Author: Admin

Categories
AI Today in 5

AI Today in 5: March 16, 2026, The Who Owns the Decision Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI boosts brainstorming. (Earth.com)
  2. The AI Imperative. (Wolters Kluwer)
  3. Who owns compliance decisions? (FinTech Global)
  4. AI opens a new front in the hospitals v. insurers battle. (Reuters)
  5. Embodied AI for manufacturing. (FinanceMagnates)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

The GenAI Playbook for Compliance

There is a question I continue to hear from compliance professionals, boards, and senior executives alike: “When will generative AI finally be good enough for us to trust it?” As discussed by Bharat Anand and Andy Wu in their recent Harvard Business Review article The GenAI Playbook for Organizations they believe this is the wrong question.

The better question, and the one every Chief Compliance Officer should be asking right now, is this: “Where can we use GenAI effectively today, with the right controls, to make our compliance program more efficient, more resilient, and more business relevant?” This is their core insight, and they argue that leaders should stop obsessing over whether GenAI is perfect and instead focus on where it can create value now and how strategy, not speed alone, wins.

For the compliance profession, that insight lands with particular force. We are not in the business of chasing shiny objects. We are in the business of managing risk, enabling growth, and preserving trust. GenAI is not a parlor trick. It is becoming an operating reality. The question is no longer whether compliance should engage. The question is whether compliance will lead with discipline or lag while the business adopts AI without it.

Stop Asking Whether AI Is Smart. Start Asking Where Errors Matter.

One of the most useful contributions of the article is its simple yet powerful framework: evaluating GenAI use cases through two lenses. First, what is the cost of error? Second, does the task rely primarily on explicit data or on tacit human judgment? That is gold for compliance.

Too many organizations still evaluate AI in sweeping, binary terms. Either they think it is magical or too dangerous to touch. Neither position is helpful. Compliance officers need a more operational lens. We need to break work into tasks and then ask where automation is appropriate, where human oversight is essential, and where human judgment must remain firmly in control. That is exactly how mature compliance programs should approach GenAI. Not with ideology. With risk assessment.

The “No Regrets” Zone for Compliance

The article identifies a “no regrets” zone: low cost of error, explicit knowledge, and high potential for immediate deployment. Examples include summarizing documents, screening resumes, or handling routine inquiries. In compliance, many early wins live here.

Think about policy summarization, training-content adaptation, meeting-note extraction, initial hotline trend coding, third-party questionnaire triage, basic control documentation, and first-draft responses to routine business questions. None of these tasks should be delegated blindly. But many can be accelerated responsibly.

For instance, a compliance team buried under requests from procurement, HR, sales, and legal can use GenAI to produce first-pass summaries of policies, draft FAQs, organize issue logs, and identify recurring themes from employee questions. That does not replace the compliance professional. It frees that professional to focus on what matters most: judgment, influence, escalation, and strategic problem-solving.

This is where many compliance teams have been and continue to be too timid. They have waited for perfection in a space where perfection was never the benchmark. The benchmark should be whether the tool improves speed, lowers administrative friction, and allows compliance personnel to move up the value chain.

The “Quality Control” Zone Is the Compliance Sweet Spot

The article also identifies a “quality control” zone, where the knowledge is explicit but the cost of error is high. In those cases, GenAI can do substantial work, but humans must verify, review, and retain accountability. The authors cite legal drafting, software development, and financial due diligence as examples. That is the very heartland of compliance.

Consider sanctions screening narratives, third-party due diligence memos, internal investigation chronologies, risk assessment documentation, compliance testing workpapers, and board reporting drafts. These are exactly the kinds of tasks where GenAI can accelerate the heavy lifting, but should never be the final word.

This is also where compliance can bring discipline to the rest of the enterprise. The business may want speed. Compliance must insist on verified speed.  A practical model is straightforward: (1)

GenAI drafts  Humans review  Controls document  Leaders own.

That is not anti-innovation. That is responsible innovation. It is also consistent with what regulators increasingly expect: not the absence of AI, but governance around its use. Whether one looks to the DOJ’s emphasis on effective controls and continuous improvement in the Evaluation of Corporate Compliance Programs, the NIST AI Risk Management Framework, or the growing global focus on AI governance, the message is the same: effective AI governance requires continuous improvement. If your company uses AI in a consequential process, you had better know where it is being used, who is checking it, what data feeds it, and how errors are caught.

