Categories
FCPA Compliance Report

FCPA Compliance Report: Navigating Security Threats In Venezuela with Marc Duncan – A Comprehensive Approach to Risk Management

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Marc Duncan, Chief Operating Officer at Salus Solutions, joins Tom to discuss the security issues that US companies need to address when reentering Venezuela.

They take a deep dive into understanding and managing security threats across domains such as finance, personnel, corporate structure, and cyber operations. Duncan discusses the importance of viewing problems abstractly, conducting full-scale threat assessments, and the crucial role of continuous monitoring. He shares insights into working with local communities, ensuring physical and operational security, and developing crisis communication strategies. The conversation also touches on insider threats, technical surveillance countermeasures, and the need for a responsive, flexible security team. Learn how companies, including those operating in high-risk environments such as Venezuela, can effectively prepare for and mitigate risks.

Key highlights:

  • Comprehensive Threat Assessment
  • Corporate Security and Board Involvement
  • Assessing Organizational Risk Culture
  • Insider and External Threats
  • Logistics and Local Partnerships
  • The Importance of Crisis Communication Training
  • Final Thoughts and Recommendations

Resources:

Marc Duncan on LinkedIn

Salus Solutions

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com

Categories
Daily Compliance News

Daily Compliance News: February 2, 2026, The Only 8 Cups of Coffee Per Day Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • How much longer will Mandelson hang on? (FT)
  • Uber Eats ordered to pay $3.5 million in restitution to delivery drivers. (WSJ)
  • The Olympics, the Mafia, and corruption. (TheGuardian)
  • The new Nestlé chief gets by with only 8 cups of coffee per day. (NYT)
Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 1 Cicero on Duty and Ethics

I recently wrote a series on the direct link between ancient Greek philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well received that I decided to follow up with a similar series on notable Roman philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, spanning both the BCE and CE eras.

We will consider Cicero on duty, law, and the moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; Marcus Aurelius on ethical leadership and tone at the top; Epictetus on accountability, control, and ethical agency; and we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we begin with Cicero and the ethical foundations of the compliance program.

I. Cicero in Context: Duty in an Age of Power and Commerce

Marcus Tullius Cicero lived at the intersection of law, politics, and commerce during the final decades of the Roman Republic. Rome was wealthy, expansive, and deeply corrupt. Provincial governors enriched themselves through bribery and extortion. Political power was routinely monetized. Legal technicalities were used to justify conduct that plainly violated any reasonable notion of fairness or justice.

It was in this environment that Cicero wrote De Officiis (On Duties), a work addressed not to philosophers, but to those who held power and responsibility. Cicero was not interested in abstract virtue. He was interested in how people entrusted with authority should behave when tempted by profit, pressure, or expediency.

For Cicero, duty was not optional. It arose from one’s role and the trust placed in that role. Public office, commercial activity, and leadership all carried moral obligations that custom, convenience, or legal loopholes could not waive. Most importantly, Cicero rejected the idea that what was profitable could excuse what was unethical. Where profit and moral duty conflicted, duty had to prevail.

This framing makes Cicero uniquely relevant to modern corporate compliance. Large organizations, like the Roman Republic, operate through delegated authority, complex incentives, and diffuse accountability. Cicero understood that without an ethical foundation grounded in duty, institutions eventually hollow out, even if they remain technically lawful.

II. The Compliance Problem Cicero Illuminates: When Law Becomes the Ceiling

One of the most persistent failures in corporate compliance programs is treating legal compliance as the ultimate objective rather than the minimum requirement. Organizations ask, “Is it legal?” far more often than they ask, “Is it right?” or “Is this consistent with our obligations as stewards of trust?” Cicero would have recognized this failure immediately. In De Officiis, he warned against the misuse of legal form to justify immoral conduct. He argued that clever interpretations of the law, when divorced from justice, ultimately destroy trust in institutions. This is not merely a moral observation. It is an operational one.

Modern enforcement actions repeatedly demonstrate that misconduct often occurs in plain sight, enabled by policies, approvals, and structures that technically comply with written rules. The Department of Justice has been explicit that a compliance program that exists only on paper, or that focuses solely on technical adherence, will not be viewed as effective. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a company’s program is “well designed,” “applied in good faith,” and “actually works in practice.” These questions implicitly echo Cicero’s concern. A program that treats legality as the ceiling rather than the floor may satisfy internal counsel, but it fails as an ethical governance system.

