This year’s World Cup has seen its share of exciting individual contributions, but teams advancing to the tournament’s knockout rounds got there in part because they are just that — teams. Likewise, corporate governance is increasingly a team sport, write Emanuel Batista of Kroll and compliance and ethics executive Juliana Jaccoud Molina.
The 2026 FIFA World Cup men’s soccer tournament demonstrates that elite teams rely on more than talent alone. Modern soccer depends on conditioning, analytics, logistics and robust infrastructure to sustain performance under real-world risks. While individual brilliance remains important, it no longer determines outcomes independently.
Corporate governance is evolving in the same way, with integrity determined not by good intentions but by whether systems work in real-world conditions. Ethics is an operational capability rather than a reflection of character, a distinction reinforced in the DOJ’s “Evaluation of Corporate Compliance Programs.” It must be built with intent, properly resourced and continuously improved through the plan-do-check-act (PDCA) cycle, a four‑step management method well-established in manufacturing, healthcare and project management.
This systems‑based approach is consistent with ISO 37301, the international standard for compliance management systems, which requires organizations to design, operate and continually improve compliance frameworks capable of functioning under real‑world conditions.
Organizations do not fail from a lack of policies but because policies often fail under complex, fast-moving or opaque conditions, not unlike those players are encountering on the pitch.
The core issue is whether systems are designed to respond effectively in practice.
Competing on uneven playing fields
This distinction is critical in complex operating environments. In Latin America, business operations are characterized by uneven playing fields, fragmented data, opaque counterparties and overlapping obligations related to anti-corruption, anti-money laundering (AML), sanctions, counterterrorism, privacy, AI governance, labor standards and ESG requirements. These dynamics align with the OECD’s good-practice guidance on internal controls, ethics and compliance, which stresses tailoring compliance systems to geographic exposure, third-party reliance and local operating conditions.
Integrity failures in these contexts seldom result from a single poor decision. They occur when systems cannot withstand pressure from multiple competing demands.
The challenge lies not only in the number of risks but also in their interactions. A single decision, such as onboarding a third party, can simultaneously raise concerns related to anti-corruption, sanctions, AML, privacy and ESG. Companies that address these risks in isolation often detect issues only after a problem has occurred.
Interconnected risks
Effective management requires understanding overlapping exposures across functions, jurisdictions and business operations. Global consistency often breaks down locally, while local adaptation can create global gaps.
The most effective compliance programs standardize principles while allowing flexibility in their application across jurisdictions. A framework effective in North America may encounter distinct challenges in Asia Pacific, Europe, the Middle East, Africa or Latin America due to varying regulatory maturity, business culture, enforcement expectations and data availability.
Organizations that perform well across jurisdictions recognize that effectiveness depends not only on policy design but also on how those policies are implemented, understood and sustained in practice.
In corporate compliance, organizations must establish systems that anticipate stress and sustain performance. High-performing organizations develop core capabilities that operate reliably.
Developing systems for dynamic risk environments
Soccer previously depended on improvisation and instinct, but today championships are secured through repeatable strategies, such as training load management, recovery science, opponent analysis and disciplined execution. While talent remains important, systems now determine whether talent can endure under pressure. Compliance has evolved in a similar manner.
Organizations can no longer rely on the “character” of leaders, or the corporate equivalent of a star striker improvising solutions. As operations expand and risks converge, relying solely on individual judgment has become a liability. Modern integrity demands disciplined infrastructure, consistent decision-making and measurable readiness throughout the enterprise.
Successful teams begin by evaluating both the opponent and the pitch. In compliance, the “pitch” represents where risk emerges, such as in third-party relationships or incentive structures. Formal organizational charts rarely indicate where these pressure points truly exist.
In Latin America, exposure frequently extends beyond traditional anti-corruption concerns. Sanctions proximity, organized crime, trade-based money laundering, counterterrorism risks and informal influence frequently intersect with routine commercial activity. Risk is not determined solely by intent. As proximity and dependency increase exposure, the primary governance concern is whether systems function effectively in practice.
Privacy and AI governance obligations have shifted compliance responsibilities to the technology sector. In this context, policy quality and training completion are no longer effective metrics. The primary concern is whether the organization can prevent and detect real-world risks while operating in fast-paced, ambiguous and imperfect conditions. The central governance question is whether systems function effectively in practice, rather than whether policies simply exist.
