Mon, May 5, 2025

Strategic Compliance: Applying Sun Tzu’s Principles to Modern, Risk-Based Due Diligence

By Patricia Marinho, Global Team Leader, Regulatory Compliance, Hamilton Reserve Bank; Patricia Colombo, SVP and Chief Compliance Officer, FUJIFILM Holdings America Corporation; and Emanuel Batista, Managing Director, Kroll Inc.

This article was originally published by the Society of Corporate Compliance and Ethics (SCCE) in Compliance & Ethics Professional® (CEP) Magazine, April 2025 edition.

In today’s complex regulatory environment, a robust compliance program is more than just a set of rules and policies—it is a dynamic strategy that must be continuously adapted to the ever-evolving risks that organizations face. Compliance officers are tasked not just with ensuring their companies adhere to regulations but also with anticipating and mitigating risks before they materialize. This requires strategic foresight and thoughtful resource allocation.

When developing a compliance plan, one of the biggest challenges is determining where to focus efforts. It’s impossible for an organization to focus on every potential compliance issue with the same intensity every year. Therefore, compliance teams must engage in risk-based planning to identify the areas of greatest vulnerability for the business in a given period. For some organizations, sanctions may present the greatest threat; for others, it might be third-party risks or client-related risks, as is often the case with financial institutions like banks. In the insurance sector, for example, sanctions and third-party risks tend to be more prominent, particularly in the context of international operations.

A well-structured compliance plan should assess the specific risks associated with the company’s business model and industry and then allocate resources efficiently to address these high-risk areas. It is crucial to understand that compliance is not just about addressing regulatory requirements; it is also about aligning with broader business objectives to ensure sustainable growth.

With this strategic approach in mind, we can look to Sun Tzu’s principles from The Art of War as a framework for risk-based due diligence, especially in relation to third-party management, where risks can often go unnoticed without proper oversight.

Sun Tzu’s Strategic Insight Applied to Third-Party Risk Management

In compliance, navigating the complex world of third-party relationships requires both strategic foresight and precision. Sun Tzu’s The Art of War offers enduring wisdom that elevates a compliance officer’s approach to managing risks. The foundation of Sun Tzu’s teaching lies in knowing when and how to engage in battle. His principle that “the general who wins the battle makes many calculations before it is fought” directly applies to building a risk-based due diligence process that allocates resources wisely and focuses on high-risk engagements.

The Foundations of Strategic Risk Management

Modern compliance officers must go beyond enforcing rules—they must anticipate risks and deploy resources in ways that ensure compliance and safeguard long-term business goals. Traditional due diligence approaches often lack this strategic depth, which leads to inefficiencies. Sun Tzu’s guidance encourages a tiered, risk-based approach, where third-party engagements are evaluated according to their specific risks. Rather than applying the same level of scrutiny across all parties, Sun Tzu’s strategy teaches us to allocate resources efficiently and fight the battles that matter most.

DOJ 2024 Recommendations: Reinforcing Strategic Risk Management

The U.S. Department of Justice’s (DOJ) September 2024 guidance further supports this strategic approach by emphasizing proportionality and risk-based monitoring. Just as Sun Tzu advocates “knowing the enemy” before engaging, the DOJ underscores the importance of tailored due diligence based on risk. The DOJ recommends enhanced due diligence for high-risk parties, reinforcing the idea that not every third-party relationship requires the same level of scrutiny. For low-risk entities, a streamlined approach is sufficient, which echoes Sun Tzu’s notion of avoiding unnecessary battles.

Identifying Risk Categories with Precision

Categorizing third parties by their risk profile is at the core of risk-based due diligence. Sun Tzu’s principle of “making many calculations” before engagement aligns with conducting initial risk assessments by focusing on:

  • Geographic Exposure: Operating in jurisdictions with high levels of corruption, weak regulatory frameworks, or sanctions risks.
  • Industry-Specific Risks: Certain industries, like financial services, defense, or pharmaceuticals, are more prone to regulatory scrutiny and require enhanced due diligence.
  • Legal Status and Ownership: The legal structure and ownership of a third party, including whether it is publicly traded, privately held, or linked to politically exposed persons (PEPs).
  • Transactional Integrity: Ensuring pricing and market comparisons are in line with industry standards to avoid inflated costs or hidden kickbacks.
  • Operational Transparency: Reviewing whether the third party operates with clear, compliant, and transparent business processes.

The DOJ 2024 recommendations further reinforce this by emphasizing the need for ongoing monitoring and continuous risk assessment—especially for high-risk entities. By adhering to both Sun Tzu’s teachings and the DOJ’s guidelines, compliance officers can better allocate their resources, ensuring maximum impact without overburdening the system with unnecessary oversight.

Balancing Efficiency and Thoroughness

One of Sun Tzu’s key lessons—“he who knows when to fight and when not to fight will win”—highlights the need to apply heightened scrutiny only where it is truly necessary. The DOJ echoes this sentiment by recommending tailored due diligence for high-risk vendors, while avoiding excessive complexity for lower-risk engagements.

