This article is a free excerpt from inCOMPLIANCE, ICA's bi-monthly, member-exclusive magazine.
Roz Dixon-Burnett shines a spotlight on performative compliance and calls for a new direction to achieve effective outcomes.
Overture
Picture the scene: a board meeting where compliance risk appetite is being set at ‘zero’. The executive team nods in agreement. Strong commitment to compliance, they note. Excellent risk culture. The decision is minuted and filed. You’ve probably been in this meeting – perhaps you’ve even prepared the paper. And if you’re honest, you knew while writing it that zero compliance risk is impossible. Everyone in that room knew. But the statement sounds rigorous, looks good in regulatory attestations, and protects decision-makers when something goes wrong. So, we perform the ritual and move on.
Curtain up
This is what compliance professionals in the cybersecurity world started calling ‘compliance theatre’ nearly two decades ago. Compliance theatre symbolises activities that demonstrate compliance without necessarily achieving the outcomes that the regulation is meant to deliver (and, by extension, compliance with that regulation). It emerged as a term when security experts noticed firms could be certified to ISO 27001, pass audits, and still experience breaches because they’d optimised their processes for visible controls rather than actual security.
But this pattern isn’t limited to cybersecurity. Across regulated industries – such as financial services, healthcare, data protection, environmental compliance – the same dynamic appears. Comprehensive frameworks exist. Policies are documented. Training completion rates are tracked. Governance structures are in place. Yet compliance failures continue. Not because people aren’t working hard, or are actively looking to circumvent controls, but because we’ve created systems that reward measurable compliance activity over effective compliance outcomes. The question isn’t whether compliance professionals are doing their jobs well. Most, if not all, are. The question is whether being compliant and being effective have become two different things.
Act one
So, how did we get here? The dynamic starts with regulatory pressure. After every major compliance failure, whether it’s a data breach, a financial scandal, a safety incident, or a money laundering case, regulators face intense public and political demands to demonstrate that they are taking action. Society expects a visible response. Governments demand accountability. Regulators respond by creating more requirements. Additional policies must be comprehensive, further training must be documented, enhanced risk assessments must be regular, and updated governance structures must be robust.
These requirements all have something in common, in that they are measurable. A regulator can review a policy, check training logs, examine risk registers, and assess governance frameworks. What is far harder to inspect is whether these activities actually prevent the harm that they are designed to address. Does the policy drive a change in behaviour? Does the training shift the firm’s culture? Does the risk assessment identify real risks or predictable, easily quantifiable ones?
The result is unsurprising. Organisations optimise for what they can readily evidence, and hence what regulators can check. If success is measured by comprehensive policies, then firms write comprehensive policies. If training completion rates matter, then training gets completed. If risk assessments must be documented, then risk assessments will be documented. This isn’t cynicism or criticism; this behaviour is completely rational in a system that rewards visible compliance activity.
Consider anti-money laundering (AML) compliance. The UK has extensive AML regulations, supervised sectors, mandatory training requirements, transaction monitoring systems, and suspicious activity reporting, to name just a few of the measures required. In its most recent Mutual Evaluation (published in 2018, with the next review due in 2027), the Financial Action Task Force (FATF) assessed that, ‘the United Kingdom has a well-developed and robust regime to effectively combat money laundering and terrorist financing’. Firms invest significantly in AML frameworks. Yet the UK’s National Assessment Centre estimates over £100 billion is laundered through the UK annually. The system generates millions of Suspicious Activity Reports, many of which are filed because firms need to demonstrate compliance, while the actual flow of illicit funds continues largely unimpeded. The framework is comprehensive. The compliance is demonstrable. The international assessment is positive. But is it effective?
Or let’s take data protection. The General Data Protection Regulation (GDPR) created unprecedented requirements for privacy policies, consent mechanisms, and data processing documentation across the world. Organisations spent millions ensuring compliance. Privacy notices proliferated. Yet research shows these notices are rarely read and poorly understood, and data breaches continue. We created a system optimised for documented consent rather than genuine data protection.
