The EU as a Regulatory Guidepost Amidst US Retreat
A key theme emerging was the increasing importance of EU regulations as a critical guidepost for US companies, particularly as the US appears to retreat from certain global regulatory consensuses.
Kelly observed that while US and EU regulations were previously “in the same ballpark,” they now seem to be moving in “diametrically different directions.”
This divergence, he argued, means US companies operating globally cannot afford to ignore EU standards, which often remain robust or continue to advance. He cited examples like DORA (Digital Operational Resilience Act), the EU AI Act, and ongoing sanctions against Russia as areas where the EU is likely to maintain a strong stance, regardless of US policy shifts. This makes EU regulations a de facto standard for many international businesses.
The Three Phases of Corporate Response to Deregulation
Kelly outlined a potential “three-phase maturity curve” for how corporations might respond to the Trump administration’s emphasis on deregulation:
- Phase One (Current): Wait and See. Given the confusion and uncertainty about which regulatory repeals will stick or face legal challenges, many companies are currently adopting a cautious “wait and see” approach, hesitant to make drastic changes to their existing compliance programs. Kelly highlighted a Gartner study showing that “regulatory uncertainty and legal challenges” have become the top stressor for compliance professionals in early 2025, a surprising development given that the election outcome is known.
- Phase Two: Cynicism and Reduced Investment (Potential). Kelly anticipates a phase where some companies might become cynical about enforcement and consider reducing investment in compliance resources, thinking the risk of regulatory fines is diminished. He acknowledged this as a flawed view but a likely reaction from some.
- Phase Three: Realization of Inherent Risk. Ultimately, Kelly believes most companies will realize that the risks themselves (e.g., data privacy failures, operational disruptions) persist even if specific regulations are repealed. A major privacy failure, for instance, will still lead to reputational damage and lawsuits. This will lead to a recognition that strong risk management capabilities, closely resembling well-built compliance programs, remain essential. The question, he posed, is how many will learn this “the hard way.”
State-Level Regulation and the “18 Flyweights”
Even if federal deregulation occurs, Kelly emphasized that US businesses will still face a complex regulatory environment. He pointed to the increasing activity of US state regulators and attorneys general who are “happy to fill that vacuum.”
Multiple states are already adopting laws on AI, and state AGs are issuing advisories on consumer protection related to new technologies. Kelly likened this to trading one “heavyweight opponent” (a federal regulator) for “18 flyweight regulators” (the states), suggesting that the overall compliance burden might not necessarily decrease, just shift in nature.
The Future of Compliance Capabilities
Regardless of specific administrative policies, Kelly concluded that companies will continue to need strong data governance, robust risk assessment capabilities, and effective regulatory change management. The core systemic needs for handling risk and compliance remain, even if the arguments made to the board for resource allocation might need reframing.
Longevity and the “Post-Trump” World
The conversation also touched upon the practicalities of the President’s term, his age, and the potential for political setbacks (e.g., in the 2026 midterms) that might influence his agenda or even the duration of his active leadership. Kelly suggested companies must also consider what a “post-Trump” world might look like and whether relaxed regulations would simply be reinstated by a future administration.
Key Takeaways:
- The current US administration has created significant uncertainty and complexity for GRC professionals.
- EU regulations are becoming an increasingly important “strategic compass” for US companies operating globally, as they often represent a stable, high standard.
- Deregulation does not eliminate underlying business risks; companies will still need robust risk management and governance capabilities.
- State-level regulations in the US are likely to fill any voids left by federal deregulation, creating a different type of compliance challenge.
- Integrity and ethical considerations remain important, with potential reputational consequences for companies and their advisors based on their alignment with administrative actions.
This dynamic environment will be a central focus at #RISK New York (July 9-10, Fordham Law School), where Matt Kelly will be speaking. The conference provides a vital platform for leaders to discuss these evolving challenges, share strategies, and gain the insights needed to navigate the future of risk and compliance.
His session, “AI Governance for Modern Risks” (Day 1, 11:45 AM - 12:15 PM), will specifically explore how AI is challenging traditional GRC concepts and the new principles needed for effective AI governance.