The Survival Guide for Chief Compliance Officers in Uncertain Times

The US may be the most extreme example of regulatory unpredictability. A series of Supreme Court decisions in 2024 upended the regulatory rulemaking process,^[1] leading to the expectation that more regulations would be subject to challenge and litigation. While many financial institutions welcomed what was expected to be a less regulated environment and recent administration pronouncements and leadership changes continue to signal an easing of regulation and enforcement, the uncertainty has made it difficult for CCOs to plan. Questions also remain around whether some regulatory agencies will be merged or even eliminated outright, what the administration means when it says there is the need for a "fundamental refocusing" of how the nation's regulators supervise . . . banks" and what this all implies for regulatory compliance, supervision and enforcement. But it's not just CCOs in the US who are facing uncertainty.

As a result of signals that the US is less inclined to strive for international coordination on issues as diverse as capital adequacy and economic sanctions, multinational banks are concerned about a growing divergence of regulatory requirements, which will complicate compliance efforts.

In addition, CCOs are facing challenges in their own countries and regions. In the United Kingdom, the Prudential Regulation Authority ("PRA") and the Financial Conduct Authority ("FCA") in January reiterated their support for "the Government's focus on delivering a higher rate of sustainable economic growth in the UK, and on encouraging responsible risk-taking in support of that goal." The U.K. Chancellor and HM Treasury have also announced plans to review the U.K. regulatory framework, provide challenge on how regulators are enabling growth and have already announced the closure of the Payments Services Regulator as part of this review. Further changes to the regulatory framework and an expected reduction in regulatory "burdens" are expected in the U.K.

The EU has committed to a simplification agenda designed to enhance European competitiveness, attract investment and reduce regulatory fragmentation across member states and has appointed a new Commissioner for Implementation and Simplification, tasked with coordinating the Commission's response and ensuring that regulatory changes reflect the needs of businesses. A recent example includes the proposal for an Omnibus simplification package in respect of sustainability reporting.

Australian Securities and Investments Commission ("ASIC") chair Joe Longo in a March 2025 speech said that businesses and regulators alike face increasing challenges due to complex and overlapping regulations. ASIC has formed a Simplification Consultative Group to advance the goal of developing recommendations for making regulatory guidance more accessible and practical for businesses and directors. The goal of this initiative was not to deregulate but to "refine regulatory processes to ensure they remain effective and proportionate," according to Longo.

CCOs must find a way to navigate these and many other challenges to survive in an increasingly challenging environment. No doubt seasoned CCOs have faced similar circumstances before, but the magnitude and pace of change today have ushered in a degree of turmoil that seems extraordinary and may require unusual effort to manage.

For CCOs who work in organizations that have strong and immutable cultures of compliance, the period ahead may be chaotic, but they can take comfort in knowing their boards of directors and senior management will support them throughout and make clear that compliance remains a priority.

For those CCOs who are not sure what to expect or for any CCO who expects to encounter institutional challenges, this paper aims to equip you with information for navigating the complexities of your role during uncertain times.

Key elements of a survival kit

Imagine that you are heading out on a trek through the wilderness; what are the important things that you would want to include in your survival kit? They would include items such as:

• Basic necessities - water, food (ideally non-perishable), shelter materials such as a tent or tarp to protect you from the weather, fire-starting tools for warmth and cooking, and insect repellent.
• Navigation tools - a map, a compass and maybe a GPS device.
• Signaling devices - a whistle, a mirror, flares, a hand-held laser.
• First aid - basic supplies needed to treat injuries in a survival situation.
• Other essential gear - Swiss army knife, a flashlight and batteries, and a battery-powered or hand-cranked radio and a weather radio, solar-charged cellphone.

You might not think that the risk of getting lost in the wilderness has much to do with a CCO's surviving a stressful operating environment nor do we intend to suggest that a CCO's challenges are comparable to the life and death situations other survivors may face, but we do think there are some parallels in the way all survivors prepare for and manage their challenges.

The CCO's survival kit

Ask a CCO what she needs to survive in uncertain times, and the response you get will likely point to three basic necessities, namely:

• People - an adaptable, resilient team who understands the business, culture and regulatory environment will respond well in a crisis, knowing that extra vigilance and monitoring are required along with greater risk awareness and reporting. Compliance teams are, however, already stretched, meaning that those who have adopted compliance technology may be better placed to respond.
• Technology - whether it is monitoring emerging risks, conducting risk assessments, or using predictive analysis or scenario planning, technology can make a big difference to assessing and responding to uncertainty. Firms with agile technology can perform continuous monitoring, dynamic risk assessments and respond more quickly and accurately to the changes required, identifying competitive advantages and compliance or reputational risks as they emerge. Those able to harness AI will be able to respond quickly and effectively.
• Data - successful implementation of technology and AI also demands quality data that can be easily interrogated and form an accurate and reliable basis for analytics, risk identification and scenario analysis.

