Tag: change management

Categories
Blog

When Employees Are Drowning in Compliance Change

Compliance professionals know the drill. A new policy is issued. A new training module goes live. A new third-party platform is rolled out. A new AI use standard is announced. A new M&A integration plan hits the field. A new sanctions update requires immediate attention. Each initiative may be defensible on its own. Taken together, they can overwhelm the very employees the compliance program depends upon.

That is the central compliance lesson from David Grossman’s MIT Sloan Management Review article, “When Employees Are Drowning in Change.” Grossman argues that effective leaders do not simply manage change; they manage how people experience change. His article identifies three disciplines that matter: make dialogue nonnegotiable, align leaders around a shared change narrative, and sequence change with employee capacity in mind. For compliance professionals, this is not merely a communications issue. It is a program effectiveness issue.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks three core questions: Is the program well designed? Is it adequately resourced and empowered? Does it work in practice? The DOJ also makes clear that prosecutors look at whether compliance policies, training, reporting lines, incentives, discipline, and controls are integrated into the company’s operations and workforce. That means a compliance change that employees cannot absorb is not fully implemented. It may exist in a slide deck, an LMS platform, a policy portal, or a board report. But if it does not change behavior, it is not yet operating as a control.

Compliance Fatigue Is a Real Risk

Compliance professionals often think about risk in categories: anti-corruption, sanctions, fraud, conflicts, privacy, cybersecurity, antitrust, money laundering, books and records, and now AI governance. Employees do not experience risk in neat categories. They experience messages, requirements, approvals, certifications, controls, deadlines, and consequences.

That distinction matters. A sales manager may receive anti-bribery training, a gifts-and-hospitality update, a new distributor due diligence process, a revised approval matrix, an AI acceptable use notice, and a speak-up campaign in the same quarter. Compliance may see six separate risk-based initiatives. The employee sees a wall of instructions.

When that happens, the program creates noise. Employees may technically complete training but not internalize it. They may certify to policies but not understand how to apply them. They may attend a town hall but not know what has changed in their daily work. Worse, they may stop asking questions because the system feels too heavy to navigate. That is where Grossman’s change management lessons become directly relevant to the Chief Compliance Officer and the compliance team.

Make Dialogue a Compliance Control

The first discipline is dialogue. In compliance, dialogue should not be treated as a courtesy or a soft engagement tool. It is a control input.

The ECCP asks whether training and communications are tailored to the audience’s size, sophistication, subject matter expertise, needs, interests, and values. It also asks whether employees can ask questions arising out of training and whether the company measures training effectiveness, engagement, learning, and behavioral impact. This is a direct invitation for compliance teams to move beyond “push” communications. A one-way compliance rollout looks like this: publish the policy, assign the training, send three reminder emails, track completion, and report 98% completion to leadership.

A better model looks like this: identify the affected employee groups, ask where the new requirement will create friction, test the message with managers, build scenarios from real operational issues, provide a practical decision tool, hold short Q&A sessions, track questions and exceptions, and adjust the rollout based on what employees tell you.

Dialogue also requires closing the loop. When employees raise concerns about a new control, compliance does not have to accept every suggestion. But it should explain what it heard, what it changed, and what it could not change. Silence breeds skepticism. In compliance, skepticism becomes a workaround.

Build One Compliance Change Narrative

Grossman’s second discipline is alignment around a shared change narrative. This may be the most underused tool in the compliance function. Compliance teams frequently communicate in fragments. Legal explains the law. Compliance explains the policy. Internal audit explains control gaps. HR explains discipline. IT explains system access. Procurement explains third-party onboarding. Finance explains approval requirements. Each message may be accurate. Together, they may feel disconnected.

A compliance change narrative answers four practical questions:

  • Where have we been?
  • Where are we today?
  • Where are we going?
  • What must employees do differently?

For example, an AI governance rollout should not begin with a policy citation. It should begin with the business reality: employees are already using AI tools; the company wants innovation; customer and confidential information must be protected; decisions must remain accountable; and the company needs a consistent control framework. Then the compliance team can explain the required behavior: approved tools, prohibited uses, human review, data restrictions, escalation points, and monitoring.

This is also where middle management becomes essential. The DOJ expects senior leaders to communicate ethical standards clearly and demonstrate adherence by example. It also asks how middle management reinforces those standards and encourages employees to abide by them. In practice, employees often take their cues not from the CCO but from their direct supervisor. If the supervisor treats a new compliance requirement as administrative noise, the employee will do the same. Before any significant program change, compliance should align leaders on the story. Not a script. A shared narrative. What risk are we addressing? Why now? What will be easier? What will be harder? What support will employees receive? What does good look like?

