A word association exercise with the phrase “disruptive innovation” may yield concepts such as cutting-edge technology, increased speed and scale, new market reach, or the adoption of entirely new business models. It could be a while before compliance enters the conversation. Indeed, innovation vs. compliance is one of the trickier balancing acts that any organization must attempt. However, smart enterprises look at compliance risk early and often when investing in disruptive (or potentially disruptive) innovation. Compliance risk is the possibility that a particular business activity may violate regulations, industry standards, or enterprise policies—and of course that risk carries potential legal, financial, and reputational impacts.
At first glance, it may seem that when there is less regulation, there will also be less compliance risk. However, the opposite is often true: Compliance risk is usually lower when well-established organizational processes have mature regulations and guardrails around them. Conversely, compliance risk may be high when there is little to no regulation in place. This is because sooner or later, there will be. Data privacy regulation is an example of this. As consumer demand for increased transparency and privacy concerning personal data drove new regulation, this caused disruption, and in some cases existential threat, to enterprises. Today, though it is still taking form, data privacy regulation has normalized to the point that most organizations can take basic, well-understood steps to ensure that they are managing compliance risk effectively.
Earlier this year, the United States Department of Justice indicated that it will now consider the integration and assessment of disruptive technologies as a pivotal component in evaluating enterprise compliance efforts.1 This underscores the importance of the compliance function in the organization’s overall approach to disruptive innovation. There are some key actions the compliance function should take to help make sure the risk of disruption is assessed effectively.
These best practices can also be applied to the IT audit function, depending on its overlap with compliance within the organizational structure. The audit function must provide verification and assurance to demonstrate compliance with regulations, standards, and organizational policies.
Engage Early
Ignoring disruptive innovations can have detrimental effects on an organization. “It is not just an unconscious blind spot” that causes successful enterprises to be undone by disruptive innovations, according to the MIT Sloan Management Review.2 “[Some] successful companies make conscious decisions to deemphasize or seemingly ignore those innovations until it is too late.”
Compliance risk related to disruptive technologies should be assessed early and often. In the early 2000s, for example, analysts would have been correct in thinking that the disruptive potential from the digital music market faced significant compliance-related obstacles stemming from copyright law as well as contractual agreements between artists, labels, and distribution channels. Indeed, roughly three years after its 1999 launch, the popular audio file-sharing site Napster ceased operation and filed for bankruptcy after losing multiple lawsuits related to copyright infringement.3 However, consumer demand for digital media and advancements in technology ultimately led to the revolutionizing of the music industry. The book retailer, Borders, which ceased operations in 2011, famously failed to reinvent itself based on this changing reality, while its competitor, Barnes & Noble, fared better by investing in its online sales presence and developing its e-reader, the Nook, anticipating growth in digital media consumption.4
The sooner the organization begins to get a read on where the disruption is headed and how it might challenge the status quo, the better, and that involves the compliance function. The reason is that compliance considerations form part of the overall risk profile for emerging technologies, whether that innovation is occurring within or from outside the organization. For example, an emerging technology may enable a business process to be executed faster; however, if that speed does not permit time for mandated quality assurance procedures to take place, that impacts the disruptive potential of the new technology.
Meanwhile, no organization wants to play catchup from a regulatory compliance standpoint, which is another good reason to begin looking at the compliance aspect of a potentially disruptive innovation as early as possible. When new technologies gain traction, compliance leaders should engage early with:
- Standard-setting bodies
- Industry associations
- Third parties that aid enterprises with maintaining compliance
Getting in on the ground floor of emerging regulations (and corresponding compliance frameworks) is the best way to protect the organization against future compliance risk. If organizations participate in the early stages of new regulation and framework development, there is less chance they will be surprised by regulatory actions later on. Participating in regulatory discussions may also allow an organization to help shape the rules that will govern a new paradigm.
Know Yourself
“Knowing others is intelligence; knowing yourself is true wisdom,” a quote traditionally attributed to Lao Tzu,5 is a great mindset when addressing potentially disruptive innovations. To properly address a perceived disruption, it is important for employees to firmly understand the mission, strengths, and values of their workplace. The goal is for all staff to possess a shared, ongoing understanding of who they are as an organization. This is why training and awareness, culture, and cross-departmental communication are so vital when making decisions about technological implementations.
This can become murky in the context of enterprise IT, where there are many different stakeholders’ perspectives to consider and the focus is likely to be more on capability, engineering, and security than compatibility with organizational culture. Still, those technical considerations, and even compliance ramifications, should take a backseat to a higher-level assessment of cultural compatibility. It is certainly possible that leadership could determine that the organization needs to change in some way to coexist with disruptive innovation, but fit must be evaluated, nonetheless.
As PricewaterhouseCoopers (PwC) noted in a recent report on risk management, “An overly strong compliance culture can stifle innovation…while too weak of a compliance focus can impact brand and reputation. An effective risk culture enables business leaders and risk managers to have a clear understanding of the organization’s risk appetite. This provides the board and senior executives confidence that risk will be identified and managed as desired across the organization. When strategy, risk appetite, and risk culture are aligned, business leaders can take decisive action.”6
Pick up the Pace
A surefire way for the compliance function to position itself as a hindrance to innovation is by slowing the process down. To be clear, applying the brakes when the organization is heading for danger is what functions such as audit, legal, and compliance are supposed to do—but that is different from getting mired in bureaucracy and overly complex procedures. The latter may result in the organization proceeding recklessly (i.e., bypassing compliance) or being overly patient to the point of missing time-sensitive opportunities and exposing itself to faster-moving competitors or disruptors. It is important to examine several areas where quickness matters most.
