July 8, 2026

Developing Effective Compliance Guardrails with Bill Connolly (Ep. 14)

Developing Effective Compliance Guardrails with Bill Connolly (Ep. 14)
Compliance Chronicles
Developing Effective Compliance Guardrails with Bill Connolly (Ep. 14)
Apple Podcasts podcast player iconGoodpods podcast player iconSpotify podcast player iconPodchaser podcast player iconAmazon Music podcast player iconYouTube podcast player iconiHeartRadio podcast player icon
Apple Podcasts podcast player iconGoodpods podcast player iconSpotify podcast player iconPodchaser podcast player iconAmazon Music podcast player iconYouTube podcast player iconiHeartRadio podcast player icon

Key Takeaways

  • Bill Connolly developed "compliance guardrails" to empower business teams to move quickly within defined parameters, reducing low-value inquiries and protecting second-line teams.
  • Communicating risk in business-understandable terms and understanding the resource impact on the business are crucial for effective collaboration with business partners.
  • Curiosity is key for compliance professionals starting their careers, but it must be coupled with effort and credentials to demonstrate expertise.
  • For those feeling bored or burned out, re-evaluating your role and exploring adjacent areas like digital or operations can unlock new opportunities.
  • Deliberately stepping outside your comfort zone through new challenges is essential for expanding knowledge and growing your professional network.

Stepping into compliance “by accident,” building guardrails that actually help the business, and staying curious enough to reinvent your career—Episode 14 with Bill Connolly is packed with practical lessons for anyone in risk, privacy, or compliance leadership.

In this episode of Compliance Chronicles, host Liisa Thomas talks with Bill Connolly, Head of Resiliency Risk for the U.S. retail bank at HSBC. Bill oversees a broad risk portfolio that spans information risk, business continuity, disaster recovery, operational resilience, and more—all brought together in a single resiliency risk program. He shares how his career evolved from managing TCPA suppressions and customer choice, to vendor risk and privacy, to digital compliance, and ultimately into enterprise resiliency risk.

Bill walks through his “privacy by almost accident” story: starting with do‑not‑call and do‑not‑solicit databases, helping to build practical privacy questionnaires, and being asked to relaunch a new privacy program by writing a privacy policy that actually reflected how the organization worked. That experience led him into digital compliance, where he carried forward his privacy and information risk expertise to tackle cookie compliance, cross‑border data issues, and global data privacy obligations in a large financial institution.

A major theme of the conversation is how to communicate risk in a way the business understands. Bill explains how he created “guardrails” to reduce low‑value questions and empower teams: if people stay within well‑defined parameters on TCPA, privacy, or other rules, they can move quickly; if they step outside those guardrails, that’s when legal and compliance step in. He shares why this kind of tooling not only helps the business move faster but also protects second‑line teams from getting buried in ad‑hoc requests.

They dig into the challenges of new regulatory and resiliency requirements, including “important business services” mapping and the sheer scope of work that often falls on a small group of people in each business unit. Bill talks about translating highly technical topics—like IT vulnerabilities—into business language and compelling risk narratives that management can act on and fund. He emphasizes the importance of understanding both the compliance requirements and the resource impact on the business, so you can prioritize, sequence, and negotiate change effectively.

Bill also shares career advice for compliance, risk, and privacy professionals at different stages. For those starting out, he stresses curiosity—following your interest into areas like digital privacy or information risk, and backing it up with credentials such as CISA and IAPP certifications. For those who are bored or burned out, he suggests re‑examining your role, looking one year ahead at where you want to be, and exploring adjacent areas like digital, operations, or new risk domains where your expertise can be uniquely valuable.

The conversation closes with a focus on growth and reflection: using sabbaticals or mini‑sabbaticals, mentorship, and honest self‑assessment to decide when you need a new challenge. Bill’s parting advice is to deliberately step outside your comfort zone—because no one will do that for you—and to treat each stretch assignment as a way to expand both your knowledge and your network.

If you work in privacy, compliance, operational risk, or resilience at a bank or large corporate and want to become a more effective partner to the business while continuing to grow your own career, this episode is for you.

If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.

Frequently Asked Questions

What are compliance guardrails Bill Connolly developed?

Bill Connolly developed compliance guardrails as defined parameters that allow business teams to operate efficiently on routine matters without frequent oversight. If teams stay within these guardrails for specific compliance areas like TCPA or privacy, they can proceed quickly; stepping outside them triggers a discussion with legal and compliance.

How does Bill Connolly advise compliance professionals to handle business partners' risk communication?

Bill Connolly emphasizes translating highly technical topics into business language that management can understand and act upon. Understanding both compliance requirements and their resource impact on the business allows for more meaningful conversations and effective prioritization of change.

