Beyond the Tick Box: Building Resilient Ethics and Compliance Programmes for African Markets


A practitioner’s perspective on what separates compliance programmes that endure from those that quietly fail.


For too long, ethics and compliance in many African organisations has been treated as an administrative function — something to be satisfied, not something to be lived. A binder on a shelf. A policy uploaded to SharePoint. A training module that staff click through on a Friday afternoon. When the regulator visits, we produce the documents. When the auditor leaves, we file the report. And we call that compliance.

It isn’t.

What we are seeing across Nigeria, across the continent, and increasingly across the global financial system, is a shift in what the word “compliance” actually has to mean. Boards, regulators, customers, and counterparties are demanding programmes that hold up not just under inspection, but under stress — under enforcement, under cyberattack, under public scrutiny, under the kind of cross-border regulatory friction that defines doing business in our markets. They are demanding resilience.

Those at the cutting edge already understand that the conversation has moved on. Drawing from over two decades in cybersecurity — where the same maturity journey was forced upon us nearly a decade earlier — I want to set out what I believe a resilient ethics and compliance programme actually looks like in the African context, and what separates the organisations that will thrive from those that will spend the next ten years firefighting.

What “Resilient” Actually Means

Resilience is one of those words that has been so overused it risks meaning nothing. Let me be precise.

A resilient compliance programme is one that:

  • Continues to function when the senior compliance officer leaves.
  • Detects problems before regulators do.
  • Withstands an enforcement action without imploding.
  • Adapts when a new framework is published — not in eighteen months, but in weeks.
  • Survives cross-border expansion without being rebuilt from scratch.
  • Maintains its integrity when business performance is under pressure.

That is a high bar. Most programmes do not meet it. The good news is that the path is now reasonably well understood. Six things matter.

1. Culture Before Controls

You cannot policy your way to ethical behaviour. Anyone who has run a cybersecurity programme knows this instinctively: the firewall, the SIEM, the access control list — these are necessary, but the actual breaches almost always trace back to human decisions made under pressure. The same is true for compliance.

If your organisation rewards revenue at any cost, no AML programme will save you. If middle managers learn that bad news is unwelcome, your suspicious transaction monitoring will quietly become decorative. If staff watch executives circumvent procurement policy for “urgent” matters, they will draw the obvious conclusion about which rules are real.

Culture eats compliance for breakfast. The work of embedding ethics is unglamorous: it lives in how a manager responds the first time someone raises a concern, in whether the speak-up channel is genuinely confidential, in whether ethical choices that hurt short-term numbers are visibly defended by leadership. Tone from the top matters, but tone from the middle is where culture is actually transmitted.

For Nigerian and African organisations, this is particularly acute. We operate in environments where informal practices are deeply entrenched, where “the way things are done” can quietly override what the policy says. Building a compliance culture here is not a Western import — it is a deliberate, sustained internal project that requires honest conversation about the gap between what we aspire to and what we actually do.

2. Risk-Based, Not Regulation-Led

Compliance teams everywhere face the same trap: an ever-growing list of regulatory requirements, each demanding attention, each with its own deadline, template, and reporting cadence. The instinct is to work through the list. The result is a programme that is wide and shallow — and one that fails in exactly the place a real incident occurs.

Resilient programmes invert this. They start from a clear understanding of where the organisation’s actual risks live — which products, which customer segments, which jurisdictions, which third parties, which transaction flows — and then layer regulatory requirements on top of that risk picture. The CBN cybersecurity framework, the NDPA, AML/CFT obligations, sanctions screening, beneficial ownership transparency — none of these exist in isolation. They are different lenses on a smaller set of underlying risks.

Treating them as one connected fabric, rather than as parallel workstreams, is the single highest-leverage shift a compliance function can make. It also happens to be where technology now genuinely helps, which I will return to shortly.

3. Cross-Border Complexity Is the African Reality, Not the Exception

A Nigerian fintech with a Kenyan licence and a South African subsidiary is no longer unusual. It is increasingly the default growth path. And the moment that happens, the compliance picture changes fundamentally.

Africa’s financial regulatory landscape is genuinely heterogeneous. Twin Peaks regimes in South Africa and Egypt sit alongside integrated single regulators in Tanzania and Rwanda, alongside regional bloc frameworks like CEMAC and WAEMU that bind groups of countries together under shared monetary authorities. Cybersecurity expectations from the CBN look different from those of Kenya’s CBK, which look different again from SARB’s. Data protection regimes are converging on principles but diverging on detail. Operating language shifts between English, French, and Arabic. Reporting calendars never align.

Most institutions respond to this by standing up parallel compliance teams in each jurisdiction, each with their own assessments, their own evidence repositories, their own remediation tracking. The duplication is enormous. The blind spots are worse — because what falls between the teams is exactly what enforcement actions tend to be made of.

The mature approach is to build once and map across many. Identify the shared underlying controls — identity and access management, transaction monitoring, third-party due diligence, incident response, board reporting — and design them to satisfy multiple frameworks simultaneously. Then layer jurisdiction-specific overlays only where genuine local divergence requires it. This is not a theoretical model. It is how the organisations expanding successfully across the continent are already operating.

