The pace of change in today’s global business environment is breathtaking. Events that unfold over a weekend can have massive implications for corporate compliance professionals by Monday morning, and whenever the business environment changes, the risks change with it. Over the past week, this was demonstrated by two seemingly unrelated but equally impactful developments:
- The U.S. imposing sanctions on Colombia, including a 25% tariff on goods imported from the country, over its alleged failure to take back migrants.
- The emergence of DeepSeek, a Chinese AI company that has developed a large language model rivaling OpenAI’s ChatGPT—at a fraction of the cost.
For the compliance professional, what do these risks mean for your organization, and what framework can you use to assess and manage them? They raise critical compliance concerns spanning sanctions enforcement, export controls, supply chain transparency, and regulatory readiness. In the most recent episode of the FCPA Compliance Report, I explored these issues with Jag Lamba, CEO at Certa.ai. We focused on the Department of Justice (DOJ) framework in its 2024 Update to the Evaluation of Corporate Compliance Programs (2024 Update) to make sense of and respond to these rapid developments.
The DOJ’s framework in the 2024 Update is broken down into three key components:
- Is the compliance program well-designed?
- Is the compliance program adequately resourced and empowered to function effectively?
- Does the compliance program work in practice?
We applied these elements to the recent developments and explored how compliance professionals can prepare for similar shocks in the future.
Is Your Compliance Program Well-Designed to Handle Rapidly Emerging Risks?
The first test of a compliance program is whether it is designed to assess, identify, and mitigate risks promptly. The DOJ has emphasized real-time risk assessment—a shift from static, once-a-year reviews to continuous monitoring.
Take the U.S. sanctions against Colombia. This was not a predictable, drawn-out regulatory action. It happened over a weekend, and by Monday, businesses importing Colombian goods faced a 25% tariff with little time to prepare. Compliance officers had to:
- Quickly identify how much of their supply chain relied on Colombian imports.
- Determine if alternatives existed to mitigate the cost impact.
- Communicate rapidly with leadership to ensure the company could pivot operations where needed.
A traditional, slow-moving risk assessment process would have left companies flat-footed. Instead, an agile risk management system, leveraging real-time data analytics and automated monitoring, can help companies proactively spot emerging risks before they become crises.
The same logic applies to export controls in the tech sector, especially in light of the DeepSeek development. Compliance officers at major AI and semiconductor companies must now be asking:
- Who are our customers in Singapore and neighboring markets?
- Are our chips being resold or rerouted to sanctioned entities in China?
- Do we have automated tools to track and verify shipments to ensure compliance with U.S. export control laws?
It may be too late to prevent regulatory scrutiny if a company relies on manual risk assessments and outdated compliance processes.
Is Your Compliance Program Adequately Resourced and Empowered?
The DOJ has clarified that a compliance program is only as good as the resources allocated to it. Ten years ago, the conversation centered around whether compliance officers had direct access to the board. The conversation then shifted to the quality of your Chief Compliance Officer (CCO) and compliance personnel. Today, the discussion is shifting to whether compliance has the technology, data, and personnel necessary to operate effectively.
Consider the situation with NVIDIA and its skyrocketing sales in Singapore—a market that, while business-friendly, is geographically close to countries facing strict U.S. export controls. Regulators are undoubtedly scrutinizing this data. The question for NVIDIA’s compliance team is:
- Do they have the visibility to track where these chips are ending up?
- Are they able to monitor sales intermediaries in real time?
- Can they preemptively flag anomalies—such as a single country purchasing a huge volume of restricted technology?
Without AI-driven compliance monitoring and data analytics, even the best compliance teams risk being overwhelmed by the sheer volume of transactions and regulatory changes.
Similarly, companies impacted by the Colombian tariffs must ensure their compliance programs have the right supply chain monitoring tools to:
- Identify impacted suppliers instantly.
- Assess alternative sourcing options without regulatory hurdles.
- Develop contingency plans to mitigate financial and operational risks.
This compliance function cannot be run effectively on spreadsheets and email chains. Companies must invest in data automation, AI-driven analytics, and cross-functional collaboration tools to keep pace with such fast-moving regulatory changes.
Does Your Compliance Program Work in Practice?
Finally, compliance programs must not exist solely on paper but must demonstrate real-world effectiveness. The DOJ’s 2024 Update mandates data-driven evidence to assess whether a compliance program is functional and effective.
This means compliance teams must be able to show:
- How many third-party vendors and intermediaries have been vetted and monitored.
- How export controls are enforced in practice—not just documented in policy.
- How quickly the company can respond to a sudden regulatory change, such as the Colombian sanctions.
One of the best ways to demonstrate effectiveness is through compliance storytelling. A compliance officer should be able to present:
- A clear narrative, backed by data, showing how the company detected and addressed a regulatory risk before it became a crisis.
- Case studies of how compliance actions have improved business outcomes—for example, reducing onboarding time for sales intermediaries without compromising compliance integrity.
- Tangible evidence, including video training logs, compliance dashboards, and documented decision-making trails.
A powerful example comes from a Fortune 100 company that secured five years of compliance funding in one go rather than having to renegotiate budgets annually. How? By presenting compliance in business terms:
- Demonstrating how compliance efficiencies improved sales and reduced onboarding delays.
- Showing the financial impact of proactive risk management.
- Using data-driven evidence to justify long-term compliance investments.
This is the future of compliance: a function that not only prevents regulatory risk but also actively contributes to business strategy and growth.
The CCO as a Strategic Risk Navigator
The recent developments with Colombian sanctions and DeepSeek’s AI breakthrough highlight how fast compliance risks can evolve. Sanctions, export controls, and regulatory enforcement actions are no longer slow-moving threats—they can materialize overnight.
The DOJ’s 2024 Update provides a clear roadmap for compliance professionals to navigate these challenges:
- Risk assessment must be dynamic and continuous. Compliance programs must be designed to identify risks in real time, not just during annual reviews.
- Compliance must be adequately resourced. Companies must invest in technology, data analytics, and automation to meet regulatory changes.
- Compliance must demonstrate real-world effectiveness. Data-driven evidence, compelling narratives, and tangible business impact must back compliance programs.
Compliance professionals who embrace data-driven decision-making, automation, and proactive risk management will not only survive but thrive in this era of regulatory volatility. The question is: Is your compliance program ready for the next unexpected headline?