AI-driven decision governance
AI is already shaping decisions for which organizations are accountable. Organizations are deploying AI tools in recruiting, procurement, customer service, monitoring and investigations, often outpacing the development of governance frameworks. Boards should consider the following:
- AI is shaping high-risk decisions in healthcare, finance, national security, criminal justice and autonomous transportation.
- Can those decisions be explained and verified?
- Who is responsible for inaccurate output?
AI tools in third-party screening can accelerate due diligence, but weak or incomplete data may create a false sense of security rather than reduce risk. This highlights the importance of integrity due diligence. Traditional screening processes are insufficient in environments where risks are evolving and often hidden. Organizations must understand the parties with whom they do business and how those relationships might create broader exposure. This is particularly important when third-party relationships involve sanctioned entities or foreign terrorist organizations, as incomplete or outdated information can result in serious blind spots. In these cases, risk-based integrity due diligence is essential. It is no longer just a procedural step but a proactive effort to identify risks that may not be immediately apparent.
Compliance now centers on an organization’s ability to explain, monitor and govern AI usage, rather than on whether AI will be deployed. As global regulators introduce AI-specific requirements, boards should identify where AI systems influence decisions, understand their data sources and ensure accountability for unexpected outcomes resulting from automated processes. This challenge is particularly acute for multinational organizations facing emerging regulations in Europe, evolving guidance in the U.S. and varying governance expectations across Asia Pacific and Latin America.
Preparing for unforeseen regulatory changes
When FIFA introduced revised handball rules and implemented semi-automated offside technology before recent tournaments, teams that did not internalize these changes conceded goals and received red cards for unanticipated infractions. Compliance operates in a comparable manner. New disclosure regimes, shifting sanctions programs, AI-related obligations and expanding privacy enforcement provide no advance warning. Preparedness is shown through testing and performance under stress, not through written policies.
The focus has shifted from the existence of compliance programs within organizations to the effectiveness of those programs under operational pressure.
In complex environments, many companies realize that their assumptions about regulatory expectations are outdated and that previously effective compliance programs are now inadequate. True preparedness requires scenario planning and escalation drills, not just issuing a memo.
Defense, midfield & VAR: Structure of a resilient program
Elite teams win championships through rigorous conditioning, repetition and preparation. Such preparation is essential in the decisive moments of a match when pressure and stakes are highest. In compliance, preparation centers on developing preventive controls. If personnel are unprepared for the pace of global operations, the organization must rely on hope. Culture becomes tangible when it is practiced until it becomes reflexive. This outcome is the result of intentional design, not chance.
Third-party risk management is an organization’s main defense. In Latin America, reliance on vendors and consultants is essential but introduces significant risk. In data-limited environments, missing information should serve as a warning rather than instill confidence. Effective defense must address ESG issues and supply chain transparency, which often exceed the scope of traditional controls.
In many emerging markets, organizations both operate through and depend on third parties. Distributors, customs brokers, consultants, logistics providers and local representatives often serve as the organization’s operational front line. As a result, third-party governance should be considered a core component of enterprise risk management, not merely a procurement exercise.
Organizations should understand the identities of their third parties and the significance of these relationships for business continuity, regulatory exposure and reputation. In many jurisdictions, third parties represent an organization’s greatest compliance risk, as they operate at the intersection of commercial growth and regulatory risk.
Boards should require third-party governance to comply with specific standards:
- Integrity due diligence should be integrated into strategic decisions, not limited to procurement.
- Data gaps should be viewed as risk signals, not resolved with assumptions.
- Diligence criteria should cover sanctions, ESG exposure, data handling and reputational risk.
Game control through coordination
Effective teams maintain control by recognizing patterns and managing tempo. Compliance teams must likewise recognize patterns and manage complexity across anti-corruption, AML, sanctions, counterterrorism, ESG, privacy, AI governance and labor compliance.
Nearshoring illustrates this convergence clearly. A single shift in a manufacturing location can simultaneously introduce labor risk, customs exposure, third-party dependency, sanctions proximity and supply-chain transparency obligations. These signals are rarely isolated incidents. They emerge as patterns that become visible only when functions share information and assess risk collaboratively. Managing these intersecting exposures reflects the principles set out by COSO, which treats risk as an enterprise‑wide factor affecting strategic execution.
Midfield control relies on effective coordination, shared visibility, aligned incentives and clear ownership at risk intersections, rather than additional rules. However, effective coordination requires robust supporting infrastructure. At this stage, the video assistant referee (VAR) system is essential.