Knowing when and how to progress when the road ahead is less clear may test a CCO's navigation skills. CCOs are used to having to make decisions based on less than perfect information. But conflicting or frequently changing views from politicians, regulators, the market and customers make that more challenging. When changes to the regulatory landscape render existing maps ineffective, CCOs will need to draw on their ethical and moral compass and consider the risks and impacts of potential changes, knowing that these form effective guardrails for many regulatory decisions. It will be important for CCOs to have as full a view of the environment as possible, and regular discussions with peers, industry groups and regulators will provide helpful directions, warnings and information as to when and how others are responding.

CCOs know the importance of compliance culture in responding to uncertainties. The CCO will want to report to senior management and the Board on how the organization is dealing with uncertainty, noting the specific regulatory changes, emerging risks and the additional help and support, whether budgetary, strategic or moral, that may be required to deal with the changes. While it may be harder to get management's attention due to an increased need for financial or business focus, the CCO will need to signal for help by being persistent, providing clear direction of the way forward and risks, and by raising concerns in a variety of fora. Keeping management aware of emerging risks and uncertainties may help prepare the ground for when leadership, decisions and support are required.

Of course, there are times when it's all gone wrong, and an emergency response is required! An early warning system of risk identification can help identify when course correction is needed and the CCO applying first aid will need to reassess the corrective action required, advise management and potentially discuss with regulators. Strong and trusted relationships and effective communication will make this process much easier.

What essential gear will a CCO need in her kit? We suggest that horizon scanning capabilities come into their own in periods of uncertainty or rapid and sometimes contradictory changes. Being able to identify new and emerging trends, changes or regulatory expectations is critical. The move from peripheral vision to central vision has been very rapid on topics such as deregulation, potential sanction changes and reduction in consumer protection. A robust risk assessment methodology is also essential kit to enable rapid analysis and determination of how to respond.

The world is noisy and messy. You need to deal with the noise and uncertainty.

The survivor's mentality

Just having a survival kit does not guarantee a positive outcome. Other factors such as physical health, and even luck, can play important roles, especially for someone trapped in the wilderness.

But if you are facing a survival crisis, no matter the type, having mental fortitude - a survivor's mentality - can also significantly enhance your ability to confront and overcome challenges.

A survivor's mentality is characterized by the following:

• Purpose - a reason to survive. For CCOs that means not forgetting the important role you play as the conscience of the organization, a role that is pivotal to promoting ethical behavior, accountability, and adherence to laws and regulations, and to maintaining the organization's reputation with its customers and community.
• Positive mindset - focusing on what you can control, setting realistic goals, staying connected to like-minded people who understand the situation you are in and can offer guidance, and viewing challenges as a learning experience are some of the strategies that can help maintain a positive outlook.
• Confidence - an "I'll figure it out" approach that reflects confidence in your ability to overcome challenges and solve problems even if the solution is not immediately apparent. CCOs who have been through these situations before can draw confidence from their prior experiences.
• Courage - being willing to challenge a decision that you think is wrong.
• Adaptability - being able to change course without great difficulty when circumstances warrant.
• Empathy - having situational awareness and understanding the feelings of others can have broad benefits, including improving the ability to navigate and resolve conflicts and finding more effective solutions to problems because decisions consider the views of and impacts on all involved. Remember that the way you want to resolve something is not always the only way to do it. For CCOs, practicing empathy also requires continually being mindful of the effects of the current circumstances on your team, some of whom may not fully understand or may not have experienced a significant shift in compliance priorities and/or institutional commitment.

And finally, the characteristic that many would suggest is most critical to success:

• Tenacity/Resilience - an unwavering determination to succeed, no matter the challenges. This doesn't mean there aren't days when you want to give up; it means that after a setback, you shake it off and commit anew.

Giving up the fight

As important as empathy is to the survival process, you shouldn't excuse people's behavior simply because you understand their motivation; it doesn't change the damage they are doing. Within that context, there may come a time when a CCO should give up the fight. The circumstances that might give rise to such a decision would include a CCO finding herself in a situation where the organization ignores her advice or warnings and engages in unethical practices or illegal activities, or the organization's non-compliance or illegal activities expose the CCO to personal liability. Under these conditions, resignation and even whistleblowing could be options, though these actions should be a last resort and should come only after careful consideration and consultation with trusted advisors and legal counsel. In some jurisdictions, CCOs who resign can expect to be contacted by the organization's regulator who will want to understand the circumstances.

In the middle of difficulty lies opportunity.

