When Leadership Becomes the Control
For years, compliance effectiveness has been judged by the strength of formal frameworks: policies, disclosures, surveillance, escalation procedures. Those elements remain essential—but recent enforcement actions suggest they are no longer sufficient on their own.
Yet in conversations with compliance leaders, I often hear a familiar pause when this topic comes up. There’s broad agreement that leadership behavior matters, but also a quiet recognition that acting on that insight can feel risky. Not because it’s wrong, but because naming leadership behavior as part of the control environment can push beyond where compliance leaders feel empowered or protected to operate. That tension - between knowing what’s true and knowing what’s safe - is where many of these discussions stall.
Increasingly, regulators are less focused on whether controls exist and more focused on how leadership behavior activates, or neutralizes, those controls when risk surfaces.
This pattern is evident across recent SEC, FINRA, and DOJ enforcement actions involving conflicts of interest and material nonpublic information. In many cases, firms had well-documented programs in place. Yet enforcement narratives consistently point to the same root causes: failure to escalate, ignored red flags, and ineffective supervision.
The implication is subtle but important. Leadership behavior itself is now being evaluated as part of the control environment.
A shift in how effectiveness is judged
FINRA’s recent exam priorities and supervision commentary emphasize that “reasonable supervision” must adapt as business models, deal velocity, and information flows evolve. Static controls are no longer sufficient in dynamic environments.
Similarly, DOJ guidance on evaluating corporate compliance programs continues to stress not just design, but effectiveness in practice - particularly whether leadership reinforces compliance through timely escalation and follow-through.
Taken together, the message is clear: regulators are examining what leaders did once risk became visible, not simply whether a process existed.
Why this creates tension for compliance leaders
Many compliance leaders recognize this reality immediately - and hesitate just as quickly. They don’t control incentives, staffing levels, or business pace. Asking them to address leadership behavior directly can feel unrealistic or unsafe. Compliance professionals are risk-aware by design, and few are eager to absorb additional personal exposure by reframing leadership decisions as compliance issues.
That hesitation doesn’t reflect disagreement. It reflects realism.
The question, then, is not whether leadership behavior matters, but how compliance leaders can engage this shift without overstepping their authority.
From culture critique to control effectiveness
A more practical approach is to treat leadership behavior as a control effectiveness signal, not a cultural judgment. Compliance leaders already understand that a control can exist and still fail. Surveillance systems generate alerts that go unreviewed. Escalation paths collapse under time pressure. Documentation captures outcomes but not judgment.
Leadership behavior fits squarely within that same framework. When issues surface late, repeat across business lines, or escalate only after damage occurs, regulators increasingly view that as a failure of supervision - not a tooling gap.
Seen this way, leadership behavior becomes a leading indicator of whether risk is surfaced early or allowed to compound quietly.
I know that at this point, some CCOs may be thinking: I don’t disagree with any of this, but I also know where the limits of my authority are. I’m accountable for the program, not for how senior leaders behave under pressure, and I’m not eager to absorb more personal risk by turning leadership behavior into a compliance issue. That concern is not resistance; it’s realism. This shift isn’t about asking compliance leaders to police leadership. It’s about recognizing how regulators already assess leadership decisions after the fact - and helping the organization be better prepared when that scrutiny comes.
What can realistically move the needle
For compliance leaders operating within real constraints, progress doesn’t require confrontation or cultural crusades. Here’s how you can approach the organization.
Frame observations around systems, not individuals. Patterns like: late escalation, repeated issues, and inconsistent follow-through, are easier to discuss and defend than personality critiques.
Anchor conversations in regulatory defensibility. Asking whether the firm could clearly demonstrate how issues moved through leadership once risk surfaced is a practical, low-friction way to engage senior stakeholders, and finally
Encourage teams to evidence judgment, not just outcomes. Capturing moments of challenge, pause, and tradeoff strengthens both supervision and audit readiness over time, without requiring a wholesale change in culture.
An opportunity, not an indictment
Regulators are not asking compliance leaders to take on more personal risk. They are asking firms to demonstrate that leadership behavior makes controls work in practice.