Wednesday, December 10, 2025
Why "paper compliance" does not work and companies continue doing it


Policies that look impeccable on paper, glossy codes of conduct, and immaculate registers are comforting. They also fail, often at the exact moment you need them most. In 2025, regulators in Europe and beyond evaluate whether compliance programs work in practice, not how elegant your documentation looks. Paper compliance is not a shield in court, and it will not prevent breaches.

The cost of paper compliance in 2025
Paper compliance is the illusion of control. You have policies, but they are unknown to the workforce. You have controls, but nobody tests them. You have a whistleblowing channel, but fear of retaliation keeps it silent. When an investigation starts, you cannot produce credible evidence that your program was understood, applied, and improved over time.
Global enforcement practice has moved decisively toward effectiveness. The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs asks how programs are designed, implemented, and tested. France’s AFA emphasizes practical adoption under Sapin II in its Guidelines. In Spain, Article 31 bis of the Criminal Code makes clear that only effective prevention models can mitigate or exempt organizational liability, not formalities (BOE, Código Penal). Antitrust regulators like Spain’s CNMC have dedicated guidance on competition compliance programs that focuses on real deterrence and detection, not mere certification (CNMC compliance programs). AML regimes, grounded in the Financial Action Task Force’s risk based approach, expect demonstrable outcomes and ongoing monitoring, not binders, see the FATF Recommendations. And the EU AI Act requires risk management, post market monitoring, and incident reporting that actually operate, not static checklists (EU AI Act on EUR Lex).
What paper compliance is
Paper compliance is a tick the box posture: policies exist, but the organization does not use them to make decisions. Typical symptoms include outdated risk maps, training that is not role specific, controls that exist only in flowcharts, and KPIs that measure outputs rather than outcomes.
In practice, paper compliance looks like this:
- The risk map was last updated years ago, and business changes are not reflected in the controls.
- Training is generic and mandatory, but completion equals compliance and there is no assessment of behavioral change.
- Managers rarely mention integrity when allocating budgets, structuring incentives, or approving deals.
- Speak up channels exist, but employees doubt they are safe. Retaliation is not addressed swiftly and visibly.
- Third party due diligence is “file and forget”, with no risk based updates.
- Incident logs exist, but remediation is not tracked through to completion.
Why paper compliance fails with regulators and courts
When authorities review your program, they look for credible evidence that it was designed based on risks, was resourced, and actually influenced behavior over time. They ask for audit trails, not brochures.
Across the frameworks that mid sized organizations commonly face, the theme is the same.
- Under Loi Sapin II, companies must implement eight anti corruption measures. The AFA checks whether the risk mapping drives training, third party screening, accounting controls, and disciplinary measures in practice, not just on slides.
- ISO 37001, the anti bribery management system, is explicit that controls and monitoring must be risk based and proportionate. Certification alone is not a safe harbor, it must reflect living processes.
- In Spain, UNE 19601 requires an effective criminal compliance management system with oversight, resources, and monitoring. Courts analyze whether the model worked before the incident, not whether a policy existed after.
- For antitrust, UNE 19603 and CNMC guidance expect prevention, detection, and response mechanisms that actually constrain anticompetitive behavior.
- AML regimes, guided by FATF, expect documented customer due diligence, ongoing transaction monitoring, quality alerts, and timely suspicious activity reporting. If it is not evidenced, it did not happen.
- The EU AI Act imposes operational duties for high risk systems, including risk management, data governance, human oversight, and post market monitoring. These are living obligations, supported by logs and incident management, not one time documents.
In short, documentation without adoption and testing will not mitigate sanctions, and it can even erode credibility if it suggests window dressing.
What a living compliance program looks like
A living program is integrated into how the company decides, sells, procures, hires, and builds products. It is measurable, updated, and supported by leadership behavior. It blends culture and controls.
- Tone from the top and the middle. Executives and line managers speak regularly and concretely about integrity. They link targets and incentives to compliant behavior and they walk away from risky deals.
- Psychological safety and speak up. Employees know how to report concerns, they trust the process, and they see non retaliation enforced. The EU Whistleblower Directive sets a baseline for internal channels, but culture makes them work.
- Role specific training and coaching. Content is brief, practical, and risk based. Sales learn about antitrust and gifts, procurement about third party risk, finance about books and records, tech teams about AI Act obligations.
- Compliance by design in projects and deals. New product approvals, market entries, and high risk transactions include pre defined compliance checkpoints. Compliance provides clear playbooks, not just policy PDFs.
- Dynamic risk assessment and compliance monitoring. The risk map is a living artifact that drives testing plans, dashboards, and remediation priorities.
