← Otros blogs

The compliance program that produces records but not decisions

Most compliance programs do exactly what they were designed to do: produce a record. Modules completed, policies acknowledged, certificates issued. What they do not produce is the decision that matters, when an employee faces a real vendor and a real relationship. 93% of employees say they would report misconduct; only 50% do when they actually witness it (Ethisphere, 2024 Ethical Culture Report). That gap is not a training failure. It is a design problem, and it takes a different architecture to close.
Compliance
Human risk management
Security culture

An organization can have a high completion rate, a signed acknowledgment from every employee, and a fully documented anti-bribery policy, and still have three people handle the same gift from the same vendor three different ways. One declines it. One logs it. One says nothing, because the relationship felt more real than the rule.

None of them broke a rule they understood. That is the point. The failure is not a knowledge gap. It is the three seconds before a decision, when no module, no policy document, and no compliance manager is in the room.

ISO 37001 gives organizations a structured approach to anti-bribery management, and its value is real. But the standard measures whether the program exists and is documented. It does not measure whether people behave differently when nobody is watching.

The documentation trap

Compliance programs are structurally optimized for documentation. Regulators ask for evidence of training. Programs produce evidence of training. Auditors review it. The cycle closes.

What does not close is the loop between the training record and the real decision. A high completion rate meets the evidentiary standard. It does not protect the organization from the employee who rationalizes a gray-area gift because "this relationship is different." The 43-point gap between the 93% who say they would speak up and the 50% who do is that assumption, measured.

The exposure lives in the gray area

Anti-bribery exposure concentrates in gray areas, not clear violations. The employee who accepts an obviously improper payment is rare. The employee who applies the gifts policy inconsistently is everywhere: same vendor, same gift, different thresholds across the team.

Those scenarios are not gray because people do not know the rule. They are gray because the rule collides with a real relationship, a real social dynamic, or a real deadline the training never addressed. And the inconsistency is visible before any incident: different answers to the same scenario, avoidance of edge-case options, different thresholds applied by different teams. Those are measurable signals, sitting in how employees handle simulated interactions, not in a completion record.

Consistency, in other words, is the real control. Most programs never measure it.

Measuring behavior, not activity

A completion rate is a lagging activity metric. It tells you what was delivered, not what changed. The signals that actually predict anti-bribery exposure are leading and behavioral: whether the same vendor scenario produces the same decision across teams, whether people choose the safe option or quietly avoid the edge case, whether judgment is converging over time or drifting apart.

A program that tracks those can show a trend in behavior across a quarter. A program that tracks completion can only show attendance. When a board asks "are we less exposed than we were three months ago?", only one of those is an answer.

The gap is architectural, not motivational

The instinct when behavior does not change is to improve the training: more engaging, more scenarios, more often. That largely misses the point.

The gap between knowing a standard and applying it under pressure is not a knowledge gap. It is a habit gap. Habits are built through reinforcement at the point of decision, repeated until the right response is automatic, not in an annual module.

A program that delivers modules and measures completion is an architecture for producing records, not for building habits. Closing the behavior gap takes a different design: detecting a gray-area interaction, then triggering a targeted ISO 37001 simulation for that employee — on recognizing bribery risk and on handling gifts and hospitality — before the next real scenario arrives. The response informs the next intervention. A closed loop, automated with human oversight, not a linear program.

Practical implications

For compliance leaders evaluating a program, the question is not "what is our completion rate?" It is: what happens between training and the next real gifts or hospitality interaction?

Three questions worth raising:

Can you see how employees actually handle gray-area scenarios, or only whether they finished the module?

When a team applies the gifts policy inconsistently, do you find out before or after an incident?

Could you show your board that behavior improved this quarter, not just that training was delivered?

The standard itself moved

The 2025 revision of ISO 37001 formally introduces anti-bribery culture as essential to the effectiveness of the management system (ISO 37001:2025). The standard organizations certify against now says, in effect, that documentation is necessary but not sufficient, and that culture and behavior are what make the system work.

The programs that still treat the standard as a documentation exercise are now behind the standard itself.

ISO 37001 gives organizations a structure worth having. But a structure describes what should happen; it does not produce the decision an employee makes when the rule meets a relationship they value. That decision is shaped before the moment arrives, and it can be seen, measured, and improved.

The programs that reduce exposure over the next few years will not be the ones with the most complete documentation. They will be the ones that closed the loop between what the policy says and what people do when nobody is watching.

Escrito por:
Suscríbase a nuestro boletín
Contenido
Actúa ahora antes de que lo hagan los atacantes
Unifique las simulaciones de deepfake, la formación personalizada y el análisis de riesgos en una única plataforma que cree una defensa mensurable.
Hable con un experto

Cómo Zepo ayuda a las empresas

Cuando todo se conecta, los resultados llegan

Nadia Cappelletti

Gerente de Seguridad de la Información Digital

Recomendaría Zepo a colegas de otras empresas porque creo que ha satisfecho todas nuestras necesidades. Nos ha permitido ejecutar tres tipos de campañas que otras herramientas que hemos probado simplemente no pueden hacer. Y más allá del producto en sí, el apoyo de todo el equipo nos ha ayudado a sacarle mucho más partido.”

+9K

Empleados Protegidos

–10%

Tasa de clics en ataques

+18%

Tasa de finalización de la capacitación

Ramon Fernandez Blanco

Ciberseguridad y Gerente de Producto Digital

Desde la implementación de Zepo, la concienciación de los empleados ha aumentado significativamente. Los empleados ahora debaten activamente sobre ciberseguridad y campañas de phishing, y los correos electrónicos sospechosos se reportan rápidamente en lugar de ser ignorados.”

+600

Empleados Protegidos

–15%

Credenciales enviadas

+26%

Tasa de finalización de la capacitación

Jonathan Nelson

Director de Inteligencia de Riesgos

La visión de Zepo para una solución de ciberseguridad en tiempo real, hiperpersonalizada y multiplataforma es verdaderamente única y está muy por encima de la competencia”

+100

Empleados Protegidos

Anticípate antes de que ataquen.