How companies position themselves successfully in dynamic risk landscapes
The international compliance landscape is in flux. US FCPA enforcement has shifted its focus – at first glance, the threat scenarios that have characterized it for decades appear weakened. Instead, new regulatory challenges are coming to the fore, and other old and new authorities and task forces are announcing that they will enforce their mandates consistently. The various emerging requirements often take effect simultaneously, overlapping and sometimes contradicting each other. Particularly in the area of DEI requirements, diametrically opposed demands from the U.S. administration mean that measures which until recently were considered part of HR compliance are now considered a compliance risk or even a compliance violation.
Compliance risks today are broadly defined and are dynamic, networked and interdependent. Traditional, reactive compliance is not enough in this environment. Instead, a holistic resilience model is needed: value-based, risk-oriented and integrated. Companies need structures that not only ensure compliance, but also strengthen value awareness, anticipate and actively manage systemic risks and create crisis resilience through well-prepared processes and effective communication.

U.S. enforcement trends are a hook, but not a strategy
The US Foreign Corrupt Practices Act (FCPA) and the associated regulations on sentencing, prevention and remediation have shaped global compliance practice for decades. Major proceedings, particularly against European companies, have made the US Department of Justice (DoJ) and its compliance memos and guidelines the best-practice authority worldwide. US enforcement was considered drastic, assertive and deterrent in its extraterritorial reach – a benchmark against which many companies around the world have aligned their compliance efforts.
With the temporary FCPA enforcement pause¹ ordered by the Trump administration in spring 2025 and the new FCPA Enforcement Guidelines published in June 2025, the tone appears to have softened. In future, according to the Blanche Memorandum², FCPA investigations are to be prioritized more strategically – for example, where clearly identifiable US economic interests are at risk or in connection with transnational organized crime.
Many companies saw this realignment as an all-clear signal. As a result, there has been an increase in voices questioning the scope of existing compliance programs, limiting resources or stopping planned further developments for the time being – a reaction that appears premature and potentially risky. After all, despite the US administration’s changed priorities, foreign companies, especially those with points of contact to US interests, still appear to be in focus.³ And it is also uncertain whether the supposed restraint will last beyond the Trump administration. Individual states have already made it clear shortly after the FCPA enforcement pause that they continue to regard FCPA violations as illegal and will also prosecute them within their jurisdiction.⁴
“FCPA enforcement trends may therefore provide orientation in the short term, but they are not sufficient as a basis for a sustainable, company-specific compliance strategy – and this is precisely what is needed more than ever these days.”
Nicole Willms, Partner
Regulatory U-turns turn compliance measures into the opposite
The Trump administration’s abrupt departure from legal support for measures to promote diversity, equality and inclusion (DEI) also has a particular impact on internationally active companies. While the previous administration under President Biden actively promoted DEI initiatives and in some cases even made them mandatory – particularly in the public sector and at state-funded companies – the USA is now making a clear U-turn here. Since the change of government in the USA, several executive orders promoting DEI measures have been withdrawn. Executive Order 14173⁵ created explicit requirements for federal agencies to end compensatory measures for disadvantaged groups. At the same time, measures were taken to “encourage” private sector companies to eliminate their DEI efforts, including the DoJ’s powers of investigation and litigation. International companies operating in the US now face a dilemma: on the one hand, DEI initiatives are a key component of modern corporate responsibility and are expected by employees and investors; in many cases, diversity and inclusion measures have been adopted as part of compliance and ESG strategies. On the other hand, there is now a threat of regulatory risks, particularly for public contracts in the USA. This development is not limited to the United States, but reflects a global trend: human rights and environmental regulation, which has increased significantly in recent years, is increasingly being restricted or even withdrawn.
At European level, not only the European Supply Chain Directive⁶, but also the EU Green Deal as a whole are under increasing political pressure. Although the (self-)commitment of companies to human rights standards in the supply chain remains legally permissible, without a clear legal basis this commitment will carry significantly less weight than other principles within the supply chain, such as the protection of trade secrets or restrictions on the exchange of information.

