Resilience in corporate compliance is not a byproduct of good intentions. It is the result of boards asking the right questions before the crisis arrives rather than after. Teri Cotton Santos, Chief Compliance Officer with over two decades of advising boards and leadership teams across highly regulated industries on legal risk, compliance, and ethics, has seen the difference that board-level engagement makes when it is rigorous and the damage it fails to prevent when it is not. “When it comes to corporate compliance, readiness is everything,” Santos says. “Compliance resilience does not happen by accident. It is built with intention.”
How Well Do We Understand Our Risk Landscape?
The first question Santos challenges boards to ask exposes the gap between compliance reporting and compliance intelligence. Quarterly updates create the appearance of oversight. They rarely create the depth of understanding required to anticipate risk before it becomes a regulatory or reputational event. “Boards should push for dynamic, real-time insights of compliance risks across operations, third parties, and emerging regulations,” Santos says.
The distinction she draws is between organizations that report incidents and organizations that anticipate them. A compliance program built around incident reporting is structurally reactive. By the time the report reaches the board, the exposure has already materialized. Proactive compliance intelligence changes the timeline entirely, giving leadership the visibility to intervene before risk compounds into consequence. The question boards need to be asking is not what happened last quarter. It is what is developing right now and what the organization is doing about it before it becomes a problem.
Do We Have the Right Tone at the Top and the Middle?
The second question Santos raises addresses the most common failure point in compliance culture. Boards understand that tone at the top matters. What they underestimate is the distance between the boardroom and the day-to-day decisions where compliance culture is actually expressed. “Culture starts in the boardroom, but it lives in the day-to-day,” Santos says. “Boards should ask how ethical behavior is being reinforced at every level of leadership.”
The middle layer of management is where compliance programs succeed or quietly fail. Managers who are not equipped and empowered to model compliant behavior create a gap between the organization’s stated values and its operational reality – one no policy document can close.
“Are managers equipped and empowered to model compliance?” Santos asks. “The answers to these questions often reveal the true strength of a compliance program.” Boards that limit their culture assessment to executive behavior are measuring the policy, not the practice.
Are We Investing in the People and Tools That Make Compliance Stick?
The third question determines whether a compliance program has the resources to function as a strategic asset or is constrained to operate as a reactive cost center. Technology enhances compliance capability. It does not substitute for the human judgment and organizational investment that make compliance programs genuinely effective.
“Technology helps, but it is only as strong as the people using it,” Santos says. Boards need to ensure compliance teams are not under-resourced relative to the risk environment in which the organization operates. That means asking whether training is effective, whether data analytics are being used to identify patterns before they become problems, and whether the compliance function has the organizational standing to influence decisions rather than simply document them. “The compliance team should be a strategic partner, not a cost center,” Santos says. Organizations that treat compliance as overhead consistently discover the cost of that framing at the worst possible moment.
The questions boards ask about compliance determine the quality of the compliance program the organization builds. Boards that accept quarterly summaries without probing the risk landscape, culture, and resource adequacy are providing the appearance of governance rather than it• s substance.
“Compliance resilience starts when boards ask sharper, smarter questions,” Santos says. The organizations that build genuine compliance resilience are the ones where the boardroom sets a standard of inquiry that drives proactive risk management, genuine cultural accountability, and strategic investment in the function responsible for protecting the organization’s integrity.
Follow Teri Cotton Santos on LinkedIn for more insights on compliance leadership, board governance, and building resilient ethics and compliance programs.
