The current wave of deregulatory rhetoric and shifting enforcement priorities has created a dangerous misconception that compliance requirements are becoming optional. FTI Consulting’s Elizaveta Egorova, Melanie Standish and Jonathan Roberts argue that regulatory uncertainty actually amplifies the need for sophisticated risk management, as operational and reputational exposures grow more complex even when visible enforcement appears to diminish.
Recent developments in the US, including court challenges to regulatory actions, deregulatory rhetoric and shifting enforcement agendas have created the perception that compliance requirements and expectations are relaxing. Some businesses may interpret recent regulatory developments as a signal to treat compliance as discretionary. However, the associated risks — legal, reputational and operational — have not disappeared. In fact, they have grown more complex.
Regulatory uncertainty is becoming the norm, both in the US and globally. While legal mandates may shift, operational and reputational risks will remain prominent issues for legal and compliance teams to address. The absence of visible enforcement does not mean the absence of exposure. Therefore, organizations and chief compliance officers still need to “do compliance.”
Accordingly, compliance officers should orient toward a proactive, risk-resilient approach. The current environment presents an opportunity to redefine compliance as a strategic function focused on building adaptive, risk-intelligent systems that protect the business in any regulatory climate.
A risk-resilient compliance organization is, by necessity, a learning organization that is able to collect, synthesize and translate data into actionable insight. Setting this as the goal, compliance leaders should evaluate how well tools and technology enable reporting on key metrics to gauge program performance. What data do those tools aggregate, and is it the right data? Similarly, risk assessment programs should move beyond box-ticking and emphasize the enterprise’s ability to respond to disruption.
Key steps for designing a risk-resilient compliance organization include:
- Regularly refining and tailoring risk assessments so that existing programs, posture and maturity are evaluated against the organization’s operational risk exposure, particularly regarding high-risk jurisdictions. Where enforcement is seen to pull back, shareholder and reputational risk controls can be incorporated to fill gaps.
- Expanding risk assessments to include the reputational and operational risks that result from the issues that matter most to the organization’s customers and investors. For example, shareholders are increasingly demanding “good business” practices that incorporate ethical risk and sustainability in governance, regardless of the regulatory landscape. Poor risk governance that leads to crises of customer trust or shareholder confidence can undermine valuations just as much as regulatory fines.
- Strengthening programs of risk monitoring to ensure transparency and accountability and enable decisive action. Risk scoring and audit procedures should be regularly revised so that top risks are consistently prioritized, tracked and measured. Compliance data and tool maturity should be regularly audited to ensure that the technology in use aggregates data and provides visibility across risk domains and can adapt as new risks emerge.
- Building capacity for “regulatory intelligence” that allows the organization to seamlessly integrate updates to legal guidance or reflect changes to enforcement actions. Emerging tools like AI-enabled monitoring platforms can both centralize and provide dynamic tracking of evolving regulatory and compliance requirements. The most evolved regulatory intelligence programs also leverage predictive analytics to identify emerging enforcement trends, anticipate regulatory focus areas and proactively allocate resources to high-risk domains.
- Integrating risk management that encompasses operational resilience, business continuity, vendor risk management, technology and cybersecurity risk management. Break down siloes to enable cross-functional capability for crisis response and build formal mechanisms for cooperation across key stakeholders within the organization.
- Assessing third-party relationships through rigorous vendor due diligence and ongoing risk-based reviews. Even as US regulatory enforcement shifts, global expectations for corporate accountability remain high. Robust third-party risk management mitigates legal and reputational risks and also demonstrates a proactive commitment to ethical business conduct in a complex global environment.
Inaction, or simply maintaining legacy compliance programs, exposes businesses to growing hidden risks, ranging from shareholder litigation to reputational damage in the wake of failures. Investments made now to strengthen enterprise risk management and mitigation will ultimately save the business money through fewer outlays in crisis response, lower regulatory fines and greater operational efficiency.
By taking deliberate steps today to transform compliance into a strategic function — one actively prepared for disruption — leaders can better demonstrate to boards, investors and customers that the business is built for long-term success. The most resilient organizations treat risk assessments as living tools, continuously refined to reflect shifting legal mandates but also the evolving expectations of regulators, shareholders and customers. The most forward-looking companies act now. Protecting for volatility and adapting with speed, anticipating change and positioning the business to lead.
Elizaveta Egorova 
Melanie Standish 
Jonathan Roberts 