Regulatory density, geopolitical uncertainty and the end of reactive compliance
As a result, companies today are faced with a multitude of far-reaching risks – not only regulatory, but also geopolitical, social and technological. The risk landscape has become more complex, more dynamic and less predictable. Global conflicts, fragmented markets, technological upheaval and social change are creating new expectations – not only from criminal and supervisory authorities, but also from investors, customers and employees alike.
- Geopolitical fragmentation: trade conflicts, sanctions, regional regulation and protectionism make international business models more difficult. Events such as the war in Ukraine or tensions in the Indo-Pacific harbor risks with a global impact and often sudden escalation.
- Technological dynamism and digital dependency: AI, big data and automation open up numerous new opportunities – but also control risks and ethical dilemmas.
- Ecological, social and societal change: issues such as climate change, remote work, MeToo, diversity & inclusion and the exploitation of natural resources are bringing new non-financial requirements into focus. Companies increasingly bear public responsibility for social standards and an inclusive corporate culture.
All of these topics not only affect individual specialist areas such as compliance, legal or HR – they have a cross-sectional impact on processes, values, structures and ultimately the strategic management capability of the entire organization.
From the paper compliance program to the resilience model
And yet, many compliance programs and governance structures are created in response to regulatory requirements or specific enforcement cases – and are often heavily rule-based and formalized. Rules and control systems that are not anchored in the value system and day-to-day business rarely achieve the desired effect. This is all the more true when the rules themselves are increasingly questioned or even fundamentally changed by politicians.
There is no doubt that standards and guidelines such as those of the German Institute for Compliance (DICO)⁷ or those of the DoJ on the effectiveness of compliance programs⁸ provide orientation when setting up and developing your own compliance structures. They provide helpful impulses, but should by no means be understood as abstract guidelines, rigid checklists or standardized blueprints.
Sustainable compliance cannot be established as an abstract set of specifications, but only as a company-specific, living and integrated system. The decisive factor here is the control question aptly formulated by the DoJ: “Does it work in practice?”
In a rapidly changing regulatory environment, effective compliance is based not only on rules, but also on attitude. It strengthens not only control, but also self-responsibility and integrity. It does not manifest itself in a plethora of documents, but in the culture, decision-making processes and lived practice of a company. This shift does not develop its effect through formal completeness, but through genuine relevance to the business and its risks.
Corporate resilience – robust governance through integrity, integrated control and preparatory crisis management
Corporate resilience in this sense means a clear, value-based approach on the part of the company (“integrity”), the development of cross-functional governance, risk and compliance (GRC) structures⁹ or integrated assurance models¹⁰ (“integrated assurance”) and robust preparation for any enforcement measures (“crisis preparation”).
Integrity
The starting point for any compliance strategy should be a values-based approach. Companies should define minimum standards that characterize their global activities and are expected to be adhered to throughout – such as fundamental human rights in the supply chain or anti-discrimination rules. Such standards can and may take local legal peculiarities into account.
Corporate integrity is the foundation of all compliance. It encompasses not only adherence to rules, but also a consistent focus on one’s own values. Employees who experience the company values as authentic and seriously anchored often act in accordance with the rules of their own accord. In such a culture, simple, ethically based appeals are often more effective than complex sets of rules. A strong culture of integrity not only promotes compliance, but also strengthens the trust of employees, partners and investors.
Integrated Assurance
In our complex, interconnected world with a potentially contradictory risk landscape, compliance programs should no longer be thought of in isolation. Systemic risks are more than the sum of individual incidents – they arise from interactions between regulatory requirements, technologies, processes and people. Companies that want to build resilience in this context must recognize and manage their various risks in context – systematically, in a coordinated manner and across individual corporate functions.
Operational areas, risk, legal and compliance functions and, if applicable, the internal audit department should work closely together. The aim is not only a clear allocation of tasks, but also a shared understanding of risks, coordinated measures and targeted control impulses. Important elements of integrated management are:
- clearly defined roles along the three assurance lines (business, governance functions, audit);
- a common understanding of risk, holistic risk analyses and coordinated testing and control plans;
- uniform standards for (consolidated) reporting, decision-making, escalations and tracking; and
- ideally platform-supported collaboration in structured committees.