Cicero teaches that compliance programs must be grounded in duty: to customers, markets, employees, shareholders, and society. Without that grounding, rules become tools for avoidance rather than instruments of integrity.

III. Modern Corporate Application: Cicero, DOJ Expectations, and Real-World Failures

The ECCP places increased emphasis on culture, leadership accountability, and the role of the board. These expectations align closely with Cicero’s insistence that those in power bear heightened ethical responsibility.

Consider enforcement actions involving bribery, corruption, or fraud in which senior leaders claimed ignorance while benefiting from the outcomes. In multiple Foreign Corrupt Practices Act resolutions, the DOJ has rejected arguments that misconduct occurred despite policies, rather than because governance systems tolerated or incentivized it. In cases such as Airbus and Goldman Sachs, regulators highlighted failures in oversight, escalation, and ethical decision-making at senior levels. From a Cicero-inspired perspective, these are failures of duty. Leaders accepted the benefits of authority without fully embracing its obligations. Compliance programs existed, but they were not anchored in a shared understanding that ethical duty limits what is acceptable in profit-seeking behavior.

Applying Cicero to modern compliance design suggests several concrete actions:

First, the code of conduct should be framed as a statement of duties rather than merely a list of prohibitions. Employees should understand not only what is forbidden, but why certain conduct violates the organization’s obligations to stakeholders.

Second, senior leadership accountability must be explicit. Cicero believed that authority magnifies moral responsibility. The DOJ now expects boards and executives to actively oversee compliance, not passively receive reports. A compliance program that cannot demonstrate meaningful leadership engagement will struggle under scrutiny.

Third, incentives matter. Cicero warned that when institutions reward success without regard to means, they invite corruption. Modern compliance programs must align compensation, promotion, and recognition with ethical behavior, not merely financial outcomes. The DOJ has repeatedly emphasized incentives and discipline as indicators of program effectiveness.

Finally, compliance should be positioned as a governance function, not a technical one. Cicero understood law as a moral instrument, not a procedural shield. Compliance professionals should frame their role as guardians of institutional duty, helping the organization navigate gray areas where legal guidance alone is insufficient.

Key Takeaways for Compliance Professionals

1. Ethical Foundation. Compliance professionals should view Cicero as the ethical foundation of a modern compliance program. Cicero establishes that compliance must be grounded in duty rather than fear of enforcement. He frames ethical behavior as an obligation arising from trust and authority, not as a discretionary choice. A compliance program without this foundation risks becoming a technical exercise divorced from purpose.

2. Law as a Floor. Compliance should treat law as the minimum standard, not the ultimate objective. Cicero warned against using legal formality to justify conduct that violates justice and fairness. Modern compliance failures often arise when organizations ask only whether conduct is legal rather than whether it is right. Effective compliance programs must push beyond legality to reinforce ethical judgment.

3. Governance and Stewardship. Compliance should be positioned as a core governance function. Cicero believed that those entrusted with authority act as stewards, not owners, of institutional power. Compliance should therefore be integrated into governance structures rather than treated as a peripheral control function. This positioning reinforces accountability to stakeholders and long-term institutional integrity.

4. Leadership Duty. Compliance should impose heightened ethical obligations on those with power. Cicero argued that authority magnifies moral responsibility rather than diminishing it. Senior leaders and boards must therefore be held to higher compliance expectations, not exempted for performance or status. Ethical leadership is essential to a program’s legitimacy.

5. Incentive Alignment. Compliance should align incentives with integrity, not just results. Cicero warned that rewarding success without regard to means invites corruption. Modern compliance programs fail when compensation and promotion structures undermine stated values. Incentive alignment is a critical control, not a human resources afterthought.

6. Cultural Legitimacy. Compliance should reinforce trust as an institutional asset. Cicero understood that institutions survive only so long as they retain public and internal trust. A compliance program grounded in duty strengthens credibility with employees, regulators, and stakeholders alike. Trust is not a soft concept; it is the currency of effective governance.