The “Human-First” Zone Must Stay Human

The article is particularly strong in its warning about tasks that require tacit knowledge and carry a high cost of error: strategy, sensitive personnel decisions, crisis leadership, and other matters where judgment, ethics, and context are central. In those cases, GenAI may support, but it should not decide. Compliance professionals should print that out and tape it to the wall.

Some activities must remain human-led. Decisions about discipline, executive accountability, remediation after a serious investigation, disclosure strategy, culture assessment, or whether a business relationship “feels wrong” despite facially acceptable paperwork are not suitable for AI-driven decision-making. They require experience, intuition, moral clarity, and often courage.

That does not mean AI has no role. It can assemble facts, surface patterns, propose draft communications, and model possible outcomes. But it cannot own the judgment. In a compliance function, the more consequential the decision, the more important it is that a human being stands behind it. That is not nostalgia. That is governance.

Broad Access Without Chaos

One of the article’s more provocative arguments is that organizations should mandate broad access to GenAI tools because value creation begins when employees can experiment and discover useful applications. At the same time, the authors warn of bottlenecks that trap innovation in slow approval processes. I agree with the spirit of that point, but from a compliance perspective, there must be an important qualifier: broad access does not mean unmanaged access. This is where the compliance function can truly be a business enabler. Compliance should not be the department of “no AI.” It should be the department of “safe AI at scale.” That means several things.

  1. Build a risk-based use policy for GenAI. Employees need clear guidance on prohibited uses, approved tools, escalation triggers, and data-handling requirements.
  2. Classify use cases. Not every AI use case deserves the same scrutiny. A tool for drafting a training outline is not the same as a tool for assessing third-party bribery risk.
  3. Establish review protocols. High-risk outputs require human validation, documented sign-off, and, in some cases, legal or compliance approval.
  4. Train broadly and repeatedly. AI governance cannot live in a PDF on an intranet site. It has to be operationalized through real examples and practical scenarios.
  5. Monitor and improve. If GenAI is being used across the enterprise, compliance should have visibility into where, how, and with what effect.

That is what a mature AI governance program looks like. It is also the same risk management protocol that every compliance professional uses daily.

Data Is the Real Compliance Story

Another important insight from the article is that competitive advantage will come not merely from adopting GenAI but from pairing it with proprietary data, redesigned workflows, and complementary organizational assets. The authors emphasize centralizing data, identifying what data is not yet being collected, and redesigning the organization around AI-enabled learning loops. For compliance, this should be a wake-up call.

Most compliance functions are sitting on a treasure trove of underused data: hotline reports, training metrics, policy attestations, third-party files, gifts and entertainment data, investigation outcomes, audit findings, HR trends, distributor analytics, and culture survey results. Yet in many companies, that information remains fragmented across systems and functions.

If compliance wants to be strategic in the AI era, it has to take data architecture seriously, not simply for reporting, but for insight. The future compliance advantage will go to organizations that can connect signals across functions and convert them into earlier detection, smarter resource allocation, and more tailored interventions. In other words, the future of compliance is not just controls. It is controls plus intelligence.

Three Questions Every CCO Should Ask This Week

So, where does this leave the compliance officer trying to lead in real time? I suggest three immediate questions. First, which compliance tasks are in the “no regrets” zone and should be piloted now? Second, which tasks sit in the “quality control” zone and require a formal human-in-the-loop process? Third, which decisions are so consequential, contextual, or values-laden that they must remain unmistakably human-first?

If you cannot answer those questions, your company does not yet have a GenAI compliance strategy. It has experimentation without governance or caution without direction. Neither is sustainable.

The GenAI era will not reward the fastest organization. It will reward the organization that best aligns technology, governance, data, and human judgment. That is the compliance challenge. It is also a compliance opportunity. Compliance has always been about more than preventing misconduct. At its best, it helps a company make better decisions, allocate trust wisely, and compete with integrity. GenAI does not change that mission. It sharpens it. The playbook is here. The real question is whether compliance will run it.

