Compliance is core business

Philippe Meyer December 17, 2012 (expanded & updated)

Compliance as a Mandatory Pain: A Self-Fulfilling Prophecy

In most financial institutions, compliance projects occupy an uncomfortable corner of the corporate psyche. They are tolerated rather than embraced, funded at the bare minimum needed to satisfy the regulator and shelved as quickly as possible once the box is ticked. Unlike revenue-generating initiatives, which attract the best talent, executive sponsorship, and creative thinking, compliance programs are often quietly handed off to whichever team can absorb them with the least disruption to “real” business.

This attitude is not entirely irrational. Compliance does not directly generate revenue. It does not open new markets or delight customers. And in an environment of constrained budgets and competing priorities, the temptation to do just enough — and no more — is understandable.

But this mindset is also a self-fulfilling prophecy. When compliance is treated as a distraction, it becomes one. Projects are scoped too narrowly, staffed with whoever is available rather than whoever is best, and managed toward a deadline rather than toward an outcome. The result is predictable: money is spent for the sake of being compliant, and not a cent of value is recovered on the other side.

The tragedy is that this need not be the case.


There is Always Something Positive in a Change

It is a truism worth taking seriously: every change, even one imposed from the outside, carries within it the seed of something useful. Regulatory pressure forces organisations to examine processes, governance structures, and risk exposures that might otherwise go unreviewed for years. The question is not whether value exists within a compliance mandate (it almost always does) but whether the organisation has the curiosity and discipline to find it.

This requires a deliberate shift in framing. Rather than asking “how do we satisfy the regulator at minimum cost?”, leaders should ask “what does the regulator’s concern reveal about our business, and what can we do about it that serves us as well as them?” The answer to this second question is rarely obvious, but it is almost always more interesting, and more valuable, than the answer to the first.


Business Continuity Planning: A Case Study in Missed Opportunity

Business Continuity Planning (BCP) is perhaps the clearest illustration of how compliance value goes unrealised. Banks and financial institutions are required to maintain comprehensive continuity plans covering a wide range of disruption scenarios: industrial action, power outages, flooding, critical IT failures, and broader metropolitan crises. The regulatory rationale is straightforward — financial systems are too important to be left vulnerable to foreseeable disruptions.

And yet, the history of BCP in financial services is largely one of underinvestment and minimal effort. Even after events like the September 11 attacks in 2001 demonstrated in the starkest possible terms that catastrophic disruptions are real, not theoretical, the default institutional response has been to treat BCP as an administrative obligation rather than a strategic capability.

The consequences of this attitude show up in predictable ways. BCP programs are delegated to teams that sit outside the core business, ensuring that the people who best understand operational dependencies have limited involvement in designing the plan. Communication around continuity themes is sparse and largely confined to the compliance calendar. Testing, where it occurs at all, tends to be perfunctory, a checkbox exercise that satisfies the auditor without meaningfully stress-testing the organisation’s actual resilience.

The plan that emerges from this process is usually technically compliant but strategically thin. It covers the basics because it has to, but it does not reflect a genuine understanding of how the business actually functions under pressure, or what it would truly take to keep critical services running for customers in an emergency.


Sustainability as a Strategic Asset

Step back from the compliance framing for a moment and consider what a genuinely excellent BCP program would represent. It would mean that the organisation had systematically mapped its critical processes, understood its dependencies, identified its single points of failure, and built credible alternatives for each of them. It would mean that staff across the business understood their roles in a disruption scenario and had practised them. It would mean that customers’ assets and access to services were protected even under severe conditions.

This is not a compliance story. This is a story about organisational resilience and sustainability, and it is a story with real commercial value.

Banks that can demonstrate genuine, tested continuity capability occupy a meaningfully different position than those that cannot. In an environment where institutional trust is fragile and customers are increasingly sophisticated about the risks they take on, the ability to credibly say “we have invested seriously in our ability to serve you under any circumstances” is a differentiator. It can influence the choices of large depositors, institutional clients, and counterparties who care about the creditworthiness and stability of their banking relationships.

More fundamentally, embedding sustainability as a core organisational value changes the nature of BCP work itself. When continuity is seen as a business priority, not a regulatory obligation, it attracts better people, more creative thinking, and genuine executive attention. Plans become more sophisticated. Testing becomes more rigorous. And crucially, the process of thinking seriously about continuity often surfaces improvements to normal operations that would never have been identified otherwise.

Consider a simple example. A bank developing a genuine BCP capability might find that its model for emergency service provision, typically a local backup provider activated only in extremis, is both expensive and fragile. Thinking more broadly, it might instead explore whether existing operations in other geographies could absorb critical workloads on a shared basis, with the necessary process redesign to make this practical day-to-day. The result could be a more resilient operating model that is also more cost-efficient in normal times, a genuine win that emerges directly from taking the compliance mandate seriously.

This is admittedly a simplified illustration, but the underlying logic applies across a wide range of regulatory domains. The organisations that will benefit most from the coming wave of sustainability-focused regulation are those that engage with it as a strategic prompt rather than a compliance burden. The first movers will shape the landscape; the laggards will merely react to it.


Controls Should Emerge from Operational Systems

One of the most persistent inefficiencies in compliance and risk management is the proliferation of separate, parallel systems built in the name of independence. The logic seems sound at first glance: control functions (market risk, credit risk, compliance oversight) need to operate independently of the front office, and independence implies separation. Therefore, build separate systems.

In practice, this reasoning leads to a costly and fragile architecture. Parallel systems must be built, maintained, reconciled, and updated in lockstep with the operational systems they shadow. Data flows between them introduce latency, errors, and points of failure. The teams managing these systems spend significant energy on reconciliation rather than analysis. And when the operational systems evolve — as they inevitably do — the control systems must follow, at additional cost and with additional risk of divergence.

There is a better model, and it does not require sacrificing independence.

The key insight is that independence is a governance property, not an architectural one. What matters is that the data used for control purposes and the algorithms applied to it are owned, managed, and validated by the control functions, not that they run on physically separate infrastructure. These two things are often conflated, but they are not the same.

A well-designed operational system can be partitioned in a way that gives control areas genuine ownership over the data and logic relevant to their function, while still running on shared infrastructure. Market risk teams, for example, can own and control the risk models and parameters used in their calculations, with appropriate access controls ensuring that front-office teams cannot modify them. Credit risk functions can maintain authority over the credit assessment logic embedded in the system, with full audit trails of any changes. The independence is real; it is enforced through governance, access controls, and data lineage, but it does not require duplicating the underlying platform.
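As an added illustration (not code from the original article), the following constructed Python model shows the partitioning described above: one shared parameter store, with write authority over each namespace held by the owning control function, reads open to everyone, and an append-only audit trail giving lineage for every change. The namespaces, user names and parameter keys are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: one operational system, partitioned by ownership.
# Independence is a governance property: the store decides who may write
# each namespace and records lineage, rather than living on a separate box.
OWNERSHIP = {                  # parameter namespace -> owning control function
    "market_risk": "market_risk",
    "credit_risk": "credit_risk",
}


@dataclass(frozen=True)
class Principal:
    user: str
    function: str              # e.g. "front_office", "market_risk", "credit_risk"


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    key: str
    old: object
    new: object


class PartitionedStore:
    def __init__(self) -> None:
        self._params: dict = {}
        self._audit: list = []   # append-only; no method ever removes an entry

    def read(self, who: Principal, key: str):
        # Shared infrastructure: every function reads the same live values.
        return self._params[key]

    def write(self, who: Principal, key: str, value) -> None:
        # Keys are "<namespace>.<name>"; only the namespace owner may write.
        namespace = key.split(".", 1)[0]
        owner = OWNERSHIP.get(namespace)
        if owner is None or who.function != owner:
            raise PermissionError(f"{who.user} ({who.function}) may not modify {key}")
        stamp = datetime.now(timezone.utc).isoformat()
        self._audit.append(AuditEntry(stamp, who.user, key, self._params.get(key), value))
        self._params[key] = value

    def lineage(self, key: str) -> list:
        # Full change history for one parameter, oldest first.
        return [e for e in self._audit if e.key == key]
```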

The benefits of this approach are significant. A single, well-maintained operational system is inherently more reliable than two parallel systems that must stay in sync. It reduces the total cost of ownership across both the business and control functions. It eliminates reconciliation as a daily operational burden. And it means that when the business evolves, control capability evolves with it automatically, rather than requiring a parallel change programme.

Regulators, for their part, are generally receptive to this model when it is well-designed and clearly governed. What they care about is the integrity and independence of the control function, not the number of servers it runs on. Institutions that can demonstrate robust partitioning, clear ownership, and comprehensive audit capability within a unified architecture will find that regulators are willing to engage with this approach.

The move toward integrated, well-governed operational platforms is also consistent with the broader shift toward treating compliance as a core business capability. Just as BCP becomes more valuable when it is owned by the business rather than delegated to the periphery, control functions become more effective when they are embedded in the operational architecture rather than bolted on alongside it.


Making the Move: What It Takes

Shifting from a compliance-as-cost to a compliance-as-capability mindset is not primarily a technical challenge. It is a leadership and culture challenge.

It requires senior leaders who are willing to make the case — internally and externally — that regulatory engagement is a source of competitive advantage, not merely a tax on doing business. It requires the allocation of genuinely good people to compliance programs, not just available ones. It requires a willingness to scope projects broadly enough to capture the strategic opportunity, not just narrowly enough to satisfy the letter of the requirement.

And it requires patience. The benefits of this approach do not always show up in the next quarter’s numbers. They show up in the quality of the organisation’s risk management over time, in its reputation with regulators and customers, and in its ability to absorb disruption without losing ground.

The organisations that will thrive in an increasingly regulated environment are those that understand this. The ones that continue to treat compliance as a mandatory pain will find, eventually, that the pain is all they get.


The opportunity is there for those willing to take it. Better to move first.