Harri Spolander (Kesko): “A good compliance culture is the foundation for everything”

Published on 18/06/2026

Harri Spolander is the VP of governance, compliance & ethics at Helsinki-headquartered Kesko, one of the largest retail groups in Northern Europe. He spoke to Leaders League about how compliance creates value.

Leaders League: What does the expression “compliance as value creation” mean to you, in concrete terms?
Harri Spolander: To me, “compliance as value creation” means recognizing compliance as a business-minded function that protects the company while enabling responsible decision-making. The starting point is how compliance is positioned within the three lines of defense model ‒ and how orthodox the organization wants to be in applying that model. In the corporate world, this is typically less rigid than in the financial sector for regulatory reasons, and that flexibility should be used wisely.

A value-creating compliance department understands the business strategy, business model and practical realities of the organization. It works with the business, not around it. A risk-based approach is essential: the compliance program must be dynamic enough to respond to a changing regulatory and business environment. A rolling 18-month compliance program can be a powerful tool for this, helping the organization prioritize the most important actions and maintain focus on what matters most.

The COSO model also offers a useful structure for compliance: control environment, risk assessment, control activities, training and communication and monitoring and reporting. But the key is not the model itself ‒ it is how the model is brought to life. Training and communication must be solutions-oriented. The role of compliance is not simply to say “no”, but to help the business understand “how” things can be done responsibly.

What is good compliance culture?
A good compliance culture is the foundation for everything else. Compliance and ethics impact everyone in the organization, even though much of the theory and terminology is developed for professional communities. The challenge is therefore not only to design good frameworks, but to make compliance understandable, practical and relevant for everyday decision-making.

I often describe this as a “do the right thing” culture. Such a culture is built through strong company values, a clear code of conduct and consistent tone from the top. Without that foundation, processes and controls remain mechanical. A sound compliance culture is what turns formal requirements into real behavior ‒ and real behavior is what ultimately protects the organization.

How does technology impact compliance?
Technology and integration with business processes are becoming increasingly important for compliance. But technology is not a substitute for ownership, process discipline or organizational adoption. Compliance thinking must come first. If that thinking is missing, a system will not solve the problem; in the worst case, it may create unreliable data and a false sense of control.

AI will nevertheless create major opportunities for compliance. Regulatory monitoring is one clear example: AI can help identify relevant developments faster, improve efficiency and support better prioritization. The real value of technology comes when it strengthens an already sound compliance model ‒ not when it is expected to compensate for the absence of one.

What should the scope of compliance be?
The scope of compliance is a question I receive often. My view is that compliance should cover regulatory areas where the process for handling the matter is as important as the legal interpretation itself. This is often what distinguishes compliance work from traditional legal work.

In that sense, compliance is not only about understanding rules. It is about creating a control environment, assessing risks, defining controls, communicating expectations, training people and monitoring how the organization performs. This is where compliance maturity becomes visible: not in policy documents alone, but in whether people know what is expected from them and can act accordingly.

What is the most underrated source of value your department creates that the C-suite does not yet see?
The value of compliance is not always visible in a simple or immediate way. I see compliance as risk management from a regulatory point of view. Much of the most valuable work happens under the radar, together with the business, long before matters reach executive leadership. When compliance works well, proposals brought to C-level are already more balanced, better tested and more resilient.

At its best, compliance is like housekeeping in a five-star hotel: when it works well, people may not notice it, but its value becomes very clear when it is missing. Assurance and reporting to executive management and C-level are the more visible parts of the function, but the most impactful work is often proactive and preventive. I tend to say “Compliance is expensive, non-compliance is more expensive”.