Sequence Change With Capacity in Mind

The third discipline is sequencing. This is where compliance teams can create immediate business value. Grossman’s article notes that organizations often fail not because they are doing too much, but because they are doing too much at the same time without discipline. Compliance is vulnerable to this problem because every risk owner believes their initiative is urgent. The answer is not to do less compliance. The answer is to sequence compliance change with the same rigor applied to capital projects, technology rollouts, or major business transformations.

A mature compliance function should maintain a compliance change calendar. It should show what is hitting which employee population, when, and why. It should identify collision points. It should distinguish regulatory deadlines from preferred deadlines. It should flag high-risk groups that are already carrying heavy control burdens, such as sales, procurement, finance, logistics, government affairs, and third-party management teams.

The ECCP supports this risk-based discipline. Prosecutors ask whether the company deploys compliance resources in a risk-based manner, whether risk assessments are current, and whether updates to policies, procedures, and controls reflect lessons learned and evolving risks. Sequencing is part of that risk-based resource allocation. It is how compliance protects both the business and the control environment.

This is especially important in M&A integration. After closing, compliance must integrate codes, policies, hotline access, third-party controls, financial controls, training, investigation protocols, and audit plans. The DOJ specifically asks about the post-transaction compliance program, compliance oversight of the new business, incorporation into risk assessments, and post-acquisition audits. If compliance imposes all requirements on the acquired business at once, it may create both formal coverage and practical confusion. A sequenced plan gives employees a path from old expectations to new standards.

Measure Whether the Change Landed

Completion rates are not enough. Certifications are not enough. Attendance is not enough. The ECCP asks whether the program works in practice, whether it evolves, whether the company uses data to assess the program’s effectiveness, and whether it measures culture and seeks input from all levels of the organization. That means compliance change management must be measurable.

For training and communication, useful measures include questions asked, policy search data, guidance requests, hotline and speak-up trends, control exceptions, approval delays, audit findings, investigation themes, manager feedback, and pulse survey results. The issue is not simply whether employees received the message. The issue is whether they understood it, trusted it, and used it.

This is the practical bridge between Grossman’s article and the ECCP. Change management is not separate from the effectiveness of the compliance program. It is how effectiveness is achieved.

Practical Takeaways

  1. Create a compliance change inventory. List every major policy, training, system, control, campaign, certification, and reporting change scheduled for the next two quarters.
  2. Map the impact by employee group. Identify who is being asked to absorb the most change and whether those employees sit in high-risk roles.
  3. Require a change narrative for every significant rollout. The narrative should explain the risk, the business rationale, the required behavior, and the available support.
  4. Build dialogue into the process. Use listening sessions, manager huddles, Q&A channels, post-training feedback, and office hours. Then close the loop.
  5. Sequence based on risk and capacity. Not every compliance initiative can be first. Prioritize what is legally required, what addresses the highest risk, and what enables other controls to work.
  6. Measure behavior, not just delivery. Report to leadership on whether the change landed in the business, not merely whether the email was sent or the training was completed.

The compliance lesson is clear. Employees do not fail to follow compliance programs only because they lack information. Sometimes they fail because the organization has given them too much change, too little context, and no practical path to execution. A better compliance program does not simply say more. It listens better, aligns better, sequences better, and measures whether the business can actually do what compliance has asked.

Categories
Blog

The AI Revolution in Regulatory Change Management

Recently, I had the opportunity to visit with John Byrne, the CEO at Corlytics. You can listen to the podcast here. Every compliance professional understands that regulatory change management is one of the most complex, labor-intensive, and time-consuming tasks within any organization. Regulations emerge continuously, each bringing extensive new obligations that ripple across multiple business units, policies, and control frameworks. Compliance teams historically faced daunting timelines, sometimes taking an entire year to fully analyze, interpret, and implement changes in business operations. However, innovations in technology are dramatically reshaping this landscape. Imagine compressing twelve months of arduous regulatory adjustments into mere moments. This is no longer just aspirational thinking; it is reality.

In today’s post, we’ll examine the traditional complexities around regulatory change management, how cutting-edge technology is radically streamlining this process, and highlight five critical lessons compliance professionals can leverage to optimize their organization’s responsiveness to regulatory developments.