Categories
Sunday Book Review

Sunday Book Review: March 15, 2026, The Great Books in March Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books released in March as reported by the New York Times.

  1. Stay Alive by Ian Buruma
  2. How Flowers Made Our World by David George Haskell
  3. Salt Lakes by Caroline Tracey
  4. A Scandal in Konigsberg by Christopher Clark

Resources:

27 New Books to Read in March

Categories
AI Today in 5

AI Today in 5: March 13, 2026, The KYA Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. From KYC to Know Your Agent. (PYMNTS)
  2. Big Tech’s entire AI operations under EU scrutiny. (Bloomberg)
  3. Using Napier AI in transaction monitoring. (FinTechGlobal)
  4. Retail banks are putting AI to use. (BCG)
  5. Embodied AI for manufacturing. (Automate)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 72 – The Kristy in London Edition

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode!

Stories this week include:

  • What did the FCPA pause do? (JustSecurity)
  • Wells Fargo is free from the Consent Order. (WSJ)
  • Senator flags White House corruption for betting markets. (Decrypt)
  • A DOJ lawyer quit before the hearing on the use of false AI-generated cases. (Bloomberg-Law)
  • DOJ wants authority over state bar discipline. (NYT)
  • Discussion: SCCE Europe Keynote
  • Target’s ICE Arrests Expose the Gap Between Legal Compliance & Duty of Care – Corporate Compliance Insights
  • Dems Propose ‘FCPA Reinforcement Act’ – Radical Compliance
  • International agents take down major site where criminals traded stolen corporate info – Compliance Week
  • Woman Dressed In Hot Dog Costume Busted For Toilet Paper Caper – The Smoking Gun

 Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: March 13, 2026, The Unfair Trade Practices Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Trump Administration says tariff refunds ‘will take years”. (NYT)
  • Anthropic has a strong case against the ‘Supply Chain Risk’ listing. (Reuters)
  • Collapse of the DOJ white-collar prosecution practice. (BloombergLaw)
  • Trump Administration to investigate Section 301 UTPs. (WSJ)
Categories
Blog

Aly McDevitt Week: Part 5 – Ransomware, Crisis Response, and the Compliance Imperative to Move Fast

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

McDevitt took a different but highly effective approach in this case study. Rather than centering the story on a single historical corporate scandal, she crafted an immersive fictional scenario grounded in real-life attacks, expert interviews, and public guidance. Compliance Week made clear that, while the company and its characters are imagined, the legal, operational, and compliance issues are very real. That makes this piece especially valuable for compliance professionals because it is less a postmortem of one company and more a practical field manual for the next crisis.

McDevitt’s story begins where many cyber incidents begin: with a person, not a machine.

A longtime employee, Betsy, receives an “urgent” email that appears to be from her boss. She clicks a malicious link, lands on a phony, internal-looking site, realizes too late that something is wrong, and then makes the mistake that turns a bad moment into a corporate crisis: she does not report it. Her silence gives the attacker time. Within days, the company, Vulnerable Electric (VE), a private utility serving 1.4 million customers with about 600 employees and $250 million in annual revenue, is facing a full-blown ransomware attack.

That is the first lesson, and McDevitt drives it home with precision. Ransomware is often described as a technology problem, but the first failure is frequently human, organizational, and cultural. Betsy clicked. But more importantly, she hesitated, feared blame, and kept quiet. As McDevitt explains through the expert commentary, her biggest mistake was not simply opening the link. It was actively deciding not to report the incident to the proper internal authority.

For compliance officers, that point should sound very familiar. Whether the issue is corruption, harassment, sanctions, safety, or cyber, organizations do not fail only because something bad happens. They fail because people do not feel safe reporting it quickly.

McDevitt also lays out why this issue matters so much now. She notes that ransomware payments in 2020 reached roughly $350 million, a more than 300 percent increase from the prior year, and that proactive prevention is no longer optional. She further situates the case study in the context of critical infrastructure, noting that entities such as utilities are subject to heightened scrutiny and are encouraged to align with the NIST cybersecurity framework. In other words, ransomware is not just an IT nuisance. It is an enterprise risk, a regulatory risk, and in some sectors a national security risk.

