3 Questions Every Board Update Should Answer
- Amii Barnard-Bahn

A few weeks ago, I found myself at the top of Salesforce Tower in Chicago, standing before a room of compliance, legal, HR, and finance folks from a leading investment firm. The view of the river below was stunning, but what really struck me was the level of engagement in the room.
This wasn’t my first time with this group. I’ve spoken at their annual symposium twice over the past few years. And this session was different — it came about because one of my former coaching clients, a senior executive, had read a piece in my newsletter about the strategic importance of how leaders communicate to boards.
She reached out and said, “We need this. Can you come teach it to our team?”
So, I built a custom workshop. As I interviewed board members and discussed what makes some resonate while others fall flat, a clear theme emerged: Boards are drowning in information but starving for insight.
They don’t need more process updates or policy counts. They need clarity, brevity, and a clear line of sight to business impact.
That’s why I created the Strategic Compliance Communication Model. It centers around three key questions every board update should answer:
What’s the business impact?
What’s at risk or protected?
What decision do you need from us?
Let’s break down each one.
1. What’s the business impact?
Every risk issue has a business impact — financial, reputational, or strategic. Yet too often, that’s buried under layers of detail.
When presenting to a board, I encourage leaders to start with the “so what.” Instead of walking through every task your team completed, tell the story of how those actions protected or created value.
With a compliance regulatory change, that might sound like:
“This quarter, we updated our portfolio compliance framework to align with new SEC marketing rules. As a result, we avoided potential penalties and positioned ourselves to market three new funds more aggressively — supporting a projected $500M in additional inflows.”
See the difference? The focus is on outcome, not activity.
Compare that to a typical “before” example:
Before: “Compliance updated 12 policies, completed two audits, and reviewed our advertising disclosures.”
After: “We ensured 100% adherence to SEC marketing rule changes by updating 12 policies and completing two audits. This prevented potential enforcement actions and enabled faster go-to-market for new funds.”
The second version ties effort directly to business results, which is what boards care about.
This aligns with what I heard repeatedly from board members in Chicago: “I always pay attention if they understand ROI.”
The 2024 Edelman Trust Barometer echoes that sentiment. Audiences — including investors and directors — expect leaders to communicate how their actions create both business and societal value.
When you start with business impact, you show the board that compliance is a driver of performance, resilience, and trust.
2. What’s at risk or protected?
Boards are responsible for overseeing risk, but they can only do that effectively when risk is communicated clearly.
Too often, compliance leaders share exhaustive risk matrices that overwhelm rather than inform, or they sanitize the message to avoid sounding alarmist. The balance is transparency with context.
In the workshop, we analyzed examples of how to frame risk discussions with clarity and confidence. Consider this one:
“By implementing an automated trade surveillance system, we reduced exposure to potential insider trading incidents by 40%, protecting approximately $2.5M in potential regulatory and reputational losses.”
Notice how this statement quantifies both the risk mitigated and the value protected.
When you connect risk management directly to business strategy — portfolio performance, investor confidence, regulatory positioning — your message becomes far more powerful.
For instance:
“We identified a gap in ESG reporting alignment that could affect our eligibility for two major institutional investors. Addressing it now protects approximately $1.2B in potential commitments.”
It’s no surprise that boards lean in when you can clearly articulate both what’s at stake and what’s being safeguarded. As one director told me during the session: “It’s not the mistake — it’s the cover-up that gets remembered.”
Being proactive, transparent, and data-driven about risk is what builds board confidence.
3. What decision do you need?
The final question is deceptively simple: What do you need from the board?
Yet it’s the one most frequently missed.
Too many presentations end without a clear ask, leaving directors to guess what action (if any) is expected of them. Every effective board update should end with a direct, actionable request.
For example:
“We request approval for a $250K investment in cybersecurity infrastructure to address vulnerabilities identified in our latest third-party audit. This investment reduces our potential exposure to financial data breaches by 80% and ensures compliance with SEC disclosure requirements.”
This approach respects the board’s time and makes their role in governance crystal clear.
It’s also vital to be concise. During the workshop’s mock presentation exercise, teams practiced delivering their “ask” in under three minutes. Several realized how quickly a discussion can be derailed if the key point isn’t front-loaded.
Remember: boards can only act on what they understand. Be direct. Use concrete language. Tie your ask to strategy and risk.
Bringing It Together: The Strategic Compliance Communication Model in Action
When you answer these three questions — business impact, risk/protection, and decision needed — your reporting shifts from tactical to strategic. Consider the process-heavy version that many boards still receive:
“This quarter, compliance reviewed 15 privacy policies, held four team meetings, completed 12 training modules, and engaged external counsel to review new state data laws.”
And here’s what a full update might sound like when you apply the Strategic Compliance Communication Model:
“This quarter, our internal audit identified gaps in our data privacy processes across two high-value investment portfolios. Remediation efforts closed 90% of those gaps, reducing potential regulatory exposure by $3M. We’re requesting board approval to expand our compliance analytics dashboard to include automated tracking for privacy and ESG metrics, ensuring consistent oversight and reporting transparency.”
In a few sentences, this update communicates:
The business impact (reduced exposure and improved efficiency),
The risk mitigated (data privacy gaps worth millions), and
The decision required (approval for a scalable improvement).
The difference is night and day. The second version tells a story of strategy, stewardship, and foresight. The first reads like a to-do list.
And that’s exactly the shift we practiced in Chicago — from reporting to communicating, from process to outcomes, from compliance to business impact, from information to dialogue.