Governance, in this form, can be transformed from a pure control framework into an active and dynamic steering instance and also make complex, systemic risks visible and address them at an early stage.
Crisis Preparation
Where a values-based approach with clearly defined minimum standards forms the foundation of compliance, this can also mean accepting a certain minimum level of non-compliance in a divergent regulatory landscape. This can lead to regulatory countermeasures and official enforcement, for which companies must be prepared.
Part of this preparation must be an effective and practiced crisis management concept that includes effective reporting channels, responsibilities and preventive countermeasures. A key component of this concept is prepared strategic communication, which ensures that the value-based approach and the resulting integrated management measures are communicated clearly and transparently both internally and externally in order to gain support in the event of a crisis.
Conclusion: resilience needs an attitude
Regulation is volatile – integrity is stable!
Amid growing uncertainty in a world of fragmented regulation, resilience is becoming a core business competence – and governance a question of leadership. However, real management strength is not created by reacting to external pressure and enforcement trends, but only on the basis of an honest, value-based foundation.
Compliance and governance can only be effective in the long term if they are not merely formally “fulfilled”, but are anchored in the company and visibly practiced. In the face of complex challenges, structures are needed that provide orientation, effectively manage risks and promote integrity.
Companies that follow this path consistently benefit in several ways:
- They are more adaptable in times of crisis,
- gain the trust of investors, customers, employees and authorities,
- recognize risks earlier – and make them manageable,
- strengthen their reputation as responsible, sustainable companies.
At Pohlmann & Company, we understand that true steering power does not come from merely reacting to external pressure, but from a corporate resilience program consisting of a properly anchored, value-based foundation, integrated management aligned with it and comprehensive crisis preparation. As an experienced partner at your side, we offer many years of expertise in establishing and reviewing integrated risk analyses, effective compliance management programs through to innovative ESG management approaches and integrated assurance models, which we can combine into a corporate resilience approach. With experience in supporting international companies through systemic compliance and cultural crises and subsequent transformation processes, we are at your side with regulatory expertise, methodological depth and a clear focus on what is feasible.
¹ Executive Order of February 10, 2025 (“Pausing Foreign Corrupt Practices Act Enforcement to Further American Economic and National Security”), https://www.whitehouse.gov/presidential-actions/2025/02/pausing-foreign-corrupt-practices-act-enforcement-to-further-american-economic-and-national-security/.
² Memorandum on “Guidelines for Investigations and Enforcement of Foreign Corrupt Practices” (FCPA), https://www.justice.gov/dag/media/1403031/dl?inline.
³ Cf. Willms/Beer, America First – Also in FCPA Enforcement, ESGZ 08/2025.
⁴ See the press release of the Attorney General of California, Rob Bonta, dated April 2, 2025, “It remains illegal to bribe foreign-government officials”, https://oag.ca.gov/news/press-releases/attorney-general-bonta-alerts-businesses-it-remains-illegal-bribe-foreign.
⁵ Executive Order 14173 of January 21, 2025 (“Ending illegal discrimination and restoring merit-based opportunity”), https://www.whitehouse.gov/presidential-actions/2025/01/ending-illegal-discrimination-and-restoring-merit-based-opportunity/.
⁶ Directive (EU) 2024/1760 of the European Parliament and of the Council of June 13, 2024 on corporate sustainability due diligence and amending Directive (EU) 2019/1937 and Regulation (EU) 2023/2859, Corporate Sustainability Due Diligence Directive, CSDDD.
⁷ German Institute for Compliance (DICO), Press & Publications, https://www.dico-ev.de/publikationen/.
⁸ US Department of Justice (DoJ) Guidance Paper on the Evaluation of Corporate Compliance Programs, https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.
⁹ See Willms, in: Bürkle/Hauschka/Schieffer, Der Compliance-Officer, 2nd edition 2024, Section 5 para. 34 et seq.
¹⁰ See Willms, in: Bürkle/Hauschka/Schieffer, Der Compliance-Officer, 2nd edition 2024, Section 5 para. 34 et seq.