Formal Compliance


Governance Definition

Within regulatory and governance frameworks such as DORA, Formal Compliance is a Governance Definition, not jargon. It refers to the documented fulfilment of regulatory requirements, typically through policies, procedures and attestations.


1. What is it?

Formal compliance is the state of meeting regulatory requirements in documented, policy-level or procedural form. It demonstrates that an organisation has:

  • written policies,

  • defined processes,

  • assigned responsibilities,

  • documented controls.

It answers the question: “Do we have the required framework in place?”


2. What problem does it address?

Formal compliance addresses the need for structured adherence to regulatory obligations. It ensures that:

  • regulatory requirements are identified,

  • responsibilities are allocated,

  • documentation exists for supervisory review.

It provides structural alignment with the law.


3. Where does it appear in organisations?

Formal compliance appears in:

  • policy documents and control manuals,

  • governance frameworks,

  • board-approved procedures,

  • regulatory filings and attestations.

It is typically visible during supervisory inspections or internal audits.


4. What can go wrong if misunderstood?

If formal compliance is treated as sufficient in itself:

  • controls may exist on paper but not in practice,

  • policies may not translate into operational behaviour,

  • documentation may mask ineffective execution,

  • regulatory exposure may remain despite “compliance.”

The key risk is paper compliance without operational control.


5. Who is accountable, and what oversight is required?

Management is accountable for ensuring regulatory frameworks are properly documented and approved. Boards must oversee that:

  • policies are aligned with regulation,

  • compliance frameworks are complete,

  • documentation is regularly reviewed.

However, oversight cannot stop at documentation.


Difference from Demonstrable Control

Formal compliance answers: “Have we documented the control?”
It does not automatically answer the question demonstrable control addresses: “Does the control work in practice?”


A small list of synonyms and their use:

Policy-Based Compliance

Focus: existence of written frameworks.
Emphasis on documented alignment with regulation.

Typical in:

  • regulated financial institutions
  • ISO-based environments
  • early-stage governance maturity

Documentary Compliance

Focus: ability to produce required documentation.
Often implicit in supervisory reviews.

This term highlights:

  • documentation sufficiency
  • evidence of policies
  • procedural completeness

But it does not imply effectiveness.

Design-Level Compliance

Focus: control design rather than control performance.
Meaning: controls are designed appropriately on paper.

Common in:

  • risk and control self-assessments (RCSA)
  • internal control documentation
  • SOX-style frameworks

This is often contrasted with Operating Effectiveness.

Procedural Compliance

Focus: adherence to documented procedures.
Suggests compliance through following prescribed steps.

Often seen in:

  • internal audit findings
  • control testing environments
  • operational compliance functions

Declarative Compliance

Focus: attestation-based compliance.
Meaning: the organisation declares that requirements are met.

Common in:

  • regulatory filings
  • annual compliance statements
  • board attestations

This is highly relevant under DORA when declarations must be backed by proof.

Rules-Based Compliance

Focus: meeting prescriptive regulatory requirements.
Implies box-ticking orientation rather than outcome orientation.

Rules-based compliance is dominant in the following settings.

Highly Prescriptive Regulatory Regimes

Where regulation is detailed, technical and checklist-driven, rules-based compliance is the default mode.

Supervisory Regimes With Clear Technical Standards

Where regulators publish:

  • RTS / ITS (Regulatory and Implementing Technical Standards),
  • explicit reporting templates,
  • mandatory procedural steps,

organisations frequently default to rules-based interpretation.

Example:

– Mapping DORA articles to internal policy paragraphs.

Early-Stage Governance Maturity

Organisations that are:

  • new to regulation,
  • under regulatory pressure,
  • remediating enforcement findings,

often move into rules-based mode because it provides psychological and structural clarity.

It feels safer.

Legal-Driven Compliance Cultures

Where compliance is led primarily by legal departments rather than risk/control functions, the posture often becomes:

  • “What exactly does the law require?”
  • “Have we implemented that article?”

Less focus on:

Post-Enforcement Environments

After fines or regulatory findings, firms may temporarily adopt:

  • strict rule mapping,
  • article-by-article implementation,
  • enhanced documentation.

This is reactive rules-based compliance.

Where It Is Explicitly Contrasted

Rules-based compliance is often contrasted with:

  • Principles-based regulation (e.g., UK FCA philosophy),
  • Outcome-based supervision (ECB, PRA evolving stance),
  • Risk-based supervision (Basel, EBA frameworks).

DORA represents a hybrid:

  • It contains prescriptive elements,
  • but supervisory expectation increasingly leans toward demonstrable resilience, not mere rule mapping.

IFRS Synonyms:
Policy-Based Compliance, Procedural Compliance, Documentary Compliance, Declarative Compliance, Design-Level Compliance