For the past ten years, compliance leaders have been judged by a single question:
“Will we survive the next crisis?”
The next decade will demand a different question:
“Are we helping to build value before the next crisis even exists?”
I remember a room, years ago, where an audit surfaced a risk the organization itself had already known about for months. No one had lied. No one had hidden anything on purpose. The risk simply hadn’t reached the right table in time. Do you know why? Back then, compliance was still seen as the function called in after the decision had already been made — the function that showed up to put out the fire. That was when I understood, with clarity I still carry today, that the problem is rarely a lack of information. It is the decision-making architecture that keeps that information away from those who could act on it.
This article makes a simple argument: governance and risk-culture shortcomings are not isolated technical failures, but latent liabilities that become acute at exactly the moment an organization can least afford to improvise. The question is not whether compliance should have a seat at the decision-making table. It is how long an organization can afford to keep it out of the room.
Over more than a decade of my career, I have taken part in some of the most complex corporate transformations in Latin America. I went through post-Lava Jato remediation alongside regulators such as the U.S. Department of Justice, the World Bank, and the IDB. I faced socio-environmental crises that permanently changed how I see operational risk. I built integrity programs across sectors as different as construction, mining, and petrochemicals, and today I continue that path leading Compliance at Zamp S.A., the House of Brands of Mubadala Capital, responsible for brands such as Burger King, Starbucks, Popeyes, and Subway.
The main lesson I learned from these experiences was not about corruption.
It was not about investigations.
It was not about fines.
It was about leadership.
The companies that survived were not, necessarily, the ones with the most controls. They were the ones that managed to turn integrity into strategy and understood that, in the end, it is all about people.
1. What corporate crises have been trying to teach us
The crises were different. The failures, surprisingly, were similar.
Lava Jato was the largest anti-corruption investigation in Latin American history, with impacts that reshaped corporate governance across the continent. Mariana and Brumadinho showed what happens when known risks turn into human tragedies. Geological crises, such as the one in Alagoas, revealed the social and reputational cost of operational decisions made over decades — decisions that, in isolation, seemed reasonable.
As different as these crises were in “nature,” they shared the same patterns:
- organizational silos
- a culture of silence
- known risks left unaddressed
- excessive focus on short-term results
- a disconnect between strategy, risk, and culture
These patterns have not disappeared; they have only become more dangerous. Today’s business environment is far more dynamic and unpredictable than it was a decade ago. Beyond traditional regulatory risks, we now contend simultaneously with international economic sanctions, export controls, artificial intelligence, human rights, geopolitics, transnational organized crime, information security, data privacy, and psychosocial risks. Global supply chains can be disrupted overnight; reputational events can destroy value in a matter of hours. The same silos and the same culture of silence that explained yesterday’s crises now operate across a far greater number of risk fronts at the same time.
Organizational culture works like a company’s immune system: it silently defines what is tolerated and what is unthinkable. No risk map, however sophisticated, can replace that system once it has been compromised.
The most recent data confirms that this pattern is not intuition, it is fact. The EY Global Integrity Report 2024 shows that one in five organizations experienced a significant integrity incident in the past two years, and a third party was involved in 68% of those cases. Even more telling risk is not concentrated at the operational front line, as intuition might suggest. While 25% of employees admit they would act unethically for personal gain, that number rises to 51% among senior leadership and reaches 67% among board members. And only 47% of leaders frequently communicate to their teams why integrity matters. Silos and cultures of silence, therefore, are not born from the shop floor upward, in most cases, they are born from the top down.
That is why I now believe that, even more than “tone from the top,” compliance must also prioritize middle management, because that is where the key to cultural change lies, and where strategic decision-making power already resides.
Crises rarely stem from a lack of information. They arise when an organization chooses to ignore the information it already has.
2. Why traditional compliance is no longer enough
The traditional compliance model was designed to respond to the past: policies, training, investigations, controls, and checklists. It is a necessary role, but an insufficient one for what lies ahead.
Many organizations still see compliance as a policing function. The future demands the opposite: professionals capable of influencing decisions before risks materialize, moving away from “you can’t” and toward “here’s how to do it safely.”
Part of the problem lies in how we measure the function’s success. A significant share of organizations still evaluate compliance using essentially quantitative indicators: number of investigations conducted, due diligence opinions issued, training sessions held, policies published. These indicators matter, but they measure only the function’s activity, not the value it generates for the business. Compliance should instead be evaluated by the quality of the strategic decisions it helped enable, the material risks it anticipated and mitigated, and its ability to build resilience mechanisms that allow the company to grow sustainably, including in scenarios of high uncertainty.
