Why Strong Compliance Still Matters So Much
Earlier this week I had the good fortune to attend a panel discussion here in Boston of compliance officers talking about how their approach to compliance might change thanks to the arrival of the Trump Administration. As I suspected, all of them said their approach really hasn’t changed at all — and they weren’t sure that it ever will. Let’s discuss.
The forum took place at Suffolk University Law School. The panelists were two senior compliance officers from tech giants, one compliance officer from a multi-state credit union, and one law firm lawyer who works as an outsourced compliance adviser for local healthcare startups. In other words, the panel had a wide range of experience and perspectives. Still, in one form or another, all four ended up saying pretty much the same two things.
First, the challenges for corporate compliance programs haven’t changed. Second, and perhaps even more important, the need for compliance capabilities hasn’t changed either.
“Yes, Trump got elected,” one panelist said. “I still wake up to 90 emails every morning that need an answer.”
I suspect that answer rings true with many compliance officers. Like, yes, President Trump is firing off one ill-explained executive order after another; but that isn’t translating into fewer concerns that corporate organizations need to worry about. In many ways the chores of corporate compliance are marching along unabated.
And as I listened to the Suffolk panelists describe their experiences with that dynamic, I came away more convinced than ever that strong ethics and compliance functions are crucial for modern business success.
It’s About Risk Management
Perhaps the best example of this point came from the lawyer representing healthcare startups. Many of his clients, he said, have developed impressive technology products, and want to sell those products to the numerous teaching hospitals we have here in Boston or some other large corporate healthcare player.
Except, “those hospitals will have a dozen different people looking at that proposal, and any one of them could say no,” the lawyer said. “Winning a contract with these folks is brutal.” So he counsels his startup clients on how to build strong data protection protocols, privacy compliance regimes, conflict-of-interest policies, and all the other routine elements of a healthcare compliance program; all so those startups can work their way into the good graces of those highly regulated, highly cautious customers.
Consider what the lawyer is really saying there. No senior executive — compliance officer, general counsel, CEO, CFO, board director, or anyone else — would dispute that vendor risk management is an increasingly important piece of business success. A bad vendor can bring financial instability, cybersecurity risk, supply chain glitches, compliance risk, and lord knows what else.
OK, but let’s remember that what is vendor risk management to the customer is enterprise risk management to that vendor. The two are opposite sides of the same coin. The issues that the hospital worries about as vendor risks are the same issues the startup wants to tame as enterprise risks.
Yes, hospital and startup worry about those issues in different ways, but their objectives are fundamentally the same. The hospital wants to obtain evidence that the startup’s cybersecurity, privacy, and other legal or compliance risks are all kept at acceptable levels. The startup wants to provide evidence that its cybersecurity, privacy, and other legal or compliance risks are all kept at acceptable levels, so that it can win customers more easily.
In all sorts of ways, across a host of industries, we see that dynamic over and over again. Strong compliance isn’t just about fulfilling certain regulatory obligations; it’s about demonstrating that your organization can be a reliable business partner to others.
I don’t see that dynamic changing much just because Trump puts regulatory enforcement on pause. Those pauses might change how aggressively you handle certain matters — like, maybe you investigate and fix an FCPA violation internally, rather than hire a white-shoe law firm billing you at $2,200 an hour — but that’s a far cry from dismantling your compliance capabilities entirely.
What’s more, for many compliance concerns, such as cybersecurity or third-party risk management, who cares whether Trump pauses anything? Those compliance enforcement risks are also operational risks, and you need the same set of compliance capabilities (risk assessment, policy management, third-party due diligence, and so forth) no matter what Trump tweets. The skills your company gains by having a strong corporate compliance function are going to have value to your enterprise for a long, long time.
Compliance and ‘Who You Are’
Another great line of inquiry came from an attendee who works in compliance at a small financial advisory firm. His immediate problem was that the Securities and Exchange Commission under the Biden Administration proposed lots of rules for financial advisers, which then received lots of comment; but those proposed rules haven’t been adopted yet. So how is his small firm, with its small compliance function, supposed to know which proposed rules to prepare for right now?
Well, that depends. What is your firm’s business strategy, and how might that strategy affect the risks you encounter? That’s the question compliance officers need to unpack first, so you can understand where to allocate precious resources.
Let’s use our financial advisory firm as an example. His firm might be small today, but striving for rapid growth through some sort of franchise or independent sales team model, targeting zillions of customers at mid-income level. Or maybe his firm wants to stay small forever, providing exclusive services to a handful of customers each worth zillions of dollars.
Neither of those strategies is better or worse than the other; they just lead your compliance program priorities down radically different paths. For example, what would your money laundering risks look like in each scenario? What identity theft controls would you want in place for each one? What technologies would you want in place to document customer due diligence? The answers for each growth model are as different as night and day.
The Suffolk University panelists picked up on that idea repeatedly. A successful compliance program depends on “knowing who you are as a business,” as one speaker put it — that is, knowing your organization’s mission, objectives, and values.
Yes, those things ultimately come from the board and senior management, not you. But once you do have that understanding, you can derive what the biggest risks are likely to be for your business. Then you can derive the compliance program specifics (policies, controls, training materials, automation technologies, and the like) you’d want in place.
And all of that is likely to hold true regardless of Trump’s deregulatory pronouncements coming so fast and so furious these days. Compliance isn’t just about responding to the latest regulation that pops up or vanishes into the breeze. It’s about building capabilities that help your organization navigate a complicated world — and I just don’t see that world becoming any less complicated any time soon.