The compliance policy exists. So does the risk.

Compliance that works is not what looks pretty in a presentation. It is what shows up in the routine.


This is not an article against compliance. On the contrary: it is a defense of compliance that works.

The problem is not with compliance professionals who map risks, structure policies, alert leadership and try to correct course. The problem lies in organizations that treat this work as a formality, ignore its warnings and then try to use the policy as a shield when the risk becomes a crisis.

I’ve seen companies arrive at the process with everything apparently in order. Approved policy, updated code of conduct, available reporting channel, standard clauses in contracts and training registered in the system. On paper, it looked like protection. In practice, it wasn’t. It is in this gap between document and practice that the risk sets in.

The problem appeared in the detail that usually decides the case: no one was able to demonstrate that the policy had changed the company’s routine. The contract was signed without proper review. The supplier continued without monitoring. The internal complaint took a long time to be dealt with. The commercial area assumed an obligation that the operation was unable to fulfill.

Paper compliance is still a common pitfall. It gives a feeling of organization, improves the presentation for the audit and creates internal comfort. But when the problem reaches the regulator, the auditor or the courts, the question changes. It is not enough to know whether the company had a policy. The question becomes a different one: was it known, applied, tested and taken seriously?

Brazilian regulatory action already points in this direction. In 2023, the ANPD imposed its first fine for non-compliance with the LGPD, in a case that involved the absence of a legal basis for data processing, non-compliance with regulatory duties and failure to comply with the authority’s requests. The message is clear: in matters of governance, it is not enough to appear adequate; effective compliance must be demonstrated.

In the competition field, CADE also treats compliance programs in a pragmatic way. Its guidelines admit that a program can be considered a sign of good faith or a mitigating factor, but this depends on concrete effectiveness, not the simple existence of a well-written manual.

This is where many companies get it wrong.

In contract management, for example, the policy may provide for prior legal review. But if the operation manages to sign relevant contracts outside that flow, the risk remains intact. Worse: the policy then shows that the company knew what the correct procedure should have been.

In the supply chain, the initial approval can be well documented. But if, after contracting, no one monitors execution, corporate changes, subcontracting, or labor, tax, environmental or reputational exposure, due diligence becomes an old photograph. It serves archiving, not governance.

In the internal environment, the code of conduct can address harassment, conflicts of interest and the use of sensitive information. However, if the reporting channel does not lead to reliable investigation, if the response takes too long, or if certain leaders never suffer consequences, the document stops reducing risk. It only records that the company was aware of the topic.

In most organizations, the compliance area knows where the weaknesses are. It knows which policies never got off the ground, which areas resist controls, which training has become a formality and which risks appear every year in the report without real treatment.

What is often missing is a mandate. And a mandate, here, is not a box on the organizational chart. It is access to decision-making, a minimum budget, leadership support and real consequences when the rule is ignored.

There is also a cultural dimension that cannot be ignored. No compliance program, no matter how well structured, can anticipate every situation in the business routine. There will always be gray areas, pressure for results and decisions that no internal policy describes. It is in these moments that culture shows its importance. When the organization takes compliance seriously, the decision tends to respect the spirit of the rule even without a ready answer. When it does not, every normative silence becomes a space where risk settles in.

Without support from senior management, even the best compliance function becomes a merely advisory area. It points out the risk, registers the alert, suggests corrections and watches the business continue as before. Then, when the problem appears, the company tries to use the policy as a shield. It doesn’t always work.

A compliance program is not measured by the number of documents approved. It is measured by its ability to influence decisions. If the area is unable to prevent a risky hire, trigger a contractual review, demand correction from a supplier, investigate a relevant complaint or generate consequences for non-compliance, there may be a policy. But there is still no governance.

Integration with the legal function is decisive at this point. The legal department cannot only step in once the crisis has already become a lawsuit. It needs to be involved earlier: in contract review, in structuring workflows, in the risk matrix, in internal investigations, in defining evidence and in responding to the regulator.

Because when something goes wrong, the central question will rarely be “did the company have a policy?” The question will be a different one: what did the company do, concretely, to ensure that this policy was followed? That question separates formal compliance from effective governance.

An ignored policy does not protect. In some cases, it makes the problem worse, because it shows that the company knew what conduct it should adopt and, even so, was unable to transform guidance into practice.

Compliance that works is not what looks pretty in a presentation. It is what shows up in the routine.

*This text does not necessarily reflect the opinion of Jovem Pan.
