Putting controls in place isn’t enough if you want people to actually adopt good behavior. Tegan Gebert, Chris Audet and Doug Eckstein of Gartner argue that it’s up to compliance leaders to be coaches for the business rather than just system engineers.
Despite strong motivation among business leaders to manage risk and compliance, Gartner research suggests that only one-third feels confident in their ability to do so. Traditional approaches, such as policy distribution and annual training, are falling short of building the muscle memory organizations need to keep pace with today’s fast-changing regulatory landscape.
The traditional approach to risk management is being challenged by the increasing speed, complexity and cross-functional nature of modern risks. This shifting environment calls for compliance teams to do more than oversee controls; they must empower business, risk and control owners to work together more proactively and effectively.
It’s important to build “risk reflex,” a culture where risk ownership and response are instinctive across the organization. For compliance, this means making it harder for the business to bypass the right behaviors by embedding controls more directly into business platforms or workflows; encouraging the business to think critically by asking thought-provoking questions or delivering more specific insights; and reinforcing the “right” business behaviors through proper recognition.
The future of compliance isn’t about adding more oversight. It’s about engineering systems that encourage the right behaviors. Compliance leaders need to act less like enforcers and more like high-performance coaches, guiding their teams to make compliance instinctive. To achieve this, compliance leaders should focus on three core approaches.
1. Integrate compliance into daily operations
Engineer “hard to avoid” compliance. This means not only embedding controls directly into platforms or everyday workflows but also ensuring those workflows are so clearly useful, with such great visibility, that wanting to circumvent them would be unlikely. When compliance tasks are seamlessly integrated into routine business processes, it becomes easier and more natural for teams to do the right thing.
For example, by building due diligence requirements into a contract renewal process, organizations can ensure that compliance checks cannot be skipped. Similarly, embedding approval checkpoints within project management tools helps guarantee that regulatory steps are addressed at the right time, making noncompliance harder than compliance itself. The goal is to design systems where the right actions are visible, expected and reinforced by how the work gets done. Ensuring compliance is hard to avoid is not just about technology but about creating workflows and social norms that make the right behaviors prominent and difficult to bypass.
2. Foster risk ownership through meaningful dialogue
This strategy centers on provoking critical thinking. Rather than simply asking leaders if they are compliant, organizations should prompt them to consider whether they truly understand the risks and exposures they face. This shift encourages business leaders to take ownership of risk instead of viewing it as the sole responsibility of legal or compliance teams whom they report to.
By redesigning risk assessments and everyday conversations, compliance leaders can spark deeper engagement and more thoughtful responses. Ask questions to encourage business leaders to think about real-world effects and scenarios rather than just policy adherence. For example, instead of asking, “Have you done this compliance activity?” ask “What could go wrong for the business here?” This helps embed risk awareness and accountability across the organization. The quality of risk dialogue, whereby colleagues challenge assumptions, share insights and prompt reflection, is central to building reflexive risk ownership.
3. Celebrate and reward proactive behaviors
Finally, reinforcing the right behaviors is essential for building a culture of compliance. The focus must not only be on identifying the negative but acknowledging the positive.
Compliance leaders tend to report on violations; the emphasis is on what not to do. The counterbalance is giving greater recognition to people who do what they should be doing, reinforcing the actions or behaviors you want to see more often. Public recognition of teams and individuals who surface issues early or demonstrate proactive risk management can go a long way in shaping organizational culture. Sharing success stories and lessons learned helps normalize speaking up and continuous improvement, fostering an environment where compliance is valued and celebrated. Recognizing effort and openness, even when things go wrong, can spark a broader culture of learning and resilience.
The pace and complexity of today’s regulatory environment require a mindset shift from policing to coaching. Engineering compliance into daily operations, encouraging critical thinking and recognizing positive behaviors can close the confidence gap, empowering risk owners to better manage risk and compliance. Organizations that achieve this can make the right behaviors more automatic and more responsive to change. This creates lasting value.
The journey to reflexive risk ownership starts now, and every business leader has an opportunity to shape a more resilient and responsive compliance culture.


Tegan Gebert
Chris Audet
Doug Eckstein





