Compliance doesn’t fail because the law is weak; it fails because the architecture is incomplete. We often treat compliance like a final coat of paint—something applied at the end for aesthetics. In reality, true compliance must be “engineered at the beginning” to survive the messy reality of human and cultural behaviour.
Here is how we move beyond the checklist to a contemporary, “Compliance by Design” framework. In alignment with the vision of Viksit Bharat by 2047, this is a time when Independent Directors, KMPs, Institutional Investors, Regulators and Promoters will collectively have to demonstrate higher integrity to attract better valuations and bring more sustainability to the company.
1. Mapping the Human Matrix
Every framework assumes people act rationally, but they actually act according to their own motivations. When we fail to map these stakeholders, we miss the risks hidden in plain sight.
- The “Shadow” Power Structure: A promoter might hold stakes in multiple similar businesses. Even with perfect paperwork, there is an inherent risk of “value shifting” or strategic bias that a standard audit might miss[1]. The same risk arises when the entity is one piece of a whole value chain that the promoter owns through multiple companies; one needs to be mindful of it.
- The Governance Paradox: When one person holds the roles of both Chairman and MD, the board’s ability to challenge senior management or evaluate pay becomes a formality rather than a check[2].
Think of the Satyam scandal or more recent fintech collapses. On paper, the boards were populated with experts; in reality, the concentration of power made dissent a “career-ending move”, rendering the compliance framework an illusion. This is why many good professionals, Independent Directors and even institutions insist, though it is not mandatory, on a single structure in the group for one business and on separating the Chairman from management. This systemically reduces risk. Overall, we as a community will have to look at compliance through the human matrix.
2. Incentives Drive Behavior, Not Manuals
Policies assume people will follow the rules; incentives determine what they actually do. “People do not violate policies; they follow incentives”.
| Structure | The “Corporate” Intention | The Behavioral Reality |
| --- | --- | --- |
| ESOPs | Create long-term owners. | Pressure to hit short-term stock targets for immediate payoff. |
| Independent Directors | Provide objective oversight. | Often socially or economically “captured” by promoters, leading to silent boards. It isn’t necessarily a matter of “compulsion” or threats; it is a matter of social and economic gravity that pulls a director toward the promoter’s orbit, often without either party acknowledging it. |
| Exec Bonuses | Reward high performance. | Encourages “metric gaming” to trigger payouts. This isn’t usually about “faking” numbers (fraud); it’s about optimizing for the specific metric that determines the pay cheque, even if it harms the company’s health in the long term. |
In the age of “hyper-growth” startups, the pressure to reach unicorn status often creates an incentive structure where “breaking things” is rewarded more than building them correctly, making compliance the enemy of speed. Many successful and sustainable corporates take cognizance of incentive-based human behaviour and structure their engagements, evaluations and compensation to eliminate such risks.
3. The “Silo” Tax: Where Compliance Breaks Silently
Compliance often fails at the point of coordination, not at the point of law. When departments don’t talk, risk leaks through the cracks.
- Insider Trading (PIT): The Compliance team might have a great policy, but if the Business team or an outside consultant leaks Unpublished Price Sensitive Information (UPSI) because they weren’t “sensitized,” the policy is useless. Sometimes sensitization needs a louder action to demonstrate what the organisation stands for.
- The Onboarding Gap: If HR, Legal, and Compliance don’t align during the hiring of Senior Management or Key Managerial Personnel (KMP), background checks and independence assessments remain incomplete. If Independent Directors then rely on those assessments without being sceptical about the process, the controls and the independent checks, it can create a disaster. In one recent case a KMP was alleged to have been on the payroll of a group company, which goes against the principle of exclusive commitment expected from KMPs.
Consider global data breaches. Often, the IT department knows about a vulnerability, but because it isn’t integrated with the Legal/Compliance reporting chain, the “disclosure failure” happens long before the regulator finds out.
More cross-functional team meetings and more integrated KPI, KRA and reward-and-recognition mechanisms are the need of the hour.
4. Designing Policies for the Real World
A policy that ignores how people actually act is just a document; a policy that reflects behavior becomes governance.
- Integrated Workflows: If compliance depends on different departments (like RPTs requiring Procurement, Marketing and Sales, HR, Finance, and Compliance), the policy must mandate a single, integrated digital workflow rather than three isolated tools/systems. Gone are the days when operations could say that RPT is the compliance team’s responsibility and nothing to do with them, or claim that disclosure is a compliance requirement and that flagging a probable event is not their job. Compliance cannot happen without integrated effort, systems and accountability.
- Managing Tension: Don’t ignore the tension between ESOP encashment and Insider Trading rules—address it head-on with automated black-out periods and robust pre-clearance triggers.
The compliance team, with the support of the top management team, should design policies and structures that keep everyone on the desired track.
5. Intelligent Supervision and Correction
You cannot achieve the results of integrated compliance without adequate supervision and correction.
- Intelligent Supervision: This isn’t “inspection”; it is the intelligent observation of patterns, predicting the changes in behavioural patterns that a change in situation can trigger, and accordingly restructuring your systems or increasing supervision for that specific situation. For example, if a new company is being acquired or incorporated it will require support from related parties; if a company is financially weak it will breach RPT approval conditions; and when your CSR obligation increases suddenly, the ability to cope will take some time. In such situations compliance needs to be more mindful and alert.
- Continuous Correction: As the business evolves, the policy must evolve. If your risk profile changes (e.g., moving into a new market), your behavior-mapping must start over. Sustainability requires a PDCA (Plan–Do–Check–Act) cycle. The compliance department has to adopt best practices from mature frameworks such as ISO, Six Sigma and many others.
The Closing Thought
True compliance isn’t about ensuring nothing ever goes wrong—it’s about ensuring that nothing can go wrong unnoticed. To get there, we must stop building checklists and start engineering environments where integrity is the path of least resistance.
[1] SAT order in the matter of Linde India Ltd vs SEBI, December 5, 2025: “there is no merit in the plea of appellant that the business allocation cannot be treated as a transaction, tantamounting to a RPT under Regulation 2(1)(zc)… business allocation will result in losses or/and gains in different geographies and product-lines which will have a definite value impact… In case such a value exceeds the materiality threshold as in Regulation 23(1), the appellant would be required to obtain the shareholders’ approval.”
[2] SEBI adjudication order in the matter of SCAL Services Ltd., October 21, 2022.