Lesson 1: Understand the Traditional Challenges of Regulatory Change

Before appreciating modern solutions, it’s crucial to acknowledge historical complexities. Significant regulatory initiatives, such as MiFID II and Dodd-Frank, have dramatically reshaped the compliance landscape, demanding extensive recalibration. For example, MiFID II significantly impacted the Financial Conduct Authority’s (FCA) handbook, altering roughly 40% of its content. Such sweeping regulatory changes ripple throughout an organization, affecting various business functions, including operations, risk management, and compliance.

Traditionally, each of these changes required meticulous manual analysis, dissemination across multiple departments, and comprehensive impact assessments. Compliance teams had to painstakingly map how regulatory shifts affected their business model, risk frameworks, internal controls, and policies, typically involving months of collaboration, interpretation, and documentation.

Lesson 2: The Importance of Cross-Functional Collaboration

Managing significant regulatory changes is not a solitary compliance exercise. It demands deep cross-functional collaboration between compliance, risk, legal, operations, and business leaders. Historically, compliance teams coordinated painstakingly with each business unit to understand regulatory impacts and necessary adjustments.

This cross-functional coordination ensured a comprehensive understanding of the business and a successful implementation. Yet, manually driven communication meant the process was slow and prone to misunderstandings. A robust, streamlined mechanism to align diverse departments swiftly is now not only beneficial but essential. Compliance professionals must embrace strategies and technologies that facilitate rapid, precise, and accurate cross-departmental collaboration.

Lesson 3: Assessing Risk—Beyond Just Understanding Changes

It is not sufficient merely to understand regulatory changes; one must also apply them effectively. Compliance teams must rigorously assess how these changes influence organizational risk profiles. Each regulatory adjustment brings new risks or modifies existing ones. Historically, comprehensive risk assessments involved extensive discussions and manual reviews, taking months to identify, classify, and appropriately mitigate emerging threats.

Advanced technology can dramatically accelerate and automate this critical phase. Modern systems enable compliance professionals to model potential regulatory impacts instantaneously, revealing dynamic insights into evolving risk landscapes. Adopting such real-time analytical capabilities significantly enhances compliance teams’ ability to manage emerging threats proactively.

Lesson 4: Implementing and Updating Controls and Policies Efficiently

Once compliance professionals understand the regulatory implications and associated risks, the next challenge is to adjust internal controls and policy frameworks accordingly. Typically, senior executives across risk, compliance, and legal functions painstakingly review, adjust, and approve these critical documents. Implementation, followed by extensive training and communication, added significantly to the process time.

The transition from manual to automated processes is transformative here. Imagine a scenario where changes to policies, procedures, and controls are instantly drafted, reviewed, and documented, allowing senior compliance and risk leaders to validate adjustments swiftly. Such automation dramatically reduces operational disruption, enhances accuracy, and enables compliance professionals to focus strategically rather than getting bogged down in administrative minutiae.

Lesson 5: Leveraging Technology for Real-Time Regulatory Compliance

Perhaps the most groundbreaking shift in regulatory change management is transitioning from manual, slow-moving processes to leveraging AI and automation tools capable of real-time responses. The technology described, for instance, compresses extensive manual processes, such as marking up regulatory documents and determining future obligations, into seconds, thereby enabling rapid adjustments to controls and procedures.

Imagine: within moments of identifying a new regulatory requirement, compliance teams instantly understand the implications across obligations, policies, and internal controls. The immediate efficiency, traceability, and accuracy this provides are profound. It represents a paradigm shift in compliance effectiveness and agility, transforming compliance from a reactive, slow-moving department into a nimble, strategic powerhouse capable of proactively safeguarding organizational integrity and regulatory adherence.

Conclusion: Embracing the Future of Compliance

For compliance professionals, the transformative potential of real-time regulatory change management is immense. The era of manual, drawn-out compliance adjustments is rapidly fading, replaced by swift, technology-driven processes offering unprecedented accuracy, responsiveness, and strategic value.

To remain competitive and compelling, compliance teams must proactively adopt and leverage these technological advancements to stay ahead of the curve. Real-time analytics, dynamic traceability, and instantaneous updates to controls and policies allow compliance professionals to move from reactive gatekeepers to proactive business enablers. Ultimately, organizations adopting these innovative approaches will experience significantly reduced compliance risks, greater operational efficiencies, and enhanced strategic decision-making capabilities.

Compliance leaders must act now by exploring, testing, and deploying technologies that enable rapid and accurate responses to regulatory shifts. Those who succeed will not only dramatically enhance their compliance effectiveness but will solidify their role as indispensable strategic partners within their organizations, capable of guiding businesses confidently through the ever-changing regulatory landscape.