Why compliance still lives in separate systems

A question that comes up consistently in our customer dialogues is rarely about lack of effort. Organisations have invested in tools, processes, and expertise. The first line has its systems. The compliance function has its own. The board gets a report once a quarter. But when someone asks "where do we actually stand right now?" — in real time, across the whole organisation — there is no good answer.

That is not a sign of poor compliance work. It is a structural problem. And it stems from the fact that the technology to consolidate compliance across all lines of defence into a single system has barely existed until recently.

Three lines, three separate realities

Most organisations operate on a three-lines-of-defence model for internal control. The first line owns and executes controls. The second line monitors and verifies that controls are working. The third line — internal audit and the board — reviews and reports.

In theory, these connect. In practice, they live in separate systems, separate documents, and separate processes that rarely talk to each other.

That creates three concrete problems.

Duplicated effort. The same requirements are documented and reported by multiple functions independently. The first line fills in a form. The compliance function runs its own mapping. Internal audit requests materials that already exist somewhere — but not in the right format or the right place.

Blind spots. When systems are not connected, no one has a complete picture. An incident handled in the first line does not automatically appear in the compliance function's risk view. A control that has stopped working does not surface in the board report until someone manually compiles the information.

Retroactive reporting. The board and management receive a picture of how things looked last quarter, not how they look today. That is a problem in itself — but it becomes an acute problem when DORA requires incident reporting within four hours and NIS2 demands continuous documentation of security measures.

The misconception about what a "compliance system" means

Misconception: A compliance system is a tool for the compliance function.

Reality: A compliance system used by only one function does not solve the problem. It creates another silo.

This is where system design matters. For compliance to work across the whole organisation, the system must be built for all three lines simultaneously — with different views, different tasks, and different reporting formats, but a single shared data source underneath.

The first line needs concrete tasks, not abstract requirements. The compliance and risk function needs a configurable control system with continuous status updates. The board and management need a real-time view of compliance status and a complete audit trail.

If those three views are built on different data sources, the problem has not been solved — it has just been digitised.

What it takes to make it hold together

A consolidated compliance programme requires three things to be in place.

A single source of truth. All three lines work against the same underlying requirements, controls, and evidence. Not copies of each other — the same source.

Role-based views. What a lawyer in the first line sees and does differs from what the compliance manager needs, and from what is reported to the board. The system must handle all three without requiring manual translation between them.

Event-driven updates. When something changes in the business — a new contract, an incident, a system change — it should be reflected across all relevant views automatically. Not after the next quarterly meeting.

That is the difference between compliance as an administrative function and compliance as an operational control mechanism.

Want to see what compliance looks like when all three lines work in the same system?

Hy5 is built to operationalise compliance across the entire organisation — from concrete tasks in the first line to real-time oversight for the board. Used by Swedish organisations in finance and critical infrastructure to replace fragmented processes with a single, consolidated system.

Book a demonstration of Hy5

Hy5 dramatically increases the speed and reliability of compliance work. For the entire company.

Book a demo today