7. Duty Over Expediency. Finally, Cicero teaches that ethical systems collapse when expediency displaces duty. A compliance program that exists only to manage risk or avoid penalties will eventually lose legitimacy. Compliance grounded in duty, by contrast, becomes a stabilizing force for the institution itself.

Conclusion

Cicero provides the compliance professional with the ethical foundation for a program: duty, legitimacy, and moral purpose. But he largely assumes that once duty is understood, it will be followed. Experience tells us otherwise. Modern compliance failures rarely occur because people do not know the rules or the obligations. They occur because pressure, fear, ambition, and rationalization overwhelm judgment at precisely the moments when duty matters most. That is where Cicero necessarily gives way to Seneca.

If Cicero explains why a compliance program must exist and what it must stand for, Seneca confronts the harder question of how ethical commitments erode under stress. The transition from Cicero to Seneca mirrors the transition from program design to real-world operation, when incentives tighten, stakes rise, and ethical clarity is tested. This is where compliance programs are no longer theoretical and where many begin to fail.

Join us tomorrow as we explore Seneca and compliance under pressure, using Cicero’s foundation as the explicit point of departure.

Categories
Sunday Book Review

Sunday Book Review: February 1, 2026, The Top Books on Whistleblowers Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books on whistleblowers and whistleblowing.

  1. Whistleblowing for Change: Exposing Systems of Power and Injustice by Tatiana Bazzichelli
  2. Extraordinary Circumstances: The Journey of a Corporate Whistleblower by Cynthia Cooper
  3. Whistleblower: My Journey to Silicon Valley and Fight for Justice at Uber by Susan Fowler
  4. Exposure: Inside the Olympus Scandal: How I Went from CEO to Whistleblower by Michael Woodford

Resources:

Whistleblower Must-Reads: Eleven Essential Books about Whistleblowers and the Whistleblowing Experience found in the Constantine Cannon blog.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Leveraging Root Cause Analysis for Effective Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 31 episode, and our final day in this 2026 update to 31 Days to a More Effective Compliance Program, we end with a review of root cause analysis.

Key highlights:

  • Integrating Root Cause Analysis into Solutions
  • Regulatory Expectations and Internal Controls
  • Performing Effective Root Cause Analysis
  • Developing and Implementing Solutions

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
AI Today in 5

AI Today in 5: January 30, 2026, The Building Regulatory Trust Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Building an AI that regulators can trust. (FinTechGlobal)
  2. EU preparing to provide Digital Competition Playbook. (WSJ)
  3. AI agents shattering compliance foundations? (WebProNews)
  4. Can shopping chatbots change e-commerce? (FT)
  5. Manufacturers lead in AI adoption (SupplyChainManagementReview)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 30 – The Foreign Extortion Prevention Act

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 30 episode, we discuss the Foreign Extortion Prevention Act (FEPA), a significant piece of legislation that fills a critical gap in the FCPA.

Key highlights:

  • Filling the Gap in Anti-Corruption Laws
  • Key Features and Implications of FEPA
  • Challenges in Implementing FEPA
  • The Name and Shame List

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 69 – The Wind Kristy Up Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • Tim Leissner wants a pardon.
  • The Pope says watch out for an affectionate chatbot.
  • Discrimination against white males.
  • 9 AI Risks you should be aware of.
  • Compliance officers fired for failing to escalate investigative findings.
  • Tungsten rod importer pays $54.4M to settle DOJ tariff fraud allegations
  • The EU AI Act Change That No One Is Talking About
  • Are We Losing Ground? The State of Ethics & Compliance Independence
  • Will Leaving My Terrible Job Make Me Look Flaky?
  • Florida man arrested after trying TikTok challenge inside Walmart

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance and AI

Compliance and AI: Understanding AI and Cyber Risk Management with Yakir Golan

What is the intersection of AI and compliance? What about Machine Learning? Are you using ChatGPT? These questions are just three of the many we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. Today, Tom visits with Yakir Golan, CEO & Co-Founder at Kovrr, who shares his professional journey from the Israeli intelligence community to his current role at Kovrr.

