
Day one of Donald Trump’s second presidency made it resoundingly clear: The Trump-Vance administration is prioritizing deregulation. Trump has announced a freeze on new federal regulations, an executive order requiring agencies to repeal at least 10 rules or regulations for each new one they adopt, and “initial rescissions” of 80-plus Biden actions, including easing rules around AI. Meanwhile, Elon Musk’s Department of Government Efficiency (DOGE) has been taking charge of government agencies like the Treasury Department and reducing staff. And we’re less than two months in.
In organizations that have long felt the financial and administrative burdens of regulatory compliance, it’s only natural for board members and C-Suite leaders to regard this change with a collective sigh of relief. Less regulation means less budget and personnel allocated to auditing and compliance activities. But don’t start reallocating your compliance dollars yet. Many of the actions are already being challenged in court, and most regulations won’t be easy to do away with, given the numerous requirements and time constraints involved.
That won’t stop the administration from trying—and succeeding in many cases. The new administration will keep pushing to reduce existing federal oversight and issue fewer new regulations. We are moving into an era in which government regulation will be de-emphasized, whatever the eventual specifics.
Risk mitigation
There are two schools of thought among business leaders. One point of view is that this is exactly how risk management should work, reflecting the long-held notion among many business leaders that “governments that govern best govern least”—and in this context, regulate least. Nonprofits, along with environmental and consumer protection groups, see regulation as a positive development, fostering increased corporate social responsibility while helping to reduce overall risk in key areas (e.g., cybersecurity, fraud, climate change). The deregulators won at the ballot box, and we can anticipate a very different regulatory landscape as a result.
Regardless of which side you’re on, there is no question that deregulation actually makes your organization’s risk management strategy more important. Just because a compliance requirement disappears, it doesn’t mean the underlying risk does. It simply means it will be up to your organization to decide how to manage the risk. And the consequences of failure under deregulation can be much more dire than when regulation exists.
As history attests, government regulatory intervention is most often driven by the underlying risks. A series of high-profile financial reporting frauds and bankruptcies created a push to improve internal controls over financial reporting, eventually manifesting in the Sarbanes-Oxley Act (SOX) of 2002. Risk management failures in the U.S. banking system spurred the financial crisis of 2007–2008 and subsequent recession, ultimately leading to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The U.S. Securities and Exchange Commission (SEC) cited the rising prevalence of cybersecurity incidents, the potential for “systemic effects on the economy as a whole,” and recent AI developments that may exacerbate cybersecurity threats when enacting 2023’s SEC cybersecurity disclosure rules.
Rather than letting the market bear these risks—and stakeholders and citizens bear the consequences—the government sought to create regulations that would protect everyone. Whether their regulations are effective in doing so isn’t the point. The point is that the regulations are driven by the risks, and the intent of regulations is risk mitigation.
Fostering good habits
Government regulations, at their best, aim to instill good habits in the organizations they regulate. Metaphorically speaking, they make sure you eat your vegetables, drink your milk, wash your hands, and cultivate other habits that reduce risk while promoting health and safety. Many organizations haven’t had to think deeply about managing certain risks because the government was telling them what to do. Accordingly, increasing deregulation should force greater reflection: What are the real risks facing your organization, and how can you ensure you’re managing them effectively?
However, board members and C-suite leaders have an understandable tendency to assume that where no compliance requirements exist, organizations can afford to invest fewer resources. This may be true in some areas, such as environmental regulations, data protection, and cyber disclosure requirements.
But now is not the time to act fast on these assumptions. Before you take action to curtail or roll back the risk management and compliance investments your organization has made, you need a strategic plan to protect the company. This would start with purposeful conversations between the board and C-suite and their internal audit, risk management, infosec, and compliance teams. Questions leadership needs to ask include:
- What inherent and residual risks does your organization face, even when compliance requirements have gone away? Are investments adequate to help the organization avoid, mitigate, or lean into those risks in the right ways?
- How can freed-up resources be strategically redeployed?
- How are risk and assurance teams monitoring changing regulations and shifting risks?
- How will trade and tariff policies impact your supply chain and materials/goods costs?
- How could the rollback of energy and environmental policies create longer-term risks for your organization (e.g., potential inflationary effects of lower energy prices, legal liabilities, international trade/policy challenges, investor/stakeholder pressures)?
- Will immigration policies impact your industry/organization’s labor pool and costs?
An era of deregulation is both an imperative and an opportunity for organizations to look at the risks they face with fresh scrutiny. It’s also a chance to reassess risk management and oversight.
I’ve written a great deal about how the ongoing age of permacrisis mandates risk management transformation. Deregulation only ups the ante, putting the onus on your organization. Just because you don’t have to manage a risk doesn’t mean you shouldn’t. Make sure your organization’s key stakeholders maintain a strategic view of the road ahead.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.