Compliance professionals know the drill. A new policy is issued. A new training module goes live. A new third-party platform is rolled out. A new AI use standard is announced. A new M&A integration plan hits the field. A new sanctions update requires immediate attention. Each initiative may be defensible on its own. Taken together, they can overwhelm the very employees the compliance program depends upon.

That is the central compliance lesson from David Grossman’s MIT Sloan Management Review article, “When Employees Are Drowning in Change.” Grossman argues that effective leaders do not simply manage change; they manage how people experience change. His article identifies three disciplines that matter: make dialogue nonnegotiable, align leaders around a shared change narrative, and sequence change with employee capacity in mind. For compliance professionals, this is not merely a communications issue. It is a program effectiveness issue.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks three core questions: Is the program well designed? Is it adequately resourced and empowered? Does it work in practice? The DOJ also makes clear that prosecutors look at whether compliance policies, training, reporting lines, incentives, discipline, and controls are integrated into the company’s operations and workforce. That means a compliance change that employees cannot absorb is not fully implemented. It may exist in a slide deck, an LMS platform, a policy portal, or a board report. But if it does not change behavior, it is not yet operating as a control.

Compliance Fatigue Is a Real Risk

Compliance professionals often think about risk in categories: anti-corruption, sanctions, fraud, conflicts, privacy, cybersecurity, antitrust, money laundering, books and records, and now AI governance. Employees do not experience risk in neat categories. They experience messages, requirements, approvals, certifications, controls, deadlines, and consequences.

That distinction matters. A sales manager may receive anti-bribery training, a gifts-and-hospitality update, a new distributor due diligence process, a revised approval matrix, an AI acceptable use notice, and a speak-up campaign in the same quarter. Compliance may see six separate risk-based initiatives. The employee sees a wall of instructions.

When that happens, the program creates noise. Employees may technically complete training but not internalize it. They may certify to policies but not understand how to apply them. They may attend a town hall but not know what has changed in their daily work. Worse, they may stop asking questions because the system feels too heavy to navigate. That is where Grossman’s change management lessons become directly relevant to the Chief Compliance Officer and the compliance team.

Make Dialogue a Compliance Control

The first discipline is dialogue. In compliance, dialogue should not be treated as a courtesy or a soft engagement tool. It is a control input.

The ECCP asks whether training and communications are tailored to the audience’s size, sophistication, subject matter expertise, needs, interests, and values. It also asks whether employees can ask questions arising out of training and whether the company measures training effectiveness, engagement, learning, and behavioral impact. This is a direct invitation for compliance teams to move beyond “push” communications. A one-way compliance rollout looks like this: publish the policy, assign the training, send three reminder emails, track completion, and report 98% completion to leadership.

A better model looks like this: identify the affected employee groups, ask where the new requirement will create friction, test the message with managers, build scenarios from real operational issues, provide a practical decision tool, hold short Q&A sessions, track questions and exceptions, and adjust the rollout based on what employees tell you.

Dialogue also requires closing the loop. When employees raise concerns about a new control, compliance does not have to accept every suggestion. But it should explain what it heard, what it changed, and what it could not change. Silence breeds skepticism. In compliance, skepticism becomes a workaround.

Build One Compliance Change Narrative

Grossman’s second discipline is alignment around a shared change narrative. This may be the most underused tool in the compliance function. Compliance teams frequently communicate in fragments. Legal explains the law. Compliance explains the policy. Internal audit explains control gaps. HR explains discipline. IT explains system access. Procurement explains third-party onboarding. Finance explains approval requirements. Each message may be accurate. Together, they may feel disconnected.

A compliance change narrative answers four practical questions:

• Where have we been?
• Where are we today?
• Where are we going?
• What must employees do differently?

For example, an AI governance rollout should not begin with a policy citation. It should begin with the business reality: employees are already using AI tools; the company wants innovation; customer and confidential information must be protected; decisions must remain accountable; and the company needs a consistent control framework. Then the compliance team can explain the required behavior: approved tools, prohibited uses, human review, data restrictions, escalation points, and monitoring.

