Compliance Program: How to Build and Implement One

Discover how to develop a compliance program that adapts to regulatory changes, minimizes risks and drives business growth.

Download Your Guide: Prepare for 10 Key Compliance Program Shifts

Identify which changes to make to compliance program activities between now and 2030 to remain effective.


Adapt your compliance program to stay ahead in an expanding risk environment

In an era of increasing regulatory complexity, getting ahead of risk challenges requires a proactive compliance program. Future-proof your compliance program with strategies to: 

  • Adopt data-driven risk management. Use advanced analytics for real-time risk monitoring.

  • Enhance speak-up culture. Foster transparency and trust in reporting mechanisms.

  • Embed compliance guidance. Integrate compliance into daily workflows for better adherence.

Navigate disruption with a resilient compliance program

Stay ahead of today’s challenging risk environment by building a compliance program that minimizes risk exposure and supports business growth. Successful compliance leaders focus on the following three areas.

Optimize your evaluation approach to deliver a strong compliance program

The pressure to deliver an effective compliance program is enormous — yet only 37% of compliance leaders are fully confident they can assess their program’s effectiveness.

The most common approaches to compliance program evaluation include high-effort, low-return methods such as root-causing verified instances of misconduct or identifying compliance risk hot spots. But these approaches fall short for two reasons: 

  • They’re too infrequent to be reliable, providing anecdotal information rather than real performance data.

  • They’re too general to be insightful, helping to indicate that a problem exists, but failing to provide the reason.

Evaluate compliance programs against quality standards

Quality standards are a set of documented principles, specifications, guidelines or characteristics used consistently to guide the design, development, execution, monitoring and improvement of activities that impact employee behaviors. Examples include standards of conduct, policies and procedures; communication and education; and reporting and investigating.

Compliance leaders who effectively integrate quality standards in their assessments do three things well:

  • They articulate quality standards clearly and document them in accessible and scalable formats (such as checklists, frameworks and questionnaires).

  • They apply quality standards regularly and proactively, not just when a compliance failure occurs.

  • They ensure their quality standards serve two purposes: promoting compliant behavior and reducing compliance risks.

By effectively integrating quality standards into your compliance program evaluations, you can achieve the following: 

  • Explicitly tie defined quality standards to desired compliance outcomes.

  • Continually test whether compliance activities are abiding by the standards.

  • Fully grasp the overall health of your compliance program over time. 

  • Positively impact employee behaviors.

Employees who see quality standards reflected in compliance activities are 139% more likely to understand and prioritize compliance — and employees who understand and prioritize compliance are 63% more likely to fulfill their compliance obligations.

To assess the design of your compliance program activities, start with these actions: 

  • Create uniform assessment criteria and a scoring rubric to determine compliance’s effectiveness at controlling risk across various risk areas.

  • Share the criteria and rubric with owners of compliance risk throughout the business so they can assess their activities in a standardized and objective way.

  • Set mechanisms to validate the consistency of assessments across risks and to norm scoring appropriately over time (for example, regular compliance check-ins with risk owners).

Adopt five best practices in your compliance program to improve risk outcomes

As more stringent regulations drive increased accountability, 40% of legal and compliance leaders are prioritizing third-party risk management (TPRM) in their compliance programs. Five actions can help you optimize TPRM and maximize your compliance program results: 

  1. Clarify roles and responsibilities to drive better TPRM outcomes

    Managing increased board, regulatory and stakeholder oversight requires a coordinated, consolidated view into TPRM activities. If roles and responsibilities aren’t clear, activities overlap (leading to slowdowns) or are overlooked (leading to poor risk outcomes).

    Outline the activities that need to take place across the third-party life cycle. Delineate what’s expected from accountable individuals and train them on these expectations. Then work with business partners to identify who will be responsible for each activity to promote accountability and improved outcomes.

  2. Use streamlined (versus exhaustive) due diligence questionnaires

    Building a cross-functional understanding of risks and required trade-offs boosts risk remediation and helps avoid time delays caused by exhaustive questionnaires. Organizations that use a single, streamlined due diligence questionnaire are 53% more likely to surface potential risks sooner and 24% more likely to remediate third-party risks before they have a material impact.

    Work cross-functionally to identify business partners’ top risk priorities. Then use those priorities to identify which questions will provide them with the most important risk indicators.

  3. Conduct ongoing (versus point-in-time) third-party relationship monitoring

    When services in a third-party contract increase or decrease, or when a third party extends its relationship with your organization, a change in scope may occur. Organizations that track these changes on an ongoing basis are 29% more likely to remediate risks before they have a material impact.