Modern sporting events use systems like VAR or instant replay in the NFL to improve integrity and ensure accurate decisions. Elite teams identify problems before the final whistle. Coaches rely on continuous communication from players who recognize weaknesses, threats and breakdowns before they become decisive.
Organizations require similar capabilities. The effectiveness of a compliance program depends not only on the volume of hotline reports but also on employee trust in the reporting process and the consistent and fair resolution of concerns.
Serious integrity failures rarely happen without warning and are often preceded by ignored concerns, delayed escalation or a workplace culture where employees believe speaking up is riskier than remaining silent.
Boards and executives should periodically assess the reliability of reporting channels, the timeliness and adequacy of investigation resources, the identification and remediation of root causes and the incorporation of lessons learned into operational improvements.
An investigation does not necessarily indicate failure of a compliance program; it often demonstrates that the system is functioning as intended.
Reporting mechanisms and investigations, like VAR in modern soccer, provide organizations with a structured process to identify concerns, verify facts and address issues before they escalate into major failures.
Compliance operates as an organizational VAR, with reporting channels, investigations, remediation protocols, audit trails, escalation processes and documentation that preserve integrity despite human error. These expectations mirror those in the World Bank Group’s integrity compliance guidelines, which assess whether organizations can prevent, detect, investigate and remediate misconduct under real‑world operating conditions.
Regulators and boards now expect organizations to show not only which decisions were made but also how and why they were made. Many compliance failures result from accumulated blind spots, ignored warnings and undocumented decisions, which often go unnoticed until scrutiny exposes structural weaknesses, rather than from a single catastrophic event. The inability to reconstruct and explain a decision presents a governance risk, even if the outcome is favorable.
Technology has transformed integrity programs but may create a false sense of certainty in data-constrained environments. Algorithms rely on data quality and cannot interpret local nuances without human judgment. The most effective model is a hybrid approach that leverages technology to scale oversight while relying on people to interpret context. Technology should serve as an assistant referee, not as the coach. It augments, rather than replaces, human intelligence.
The captain’s armband: Board leadership and disciplined growth
Successful teams discern when to act decisively and when to exercise restraint. In Latin America, increased regulatory scrutiny reduces the margin for error. In the region, organizations frequently identify promising acquisition targets or distribution partners, only to discover during due diligence that the counterparty has unresolved beneficial ownership issues, informal government connections and limited data availability.
Both the commercial opportunity and risk are genuine. Strategic restraint — such as pausing the transaction, conditioning approval on enhanced monitoring or withdrawing entirely — does not indicate a lack of ambition. It demonstrates sound governance.
Effective leaders establish tactical standards and maintain composure during operational stress. In 2026, boards are expected to consider integrity as an organization-wide responsibility, not solely a function of the compliance department. This responsibility encompasses not only legal and regulatory compliance, but also technology governance, supply-chain oversight and organizational resilience.
Boards are evaluated on incident occurrence and their systems’ effectiveness in detecting incidents. Ultimately, wearing the armband signifies responsibility as the ultimate point of accountability. To assess the practical effectiveness of governance systems, boards should consider the following questions:
- Where does integrity risk arise in our day-to-day operations?
- Which third-party relationships result in the highest dependency and exposure?
- Are our escalation and reporting processes effective in practice?
- Do we have adequate resources and infrastructure to manage high-risk scenarios?
Wearing the armband signifies accountability. Boards are responsible for ensuring that governance frameworks are established and function effectively when tested.
The final whistle does not mark the end of the tournament
Modern soccer demonstrates that teams win championships through reliable systems rather than isolated moments of brilliance. Organizational integrity follows the same principle. Successful organizations prioritize defensive depth, manage oversight systematically and pursue disciplined growth rather than impulsive expansion.
The final whistle does not mark the end of the tournament. The next match follows almost immediately, often under increased scrutiny and with higher stakes. The objective is not simply to win a single game but to develop a system that consistently performs amid complexity and uncertainty.
Integrity relies on organizational resilience. Successful organizations in complex regulatory environments do not avoid every mistake; instead, they promptly identify issues, respond effectively and continuously improve.
In the coming years, integrity will be defined by how organizations respond to complex, high-pressure situations, rather than by the number of policies or training sessions. The most successful companies will be those whose systems endure under pressure, not those with the most rules.
Boards and executives should evaluate whether their compliance programs function effectively in real-world conditions rather than simply fulfilling formal requirements. Priority should shift from documenting compliance to ensuring that systems can anticipate, withstand and adapt to evolving risks.


Emanuel Batista
Juliana Jaccoud Molina