Training and Awareness
When dealing with disruptive innovation, it is expected that internal messaging is going to change over time. For example, enterprises may have implemented training in the past as it relates to using (or not using) open-source artificial intelligence (AI) apps such as ChatGPT. Now, as more enterprises are partnering with these disruptors (a change that has occurred rapidly), more nuanced training is required to cover acceptable and unacceptable uses, risk, regulations, and organizational strategy.
From a compliance perspective, training and awareness are essential components of responsible AI implementation. Therefore, auditors and compliance personnel should be concerned with whether there is a process in place to update and disseminate training quickly and responsively.
Policy
Disruptive innovations, and the regulations that accompany them, sometimes dictate that organizations update existing policies or implement new ones. Therefore, it may be beneficial for the audit and compliance functions to look at who is responsible for creating, reviewing, approving, and owning policies (i.e., conduct an end-to-end review) to determine if the process is responsive enough for the organization to be able to put new policies in place in a timely manner. If it is an overly protracted process, then the risk introduced by having no policy in place might outweigh the risk of having a policy that requires some fine tuning.
Risk Assessment
When performing risk assessments for disruptive innovations, which are likely to change rapidly, speed and frequency are critical. Rigor and precision are still important, of course; however, with the rate at which enterprises are investing in new technology and new regulations are emerging, leadership often cannot afford to wait weeks or months for the results of a risk assessment. It is more useful to adopt an approach that gives management the information they need to know at that moment and repeat assessments quickly and frequently to facilitate a more thorough and current understanding. As opposed to quarterly, semiannual, or annual risk assessments in more stabilized areas, the mindset toward risk assessment related to disruptive innovation should be as close to continuous as possible.
Skills and Expertise
In a profile of high-performing internal audit teams, the audit firm Wolters Kluwer determined that “High performance internal audit teams understand the business they are auditing. This means an intimate understanding of its products, customers, risk, and competition.”7 To achieve this understanding, the report states that the audit function can recruit directly from the business areas, or they can invest in the ongoing development of the team through training and certification programs and/or some form of rotational experience in the organization.
The same principle applies to compliance teams. The compliance function must possess the skill and expertise to provide actionable guidance—in a timely manner—to management with regard to potentially disruptive innovations. Compliance personnel cannot be experts in everything, but a strong technical understanding of the enterprise greatly increases the speed with which they can evaluate potentially disruptive innovations.
As noted by Foley & Lardner, LLP, “To effectively navigate the intersection of technology and compliance, businesses should invest in building technological literacy and expertise within their compliance teams.”8
Build Trust
Sometimes the compliance function is perceived as a blocker to the organization’s need to respond (e.g., adopt, acquire, collaborate) to disruptive innovation, but this does not have to be the case. Indeed, as KPMG noted in a recent report on the role of internal audit, “When you earn the trust of your stakeholders—from customers and regulators to employees, suppliers, investors, and the communities where you operate—it gives you the permission to innovate boldly, grow responsibly, and create a new future.”9
Audit and compliance practitioners must present themselves as collaborators who are keen to help the organization achieve its objectives responsibly. This requires proactive communication. Compliance should not always be waiting for management to come to them and ask, “Can we do this?” Instead, compliance should be involved at the early stages of assessment: ideation, testing, procurement, etc. It is not always easy to know how or when to communicate proactively, but for starters, many government agencies and leading industry organizations regularly publish guidance on emerging topics that can be great conversation starters between compliance and other teams. Subscribing to those and digesting them for management in a way that summarizes impact and relevance is a great way to impart added value. This shows management that compliance is about scouting ahead to help make sure the path is clear, not putting up roadblocks.
Conclusion
Perhaps some organizations have become desensitized to the specter of disruptive innovation following years of rapid change marked by a global pandemic and the persistent drumbeat surrounding the transformative power of AI. However, diligence is still required to spot, assess, and respond to potential disruptive innovations. Organizations need their compliance teams to be proactive, curious, and engaged with key stakeholders so that they can help management accurately assess threats and opportunities from disruption on an ongoing basis. For compliance leaders, increasing the speed and frequency of risk assessments, strengthening the compliance team’s technology expertise, and being intentional about building trust and rapport across the organization are good places to start to help ensure that their enterprise does not end up like those who failed to effectively assess and respond to potential disruption.
Endnotes
1 Mehta, J.; et al.; “Integrating Disruptive Technologies: DOJ’s New Approach to Corporate Compliance Evaluation,” Foley and Lardner LLP, 8 March 2024
2 Gans, J.S.; “Keep Calm and Manage Disruption,” MIT Sloan Management Review, February 2016
3 Harris, M.; “A Short History of Napster,” Lifewire, 16 February 2023
4 Noguchi, Y.; “Why Borders Failed While Barnes & Noble Survived,” 19 July 2011, NPR
5 Mitchell, S.; Tao Te Ching–A New English Version With Foreword and Notes, Harper Perennial, USA
6 PricewaterhouseCoopers (PwC), PwC’s 2022 Global Risk Survey: Embracing Risk in the Face of Disruption, 2022
7 Chapman, J.; “High Performance Internal Audit Teams: Business Alignment,” Wolters Kluwer, 19 July 2023
8 Mehta, J.; “Integrating Disruptive Technologies”
9 KPMG, Internal Audit—Trusted and Disrupted, 2022
KEVIN M. ALVERO | CISA, CDPSE, CFE
Is chief compliance officer at Integral Ad Science. He leads the company’s regulatory and industry standards compliance initiatives, spanning its global ad verification products and services.