Reflect on the lessons learned

Talk to CCOs who have managed through uncertain and challenging times and they will tell you that they learned a lot from the experience, including:

• The importance of building a resilient compliance framework that can adapt to both new requirements and changes in interpretation and enforcement of existing requirements.
• The need to lead by example and demonstrate an unwavering commitment to ethical behavior and integrity even - especially - if others are tempted to alter their behavior because no one seems to be watching.
• The heightened need to communicate effectively with all stakeholders (board of directors, senior management, employees, customers and regulators) to set and manage expectations.
• While perceived regulatory risk may be lower, the reputational risk of unethical behavior is still high, and significant damage can be done in the court of public opinion with the resulting loss of trust in the financial system.
• The Great Financial Crisis taught us that CCOs need to be able to defend and justify decisions taken in times of uncertainty. Remember that the regulators will have the benefit of hindsight - keeping records on how a suitable course of action was decided makes it much easier and more credible to explain those choices to regulators.

CCOs who have managed through periods of lighter touch supervision and regulation - and those of us who have witnessed them - will also tell you that such periods are often marked by increased risk-taking and weakening of an organization's compliance culture, which lead to unacceptable and sometimes systemic risk, followed by market volatility, loss of customer and market confidence, regulatory backlash and reforms, and an increased volume of enforcement actions. Individual institutions that take their eye off compliance by reducing investments in necessary resources and tools and otherwise deemphasizing the importance of a culture of compliance follow a similar path of increased risk-taking followed by regulatory and customer repercussions.

Sharing this history, however, is an inconvenient truth that many people do not want to hear because it requires a change in their outlook and behavior. But that doesn't mean that you shouldn't explain this pattern to decision-makers in your organization.

If regulatory pressures do ease . . . take advantage

While the immediate environment is fraught with uncertainty, we expect that greater clarity of the new regulatory expectations will eventually emerge. When it does, CCOs will want to take advantage by taking stock of how the business and the compliance function are responding to the new world. For example:

• Whether some reduction in regulatory requirements might be retained as best practice due to their value to the business. For example, in the UK the FCA has said that a Consumer Champion at Board level is no longer required, but many organizations see significant value from this role and have decided to retain this "voice of the customer" in strategic decision making.
• Where regulations become more principles-based and less prescriptive, CCOs should take the opportunity to assess how to implement the requirements in a way that is most beneficial to customers, the market and the organization, taking advantage of the opportunity to interpret the requirements in a way best suited to the business strategy and customer base. This may also afford CCOs a much-needed opportunity to revisit and redesign cumbersome processes and programs that were developed rapidly, sometimes haphazardly and almost always less than efficiently in response to time-bound regulatory criticism or directives. By focusing on outcomes rather than processes, CCOs can refine regulatory risk assessments, improve risk management and refocus compliance monitoring and testing.
• Changes in the economic environment and regulatory outlook may bring strategic and commercial opportunities. CCOs should be keen to get involved in the development of new products and services or business acquisitions from an early stage, to ensure they are designed with compliance in mind.
• Uncertainty brings opportunity! Whether it is to hire talented compliance staff who are unexpectedly in the market, or to take advantage of market volatilities in capital raising or refinancing, CCOs will be looking for surprising short-term opportunities.
• Regulators are dealing with uncertainty too; regulators welcome CCOs' views on areas of consulted changes, how the regulatory framework could be improved and overly burdensome requirements. Responding to such requests and developing a helpful dialogue with regulators during times of uncertainty can improve relationships and lead to a greater understanding of the firm's position on key issues.

Call to action

Even the most experienced CCO can benefit from preparing for a survival challenge by:

• Staying informed and aware: Closely monitor regulatory developments and changes in the organization's business that may signal a deemphasis on compliance.
• Preparing your team: Give your team a heads up that the time ahead may be more chaotic than usual and that they may need to adapt quickly to changes in direction. Make sure you keep them informed as the situation unfolds.
• Readying your survival kit and survival mindset: Assess your preparedness for dealing with heightened challenges, reinforcing, to the extent possible, areas of weakness that make it easier for compliance requirements to be circumvented.
• Identifying your survival buddies: Consult with a mentor or peers who have successfully maneuvered difficult times to learn what worked well for them.
• Defining the boundaries: Understand where the line is, what actions would prompt you to consider walking away from the organization.
• Optimizing the compliance function: Consider how any regulatory changes can best be implemented to meet the long-term needs of the organization.

Closing comment

For boards and senior management, it's important to remember that the CCO's role extends beyond mere compliance; it is about ensuring that the organization operates in a manner that builds and sustains trust with all of its stakeholders. In doing so, CCOs contribute significantly to the long-term success and sustainability of the organizations. But a CCO can only be effective with your steadfast support.

Ethics is about knowing the difference between what you have a right to do and what is right to do

See our latest Compliance Insights Newsletter

Learn More

1. US Supreme Court reshapes the regulatory landscape, Protiviti, July 8, 2024: https://www.protiviti.com/us-en/in-focus/us-supreme-court-reshapes-regulatory-landscape.