The other day, I attended a panel discussion of compliance officers talking about how corporate compliance might change with the arrival of the Trump Administration.
Except, we never got around to that discussion – we were too busy talking about how corporate compliance probably won’t change that much, despite all the regulatory uncertainty rumbling along in the background.
Why not? Because while corporate ethics and compliance programs might have started 25 years ago as a company’s effort to respond to something (usually an enforcement action from a regulator), the business landscape today is utterly different. Strong ethics and compliance programs now have an intrinsic value to the success of large businesses, regardless of any particular president’s policy agenda.
That’s a point compliance officers should keep top of mind when talking with boards and management teams about the future of corporate compliance broadly, and the future of their own corporate compliance program specifically.
So how can you have those conversations? Focus on a few key messages.
Robust compliance can help grow the business.
For starters, remind everyone that while corporate compliance programs may have started to placate regulators, just about all organizations today need compliance programs to placate customers. The stronger your compliance program is, the more attractive a business partner you’ll be to those customers.
For example, say you’re a tech business looking to sell your IT systems to large corporate customers. You could have the most affordable, whiz-bang technology in the world – but if you can’t prove that your systems also have solid privacy and cybersecurity controls, those corporate customers won’t return your calls.
Or let’s say that you’re an electronics distributor, working in markets around the world. If you can’t demonstrate that you have a robust compliance program to avoid corrupt government officials, sanctioned entities, transnational gangs, and the like – expect lots of skepticism from global businesses considering whether to use your services.
Both of those scenarios were true before the Trump Administration showed up, and they’ll remain true after it ends. They’re true irrespective of any particular administration because those compliance program capabilities address business risks your vendors have, not specific regulations pushed by a specific administration.
As the business world keeps moving toward more inter-dependence, with more reliance on third parties, the ability to identify and control your own compliance risks will become ever more valuable to your customer base. That’s a message the board, senior management, and First Line operating teams should hear.
Robust compliance can help govern internal risks.
You can also stress that a robust compliance program is critical to the company’s own internal operations. The capabilities of a strong ethics and compliance program – risk assessment, due diligence, policy management, internal reporting systems, training – are ones that a business can use to manage all sorts of risks. And lots of those risks are operational threats as much as they are compliance headaches.
Again, privacy and cybersecurity are excellent examples to cite. Yes, they’re compliance risks because they’re so heavily regulated – but they’re also operational risks. A ransomware attack can paralyze your business for weeks and cost millions; a privacy breach can alienate customers and cause civil litigation. Strong privacy and cybersecurity compliance programs can keep such risks in check, and those risks are the ones that keep boards and CEOs awake at night.
Anti-harassment training is another example. A strong anti-harassment training program keeps potential regulatory enforcement or civil lawsuits at bay, but it also improves workplace morale and camaraderie. That, in turn, brings benefits such as lower employee turnover, higher productivity, and easier workforce development and planning.
So, in multiple ways, compliance officers can – and these days, must – argue that a strong program does more than help the company to meet specific regulatory compliance obligations. Those same capabilities also make your business more responsive to all sorts of risk, and that’s the strategic advantage all organizations need.
You already have the fundamentals in place.
The good news with this message is that your compliance program already has (or at least, should have) all the capabilities you need to help your enterprise navigate its business risks. They’re the same capabilities that guide the compliance program itself: risk assessment, due diligence, policy management, internal reporting systems, training.
That’s not to say you can just provide a copy of your own compliance program dashboard to senior management and declare victory. The reporting you provide to the board will need to be more nuanced and contextual. But the mechanisms you use to identify problematic new regulations, or weak internal controls, or errant business teams that seem to be deviating from policy – those mechanisms are the ones you already use now.
For example, your compliance program could collect data on employee training rates and exception requests for gifts and entertainment expensing. You could then compare those numbers across geographic or operating segments (ideally in a dedicated GRC tool) to identify business segments that might pose higher corruption or sanctions risk than other parts of the company.
That last part could then go into a report to senior management: “We should tread carefully with Division ABC, which seems to be struggling with customer due diligence procedures. If we launch our growth initiative there right now, that could haunt us later.”
We could spool up numerous other scenarios along similar lines: assessing IT access procedures for independent contractors working on your behalf; identifying business units with high rates of harassment complaints; documenting your compliance with GDPR requirements so would-be business partners know they can share data with you; and so forth and so on.
The bottom line is that in today’s complicated, global, IT-centric, and highly regulated world, businesses will always need the capabilities that a strong compliance program provides. That’s true no matter what regulatory thunderstorms roll through the headlines on any given day – and it’s a message the rest of your enterprise needs to hear.