- Evidence and improvement. Control tests, incident handling, and remediation actions are tracked through to closure, and lessons learned change policies and training within weeks, not quarters.
Paper vs living, at a glance
| Aspect | Paper compliance | Living program | Evidence regulators expect |
|---|---|---|---|
| Risk assessment | Static, generic, done annually | Dynamic, role based, tied to business changes | Versioned risk map with triggers and approvals |
| Policies | Long, legalistic, hard to find | Short, practical, embedded in workflows | Usage analytics, acknowledgments by risk role |
| Training | One size fits all, checkbox | Role specific, scenario based, measured retention | Completion plus quiz scores, behavioral metrics |
| Controls | Described, not tested | Tested on a plan, with owners and KRIs | Test logs, issues, and retest results |
| Speak up | Channel exists but not trusted | Trusted channels, quick triage, no retaliation | Case timelines, outcomes, trend analysis |
| Third parties | Initial screening only | Risk based ongoing due diligence | Re screening logs, adverse media hits, actions |
| Remediation | Ad hoc, undocumented | Tracked, time bound, lessons learned | Corrective action plans with closure evidence |
| Governance | Compliance isolated | Managers accountable, cross functional RACI | Committee minutes, resource allocation, incentives |
How a mid sized company can move from paper to practice in 90 days
This is a pragmatic path you can tailor to Loi Sapin II, ISO 37001, UNE 19601, UNE 19603, AML expectations, and AI Act duties.
Days 1 to 30, establish the baseline and set the tone
- Publish a clear message from the CEO and business leaders linking performance to compliant conduct.
- Run a rapid risk refresh focused on top exposure areas, for example corruption in sales intermediaries, antitrust in pricing and distribution, AML for customer onboarding, and AI governance in product features.
- Identify 10 must do controls that actually reduce risk, for example third party onboarding checks, deal approvals above a threshold, training for high risk roles, and incident intake triage.
Days 31 to 60, embed and communicate
- Launch role based micro training for high risk populations with short scenarios and one question follow ups.
- Activate the speak up channel with a non retaliation pledge, publish response SLAs, and brief managers on how to escalate concerns.
- Build compliance by design into two key workflows, for example procurement and new market entry, with lightweight checklists and approvals.
Days 61 to 90, test and improve
- Test the must do controls. Log gaps, assign owners, and set due dates.
- Close the loop on at least five remediation actions and share lessons learned company wide.
- Prepare a one page effectiveness dashboard for leadership that links risk assessment and compliance activity to outcomes.
By day 90, you will have a defensible narrative, evidence of implementation, and a rhythm of improvement that maps to Sapin II’s eight measures, ISO 37001’s risk based structure, UNE 19601’s oversight and monitoring, UNE 19603’s antitrust prevention, AML monitoring, and AI Act post market obligations.
The role of technology and AI in sustaining effectiveness
Manual compliance struggles to keep pace with changing risks, fragmented data, and the evidence burden. Technology helps teams move from intent to impact.
Naltilia is an AI powered platform for compliance teams that supports a living program by focusing on operationalization, not just documentation.
- Regulatory risk assessment. Keep your risk map current, tie risks to controls, and prioritize actions.
- Remediation actions. Assign owners, due dates, and track closure, so you can prove improvement over time.
- Tailor made policies. Generate practical, role adapted policies that people can actually use.
- Automated data collection. Gather training, control tests, and third party checks automatically, creating audit ready evidence.
- Compliance workflow automation. Embed approvals and checkpoints into everyday processes, so compliance by design becomes the default.
If you are starting from paper compliance, tools like Naltilia reduce manual effort, increase coverage, and give you verifiable proof of effectiveness. Explore how this applies to your program at Naltilia.
Common objections, answered briefly
We do not have time. A living program saves time by preventing crises, fines, and rework. Focus on the 20 percent of controls that mitigate 80 percent of your risk and automate evidence collection.
We are already certified. Certifications help, but they do not replace effectiveness. Regulators look for how your program operates day to day. Keep your certification, and add proof of adoption and testing.
Compliance will slow the business. Good compliance accelerates safe growth. When controls are embedded and clear, decisions are faster and more resilient.
Final thoughts and next steps
Paper compliance is a comfort blanket that will not protect you. A living program is cultural, operational, and evidenced. It is built on tone from the top, psychological safety, role based training, proactive managers, and compliance by design. It is tested and improved, continuously.
If you need to move quickly from paper to practice, start with a risk assessment anchored in your real exposures, make managers the owners of key controls, and automate evidence. When you are ready to scale with less friction, see how Naltilia can help with risk assessment, remediation tracking, tailor made policies, automated data collection, and compliance workflow automation at Naltilia.