They discuss Kovrr’s business, focusing on Cyber Risk Quantification (CRQ) and recent developments in AI risk governance. Yakir explains the evolution of AI’s impact on business workflows and the risks posed by generative AI, including ‘insider AI scenarios.’ He emphasizes the importance of a proactive approach to managing AI risks and of using financial models to report them to executives. The conversation also touches on balancing innovation with global regulatory requirements and the need for robust governance frameworks. Yakir underscores the importance of ongoing risk assessments, sound analytics, and communication strategies to enable compliance officers and corporate leaders to manage AI and cyber risks effectively.

Key highlights:

  • Impact of AI on Cyber Risk
  • Insider AI Scenarios and Risks
  • Proactive AI Risk Management
  • Compliance Beyond Regulations
  • Future of AI and Compliance

Resources:

Yakir Golan on LinkedIn

Kovrr

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Returning to Venezuela: Why “Yes, If” Is the Only Defensible Compliance Answer

Most of you readers know that sometimes when I get going on a project, it (the project, not me) just keeps on growing. What started as a podcast with Matt Ellis on the risks of going back into Venezuela expanded into a series of podcasts on the FCPA Compliance Report and, with Mike DeBernardis, on All Things Investigations. The podcasts led to a five-part blog post series on the same topic in the FCPA Compliance and Ethics Blog. I then needed to expand the blogs into a book and provide forms, checklists, frameworks, and deployment packs for compliance professionals to help them think through the issues presented in Venezuela and in other similarly high-risk jurisdictions.

All of that has led to the only book on how to return to Venezuela, Returning to Venezuela: The Compliance Guide to Yes, If (Title inspired by Mike DeBernardis). It is available in both print and eBook versions on Amazon.com.

When companies talk about returning to Venezuela, the conversation almost always begins with opportunity. Oil reserves. Market access. First-mover advantage. What the book Returning to Venezuela does is effectively reset that conversation where it belongs for compliance professionals: with reality. It is a disciplined, compliance-first analysis of what it actually means to operate in one of the world’s highest-risk jurisdictions.

The core message is uncompromising but straightforward: Venezuela is not a place for optimism, informal controls, or siloed compliance. It is a stress test. If your compliance program can function there, it can function anywhere. If it cannot, no license, policy, or assurance letter will save you. The book is not a warning label about Venezuela. It is a working manual for how a compliance function should assess risk, design controls, and govern decision-making before commercial momentum takes over.

Step One: Reframing the Risk Assessment

The first way a compliance professional should use Returning to Venezuela is to recalibrate how risk assessments are performed. Traditional country risk assessments often ask abstract questions: corruption perception scores, sanctions status, and enforcement history. Those inputs are necessary, but insufficient. Returning to Venezuela pushes compliance professionals to replace abstract scoring with operational mapping.

Instead of asking whether Venezuela is high risk, the framework asks:

  • Where will government discretion arise?
  • Where can delay be monetized?
  • Where does the business depend on intermediaries?
  • Where does value move, pause, or change form?

This is a critical shift. Risk is no longer treated as a country attribute. It becomes a process attribute. Compliance professionals can use Returning to Venezuela’s structure to redesign their risk assessment around real business steps: procurement, logistics, payment, security, licensing, and dispute resolution.

Step Two: Identifying Pressure Points Before They Become Incidents

Returning to Venezuela is especially useful in helping compliance professionals identify pressure points, not just risk categories. Pressure points are moments where the business is most likely to face demands for improper value, shortcuts, or exceptions. Procurement is one. Customs clearance is another. Security access, utilities, labor approvals, and payment routing are others.

Using Returning to Venezuela, compliance professionals can document:

  • Where pressure is expected;
  • Who owns the decision at that point;
  • What escalation looks like; and
  • When refusal or exit becomes mandatory.

This transforms compliance from a reactive role into a proactive role in designing decision architecture.

Step Three: Using the Checklists as Control Gates, Not Paper Artifacts

A common compliance failure is treating red flags as documentation exercises rather than control mechanisms. One of the strengths of Returning to Venezuela is that its red flags are designed as gates, not records. Each checklist answers a single question: Is this activity governable under our current assumptions?

Compliance professionals can deploy these checklists at defined moments:

  • Market entry discussions
  • Vendor and JV selection
  • Transaction structuring
  • Payment and banking design
  • Security and logistics planning

If a red flag cannot be cleared, the activity cannot proceed. That discipline is what makes the framework defensible. It also protects compliance officers personally, because decisions are anchored in documented governance rather than informal judgment.

