Ed. Note: over the next three blog posts, I will be running a short series on three recent books by Hemma Lomax and Ashley Dubriwny. There are The Art of Ideation, The Art of Celebration, and The Art of Implementation.
Hemma Lomax and Ashley Dubriwny’s The Art of Ideation is, on one level, a practical guide for culture builders. On another level, it is a challenge to compliance professionals: stop treating compliance as a function that merely publishes rules, delivers training, and waits for reports. Start treating compliance as a discipline of curiosity, engagement, design, and shared intelligence.
The book begins with a simple but powerful premise. Culture builders need ideas, but more importantly, they need the skill to generate better ideas through peer ideation, storytelling, and crowdsourcing intelligence. Lomax and Dubriwny describe the spark that came from compliance professionals exchanging creative approaches at a conference table and then ask why that energy should be limited to a once-a-year event. Their answer is to make ideation intentional, repeatable, and community-based.
For compliance professionals, this is not a soft concept. It goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. The compliance lesson from The Art of Ideation is clear: a program that does not ask better questions will not get better answers.
Lesson One: Know Your Audience Before You Design the Control
One of the book’s strongest lessons comes from the São Paulo story. Hemma arrives in Brazil to speak to more than 200 sales executives. Rather than deliver a generic compliance presentation, she uses images and experiences from the city itself to connect with the local audience. The lesson is not simply that visuals work. The deeper lesson is that compliance must demonstrate cultural awareness before it asks for behavioral change.
Too many compliance programs are still designed from the top down. Policies are written in legal language. Training is translated late, if at all. Hotline posters are posted in areas where employees do not work. Codes of Conduct speak to an imagined employee rather than the actual workforce.
The ECCP lens is unforgiving here. A risk-based program must be tailored to the company’s risk profile, business model, workforce, geography, and operations. If field employees, sales teams, or third-party-facing personnel cannot access guidance in the moment of need, the control may exist on paper but fail in practice.
Lesson Two: Storytelling Is a Control Enhancement
Dubriwny’s discussion of training emphasizes that facts alone rarely change behavior. Stories create context, emotion, and recall. In compliance, that matters because most misconduct does not arise from someone misunderstanding a policy title. It arises in moments of pressure, ambiguity, fear, loyalty, or perceived business necessity. A good compliance story can show what a conflict of interest feels like. It can show why a facilitation payment creates risk. It can show how retaliation begins quietly. It can show a manager what it means to receive a concern well.
This is especially important for a culture of speaking up. Employees do not speak up because a poster says they can. They speak up because they believe the organization will listen, protect them, and act. The Art of Ideation repeatedly returns to the need to meet people where they are, involve them, and design engagement pathways that feel safe. That maps directly onto the ECCP’s focus on confidential reporting, anti-retaliation, and investigation processes, as well as employees’ trust in those systems.
Lesson Three: The Code of Conduct Should Be Designed to Work
The book’s chapter on Codes of Conduct is especially useful for CCOs. It asks whether the Code is an external artifact, a regulatory box-checking document, or a decision-making tool for employees. The answer should be all the above, but the priority must be the employee user. That is a powerful compliance point. A code should not merely state values. It should operationalize them. It should be accessible, visually clear, mobile-friendly, translated appropriately, and supported by examples that reflect real roles, geographies, and pressures. The authors argue that a Code should be co-created, tested, and designed so people can see themselves in it.
This has implications for internal controls. A policy no one reads is not a meaningful control. A code no one uses is not a cultural anchor. A decision tree that helps an employee escalate a third-party red flag is more valuable than a beautifully written paragraph no one remembers.
Lesson Four: Crowdsourcing Risk Intelligence Is Compliance Modernization
Perhaps the most compliance-relevant section of the book is the discussion of crowdsourcing intelligence. Lomax and Dubriwny argue that leadership does not have a monopoly on the perspectives needed to identify risk. Employees across functions, geographies, and levels see vulnerabilities long before they appear in formal reporting channels. This is exactly where modern compliance must go. Annual risk assessments remain useful, but they are not enough on their own. A CCO needs real-time, near-real-time, and frontline input. This includes surveys, focus groups, collaboration tools, investigation themes, hotline trends, third-party feedback, and data analytics.
AI governance fits here as well. The book encourages responsible experimentation with AI, including using AI to make policies more accessible, generate first drafts, synthesize information, and provide decision-useful guidance. In compliance terms, AI should not be a gimmick. It should be governed, risk-assessed, monitored, and used to improve the employee experience.
Compliance Application
For the compliance professional, ideation is not brainstorming for its own sake. It is how the CCO identifies gaps, improves controls, tests training, strengthens speak-up systems, modernizes the Code, and uses AI responsibly. It is how compliance moves from headquarters’ assumptions to operational intelligence.
The lesson is also relevant to investigations. The book’s discussion of investigations emphasizes empathy, transparency, gratitude toward participants, and learning from the process. That is an important reminder that investigations are not simply fact-finding exercises. There are moments when employees decide whether the compliance function is credible.
CCO Questions
- Does our compliance function know how employees actually experience our Code, training, reporting channels, investigation process, and third-party controls?
- Are we using peer ideation, frontline feedback, and cross-functional input to improve the program?
- Where are we still relying on headquarters assumptions rather than operational evidence?
- How are we using AI to improve accessibility, consistency, risk sensing, and employee guidance without weakening confidentiality, privacy, or human judgment?
Practical Takeaways
- Redesign one compliance communication from the user’s perspective. Make it shorter, clearer, more accessible, and easier to act on.
- Create an ideation circle around one major compliance risk, such as third-party due diligence, gifts and entertainment, speaking up, or AI use.
- Test your Code of Conduct with employees from different geographies and functions before the next refresh.
- Add crowdsourced risk intelligence to your risk assessment process.
- Treat ideation as a compliance control. Better questions produce better evidence, and better evidence produces a more effective program.
Ideation is where the compliance professional begins to see what is possible. It gives the CCO better questions, stronger engagement, richer risk intelligence, and a more human understanding of how employees experience the program. But ideas alone do not create culture. A redesigned code, a better speak-up message, a sharper AI policy, or a new third-party risk insight only matters if it moves from concept to practice. That is where the second book in the trilogy, The Art of Implementation, takes us next.
Join us tomorrow in Part 2, where we will examine how compliance professionals turn good ideas into operating discipline through alignment, stakeholder ownership, pre-mortems, adoption, incentives, and the hard work of making values real inside the business.
