
Inside the C-Suite series: How compliance leaders enable safe growth in an AI-driven world

· 6 minute read


An interview with Kerry Thomson, Chief Risk and Compliance Officer, Thomson Reuters

Kerry shares how compliance is shifting from a function that checks decisions at the end of the process to becoming a strategic business partner that enables safe, confident growth.

Kerry’s remit spans enterprise risk governance, compliance, third-party and customer risk, privacy, and organizational resilience. In practice, that means leading a team that manages risk across products, partners, and geographies, from customer onboarding and due diligence to privacy operations, crisis response, and business continuity.


Q: Compliance has traditionally been seen as a control function. How has that role evolved, and what does compliance cover today?

Kerry: That model simply doesn’t work anymore. Compliance can’t sit on the sidelines and step in late. Risk shows up far too early and far too often for that. Today, risk is everywhere: in data, in AI, in customer expectations, in geopolitics, and in the speed at which organisations need to move. I often describe it as building guardrails, not roadblocks. When the right guardrails are in place, people can move faster, make better decisions, and avoid risks that would slow the business down later.

The other major shift is that the remit has expanded significantly, and that’s intentional. Today, it spans enterprise risk governance, regulatory compliance, third-party risk, privacy, and organizational resilience. That includes everything from regulatory intelligence and data protection to crisis management and business continuity. That breadth reflects reality: risk cuts across products, people, customers, markets, and partners.


Q: What’s changed most in the regulatory environment?

Kerry: The biggest shift is fragmentation. We’ve moved away from global alignment toward more national and regional approaches, while new areas like AI regulation continue to evolve very quickly. That pace creates uncertainty, not just about what the rules are, but how they’ll be interpreted and enforced across markets.

Trying to chase every regulation isn’t realistic. Instead, we focus on building common compliance frameworks and controls that can scale across the business and adapt as requirements change. That’s what gives us consistency, even when the rules themselves keep shifting.


Q: Where is compliance pressure coming from today, beyond regulators?

Kerry: Increasingly, it’s coming from customers. Many of our customers are highly regulated themselves, and they push expectations down through their supply chains, particularly around data usage, AI governance, and privacy. So even when something isn’t a formal regulatory requirement yet, it can become a very real commercial requirement quickly.

At the same time, generative AI has changed how much data organizations ingest and how quickly decisions are made. That combination introduces new complexity and new risk, which means compliance leaders need to be much closer to how products and services are designed and delivered.

Culture is also a multiplier. Risk decisions are being made far beyond traditional control functions. Sales teams, product managers, and engineers all make choices every day that have compliance implications, whether they realise it or not. That’s why I say everyone is in risk and compliance now.

If people don’t understand that, risk gets created long before compliance ever sees it. Culture is what determines whether those everyday decisions are made with the right context and confidence, and whether people know when to escalate.

This shift has important implications for how compliance partners with teams beyond legal and risk, particularly functions like HR that routinely handle sensitive decisions but don’t always sit at the center of traditional compliance models.


Q: How are technology and AI helping you collaborate more effectively and make better decisions across teams?

Kerry: The biggest shift is using shared data and tools so teams can spot patterns earlier and make decisions with more confidence. Instead of working from fragmented spreadsheets, leaders can challenge assumptions using consistent, real-time insight.

We enable this in a few ways: through SaaS platforms the team uses, and through automation that connects workflows end to end. We’ve invested heavily in AI-enabled workflows in areas like third-party risk, automating intake, screening, and triage, so teams get scale and consistency without losing human judgment.

In practice, that shift has shortened timelines in areas like customer onboarding, from around five days to two or three, while freeing specialists to focus on complex calls. We’ve also built agentic, real-time monitoring, using a combination of our own tooling and solutions like OneSource DPS for denied party screening and CLEAR for customer and third-party due diligence.



Q: What does “compliance by design” mean in practice?

Kerry: It means embedding compliance into workflows, systems, and even code, not bolting it on at the end.

We start by looking at where the business feels the most friction. Third-party risk and privacy touch almost every workflow, and when those processes are fragmented, they slow everything down. Fixing those areas creates value far beyond compliance itself, because it helps the entire organisation operate more smoothly. In practice, that means giving teams “in-the-flow” prompts and controls while they build, and monitoring for drift when products change.


Q: How does collaboration with HR, and other teams working closely with legal, change the compliance model?

Kerry: HR teams deal with sensitive issues every day, from contracts to internal investigations. When they’re supported with the right tools, playbooks, and training, they can resolve many issues independently.

This is critical as organizations look to empower teams that rely on legal expertise without overburdening legal teams themselves. That doesn’t remove oversight; it makes it more effective. It reduces low-value work and allows specialists to focus on complex, high-risk issues where judgment really matters. The key is clear boundaries and escalation paths, so people know when to involve experts.


Q: Looking ahead, what will define strong compliance leadership?

Kerry: Two forces sit beneath almost everything right now: AI and geopolitics. Neither is fully controllable, and both create uncertainty. 

“The goal isn’t more compliance. It’s faster decisions, with fewer surprises”

Compliance works best when it enables informed decision-making at speed and at scale. In a world shaped by AI and geopolitical uncertainty, it becomes a strategic business function, connecting trusted data, intelligent automation, and human judgement so leaders can move forward with confidence, not caution.


This interview has been edited for clarity and length. 
