← Other Blogs

The compliance program that produces records but not decisions

Most compliance programs do exactly what they were designed to do: produce a record. Modules completed, policies acknowledged, certificates issued. What they do not produce is the decision that matters, when an employee faces a real vendor and a real relationship. 93% of employees say they would report misconduct; only 50% do when they actually witness it (Ethisphere, 2024 Ethical Culture Report). That gap is not a training failure. It is a design problem, and it takes a different architecture to close.
Compliance
Human risk management
Security culture
Zepo Intelligence

An organization can have a high completion rate, a signed acknowledgment from every employee, and a fully documented anti-bribery policy, and still have three people handle the same gift from the same vendor three different ways. One declines it. One logs it. One says nothing, because the relationship felt more real than the rule.

None of them broke a rule they understood. That is the point. The failure is not a knowledge gap. It is the three seconds before a decision, when no module, no policy document, and no compliance manager is in the room.

ISO 37001 gives organizations a structured approach to anti-bribery management, and its value is real. But the standard measures whether the program exists and is documented. It does not measure whether people behave differently when nobody is watching.

The documentation trap

Compliance programs are structurally optimized for documentation. Regulators ask for evidence of training. Programs produce evidence of training. Auditors review it. The cycle closes.

What does not close is the loop between the training record and the real decision. A high completion rate meets the evidentiary standard. It does not protect the organization from the employee who rationalizes a gray-area gift because "this relationship is different." The 43-point gap between the 93% who say they would speak up and the 50% who do is that assumption, measured.

The exposure lives in the gray area

Anti-bribery exposure concentrates in gray areas, not clear violations. The employee who accepts an obviously improper payment is rare. The employee who applies the gifts policy inconsistently is everywhere: same vendor, same gift, different thresholds across the team.

Those scenarios are not gray because people do not know the rule. They are gray because the rule collides with a real relationship, a real social dynamic, or a real deadline the training never addressed. And the inconsistency is visible before any incident: different answers to the same scenario, avoidance of edge-case options, different thresholds applied by different teams. Those are measurable signals, sitting in how employees handle simulated interactions, not in a completion record.

Consistency, in other words, is the real control. Most programs never measure it.

Measuring behavior, not activity

A completion rate is a lagging activity metric. It tells you what was delivered, not what changed. The signals that actually predict anti-bribery exposure are leading and behavioral: whether the same vendor scenario produces the same decision across teams, whether people choose the safe option or quietly avoid the edge case, whether judgment is converging over time or drifting apart.

A program that tracks those can show a trend in behavior across a quarter. A program that tracks completion can only show attendance. When a board asks "are we less exposed than we were three months ago?", only one of those is an answer.

The gap is architectural, not motivational

The instinct when behavior does not change is to improve the training: more engaging, more scenarios, more often. That largely misses the point.

The gap between knowing a standard and applying it under pressure is not a knowledge gap. It is a habit gap. Habits are built through reinforcement at the point of decision, repeated until the right response is automatic, not in an annual module.

A program that delivers modules and measures completion is an architecture for producing records, not for building habits. Closing the behavior gap takes a different design: detecting a gray-area interaction, then triggering a targeted ISO 37001 simulation for that employee — on recognizing bribery risk and on handling gifts and hospitality — before the next real scenario arrives. The response informs the next intervention. A closed loop, automated with human oversight, not a linear program.

Practical implications

For compliance leaders evaluating a program, the question is not "what is our completion rate?" It is: what happens between training and the next real gifts or hospitality interaction?

Three questions worth raising:

Can you see how employees actually handle gray-area scenarios, or only whether they finished the module?

When a team applies the gifts policy inconsistently, do you find out before or after an incident?

Could you show your board that behavior improved this quarter, not just that training was delivered?

The standard itself moved

The 2025 revision of ISO 37001 formally introduces anti-bribery culture as essential to the effectiveness of the management system (ISO 37001:2025). The standard organizations certify against now says, in effect, that documentation is necessary but not sufficient, and that culture and behavior are what make the system work.

The programs that still treat the standard as a documentation exercise are now behind the standard itself.

ISO 37001 gives organizations a structure worth having. But a structure describes what should happen; it does not produce the decision an employee makes when the rule meets a relationship they value. That decision is shaped before the moment arrives, and it can be seen, measured, and improved.

The programs that reduce exposure over the next few years will not be the ones with the most complete documentation. They will be the ones that closed the loop between what the policy says and what people do when nobody is watching.

Subscribe to our newsletter
Blog content:
Act now before attackers do
Unify deepfake simulations, personalized training, and risk analytics into a single platform that builds measurable defense.
Talk to an expert

How Zepo helps companies

When everything connects, results follow

Nadia Cappelletti

Digital Information Security Manager

I would recommend Zepo to colleagues at other companies because I believe it has met all our needs. It has allowed us to run three types of campaigns that other tools we have tried simply cannot do. And beyond the product itself, the support from the whole team has helped us get far more out of it.””

+9K

Employees Protected

–10%

Click Rate on Attacks

+18%

Training Completion Rate

Ramon Fernandez Blanco

Cybersecurity & Digital Product Manager

Since implementing Zepo, employee awareness has increased significantly. Employees now actively discuss cybersecurity and phishing campaigns, and suspicious emails are quickly reported instead of ignored.””

+600

Employees Protected

–15%

Credentials Submitted

+26%

Training Completion Rate

Jonathan Nelson

Director of Risk Intelligence

Zepo’s vision for a real-time, hyper-personalised, multi-platform cybersecurity solution is truly unique and stands head and shoulders above the competition”

+100

Employees Protected

Get Smarter Before Attackers Strike.