This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:
Monday: A Tale of Two Storms
Tuesday: Coming Clean
Wednesday: Inside a Dark Pact
Thursday: Reaching Into the Value Chain
Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios
In Inside a Dark Pact, Aly took a scandal that could easily be reduced to a shocking headline and showed how misconduct often grows incrementally, decision by decision, concession by concession, until a company crosses a line it can no longer explain away. As McDevitt framed it, Lafarge’s collapse into criminal conduct was not sudden. What began as “local concessions” in a war zone ended in terrorist financing, a guilty plea, and a historic compliance disaster.
For the corporate compliance professional, that is where this story starts. Not with ISIS. Not with the guilty plea. Not even with Syria’s descent into civil war. It starts with a corporate mindset that treats business continuity as a value higher than legal and ethical boundaries.
McDevitt lays out the core facts with devastating clarity. Lafarge built a $680 million cement plant in the Jalabiyeh region of Syria in 2010, just as the Arab Spring began to reshape the region. The plant, Lafarge Cement Syria, was strategically important, but it also operated in an increasingly unstable environment. By 2011, political unrest in Syria had become a violent conflict. By 2012, the area around the plant was plagued by kidnappings, hijackings, and the killing of a contractor at a checkpoint. Most companies would view those developments as bright red stop signs. Lafarge saw them as obstacles to manage.
That is the first major lesson of the case study. The most dangerous compliance failures often arise not from ignorance of risk but from a conscious decision to keep operating despite it. McDevitt shows that while other companies pulled out of Syria, Lafarge kept the plant running and shifted management of Syrian operations to Cairo after evacuating European employees. That decision set the stage for the next step: negotiating through intermediaries with armed factions to permit continued operations. By then, the moral and legal slope was already slippery. The question was no longer whether the company faced risk. The question was how much compromise leadership was willing to tolerate to avoid writing off a major investment.
McDevitt’s reporting is especially effective because it captures the gradualism of the wrongdoing. She writes that Lafarge executives did not wake up one day and decide to fund terrorists. It happened slowly, one deal after another, as the company tried to preserve operations in a deteriorating war zone. This is a point every compliance professional should sit with. Catastrophic misconduct often results from the accumulation of rationalized, smaller acts. Each one is framed as temporary, practical, or necessary. Each one moves the line. Eventually, there is no line left.
The Justice Department ultimately found that Lafarge routed about $5.92 million in illicit payments to the al-Nusra Front and ISIS. In 2022, Lafarge pleaded guilty in the United States to providing material support to terrorist organizations, the first case of its kind against a corporation in the U.S. Former Deputy Attorney General Lisa Monaco said the company “paid millions of dollars to both terrorist groups and benefited from their brutality to the tune of $70 million in revenue,” and the company paid $778 million in fines and forfeitures as part of the plea agreement.
That number alone should command the attention of boards and executive teams. Lafarge tried to avoid the business pain of shutting down a troubled asset and ended up paying more than the original investment in penalties, while also suffering deep reputational damage, legal exposure in multiple jurisdictions, and criminal proceedings against former executives. There is a brutal irony in that outcome. The Syrian plant accounted for less than 1% of Lafarge’s total sales at the time of the Holcim merger, yet the consequences of non-compliance proved vastly disproportionate to the asset’s commercial importance. That is the second lesson. The smaller the business rationale, the less defensible the compliance compromise.
McDevitt also explains why the U.S. Department of Justice had jurisdiction. Lafarge used U.S.-based email services to avoid using company email addresses, and some payments linked to terrorist groups were made in U.S. dollars through New York banks. This should resonate with every multinational company. Jurisdiction in modern enforcement is not limited by headquarters location. It is created through systems, currency flows, communications infrastructure, and business touchpoints. In a global company, you can be hauled into a U.S. enforcement action because you used the plumbing of U.S. commerce.
McDevitt’s account also reveals something even more troubling. By September 2013, Lafarge executives were already acknowledging the reality in their own meeting minutes, stating that it was becoming harder and harder to operate without directly or indirectly negotiating with networks designated as terrorists by international organizations and the United States. That line should stop every compliance officer in their tracks. At that moment, the risk was no longer ambiguous. It was known, articulated, and documented. The failure thereafter was not one of detection. It was one of decision-making.
And that brings us to the heart of the compliance lesson. Once a company understands the legal and ethical nature of the risk, the compliance function is not merely to record the issue. The job is to create a decision architecture that can force the right outcome, even when business leadership hates it.
McDevitt reinforces this through the voice of Marcia Narine Weldon, who said, “business continuity can’t be an excuse for abandoning core legal and ethical principles,” and even more pointedly, “When you’re dealing with potential terrorism financing, neutrality isn’t an option. You either stop it or you become complicit.” That is exactly right. There are categories of risk where compromise is not prudent balancing; it is complicity. Terrorist financing sits squarely in that category.
Another important aspect of McDevitt’s case study is the timeline of internal response. Holcim, after its merger with Lafarge, became aware in 2016 of allegations that Lafarge had negotiated with ISIS and made payments to it. The head of compliance informed the Chief Legal and Compliance Officer that outside counsel had been engaged for legal analysis, and the board’s finance and audit committee directed an investigation. This sequence shows what a post-discovery escalation should look like. But it also highlights a painful truth: escalation after the fact is not the same as prevention. The best board briefing in 2016 could not undo the wrong choices made years earlier.
For compliance leaders, the Lafarge matter is therefore a case study in the limits of retrospective governance. Once the organization has crossed the line into criminal conduct, the role of compliance shifts from prevention to damage containment.
McDevitt weaves this throughout the piece with precision. She does not sensationalize the conduct. She shows how a company operating in a volatile, high-risk environment allowed ethics and compliance to take a back seat to business survival. That is what makes the article so valuable. It reminds us that in high-pressure environments, compliance is not a support function sitting politely on the sidelines. It is the adult in the room. Sometimes that means telling management to shut down an operation. Sometimes it means escalating to the board. Sometimes it means resigning rather than participating in what is unambiguously wrong.
In the end, Inside a Dark Pact is one of Aly McDevitt’s strongest cautionary tales because it strips away comforting myths. It tells us that smart people can rationalize the indefensible. It tells us that local concessions can become global crimes. And it tells us that when a company places asset preservation above values, it may preserve neither.
Join us tomorrow when we review Aly’s piece on Flex and its ESG journey. I am a columnist for Compliance Week.