Why Compliance Doesn’t End with the Rulebook
Risk and compliance never stand still. In this Vanguard Risk Network session, leaders shared candid insights on ownership, coordination, and keeping enterprise risk in clear focus.
There’s always that one uncomfortable moment at the start of a Zoom call. You adjust your camera, realize you’re framed like a headless statue, tilt your screen, lower your chair—until finally someone says, “Perfect, we can see you now.” It reminds me a bit of how organizations handle risk and compliance: a lot of shifting and adjusting until the picture finally comes into focus. And even then, clarity is fleeting.
In a recent Vanguard Risk Network session, we explored just that: how senior leaders are wrestling with the coordination and ownership of risk and compliance in a world where nothing stays still for long. I was joined by several accomplished leaders, including Jay Cohen, Chief Compliance Officer for QBE North America, and Stephen Gauster, CEO of the Beekman Estate Property Group and former General Counsel of MetLife. The conversation was wide-ranging, candid, and - to be honest - refreshing in its realism.
A World in Flux
One of the most resounding themes: don’t mistake political deregulation for reduced risk. “Risk has gotten harder and more complex rather than easier,” Jay emphasized. On paper, it may look like compliance is loosening in the U.S., but that’s only part of the story. “States, foreign regulators, even customers are stepping into the enforcement void,” Stephen added. In some ways, we’re seeing risk management multiplied, not diminished.
The compliance landscape no longer ends at government borders or statutes. It moves with headlines, lawsuits, algorithms, and user reviews. Even more troubling, Stephen warned, “There’s a new category emerging - political risk - not just reputational or regulatory. And it’s far less predictable.”
Who Owns Risk?
This unpredictability poses an internal coordination challenge. By now, it’s cliché to call cross-functional risk oversight “cat herding,” but the underlying issue is real. Compliance might sit in legal today, or under the CRO tomorrow. Some advocated for a separate compliance function reporting directly to the CEO - in keeping with today’s rapidly evolving threat environment. Others defended a tightly integrated approach within legal or risk, particularly for smaller organizations where collaboration can happen dynamically.
Jay, whose role sits within risk rather than legal, offered a particularly compelling take: “Compliance is a risk management function, wherever it sits in the organization. It’s about more than laws; it’s about values, outcomes, and trust.” That perspective reshapes compliance from a checklist to a compass.
When the Business Leads the Way
One attendee, a senior counsel at a global publishing house, shared a fascinating story: “We were struggling to get clarity on a new EU deforestation law. Legal advice was murky. Then a major customer said, ‘If you aren’t compliant, we won’t buy from you.’ Suddenly everyone was on board.”
It’s a reminder that sometimes risk, especially reputational risk, isn’t driven top-down but pulled forward by market gravity. The same holds true for emerging disciplines like AI governance, where established legal frameworks offer little help and business urgency forces innovation.
The Language of Risk
Whether housed in risk, legal, or as a standalone, compliance must speak in the language of risk. That means using taxonomies, heat maps, and risk appetite frameworks that transcend function and make sense across the company. It also means confronting the “grey areas”—those moments when the rules say one thing, but the company values demand another.
“If you think regulation is gone, you’re missing the point,” Jay said at one point. “Regulators may change, but customer expectations, stakeholder scrutiny, and organizational values don’t disappear. Those are risks too—and often the kind that make headlines.”
The Takeaway: Mindsets Matter More Than Org Charts
The session ended with a case study: a fictional global tech company rethinking where compliance fits. Should it stay under legal? Move to risk? Or become its own vertical? The real answer, as Stephen wisely noted, is that it depends, and it only emerges if we ask the right questions: What are our actual risks? What skill sets do we need? Who will lead with trust and accountability, not just structure?
Because in the end, compliance done right isn’t just about checking boxes. It’s about keeping our enterprise in full frame—clear, centered, and responsible—even when the world around us is moving fast.
These insights are drawn from a recent Risk Management Exchange hosted by the Vanguard Network. This monthly gathering of 30 plus risk management leaders explores the most pressing leadership and risk challenges in a confidential, candid setting. In keeping with the Chatham House Rule, none of the quotes can be attributed to specific participants unless they are approved prior to publishing.