    Reassess the effort dedicated in your compliance program to monitoring activities and how your organization currently learns about and responds to scope changes. Partner with the business to increase visibility into changes in third-party relationships and improve risk outcomes.

  4. Adopt technology solutions and tools that facilitate timely risk identification

    Eighty-six percent of organizations that deploy technology solutions and tools surface potential risks before they are too late to remediate, and such organizations are 30% more likely to address third-party risks before they cause substantial harm.

    Determine use cases for technology aligned to business-driven department objectives. Organizations that use this approach are able to prioritize outcome-driven opportunities, recoup investment nearly twice as fast, and ensure higher adoption and implementation of solutions, resulting in improved risk management outcomes.

  5. Share and integrate critical information with business partners

    Organizations that fully understand and integrate third-party risk information shared cross-functionally are 43% more likely to quickly remediate risks before they have a material impact. De-silo third-party risk information across the TPRM process and categorize it consistently throughout the organization. Consider housing the information centrally to improve information sharing and reduce the amount of resources spent on gathering or collating key risk information.

Ensure your compliance program supports rapid, informed regulatory decisions

Ongoing geopolitical tensions, increased activism and new areas of regulatory oversight have increased the importance of regulatory tracking as part of an effective compliance program. 

The more regulatory change your organization is exposed to, the more sophisticated your compliance program’s approach to regulatory tracking will need to be. Establish an effective system by taking the following actions:

  • Determine regulatory tracking sources. Work cross-functionally to identify which regulatory issues have the greatest implications for the business’s core operations and decision making. Include tenured attorneys or compliance staff who work with core functions or oversee specific risk domains.

    Then create a list of information sources to monitor changes in relevant regulations. Most compliance programs source this information from a mix of law firms, regulatory agencies, discussion forums and industry associations.

  • Create a regulatory tracking process. Defining roles and responsibilities for tracking changes has three benefits:

    • It reduces duplicative and siloed regulatory tracking efforts.

    • It establishes a consistent regulatory intelligence knowledge base.

    • It ensures clear regulatory oversight throughout the organization.

Assign an owner to each regulatory jurisdiction and subject matter. The same person may own multiple areas, and each owner should be responsible for:

  • Identifying changes in the relevant jurisdiction or subject 

  • Consulting the affected function or business partner to determine whether the organization has a sufficient compliance program in place

Good candidates for regulatory owners are typically experienced lawyers from a relevant practice area or representatives from business units involved in regulatory compliance (such as tax, finance and HR).

Once you’ve identified your regulatory owners, create a RACI (responsible, accountable, consulted and informed) matrix to delineate the extent to which stakeholders are involved in different tracking and implementation activities.

Evaluate the regulatory tracking technology and service landscape. Purchasing a regulatory tracking solution may be valuable if your organization or industry is highly regulated. Use the following questions to understand whether legal and compliance technology investments would be beneficial to mature your compliance program:

  • Are you operating in a highly regulated and/or volatile regulatory environment? Do vendors support your primary industry?

  • Do any particular areas need extra support (e.g., data privacy, third-party risk)?

  • Are your legal and compliance staff — as well as business and functional partners — overburdened with regulatory intelligence work?

  • Would a technology system address the actual challenge you face?

  • Would investing in a technology system meaningfully improve efficiency and resource allocation in the long term?

Though regulatory intelligence solutions can boost compliance program efficiency, poorly integrated technology solutions can lead to workflow challenges that ultimately drag down efficiency and productivity.

Compliance Program FAQs

A compliance program is a set of internal policies and procedures implemented by a company to ensure it follows laws, regulations and ethical standards. It helps prevent and detect violations, promotes a culture of integrity and protects the organization from legal risks.

  1. Policies and procedures: clear guidelines for conduct

  2. Leadership and oversight: commitment from top management and a compliance officer

  3. Training and education: regular training for employees

  4. Monitoring and auditing: regular reviews to detect issues

  5. Reporting mechanisms: confidential channels for reporting concerns

  6. Enforcement and discipline: consistent policy enforcement

  7. Response and prevention: addressing issues and preventing recurrence

A compliance program should be reviewed at least annually to ensure it remains effective and up-to-date with any changes in laws, regulations and business practices. However, more frequent reviews may be necessary if there are significant changes in the regulatory environment, industry standards or within the organization itself. Regular reviews help identify areas for improvement and ensure the program continues to meet its objectives.
