New Gartner research reveals why traditional risk management is failing to keep pace with modern risks, and outlines how compliance leaders must enable organizational risk owners to build an instinctive Risk Reflex.
It’s late on a Friday. A business leader wants to complete a time-sensitive vendor renewal before a contract expires. The leader hesitates: Does this vendor count as “high risk”? Are we required to re-screen? If we escalate, will it delay the deal?
Under pressure, the path of least resistance often wins—maybe an incomplete form, maybe a vague justification, maybe a “we’ll fix it next week.” Thus, compliance failures are often born not from malice but from time pressure, ambiguity and workflow friction.
Fundamentally, this is a program effectiveness issue. When leaders aren’t sure what “right” looks like, then in the heat of the moment they tend to delay, workaround or delegate compliance. Compliance considerations then happen after the operational decision, rather than as part of it.
One data point in Gartner research should feel uncomfortably familiar to ethics & compliance leaders: 88% of risk owners say they’re motivated to fulfill their responsibilities, but only 35% feel confident about how to meet risk ownership expectations.
Traditional compliance approaches tend to focus on publishing policies, annual training, and periodic attestations. While this raises awareness, it doesn’t reliably create the kind of reflexive “muscle memory” that risk owners need to make the right decisions day-to-day in a fast-moving environment, hence the aforementioned confidence gap.
As a result, Gartner experts recommend an approach that engineers systems, prompts and incentives so compliant behavior is reflexive.
About the Authors
Tegan Gebert is a Vice President-level Advisor, and Chris Audet is Vice President and Chief of Research, both within Gartner’s Assurance Practice. Doug Eckstein is a Gartner Distinguished VP, Research.
Engineer the environment so compliance is unavoidable
First, compliance must engineer systems that make the right behaviors unavoidable for the business.
Importantly, many compliance leaders have invested in making things easier for the business to follow – for example, compliance has worked to improve access to requirements via shorter policies, more tailored trainings, clearer guidance and better tooling.
The problem is that, in many cases, these efforts haven’t moved the needle much in terms of employee compliance. Ease is not the same as effectiveness. What is more effective is engineering systems that make compliance hard to avoid, meaning hard to miss, hard to justify ignoring, and hard to hide one’s avoidance.
To be clear, “hard to avoid” is less about adding gates and more about integrating controls into operational platforms so that doing the right thing doesn’t require additional effort or interpretation. Take the Friday renewal. If the compliance requirement sits outside the procurement or contracting system—if it’s a separate email, a separate spreadsheet, a separate portal—someone will eventually treat it as “extra.” Not because they’re reckless, but because the system teaches them it’s detachable.
Therefore, the optimal compliance control is third-party onboarding and renewals integrated into procurement/contract workflows instead of separate bolt-on activities. The “right” path is built into the flow, and exceptions are explicit and traceable. The leader can still move quickly—but not invisibly.
When controls live inside the workflow, this reduces the two biggest drivers of real-world noncompliance: ambiguity (what’s expected) and friction (this is slowing me down). It shifts compliance from “remember to do this” to “this is how we do work here.”
Provoke the intellect: avoid checkbox compliance
Second, reflexes need stimulus. In compliance, stimulus is the moment a business leader pauses long enough to ask, “What’s the exposure here?” and “What would be irresponsible to ignore?” Getting the business to pause and consider their compliance responsibilities requires prompting.
Yet too often the moment is wasted with shallow prompts that invite checkbox behavior, not better judgment.
Instead, it’s better to design prompts that challenge business leaders to think, and to act if needed. For example, instead of “Have you completed due diligence?”, ask “What could go wrong with this relationship, and what would we see first?” Instead of “Are controls in place?”, ask “Where would this process break under time pressure?”
Further, provocation is about what compliance returns to the business. If compliance outputs are generic—findings that read like policy citations, dashboards no one recognizes, reports that don’t translate into decisions—you don’t build capability. You build resentment.
On the other hand, when compliance returns insight that is novel and actionable—insight about the real conditions that cause failures: incentives, handoffs, stakeholder alignment, information gaps—leaders learn. And learned judgment is what turns compliance from a ritual into a reflex.
Recognize the right behaviors
Finally, a reflexive response to compliance responsibilities requires recognizing the right behaviors.
Today, compliance programs tend to excel at spotlighting failure: overdue actions, repeat issues, missed training, incidents, exceptions. Yet far fewer are good at recognizing success: early escalation, transparent disclosure, proactive remediation, a leader who pauses a deal to get it right.
That matters, because what you recognize is what you train. If business leaders see that early escalation is treated as responsible leadership, they’ll escalate sooner—and they’ll encourage others to do the same.
Recognition doesn’t need to be flashy, but it does need to be consistent and visible. That means defining what good looks like in terms of specific behaviors, not vague values. It means creating an infrastructure so that successes are visible to assurance and other business leaders. And it means sharing these successes with executive leadership so the right risk ownership behaviors receive proper recognition.
Again, how the business leader approaches an urgent vendor renewal is not a morality test. It’s a systems test.
If your program assumes leaders will remember the right step at the right time under pressure, you’re relying on heroics. If your program makes the right step the easiest step—embedded, prompted, and reinforced—you’re building an operating system.
Engineer the environment. Provoke better thinking. Recognize the behaviors you want repeated.
That’s how compliance becomes reflexive: not something the business does for the compliance team, but something the business does because it’s how work gets done.
Editor’s note: This article is based on the opening keynote at Gartner’s 2025 Enterprise Risk, Audit & Compliance Conference.