Author: Admin

Categories
Daily Compliance News

Daily Compliance News: January 22, 2026, The Compliance Officers Fired Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Malaysia charges 2 top military officers with corruption. (Reuters)
  • WH backs off from controlling the new DOJ Fraud Division. (BloombergLaw)
  • CEOs say AI is working; employees are not so sure. (WSJ)
  • Compliance officers fired over trader terminations. (Bloomberg)
Categories
AI Today in 5

AI Today in 5: January 22, 2026, The AI Compliance Blindspot Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. CEOs say AI is working; employees are not so sure. (WSJ)
  2. The AI Compliance Blindspot. (UCToday)
  3. Bots are now making college acceptance decisions. (Bloomberg)
  4. AI is helping mid-market banks meet compliance obligations. (NLR)
  5. Apple is developing a wearable pin. (TheInformation)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Returning to Venezuela: Part 4 – From Physical Security to Enterprise Risk

In this five-part series, I have walked through the core compliance risks US energy companies will face as they consider a return to Venezuela. We began with bribery and corruption and the long shadow of PDVSA (Parts 1 & 2), then moved to export controls (Part 3).

Today, we consider the security risks and the broader operational and strategic challenges of working in one of the most complex risk environments in the world. For many compliance professionals, “security” still conjures images of guards, gates, and cameras. It is treated as an operational afterthought or a line item buried somewhere between facilities and travel. The conversation I recently had with Marc Duncan, COO at Salus Solutions, should permanently disabuse compliance officers, boards, and senior executives of that narrow view. As Duncan describes it, security is not a physical function. It is an enterprise risk discipline. It is continuous monitoring at its purest. And it is inseparable from culture, governance, and decision-making authority.

For compliance professionals, especially those operating globally or in volatile environments, this conversation offers a masterclass in how risk really works when theory collides with reality.

The First Compliance Failure: Thinking You Already Know the Risk

One of the most striking observations Duncan makes is also one compliance professionals hear far too often after a failure: “We did not see that coming.” As Duncan notes, that usually means the organization was not looking. They had a preconceived notion of their threats, locked onto a narrow risk model, and failed to challenge their assumptions. This is a classic compliance failure. Risk assessments that confirm management’s beliefs instead of testing them are not risk assessments. They are comfort exercises.

True threat assessment, whether physical, cyber, financial, or reputational, begins with abstraction. You step back, examine the environment holistically, and then break it down across functions. Duncan’s approach mirrors what the DOJ expects from a mature compliance program: financial risk, personnel risk, operational risk, cyber risk, structural risk, and external conditions assessed together, not in silos. Compliance professionals should take note. If your risk assessment is static, annual, and checklist-driven, you are already behind.

An additional framework compliance professionals should consider integrating into this approach is Threat and Hazard Identification and Risk Assessment (THIRA). While THIRA originated in the public sector and homeland security context, its core discipline translates directly to corporate compliance and enterprise risk management. THIRA forces organizations to first identify credible threats and hazards, assess their likelihood and impact, and only then evaluate existing capabilities and gaps. The discipline prevents the most common compliance failure: designing controls around assumed risks rather than actual ones.

A THIRA has three key steps:

  • Identify Threats and Hazards: Identify the threats and hazards that could impact them. These can include natural disasters such as hurricanes and earthquakes, technological hazards such as power outages, and human-caused events such as terrorism.
  • Assess Impacts: Once threats and hazards are identified, assess the potential impacts of these events. This involves understanding how these threats could affect people, property, and the environment.
  • Determine Capabilities: Based on the assessed impacts, determine the capabilities they need to address these threats and hazards. This includes identifying gaps in current capabilities and planning for resource allocation and training.

Used properly, THIRA complements a compliance risk assessment by grounding it in real-world scenarios, stress-testing assumptions, and aligning resources to consequence rather than convenience. In practice, compliance teams can use THIRA-style analysis to model disruptive events, validate whether policies and response plans would function under pressure, and ensure that authority, communications, and escalation protocols actually work in dynamic conditions. Like Duncan’s threat hub, THIRA is most effective when it is iterative, cross-functional, and embedded into daily decision-making rather than treated as a one-time exercise.

