Compliance as a Truth System: Why boards must govern for signal integrity, not just rule adherence

Most governance failures do not begin with missing policies. They begin when organisations stop surfacing uncomfortable truths. This paper explores compliance as a signal-integrity system — where silence, filtered escalation, and organisational drift become hidden governance risks.

Dr Alwin Tan, GAICD, MBBS, FRACS, EMBA (Melbourne Business School)

Senior Surgeon | Governance Leader | HealthTech Co-founder
Harvard Medical School — AI in Healthcare
Australian Institute of Company Directors — GAICD graduate
University of Oxford — Sustainable Enterprise

Institute for Systems Integrity (ISI)


Introduction: The wrong question

Most organisations approach compliance by asking:

“Are we following the rules?”

It sounds reasonable.

But it is the wrong question.

Compliance failures rarely occur because rules are absent.

They occur when the system fails to:

  • detect problems early,
  • escalate them honestly,
  • and correct them before harm occurs.

At the Institute for Systems Integrity (ISI), we frame compliance differently:

Compliance is not a rule system.
It is a truth system.

From rule adherence to system integrity

Traditional compliance models focus on:

  • policies,
  • procedures,
  • training,
  • and audits.

These are necessary.

But they are not sufficient.

A system can be:

  • fully documented,
  • fully trained,
  • fully audited—

…and still fail.

The real question is not:

“Do rules exist?”

It is:

“Does the system tell the truth — early enough to act?”

ISO 37301 — what it gets right

ISO 37301:2021 provides a structured approach to compliance management through:

  • context
  • leadership
  • planning
  • support
  • operation
  • performance evaluation
  • improvement

This aligns with the Plan–Do–Check–Act (PDCA) model:

  • Plan → identify obligations and risks
  • Do → embed controls
  • Check → monitor and test
  • Act → improve

The strength of this model lies in continuous improvement, and the standard does not ignore the upward flow of information: it requires processes for raising concerns and for investigating them.

But its limitation is this:

It assumes that information flowing through the system is accurate, complete, and timely. A requirement that a reporting channel exist does not guarantee that the channel carries an undistorted signal.

In practice, this assumption often fails.


Where compliance systems break

Across industries — healthcare, financial services, aviation, aged care — the failure patterns are consistent.

They arise not because rules were absent, but because signals were distorted.

Common failure modes include:

1. Suppressed escalation

Concerns are raised but not progressed.

2. Filtered reporting

Information is softened as it moves upward.

3. Normalised deviation

Workarounds become “accepted practice.”

4. Incentive misalignment

Performance is rewarded over compliance.

5. Absence of psychological safety

Speaking up carries personal or career risk.

These are not failures of compliance design.

They are failures of system integrity.


Compliance as a signal system

A functioning compliance system should behave like a signal network.

It must:

  • detect weak signals (near misses, deviations)
  • transmit them without distortion
  • amplify material risks
  • suppress noise (irrelevant data)
  • deliver timely insight to decision-makers

When this signal flow is compromised:

  • risks remain hidden
  • issues escalate silently
  • and boards operate on incomplete reality

This is how organisations become:

compliant on paper,
but unsafe in practice.

The board’s real exposure

Boards are rarely criticised for not having policies.

They are held accountable when:

  • risks were foreseeable,
  • signals existed,
  • but were not acted upon.

This shifts the governance burden from:

rule oversight → system oversight

Directors must ask:

  • What signals are we receiving?
  • What signals are we not receiving?
  • Where might information be filtered?
  • How quickly do issues surface?
  • What happens to bad news?

Because the greatest governance risk is not non-compliance.

It is:

undetected non-compliance.

Healthcare: a high-stakes example

In healthcare systems, compliance failures are rarely due to missing protocols.

They occur when:

  • junior staff hesitate to escalate
  • visiting medical officers (VMOs) lack protection or influence
  • workload pressures override safeguards
  • hierarchy suppresses dissent

In such environments:

  • incident reporting declines
  • near misses are lost
  • and harm emerges late

This is not a documentation problem.

It is a signal suppression problem.


The performance–compliance tension

Many organisations operate under an implicit belief:

“Breaking the rules is faster and cheaper.”

In the short term, this can appear true.

In the long term, it leads to:

  • regulatory breaches
  • systemic risk accumulation
  • reputational damage
  • organisational failure

The role of governance is not to eliminate performance pressure.

It is to ensure performance is not achieved by:

silencing the system that detects risk.

What good looks like: signal integrity in action

A high-functioning compliance system demonstrates:

1. Clarity of ownership

No ambiguity about responsibility.

2. Unfiltered escalation

Bad news travels quickly and intact.

3. Early warning visibility

Near misses are treated as critical signals.

4. Psychological safety

Staff can escalate without fear.

5. Independent challenge

Compliance functions are empowered to speak.

6. Demonstrated learning

Failures result in system change — not cosmetic fixes.

Without these, compliance becomes:

ceremonial rather than operational.

A reframing for boards

Boards should stop asking:

“Are we compliant?”

And start asking:

“Is our system telling us the truth — early enough to act?”

This reframing shifts governance from:

  • passive assurance
    → active interrogation

From:

  • documentation
    → detection

From:

  • comfort
    → visibility

Conclusion: Compliance is a living system

Compliance is not static.

It is a continuous loop of:

  • sensing,
  • signalling,
  • responding,
  • and improving.

If the loop stops moving, the system becomes:

  • static
    → then fragile
    → then unsafe

At ISI, we define compliance maturity as:

the ability of an organisation to detect and respond to its own failure signals before harm occurs.

Final line

Compliance is not about rules.
It is about whether the system tells the truth — in time.


References (Harvard style)

Australian Securities and Investments Commission (ASIC) 2019, Corporate governance: The role of directors and culture, ASIC, viewed March 2026.

Australian Prudential Regulation Authority (APRA) 2018, CPG 220 Risk Management, APRA, Sydney.

Australian Prudential Regulation Authority (APRA) 2022, Information Paper: Transforming governance, culture, remuneration and accountability, APRA.

ASX Corporate Governance Council 2019, Corporate Governance Principles and Recommendations, 4th edn, ASX, Sydney.

Department of Justice (DOJ) 2024, Evaluation of Corporate Compliance Programs, Criminal Division, Washington DC.

International Organization for Standardization (ISO) 2021, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, ISO, Geneva.

OECD 2023, G20/OECD Principles of Corporate Governance, OECD Publishing, Paris.