When Compliance Works and Nothing Happens

0
1296

By Natasha Pardasani, CCEP-I, ACCA, CMA, CIA

Nothing happens. That sounds like a criticism. It isn’t.

Some of the most important decisions I’ve been involved in or helped take to fruition left almost no trace. A vendor due diligence process that quietly stopped. A key hire that didn’t go ahead. A concern that got logged formally when it would have been easier to handle it over the phone and move on. No case was opened. No report was written. Nothing appeared in a compliance dashboard.

At the time, those moments rarely feel significant. They feel like someone choosing to slow down when everyone else is trying to speed up.

The half of the story we don’t measure

Most organizations measure compliance by what goes wrong. Incidents, investigations, regulatory findings. These are visible, reportable, and they tend to dominate board conversations. I understand why. They’re concrete. They have timelines and outcomes and lessons learned sections.

But they only tell half the story, and arguably the less interesting half.

The decisions that prevent issues from becoming incidents are harder to see and almost impossible to count. They happen early, often in the middle of something else. A due diligence review, a recruitment panel, a routine financial sign-off. Someone notices something slightly off. They pause. They ask a question nobody particularly wants to answer. They document a judgment call that might never be looked at again.

In the moment, that behavior can feel inconvenient. Over time, it’s what a control environment is actually made of.

What a mature governance framework actually looks like

I’ve worked in and around compliance and internal controls long enough to know that the organizations that appear quiet externally are rarely just lucky. Fewer surprises usually means earlier intervention. People engaging with governance functions before a decision is made rather than after it’s gone wrong. That shift doesn’t happen on its own. It’s the result of consistent, deliberate friction applied in the right places over a long period of time.

It also requires something that’s harder to build than a policy framework: a culture where people feel it’s acceptable to question, to escalate, and to document even when it slows things down.

That last part matters more than I think we acknowledge. A lot of compliance failures don’t start with bad intent. They start with a busy person making a seemingly reasonable shortcut, and nobody around them flagging it. The shortcut gets made again. And again. And by the time it becomes visible, it’s no longer a shortcut. It’s just how things are done.

What I’ve seen in the education industry

Schools are high-pressure environments with real safeguarding responsibilities and, often, limited administrative resources. The signals that matter tend to come from people on the ground. A concern raised by an admin staff, a reference that doesn’t quite add up, a parent complaint that someone wants to resolve quickly and quietly because the term is already chaotic enough.

I’ve seen what happens when those signals get acted on properly. And I’ve seen what happens when they don’t.

The difference is rarely dramatic in the moment. It’s a school leader choosing to log something formally when informally would have been easier. A recruitment panel deciding to go back to a referee before making an offer. A team pausing to ask whether something sits within policy before approving it. None of those decisions feel heroic. Some of them feel frustrating.

But they’re the decisions that matter.

The gap between what governance measures and what it should

I don’t think internal control or compliance functions are particularly good at explaining their own value, and the profession as a whole hasn’t cracked it yet. We’re better at reporting what went wrong than articulating what didn’t happen because of work done quietly in the background. The metrics don’t really support it. Neither does the way most board reporting is structured, which if I’m honest, tends to reward incident counts and investigation outcomes over the quieter evidence of a governance culture that’s actually working.

There’s no clean solution to that. Prevention is genuinely hard to quantify. But it can be recognized. Through narrative reporting, through escalation trends, through examples of decisions that changed course before they became something larger.

A strong compliance culture tends to show itself in small signals. Earlier engagement with internal controls. More formal logging. People asking for guidance before proceeding rather than after. These aren’t dramatic indicators. But they’re meaningful ones.

The measure that actually matters

Investigations matter. They expose weaknesses and drive real improvement, and I’m not arguing otherwise.

But I think the measure of an organization’s ethical strength isn’t only how it responds when things go wrong. It’s the quality of the decisions made before that point. In the middle of normal operations, under normal pressure, when nobody is watching and there’s no particular reason to pause except that something feels slightly off.

In many organizations, prevention is invisible. In mature organizations, it is intentional. And that is not silence; it is governance working as intended.