Continuous Monitoring Is Not a Buzzword in a Crisis Zone

In compliance circles, we often talk about continuous monitoring and continuous improvement. In high-risk environments, Duncan explains, these are not aspirational concepts. They are daily survival requirements. Threats change by the hour. Routes become unsafe. Infrastructure fails. Information degrades. Misinformation spreads intentionally. As Duncan makes clear, relying on sanitized reports or publicly available data alone is insufficient, particularly in places like Venezuela, where reliable information can be scarce and manipulated.

For compliance professionals, the parallel is obvious. If your organization relies solely on lagging indicators, static dashboards, or once-a-year training, you are operating on yesterday’s intelligence. A mature compliance program must be dynamic, responsive, and empowered to change course quickly.

Authority Matters More Than Policy

One of the most underappreciated insights in the discussion is the emphasis on delegated authority. Duncan is blunt: security teams must be empowered to make changes on the fly. Operations teams often resist this because they have a plan for the day. But rigid plans fail in dynamic environments. Compliance professionals should see themselves clearly in this description. How often does compliance identify a risk, only to be overruled by operational convenience? How often does policy exist without authority to enforce or adapt it?

This is not merely an execution issue. It is a governance failure. If compliance, security, or risk professionals lack real authority, then the program exists in name only.

Boards Are Often the Weakest Link

Perhaps the most candid portion of the conversation is Duncan’s discussion of boards of directors. Boards understand that risk exists, but they often do not understand their lane. Worse, they sometimes overstep based on assumptions rather than expertise, thereby influencing the organization’s security and risk culture to its detriment. This should resonate deeply with compliance professionals. Many compliance failures originate at the policy level. Boards check in periodically, hear a summary, and move on. They rarely engage with the complexity of the operating environment or the second- and third-order consequences of their decisions.

Duncan advocates for an ongoing relationship with boards or policy groups, not episodic briefings. Education is continuous. Risk is dynamic. Governance must keep pace. For compliance officers, this reinforces a critical point: board engagement is not about presentations. It is about sustained dialogue, shared understanding, and clearly articulated risk tolerance.

Culture Is Defined by Accepted Loss

One of the most insightful compliance lessons emerges from Duncan’s discussion of risk acceptance, particularly in the energy sector. Every organization accepts some level of loss. The problem arises when that acceptance is implicit, unexamined, or outdated. Compliance professionals should recognize this immediately. Risk tolerance that is not written down, debated, and revisited becomes invisible policy. It shapes behavior without accountability.

Duncan’s approach is instructive. He pushes organizations to explicitly articulate acceptable loss, document it, and use it as a guideline. When conditions change, that tolerance must be reassessed at the policy level. This is exactly how compliance culture should function. Silence is not neutrality. It is permission.

Security Is Not Just Physical: Insider Threats and Human Risk

If compliance professionals think security stops at the perimeter, Duncan quickly disabuses them of that notion. Insider threats loom large. Alcoholism, substance abuse, personal stressors, and poor life choices can all create vulnerabilities. So can espionage, coercion, and cultural dysfunction.

This is compliance territory. Training that treats employees like mushrooms kept in the dark will fail. Effective programs connect behavior to consequences: personal, professional, financial, and reputational. Duncan’s emphasis on “wholesome” training aligns with modern compliance expectations. Employees must understand not just what is prohibited, but why it matters, how it affects the organization, and how it exposes them personally.

Partnering with Locals: A Lesson in Third-Party Risk

One of the most counterintuitive lessons for many executives is the need to partner with local communities, vendors, and even security forces. Cutting locals out of economic participation breeds sabotage and resentment. Compliance professionals should immediately recognize the parallel to third-party risk management. Isolation does not reduce risk. Engagement does. Oversight, contracts, inspections, and partnerships create shared incentives and stability.

Whether it is food supply, logistics, or perimeter security, Duncan emphasizes layered controls and local investment. This is not unlike building a resilient third-party ecosystem rather than relying on transactional relationships.