What advice does Bill Connolly give for career growth in compliance?

Bill Connolly advises professionals to follow their curiosity, back it up with certifications, and deliberately step outside their comfort zones. He suggests re-examining roles if bored and exploring adjacent fields where their expertise can be valuable.

How did Bill Connolly get into privacy and compliance?

Bill Connolly describes his entry into privacy as "by almost accident," starting with managing TCPA suppressions and customer choice databases. This evolved into information risk, then vendor risk, and eventually leading a new privacy program by writing a privacy policy, which then led to digital compliance and resiliency risk roles.

speaker-0: Welcome to Compliance Chronicles, we learn from professionals shaping the world of compliance. ⁓ your host, Liisa Thomas, ⁓ Privacy and Compliance counsel an professor at Northwestern Law School, and a lifelong learner of organizational change. ⁓ From journeys to hard-earned ⁓ these are Chronicles that inspire and guide. ⁓ Let's dive ⁓ So welcome We are here for another conversation. ⁓ We are joined by Bill Connolly and Bill and I have known each other for a long time and Bill I'm really excited to welcome you and I'd like to turn it over to you to tell us a little bit about what your job is and what you do right now.


speaker-1: Well, right now, I am head of resiliency risk for our retail bank at HSBC USA. That basically means just about every risk stack you can think of comes into one vertical, so to speak. And we oversee not privacy, ⁓ information risk, business continuity, disaster recovery, all these come together into one program now. I love it because I get to go. a little bit deeper than I normally would and all these different verticals, but not be the Smee, which I'm not. But this gives you the opportunity to see what they do, how they manage risk. I love it.


speaker-0: Let's turn to your personal journey and how you got to where you are.


speaker-1: call it privacy by almost accident, right? So I'll probably start when I used to manage all the suppressions for our legacy household business unit. TCPA came along. had all these do not call, do not solicit databases you had to bring in, suppress them against your active campaigns, take in new ones. That was my first experience with customer choice. And then that kind of migrated off. started to do information risks. So that was the next kind of thing that came into our business is. We have to own our own information risk. And so that got me kind of touching privacy a little. I was able to kind of see from the outside what privacy was. And at the time for me, it was managing our privacy mailing. That goes way back to a whole different kind of suppression management. And I went over to the risk department and I started doing vendor risk. And vendor risk... It was my job to make sure that all the risk stacks were assessed. And one of the things I had to specifically do at that time was work with privacy to build out our privacy questionnaire and the 125 questions we had to peer down. think I got it down to 10 and they said, cut it in half. And so, you know, from there though, I got a call from a person you might know, Mike Smith. And he said, you know, we've got this new privacy program. have to relaunch and. Kind of like you'd come over and say, well, what will I do? Because I need you to write a privacy policy. And that was not really high on my motivation list. But I'll tell you what, it was Mike. I knew him well. I knew we could have fun and build things. And we did. I went over there. I wrote a privacy policy. And if you want to know how privacy manifests itself in your organization, you need to write a privacy policy. Because if you write one that doesn't fit, everybody's going to tell you. From there, they wanted me to into and lead out this new digital compliance function. So now after about three years in privacy, they moved me over to digital compliance. And I carried all that with me because I was digital privacy, you know, dealing with EU cookie mandates, all those things that we had to include because we are a very large global organization. And so we have to consider all the region's data privacy. and cross border considerations. So that carried with me. And from there, I did bring a lot of that privacy knowledge over with me. And it really helped me because I was able to manifest what the risks are to the business in a much clearer way that they could understand. And the way I did that is I built them guardrails, right? I don't want, I started to get peppered with. all these questions every day. And I thought, how can I get rid of these little low hanging fruit questions? And so we built guardrails. So if you stay within these guardrails for, you know, TCPA or whatever you're, whatever you're doing, you don't have to come to me. But if you go outside the guardrails, we have to have a discussion. And so that was one of the first times I realized that these tools that you can build, not just help the business, I help yourself. And then since then, you know, the compliance side of what I was doing kept getting bigger. And so I was spending a little less time on the privacy side because I started to have mortgage compliance, deposits, cards, compliance as well. And then not so long ago, they moved me into this residual resilience risk role in which all these things have been doing over the last 15, 20 years come to play in one role. It was almost written for me.


speaker-0: some of the biggest challenges and how have you managed it, how have you navigated those, and I wonder if you're going to bring up some guardrails again.


