Compliance, Policy & Regulation
Learn the difference between a company policy and an outside regulation, and how compliance connects the two in everyday work.
What you'll learn
- Tell the difference between a policy, a regulation, and compliance
- Recognise when a rule comes from inside the company or outside the law
- Know when to pause and check before you act
You don’t need a law degree to work inside the rules. What you do need is a feel for where the rules come from and a habit of pausing when something feels uncertain. Most people use the words policy, regulation, and compliance loosely, as if they were the same thing. They’re not, and the difference is genuinely useful. Once you can tell them apart, you’ll know who to ask, where to look, and when a quick question now can save a real headache later. This lesson keeps it plain and practical.
Three words, three meanings
A regulation is a rule that comes from outside your company — a government, a regulator, or a law. You don’t get to negotiate it, and breaking it can carry real consequences for the business. Think of rules about how customer money is handled, how safety is managed on a worksite, or how personal data must be protected. These exist whether your company likes them or not.
A policy is a rule your company writes for itself. Often a policy exists because of a regulation — it’s the company’s plain-language answer to “so how do we actually do this here?” A regulation might say personal data must be kept secure; your company’s policy then says exactly which systems to use, who to email, and what’s forbidden. Policies can also go beyond the law, setting standards the company simply chooses to hold.
Compliance is the everyday work of following both — and being able to show you did. It’s not a department you hand things off to; it’s something you take part in every time you follow a process, fill in a form properly, or flag something that looks off.
A regulation sets the requirement; a policy translates it; you make it real day to day.
Why the difference matters
Knowing which is which tells you how much room you have. If a colleague suggests skipping a step “just this once,” your first question should be: is this an internal policy or an outside regulation? Bending an internal preference is one conversation; ignoring a regulatory requirement is a different matter entirely, with consequences that can reach beyond your team. You don’t have to know the answer yourself — you just have to know that the question is worth asking.
Spotting a regulatory requirement
A regulatory requirement is the specific thing the outside rule demands — keep these records for seven years, verify a customer’s identity before opening an account, report a serious incident within a set time. These often have hard edges: deadlines, exact wording, no exceptions. When you see language like “must,” “required by law,” or a named regulator, treat it as a regulation and slow down.
When a rule sounds absolute and comes from outside the company, treat it as a regulation, not a suggestion. If you’re unsure which it is, ask before you act — never after.
Policies are living documents
Policies change as laws change and as the company learns. That’s why “we’ve always done it this way” isn’t a safe answer — the way may have moved on. When you’re about to do something significant, glance at the current policy rather than relying on memory or a colleague’s half-remembered version. A two-minute check against the source beats an honest mistake.
Sort the sources
Decide whether each statement below describes a policy or a regulation.
Here's where each one goes:
- Must be followed because the regulator says so → Regulation — that's an outside requirement.
- Can change as the company learns and laws evolve → Policy — policies are living documents that adapt.
- Comes from outside the company — law, a regulator, or government → Regulation — by definition, regulations come from the outside.
- The company's own plain-language answer to "how do we do this here?" → Policy — that's exactly what a policy is.
- Breaking it can carry real consequences for the business → Regulation — that's the weight of outside law.
- Sometimes goes beyond the law, setting standards the company chooses → Policy — companies write policies that exceed minimum requirements.
How to use it
In practice, this is mostly about good instincts and good questions. Try phrases like these when something feels unclear:
- “Is this a company policy, or is it coming from a regulation?”
- “Where’s the current version of this policy written down?”
- “This sounds like a legal requirement — can we confirm before we proceed?”
- “I’d rather pause and check than guess on this one.”
None of these make you difficult; they make you reliable. The people who get into trouble are rarely the ones who asked too many questions — they’re the ones who assumed. Keep the three words straight, follow the policy that’s actually current, and treat anything that smells like a regulation with extra care. That’s compliance, and you’re already part of it.
Quick check
1. A rule your company writes for itself is called a…
2. A regulation is best described as…
3. "Compliance" mostly means…