The Threat Hub: A Compliance Blueprint

Perhaps the most transferable concept for compliance professionals is the “threat hub.” Duncan describes a cross-functional, daily forum where representatives from legal, finance, operations, security, and other functions review threats, vulnerabilities, and operational changes. This is what an effective compliance program should look like. Not a standalone department issuing policies, but an integrated function embedded across the organization, sharing intelligence, and adapting in real time.

Finally, Duncan issues a challenge that every compliance officer should take seriously: crisis exercises will break you. They expose gaps in policy, logistics, communications, authority, and preparedness that no binder ever reveals. Compliance professionals often assume crisis plans are adequate because they exist. Duncan’s experience says otherwise. Without realistic testing, organizations are unprepared when it matters most.

Final Thoughts

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness—authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

Join us tomorrow for Part 5 as we conclude our series by looking at AML risks associated with returning to Venezuela.

Categories
It's art

It’s Art, Let’s Talk About It – Unveiling the Timeless Art of A.R. Mitchell: An In-Depth Conversation with Allyson Sheumaker

In this episode of ‘It’s Art. Let’s Talk About It,’ Darrell Beauchamp engages with Allyson Sheumaker, the Executive Director of the A.R. Mitchell Museum of Western Art in Trinidad, Colorado.

They dive deep into the history, legacy, and incredible body of work of Arthur Roy Mitchell, fondly known as Mitch. Known for his striking and vibrant illustrations for pulp Western magazines in the early 20th century, Mitchell’s art is celebrated for its vivid color and unique style. Allyson offers a fascinating look at Mitchell’s life, his reluctance to sell his art, and his significant contributions to the art world. The discussion explores the journey of putting together an extensive exhibition showcasing Mitchell’s works, which include illustrations, landscapes, nocturnes, and personal memorabilia. This in-depth conversation provides listeners with insights into the importance of preserving and promoting the work of lesser-known yet significant artists like A.R. Mitchell.

Key highlights:

  • The Legacy of A.R. Mitchell
  • R. Mitchell’s Early Life and Career
  • Mitchell’s Art and Illustrations
  • The A.R. Mitchell Museum: Origins and Mission
  • The Mac Cowboys and Their Connection to Trinidad
  • The Exhibition: Development, Highlights, and Visitor Experience

Resources:

Follow A.R. Mitchell Museum of Western Art

Categories
AI Today in 5

AI Today in 5: January 21, 2026, The 9 AI Risks Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. 9 AI risks you should be aware of. (The News Tribune)
  2. The US is a global FinTech hub. (FinTech Global)
  3. The memory crunch is real. (Bloomberg)
  4. Clio was hit with a countersuit. (Reuters)
  5. Healthcare, AI, and pharma. (CNBC)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Great Women in Compliance

Great Women in Compliance: Don’t Freak Out: Compliance from a Prosecutor-Defense Lens

Dive into the world of compliance and high-stakes investigations!

In this episode of #GWIC, Hemma Lomax talks with Jamie Hoxie Solano, Partner at Dynamis LLP and former federal prosecutor, about how compliance and legal teams can lead with precision when incidents become investigations—especially where cyber risk and digital assets raise the stakes and the speed.

We cover:

  • What prosecutors look for when assessing credibility and cooperation
  • The “first 72 hours” of an internal investigation: triage, scope, evidence, and governance
  • Why cyber and digital assets matter in changing the evidence trail and the decision timeline
  • How to protect privilege while still moving fast
  • Practical guidance for cross-functional leadership under pressure

Jamie’s Bio

Jamie Hoxie Solano is a Partner at Dynamis LLP and a former federal prosecutor. She represents individuals and companies in high-stakes matters spanning government and internal investigationswhite-collar and regulatory defense, and cybercrime and digital asset disputes.

Before returning to private practice, Jamie served as an Assistant U.S. Attorney in both the Northern District of Texas and the District of New Jersey, working in units including cybercrime and national security, and serving (among other leadership roles) as the Digital Asset Coordinator for the District of New Jersey

She is also an adjunct professor at Seton Hall Law School, where she teaches Persuasion and Advocacy.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 21 – Managing Third Parties

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 21 episode, we dive into the essential strategies for managing third-party relationships in a compliance program.

