
Sign up to save your podcasts
Or


Stepping into compliance “by accident,” building guardrails that actually help the business, and staying curious enough to reinvent your career—Episode 14 with Bill Connolly is packed with practical lessons for anyone in risk, privacy, or compliance leadership.
In this episode of Compliance Chronicles, host Liisa Thomas talks with Bill Connolly, Head of Resiliency Risk for the U.S. retail bank at HSBC. Bill oversees a broad risk portfolio that spans information risk, business continuity, disaster recovery, operational resilience, and more—all brought together in a single resiliency risk program. He shares how his career evolved from managing TCPA suppressions and customer choice, to vendor risk and privacy, to digital compliance, and ultimately into enterprise resiliency risk.
Bill walks through his “privacy by almost accident” story: starting with do‑not‑call and do‑not‑solicit databases, helping to build practical privacy questionnaires, and being asked to relaunch a new privacy program by writing a privacy policy that actually reflected how the organization worked. That experience led him into digital compliance, where he carried forward his privacy and information risk expertise to tackle cookie compliance, cross‑border data issues, and global data privacy obligations in a large financial institution.
A major theme of the conversation is how to communicate risk in a way the business understands. Bill explains how he created “guardrails” to reduce low‑value questions and empower teams: if people stay within well‑defined parameters on TCPA, privacy, or other rules, they can move quickly; if they step outside those guardrails, that’s when legal and compliance step in. He shares why this kind of tooling not only helps the business move faster but also protects second‑line teams from getting buried in ad‑hoc requests.
They dig into the challenges of new regulatory and resiliency requirements, including “important business services” mapping and the sheer scope of work that often falls on a small group of people in each business unit. Bill talks about translating highly technical topics—like IT vulnerabilities—into business language and compelling risk narratives that management can act on and fund. He emphasizes the importance of understanding both the compliance requirements and the resource impact on the business, so you can prioritize, sequence, and negotiate change effectively.
Bill also shares career advice for compliance, risk, and privacy professionals at different stages. For those starting out, he stresses curiosity—following your interest into areas like digital privacy or information risk, and backing it up with credentials such as CISA and IAPP certifications. For those who are bored or burned out, he suggests re‑examining your role, looking one year ahead at where you want to be, and exploring adjacent areas like digital, operations, or new risk domains where your expertise can be uniquely valuable.
The conversation closes with a focus on growth and reflection: using sabbaticals or mini‑sabbaticals, mentorship, and honest self‑assessment to decide when you need a new challenge. Bill’s parting advice is to deliberately step outside your comfort zone—because no one will do that for you—and to treat each stretch assignment as a way to expand both your knowledge and your network.
If you work in privacy, compliance, operational risk, or resilience at a bank or large corporate and want to become a more effective partner to the business while continuing to grow your own career, this episode is for you.
If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.
By Liisa ThomasStepping into compliance “by accident,” building guardrails that actually help the business, and staying curious enough to reinvent your career—Episode 14 with Bill Connolly is packed with practical lessons for anyone in risk, privacy, or compliance leadership.
In this episode of Compliance Chronicles, host Liisa Thomas talks with Bill Connolly, Head of Resiliency Risk for the U.S. retail bank at HSBC. Bill oversees a broad risk portfolio that spans information risk, business continuity, disaster recovery, operational resilience, and more—all brought together in a single resiliency risk program. He shares how his career evolved from managing TCPA suppressions and customer choice, to vendor risk and privacy, to digital compliance, and ultimately into enterprise resiliency risk.
Bill walks through his “privacy by almost accident” story: starting with do‑not‑call and do‑not‑solicit databases, helping to build practical privacy questionnaires, and being asked to relaunch a new privacy program by writing a privacy policy that actually reflected how the organization worked. That experience led him into digital compliance, where he carried forward his privacy and information risk expertise to tackle cookie compliance, cross‑border data issues, and global data privacy obligations in a large financial institution.
A major theme of the conversation is how to communicate risk in a way the business understands. Bill explains how he created “guardrails” to reduce low‑value questions and empower teams: if people stay within well‑defined parameters on TCPA, privacy, or other rules, they can move quickly; if they step outside those guardrails, that’s when legal and compliance step in. He shares why this kind of tooling not only helps the business move faster but also protects second‑line teams from getting buried in ad‑hoc requests.
They dig into the challenges of new regulatory and resiliency requirements, including “important business services” mapping and the sheer scope of work that often falls on a small group of people in each business unit. Bill talks about translating highly technical topics—like IT vulnerabilities—into business language and compelling risk narratives that management can act on and fund. He emphasizes the importance of understanding both the compliance requirements and the resource impact on the business, so you can prioritize, sequence, and negotiate change effectively.
Bill also shares career advice for compliance, risk, and privacy professionals at different stages. For those starting out, he stresses curiosity—following your interest into areas like digital privacy or information risk, and backing it up with credentials such as CISA and IAPP certifications. For those who are bored or burned out, he suggests re‑examining your role, looking one year ahead at where you want to be, and exploring adjacent areas like digital, operations, or new risk domains where your expertise can be uniquely valuable.
The conversation closes with a focus on growth and reflection: using sabbaticals or mini‑sabbaticals, mentorship, and honest self‑assessment to decide when you need a new challenge. Bill’s parting advice is to deliberately step outside your comfort zone—because no one will do that for you—and to treat each stretch assignment as a way to expand both your knowledge and your network.
If you work in privacy, compliance, operational risk, or resilience at a bank or large corporate and want to become a more effective partner to the business while continuing to grow your own career, this episode is for you.
If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.