Why Mitigation Should Be a Dirty Word

The implications of a compliance industry evolving away from risk and towards strategy

It used to be that a compliance officer’s primary job could be boiled down to two words: risk mitigation. This was true of General Counsels, Chief Compliance Officers, Chief Legal Officers, and other C-level leaders.

Mitigation (noun):
1. The act of lessening the impact or intensity of something unpleasant.
2. The process of making a condition or consequence less severe.

Here are some of the articles geared towards compliance officers, from Compliance Week:

  • Internal Investigations Just Got a Lot More Complicated
  • Flying the Unfriendly Skies of Investigations and Resignations
  • Human Trafficking Lawsuits Expose Supply Chain Risks
  • Preparing for the Economic Risks That Come Next
  • How Policy and Corporate Culture Can Collide

Notice the words in bold. It’s called GRC, after all, so risk is literally part of the job.

A decade ago, Enron and WorldCom set the business world on notice that doing the wrong thing could do more than bankrupt your business – it could land you in jail. Risk mitigation and compliance have evolved in the aftermath, in a world of tighter regulations. Yet forward-looking compliance officers have started to realize that compliance can be about a lot more than just avoiding problems.


Compliance has evolved to include not just overt legal risks but reputational ones as well. The reason is obvious to any compliance officer in today’s market: the erosion of a company’s reputation has been proven to impact customers and business partners negatively.[1] In short, a bad reputation is bad for business. Some companies, like Apple, have been able to prevent what could be PR disasters from damaging their brand.

This is why ethics, gifts and expenses, hotlines and whistleblower policies, and so much more must be watched over by today’s compliance leadership. Reports to the board and CEO usually include the ways a company is being protected from both legal and ethical breaches, sometimes with proactive policies and sometimes by being able to prove to regulatory agencies that a bad apple acted more-or-less alone – or at least without senior management’s knowledge.

This can significantly lessen fines and the impact of wrongdoing, and protect a company’s larger brand image, but it’s still not taking full advantage of what today’s technology can allow.


Compliance’s roots are in the legal profession, of course. General Counsels and CLOs are attorneys, and are thus trained to look at the world through the eyes of risk, tort, and criminality. This is vitally important for the safeguarding of any large corporation doing business on the world stage.

This is a reactive mindset – sometimes brilliantly so – trained to limit exposure and to mitigate risk. We liken this to a modern firefighter, trained to step in when needed to prevent something bad from becoming something catastrophic.

But in today’s fast-paced business environments spanning multiple countries and thousands of laws, it’s quickly becoming apparent that avoiding risk can translate into missing opportunities.

Remember those headlines at the beginning of this article? Notice the focus isn’t on opportunity. Yet many of the companies dominating today’s markets take strategic risks all the time – the Apple Watch, the Tesla Powerwall, Google Glass. Not all of them pan out (remember “glassholes”?), but they show the spirit of risk-taking and innovation that is vital to staying vibrant and successful.

GRC + O (Opportunity)

Compliance officers today have two things that weren’t available until very recently: reliable, up-to-the-minute intelligent data, and a simple way of understanding its implications.

This makes the CCO more like a fire manager than a firefighter – his or her job success is defined by the overall health of the forest, not just in fighting fires. Because the CCO can see real data in real time, from areas as disparate as HR, accounting, talent management, trainings, and incident reports, they can provide both benchmarks and solutions to potentially problematic areas, long before actual problems break out. They can also help to pinpoint positives, like superstar employees who may be under-compensated (and thus at risk for being lured away), or departments that consistently and repeatedly outperform others in vital metrics that have broad implications for training.

Compliance used to be about mitigation, company-wide, generic trainings and policies, and the management of risk. It still needs to do these things, but today it’s also about using data to help steer companies into greater profitability, and into the opportunities that always come along with the risks.

[1] Perry, Jason, and Patrick de Fontnouvelle. October 2005. “Measuring Reputational Risk: The Market Reaction to Operational Risk Announcements.” Federal Reserve Bank of Boston.