The Compliance Program That Exists Only in Google Drive
Let me describe a compliance program I meet all the time. It lives entirely in Google Drive.
There's a folder called "Policies (FINAL)." Right next to it, "Policies (FINAL v2)." Somewhere nearby, "Policies_USE_THIS_ONE."
Inside is an information security policy someone downloaded from a template site in 2021, lightly find-and-replaced with the company name, and never opened again. It references a job title nobody holds and a tool the company stopped using two reorgs ago.
No document has an owner. Nobody can tell you the last time any of it was reviewed. There's no evidence a single policy is actually followed — because somewhere along the way, "the policy exists" and "we do this" quietly became the same sentence in everyone's head. And there's no cadence: nothing gets touched until an auditor asks, at which point it becomes a scramble.
Here's the uncomfortable part. On paper, this company "has a compliance program." They'll tell you so with a straight face. It's just that the program is a folder, not a practice.
A real program isn't defined by having documents.
It's defined by:
- Owners — every policy tied to a human who's accountable for it
- Currency — reviewed on a schedule, not in a panic
- Evidence — proof the control actually runs, not just that it's described
- Cadence — a rhythm that keeps all of the above true between audits
The Drive folder is where compliance goes to look alive while being dead.
If your program only wakes up when someone books an audit, you don't have a program. You have a very well-organized graveyard.
Tell us where you are and what you're building — we'll respond with a clear plan.
Get a tailored roadmap