Step Four: Integrating Risk Domains Instead of Managing Them in Silos

Another way compliance professionals should use Returning to Venezuela is as a blueprint for breaking down internal silos. The book makes clear that in Venezuela, corruption, export controls, AML, sanctions, security, and extortion are not separate risks. They are interconnected expressions of the same operating pressure. Treating them separately guarantees blind spots.

Practically, this means compliance can use the book to justify:

  • Integrated risk reviews instead of sequential sign-offs;
  • Shared escalation forums across functions;
  • Unified monitoring rather than separate dashboards; and
  • Common exit triggers across risk domains.

This is particularly important for AML. Returning to Venezuela positions money laundering risk not as a standalone compliance obligation, but as the capstone test of whether the entire framework works.

Step Five: Structuring Board Oversight Around Decisions, Not Updates

Too often, boards receive high-level compliance updates that provide comfort but not clarity. Returning to Venezuela gives compliance professionals a way to reframe board oversight around decisions, not reports. Using the board materials and decision templates, compliance can:

  • Force explicit risk acceptance;
  • Document assumptions that underpin approvals;
  • Secure delegated authority to pause or exit operations; and
  • Establish clear revisit and escalation triggers.

This protects both the organization and the compliance function. When conditions change, the discussion is no longer “Why did this happen?” but “Which assumption failed, and what decision does that trigger?” That is governance functioning as intended.

Step Six: Building a Repeatable Risk Management Framework

The final and most important way to use Returning to Venezuela is as a template, not a one-off Venezuela playbook. While the facts are Venezuela-specific, the framework is portable. Compliance professionals can lift this framework and apply it to:

  • Other high-risk markets;
  • Post-merger integration;
  • Sanctions-heavy environments; and
  • Complex third-party ecosystems.

The Appendices: The Operational Backbone of Returning to Venezuela: Yes, If

One of the defining features of Returning to Venezuela: The Compliance Guide to Yes, If is that it does not stop at analysis. The appendices convert risk identification into governance, decision-making, and operational control. They are not academic supplements. They are the machinery that makes a “yes, if” decision possible in practice.

Taken together, the appendices form an integrated compliance control stack designed for one purpose: to govern decision-making in an environment where corruption, coercion, sanctions, AML exposure, and weak rule of law are not edge cases but daily conditions.

Appendix A: One-Page Operational Checklists

Appendix A contains a series of one-page checklists, each focused on a distinct but interconnected risk domain. These are not policy summaries. They are operational gating tools meant to be used before decisions are made, not after problems occur.

Appendix B: The CCO Deployment Pack

Appendix B is written from the perspective of the Chief Compliance Officer and is explicitly operational. It is designed to be deployed internally to executive leadership, business sponsors, and control functions.

Appendix C: Board of Directors Materials

Appendix C is aimed squarely at directors and audit or compliance committees. Its function is not to educate boards on Venezuela generally but to structure how boards make, record, and revisit risk acceptance decisions.

Appendix D: Decision-Making Frameworks

Appendix D pulls together the logic underlying the entire book. It provides decision-making frameworks that force organizations to confront uncomfortable realities before committing resources.

How the Appendices Work Together

Individually, each appendix addresses a specific audience or function. Collectively, they form an integrated control system that aligns:

  • Operational decision-making.
  • Compliance authority.
  • Board oversight.
  • Exit discipline.

The appendices are designed to prevent the most common failure pattern in high-risk jurisdictions: waiting until conditions deteriorate before asking hard questions. By then, leverage is gone.

Final Thought

The most important contribution of Returning to Venezuela is not simply that it describes risk accurately. It shows compliance professionals how to operate in the real world without surrendering control.

Used correctly, the book becomes a working tool:

  • To assess risk honestly;
  • To design controls that hold under pressure;
  • To align management and the board, and finally
  • To decide when “yes” becomes “no.”

For compliance professionals, that is not just risk management. It is about meeting the business in an operational setting with a risk management strategy for one of the highest-risk jurisdictions on earth.

You can purchase Returning to Venezuela: The Compliance Guide to Yes, If on Amazon.com.