This article was republished with permission from Tom Fox’s FCPA Compliance and Ethics Blog.

It’s often difficult for Chief Compliance Officers (CCOs) to look at compliance strategy rather than the tactical aspects of compliance. This is because it is usually the day-to-day aspects of doing compliance that are your full time job. However, the more you can think strategically about your compliance program, the more you and your company will benefit going forward. I thought about this as I read an article in the MIT Sloan Management Review entitled “Mastering Strategy,” in which Editorial Director Martha Mangelsdorf spoke with David Yoffie and Michael A. Cusumano, who recently released the book, “Strategy Rules: Timeless Lessons From Bill Gates, Andy Grove and Steve Jobs.” These men headed Microsoft, Intel and Apple, respectively.

One of the more interesting initial observations was “that strategic thinking is a capability that leaders develop over time — and that these executives, whom we know as having made some great decisions, didn’t necessarily start off as such accomplished strategists.” Grove began as a scientist, working in a laboratory, then moved into operations and became Intel’s Chief Executive Officer (CEO). The authors viewed Gates as a natural strategist, yet he learned about “execution and organization. He learned he couldn’t personally run whole areas of the company.” The authors viewed Jobs as having “great product instincts, but he had to learn to master strategy in a high tech world.”

The meat of the book is five important strategic lessons the authors learned from studying these individuals. I will use them as a jumping-off point for their application for the CCO or compliance practitioner.


As a lawyer, I certainly understand studying the past to try and learn about the future, or at least prevent the mistakes of the past. However, the authors believe “real strategists are like great chess players or great game theorists: They need to think several steps ahead towards the end of the game and then reason back to what that means about what they need to do today. As a strategist, you need to think about where you want your business to be two, three, five, seven years down the road and then figure out what are the priorities and boundaries of what you need to do as a company today to get there.”

Stephen Martin, now a partner at Arnold & Porter LLP, often talks about having a 1-3-5 year compliance strategic plan. He says this gives you a guidepost to aim for and a track record for documentation purposes. Martin believes this is a disciplined way of thinking through both several steps ahead and what they might mean for the company.


The authors note that all three executives made “big bets, but they never really bet the company.” For the CCO or compliance practitioner, the corollary is that with an effective compliance program, the business can move very fast and take risks it might not otherwise be able to do so safely. I once heard former Citibank CEO John Reed say the reason you have brakes on a car is so you can go fast, not simply to slow the car down. This is what compliance can provide if you not only think strategically, but also manage your compliance program thoroughly.


For the CCO or compliance practitioner, I can think of no better example here than to cite to Jon Rydberg, head of Orchid Advisers, and his innovations around the term “compliance ecosystem.” Rydberg developed a lifecycle of compliance around the integration of written policies and procedures, personnel and technologies. While this sounds close to a formulation such as the 10 Hallmarks of an Effective Compliance Program, Rydberg takes the concept into the realm of strategic thinking by demonstrating that by putting an entire ecosystem in place, a company could move towards replicating each step in the process without reinventing the wheel or with additional costs. The authors point to Gates, who understood that a computer was a platform and that Microsoft operating system was the key element of that platform.

The Volkswagen (VW) emissions-testing scandal is the most current example I can posit where if an effective compliance program had been in place it may well have helped to prevent, detect and remediate the issues, which came before the company. However, for any competitor, compliance would have been required to demonstrate, with transparency, compliance with applicable laws. That is using compliance strategically.


I found this rule quite interesting as it might apply to the compliance arena. The authors noted, “If you’re going to be a great strategist, you’ve got to be able to execute at the tactical level. The things that you do every day, day-to-day with your customers, with your competitors and with your partners become critical in your ability to execute your longer-term strategy.” For the CCO or compliance practitioner, I think this translates into the requirement that you deliver on the tactical or day-to-day slogging of compliance. You have to work to put the written code of conduct, policies and procedures in place, train on them and monitor them going forward. This gives you the ability to move forward strategically because you will have the strength of credibility.


Here the authors noted a distinct paradox: “You want to dive deep into the things you’re really good at, but at the same time stay at a high level and always keep the big picture in mind. You have to know yourself, know what you are good at and know your weak spots. It doesn’t matter whether you’re an entrepreneur or running a $50 billion company; the key thing is figuring out how to compensate for your weaknesses in order to make the organization execute effectively. We think that’s true regardless of company size; any CEO has to do that. In the case of Grove and Gates, they knew very early on in their careers what they were good at and what they weren’t; their crisp execution depended on finding ways to get the right people around them to compensate for areas that weren’t their personal strengths.”

For many CCOs or compliance practitioners who came to the role from the in-house legal department or with a legal training, this is particularly true. The legal department is more generally focused on protecting the company. The compliance department is more generally focused on preventing, finding and fixing problems. Second is the use of technology and, more particularly, data analytics. When asked about the COSO 2013 Framework and its application, you cannot simply point down the hall and say something like “I am a lawyer, those people in internal audit use COSO, not me.” If you cannot or do not work well with numbers, pair up with someone in your organization or company who does. Usually that is finance, internal audit or some other corporate discipline. The same is true for the COSO Framework.

Last week, I wrote that management≠leadership. One of the other key differences is that managing is about executing tactical concerns. Leadership is more about strategy. As you move to leadership in your compliance function, these lessons on strategy from some very good leaders over the past 25 years are excellent guideposts for you to incorporate into your skill set.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

Download File