This is also where middle management becomes essential. The DOJ expects senior leaders to communicate ethical standards clearly and demonstrate adherence by example. It also asks how middle management reinforces those standards and encourages employees to abide by them. In practice, employees often take their cues not from the CCO but from their direct supervisor. If the supervisor treats a new compliance requirement as administrative noise, the employee will do the same. Before any significant program change, compliance should align leaders on the story. Not a script. A shared narrative. What risk are we addressing? Why now? What will be easier? What will be harder? What support will employees receive? What does good look like?

Sequence Change With Capacity in Mind

The third discipline is sequencing. This is where compliance teams can create immediate business value. Grossman’s article notes that organizations often fail not because they are doing too much, but because they are doing too much at the same time without discipline. Compliance is vulnerable to this problem because every risk owner believes their initiative is urgent. The answer is not to do less compliance. The answer is to sequence compliance change with the same rigor applied to capital projects, technology rollouts, or major business transformations.

A mature compliance function should maintain a compliance change calendar. It should show what is hitting which employee population, when, and why. It should identify collision points. It should distinguish regulatory deadlines from preferred deadlines. It should flag high-risk groups that are already carrying heavy control burdens, such as sales, procurement, finance, logistics, government affairs, and third-party management teams.

The ECCP supports this risk-based discipline. Prosecutors ask whether the company deploys compliance resources in a risk-based manner, whether risk assessments are current, and whether updates to policies, procedures, and controls reflect lessons learned and evolving risks. Sequencing is part of that risk-based resource allocation. It is how compliance protects both the business and the control environment.

This is especially important in M&A integration. After closing, compliance must integrate codes, policies, hotline access, third-party controls, financial controls, training, investigation protocols, and audit plans. The DOJ specifically asks about the post-transaction compliance program, compliance oversight of the new business, incorporation into risk assessments, and post-acquisition audits. If compliance imposes all requirements on the acquired business at once, it may create both formal coverage and practical confusion. A sequenced plan gives employees a path from old expectations to new standards.

Measure Whether the Change Landed

Completion rates are not enough. Certifications are not enough. Attendance is not enough. The ECCP asks whether the program works in practice, whether it evolves, whether the company uses data to assess the program’s effectiveness, and whether it measures culture and seeks input from all levels of the organization. That means compliance change management must be measurable.

For training and communication, useful measures include questions asked, policy search data, guidance requests, hotline and speak-up trends, control exceptions, approval delays, audit findings, investigation themes, manager feedback, and pulse survey results. The issue is not simply whether employees received the message. The issue is whether they understood it, trusted it, and used it.

This is the practical bridge between Grossman’s article and the ECCP. Change management is not separate from the effectiveness of the compliance program. It is how effectiveness is achieved.

Practical Takeaways

1. Create a compliance change inventory. List every major policy, training, system, control, campaign, certification, and reporting change scheduled for the next two quarters.
2. Map the impact by employee group. Identify who is being asked to absorb the most change and whether those employees sit in high-risk roles.
3. Require a change narrative for every significant rollout. The narrative should explain the risk, the business rationale, the required behavior, and the available support.
4. Build dialogue into the process. Use listening sessions, manager huddles, Q&A channels, post-training feedback, and office hours. Then close the loop.
5. Sequence based on risk and capacity. Not every compliance initiative can be first. Prioritize what is legally required, what addresses the highest risk, and what enables other controls to work.
6. Measure behavior, not just delivery. Report to leadership on whether the change landed in the business, not merely whether the email was sent or the training was completed.

The compliance lesson is clear. Employees do not fail to follow compliance programs only because they lack information. Sometimes they fail because the organization has given them too much change, too little context, and no practical path to execution. A better compliance program does not simply say more. It listens better, aligns better, sequences better, and measures whether the business can actually do what compliance has asked.