“Our compliance framework is comprehensive.”
Policies are up to date. Reviews happen on schedule. Every risk has a control. The framework has matured with the organization.
The framework grew. Nobody measured what it costs the people who live inside it.
Every incident added a control. Every audit finding added a step. Every regulatory change added a review. None of them were ever removed. The compliance burden now takes 40% longer than it did three years ago. Not because risk increased — because controls accumulated. The people doing the work spend more time proving they did it right than actually doing it right.
When compliance takes longer than the work it protects, the framework has outgrown its purpose.
“Legal is here to help.”
Teams know to involve legal early. We want to be a partner, not a gatekeeper. Our door is open for questions and consultations.
They stopped asking you. Not because the risk went away.
Teams learned that involving legal adds three weeks. So they stopped involving legal. Not for the big things — for the medium things. The ones that feel manageable until they aren’t. By the time you see the issue, it’s already a problem. You weren’t excluded by policy. You were excluded by experience. The system taught them that your help costs more than the risk.
When teams stop calling legal, the risk hasn’t decreased. It has gone underground.
“Compliance owns the risk framework.”
The compliance function is accountable for regulatory adherence. Risk is their domain. They have a charter and a mandate.
You own the risk. You don’t own the behavior that creates it.
When the audit finds a gap, your name is on the response. But the gap was created by a product decision you weren’t consulted on, a sales commitment you didn’t review, and a timeline you couldn’t influence. You own the consequence. You don’t own the cause. The system made you responsible for outcomes produced by decisions you had no role in making.
When compliance owns the finding but not the decision that created it, accountability is theater.
“Our teams know how to work within the rules.”
People follow the process. Compliance training is completed annually. The rules are clear and people respect them.
They follow the rules you can see. They work around the ones that don’t work.
The procurement policy says three bids for anything over $10K. Everyone knows you can split the purchase into two orders under $10K. Nobody talks about it. The rule isn’t broken — it’s routed around. And the people doing it aren’t cutting corners. They’re doing what they were implicitly taught: the official process is too slow for the actual pace of the business.
When the workaround is common knowledge and the policy hasn’t changed, the system has two operating models — only one is documented.
“Our policies are documented and current.”
The policy library is maintained. Version control is in place. Regulatory changes are tracked. Everything is on record.
The policy exists. Why it was written that way is gone.
The clause was added after an incident in 2019. The person who wrote it left in 2021. The incident report is archived somewhere nobody checks. Now a new leader wants to simplify the policy and asks why that clause exists. Nobody knows. So it stays — not because it’s still needed, but because removing it feels riskier than keeping it. Your policy library is a museum of decisions nobody remembers making.
When policies persist without context, compliance becomes preservation of the unknown.
Every lens sees the same system. Shared language is how the system starts to learn.
These aren’t failures of people. They’re the physics of organizations operating at scale and speed.