4. Third-Party Risk Is Where Programmes Quietly Fail

If I had to name the single most under-invested area of compliance in the African market, it would be third-party risk. We outsource technology, customer onboarding, payment processing, debt collection, marketing, agent networks, and increasingly parts of compliance itself — and we then assume that a signed contract and an annual questionnaire constitute oversight.

They do not.

The enforcement actions and incidents that have damaged institutions across our markets in recent years overwhelmingly involve third parties: a vendor breach exposing customer data, a sub-agent network running unscreened transactions, an outsourced KYC provider operating to weaker standards than the institution that hired them. Regulators have become increasingly explicit that the responsibility cannot be outsourced even when the activity is. The CBN’s expectations on third-party and outsourcing risk for financial institutions have sharpened materially, and similar tightening is visible across the continent.

A resilient programme treats third parties as part of its own attack surface. That means tiered due diligence based on actual risk exposure, not vendor size. Continuous monitoring rather than annual reviews. Contractual rights to audit and to terminate. Clear internal ownership for each material relationship. And — critically — a tested plan for what happens when a key third party fails, because eventually one will.

5. Technology Is an Enabler, Not the Programme

Every serious conversation about modern compliance now turns to technology, and rightly so. The volume, velocity, and complexity of obligations have outrun what any spreadsheet-and-email operation can sustainably handle. AI-assisted regulatory mapping, automated evidence collection, continuous control monitoring, intelligent transaction screening — these tools are no longer aspirational. They are how serious institutions are operating today.

But — and this matters — technology is not the programme. I have seen organisations buy expensive GRC platforms and then operate them as glorified document repositories. I have seen others deploy screening tools without ever tuning them to the actual risk profile of their customer base, generating either alert fatigue or false confidence. The tool amplifies whatever programme it is dropped into. A weak programme with a sophisticated platform produces sophisticated weakness.

The right sequencing is: get the risk picture honest, get the operating model right, get the people and culture aligned — and then layer technology to scale and accelerate what is already working. Done in that order, the productivity gains are real and substantial. Compliance teams that were drowning in framework duplication can genuinely move from defensive box-ticking to forward-looking risk advisory. Done in the wrong order, technology investment becomes another line item the board questions in two years.

This is precisely the problem we built RiskCanvasIQ to address — unifying the multiple cybersecurity frameworks African FSIs face into a single assess-once, map-across-many platform — but the principle holds whatever tooling an institution chooses. Buy the tool that fits the programme you actually have, not the programme the vendor demonstration assumed.

6. The Board Has to Genuinely Own This

The phrase “tone from the top” is one of the most ritualised in our profession, and one of the least examined in practice. In many institutions, the board sees compliance reporting as a quarterly hygiene exercise. Heatmaps. Dashboards. A polite presentation. The questions are predictable. The answers are reassuring. Everyone moves on.

A resilient programme has a board that actively interrogates it. Boards that ask which controls were tested, which failed, what was done about it. Boards that understand the difference between a control existing on paper and a control operating effectively. Boards that view compliance budget not as a cost to minimise but as a risk-adjusted investment to optimise. Boards that know what their organisation’s most likely enforcement scenario looks like and have stress-tested the response.

Boards in Nigerian and African institutions are evolving in this direction, but unevenly. The conference’s emphasis on bringing board members into the same room as regulators, compliance officers, and risk professionals is not incidental. The shared vocabulary that produces — and the shared expectations — is one of the more valuable things any of us can take away from these conversations.

What Cybersecurity Has Already Taught Us

I will close with an observation from my own discipline. Cybersecurity went through this same transition roughly a decade ahead of compliance. We started as a back-office IT function focused on box-ticking against checklists. We were forced — by attackers, by regulators, by boards that finally started paying attention after enough incidents — to mature into a strategic, risk-led, continuously-monitored function with direct executive ownership. The institutions that made that transition early are now markedly more resilient than those that did not. The institutions that resisted it are still being breached in entirely predictable ways.

Ethics and compliance is on the same trajectory. The forcing functions are different — enforcement actions, ESG expectations, cross-border scrutiny, customer trust, the rising bar that comes with accessing international capital — but the destination is the same. Programmes that are risk-led, culture-grounded, technology-enabled, board-owned, and designed to operate continuously rather than episodically. Programmes built for resilience.

Africa’s financial services sector has the opportunity to skip several stages of the journey older markets had to walk through painfully. The regulatory ambition across our jurisdictions is real. The talent in our compliance functions is increasingly world-class. The technology is now accessible. What remains is the institutional decision — at board level, at executive level, at compliance leadership level — to treat resilience as a deliverable, not an aspiration.


The author, Deji Orekoya, is CEO of Metropolitan Networks Nigeria, an Africa-focused MSSP, and the architect behind RiskCanvasIQ, a pan-African GRC compliance platform purpose-built for financial services institutions and scheduled for public launch in Q3 2026. He has spent 24 years in cybersecurity, including six as CTO of an MSSP, and has led compliance programmes spanning ISO 27001, ISO 9001, and multiple FSI regulatory frameworks across Africa, the UK, and beyond.