This is where Sun Tzu’s principle of efficiency comes into play: A well-constructed compliance framework should focus resources on critical areas without creating unnecessary burdens. For example, low-risk vendors may only need basic verification, while high-risk vendors demand deeper investigation, such as financial audits or site visits.

Applying Control Mechanisms Post-Due Diligence

Once third-party risks are identified, the next step is to implement control mechanisms. Sun Tzu reminds us that knowing oneself and the enemy leads to victory; this applies to compliance officers as they design controls to neutralize risks. The DOJ’s 2024 guidance reinforces this by recommending specific contractual safeguards, payment policies, and ongoing monitoring of high-risk third parties.

The following control mechanisms ensure that once risks are understood, appropriate measures are in place to prevent issues before they escalate.

Contractual Safeguards

For high-risk third parties, such as those with connections to PEPs or operating in corruption-prone industries, the inclusion of specific compliance clauses in contracts is crucial. These might include requirements for full disclosure of beneficial ownership, restrictions on government interactions, and compliance with anti-bribery laws.

Payment Policies

Payments that deviate from normal patterns, such as requests to funnel funds through offshore accounts, can signal higher financial risk. Implementing stringent policies that require payments to align with operational geography and approved conditions helps reduce exposure to money laundering or tax evasion schemes.

Ongoing Monitoring

Risk-based due diligence is not a one-time process. High-risk third parties require continuous oversight, which may include annual audits, periodic risk assessments, or transactional reviews. This proactive stance ensures that any shifts in the risk profile are addressed before they lead to compliance violations.

Aligning Compliance with Strategic Business Goals

Just as Sun Tzu advises selecting battles strategically, compliance officers must align their due diligence processes with broader business objectives. The DOJ’s emphasis on continuous monitoring and senior management involvement mirrors Sun Tzu’s advice to “keep your friends close and your enemies closer.” Securing senior leadership’s engagement ensures compliance efforts have the authority and resources to succeed, while transparency fosters a culture of accountability across teams.

Sun Tzu’s Legacy in Modern Compliance

Ultimately, Sun Tzu’s lessons remind us that strategic preparation and calculated risk assessment are key to success. The DOJ’s 2024 recommendations enhance this approach by formalizing the need for proportional due diligence, ensuring that resources are applied where they are needed most. Together, these principles offer a roadmap for modern compliance officers to navigate the complexities of third-party risk management and avoid unnecessary battles, while ensuring high-risk areas are addressed with precision and efficiency.

Expanding the Strategic Principles

Sun Tzu’s work is replete with strategic insights that can further enhance compliance efforts. His emphasis on flexibility and adaptability is crucial in today’s dynamic regulatory environment. He states, “In the midst of chaos, there is also opportunity.” Compliance officers should embrace this mindset, turning regulatory changes into opportunities for strengthening their frameworks.

Flexibility and Adaptability

Regulatory landscapes are not static; they evolve with political, economic, and social changes. Compliance frameworks must be adaptable and capable of responding to new regulations, emerging risks, and shifting market conditions. Sun Tzu’s advice to “be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate” underscores the need for a flexible approach.

For compliance officers, this translates to:

  • Implementing adaptable policies that can be quickly modified in response to new regulatory requirements
  • Training staff continuously to ensure they are aware of and can respond to changes in the regulatory environment
  • Maintaining open lines of communication with regulators to stay informed about upcoming changes and expectations

Proactive Risk Management

Sun Tzu’s principle that “attack is the secret of defense; defense is the planning of an attack” highlights the importance of proactive risk management. Compliance officers should not wait for risks to materialize; they should actively seek out potential vulnerabilities and address them before they become issues.

Key proactive strategies include:

  • Regularly conducting risk assessments to identify and quantify potential risks
  • Establishing a robust internal audit function to monitor compliance and identify areas for improvement
  • Engaging with third-party experts for independent assessments and recommendations
  • Developing a culture of compliance where employees are encouraged to report potential risks and compliance breaches

Continuous Improvement

In keeping with Sun Tzu’s wisdom that “opportunities multiply as they are seized,” compliance officers should adopt a mindset of continuous improvement. Learning from past experiences—both successes and failures—is essential to refining compliance processes and enhancing risk management strategies.

Conclusion

The application of Sun Tzu’s principles to the compliance world serves as a reminder that effective due diligence is not about exhaustive efforts but about strategic preparation, calculated risk assessment, and efficient resource allocation. By adopting a risk-based approach to third-party due diligence, compliance officers can avoid the common pitfalls of excessive oversight and focus their efforts where they will yield the most benefit.

In a world where the regulatory landscape is continuously evolving, the ability to “know the enemy and know yourself” remains as relevant as ever. Compliance officers who apply this ancient wisdom to modern challenges will find themselves better equipped to navigate the complexities of third-party risk management, safeguarding their organizations from potential threats while enabling sustainable growth.


References:

Tzu, Sun. The Art of War. Capstone Publishing, 2010.
U.S. Department of Justice, Criminal Division. “Evaluation of Corporate Compliance Programs.” Updated September 2024. https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.

