Writing

The Greenfield CMS Build Sequence

2026-05-29  ยท  Drew Davidson

Build the sequence, or build nothing.

The two most likely benefactors of reading this are the compliance hire looking out at their first solo build and the person who hired them.

Zero-to-one compliance programs do not fail because an artifact is missing. They fail because they were built out of sequence. There is a sequence to how a compliance management system gets built, and the sequencing is paramount, because each layer rests on the one underneath it. Build out of order and you wind up with controls you cannot defend, policies you cannot enforce, risk you cannot assess, and a litany of program material that looks fine at first pass and collapses the moment your sponsor bank starts pulling on a thread.

No one has marketed this part. Vendors sell components. Consultants sell deliverables. The order of operations is not on a slide because it is not something you buy. It is the effort that determines whether what you bought works. What follows is the order, what each step needs from the step above it, and what I have watched happen when people try to skip the line.

Risk Assessment First. Excuses and Blockers Inform That Risk.

This is the foundation of your program. The strength of your program depends on your ability to understand the associated risk exposure of the business you are supporting. The risk assessment is a living artifact that explains every decision the rest of the program makes. Every person who scrutinizes your program will eventually ask some version of the same question. Why does your policy say what it says, and why does your control test what it tests. The answer lives in your risk assessment.

The thing I see most often is policies written first and a risk assessment dressed up afterward to match. External auditors and your sponsor bank will spot it in five minutes. It is easier than you might think. The policies are too clean. The risk assessment lines up perfectly. The dates do not match. What you have built is a false sense of confidence that will come undone during questioning from oversight. Avoid this easy pitfall. Do it for real. Build real gates that involve revisiting it when the business shifts.

Governance Second. Who Decides?

Before anybody writes a policy, the company has to know who has standing to approve one. Who escalates when something is off. Who hears the escalation. That is what governance is. It is not a well-polished board deck and it is not a charter you replicated from another company. It is who decides, clearly documented, with names attached.

Skip this and your policies get signed by whoever was in the room that day. Six months later somebody asks who owns the decision behind a given control and the answer is some version of a shrug. This is going to start you backpedaling under review. Authority gaps are exacerbated under pressure. Governance does not feel urgent. The product team is not asking for it. That is exactly why it gets pushed off. Do it, or your program is performative at best.

Policies Third. Now They Have Teeth.

Once you have a real risk assessment and a real governance structure, policies start to mean something. Each one has a documented basis. Each one has an approval authority. Each one reflects a decision a person holding authority made.

The version of this I see most is the company with thirty crisp policies sitting on top of nothing. It reads well from the outside. It does not survive the first follow-up question. The point is not how many policies you have or how many pages they are. The point is whether you can confidently, and competently, defend them. A small library that holds its weight wins over a long one that does not.

Controls Fourth. Policies in the Wild.

Controls are how policies get implemented in the production environment. They are what the policy looks like when it actually has to do something. A control with no policy behind it is just a business choice somebody made, regardless of how impressive the technical solution is.

This is where things can really go sideways, and I want to be clear that it is rarely the compliance team's doing. Engineering can ship controls fast. Product wants them shipped. So controls get built, and then policies get written to describe what is already running. That is policy as post-process documentation, which is not the same as policy as design, and any examiner will be sure to let you know they understand the difference. Policy design first. Align as an organization on where you will accept friction. Engineering builds to that spec. The control is defensible because of how it got there, not because of what it delivers.

Monitoring Fifth. Can You Do What You Say?

Monitoring tests whether the controls are doing what they were supposed to do. Which means monitoring only works if the controls exist. The controls can only be successful when the supporting policies exist. Skip the upstream work and the monitoring tool starts producing alerts nobody can field, because there is no clearly defined standard for what the alerts mean.

The most common version of this is the company that buys a transaction monitoring platform early. It is the most visible compliance investment they can make. The slide deck from the sales team made you feel like you could do anything. Then you integrate, the alerts start firing, and no one can say with certainty what the right disposition is, because no policy defines the risk appetite, no control defines the threshold, and no governance framework identifies who calls it. The tool is doing its job. The program around the tool does not exist yet. This is the recipe to jeopardize a sponsor bank relationship.

Evidence Is Not a Step. It Is Its Own Discipline.

Every step above creates evidence as you do it, assuming you do it in order. The risk assessment is evidence. The governance documentation is evidence. The policy approvals, the control implementations, the monitoring tuning calls, all of it. Companies that treat evidence as something to assemble in the week before a review learn the hard way that you cannot rebuild decision-making after the fact. I have watched teams spend weeks trying to fabricate a paper trail that should have taken months to build. It never holds up.

The trail gets built while the decisions are being made, or it does not get built. Who proposed it, who approved it, what the basis was, what got considered and rejected, what was still open. None of that is hard if you do it in the moment. All of it is nearly impossible to recreate later in a way that survives scrutiny. Build the discipline in week one of the program, not week one of the review prep.

Why This Order Works

This is not my opinion. This is the compliance lifecycle as it exists today. The dependencies are real. Policies need a risk basis and an approval authority to exist. Controls need a policy to enforce. Monitoring needs controls to test. The evidence trail is what makes the whole thing legible to somebody who was not in the room. Skip a step and everything below it becomes unprovable, which means the program becomes unprovable, which means it does not survive its second sponsor bank review even if it limps through the first.

Founders miss that last part. The first review grades you on intent and effort. The second one grades you on operational reality. A program built out of order can pass the first by looking the part. By the second review the questions have shifted from what does your program look like to how does your program actually run, and looks do not answer that question.

What This Asks of Founders

If you are the founder, the most useful thing you can do is enable the sequence. Every other part of the business will pull against it. Product wants controls. The sponsor bank wants policies. Sales wants the program to look ready for demo calls. Those pressures are real. None of them change the order the work has to happen in if you want to see your hard work preserved.

Compliance programs built out of order are exponentially more expensive, because you end up tearing it down and rebuilding it, usually under time pressure and usually after a finding. This is not an uncommon path, but know that the second build is always worse than the first.

Built in order, even slowly, it compounds value. The risk assessment makes the policies easier. The policies make the controls easier. The controls make the monitoring meaningful. The evidence trail makes all of it defensible. Each step lowers the cost of the next one.

If you are the founding hire, drive the risk assessment first and defend the order against everyone who wants you to skip ahead. If you are the founder, back them when they do. They are doing their job. That alignment, more than any single deliverable, is what separates a program that survives its second review from one that only survived the first.

Back to writingWork with Drew