Once the attack is recognized, McDevitt shows the company doing something right: it moves into a structured response. The CEO activates the full cyber incident response team, or CIRT, and the war room includes not only technical leaders and legal counsel, but also the chief compliance officer, the head of communications, external incident response professionals, and other essential decision-makers. This is exactly what a mature response should look like. Cyber incidents do not fall under a single function. They are enterprise events.

I particularly appreciated how McDevitt uses the case study to underline the role of compliance. The CCO is not there as decoration. The article makes clear that if employee data has been exfiltrated, the incident constitutes a personal data disclosure with potentially local, state, and international notification consequences, and that compliance and legal personnel should be in the room from the start. That is a crucial point for corporate compliance professionals. Cyber risk management is not separate from compliance. It is now one of compliance’s core operating terrains.

McDevitt also captures the psychology of the first 36 hours. Anthony Ferrante says those hours are extremely stressful for a CEO, who is simultaneously thinking about operations, data, reputation, and people. That observation matters because it explains why preparation before an attack is so important. You do not want your executives inventing a process under duress. McDevitt reports that VE had already created an incident playbook with roles, escalation steps, and a five-part response framework: facts, business impact, root cause, corrective actions, and lessons learned. That is the kind of disciplined structure compliance leaders should insist upon.

Another strength of McDevitt’s reporting is her treatment of communications. Too many organizations still believe communications should be brought in late, after the lawyers and technologists finish their work. McDevitt, through multiple expert voices, makes the opposite case. Communications should have a seat at the table, not at the back wall. The reason is straightforward: stakeholders will forgive many things, but they will not forgive caginess. VE’s communications lead rightly argues that employees and customers should hear from the company first, not from the media or the attacker.

This point becomes even sharper when McDevitt contrasts VE’s approach with the real-life story of “Melvin,” an employee at another firm that remained offline for 10 days with no formal communication and did not disclose the sensitive data breach to employees in a timely or transparent way. That section may be the most important communications lesson in the entire piece. Employees are not bystanders. They are among the primary victims of a data breach, and they know when something is wrong. Silence destroys trust.

Then comes the hard question at the center of nearly every ransomware story: Do you pay?

McDevitt wisely resists easy moralizing. She notes the FBI’s official position is not to pay, because payment fuels the criminal business model and does not guarantee restoration. Yet she also reports the practical view of experienced practitioners: payment is not illegal per se, and companies often face a grim choice among bad options. The anonymous chief compliance officer quoted in the case study says it best: there are no good options, only the least bad option.

McDevitt’s two parallel paths, pay and do not pay, are particularly useful because they show that neither choice is clean. In Path A, VE pays $5 million, gets imperfect decryption support, recovers faster, but then faces scrutiny over whether it should have consulted OFAC before payment and whether it may have paid a sanctioned party. In Path B, VE does not pay, endures a longer recovery, suffers a data breach, and still faces reputational and legal fallout. McDevitt’s point is not that one route is right and one is wrong. Her point is that ransomware decision-making is governance under pressure.

That is why the postmortem matters so much. McDevitt closes the case study by emphasizing that the long-term impacts fall into three risk buckets: reputational, legal, and regulatory. She then turns to practical lessons: train the workforce, strengthen spam filters, run tabletop exercises, isolate infected devices immediately, secure backups offline, contact law enforcement quickly, do not rush engagement with the attacker, and communicate with each stakeholder group in a timely and tailored way. She also adds smart recommendations on canary files, forensic retainers, access reviews, logging, threat intelligence monitoring, and industry information sharing.

Finally, McDevitt ends on a note that compliance professionals should not miss. Betsy is not scapegoated. She is thanked for telling the truth and invited to participate in a phishing-resilience campaign for other employees. That is not sentimentality. That is culture. If your response to human error is humiliation, people will hide problems. If your response is accountability plus learning, people will surface them.

That may be the most important compliance lesson of all. Ransomware is a cyber crisis, but surviving it depends on culture, governance, and trust just as much as on technology.

I hope you have enjoyed reading about Aly’s case studies for CW. I am a columnist for Compliance Week.

