
Overreacting to risk can ruin a compliance program

In-house counsel, compliance officers and the external counsel who support them are trained to be risk averse when it comes to anti-corruption and other types of compliance, and with good reason.

The enforcement stakes in the United States and beyond are increasingly high, as the bar for attracting regulatory and law enforcement scrutiny seems to be increasingly low. 

But there is a balance to be struck between mitigating risks and maximizing profits. Unless and until you find that balance, even the most well-intentioned compliance efforts are at risk of failure.

In the rush to address compliance risks, one can forget that law enforcement and regulators repeatedly advise that their expectation is that companies will take risk-based steps to implement compliance programs and internal controls.  Hard as it may be to believe at times, the law enforcement standard is not perfection, and it can be all too easy in managing compliance to let perfection be the enemy of the good. 

But the following guidelines can help you measure and manage risk, while supporting and facilitating both business and compliance success:

  • You can’t be effective if you are “Dr. No.” If the business you support knows that your answer will always be “No,” business people will eventually stop asking the questions. When challenging compliance issues arise, it is important to engage and educate the business, while partnering to try to find a workable solution that alleviates compliance concerns while allowing the business to move forward. Show that you share the same goal, or you are likely to be isolated and circumvented.
  • Compliance is about risk mitigation, not risk elimination. If humans are involved, you cannot eliminate all risk. If you try to do so, you will become an obstacle the business will seek to avoid, rather than an advisor the business trusts and seeks out for counsel.
  • Government interactions are not a red flag, but do require thoughtfulness. Interactions with government officials are an inevitable part of any business, particularly when operating across borders. They are also high-risk from an anti-corruption perspective, and therefore merit close attention. But their presence in business activities is not a red flag in and of itself. Approach them with care, but respect that they are often part of the business as usual.
  • Red flags are not by definition insurmountable. As the name suggests, a red flag is a warning sign, not a sign of surrender. The key is to examine the facts and circumstances, dig as necessary to gain the full picture, and assess whether you can move forward comfortably. In many circumstances, what at first blush may appear to be a significant issue can be easily addressed through contract terms, certifications, training, staffing decisions or other modifications that mitigate the risk in a demonstrable and well-documented manner.      
  • There is almost always a path to the desired result. When a legitimate business initiative conflicts with a compliance concern, there is likely some solution that can accomplish the goals of all involved. Any well-trained lawyer or compliance professional can create hard-and-fast rules or take the easy path to “No.” Those who are most effective will take the business’ goal as their own, and seek a way around the potential impasse that maintains their standards of risk aversion while supporting the success of the enterprise. 

Compliance professionals, like the businesses they support, must constantly evolve and adapt as their environments change. That includes periodically assessing whether their approach to risk management is tuned appropriately to the needs, initiatives and footprints of the business at issue. That is never easy, but it is vital because overcorrecting in either direction can lead to the same result — failure of your program to prevent, detect and respond to the risks it is designed to address. 


Alex Brackett is a partner in the government investigations and white collar litigation practice of McGuireWoods LLP. He is co-leader of the firm’s strategic risk and compliance team and advises corporate and individual clients on white-collar criminal defense, internal investigations and compliance program development and maintenance. Based in the Richmond, Virginia office, he has a particular focus on anti-corruption laws such as the FCPA, as well as export controls, sanctions and other trade restrictions.

  1. Thank you Alex for the well reasoned reminder that we should seek to maintain good balance in all things. It's a "best practice" to temper the tendency to, "When in worry, when in doubt, run in circles, scream and shout." It's also good to avoid Chicken Little's sky that tends to fall too often around compliance and regulation and the horror stories we tell and hear.

  2. What a sensible blog! Thank you Alex. Having been a business ethics adviser for many years, I quickly learned that understanding the business and getting the trust of the business is essential for them to come to see you with their plans at an early stage. Quite often at that point, their ideas can be molded in a way that is fully compliant AND meets their business needs. Later on in the process, that often becomes difficult.
    A straight NO is seldom required: instead the response is, let's see what you want to achieve and how we can make sure it conforms with the company values and (thus) the law. And to do so, my business colleagues said that it was helpful that I was knowledgeable on compliance, but not a lawyer. Sorry to have to say, but legalese and business English are two rather different languages!
