As the ethics crisis at FIFA continues to play out in the news, it would be easy for business leaders to dismiss the headlines as uninstructive, even irrelevant. FIFA, after all, is a non-profit sports organization, not a business. And its ethical failures are on such a grand scale that most security and compliance officers could reasonably conclude they’ll never face anything like them.

But I’d warn against ignoring the FIFA scandal. In fact, it can be highly instructive to every security and compliance officer.

To quickly review, FIFA, the governing body for world soccer, has been engulfed in scandal since Spring 2015, when Swiss authorities indicted 14 soccer officials on corruption charges. But allegations of bribery, self-dealing and other corrupt behaviors have swirled around FIFA for decades, and especially since the election of Sepp Blatter as president in 1998. Last June, Blatter announced his resignation, but said he’d stay until FIFA found a suitable replacement. Instead, FIFA’s ethics committee suspended him in October while it looked into suspected corruption. And then, on December 21, the committee concluded its investigation and banned Blatter from soccer for eight years.

While banning its long-time president may seem like a show of strength by FIFA’s ethics committee, it can also be seen as too little, too late.

Corruption in FIFA has been a problem for years. Back in 2002, Blatter’s chief deputy submitted a dossier to Swiss authorities detailing all sorts of malfeasance at FIFA. Blatter survived the scandal, keeping his job while the whistleblowing deputy was squeezed out. It helped that FIFA had no ethics policy at the time; whatever he’d done, Blatter hadn’t broken the rules because there weren’t any.

First lesson: Every organization needs ethics and compliance policies that set the standards of behavior that employees and executives are expected to abide by. The policies must be written, updated regularly and treated seriously by leadership. And the goal should be not just to ensure employees abide by the law, but that they behave in a way that protects the organization’s reputation.

FIFA did release a Code of Ethics in 2004, but here we are, 11 years later, and the committee charged with enforcing those rules is accusing the president of conflicts of interest, breach of fiduciary duty and other ethical failings. Between the creation of the policy and Blatter’s punishment, he was reelected twice amid a steady stream of scandalous headlines.

What this suggests is that, even with a Code of Ethics, FIFA didn’t really take ethics seriously. This is something that we see, albeit on a smaller scale, at many organizations: Policies are committed to writing, but not communicated or enforced in ways that indicate leadership truly cares about them. This helps create a culture of tolerance for behavior that will inevitably bring legal and reputational harm to the organization.

Second lesson: It’s vital to exercise constant vigilance against cultures that allow employees and executives to bend the rules to achieve business objectives, or for personal gain. Without such vigilance, it is all too easy for individual actors to rationalize taking unethical actions – indeed, to not even see them as unethical. Clear policies are essential to this effort – but it also requires consistent enforcement.

What’s most shocking about Blatter’s downfall is that he’s only now being truly scrutinized by FIFA. Why didn’t the organization clean itself up, say, back in 2002, when Blatter’s own deputy documented financial mismanagement, conflicts of interest and abuse of power? Why wait until 2015? From the outside the answer looks simple: because this was the year that Swiss and American law enforcement got involved. It is only in the aftermath of their actions that FIFA seems to be getting serious, with the Executive Committee approving widespread institutional reforms in December 2015, and with the Ethics Committee’s actions following a few weeks later.

Third lesson: Never, ever wait to take action on ethical matters until outside authorities get involved.

Handling matters internally – as early as possible – without sweeping them under the rug or providing superficial closure, not only keeps those problems from escalating, but also gives employees confidence to come forward in case they ever encounter ethical violations. If those issues are not addressed, it sends the implicit signal that unethical behavior is tolerated.

None of these lessons is a revelation brought on by the FIFA scandals, of course. What those scandals illustrate, however, is just how crucial it is to abide by the most basic of rules for creating and maintaining a culture of ethics and compliance.