Compliance: Avoiding the Simplicity Trap
2026-05-29

Topic: Compliance Function Design

Jurisdiction: Global
Ana Flávia Azevedo Pereira
Project Lead, Group Compliance Risk Team, Aldi Süd Holding

Executive Summary

  • Compliance becomes impactful when it engages earlier with the business, uses evidence-based methods, challenges assumptions and simplifies deliberately rather than by default. Otherwise, it risks remaining reactive, procedural and increasingly irrelevant.
  • The appeal of checklist-based compliance is partly behavioural: it creates cognitive ease through familiar, low-effort, high-certainty pass/fail outcomes. Embedded compliance is more demanding because it requires earlier involvement and iteration.
  • The solution is not more bureaucracy, but better allocation of effort: standardise and automate simple issues, apply structured analysis to complicated issues, and preserve judgement and room for iteration and experimentation for complex issues.
  • The main risk is misclassification. Issues are often treated as simple or “obvious” when they are actually complicated or complex, leading to narrow reviews, paper compliance, anecdotal judgement and missed root causes.

Article

The Diagnosis

In many organisations, the Compliance function operates at the margins of decision-making.

Rather than being involved when decisions are made, it reviews them after the fact. This makes Compliance’s contribution reactive and procedural, focused on documentation and box-ticking rather than on insights and conclusions drawn from real data.

Over time, this leads to siloed operations and a growing detachment from the rest of the business. The consequence is a diminished impact of Compliance’s work and heightened compliance risks for the organisation.

This raises the question of why Compliance is often so little integrated into the business.

A disintegrated approach, involving Compliance too late and too little, can lead to products and projects not being priced accurately. Business cases that initially appear commercially attractive may later fail to meet commercial or budget expectations once compliance requirements, risks, and mitigation measures are properly factored in. (Editorial Comment)

Potential Causes

Cognitive Ease Bias

Integrating Compliance into business decisions increases complexity for both Compliance and business teams. It requires more information-sharing and a willingness to discuss risks before the business outcome is fully defined.

For business teams, this can feel like an additional layer of scrutiny and a potential for delay.

For Compliance, it requires moving beyond predefined checks and engaging with commercial realities, incomplete information and uncertain risk scenarios.

This can feel harder and slower than relying on familiar approval processes.

When decision-making becomes more complex, people often seek ways to reduce that complexity. This is referred to as the “cognitive ease bias.” Humans gravitate toward solutions that are familiar and intuitive, simple to process, low in effort and low in ambiguity.

Treating complex compliance issues as simple leads to the wrong response.

As Daniel Kahneman describes in Thinking, Fast and Slow, the pursuit of cognitive ease leads to a reliance on fast, automatic thinking (“System 1”), often at the expense of deeper, analytical reasoning (“System 2”). This preference for cognitive ease shapes how ideas are evaluated and accepted:

  • Low-effort / high-certainty approach → triggers cognitive ease → Conclusion: the idea is perceived as true or correct
  • High-effort / high-ambiguity approach → triggers discomfort → Conclusion: the idea is perceived as too complicated and is often rejected

This is why familiar ideas are often accepted more readily than new or innovative ones, and why short-term results tend to be favoured over effort-intensive analysis. Moreover, intuitive, off-the-cuff explanations often feel more convincing than data-driven reasoning.

This reinforces the appeal of a checklist-based approach to Compliance: a low-effort, tick-the-box process combined with high-certainty pass/fail outcomes creates cognitive ease. Embedded compliance, by contrast, demands more iterative engagement, closer judgement and a willingness to work through nuance rather than reduce issues to simple pass/fail outcomes.

Simple is different from superficial. Organisations should not use the pursuit of “simplicity” as a reason to avoid building the basic compliance structures needed to protect the business. In fact, maintaining a superficial approach when more effort is required may well lead to greater and avoidable complexity and risks in the long run.

Structural Avoidance of Complexity

Another set of reasons lies in how Compliance teams typically operate within an organisation:

  • Risk aversion. There is often a general culture of risk aversion and fear of being wrong. This can make Compliance teams hesitant to engage early, when facts are incomplete and the risk picture is still developing. Instead, they may prefer to wait until the business proposal is more mature and the legal or procedural questions are clearer.
  • Lack of incentives. There are often few incentives for deep analysis and experimentation by Compliance, as results are expected quickly because compliance issues are perceived as “non-productive” and decisions are time-sensitive. This encourages Compliance teams to rely on standard answers, templates and familiar approval processes rather than investing time in understanding the commercial context or underlying risk dynamics.

The result is a gradual distancing between Compliance and the business. Compliance becomes involved later, works with less context and is rewarded for speed and consistency rather than for insight.

Business teams, in turn, experience Compliance as a procedural checkpoint rather than as a function that helps them navigate uncertainty. This reinforces the perception that Compliance adds process, not value.

This is where superficiality often enters. Instead of treating uncertainty as a signal to investigate further, organisations may treat it as a reason to fall back on what is already familiar: existing controls that may be obsolete, standard risk categories that are too rigid, prior experience grounded in assumptions no longer valid, or generic assurances. The unknown is not resolved; it is simply absorbed into existing frameworks.

Misclassification of Problems

Finally, a critical issue is how compliance challenges are framed. Many compliance challenges are incorrectly treated as straightforward when, in fact, they require expertise, analysis and sometimes experimentation.

