I had the pleasure last week of talking to a top legal officer at a large manufacturer, someone who will be speaking at the Compliance Week 2014 conference next spring about conflict minerals compliance. The program his company has developed so far is excellent, and I won't spoil it by naming him and disclosing all the details here—but our conversation also underlined a headache compliance executives are facing that runs far deeper than conflict minerals, one worth discussing now.

Let's start with our man Smith and his company's first efforts at conflict minerals compliance. The duty fell to Smith because he, in the legal department, oversees all regulatory filings with the Securities and Exchange Commission—which will include conflict minerals disclosure on the agency's new Form SD, starting early next year. So Smith assembled a task force from various company departments: compliance, accounting, IT, and supply chain.

He then described to me how the task force mapped out its goals and the work required to get those goals done, and it all sounded very much like the conversations I had nearly 10 years ago with companies confronting Section 404 compliance with the Sarbanes-Oxley Act. Understand what the SEC wants; find your weak spots; remediate any weaknesses as best you can; disclose what you know and what you don't know, but hope to fix in the following year. Any compliance officer of a certain age will see the parallels.

Smith quickly understood that the company's biggest challenge would be staffing: both manpower to get the work done, and expertise to know how to do the work wisely. Little surprise, then, that he turned to his company's external auditor (a Big 4 firm) for help. The company's exposure to conflict minerals is small, Smith told me, so he knew that its conflict-minerals program could be audited by a small firm. The more important trick would be building the right structure for compliance in the first place, so all those disclosures will be correct—and when you need specialty teams of very bright people, the Big 4 firms genuinely do have that manpower in spades.

“Thankfully this didn't take up too much of my personal time, since I handle a bunch of regulatory issues,” Smith told me. “The ones who really did the work were our supply-chain team; for every four- or five-hour meeting I sat through, I know they were sitting through three or four more. They were just indispensable to this whole process.”

Smith also realized that the company's other difficult problem was IT: namely, how much money to spend on IT dedicated to managing conflict-minerals compliance. “Right now it's going to be something cheap and easy, to get compliance running,” he said. “We know we'll need to do something more long-term within two years. We can't keep imposing on our suppliers like this.”

And with that bit of casual wisdom from Smith, we come to the deeper, much more intractable headache for compliance officers. 

Compliance pressures that hit your third parties are proliferating so rapidly—anti-corruption, conflict minerals, data security, human trafficking, offshore tax havens—that they now exceed your ability to manage them all well, or in any systematic fashion. The result: you keep pestering your third parties one regulation at a time, to the point where they get compliance fatigue and don't want to cooperate with you. As Smith put it when we spoke, “It's a big ask we're imposing on them, and we need to find a way to ease that up.”

Good luck with that. In theory, getting ahead of the problem should not be too hard. These regulations (and more) all ask different questions of your third parties, but the fundamental process of asking for information and verifying its accuracy is the same. You should be able to deploy software that allows you to do those things. Indeed, I have no doubt that any number of vendors reading these words will breathlessly tell me that their very product is perfect for the job.

In practice, the world operates quite differently. Regulations aren't always clear (see: Volcker Rule), and many immediately get mired in court challenges anyway. Software products aren't easy to scope and implement, despite what vendors might say. And above all, installing a strong, flexible IT system that works well with your third parties is a multi-year commitment. Persuading CIOs and boards to make that sort of commitment is a tall order, one that borders on hopeless. Companies never want to make strategic shifts without a clear upside on revenue—and right now, effective compliance still doesn't have one.

So at the Compliance Week 2014 conference, our man Smith is going to give an excellent presentation (one among many) about his approach to conflict-minerals compliance. It really does sound like a logical, systematic way to address one of the big compliance challenges facing companies today. At the end, however, if you ask him how his company might leverage its success here with other compliance burdens to come, you'll get an answer something like this.

“We need to simplify what we ask of our suppliers,” Smith told me. “This is all getting to be too much for them or anyone else, and we need something that works.”

We'll look at that problem at Compliance Week 2014 too, but somehow I suspect it will remain on the agenda for years to come.