
ComplianceKeys#33: Key mistakes in implementing a Compliance System
The implementation of a Compliance System has become a cornerstone of modern corporate governance. The consolidation of these systems within the business environment finds its origin in the reform introduced by Organic Law 1/2015, of 30 March, which incorporated into our legal system the possibility of exemption from criminal liability where it can be demonstrated that an appropriate organizational and management model had been implemented to prevent or reduce the risk of criminal conduct arising from the company’s activities. Since then, the requirement for effective organizational and management models has ceased to be merely a matter of good practice and has become an essential instrument for the prevention, detection and mitigation of criminal risks.
Despite the undeniable legal and reputational relevance of a Compliance System, many companies make frequent mistakes during its design and implementation. Such shortcomings may deprive the model of its potential exempting or mitigating effect in the criminal sphere, as they reveal a structural organizational deficiency incompatible with the requirements set out in Article 31 bis 2 of the Spanish Criminal Code.
This ComplianceKeys#33 analyses the most common errors occurring in the implementation of a Compliance System, with the aim of identifying those practices which, far from strengthening the culture of compliance, undermine the effectiveness of the model and compromise its validity.
The first mistake, and perhaps the most recurrent, consists of copying a standard model without adapting it to the company’s actual activities. While this may appear to be a quick solution, a generic model rarely withstands expert scrutiny and does not survive the level of examination typically associated with a criminal investigation. Criminal compliance must be designed taking into account the specific activity, sector, size, structure, geographical locations in which the organization operates, the typology of third parties involved and, above all, the real risks derived from internal processes and decision-making. The absence of such material adaptation turns the system into a mere documentary formality disconnected from day-to-day operations. In this regard, Circular 1/2016 of the Spanish Public Prosecutor’s Office, dated 22 January, when interpreting the scope of Article 31 bis of the Criminal Code following the reform introduced by Organic Law 1/2015, expressly warns that the adoption of merely formal or standardized organizational and management models raises well-founded doubts as to their real effectiveness and as to the authenticity of the legal entity’s commitment to crime prevention. This warning is consistent with the doctrinal criticism of so-called Paper Compliance, understood as systems designed exclusively to project an appearance of regulatory compliance while lacking effective integration into the organizational structure, decision-making processes and corporate culture.
Closely related to the above is the absence of a detailed criminal risk assessment report. Frequently, risk analysis is mistakenly equated with the mere enumeration of criminal offenses in a document, or even with the uncritical reproduction of categories of offenses according to their classification in the Criminal Code, such as a generic reference to offenses against the market and consumers. However, a criminal risk report of genuine relevance requires the identification of specific exposure scenarios, their linkage to the processes and/or activities carried out by the company, the assessment of their probability and impact, and the application of a coherent risk assessment methodology supported by robust criteria.
Thirdly, it constitutes a serious mistake to delegate the Compliance System entirely to the legal department or to a formally appointed responsible person without the effective involvement of the management body and senior management. The concept of tone from the top should not be understood merely as a corporate communication mechanism, but rather as a genuine evidentiary element of the due diligence exercised by senior management and the governing body. Conversely, any ambiguity, tolerance or lack of reaction to questionable practices by those holding the highest organizational responsibility may be interpreted as implicit acceptance of the risk, revealing a deficit of control incompatible with the requirements of Article 31 bis 2 of the Criminal Code.
It is equally problematic to underestimate the importance of organizational culture as an essential element of Compliance, involving all members of the organization. A model may be technically well designed yet remain ineffective if there is no real and transversal commitment to regulatory compliance. Ethical culture is the foundation that transforms procedures into practices genuinely embraced by the members of an organization. Without such culture, compliance is reduced to a formal architecture devoid of substantive effectiveness.
However, such culture does not arise spontaneously and cannot be presumed. It necessarily requires a structured and continuous effort in training and awareness-raising. Consequently, the absence of specific and periodic training is not merely an autonomous operational deficiency but also a direct cause of the weakening of ethical culture. A system will be ineffective if those responsible for managing critical processes are unaware of which behaviours generate criminal risk for the organization or how they should act in situations involving conflicts or practical dilemmas. Training cannot be limited to a one-off session or to the mechanical annual repetition of standardized content. It must be periodic, updated, segmented according to responsibilities and specific risks, and properly documented. Furthermore, a distinction should be made between training (the transmission of knowledge and applicable procedures) and awareness-raising (the consolidation of culture and reinforcement of ethical messages), since both fulfil different and complementary functions.
Sixth, it is common to formally appoint a control body, whether individual or collegiate, that exists only nominally. A Compliance Officer appointed merely as a formality, or a committee that does not meet, analyse risks, propose improvements, or maintain proper records, is legally equivalent to the effective absence of the supervisory body required under Article 31 bis 2 2 of the Spanish Criminal Code. The functions and responsibilities of the Compliance Officer can be consulted in ComplianceKeys#18 or ComplianceKeys#32.
Another classic operational mistake is the production of extensive, excessively technical manuals with no real use. Documentary overproduction may create an appearance of robustness but becomes counterproductive if the texts are unintelligible or impracticable. Policies and procedures must be clear and operational, providing concrete instructions, decision-making criteria and defined roles. Legal language may and should be present, but not at the expense of practical comprehension by those responsible for applying it.
It is also particularly detrimental not to review and update the system following internal or legal changes. An obsolete system is, in practice, a useless system. Variations in the organizational structure, staff turnover, entry into new markets, changes in the range of products or services, or regulatory reforms must be reflected in the risk map, controls and procedures. Updating should not be conceived as an exceptional task but rather as a periodic review cycle, including indicators, internal audits, effectiveness assessments and action plans.
Regarding the detection mechanisms, another common mistake — which may even lead to sanctions where its implementation is mandatory — is the absence of an internal reporting channel, which must in any event comply with Law 2/2023, of 20 February, on the protection of persons who report regulatory infringements and on the fight against corruption. Without a channel, without guarantees against retaliation and without an established procedure for action, the system loses one of its fundamental pillars for the prevention and early detection of potential criminal misconduct.
Another of the most serious errors lies in conceiving Compliance as a mere formal or documentary requirement. So-called Make-Up Compliance or Paper Compliance — models designed solely to create the appearance of Compliance — is not only ineffective from a preventive perspective but will also scarcely be capable of producing exempting or mitigating effects within the framework of Article 31 bis of the Criminal Code.
In this same line, another frequent mistake is the absence of internal consequences for breaches of policies and procedures. This lack of sanctions not only structurally weakens the model but also reveals the absence of a genuine ethical culture, by conveying the perception that internal rules lack seriousness, binding force and effective support from management. When non-compliance does not generate a response, the implicit organizational message is that compliance is optional, thereby eroding the credibility of the system and its preventive capacity.
Ultimately, a Compliance System only achieves real effectiveness when it is conceived as a living instrument integrated into the organization’s structure and culture. Mere documentary formalization does not satisfy the requirements of article 31 bis of the Criminal Code, nor does it guarantee its potential exempting or mitigating effect. The key lies in risk-based design, the effective involvement of the governing and management bodies, and the constant updating of the system.
Only through a genuine and materially effective implementation can Compliance become the true driver of corporate integrity and the guarantee that sustains the organization’s regulatory compliance.