Where Compliance Goes From Here
Last week I attended a forum here in Boston talking about the future of the corporate compliance profession. The conversation meandered across numerous issues, but one unspoken question was never far from people’s minds: Should compliance officers be worried that some day soon, your role will become obsolete?
My answer is no — or at least, the answer will be no if your board and management team are paying attention to what matters, and you keep your eye on the right technology, economic, and career development trends.
Those are some big assumptions to make, of course; so let me explain what I mean.
Compliance officers’ fear of becoming obsolete is really rooted in two questions:
- Will the regulatory environment degrade so much that corporations come to believe they no longer need dedicated compliance officers?
- Will technology, and specifically artificial intelligence, advance so much that the need for a human compliance officer’s expertise will go away?
Those questions might seem very different, but deep down they’re not. Deep down, both are asking whether the responsibilities of a compliance officer can be disaggregated into several distinct threads, which management would then weave into other risk functions in the Second Line of Defense. Which would leave no role for you.
That insight came to me as I was listening to one of the panelists at that Boston meeting, the inestimable Kristy Grant-Hart. She was speculating about various scenarios that compliance officers could encounter, and knocking down most of them as unlikely. Repeal of the Foreign Corrupt Practices Act? No. An end to internal reporting hotlines? No. Third-party due diligence no longer necessary? No.
Then Grant-Hart said something that stopped me short. Could compliance be subsumed into legal, she asked? “Well, maybe.”
Compliance Program vs. Compliance Capabilities
One can see why a legal team might go down that path of subsuming compliance into legal. If the Trump Administration continues to retreat from regulatory enforcement, that will mean (a) fewer enforcement actions overall; and (b) fewer resolutions requiring long-term reforms that would typically be housed in a compliance program.
So in that case, why not leave regulatory compliance to a manager of regulatory compliance tucked away in the legal team? And while we’re at it, why not assign privacy compliance to the IT team; and oversight of the internal hotline and training to HR; and third-party due diligence to procurement; and risk assessments to some two-person team from legal and internal audit?
That’s the disaggregation scenario I mentioned above. Someone in senior management (probably a tight-fisted CFO or a territorial general counsel) splits the compliance function’s role into its component parts; and then assigns those parts to other business functions that, at least on paper, could manage the work. In a world of weaker regulatory enforcement — where the threat of getting that work wrong is much less — why not give disaggregation a try?
It’s the difference between a single, dedicated compliance program, versus the multiple compliance capabilities (risk assessment, policy management, due diligence, internal reporting, training) within that program. Short-sighted folks will think you can have the latter without the former. That’s the poor thinking compliance professionals need to intercept.
I would knock down this thinking in two ways.
First is the tactical. Who would corral all this compliance activity into one holistic picture for senior management or the board? “Subsumists” never seem to answer that question. You’d have multiple business functions handling multiple parts of the compliance burden, but would they all understand what the others are doing? Or would there be duplication, miscommunication, and misunderstanding of compliance risk?
Second is the strategic. With every passing day, robust compliance capabilities become more valuable to manage operational risk — everything from better cybersecurity, to more reliable supply chains, to a stronger internal culture that brings problems to management’s attention rather than letting them fester. Strong compliance capabilities make your company a more trustworthy, attractive business partner to your customer base. So do you really want those capabilities fractured and subsumed into business functions across the enterprise? Or do you want those capabilities clear, demonstrable, and vigorous, under the oversight of a single compliance executive?
As I said at the start, a wise board and management team will understand that compliance capabilities and integrity are as much a strategic advantage to manage risk, as they are duties to demonstrate compliance with a regulatory settlement. That’s the framing compliance officers need to bring up constantly.
AI and Redundancy
We still have that second question, about whether artificial intelligence will improve so much that human compliance officers will no longer be necessary. My answer is still no — if you have wise, forward-thinking management.
Consider the very language of the question, “Will AI make compliance officers redundant?” It assumes that AI replaces the chief compliance officer.
So, will the AI then report to the general counsel? Will the chief risk officer ask the AI to identify the riskiest third parties in your extended enterprise and then inform First Line operations leaders that those vendors have been dropped from the approved vendor list?
Of course not. Such questions make no sense, but they are the questions that would naturally follow from the starting point that AI “replaces” the CCO.
What people really mean to ask is whether AI would allow the general counsel to perform the CCO’s work, or at least to assign that work to someone else. It’s another version of the disaggregation scenario I unpacked above: a belief that better technology (AI) will allow other people across the enterprise to manage compliance duties without an actual compliance function. That’s the true question lurking at the back of everyone’s mind.
Compliance officers need to turn that thinking on its ear. If AI will let one person do 1.25 persons’ worth of work — shouldn’t you be harnessing AI to do more of that work, and to make a robust culture of integrity and compliance even more valuable to your organization? Isn’t that going to be the wiser course in our modern world, rather than using AI to disaggregate the ethics and compliance function and sprinkle its duties across the org chart?
For example, you could use AI for better regulatory change management, faster policy development, more accurate transaction monitoring, better risk assessment and reporting, and so forth. AI would also let you foster a stronger sense of integrity and trust within your workforce, which can be leveraged into an organization more cohesive and responsive to changing business conditions. That’s using ethics and compliance in a strategic manner.
The one point that does worry me is that the CCO might see less growth (or outright reduction) in the size of your team. That is, if AI is letting you do 1.25 persons’ worth of work, you might not need a compliance analyst to evaluate all those suspicious activity reports, or a policy analyst to keep policies current with changing regulations. Which raises unsettling questions about where the CCOs of 2040 will come from, if they don’t secure junior-level compliance roles today.
I don’t have an answer for those questions now. (If you do, I’d love to hear them; please send them to mkelly@radicalcompliance.com.) But a compliance function that is growing more slowly in personnel terms is not the same as a compliance function split into shards and assigned to other business functions.
So yes, this is a challenging time to be an ethics and compliance professional. I’d still bet on the durability of the ethics and compliance profession every day of the week.