Key highlights:

  • Strategic Approach to Third-Party Relationships
  • Auditing and Ongoing Management
  • Key Takeaways

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Addressing Retaliation Against Compliance Officers: Strategies and Insights

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the challenges of retaliation against Chief Compliance Officers (CCOs).

They highlight the need for ongoing communication between compliance officers and senior management and share strategies for CCOs to mitigate personal risk. The discussion includes real-world examples, the role of senior management in fostering a compliant culture, and the importance of scenario planning and training to prepare for potential issues. The episode emphasizes proactive measures such as charm offensives and preemptive remediation plans to navigate and defuse potential retaliatory scenarios.

Key highlights:

  • Real-Life Examples of Retaliation
  • Management’s Perception and Compliance Challenges
  • Building Relationships with Senior Management
  • Proactive Compliance Strategies to Prevent Retaliation
  • Framing Compliance Training Like Cybersecurity Drills

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Daily Compliance News

Daily Compliance News: January 21, 2026, The Excellence in Compliance Awards Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Delaware Supreme Court sides with Moelis. (Reuters)
  • CW entries for its Excellence in Compliance are now open. (CW)
  • The Philippines moves to shore up investor sentiment. (Bloomberg)
  • Goldman Sachs’ top lawyer and Epstein. (WSJ)
Categories
Blog

Returning to Venezuela: Part 3 – Export Controls and the Illusion of “Reopening”

We continue to explore what the ‘reopening’ of Venezuela to US energy companies means for the compliance professional. Over the last two days, we considered the corruption issues in Parts One and Two of this blog post series. Today in Part 3, we look at export control and trade sanction issues. I spoke with Brent Carlson, founder of Red Flags Rising Solutions LLC, for his insights.

When the White House announces that U.S. oil companies may be returning to Venezuela, the business press immediately begins talking about opportunities. Compliance professionals should be talking about risk. Not hypothetical risk. Not academic risk. Real, layered, enterprise-threatening risk that sits at the intersection of export controls, sanctions, geopolitics, corruption, security, and board oversight. The conversation I recently had with Carlson makes one thing abundantly clear: Venezuela is not “opening.” It is recalibrating. And compliance programs that treat this moment as a return to business as usual will fail.

Venezuela Remains a High-Risk Jurisdiction by Design

Let us start with first principles. Venezuela remains designated as a D:5 country under the Export Administration Regulations (EAR). That places it in the most restrictive category, alongside jurisdictions such as Iran and North Korea. Even the shipment of EAR99 items can be problematic under the current framework.

That legal reality did not change simply because the President met with U.S. energy executives. Carlson is clear on this point. Whatever policy adjustments may come will be sector-specific, narrowly tailored, and aligned with geopolitical priorities, particularly oil production. There will not be a wholesale rollback of export controls or sanctions. For compliance professionals, this means one thing: the law today is the law as it existed yesterday. Until the Bureau of Industry and Security (BIS) and OFAC issue formal guidance, licenses, or regulatory amendments, nothing has changed.

Regulatory Enforcement Follows Politics, but Law Follows Process

One of the most important compliance insights Carlson offers is that regulatory enforcement follows political drivers, which in turn follow geopolitical drivers. That is undoubtedly true. But it is also where companies get themselves into trouble. Political signaling is not legal authorization. Tweets, speeches, and press briefings do not override the Export Administration Regulations, OFAC sanctions, or anti-money laundering laws. Compliance programs must be built to withstand whiplash, not chase headlines.

This is especially critical in Venezuela, where any meaningful restart of oil production will require billions of dollars, long project timelines, complex infrastructure, and sustained government engagement. These are not quick deals. They are multi-year commitments that must be compliant from day one.

