A credible tone depends on two‑way communication. Require the CEO and business leaders to deliver periodic messages that are specific to current risks, for example tendering season, distributor renewals, or trade association meetings. Pair that with safe, well‑advertised speak‑up channels, zero‑retaliation enforcement, and feedback loops that explain outcomes. Run leadership‑led case clinics where real scenarios are discussed with teams.
What to document: copies or recordings of leadership messages, attendance logs for town halls, hotline usage and case aging metrics, survey data on psychological safety, and examples of how feedback changed a policy or control.

How auditors test whether the tone is real
Auditors and regulators move past slogans quickly. Expect them to:
- Read minutes over time: they look for challenge and consistency, not a one‑off statement.
- Follow the money: resourcing, budgets, tooling, and leadership time allocations.
- Sample decisions, especially exceptions and high‑risk approvals, including antitrust‑sensitive pricing, public sector engagements, or high‑risk third parties.
- Compare words and consequences: disciplinary cases and incentive adjustments across seniority bands.
- Test adoption: whether middle management echoes and implements leadership messages, training coverage in frontline teams, and the quality of evidence.
For a deeper view of the board metrics that resonate, see our guide on what leadership monitors in practice, 10 compliance dashboard risk metrics your board actually cares about.
Metrics that demonstrate effective leadership
Tie leadership assertions to measurable indicators that map to ISO 37001, UNE 19601, and UNE 19603 expectations.
- Governance cadence: board or committee sessions with compliance on the agenda, and the percentage with documented decisions and actions.
- Resource adequacy: budget execution versus plan for risk assessments, due diligence, training, and monitoring.
- Third‑party coverage: proportion of high‑risk third parties with completed due diligence and contract clauses updated.
- Speak‑up health: case intake by channel, substantiation rate, average time to triage and close, and a retaliation rate at zero.
- Training effectiveness: role‑specific completion and scenario scores for sales, procurement, and executives.
- Exception discipline: number of approvals with conditions, percentage verified on time, and number of deals rejected for compliance reasons.
Document these in a concise dashboard, with definitions and sources. Automate input collection where possible to remove manual bias and quarter‑end chasing. Our practical guide, how to automate evidence collection for compliance controls, explains how to remove friction and create audit‑ready evidence.
Common pitfalls and how to fix them
- Announcements without follow‑through - fix by assigning owners and due dates to leadership promises, and track them.
- Delegating all messages to compliance - fix by scheduling leadership‑delivered messages that reference current business context and decisions.
- Under‑resourcing versus risk - fix by tying budget to the risk register and explaining trade‑offs in the board pack.
- No record of hard calls - fix by keeping a simple exceptions and declined‑deals register with rationales.
- Middle management gap - fix by adding manager‑level KPIs and case clinics so messages are translated into local actions.
For antitrust specifically, the Spanish competition authority’s evolving expectations reinforce these points. Our analysis of the consultation to update CNMC’s guide, update of CNMC's antitrust compliance guidelines, outlines practical criteria and evidence leadership should prepare.
Where technology helps leadership sustain tone
Leaders cannot personally collect every document, but they are accountable for effectiveness. Automation raises both visibility and credibility:
- Regulatory risk assessment: centralize obligations for ISO 37001, UNE 19601, and UNE 19603 and keep the risk register live as the business evolves.
- Tailor‑made policies: generate role‑specific policies and playbooks, mapped to risk and local languages.
- Automated data collection: pull evidence for controls, approvals, training, and third‑party checks from source systems so dashboards are current and audit‑ready.
- Compliance workflow automation: route approvals for high‑risk decisions, apply conditions, and verify closure without email chains.
- Remediation actions: assign owners, due dates, and follow‑ups that create a defensible trail for auditors.
Naltilia’s AI‑powered platform focuses on these exact capabilities, helping companies turn leadership intent into measurable outcomes. To see how risk maps, approvals, and evidence can be automated and presented in a board‑ready view, explore our step‑by‑step primers on ISO and Sapin II implementations: risk assessment methodology for ISO 37001, practical steps, and compliance under Loi Sapin II explained.
Frequently asked questions
Does tone at the top require the board to oversee compliance directly? Yes, in risk‑exposed organizations the governing body should have explicit oversight, often via an audit or ethics committee. Management runs the program day to day, but the board approves key policies and resources, and receives regular reports.
How often should leaders communicate on compliance? At least quarterly, with additional messages during risk peaks such as tender seasons, distributor renewals, trade association events, or acquisitions. Short, specific messages are more credible than annual generic speeches.
What evidence do auditors value most for tone at the top? Minutes that show challenge and decisions, resource allocations, decisions declined or conditioned for compliance reasons, leadership‑led trainings, and discipline or incentive adjustments aligned to compliance outcomes.
How do UNE 19601 and UNE 19603 differ on leadership expectations? Both require governance, resources, and independence. UNE 19601 focuses on preventing criminal offenses across the company, including investigations and disciplinary systems. UNE 19603 is specific to competition law risks in commercial behavior, so leadership attention often centers on pricing, distribution, information exchange, and dawn‑raid readiness.
Can we meet ISO 37001 without changing incentives or disciplining senior people? Unlikely. ISO 37001 expects leadership commitment that affects behaviors and decisions. Incentives and consequences are central to that. Regulators also look for consistent discipline across seniority, which is a strong proof of real commitment.
Ready to turn leadership intent into measurable, auditable results? Naltilia helps compliance teams operationalize tone at the top with regulatory risk assessment, tailor‑made policies, automated data collection, workflow automation, and remediation tracking. Get a walkthrough tailored to ISO 37001, UNE 19601, or UNE 19603 and see how your board can monitor the right metrics in real time. Book a conversation with us.

