Implement compliance policies, procedures and controls to mitigate your risks

What this means

Each business is unique. Your compliance policies should be too. There are no ready-made solutions to ensuring compliance. Your policies must be tailored to your operations, risk profile and the tasks your employees do every day.

Compliance policies spell out what your organization expects of your employees and your organization’s leadership. They should include standards such as a code of conduct and organizational policies.

Procedures are internal controls that are designed to help your employees and your organization avoid breaking the law. The procedures should be customized to mitigate the specific risks faced by your organization that you would have identified in your risk assessment.

A small reminder on what makes a compliance program credible and effective

Your compliance program needs to be credible and effective to truly help you.

To be credible, your program must at a minimum show your business’ genuine commitment to obeying the law and competing fairly.

To be effective, your program must inform all your people, and those acting for your organization, that compliance is important. It must inform them of their legal duties and your internal compliance measures. It should also give you the tools to prevent and detect misconduct.

Your program should be reasonably designed, implemented and enforced in the circumstances. This means that it addresses your organization’s risks within your resources and in light of your business activities.



  • core values of the organization
  • code of business conduct
  • general do’s and don’ts for staff

Procedures and internal controls


  • internal controls to prevent possible misconduct (e.g., approvals to participate in trade associations, procedures for vetting marketing campaigns)
  • mechanisms to report possible illegal activity or risky behaviour anonymously
  • protocol to be followed in case of possible illegal activity

Why it matters

Maintaining compliance policies, procedures and controls is an ongoing commitment that is critical to the effectiveness of your compliance program. Your high-level compliance policy sets out what you expect of your employees. Your internal procedures and controls put your policies into action and provide checks to prevent and detect potentially illegal activity and risky behaviour.

If you’re a small business...

A compliance program is a set of business practices scaled to your organization’s size, resources and risks. It doesn’t have to be costly to implement, but your entire organization has to make a serious commitment. Even small and medium-sized enterprises can have simple yet effective compliance policies, procedures and controls without huge expense or overburdening their day-to-day operations. This guidance covers the principles and key concepts to keep in mind while developing and running your own policies, procedures and controls.

If you do not have adequate resources to create a compliance program in-house, trade associations might be able to help you build compliance policies, procedures and controls. Also, many free or low-cost resources are available online to help you understand compliance best practices and how to apply them in your business.

How you can implement compliance policies, procedures and controls

Design your compliance policies, procedures and controls to:

  • be customized to the operations of your business
  • take into consideration your business’ risks
  • include compliance measures to meet the most likely and most serious risks

Implementing compliance policies, procedures and controls is an ongoing activity. You have to monitor risks regularly and your compliance program needs to be flexible enough to adapt to emerging risks. You have to notify your employees and third parties acting on behalf of your organization about any updates to your compliance policies.

An effective compliance program depends on employees who are properly informed about your policies, procedures and internal controls. Therefore, it is important to communicate this information to your employees and make sure it’s understood.

Tips on compliance policies, procedures and controls

  • Document your compliance program

    Clearly write your compliance policies, procedures and controls and distribute them to all your employees. Think about the jargon and languages best understood by your employees. Use plain language where possible.

  • Publish your code of conduct

    You could publish a code of conduct on your organization’s website. This will help third parties such as suppliers, service providers and customers dealing with your organization to understand your values and expectations.

  • Learn from your risk assessment

    Design policies, procedures and controls for your different business units and regional operations based on their specific risks that you have identified (for instance, a list of do’s and don’ts and “red flag” issues).

  • Update your measures

    Compliance policies, procedures and controls should be updated to factor in changes to your risk profile.

  • Communicate with your employees

    Notify employees promptly of any updates to the compliance program. For major updates, consider holding special training sessions for your employees.

  • Enforce your policies, procedures and controls

    The compliance officer should check regularly that your policies, procedures and controls are properly implemented.

DISCLAIMER: Because every situation presents unique facts, the information set out herein is provided for general information only. This content is not a substitute for legal advice, nor is it a binding statement of the Commissioner of Competition’s position on the requirements or efficacy of any particular compliance program. Indeed, there is no one-size-fits-all approach when it comes to achieving credible and effective compliance.

The Competition Bureau launched a Compliance Portal to help you and your business stay on the right side of competition and labelling laws. It replaces the Corporate Compliance Programs Bulletin. We’re currently reviewing the feedback we received during the recent consultation on the form and substance of this portal. An update will follow later this year.