Categories
Daily Compliance News

Daily Compliance News: March 12, 2026, The All Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Top 10 most corrupt states in the US. (How Stuff Works)
  • Ohio Senator testifies for defense in FirstEnergy trial. (Yahoo!News)
  • Former South African minister jailed for state capture. (FT)
  • Binance is under renewed federal scrutiny. (WSJ)
Categories
AI Today in 5

AI Today in 5: March 12, 2026, The Attorneys and AI Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. How AI forensics is helping compliance gridlock. (PYMNTS)
  2. Creating responsible AI governance standards. (mycarrollcountynews)
  3. AI agents cannot open bank accounts. (FinTechWeekly)
  4. The court castigated an attorney using AI to write briefs. (TheNews&Observer)
  5. 3 key principles for AI use in businesses. (BusinessInsider)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Aly McDevitt Week: Part 4 – Flex, Scope 3, and the New Frontier of Compliance Beyond the Four Walls

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Once again, McDevitt showed why strong compliance journalism matters. She did not write a generic ESG success story. She examined how a global manufacturer sought to address a problem largely outside its direct control while still building governance, accountability, and measurable progress around it. For compliance professionals, that is the heart of the story. Flex is not simply trying to improve what happens inside its factories. It is trying to influence what happens across a value chain that is vastly larger than the company itself.

That challenge begins with scale. As McDevitt reports, Flex generates $26 billion in annual revenue, has about 170,000 employees, operates in more than 100 facilities across 30 countries, serves 1,000 customers, and works with 16,000 global suppliers. It is the kind of company that many end users do not recognize by name, but that sits squarely in the middle of countless supply chains. That middle position is precisely what makes the case study so relevant to corporate compliance. Many modern compliance risks do not stop at the company boundary. They sit upstream in sourcing, downstream in product use, and sideways in third-party relationships.

In environmental terms, this means Scope 3 emissions. McDevitt explains that while Scope 1 and Scope 2 emissions are relatively easier to quantify and manage, Scope 3 emissions, meaning indirect emissions across the value chain, are much harder. At Flex, Scope 3 emissions accounted for 99 percent of total gross emissions in 2019, 2020, and 2021. That single fact should get every compliance professional’s attention. If 99 percent of your footprint sits outside your direct operating control, then governance cannot be limited to internal operations. It must extend outward through influence, incentives, transparency, and partnerships.

That is why I find McDevitt’s reporting on Flex so useful. She shows that the company understood the compliance-like problem embedded in sustainability. Scope 3 is not just an environmental accounting challenge. It is a governance challenge. It asks whether a company can establish expectations, escalation paths, reporting systems, and controls for conduct and performance that rely heavily on third parties.

McDevitt presents 2019 as a hinge point for the company. That was the year Revathi Advaithi became Chief Executive Officer (CEO), and the year Flex adopted a more ambitious sustainability posture. Andy Powell, Flex’s Chief Ethics and Compliance Officer, told McDevitt that before Advaithi’s arrival, the culture needed a turnaround, and that her leadership changed the tone at the top and the company culture. For compliance officers, this is a familiar lesson. Every durable transformation begins with tone at the top, but it cannot stop there. Tone only matters when it is translated into goals, structures, and incentives.

Flex did that by making 2019 its baseline year for future targets and by setting three major 2030 goals: cut Scope 1 and 2 emissions by 50 percent from the 2019 base year; ensure 50 percent of preferred suppliers set their own GHG reduction targets by 2025 and 100 percent by 2030; and have 70 percent of specified customers set science-based targets by 2025. In its first year, the company reported a 14 percent reduction in operational emissions and said 29 percent of preferred suppliers and 48 percent of specified customers had already set GHG-reduction or science-based targets.

Those numbers matter, but for compliance professionals, what matters more is how Flex operationalized the effort. McDevitt reports that the company did not leave sustainability as a free-floating corporate aspiration. It built governance around it. Barjouth Aguilar, who leads the global sustainability program, described a tight-knit team that tracks a broad range of KPIs across more than 100 sites, runs materiality assessments, designs goals with area owners, conducts site training, and communicates performance across the organization. She emphasized that her team serves as “the connectors,” a phrase every compliance officer will appreciate. The modern compliance function is increasingly a connector function. It brings together legal, operations, procurement, finance, IT, HR, and business leadership around shared risk and accountability.

