Corporate Boards are no longer asking whether their organizations will use artificial intelligence. The business has already answered that question. The only question that matters now is whether AI is being governed well enough to support growth without creating unmanaged risk.
For the corporate compliance officer, this reality creates both pressure and opportunity. Pressure, because Boards with minimal AI literacy still carry full fiduciary responsibility. Opportunity, because compliance is uniquely positioned to translate complex AI activity into oversight-ready information. The bridge between those two worlds is the right set of Board-level Key Performance Indicators (KPIs) for AI governance. Moreover, I believe the U.S. Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (ECCP) can serve as a framework for developing appropriate KPIs for your Board.
This blog post details a set of Board-level KPIs for compliance professionals tasked with educating growth-oriented Boards on AI governance using a blended, ECCP-centric framework. It assumes that AI is already deployed across the enterprise, including generative AI, and that governance must enable innovation while enforcing guardrails.
Why Boards Need AI KPIs Now
The ECCP makes one point repeatedly and without ambiguity: regulators care less about written policies and far more about whether controls work in practice. Boards are expected to exercise oversight over risk, including emerging and technology-driven risks. AI is now firmly in that category.
AI governance KPIs are not about teaching directors how models work. They are about answering three questions every Board must be able to answer:
- Do we know where AI is being used?
- Do we control how AI changes over time?
- Can we detect, respond to, and remediate AI-related harm quickly?
If a Board cannot answer those questions with evidence, not narrative reassurance, the organization is exposed. The role of compliance is to ensure those answers are delivered in a form that directors can understand and act upon.
The KPI Philosophy: Enablement With Guardrails
Because this is a growth-oriented Board, the goal is not to slow AI adoption. The goal is to make AI scalable, defensible, and sustainable. KPIs must therefore do three things simultaneously:
- Demonstrate coverage and control without micromanagement
- Surface risk early, before incidents become enforcement events
- Support informed decision-making, not technical debate
This means Boards should receive KPIs, escalation triggers, and narrative context. Numbers alone are insufficient. Context without metrics is worse.
Six Board-Level KPIs for AI Governance
The following six KPIs apply to all AI systems, including generative AI, within a unified governance framework. They are evidence-based, auditable, and aligned with the ECCP expectations for testing, monitoring, and continuous improvement.
1. Risk Inventory Coverage
This KPI measures the percentage of in-scope AI systems with a current, signed risk record documenting use case, data sources, impacts, potential harms, and safeguards. If AI is operating outside the risk inventory, it is operating outside governance. This KPI answers the most basic oversight question: do we know what we have? Any material AI system without a documented risk assessment or with an expired review date should be escalated for review.
The ECCP begins with risk assessment for a reason. Under the ECCP, prosecutors are directed to consider whether a company has identified and prioritized its risks, including emerging risks. AI, particularly GenAI, now squarely fits within that expectation. Risk Inventory Coverage directly answers the ECCP question: “What methodology has the company used to identify, analyze, and address the particular risks it faces?” If AI systems are operating without a documented risk record, the program fails at step one. From an ECCP perspective, undocumented AI use is indistinguishable from unmanaged risk.
2. Model Change Control Adherence
This measures the percentage of AI model changes, including code, data, prompts, parameters, or vendors, that followed the approved change management process. Uncontrolled change is the fastest way for compliant AI to become noncompliant. This KPI assures directors that innovation is disciplined, not chaotic. Any production AI change implemented without pre-deployment testing, approval, or rollback capability should be escalated for review.
ECCP Alignment:
The ECCP explicitly evaluates whether policies are followed in practice, not merely written. Adherence to change control shows whether AI governance has real authority over business and technology decisions. Unapproved model changes undermine every safeguard the company believes it has in place. From the DOJ’s perspective, a control that can be bypassed without consequence is not a control. For your Board, this KPI demonstrates that AI innovation is disciplined and governed, not uncontrolled experimentation that creates hidden compliance exposure.
3. Model Lineage and Provenance Completeness
This KPI measures the percentage of AI systems with end-to-end traceability, enabling the reconstruction of how outputs were generated and decisions were approved. When something goes wrong, regulators and plaintiffs will ask how the AI reached its decision. This KPI determines whether the company can answer. Any high-impact AI system lacking sufficient documentation to support root cause analysis should be escalated for review.
This KPI is derived from the ECCP sections on Continuous Improvement, Periodic Testing, and Review, as well as Investigation, Analysis, and Remediation of Misconduct. The ECCP asks whether a company can understand why something went wrong and conduct effective root cause analysis. Without lineage and provenance, AI decisions cannot be reconstructed, tested, or explained. This KPI directly supports DOJ’s expectation that companies can investigate incidents, identify systemic weaknesses, and remediate effectively. For your Board, this KPI determines whether the organization can defend its AI decisions after the fact or whether it will be forced into speculation and guesswork.
4. Third-Party Model Assurance Coverage
This KPI measures the percentage of third-party AI tools and services that have completed due diligence, contractual controls, and periodic reassessment. Most AI risk now enters organizations through vendors. Boards must know whether those risks are being actively managed. Any use of third-party AI without completion of onboarding or with unresolved high-risk findings should be escalated for review.
This ties to the ECCP section on Third-Party Management. The ECCP is unambiguous on third parties. Companies are expected to conduct risk-based due diligence, impose contractual controls, and monitor third-party performance over time. Most AI risk now enters through vendors, platforms, APIs, and embedded models. Treating third-party AI differently from other third-party risks would be inconsistent with DOJ guidance. For your Board, this KPI shows that AI vendor risk is governed with the same rigor as bribery, sanctions, or data security risks.
5. AI Incident Mean Time to Resolution (MTTR)
This KPI measures the median time from detection of an AI incident to containment and recovery. Incidents are inevitable. What matters is how fast the organization responds. This KPI demonstrates operational resilience. Repeated incidents with increasing resolution times or incomplete remediation should be escalated.
This ties to the ECCP sections on Investigation, Analysis, and Remediation of Misconduct. The ECCP focuses heavily on how quickly and effectively companies respond to detected issues. Speed matters. Delayed containment signals weak controls and inadequate monitoring. AI Incident MTTR translates this expectation into a measurable operational outcome. It demonstrates whether the company can detect, contain, and remediate AI-related harm before it escalates into regulatory or reputational damage. For your Board, the key takeaway is that this KPI demonstrates operational resilience and governance maturity, not merely technical incident response.
6. Fairness and Robustness Pass Rate
This KPI measures the percentage of AI systems passing predefined fairness, bias, and robustness tests across relevant segments and use cases. It connects AI governance to ethical outcomes and reputational risk. Any material AI system deployed with known fairness or robustness failures should be escalated for review.
This ties to the ECCP sections on Continuous Improvement, Periodic Testing, and Review. The ECCP repeatedly asks whether companies test their controls and whether those controls work in practice. Fairness and robustness testing is the AI equivalent of transaction testing in anti-corruption or sanctions compliance. This KPI shows that AI systems are not only reviewed at launch but are continuously validated against defined risk thresholds. For your Board, the key takeaway is that this KPI demonstrates that ethical and legal AI commitments are enforced through testing, not slogans.
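To make the six KPIs concrete, here is an added worked example (not code from the original post) that computes each KPI and its escalation list from governance records. The record structures, the reporting date, the one-year vendor reassessment cycle, and all sample systems, vendors, changes, and incidents are constructed assumptions for illustration; MTTR is computed as a median, as the KPI text specifies, and the "rising resolution times" escalation is evaluated per system in detection order.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median
from typing import List, Optional, Tuple

AS_OF = date(2025, 6, 30)                 # constructed reporting date
REASSESS_EVERY = timedelta(days=365)      # assumed vendor reassessment cycle


@dataclass
class AISystem:
    name: str
    material: bool                 # high-impact system: gaps are Board escalations
    risk_record_signed: bool
    review_due: Optional[date]     # None = no risk record on file
    lineage_complete: bool         # end-to-end traceability of outputs/approvals
    tests_passed: bool             # predefined fairness/robustness suite


@dataclass
class ModelChange:
    system: str
    tested: bool                   # pre-deployment testing done
    approved: bool                 # approval recorded before deployment
    rollback_ready: bool           # rollback capability in place


@dataclass
class Vendor:
    name: str
    due_diligence: bool
    contract_controls: bool
    last_reassessment: Optional[date]
    open_high_findings: int


@dataclass
class Incident:
    system: str
    detected: datetime
    recovered: datetime            # end of containment and recovery


def pct(hits: int, total: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * hits / total, 1) if total else None


def risk_inventory_coverage(systems: List[AISystem]) -> Tuple[Optional[float], List[str]]:
    """KPI 1: signed risk record that is not past its review date."""
    def covered(s):
        return s.risk_record_signed and s.review_due is not None and s.review_due >= AS_OF
    ok = [s for s in systems if covered(s)]
    escalate = [s.name for s in systems if s.material and not covered(s)]
    return pct(len(ok), len(systems)), escalate


def change_control_adherence(changes: List[ModelChange]) -> Tuple[Optional[float], List[str]]:
    """KPI 2: change followed testing, approval and rollback requirements."""
    def gaps(c):
        checks = (("untested", c.tested), ("unapproved", c.approved), ("no rollback", c.rollback_ready))
        return [label for label, passed in checks if not passed]
    ok = [c for c in changes if not gaps(c)]
    escalate = [f"{c.system}: {', '.join(gaps(c))}" for c in changes if gaps(c)]
    return pct(len(ok), len(changes)), escalate


def lineage_completeness(systems: List[AISystem]) -> Tuple[Optional[float], List[str]]:
    """KPI 3: material systems without traceability cannot support root cause analysis."""
    ok = [s for s in systems if s.lineage_complete]
    escalate = [s.name for s in systems if s.material and not s.lineage_complete]
    return pct(len(ok), len(systems)), escalate


def third_party_assurance(vendors: List[Vendor]) -> Tuple[Optional[float], List[str]]:
    """KPI 4: assured = due diligence + contract controls + reassessment within cycle."""
    def assured(v):
        fresh = v.last_reassessment is not None and AS_OF - v.last_reassessment <= REASSESS_EVERY
        return v.due_diligence and v.contract_controls and fresh
    ok = [v for v in vendors if assured(v)]
    # Escalation trigger from the text: incomplete onboarding or unresolved high-risk findings.
    escalate = [v.name for v in vendors
                if not (v.due_diligence and v.contract_controls) or v.open_high_findings > 0]
    return pct(len(ok), len(vendors)), escalate


def incident_mttr(incidents: List[Incident]) -> Tuple[Optional[float], List[str]]:
    """KPI 5: median hours from detection to recovery; escalate systems with rising times."""
    hours = [(i.recovered - i.detected).total_seconds() / 3600 for i in incidents]
    by_system = {}
    for inc, h in zip(incidents, hours):
        by_system.setdefault(inc.system, []).append((inc.detected, h))
    escalate = []
    for name, series in by_system.items():
        times = [h for _, h in sorted(series)]          # chronological order
        if len(times) >= 2 and all(b > a for a, b in zip(times, times[1:])):
            escalate.append(name)
    return (median(hours) if hours else None), escalate


def fairness_pass_rate(systems: List[AISystem]) -> Tuple[Optional[float], List[str]]:
    """KPI 6: material systems live with known fairness/robustness failures are escalated."""
    ok = [s for s in systems if s.tests_passed]
    escalate = [s.name for s in systems if s.material and not s.tests_passed]
    return pct(len(ok), len(systems)), escalate


def board_report(systems, changes, vendors, incidents) -> dict:
    """One dictionary per KPI: the number plus the escalation list directors should see."""
    return {
        "risk_inventory_coverage": risk_inventory_coverage(systems),
        "change_control_adherence": change_control_adherence(changes),
        "lineage_completeness": lineage_completeness(systems),
        "third_party_assurance": third_party_assurance(vendors),
        "incident_mttr_hours": incident_mttr(incidents),
        "fairness_pass_rate": fairness_pass_rate(systems),
    }


# Constructed sample records (not real systems or vendors).
SYSTEMS = [
    AISystem("credit-scoring", True, True, date(2025, 12, 31), True, True),
    AISystem("support-chatbot", True, True, date(2025, 3, 1), False, True),   # review expired
    AISystem("marketing-copy-genai", False, False, None, True, True),        # no risk record
    AISystem("fraud-detection", True, True, date(2026, 1, 15), True, False), # failed tests
]
CHANGES = [
    ModelChange("credit-scoring", True, True, True),
    ModelChange("support-chatbot", True, True, False),   # prompt change, no rollback
    ModelChange("fraud-detection", True, True, True),
    ModelChange("support-chatbot", False, True, True),   # shipped untested
]
VENDORS = [
    Vendor("llm-api-provider", True, True, date(2024, 9, 1), 0),
    Vendor("resume-screening-saas", True, False, None, 2),
    Vendor("ocr-vendor", True, True, date(2024, 3, 15), 0),   # reassessment stale
]
INCIDENTS = [
    Incident("support-chatbot", datetime(2025, 2, 1, 9), datetime(2025, 2, 1, 13)),
    Incident("support-chatbot", datetime(2025, 4, 10, 8), datetime(2025, 4, 10, 18)),
    Incident("credit-scoring", datetime(2025, 5, 5, 7), datetime(2025, 5, 6, 7)),
    Incident("support-chatbot", datetime(2025, 6, 2, 12), datetime(2025, 6, 3, 2)),
]

if __name__ == "__main__":
    for kpi, (value, escalations) in board_report(SYSTEMS, CHANGES, VENDORS, INCIDENTS).items():
        print(f"{kpi}: {value}  escalate={escalations}")
```

Each KPI returns the headline number and the escalation list together, because the post's point is that numbers alone are insufficient: a 50% coverage figure tells the Board less than the name of the material system whose risk review lapsed. Percentages are computed over all in-scope records, while escalations are restricted to the triggers the post defines (material or high-impact systems, unresolved high-risk vendor findings, repeat incidents with rising resolution times).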
Board Oversight Questions Tied to AI KPIs
To close, here are Board-level questions compliance officers should encourage directors to ask:
- Which AI systems fall outside our current risk inventory, and why?
- Where have we accepted AI risk, and what safeguards justify that decision?
- Are AI changes happening faster than our governance can keep up with?
- How quickly can we detect and contain AI-related harm?
- Which third-party AI risks would cause us to pause or exit a deployment?
- How do these KPIs support growth rather than restrict it?
AI governance KPIs are not about slowing innovation. They are about making growth durable. For compliance professionals, delivering these metrics in a clear, disciplined, and Board-ready way is how AI governance becomes a strategic asset rather than a regulatory afterthought.
If you would like specific KPIs based on this blog, go over and subscribe to my Substack. At this point, it is free. Check it out here.