Drawing on the Cynefin framework, many compliance issues are treated as “obvious” and approached through standard best practices, when they actually belong in the “complicated” or “complex” domains.

This misframing leads to:

  • narrowly scoped reviews that miss root causes;
  • “paper compliance” focused on confirming expectations rather than testing reality;
  • overreliance on qualitative judgement and anecdotal evidence instead of real data.

When complexity is avoided, Compliance risks becoming reactive, procedural and peripheral.

Many compliance issues are incorrectly treated as "Obvious" (and handled per SOP), when they are "Complicated" or even "Complex".

Solution: Structured analysis, increased engagement, constructive challenge

To increase its impact, Compliance must deliberately counteract these root causes. This requires moving beyond reactive, checklist-based work and building a function that is analytical, engaged with the business and comfortable working through complexity.

First, Compliance should introduce more structured analytical approaches. This means using consistent methodologies for root cause analysis, risk assessments and complex problem-solving. Conclusions should be evidence-based rather than driven primarily by heuristics, intuition, or assumptions. In practice, this requires Compliance to:

  • apply defined formats for root cause analysis and risk assessments;
  • standardise processes for complex problem-solving;
  • ensure that conclusions are supported by evidence, not merely by experience or instinct.

Second, Compliance should increase its engagement with the business. Rather than reviewing decisions retrospectively, Compliance should be embedded in key decision-making processes at an early stage. This enables Compliance to collaborate before positions become fixed and before risks are difficult to address.

Third, Compliance should encourage constructive challenge. Effective compliance work requires space for dissenting views, especially where assumptions are weak, data is incomplete, or decisions are being made under time pressure. Compliance should actively test assumptions, scrutinise incomplete evidence and avoid premature conclusions. This helps prevent superficial agreement and ensures that important risks are not overlooked simply because the initial explanation feels intuitive or convenient.

Finally, Compliance should embrace complexity and ambiguity. Some issues cannot be reduced immediately to simple answers, and temporary discomfort may be necessary where deeper analysis is required.

How to avoid complexity without becoming superficial? Create a control; if it does not work or you discover that it is too burdensome, adjust. That iterative process is part of systemic thinking and complex problem-solving.
Compliance leads should make sure their teams have the right expertise and emotional competence to influence without formal authority. They should also work with the business to build a culture that supports effective engagement. (Editorial Comment)

Efficiency: Applying Effort Where It Matters

While compliance must engage with complexity, it must not increase effort indiscriminately. Focus effort on areas where complexity materially affects risk and decision-making; apply effort proportionately based on risk and impact.

Distinguish clearly between simple, complicated and complex issues.

  • Simple and low-impact issues should be standardised and automated wherever possible. What is considered “simple” or “low impact” is often judged intuitively, and minimum assessment standards can help avoid misclassification.
  • For complicated issues, structured analysis, data and defined methodologies can help create consistency.
  • For complex issues, i.e. issues that the organisation does not yet fully understand (e.g., new legislation), the focus should be on standardising and automating the routine elements, such as data collection, checks, and documentation, while preserving space for judgement, analysis, and iteration.

Beware that technology is less useful where a problem is still truly complex. In those cases, the first task is to create the conditions for better analysis before automation or AI can be applied effectively. Decision frameworks can help clarify when escalation or deeper analysis is required.

The key is to simplify deliberately, not by default.

To drive change, logic alone is not enough. Address emotions and habits, and respond to the environment.
Complex thinking may be necessary to create genuinely simple compliance. Avoid simplifying problems prematurely.
Organisational laziness can actually be beneficial where it prevents unnecessarily complex processes and bureaucracy. While the efficiency principle itself is not wrong, implementation often suffers because of competency gaps. Employees often do not understand the requirements well enough. This creates blind spots, where risks are not identified at all; tunnel vision, where risks are only considered in areas in which people feel confident; and box-ticking, where uncertainty leads people to follow processes mechanically without identifying the actual material risks. (Editorial Comment)

Conclusion

The effectiveness of Compliance is determined by its willingness to engage with complexity and challenge cognitive comfort.

When Compliance optimises for ease and certainty, it risks misclassifying problems and overlooking the root causes of compliance risks. It can also become disconnected from business decision-making. Over time, such a function remains procedural, reactive, and ultimately risks becoming irrelevant.

By contrast, when Compliance integrates with the business, embraces the uncertainty this creates, and deliberately applies analytical rigour to address it, it becomes a meaningful contributor to organisational performance and better decision-making.

A note on staffing the Compliance function: the function needs a practical mix of business experience and legal analytical skills. Compliance is the second line in a three-lines model. Its role is to advise on frameworks and boundaries, highlight grey areas, and recommend mitigations so the business, as the first line, can make informed decisions. This means compliance often requires judgement in ambiguous situations, not just legal analysis. Keeping this in mind is particularly important where compliance sits under Legal, as it often does. (Editorial Comment)

20Minds thanks Ana Flávia Azevedo Pereira for sharing this short essay. We sincerely thank Rauno Hoffmann, Reinhard Mahn, Thomas Neumeier and Dr. Hendrik Schulze for their editorial advice.

Sources

* Ana Flávia Azevedo Pereira is a German, Portuguese and Brazilian-qualified lawyer and compliance specialist. She is currently the Project Lead of the Group Compliance Risk Team at Aldi Süd Holding. The views expressed herein are those of the contributor in a personal capacity and do not represent the views, positions or strategies of any company, organisation or institution.