
What Interruptions Reveal About Corporate Culture

Every Chief Compliance Officer talks about culture. Every company claims to value ethics, integrity, respect, inclusion, and speak-up behavior. Those words appear in codes of conduct, CEO messages, training decks, town halls, leadership offsites, and annual ethics campaigns. Yet culture is not built into the code of conduct. It is revealed in the meeting.

That is the central lesson of Research: What Interruptions Reveal About Company Culture by William Degbey, Benjamin Laker, Baniyelme Zoogah, Sanjay Kumar Singh, and Ghulam Murtaza. The authors argue that workplace culture is shaped less by formal statements and engagement programs than by everyday interaction patterns, especially interruptions in meetings. Their research found that interruptions, redirections, and moments where employees were spoken over were not merely interpersonal annoyances. They were signals of whose voice carried weight in the room.

For the CCO, that finding should land with force. A company can have a beautifully written value of “speak up.” Still, if employees learn in ordinary meetings that certain people are cut off, ignored, or not credited for their ideas, the real culture is not to speak up. It is speak-only-if-you-have-power. That is a compliance issue.

Culture Is What Happens Before the Hotline

Compliance professionals often think about speak-up culture in terms of hotline reports, investigation data, employee surveys, and anti-retaliation policies. Those are important. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a trusted reporting mechanism, whether employees feel comfortable using it, whether reporting is encouraged or chilled, and whether employees can raise concerns without fear of retaliation.

But by the time an employee reaches the hotline, the culture has already taught that person a great deal. It has taught them whether management listens. It has taught them whether disagreement is welcome. It has taught them whether bad news is punished. It has taught them whether junior employees can challenge senior leaders. It has taught them whether women, employees from underrepresented groups, remote employees, finance staff, compliance staff, or local market employees are taken seriously.

The authors’ most important compliance lesson is that interruptions are cultural data. They are small, repeated, observable signals that show whether the company’s stated values are protected in daily business interactions or suspended when authority, speed, revenue, or hierarchy enters the room.

Why This Matters to Ethics and Integrity

Ethics and integrity depend on voice. Employees must be willing to raise concerns, ask questions, challenge assumptions, and slow down decisions when something does not look right. If the organization’s meeting culture teaches employees that unfinished concerns can be interrupted, redirected, or appropriated, then the company is training people not to speak.

The authors found that many senior leaders interpreted interruptions as signs of efficiency and engagement. They saw energetic cross-talk as evidence of a productive culture. Yet the follow-up study found that others experienced the same conduct as exclusionary and predictable. Interruptions were disproportionately directed at women and employees from underrepresented racial and ethnic groups. In the follow-up study, 19 of 27 interviewees described women being interrupted more frequently than men; all seven Black women interviewed described early-stage interruptions, and five said others later resurfaced their ideas without attribution.

For compliance, that is not simply an inclusion issue, though it certainly is. It is also a risk-detection issue. If certain voices are routinely cut off, then certain risks will be underreported. If certain employees must speak faster, more defensively, or only when explicitly invited, the company loses early warning signals. If some ideas are accepted only when repeated by someone with greater status, then the company is not evaluating risk on its merits. It is evaluating risk through hierarchy. That is how ethical blind spots form.

The Silent Cost of Being Interrupted

One of the most powerful findings in the article is that interruptions changed employee behavior. Twenty-one of the 27 participants in the follow-up study said they changed how they contributed to meetings. Some spoke faster or more defensively. Some pre-structured arguments to avoid being cut off. Some waited for explicit permission to speak. Others stopped contributing unless necessary. That is exactly what a CCO should worry about.

A healthy compliance culture does not require employees to perform perfectly polished courage. It gives employees room to raise half-formed concerns, ask awkward questions, and test whether something feels wrong before they have built a legal brief around it. Many compliance issues begin as fragments: “Something about this consultant does not feel right.” “The customer is asking for unusual documentation.” “The timing of this payment seems odd.” “Why are we routing this through that entity?” “I am not sure the data use matches what we told customers.” Those are early-stage compliance signals. They need space.

If the meeting culture rewards only fast, polished, confident speech, then employees who need time to frame a concern may never get the chance. The authors note that faster and more confident-sounding speech was often treated as more authoritative, while slower or less forceful speech was treated as incomplete and therefore easier to interrupt. For a CCO, the lesson is clear: do not build a compliance program that only works for the loudest person in the room.

From Tone at the Top to Conduct in the Room

Compliance professionals have long emphasized “tone at the top.” That remains important. But this article reminds us that tone at the top is incomplete unless it becomes conduct in the room.

The DOJ expects companies to demonstrate that compliance policies and procedures are integrated into operations and that a culture of compliance is embedded in day-to-day activities. That is precisely where meeting behavior matters. Meetings are where risk appetite becomes real. They are where employees learn whether the company actually values integrity when there is a deal to close, a target to hit, or a senior executive to satisfy.

A CCO should, therefore, ask:

What happens when ethics enters the meeting?

Does the room slow down?

Does the leader protect the person raising the concern?

Does someone capture the issue and assign a follow-up?

Does the business discuss controls and alternatives?

Or does the concern get interrupted, minimized, joked away, or pushed offline?

The answers will tell you more about culture than a slogan.

Reading Interruptions as Compliance Data

The authors recommend that leaders stop treating interruptions as isolated incidents and begin reading them as data. They suggest observing who gets interrupted, when the interruption occurs, and what happens to the idea afterward. Is the idea acknowledged? Is it dropped? Is it later picked up without credit? That framework can be directly adapted into a compliance culture assessment.

A CCO can ask compliance, internal audit, HR, or an outside facilitator to observe selected meetings where risk decisions are made. These might include third-party approval committees, deal review meetings, product governance meetings, investigations triage meetings, M&A diligence sessions, safety committees, privacy reviews, or regional leadership calls.

The observer should not simply count who speaks. This is not about policing manners. It is about understanding whether the company’s ethical culture allows risk information to travel upward and across the organization.

Slow the Meeting to Surface the Risk

The article warns that speed and forced momentum can amplify inequality. Faster conversations often favor those who already feel entitled to the floor. Those who anticipate interruption compress their thinking, hesitate, or wait for a clear opening. The authors recommend slowing the interaction: let people finish, pause before responding, reinforce the norm when someone is cut off, and rotate facilitation. This is deeply relevant to compliance.

Many corporate failures occur not because no one saw the risk, but because the organization moved past it too quickly. The payment had to go out. The distributor had to be approved. The quarter had to close. The launch date had to be met. The customer had to be retained. In that environment, “speed” can become a cultural value that overwhelms integrity. A CCO should help leaders build an “integrity pause” into decision-making.

Protect the Contribution, Not the Ego

The article also makes an important distinction. Calling out interrupters or turning every interruption into a lesson on etiquette often does not work. It can escalate the moment and personalize the issue. The better approach is to protect the contribution directly. The authors suggest short interventions such as “Let them finish,” “I want to hear the rest of that point,” and “Let’s come back to the idea that was just interrupted.” This is practical guidance for CCOs and compliance professionals.

When someone raises a compliance concern and is interrupted, the compliance professional does not need to accuse anyone of bad intent. Protecting the contribution with one of these short interventions helps to create psychological safety around risk information. Such interventions tell the room that compliance concerns are not interruptions to business. They are part of doing business properly.

The CCO as Culture Observer

A CCO cannot improve culture solely by issuing policies. Policies matter, but culture is reinforced through repeated behavior. The DOJ guidance recognizes that policies and procedures must give effect to ethical norms and be integrated into day-to-day operations. That means the CCO must look beyond policy architecture and ask how people actually behave when decisions are being made.

Not every interruption is retaliation. Not every fast-paced meeting is unethical. Not every dominant speaker is a compliance risk. But patterns matter. Repeated interruption of certain people, functions, geographies, or types of concerns is cultural data. A CCO should treat it as such.

Turning the Article into a Compliance Playbook

A practical CCO response could include five steps.

  1. Add meeting behavior to the culture assessment. Ask employees whether they can finish raising concerns in meetings, whether leaders invite dissent, whether objections to risk are credited, and whether certain voices are routinely ignored.
  2. Observe high-risk meetings. Select a sample of decision-making forums and map interruptions, credit, follow-up, and closure. The goal is not surveillance. The goal is to understand whether the company’s values show up when risk is discussed.
  3. Train leaders on protecting concerns. Leadership training should include simple phrases for the preservation of unfinished risk points. A manager does not need to become a compliance expert to say, “Let’s hear the rest of that concern.”
  4. Build structured dissent into key decisions. For high-risk approvals, require a final risk round before the decision. Ask compliance, finance, legal, HR, internal audit, cybersecurity, or local-market leaders whether they see an unresolved issue.
  5. Report cultural signals to the board. Boards should hear more than hotline statistics. They should understand whether the organization’s meeting culture supports candor, dissent, and ethical escalation.

Improving Corporate Culture Around Ethics and Integrity

The broader message for compliance professionals is that ethics and integrity must become observable behaviors. Employees should see integrity in how meetings are run, how concerns are handled, how dissent is credited, how leaders respond to uncertainty, and how the company treats people who slow down a decision for the right reason.

The bottom line is straightforward. The words on the wall do not prove a culture of ethics and integrity. It is proven by who gets to speak, who gets heard, and what happens when someone raises a concern that slows the room down. For the CCO, the lesson from this article is powerful: look at the meetings. That is where the culture is already speaking.


The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? They also make an important distinction between “alignment” and “agreement.” Alignment may mean that executives are not actively blocking one another. Agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. They also describe the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a quality debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Come to a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.


Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations: no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role, which would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief risk and resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

  • Who owns each critical business service?
  • What are the maximum tolerable disruptions?
  • What systems, people, facilities, data, and third parties support each service?
  • What severe but plausible scenarios have been tested?
  • What vulnerabilities were identified?
  • Who owns remediation?
  • What evidence shows that remediation worked?
  • What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.


AI and Work Intensification – The Compliance Response

There is a comforting myth circulating in corporate hallways and boardrooms: if we deploy AI across governance, risk, and compliance, the work will shrink. Investigations will move faster. Monitoring will get smarter. Policies will draft themselves. Third-party diligence will become push-button. The compliance function will finally “do more with less.” That myth was challenged in a recent Harvard Business Review article, “AI Doesn’t Reduce Work—It Intensifies It,” by Aruna Ranganathan and Xingqi Maggie Ye.

The authors believe that what happens is work intensification. AI expands throughput, increases expectations, and generates more outputs that still require human judgment, verification, and accountability. Instead of fewer tasks, you get more tasks. Instead of simpler work, you get faster cycles, more iterations, and new forms of quality risk. For the Chief Compliance Officer (CCO) leading AI governance, this is not a side effect. It is a core operating model issue.

If compliance owns AI governance across the enterprise, compliance must also own the discipline of how humans and AI work together. I call that discipline an AI practice standard, management guidance that sets expectations for pace, quality, verification, escalation, and sustainable workload.

Today, we consider how to approach this issue as a compliance operating model challenge across all GRC workflows: policy management, investigations, hotline intake, monitoring and surveillance, third-party due diligence, regulatory change management, audit planning, training, and reporting. The tone is cautionary because the risk is real: a compliance function that mistakes AI output volume for compliance effectiveness.

The Compliance Operating Model Problem: More Output, More Review, More Risk

Compliance work is not manufacturing. It is judgment work. It requires discretion, context, and defensible decisions. AI can accelerate inputs and draft outputs, but it does not accept responsibility. The CCO does. The business does. The board does. When AI enters GRC workflows, it tends to create four pressure points:

1. Compression of timelines. If a draft can be produced in five minutes, someone will ask why it cannot be finalized in five more.

2. Explosion of options. AI generates multiple versions, scenarios, and recommendations, which expands decision load and review cycles.

3. Higher volume of “signals.” AI-enabled monitoring produces more alerts, more pattern matches, and more anomalies. Much will be noise. All require triage.

4. Illusion of completion. Teams begin to treat a plausible AI answer as a finished work product. That is how quality defects are born.

The result is a compliance function that looks “faster” while becoming more fragile. Burnout rises. Rework increases. Errors creep into documentation. Controls become less reliable because the humans operating them are overwhelmed by the sheer volume AI makes possible.

All this means the question for the CCO is not, “How do we roll out AI?” The question is, “How do we govern the human work that AI intensifies?”

Five KPIs for Work Intensification Risk

Next, we consider five KPIs specifically designed to measure work intensification. These are board-credible, compliance-owned, and operationally measurable.

1. After-Hours Compliance Work Index

Percentage of compliance work activity occurring outside standard business hours (for example, 6 p.m. to 7 a.m.), measured across key systems (case management, GRC platform activity logs, email metadata, collaboration tool usage). This matters because AI compresses timelines and pushes work into nights and weekends. This index serves as an early warning for burnout and quality failures.

2. AI Rework Rate

Percentage of AI-assisted work products requiring material revision after human review (policies, investigation summaries, risk narratives, diligence reports). This matters because if AI increases speed but doubles rework, you are not gaining productivity. You are shifting effort downstream.

3. Cycle Time Compression vs. Quality Defect Ratio

Track cycle time reductions alongside quality defects (corrections, escalations, documentation gaps, audit findings). You can express this KPI as Cycle Time Improvement / Defect Increase.

This matters because faster is not better if defects rise. This ratio keeps leadership honest.

4. Alert-to-Action Conversion Rate

Percentage of AI-generated alerts that result in a confirmed issue, investigation, remediation, or control enhancement. This matters because AI intensifies monitoring. This KPI exposes whether you are drowning in noise or generating actionable intelligence.

5. Burnout Signal Composite

A quarterly composite score built from pulse survey results (fatigue, workload, autonomy), attrition in compliance roles, sick leave usage trends, and employee assistance program utilization patterns. This matters because compliance effectiveness depends on people. Burnout is a control failure risk.

These five metrics give the CCO and board a shared view of whether AI is improving the compliance function or simply accelerating it toward exhaustion.

How to Measure the Leading Indicators

Here are practical recommendations for measuring after-hours work, cycle time, quality defects, and burnout indicators. The measurement approach is realistic and defensible.

After-Hours Work

  • Use system log data from the case management, GRC, and document management platforms to track timestamped activity.
  • Supplement with email and collaboration metadata to measure volume outside standard hours.
  • Report trends by team and workflow, not individuals. This is about operating model health, not surveillance.

Cycle Time

  • Establish “start” and “stop” definitions for each workflow:
    • Investigations: intake date to closure date
    • Due diligence: request date to clearance date
    • Policy updates: drafting start to published version
    • Regulatory change: trigger identification to implementation
  • Track AI-assisted versus non-AI-assisted cycle times to isolate the impact.

Quality Defects

  • Define defects as “items requiring material correction after initial completion,” including:
    • Incomplete documentation
    • Wrong risk rating or missing rationale
    • Incorrect regulatory mapping
    • Reopened cases due to insufficient analysis
    • Audit findings tied to workflow execution
  • Capture defects through QA sampling, supervisor review logs, audit results, and post-incident reviews.

Burnout Indicators

  • Run a quarterly pulse survey with 5–7 questions on workload, pace, clarity, and ability to disconnect.
  • Track voluntary attrition and vacancy duration for compliance roles.
  • Include aggregate HR indicators such as overtime trends or sick leave usage, where available.
  • Use a composite score and trend it. The trend line is what matters.

The key is to build instrumentation without creating a culture of monitoring employees. Your goal is not to watch people. Your goal is to protect the control environment.
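One way to compute the After-Hours Compliance Work Index from timestamped activity logs while reporting by team and workflow rather than by individual. This is an added example, not code from the original post; the event field names, the weekday 6 p.m. to 7 a.m. window with weekends counted as after-hours, and the minimum group size of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumed business day, taken from the post's example window (6 p.m. to 7 a.m.
# is after-hours). Weekends are treated as after-hours (assumption).
DAY_START = time(7, 0)
DAY_END = time(18, 0)

# Assumption: a team/workflow cell with fewer distinct people than this is
# suppressed, so the report cannot be read as a view of one person's habits.
MIN_GROUP_SIZE = 3


def is_after_hours(ts: datetime) -> bool:
    """Classify a timestamp using the wall-clock time of its recorded offset."""
    if ts.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (DAY_START <= ts.time() < DAY_END)


def after_hours_index(events, min_group_size=MIN_GROUP_SIZE):
    """Return {(month, team, workflow): percent after-hours, or None if suppressed}.

    Each event is a dict with hypothetical keys: ts (ISO 8601 with the local
    UTC offset), team, workflow, user. The user id is used only to count
    distinct people per cell and never appears in the output.
    """
    totals = defaultdict(int)
    late = defaultdict(int)
    people = defaultdict(set)

    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        key = (ts.strftime("%Y-%m"), event["team"], event["workflow"])
        totals[key] += 1
        if is_after_hours(ts):
            late[key] += 1
        people[key].add(event["user"])

    report = {}
    for key, total in totals.items():
        if len(people[key]) < min_group_size:
            report[key] = None  # suppressed: too few people to report safely
        else:
            report[key] = round(100.0 * late[key] / total, 1)
    return report


def _ev(ts, team, workflow, user):
    return {"ts": ts, "team": team, "workflow": workflow, "user": user}


# Constructed sample log events, not real data.
SAMPLE_EVENTS = [
    _ev("2025-01-13T09:15:00-05:00", "investigations", "case_management", "u1"),
    _ev("2025-01-13T19:40:00-05:00", "investigations", "case_management", "u2"),
    _ev("2025-01-14T06:30:00-05:00", "investigations", "case_management", "u3"),
    _ev("2025-01-18T11:00:00-05:00", "investigations", "case_management", "u1"),
    _ev("2025-01-15T14:00:00-05:00", "investigations", "case_management", "u2"),
    _ev("2025-01-15T18:00:00-05:00", "investigations", "case_management", "u3"),
    _ev("2025-02-03T10:00:00-05:00", "investigations", "case_management", "u1"),
    _ev("2025-02-04T11:00:00-05:00", "investigations", "case_management", "u2"),
    _ev("2025-02-05T16:59:00-05:00", "investigations", "case_management", "u3"),
    _ev("2025-02-05T07:00:00-05:00", "investigations", "case_management", "u1"),
    _ev("2025-02-06T20:00:00-05:00", "investigations", "case_management", "u2"),
    _ev("2025-01-13T10:00:00+01:00", "third_party", "due_diligence", "u7"),
    _ev("2025-01-13T22:00:00+01:00", "third_party", "due_diligence", "u8"),
]

if __name__ == "__main__":
    for cell, pct in sorted(after_hours_index(SAMPLE_EVENTS).items()):
        print(cell, "suppressed" if pct is None else f"{pct}%")
```

Logs that store UTC only need to be converted to each site's local time before classification, otherwise a normal working day in one region is counted as night work.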

Adopt an Enterprise AI Practice Standard Now

For an innovation-forward company, the right move is not to slow down. The right move is to govern how you speed up. Your call to action is simple and strong: adopt an enterprise AI practice standard as management guidance, owned by Compliance, implemented across all GRC workflows, measured by five work-intensification KPIs, and tested by internal audit and red teaming.

If you do that, you gain three things immediately:

1. A sustainable operating model

2. Defensible governance for regulators and boards

3. A compliance function that remains credible under pressure

AI can make compliance better. But only if the humans who run compliance can still breathe.


Co-Thinking with AI: A New Frontier for Compliance Problem-Solving

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Every other day this week, I have created a one-page checklist for each article that you can use in presentations or for easier reference. However, for today’s blog post, I have made a Compliance AI Dialogue Playbook to illustrate the concepts discussed. If you would like a copy, email my EA, Jaja, at jaja@compliancepodcastnetwork.net.

Compliance officers are, at their core, problem-solvers. We wrestle with thorny questions every day: How do we implement a global gifts-and-entertainment policy across jurisdictions with vastly different cultural norms? How do we balance business pressures with anti-corruption obligations? How do we address new risks like AI itself? Traditionally, compliance officers have relied on their teams, external counsel, and regulators for perspective. But now, there is another partner available: AI as a co-thinker.

Elisa Farri and Gabriele Rosani, in their HBR article, How AI Can Help Managers Think Through Problems, argue that generative AI is not simply a productivity booster but a thought partner that can help managers frame problems, weigh trade-offs, and refine decision-making. For compliance professionals, this opens an exciting frontier. Instead of seeing AI as just a summarization or monitoring tool, we can use it to think with us about compliance challenges.

Today, we consider five key takeaways for compliance professionals, each exploring how AI can and should be trusted as a structured co-thinker in corporate compliance problem-solving.

1. AI Can Help Frame Compliance Problems More Clearly

One of the hardest parts of compliance work is problem framing. Regulators do not hand us neat checklists; instead, they give us principles, expectations, and enforcement actions. It’s up to us to translate these into workable policies and controls.

The authors highlight how AI can act as a sounding board, asking clarifying questions, offering perspectives, and reframing issues. In compliance, this is invaluable. For example, when confronting a possible books-and-records violation, you can ask AI to outline the problem from different angles: the DOJ’s perspective, the auditor’s lens, or the business unit’s operational concerns.

This “co-thinking” dialogue helps compliance officers avoid blind spots. By articulating context and criteria while AI proposes reframings or stakeholder perspectives, the problem becomes clearer. Often, clarity is half the solution.

The compliance lesson: Don’t just throw a problem at AI and expect an answer. Use it to refine the question. A well-framed compliance issue is easier to analyze, explain, and ultimately solve.

2. AI Strengthens Root Cause Analysis in Compliance Investigations

Root cause analysis is central to modern compliance. Regulators do not just want misconduct identified; they want to know why it happened and how you’ll prevent it going forward. Yet too often, root cause analysis gets bogged down in assumptions or limited perspectives.

Farri and Rosani cite managers who use AI dialogues to explore underlying causes systematically. For compliance officers, this can be a game-changer. Imagine an investigation into repeated expense-report fraud. AI can walk you through potential cultural drivers (“tone at the top,” sales pressure), structural flaws (weak approval workflows), and training gaps. It can then push back: “Are you overlooking incentives?” or “What if the issue is inadequate third-party vetting?”

By iterating through hypotheses in a structured dialogue, compliance professionals can avoid premature conclusions and dig deeper. This not only strengthens remediation but also demonstrates to regulators that the company engaged in a thorough, multi-perspective analysis.

The compliance lesson: AI co-thinking transforms root cause analysis from a static checklist into a dynamic dialogue, driving richer insights and more defensible conclusions.

3. AI Helps Anticipate Stakeholder Reactions to Compliance Decisions

Compliance isn’t just about rules; it’s about relationships. A compliance policy that looks perfect on paper can fail if stakeholders resist or misunderstand it. That’s why anticipating reactions is essential.

The article describes a communications manager who used AI to role-play stakeholder perspectives. Compliance teams can apply the same method. Suppose you’re rolling out a new third-party due diligence system. You could ask AI to simulate how sales might react (“This slows down deal velocity”), how finance might respond (“We lack resources for added checks”), and how regulators would view the process (“Demonstrates good faith risk management”).

This kind of dialogue allows compliance officers to refine messaging, anticipate objections, and design mitigation strategies before rollout. It’s essentially stakeholder mapping on steroids.

The compliance lesson: Use AI to run “compliance fire drills.” Let it act as different stakeholders, challenge your assumptions, and highlight where communication or process gaps may derail implementation. Better to hear objections from an AI simulation than from the DOJ or your workforce, after the fact.

4. AI Supports Compliance Leadership and Mindset Shifts

Compliance is not static; it evolves as risks and expectations change. One of the hardest parts of leadership is helping teams adopt new mindsets. Whether it’s embedding ESG into compliance or shifting from reactive investigations to proactive risk management, change is as much about people as it is about rules.

The authors point to managers using AI to coach teams through mindset shifts. Compliance officers can replicate this by designing AI dialogues that help teams reflect on change. For example: “Act as a compliance coach guiding a regional manager through adopting a risk-based mindset for third-party approvals.” AI can then walk the manager through scenarios, pose self-assessment questions, and suggest daily practices to internalize the change.

This turns AI into a scalable leadership development tool for compliance. It’s not replacing human mentorship but supplementing it, ensuring employees across geographies get consistent coaching.

The compliance lesson is straightforward: AI can democratize leadership development in compliance. By embedding coaching into AI assistants, compliance leaders can scale mindset change while reinforcing culture across the enterprise.

5. AI Encourages Reflective and Ethical Decision-Making

Finally, compliance is about judgment. Not every decision can be reduced to a policy or rulebook. Whether deciding how to respond to a gray-area hospitality offer or whether to self-disclose a violation, compliance officers must weigh trade-offs.

Farri and Rosani emphasize that AI, when engaged as a co-thinker, can enhance reflective decision-making. It does so by slowing us down, asking probing questions, and challenging quick assumptions. This is especially important because compliance officers are often under pressure to deliver fast answers to complex problems.

By prompting reflections such as “What risks might we be missing? What would regulators expect? What precedent are we setting?”, AI ensures compliance officers approach decisions with greater ethical clarity. It’s the Socratic method in digital form.

The compliance lesson: AI should not be seen as replacing compliance judgment but as sharpening it. By making space for reflection, AI helps ensure that compliance decisions are thoughtful, principled, and defensible.

From Automation to Co-Thinking

For too long, compliance has viewed AI as a back-office automation tool: summarizing, monitoring, and drafting. Farri and Rosani remind us that AI can do much more: it can think with us.

By helping frame problems, strengthening root cause analysis, anticipating stakeholder reactions, supporting mindset shifts, and fostering reflective decision-making, AI becomes not just a tool but a thought partner. For compliance officers under increasing pressure from regulators and boards, that partnership could be transformative.

The path forward is clear: stop asking “What can AI do for compliance?” and start asking “How can AI help compliance think better?”


Building Your Own AI Assistant: Compliance Lessons in Customization

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, for each blog post, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

In the ever-changing world of compliance, resource constraints remain one of our biggest hurdles. Whether you’re drafting policies, conducting risk assessments, or preparing investigation summaries, the work is often repetitive, labor-intensive, and subject to tight deadlines. Enter the AI assistant, not as a futuristic dream, but as a practical, buildable tool available to compliance professionals right now.

Alexandra Samuel’s article in Harvard Business Review, titled How to Build Your Own AI Assistant, makes one point crystal clear: if you can describe a project in plain English, you can build your own AI assistant. And for compliance professionals, this represents a transformative opportunity to reduce administrative burdens while increasing consistency, accuracy, and adaptability.

But building your compliance AI assistant isn’t about chasing efficiency alone—it’s about making intentional design choices that reinforce compliance objectives, protect corporate culture, and ensure regulatory defensibility. Today, we consider five key takeaways for compliance professionals, each showing how you can harness AI assistants to enhance, not replace, your compliance program.

1. Start with the Right Use Cases

Before building, compliance leaders must ask: What problems do we want AI to solve? Samuel notes that AI assistants excel in four domains: writing and communications, troubleshooting, project management, and strategic coaching. For compliance, this translates into use cases like:

  • Drafting first-pass policy updates aligned with global regulations.
  • Summarizing enforcement actions for Board reporting.
  • Automating responses to routine employee compliance questions (e.g., “Can I accept this client gift?”).
  • Tracking investigation timelines and automatically extracting action items from meeting transcripts.

Choosing the right use case ensures your AI assistant is a force multiplier rather than a shiny distraction. Importantly, you want to start with low-risk, high-volume tasks. Drafting an anti-corruption annual training memo? AI can handle the boilerplate. Deciding whether to disclose a potential FCPA violation to the DOJ? That still belongs squarely in the human domain.

The real lesson here: compliance officers should not let “AI hype” dictate priorities. Instead, define pain points within your compliance workflow and build assistants targeted at those specific, recurring problems. Start small, iterate, and scale responsibly.

2. Design Clear Instructions—Your Assistant Is Only as Good as Its Guidance

According to Samuel, the “heart” of a custom AI assistant is the set of instructions you provide. For compliance teams, this is where risk and opportunity intersect. If your assistant doesn’t know who it is, what standards to apply, and what tone to use, it will produce outputs that undermine your credibility.

Think of instructions as your assistant’s Code of Conduct. Instead of saying “you are a compliance assistant,” you can be more precise:

  • “You are a corporate compliance officer drafting policies for a multinational company. You must ensure all content aligns with DOJ guidance on effective compliance programs, uses a professional but approachable tone, and provides practical examples for employees.”

These custom instructions allow you to “bake in” compliance frameworks from day one. For example, you can require the assistant to reference the COSO Framework for Internal Controls, ISO 37001, or the DOJ’s Evaluation of Corporate Compliance Programs whenever relevant.

The key compliance insight: good AI assistants reflect great compliance design. Just as vague compliance policies create ambiguity, vague AI instructions create unreliable outputs. Invest time in precise persona-building for your assistant, and you’ll reap consistent, defensible results.

3. Feed It Knowledge—Without Losing Control of Sensitive Data

Samuel emphasizes that AI assistants become truly powerful when equipped with background documents, such as policies, reports, contracts, or training decks. For compliance, this is both a gold mine and a minefield.

On one hand, uploading prior investigation reports, risk assessments, or compliance training modules allows your assistant to generate outputs that reflect your company’s real history and regulatory environment. Imagine an assistant that can instantly pull together a cross-border risk assessment using your own prior filings and internal guidance.

On the other hand, compliance officers must stay vigilant about data protection, privilege, and confidentiality. Sensitive HR records, whistleblower reports, and privileged investigation materials should never be indiscriminately fed into a platform without proper safeguards.

Here lies the balancing act: compliance teams must create AI assistants that are well-informed but tightly governed. This may involve anonymizing data, working through secure enterprise-grade AI platforms, or restricting inputs to public and non-sensitive internal documents.

The compliance lesson is simple but non-negotiable: context matters, but confidentiality reigns supreme. Building a compliance AI assistant means establishing protocols for what can and cannot be shared.

4. Iterate Constantly—Think Like a Compliance Monitor

Just as compliance programs require continuous improvement, so too do AI assistants. Samuel makes it clear that assistants won’t be perfect out of the box. They require ongoing feedback, refinement, and adjustment.

For compliance professionals, this is second nature. We already think in terms of monitoring, auditing, and revising. Apply the same discipline to your AI assistant:

  • Audit its outputs for accuracy, tone, and regulatory defensibility.
  • Track where it consistently underperforms (e.g., misinterpreting data privacy rules) and feed corrective instructions.
  • Periodically “refresh” its context files to reflect updated regulations, new enforcement actions, or changes in corporate policy.

Samuel suggests asking your assistant to write its own revised instructions based on your feedback. That’s a compliance monitoring exercise in itself—your assistant becomes both subject and participant in continuous improvement.

The compliance takeaway: treat your AI assistant as a dynamic system, not a static tool. Just as DOJ expects ongoing risk assessments and remediation, regulators will expect that AI tools in compliance are actively managed, not blindly trusted.

5. Embed Ethical Guardrails and Accountability

The most important compliance lesson in building your own AI assistant is ensuring accountability. As Samuel warns, assistants can hallucinate or produce flawed outputs. In compliance, this is not simply an annoyance; more importantly, it is a potential liability.

That means your assistant must operate under ethical guardrails:

  • Always include a human-in-the-loop review before any AI-generated compliance document is finalized.
  • Require disclosures when AI was used in drafting policies, reports, or training.
  • Train employees not to treat AI outputs as gospel but as drafts for critical evaluation.
  • Align your assistant’s objectives with compliance KPIs, accuracy, transparency, and defensibility, rather than raw speed.

This mirrors the DOJ’s emphasis on corporate accountability. An AI assistant may help draft your gifts and entertainment policy, but it cannot stand before prosecutors and defend your compliance program. That responsibility remains squarely with leadership.

The compliance lesson here is unmistakable: AI is a tool, not a scapegoat. Build it to augment compliance decision-making, not to absolve it.

From Experiment to Integration

Building your own AI assistant is not a technical challenge. It is a compliance design challenge. As Alexandra Samuel reminds us, if you can describe your project, you can build your assistant. For compliance officers, that means thinking intentionally about use cases, precision in instructions, safeguards for sensitive data, iteration, and ethical guardrails.

The opportunity is immense. With thoughtfully designed AI assistants, compliance professionals can shift their focus from repetitive drafting to higher-order strategy, from administrative overload to proactive risk management. But the responsibility is equally immense. An AI assistant reflects the design choices of its creators, choices that must always prioritize compliance culture, accountability, and trust.


Recalculating AI: Compliance Lessons in Weighing Costs and Benefits of GenAI

Ed. Note: This week, we present a week-long series on the use of GenAI in a best practices compliance program. Additionally, for each blog post, I have created a one-page checklist for each article that you can use in presentations or for easier reference. Email my EA Jaja at jaja@compliancepodcastnetwork.net for a complimentary copy.

For compliance professionals, the rise of generative AI (GenAI) feels like déjà vu. We’ve been here before—with ERP rollouts, e-discovery software, and data analytics tools. Each new technology comes with the same pitch: faster, smarter, cheaper. And each time, compliance officers are tasked with answering a more difficult question: At what cost?

Mark Mortensen’s recent piece in Harvard Business Review, titled Calculating the Costs and Benefits of GenAI, provides a framework for thinking about this balancing act. While AI undeniably creates efficiency, Mortensen cautions that organizations risk losing knowledge, engagement, and trust if they fail to evaluate adoption carefully. For compliance leaders, the implications are profound.

Today, we consider five key takeaways from the article for compliance professionals—each one an area where AI’s promise and peril intersect.

1. Efficiency Gains Must Be Weighed Against Knowledge Loss

One of AI’s greatest selling points is speed. It can review contracts in minutes, summarize regulatory changes instantly, and generate risk assessments that previously took weeks. For perpetually under-resourced compliance departments, this is a tantalizing offer.

Yet here lies the first hidden cost: learning. Mortensen reminds us that the process of struggling with a problem involves the back-and-forth revisions of a policy draft, iterative risk-mapping discussions, and even the time spent combing through dense regulations. This cements knowledge and deepens institutional expertise. If compliance teams begin to outsource too much of that process to AI, the organization risks eroding the very expertise it relies on to interpret nuance.

Consider this: an AI might draft your anti-bribery training materials, but without human engagement in the process, your team loses the chance to sharpen its understanding of new FCPA enforcement trends. Over time, this erodes your compliance program’s intellectual resilience.

The lesson for compliance leaders is clear: use AI to accelerate, not replace, your team’s learning. Make sure staff remain actively engaged in the interpretive process. AI should provide information, not serve as the final arbiter of compliance knowledge.

2. Short-Term Problem Solving Can Inhibit Long-Term Skill Development

“Practice makes perfect” is more than just a proverb; it is a professional truth. Drafting compliance reports builds writing skills, testing control frameworks sharpens analytical ability, and grappling with regulatory ambiguity builds judgment.

But if compliance teams lean too heavily on AI to generate audit memos or to identify anomalies in financial data, they risk undermining their own development. Mortensen points out that when we hand tasks to AI, we sacrifice the chance to strengthen the very skills we will need tomorrow.

Consider a scenario where AI consistently handles first drafts of risk assessments. Compliance officers may grow accustomed to editing AI output rather than developing their structured thinking. Over time, the skill gap widens. This leaves organizations dependent on tools that cannot be held accountable when regulators ask tough questions.

From a compliance standpoint, this has a direct connection to sustainability. DOJ guidance emphasizes the need for continuous program improvement and the development of compliance capabilities. A department that loses skills to AI outsourcing may look efficient on paper, but it becomes brittle in practice.

Compliance leaders should strike a balance by reserving certain core tasks, like drafting root cause analyses or preparing investigation reports, for human-led execution, even if AI could technically do them faster. These are the muscle-building exercises of compliance, and like any workout, skipping them leads to long-term weakness.

3. AI Risks Weakening Relationships and Organizational Trust

Compliance does not happen in a vacuum. It thrives or fails based on relationships. Internal trust with business units, credibility with senior leadership, and even informal rapport built during brainstorming sessions all matter.

AI, however, threatens to reduce these interactions. Mortensen notes that the computational power of AI allows individuals to solve problems alone that previously required teams. While efficient, this independence comes at a cost: fewer interpersonal touchpoints, weaker social ties, and ultimately, reduced trust.

For compliance, this risk is especially acute. Much of our effectiveness hinges on being seen as collaborative partners, not bureaucratic enforcers. If AI reduces the frequency of conversations around risk assessments, policy updates, or investigations, compliance officers may lose opportunities to build influence. Worse, an “AI does it all” approach may reinforce perceptions that compliance is transactional rather than relational.

The takeaway here is that AI should never replace human dialogue in compliance. Use it to free up time so compliance officers can spend more energy building relationships with line managers, auditors, and employees, rather than less. The culture of compliance is rooted in trust, and no algorithm can generate that.

4. Engagement and Ownership Can Decline with Over-Automation

Engagement matters. Mortensen defines it as being psychologically present in the work. For compliance professionals, engagement translates into vigilance: spotting red flags, questioning anomalies, and challenging assumptions.

But AI introduces a risk of disengagement. When it summarizes investigation interviews or drafts compliance dashboards, humans can become passive consumers rather than active participants. Over time, “good enough” replaces “deep enough.”

This erosion of ownership is dangerous for compliance. Regulators increasingly expect companies to demonstrate not only robust processes but also genuine cultural buy-in. If compliance staff are disengaged because AI has taken over too many cognitive functions, the program risks becoming a paper tiger, form without substance.

To counter this, compliance leaders should intentionally design workflows where humans must interpret and add value to AI outputs. For example, AI can generate a first-pass risk heat map, but compliance officers should validate and adjust it based on local context and business realities. That layer of judgment keeps engagement alive and maintains a sense of accountability.

Ultimately, compliance is about judgment, not just information. AI can support but never substitute for human ownership of ethical decision-making.

5. Homogenization Threatens Compliance Program Uniqueness

Every compliance program reflects its company’s unique culture, risks, and leadership voice. Mortensen warns that because large language models are convergent technologies, they produce standardized answers. Leaders who rely on AI for memos, presentations, or policies risk erasing their distinctive tone and voice.

For compliance professionals, this risk translates into a loss of authenticity. Regulators, employees, and stakeholders can quickly tell the difference between a policy that reflects real company values and one that reads like a generic AI template. Over time, over-reliance on AI can strip a compliance program of its personality and, with it, its credibility.

The danger goes deeper. If multiple companies rely on AI to draft similar codes of conduct, policies may look indistinguishable. That creates industry-wide convergence at a time when regulators are looking for tailored programs that reflect specific risks. In effect, AI could make compliance programs less defensible, not more.

The path forward is to use AI as a scaffolding tool, not as a finished product. Compliance officers should inject their organization’s unique voice, industry-specific risks, and leadership tone into every AI-assisted document. Authenticity is non-negotiable in compliance. AI can never be allowed to flatten it.

AI Audits for Compliance Leaders

Mortensen’s framework for an “AI value audit” is particularly relevant for compliance. He suggests three steps: (1) determine the types of value a task creates, (2) prioritize and optimize them, and (3) continually reassess with a “milk test” to ensure the value hasn’t expired.

For compliance, this means asking: Does AI enhance our program without undermining knowledge, skills, trust, engagement, or authenticity? If not, the short-term benefits may not be worth the long-term costs.

AI is here to stay, and compliance officers must learn to harness it. But like every tool before it, AI is not a replacement for judgment, culture, and leadership. It is an assistant, not the evangelist for compliance.


How Generative AI is Transforming Business and Compliance in 2025

One thing I have learned from the digital age is that to stay ahead, we must stay informed and proactive about how new technologies impact corporate governance, ethics, and operational compliance. In this context, generative AI (Gen AI) is no longer a futuristic concept; it is embedded deeply in our everyday activities. Marc Zao-Sanders’ article in Harvard Business Review (HBR), “How People Are Really Using Gen AI in 2025,” presents an excellent opportunity to reflect on how these developments impact compliance, governance, and risk management.

Zao-Sanders highlights a critical shift in how generative AI is utilized: from purely technical assistance towards significantly more personal and emotive applications. With “Therapy/Companionship,” “Organizing my life,” and “Finding purpose” emerging as the top three use cases, it’s clear that users seek emotional and organizational support, demonstrating Gen AI’s versatility beyond traditional technological roles.

Compliance professionals must recognize that as AI increasingly becomes integral to both professional services and personal well-being, the accompanying risk and compliance implications magnify exponentially. The nature of these interactions, often intimate or deeply personal, demands robust data privacy protections and stringent ethical governance frameworks. Businesses integrating these technologies need precise, transparent policies and effective oversight mechanisms to mitigate new compliance risks.

Implications for Compliance Professionals

Enhanced Data Privacy and Ethical Considerations

Zao-Sanders emphasizes the rising prominence of personal and professional support through Gen AI, especially in areas such as AI-based therapy, emotional companionship, and life organization. As users entrust AI with highly sensitive personal data, compliance professionals face increased responsibilities regarding data privacy, security, and the ethical use of data. This scenario elevates the stakes considerably. He notes, “data safety is not a concern when your health is deteriorating,” highlighting users’ willingness to sacrifice privacy for crucial emotional or medical support. Such conditions can quickly lead to ethical and compliance vulnerabilities if businesses fail to manage and protect sensitive user data rigorously.

Organizations must reinforce their compliance strategies to manage ethical risks inherent in AI-human interactions. As Zao-Sanders indicates, professional services, including medical, legal, and financial advisement, are increasingly relying on generative AI, pushing regulatory boundaries. Notably, EY’s deployment of 150 AI agents specifically for tax-related tasks highlights the profound impact of generative AI on professional services, adding layers of complexity to compliance strategies.

Regulatory Response and Enforcement Trends

The article briefly touches on the growing regulatory scrutiny that Gen AI is attracting globally, noting explicitly that governments are “taking more emphatic and explicit positions” due to heightened stakes surrounding AI technology. For compliance professionals, this should serve as a clarion call: regulatory oversight is intensifying. Preparing for audits, demonstrating compliance, and actively engaging with regulatory developments will be essential. The rapid pace of AI adoption necessitates an agile and proactive approach to compliance management that anticipates, rather than merely reacts to, regulatory shifts.

Balancing AI Dependence with Human Oversight

A striking tension highlighted in the article is the debate over the impact of generative AI on human cognitive abilities, decision-making, and ethical judgment. Users express genuine concern about becoming overly reliant on AI, which could erode their ability to think critically and make independent, ethical decisions.

This reliance poses significant implications for compliance officers charged with safeguarding ethical decision-making. Effective compliance programs must emphasize human oversight, cultivating a culture where AI supports rather than supplants human judgment. Investing in AI literacy among employees can mitigate potential over-reliance, fostering an environment where staff understand both the capabilities and limitations of AI.

Compliance in AI-Driven Professional Services

Zao-Sanders illustrates how AI integration into professional tasks is increasingly sophisticated. For instance, the transformation underway at EY, training employees extensively in generative AI, reflects broader industry trends. Compliance officers must respond to these developments by establishing clear standards and compliance checkpoints. It is crucial to determine whether AI outputs meet professional standards, remain unbiased, and do not inadvertently violate regulatory obligations.

Given AI’s pervasive integration into professional judgments (such as tax preparation, legal advice, and medical diagnosis), the accuracy and regulatory compliance of AI-driven outputs become paramount. Compliance programs must integrate AI auditability, accountability, and transparency deeply into corporate governance frameworks.

Practical Compliance Steps in the Gen AI Era

1. Proactive Policy Development and Training

Develop clear policies that outline the acceptable use of generative AI, including specific guidelines on data handling, ethical considerations, and regulatory obligations. Embed these policies into your organization’s culture through rigorous training and communication strategies.

2. Rigorous Risk Assessment and Ongoing Monitoring

Gen AI compliance must adopt continuous monitoring. Regular risk assessments and periodic audits of AI systems help detect and rectify issues promptly. Compliance officers should remain actively involved in assessing new AI technologies for ethical, privacy, and regulatory considerations before full-scale implementation.

3. Transparent Data Practices

Given the heightened public sensitivity to data privacy, reflected in Zao-Sanders’ mention of users’ concerns around data privacy and their cynicism toward Big Tech, companies must prioritize transparent data practices. Clear communication about data usage, consent, and protection measures will foster trust and reduce compliance risks.

4. Ethical AI Governance Frameworks

Design and deploy ethical AI governance frameworks that address algorithmic fairness, transparency, and accountability. These frameworks ensure generative AI tools are deployed responsibly and ethically, aligning with stakeholder expectations and regulatory standards.

5. Encourage Human-AI Collaboration

Foster a balanced approach between AI-driven solutions and human judgment. Reinforce the importance of human oversight to ensure compliance, accuracy, and ethical decision-making, thus minimizing over-dependence on AI.

Looking Ahead—The Compliance Imperative in the Gen AI Landscape

As we approach a future increasingly defined by AI integration, compliance professionals have a unique opportunity to lead their organizations proactively. Understanding and managing the compliance and ethical dimensions of Gen AI is now critical, not optional. The risks and opportunities outlined in Zao-Sanders’ article underscore the urgent need for a strategic, well-informed approach to integrating generative AI into corporate compliance frameworks.

Compliance professionals should view this moment as an opportunity to demonstrate thought leadership, to guide ethical AI adoption, and to establish robust frameworks that enable businesses to thrive responsibly. By proactively addressing the compliance and moral challenges presented by generative AI, we not only fulfill our professional obligations but also position our organizations as ethical, forward-thinking leaders in the digital age. The compliance journey ahead is demanding, but equally, it offers profound opportunities to influence and shape a responsible, compliant, and ethically robust AI-driven future.


Tariff Week, Part 1 – Navigating Uncertainty: The Compliance Professional’s Guide to Trump’s Tariffs

This week, we will examine the macroeconomic implications of President Trump’s recent tariff hikes and suspensions, a critical issue reverberating across boardrooms globally. Business leaders and compliance professionals are grappling with navigating this unprecedented landscape, and understanding the nuances of this evolving situation is crucial for corporate strategy and compliance preparedness. Today, we will take a macroeconomic view.

Last week, President Trump dramatically escalated tariffs on U.S. trading partners, elevating the average effective tariff rate to approximately 23%. This sharp increase has left markets reeling and businesses scrambling to adapt. Just as quickly (within 48 hours), he brought the tariffs back to their original amount by suspending them. This situation illustrates the growing complexity and volatility that executives must manage, highlighting the vital role that corporate compliance teams play in preparing businesses for macroeconomic shocks.

I was therefore interested in a recent Harvard Business Review article entitled Understanding the Global Macroeconomic Impacts of Trump’s Tariffs by authors Philipp Carlsson-Szlezak, Paul Swartz, and Martin Reeves. In this article, they considered how Trump’s tariff imposition and roll-back moves “have jolted markets and thrust business leaders into deep uncertainty. Developing a better understanding of tariffs’ primary and secondary macroeconomic effects and any plausible long-term consequences will allow executives to assess the impact on their markets and businesses continuously. With so much in flux, leaders must ditch rigid plans and build flexible, analytical muscle to navigate this turbulent new landscape.”

At its core, this situation underscores the asymmetrical nature of trade wars. The United States, due to its significant trade deficit, initially seemed well-positioned to engage in targeted trade disputes. However, by initiating a comprehensive, 360-degree trade war affecting virtually all global trading partners simultaneously, the U.S. has dramatically altered the landscape of risk and opportunity. This asymmetry is critical; while the U.S. experiences cumulative impacts from numerous trade disputes, its trading partners face singular impacts from the U.S. alone.

Understanding the primary effects of tariffs requires compliance professionals to differentiate clearly between supply and demand shocks. For U.S. businesses, supply shocks are particularly pertinent. Tariffs, effectively taxes on imports, invariably translate into higher consumer prices, fueling inflation. This scenario is reminiscent of the post-pandemic supply chain disruptions we have navigated, curtailing real incomes and restraining economic growth. Analysts predict these new tariffs could slash U.S. GDP growth by approximately 1.4%, significantly impacting corporate forecasts and strategic planning.

Trade partners face their own challenges. Retaliatory tariffs, already implemented by China and under consideration by others, inflict similar inflationary pressures and consumption downturns, albeit typically on a smaller scale, estimated at a 0.1% to 0.3% GDP reduction. However, demand shocks to these trading partners could be more severe, depending on the price sensitivity of U.S. imports. Countries heavily dependent on the U.S. market, such as Vietnam, might witness GDP contractions exceeding 6%, illustrating the profound impact that tariff-induced demand disruptions can have on certain economies.

Compliance teams must also monitor and prepare for secondary impacts. The five critical secondary channels to watch are confidence erosion, ROI effects, monetary policy errors, diminished competitiveness, and potential new financial and other shocks. Decreased consumer and business confidence could dampen spending, hiring, and investment behaviors. Additionally, while historically not always leading to recession, equity market volatility poses tangible threats to corporate balance sheets and overall financial stability.

Moreover, the tariffs significantly affect competitiveness. Approximately half of U.S. imports consist of production inputs essential for domestic manufacturing, such as steel and machine tools. Increased production costs stemming from tariffs could, therefore, undermine U.S. businesses’ competitive positions globally, an area where compliance teams must remain vigilant and advise on risk mitigation strategies.

The long-term impacts of these tariffs also warrant consideration. The Trump administration aims to reallocate global production to bolster U.S. manufacturing and employment. Unlike the Biden administration’s CHIPS Act, which strategically incentivized high-productivity sectors like semiconductors, the broad scope of Trump’s tariffs risks fostering lower-productivity industries domestically. This shift could crowd out higher-value sectors due to competition for already scarce labor resources, diminishing overall economic productivity and potential.

This scenario demands that compliance professionals embrace continuous learning and adaptability. The volatility and complexity introduced by the tariff situation reinforce the necessity of dynamic analytical capabilities over static compliance strategies. Compliance leaders must ensure their organizations develop robust analytical frameworks to assess and respond continuously to evolving macroeconomic conditions.

Organizations must regularly revisit their risk assumptions, factoring in the potential global reshuffling of trade flows. If major exporters redirect goods previously destined for the U.S. to other markets, it could trigger a broader global trade conflict, requiring compliance officers to adjust corporate risk assessments and response strategies rapidly.

Finally, executives and compliance professionals should approach this situation with a dual lens, balancing tactical short-term responses with strategic long-term considerations. Immediate tactical decisions are necessary, but it is equally critical to analyze potential structural changes in global trade dynamics that may unfold over the coming decade.

Managing macroeconomic uncertainty, such as the ongoing 360-degree trade war, is increasingly becoming an essential competency for compliance professionals. Those who proactively develop sophisticated, agile analytical capabilities will be better equipped to navigate these uncertain waters, providing their organizations with strategic advantage in tumultuous economic conditions.


The Compliance Frontier in the AI Era, Part 1 – Navigating Strategy in the AI Era

Compliance is early in the AI era, and the technology is quickly evolving. Many service providers are introducing AI “copilots,” “bots,” and “assistants” into applications to augment compliance workflows. These compliance tools have been trained on various data sources and possess expansive expertise in many domains. The level of knowledge in these tools is still growing rapidly while the cost of accessing them is decreasing. In an article in the Harvard Business Review (HBR), authors Bobby Yerramilli-Rao, John Corwin, Yang Li, and Karim R. Lakhani posit that shortly, there will be “more advanced ‘AI agents’ equipped with greater capability and broader expertise that will be operating on behalf of users with their permission. Companies that benefit from AI can conduct business more efficiently, innovate more nimbly, and grow with sharpened vision and focus.”

Their article, “Strategy in an Era of Abundant Expertise,” provides crucial insights into how artificial intelligence (AI) transforms the competitive landscape by reshaping how businesses leverage expertise. The authors argue convincingly that we have entered an era defined by two compelling forces: the exponentially increasing volume of knowledge and the dramatically reduced cost of accessing it. Today, we begin a two-part exploration of their article and how their insights apply to compliance. In Part 1, we consider how this transformation in expertise accessibility is fundamentally altering business strategies and operational models. Tomorrow, in Part 2, we will consider their article’s lessons for the compliance profession.

The Transformation of Expertise

At its core, expertise is the deep theoretical knowledge and practical know-how necessary to perform specific tasks effectively. Historically, businesses succeeded by developing unique expertise that differentiated them from competitors. Examples such as Toyota’s mastery of lean manufacturing and Walmart’s superior distribution capability illustrate how critical specialized knowledge has been to corporate dominance.

However, AI is now dramatically changing this traditional paradigm. Today, specialized expertise, once costly and confined within the walls of large organizations, is becoming broadly available at much lower costs. AI-powered tools are emerging as pivotal “copilots,” augmenting human capabilities across numerous business functions. This shift means companies no longer need extensive internal expertise in all areas but can strategically access external AI-powered resources to fill gaps and streamline operations.

The Dual Forces of AI

The authors pinpoint two fundamental forces driving the AI-era transformation: (1) the continuous expansion of global expertise and (2) the decreasing cost of access. These intertwined forces have a profound influence on corporate strategy and organizational structure.

The expanding body of global expertise means businesses now face the impossible task of staying ahead in all relevant knowledge domains. For example, the article highlights biotech firms, where AI applications for drug discovery have surged astronomically, making it impossible for any firm to master all available knowledge independently. Simultaneously, the cost of accessing this ever-growing expertise is plummeting, lowering barriers to market entry and significantly changing competitive dynamics.

Companies such as Instagram and TikTok illustrate this trend vividly. They provide content creators with advanced tools formerly reserved for industry professionals, leveling the playing field and democratizing expertise.

Strategic Implications of AI Adoption

The authors argue convincingly that businesses leveraging AI effectively will see a “triple product” return characterized by more efficient operations, increased workforce productivity, and sharper strategic focus. Specifically, AI enables companies to refine their focus on core strategic activities, using AI-driven solutions to manage non-core functions efficiently.

A notable example is Moderna, which employed AI to create more than 900 specialized internal assistants, dramatically improving the speed and accuracy of business processes across its operations. Such integration of AI significantly raises organizational productivity and effectiveness by automating routine tasks and freeing human expertise for more complex strategic considerations.

Reallocating Resources and Refining Focus

A critical benefit of AI highlighted in the article is resource reallocation toward activities that generate maximum value. Companies can now clearly identify core processes where they excel and leverage AI-powered platforms for support activities. The startup FocusFuel, a manufacturer of caffeinated gummies, effectively demonstrates this approach. By strategically outsourcing non-core activities such as market analysis, packaging design, and logistics to AI-enabled platforms, FocusFuel rapidly established itself, achieving significant revenue growth within months of launch.

This trend signifies a paradigm shift in business operations. Organizations increasingly realize that sustaining competitive advantage means intensifying their efforts in select, strategically valuable areas rather than attempting to excel broadly. This approach enables businesses to achieve greater agility, efficiency, and responsiveness in rapidly evolving markets.

Organizational Change and Cultural Adaptation

The authors emphasize that successfully adopting AI is not merely a technological upgrade; it requires significant organizational and cultural change. Companies must prepare their employees to operate effectively alongside AI tools, embedding AI expertise into everyday processes. This preparation involves substantial investments in training and education, exemplified by Moderna’s successful establishment of an “AI academy,” offering mandatory AI education to all employees.

Furthermore, managing organizational change requires a proactive approach to cultivating internal AI champions who can accelerate adoption and encourage widespread acceptance. Coursera is a leading example, swiftly integrating AI capabilities into multiple operational facets after initially embracing AI for coding tasks. This rapid adaptation showcases the profound impact of investing in technology and human capabilities.

Future-Proofing Strategic Advantages

Companies must continually reassess their strategic foundations as AI continues its rapid advancement. Three critical questions outlined by the authors guide strategic reevaluation:

  1. What UX problems will AI soon allow the users to solve independently? As AI increasingly empowers customers directly, businesses must rethink their value propositions and reinvent user (customer/employee/supplier) interactions.
  2. What existing expertise must companies evolve to remain ahead of advancing AI capabilities? As AI matches or surpasses human capabilities in numerous tasks, companies must strengthen inherently human competencies such as empathy, creativity, and strategic judgment to differentiate themselves effectively.
  3. What strategic assets can companies leverage to maintain competitive advantages against advancing AI? Businesses must identify durable sources of advantage less susceptible to AI disruption, such as strong brand identities, deep customer relationships, proprietary physical assets, or potent network effects.

These questions illustrate the strategic depth required to successfully navigate the evolving AI landscape. They underline that the future will reward companies leveraging unique human capabilities and durable competitive advantages alongside AI expertise.

Embracing the AI-Driven Future

Ultimately, the article provides an incisive and timely exploration of the strategic implications of AI’s ascendancy. Companies facing today’s competitive realities must recognize AI’s transformative power and strategically integrate it into their operational and competitive frameworks.

For compliance professionals, whose effectiveness increasingly depends on understanding broader strategic developments, grasping these AI-driven shifts is vital. The emerging landscape characterized by abundant and accessible expertise demands a strategic response that embraces the combined strengths of AI and uniquely human insights.

As businesses move forward in this transformative era, the organizations that adeptly balance AI-driven operational efficiencies with strategic differentiation will undoubtedly emerge as leaders in their respective markets. The insights provided by the authors serve as a compelling call to action for all professionals, compliance included, highlighting the strategic imperative of integrating AI effectively to thrive in the rapidly evolving future of business.