Flex has also gotten one structural issue right. McDevitt reports that its sustainability program management sits within the company’s LMS, legal, marketing, and security teams, all of which report to the general counsel. Andy Powell said that the arrangement creates tight cross-functional collaboration with the ethics and compliance program because it is “all in the same family”. That is not a trivial point. Too many organizations allow ESG, compliance, procurement, and operations to operate on parallel tracks. Flex’s structure suggests a more mature model, one where sustainability is treated as a governance issue rather than a branding exercise.

McDevitt also highlights the program’s operational discipline. Site-level representatives across more than 100 facilities participate in a sustainability network, report local progress, escalate issues, and use monthly scorecards tied to company-wide goals. This is where the case study becomes particularly instructive for compliance practitioners. Flex is not merely talking about targets. It is using cadence, scorecards, escalation, and localized accountability. In other words, it treats sustainability as a management system.

That is exactly how a compliance officer should think about ESG. The challenge is not just about the announced goal. The challenge is whether the company has a process to monitor performance, surface problems, and drive remedial action.

Another strong section in McDevitt’s reporting concerns greenwashing. Aguilar recommends a three-pronged approach: materiality assessment, data verification, and transparency. This is sound advice for any corporate compliance program. Materiality assessment aligns the strategy with business realities and stakeholder expectations. Verification creates integrity in reported data. Transparency preserves trust, especially when progress falls short. McDevitt notes that Flex has used third-party verification of environmental data through DNV since its 2018 sustainability report. That kind of external validation is increasingly important in a world where ESG claims are scrutinized by customers, investors, regulators, and plaintiffs’ lawyers.

I also appreciated McDevitt’s discussion of how Flex manages suppliers. The company’s supplier-side target focuses on preferred suppliers, about 500 companies out of a total supply base of 16,000, but that group receives 50 percent of Flex’s $7 billion annual spend on commodity sourcing. Some might criticize that as narrow. I think it is practical. Compliance professionals know that risk-based prioritization is not a weakness. It is maturity. You begin where the leverage is greatest.

Flex did not stop with expectations alone. McDevitt reports that it created a yearlong process for suppliers that includes education, webinars, training, disclosures through CDP, follow-up support, and internal review of results. In one year, Flex trained 424 suppliers and 695 supplier personnel. That is what third-party compliance looks like in practice. Not merely contract clauses, but enablement.

There is also a sober realism in the case study that I admire. David Gessler acknowledged that the closer Flex gets to its deadlines, the harder it will be to motivate the remaining suppliers, particularly smaller ones in regions where ESG language may still be foreign or where supplier resources are limited. He also noted that regulatory expectations are moving quickly and that customer demands are already outrunning some of the company’s original plans. That is another useful lesson. A modern compliance program cannot be static. It must evolve as stakeholder expectations, regulations, and commercial realities change.

Finally, McDevitt shows that Flex is thinking not only about suppliers but also about customers and the product lifecycle. The company is trying to help customers design more sustainable products, extend product lifespans, support repair and remanufacturing, and build circular-economy solutions. This matters because the largest share of Flex’s Scope 3 emissions comes from “use of sold products,” which accounted for 93 percent of total Scope 3 emissions in 2021. In plain English, the biggest sustainability issue is not simply what Flex does in manufacturing. It is what happens after the product leaves.

That, to me, is the broader compliance insight. The future of compliance will increasingly require professionals to think in systems, not silos. Whether the topic is anti-corruption, human rights, cyber, AI, or ESG, the key question is no longer only, “What happens inside our company?” It is also, “How do we govern what we influence but do not fully control?”

Aly McDevitt’s Reaching into the Value Chain answers that question with a practical and realistic example. Flex may not control every node of its value chain, but it is building a framework to influence it with structure, data, accountability, and persistence. For compliance professionals, that is a model worth studying.

Join us tomorrow as we conclude our 5-blog-post tribute to Aly McDevitt by reviewing her case study on a Ransomware attack and a corporate response. I am a columnist for Compliance Week.