Companies tend to be great at defining new programs, rules, strategies and any other marching orders issued by top management. Some do it every year. The weak link tends to be the implementation. The board decision is seen by many as the point beyond which "management" must do the rest. If you are lucky, a presentation pack will be made available and a roadshow will be organized to trigger implementation. The flawed assumption is simple: things will happen because top management says so.
If you take the view that much of what is decreed in this way is short-term-oriented nonsense anyway, then you might conclude that the fabric of the company gets protected by the lack of effective implementation. But if you are dealing with international standards on security such as ISO 27001, then an effective implementation is a must, and the risk that poor implementation poses to reputation, material damage, lawsuits and profits is immense. If you need ITIL, CMMI or ISO because no self-respecting client will give you a contract without it, then implementation becomes too important to fail.