speaker-1: Well, yeah, that's part of it, right? But I think that educating your business partners and awareness are big challenges. And I don't think it's unique to privacy. Advising them what the risks are and putting it into terms they understand and can contextualize are important to what I would say a second line steward success. So if you understand what they're facing, the challenges both from just complying, but also the resources it takes to comply. If you could put those two together, you have really meaningful conversations with your business partners. I'll give you the example of resilience risk. have a new process we call important business services. Take your most important business service, whether that is, you know, making a payment or taking a payment or onboarding a loan, whatever that is. You have to map everything to it. IT services, have map the customer journey into it, ⁓ vendors into it, right? These all come together into one mass and it is massive effort that usually falls on three to four people in a business unit. And so that wasn't in their plan at the beginning of 2023, let's say. And so they had to create this not knowing that they had to do it at the start of the year. And so those are real examples of how new programs, new compliance requirements can really put pressure on a business. If you have a good change execution framework, you could decide what's more important and move it in and shuffle funds around as well. Those two things are very important to the success of any regulatory requirements.


speaker-0: So other challenges? Because I interrupted you, because I wanted to go back to the resource.


speaker-1: Yeah, the resource, think that I'll take myself as an example. So when we had to roll out this new important business services, I didn't have anybody on my team that was skilled and resource to do this. And it gets quite technical when you get into, let's say one of the things you have to look at is IT vulnerabilities, you know, and it's some of these vulnerabilities are. are very technical, but you have to be able to now understand them in business terminology and explain them to your management why you need to pay to fix it, right? And so that's been an education for us in uplifting our skill sets. And that takes time and it takes effort.


speaker-0: things have you learned along the way, key lessons that you could share with someone just starting out or maybe someone who is a long way into their journey and looking for a little bit of uplift?


speaker-1: I think for the person starting out is curiosity, right? Follow your curiosity. Cause that can lead you places. You know, when I first started in privacy, the digital side of privacy just took over my, my brain power for about a year. And I wanted to read everything about cookie compliance all the way to location use. Curiosity will carry you a long way, but it comes with a little bit of a price. You have to be able to put the work in to get, let's say certified. So yeah, I came into privacy in 2012, got my IIPP in 2012. And you know, before that I took information risk and I did that for a while and I got my CISA. You have to follow up your curiosity with something that shows and demonstrates, you know what you're talking about and you're familiar with the baseline understanding of things. For somebody who's kind of been doing something and they're maybe they're bored. I think that one thing, if you're just plain bored, one person once told me, because I said I was bored once and I was early on in my career and I got this advice and it was pretty curt, but they said, well, if you're bored, maybe you're boring, change that. And so it really made me think, yeah. And so it really made me think, okay, maybe I am bored because I'm not doing something that I need to change. And so look around what you're working on. Look at what you want to do maybe in a year, the whole five year thing, I don't know, I would say look out a year, right? Look out a year and say, you know, let's say I've been doing privacy for 10 years and I really want to try something else. Why not try going into digital, right? Digital office. Those people need people who know privacy and you could be the one person in that team that steers them. And there's opportunities like that. especially in large corporates, they're always moving towards. So that's one example I think that people can carry forward is just think outside the box.


speaker-0: Okay, well and you know they say like what I tell my children is if you're bored that's fantastic because that's when creativity starts. So okay so you're a lifelong learner, you talk about like what we could do if we're bored but what if we're burned out or overwhelmed and looking for inspiration?


speaker-1: If you can try sabbatical, you know, some, know people that have gone on sabbaticals and they've come back with a totally different look at what they've been doing because they took a six month break from it. Right. But they came back to the same role or one similar to it. But sabbaticals give you a really good chance to look into yourself and kind of reevaluate what you want to do and your priorities and maybe get some clarity. I think mentors. Mentors are a great way to find out if you're in the right spot right now. And if you're, if you feel like you're in a funk, how to move out of it.


speaker-0: Maybe if you can't take a sabbatical, then taking that time to reflect.


speaker-1: That's the root of it, right? Reflecting on what you're doing and you might be the best at what you're doing, but you're just not challenged anymore, right? And so sometimes that requires an action on our part.


speaker-0: Any parting advice that you can share with others in this space as they navigate their own journey?


speaker-1: I think that you have to challenge your own self to move outside of your comfort zone. If you don't do that, nobody's going to do it for you. And that's the one action you can take for growth. Find something that makes you feel uncomfortable and be comfortable about it. You'll come out the other side knowing something you didn't do before. you'll, you'll, your knowledge base is going to grow. Your network's going to grow, certainly. And I think that that's one of the things that I remind myself every now and then when I get to feel like I could do this in my sleep type of role, right? And then you start thinking that's about the time where I want to start branching out.


speaker-0: All right, well, we heard it here, Bill. We're going to be lifelong learners. We're going to take ourselves out of our comfort zone. Thank you. I hope you enjoyed this episode of Compliance Chronicles, where we look for guidance and inspiration from the personal journeys of compliance professionals.