A programme is not a culture. But it is where culture has to begin.

Every organisation with a serious compliance commitment has, at some point, produced a document. A code of conduct. A policy on gifts and hospitality. A whistleblowing procedure. Sometimes all three, and more besides — assembled into a programme that can be presented to a regulator, an auditor, or a new client as evidence that the organisation takes these things seriously.

This is not nothing. The existence of a well-constructed compliance programme is meaningful. It reflects a decision to take the work seriously enough to articulate what it requires. It creates accountability. It gives people a reference point. And in sectors subject to external oversight, it is often a legal prerequisite.

But it is not a culture. And the organisations that confuse the two are, quietly, accumulating the kind of risk that does not appear on a dashboard until it is already too late.

"A culture is not what your compliance manual says people should do. It is what they actually do when they think nobody is watching — and more importantly, why."

The gap between declared and lived.

A compliance programme operates in the language of policy. It defines what is permitted and what is not. It establishes procedures for handling conflicts of interest, for reporting concerns, for obtaining approvals. It sets thresholds for gifts, timelines for disclosure, requirements for third-party due diligence.

All of this is necessary. None of it is sufficient.

Because policies describe the expected behaviour of rational actors operating in normal circumstances. Culture determines what happens when circumstances are not normal — when a target is unreachable, when a relationship is under strain, when someone is under pressure and nobody is watching.

In those moments, the compliance manual is rarely the thing that determines the outcome. What determines the outcome is the accumulated weight of the decisions the organisation has made before that moment: what it rewarded, what it ignored, what it said out loud and what it communicated through its silence.

Ask yourself this: when was the last time someone in your organisation made a decision that cost them something commercially — and was publicly recognised for doing the right thing? If you cannot name an instance in the past twelve months, your culture may be more fragile than your programme suggests.

Culture is built in the moments between policies.

Building a compliance culture requires something that compliance programmes, by design, cannot provide: the sustained, visible, consistent demonstration that the values the organisation declares are the values by which it actually operates.

This is work that belongs to leadership. Not because compliance officers lack authority, but because culture is ultimately shaped by what the people with the most power do when it costs them something. When a senior leader turns down a contract because the counterparty cannot pass due diligence, and says so explicitly, they communicate something that no policy can replicate.

It also requires investment in the people most likely to face difficult decisions — not just the people most likely to do wrong. The middle manager navigating a supplier relationship. The sales professional under pressure to close a deal before year end. The procurement officer whose decision is being scrutinised by a vendor they see every week. These people deserve preparation, support, and the clear understanding that the organisation has their back when they choose the harder right over the easier wrong.

A compliance programme that is not backed by that kind of culture will, over time, become a liability. It raises expectations without providing the conditions to meet them. It creates documentation without creating behaviour. And when something goes wrong — as something eventually will — it offers the appearance of due diligence without the substance.

"The difference between a compliance programme and a compliance culture is the difference between a declaration and a practice. One can be written in a day. The other is built over years."

The organisations that get this right are not the ones with the thickest policy manual. They are the ones where the question of what is right is asked routinely, answered honestly, and rewarded consistently. That is the culture that makes a programme work — and the culture that no programme, on its own, can create.
