This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:
Monday: A Tale of Two Storms
Tuesday: Coming Clean
Wednesday: Inside a Dark Pact
Thursday: Reaching Into the Value Chain
Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios
Please note that I will leave her seminal (in my opinion) piece, The Banks Behind the Epstein Enterprise, for a later piece.
In A Tale of Two Storms, it is worth noting at the outset that McDevitt did more than recount a corporate crisis. She captured a company trying to rebuild itself under the eye of a court-appointed monitor just as COVID-19 exploded into a global emergency. As Compliance Week explained, what began as a long-form examination of Carnival’s environmental misconduct and attempted compliance redemption became a far bigger story when one of its ships became an early incubator of the virus outside China.
For the compliance professional, that pivot is the first lesson. A program is not truly tested in the conference room. It is tested when an old crisis collides with a new one.
McDevitt opens at a moment of eerie transition. On February 20, 2020, Carnival was already dealing with a COVID-19 outbreak aboard the Diamond Princess, even as Compliance Week toured the company’s new ethics and compliance function in Miami. That juxtaposition framed the whole case study. Carnival was not simply managing a public health disaster. It was doing so while still carrying the baggage of a long, embarrassing, and very expensive history of environmental misconduct.
That history mattered. Carnival had pleaded guilty in federal court in both 2002 and 2017 to illegal discharges of oily waste and to falsification of records, and the Department of Justice viewed the pattern as evidence of a systemic problem in ethics and culture. This was not a one-off control failure. It was a story of repeated misconduct, insufficient structural reform, and an organization that had not yet fully learned how to turn compliance into culture.
McDevitt shows that the real inflection point came in 2019, after Carnival paid another $20 million for violating the terms of its probation and was ordered to implement corporate structural changes under a tight deadline, with a possible $10 million-per-day late penalty. That is when Carnival hired Peter Anderson as its first chief ethics and compliance officer and began to centralize what had long been fragmented compliance functions.
The importance of that move cannot be overstated. A common problem in large organizations is that compliance is spread across subject-matter silos, each with its own language, priorities, and reporting lines. McDevitt reports that before August 2019, Carnival did not have a centralized ethics and compliance department; environmental, general compliance, and health and safety functions worked independently across its operating companies. That fragmentation is often sold internally as efficiency or business autonomy. In practice, it can become a breeding ground for inconsistent controls, weak escalation, and cultural drift.
Anderson’s mandate was broader than legal remediation. He was brought in to unite the program, strengthen trust, improve information flow, and build a sustainable culture of compliance. McDevitt’s reporting around Anderson is especially valuable because she does not present him as a silver-bullet hero. Rather, she portrays him as an architect trying to build structure, process, and cultural credibility simultaneously.
His four pillars, as reported by McDevitt, were prevention, detection, response, and correction. That framework remains highly useful for any chief compliance officer. It reminds us that compliance is not just about policies or investigations. It is about understanding risk, identifying issues early, responding quickly, and then conducting real root cause analysis so the same failure does not recur. This became critically important once COVID hit.
One of the sharpest observations in McDevitt’s reporting comes from Carnival’s Gerry Ellis, who described the pandemic not as a pure compliance issue but as “compliance with the regulatory aspect of health” in a rapidly shifting battlefield of contradictory requirements across jurisdictions. That is a familiar challenge to modern compliance teams. Whether the issue is sanctions, AI governance, cyber, ESG, or public health, the hardest problems often come when the rules are changing in real time, across borders, with high operational stakes.
The brutal optics of timing also complicated Carnival’s crisis response. McDevitt details how the company faced allegations that it had sufficient warning signs yet continued operating for too long, even as infections spread across multiple vessels. Carnival defended its timing, noting that public health guidance was still evolving and that government advisories had not yet been fully escalated. That explanation may be understandable, but for compliance officers, the point is not merely whether management can defend its judgment after the fact. The point is whether the organization had the governance structure to make fast, documented, risk-based decisions while conditions changed by the hour.
McDevitt’s deeper contribution is to connect the pandemic response to the compliance rebuild already underway. She reports that Carnival’s pre-pandemic investments in a centralized program, better risk assessment, improved training, stronger communications, and closer engagement with the monitor helped the company absorb the shock of COVID more effectively than it otherwise could have. In other words, compliance did not solve the pandemic. But it provided muscle memory. That may be the most important lesson in the entire case study.
The company also understands that the tone at the top must be reinforced through resource allocation. Even amid severe financial pressure, Carnival preserved a larger share of its ethics and compliance team than many other departments, continued environmental investments, and developed a Pause Priorities Plan to sustain compliance momentum during the shutdown. Compliance officers should take note. A company reveals its real priorities not by slogans but by budget, staffing, visibility, and follow-through.
There are other practical insights here as well. McDevitt recounts how Carnival moved from a blame-oriented investigative mindset to “incident analysis” and learning, with Anderson explicitly stating that incidents should be viewed as assets for improvement. She also reports the company’s emphasis on “speak up,” leadership engagement, culture measurements, and the need to make captains and shipboard leaders receptive to challenge from below. That is a direct answer to one of the oldest compliance questions: how do you build trust in high-hierarchy environments where people fear speaking up?
Yet McDevitt does not let Carnival off the hook. The court-appointed monitor remained skeptical, top leadership had to be pushed to engage more deeply, environmental violations persisted, and Judge Patricia Seitz openly questioned whether Carnival was building a robust system that could function without the court’s “training wheels”. That skepticism is healthy. It underscores a hard truth every compliance professional knows: a redesigned program is not the same thing as an effective one. The real test is whether the organization behaves differently over time.
In the end, A Tale of Two Storms is not simply a cruise industry story. Aly McDevitt uses Carnival to show what happens when compliance reform is forced to mature in public, under enforcement pressure, and amid operational chaos. Her reporting demonstrates that while a crisis can expose weakness, it can also accelerate the transition from paper program to operational discipline.
For compliance leaders, that is the heart of the matter. You do not get to choose when your second storm arrives. You only get to choose whether your program is strong enough to meet it.
Join us tomorrow as we move to Aly’s piece on Volkswagen and its journey regarding its corporate soul after its emissions testing scandal. I am a columnist for Compliance Week.