The problem is not only what we measure, but also what we ask. Boards and committees tend to ask Compliance questions that sound rigorous but are, in practice, easy to answer without revealing anything: “Do you have a strong risk culture?”, “Is a compliance system in place?” These are questions any experienced executive can answer fluently and without hesitation, and precisely for that reason they say almost nothing about how the organization behaves under pressure. The questions that generate value are more specific and more uncomfortable: When was the last time a project stopped for being deemed too risky? Has Compliance ever been excluded from a material decision, and what was done about it? These questions are hard to answer with a cliché, which is exactly why they reveal the real culture, not the institutional one. A board that only asks easy questions is, without realizing it, buying into the same illusion of control we discussed in the context of a culture of silence.
This traditional model also tends to be reactive to regulatory enforcement cycles, more investment when enforcement intensifies, less priority when it eases. Mature organizations do the opposite: they structure their compliance programs around long-term horizons, not the probability of enforcement at any given moment. They understand that integrity programs reduce uncertainty, improve decision-making, and increase organizational resilience regardless of the prevailing regulatory cycle.
The compliance of the future will not be measured by how many risks it identified, nor by the intensity of enforcement at any given moment. It will be measured by the quality of the decisions it helped build, in any cycle.
3. The rise of the strategic Compliance leader
The next generation of compliance leaders will need to understand the business as deeply as they understand risk.
That means fluency in EBITDA, valuation, M&A, and shareholder value creation, along with a strategic view of international expansion, reputational management, supply chains, ESG, and corporate governance.
When that happens, compliance stops being a cost and becomes an accelerator: early involvement in strategic decisions, certifications and integrity programs as a competitive advantage, access to international markets, credibility with investors, and a lower cost of capital.
In practice, this changes the very question the Compliance Officer asks. Faced with a critical supplier, the question is no longer just “is it approved from a reputational and regulatory standpoint?” but rather: what is the financial impact if this supplier stops operating? How long can the company keep running its operations? Are there already-vetted alternatives to ensure business continuity? These are the questions, not the due diligence checklist that directly shape a company’s operational resilience and capacity to grow. Formal compliance with a requirement was never a guarantee of integrity; it is healthy skepticism questioning the obvious, investigating the weak signal, that separates reactive compliance from strategic compliance.
The Compliance leader is no longer just the guardian of integrity. Today, their main mission is to help the company make better decisions, grow safely, and turn risk into competitive advantage.
4. The human risk most companies still underestimate
The next major corporate crisis may not stem from corruption, a control failure, or a natural disaster. It may stem from human exhaustion.
The France Télécom case, an aggressive organizational restructuring, institutionalized pressure, and the conviction of executives for organizational moral harassment, is a warning the compliance community has yet to fully absorb. It was not an isolated labor dispute: the company and its former executives were criminally convicted, with prison sentences and fines, in a ruling that redefined, in France and beyond, what leadership accountability for employees’ mental health means. Burnout, anxiety, and psychosocial risks have stopped being an HR topic and become a governance one, as regulators and investors increasingly demand greater transparency about organizational culture.
This redefines the role of compliance: culture as a prevention mechanism, reporting channels as tools for genuine listening, monitoring of human indicators, integrity that goes far beyond corruption. In practice, this means building consequence-management policies that distinguish genuine error from willful misconduct, and that treat self-reporting as an act of courage and professional maturity, not a confession to be punished. When people believe that disclosing a failure will result in automatic punishment, the organization ends up operating under an illusion of control, masking vulnerabilities until they become crises.
A toxic culture can destroy value just as quickly as fraud.
5. My prediction for the next decade
We are witnessing the birth of a new generation of compliance leaders: professionals capable of protecting reputation, accelerating growth, strengthening culture, anticipating crises, supporting strategic decisions, and building trust with investors and other stakeholders all at the same time.
Ten years from now, the most successful organizations will not be the ones with the largest compliance departments. They will be the ones where compliance is fully integrated into the value creation process.
A final provocation
For years, we asked: “What happens when the authorities knock on our door?”
Perhaps the more important question now is a different one:
“What are we doing today to make our organization stronger, more ethical, and more valuable before anyone needs to knock?”
Because the future of compliance will not be defined by the crises we managed to avoid. It will be defined by the value we managed to build.
About the Author:
Karina Figueiredo has been nominated for the Legal Honor Global Awards 2026, in the Leading Compliance Expert of the Year category, by LexTalk World , in recognition of her career in governance, compliance, integrity, and risk and crisis management — currently leading Compliance at ZAMP S.A.
Karina Figueiredo Costa Garcia is a Senior Compliance and Governance executive with over 10 years of experience leading ethics, integrity, risk management, and regulatory compliance programs across highly regulated industries. She currently serves as Head of Compliance at Zamp, the operator of Starbucks, Burger King, Subway, and Popeyes in Brazil. Throughout her career at Braskem, CBMM, Odebrecht Engenharia & Construção, and Zamp, she has led major compliance transformations, internal investigations, and governance initiatives. Karina also played a key role in post-Lava Jato remediation alongside international regulators and is recognized for her expertise in compliance, AI-driven due diligence, crisis management, and governance frameworks.