The pattern repeats across sectors because the underlying dynamic is the same: when effectiveness is hard to measure but activity is easy to evidence, we get sophisticated activity and questionable effectiveness. A healthcare organisation can demonstrate compliance with the Health Insurance Portability and Accountability Act (HIPAA) through comprehensive privacy policies and training logs, while data breaches continue. A manufacturer can have documented safety management systems and still experience preventable accidents. The documentation exists. The boxes are ticked. But the harm that we are trying to prevent still occurs.
It bears repeating that this is not a failure of individual compliance professionals, the vast majority of whom work diligently within the systems they are given. I believe that it is a structural issue. Organisations – and people – respond rationally to the incentives they face. If regulatory visits and investigations focus on policy comprehensiveness, training completion rates, and documented risk assessments, that is precisely what organisations will focus on. The question is whether these measures correlate with the outcomes we actually care about: preventing financial crime, protecting consumer data, maintaining workplace safety, ensuring market integrity, and so on.
Intermission
So, what would different look like? If the current system drives us towards documented activity, then effective compliance must focus on actual outcomes, including reduced harm, better consumer protection and genuine risk mitigation.
This requires asking different questions. Not ‘can we evidence our compliance activities?’ and ‘will this satisfy regulatory scrutiny?’ but ‘is what we are doing actually working?’ and ‘are we addressing the problem that we are trying to solve?’
Act two
Let’s consider how compliance effectiveness might be assessed differently. Instead of reviewing policy accuracy and completeness, what if regulators assessed whether the policy actually drives the required behaviour? Instead of checking training completion rates, what if measures related to improvements in individuals’ understanding and decision-making?
The challenge is that outcomes are harder to measure than activity. A regulator can review a hundred policies in a day. Assessing whether those policies have prevented harm requires longitudinal analysis, counterfactual thinking, and acceptance of uncertainty. It’s a genuine challenge. But difficulty doesn’t make it less necessary.
Some regulatory developments point in this direction. The UK Financial Conduct Authority’s Consumer Duty focuses on demonstrating good customer outcomes rather than simply having robust processes, and could represent a meaningful shift. This shift relies on the regulator being willing and able to assess actual consumer outcomes, rather than evidence of outcome-focused thinking by firms.
For compliance professionals, this shift also requires developing new and different capabilities. There needs to be an understanding of what genuinely drives behavioural change, methods for assessing organisational culture and effectiveness, and techniques for measuring impact rather than activity. It means being comfortable with less certainty and more judgement. It means focusing resources on interventions that work rather than interventions that look impressive.
It also requires courage. The courage to tell boards that comprehensive documentation doesn’t equal effectiveness, to challenge regulatory expectations that prioritise demonstrable activity, and to admit when we’re performing compliance rather than achieving it.
These are uncomfortable challenges for a profession built on frameworks, documentation, and demonstrable process. Asking whether we’re only performing for the regulator rather than achieving true compliance is risky, particularly when regulatory expectations seem to reward the performance.
But, being honest, most compliance professionals have been in meetings where everyone knew the exercise was more about evidence than effectiveness. Most have completed risk assessments where the outcomes were predetermined. Most have seen comprehensive programmes that somehow missed the risks that crystallised.
Curtain call
The question here is not whether compliance theatre exists. I believe that it does, 100%. Are we brave enough to name it, and thoughtful enough to explore what genuine effectiveness might look like instead? This means challenging not only how firms approach compliance, but how regulators measure it, how effectiveness is assessed, and what success truly means.
Are we as compliance professionals protecting our organisations from regulatory censure, or are we protecting the people and systems our regulations are designed to safeguard? And perhaps more fundamentally, when does the distinction between those two goals become too wide to ignore?
About the author
Roz Dixon-Burnett is ICA Course Director, Governance, Risk and Compliance.