Start With the Business, but Do Not Stop There

Carlson emphasizes that compliance analysis must begin with the business opportunity itself. What is the company actually trying to do? What products or services will be provided? Who will operate them? Where will the equipment go? Who will maintain it? For compliance professionals, this requires operational fluency that goes far beyond policy review. You must understand the business process step by step. Not in the abstract. Literally, transaction by transaction.

This exercise does more than identify export control risks. It exposes corruption, diversion, money laundering, security, and reputational risks. Venezuela is not a jurisdiction where silos survive.

Dual-Use Risk Is Not Theoretical in Venezuela

Any company operating in the energy sector must assume heightened scrutiny around dual-use items. Control systems, industrial machinery, software, and communications technology can all be repurposed. Carlson makes an important point here. Companies that manufacture or deploy these items already know where the risks are. The issue is not ignorance. The problem is prioritization and escalation.

This is where proactive engagement with the BIS becomes essential. Unlike some areas of compliance, export controls encourage dialogue with regulators. Companies can and should engage BIS field offices early to discuss proposed transactions, licensing pathways, and regulatory obstacles. This is not lobbying. It is compliance.

One of the most powerful insights in our discussion is the call for compliance professionals to sit down with business operations and map every operational step. This is not busywork. It is risk triage. Too often, compliance reviews occur after a deal is already emotionally committed. At that point, compliance becomes the obstacle rather than the enabler. Carlson is explicit: sales and operations teams do not want to waste time on deals that will collapse under regulatory scrutiny. When compliance is embedded early, it improves deal quality. It filters out bad opportunities and strengthens good ones. That is value creation.

Siloed Compliance Will Fail in Venezuela

If there is one jurisdiction where compliance silos are fatal, it is Venezuela. Export controls intersect with sanctions. Sanctions intersect with AML. AML intersects with corruption. Corruption intersects with security. Security intersects with human rights and ESG. Carlson cites enforcement actions where companies failed because information did not flow across functions. Finance saw one risk. Operations saw another. Compliance saw a third. No one saw the whole picture.

For Venezuela, companies must adopt a non-siloed, enterprise-wide risk model. Export control specialists must talk to anti-corruption teams. Treasury must talk to security. Legal must talk to operations. This is not optional.

Board Oversight Must Evolve Beyond Periodic Updates

Boards of directors will play a decisive role in whether companies succeed or fail in Venezuela. Carlson is clear that boards must demand updated, transaction-specific risk assessments focused on central compliance risks, not generic program health. This is not about micromanagement. It is about governance. Boards must understand that Venezuela presents a dynamic risk environment where geopolitical shifts can occur overnight. The right board questions are not “Do we have a compliance program? ” They are:

  • What export control risks are central to this opportunity?
  • What sanctions exposure remains?
  • How are we monitoring changes in real time?
  • What is our exit strategy if conditions reverse?

The Case for a Standing Enterprise Risk Committee

Carlson raises a critical governance concept: the need for a standing, cross-functional risk committee empowered to act quickly. Not an ad hoc task force. Not an annual review. A permanent capability. We are no longer in a stable geopolitical environment. Long-trusted partners can become sanctioned entities within weeks. Supply chains built over decades can collapse overnight. For compliance professionals, this reinforces the need for real-time risk sensing, escalation protocols, and decision authority. Venezuela is simply the proving ground.

Enforcement Is Coming, Not Fading

The most sobering warning Carlson offers is about enforcement. The U.S. government has been signaling for some time that export control enforcement will increase. DOJ’s Trade Fraud Task Force, BIS outreach visits, and expanded definitions of “knowledge” under the EAR all point in the same direction. Compliance professionals should recognize the parallel to early FCPA enforcement. Policies alone are not enough. Programs must demonstrate that they identify high-probability risks, escalate them, and act. Testing matters. Documentation matters. Integration matters.

Final Thoughts

The prospect of renewed oil activity in Venezuela is not a green light for compliance. It is a stress test. Companies that approach this moment with discipline, humility, and integrated risk management can create value while protecting themselves. Companies that treat it as a political reopening will find themselves exposed on multiple fronts. For compliance professionals, this is a defining moment. The question is not whether Venezuela is open for business. The question is whether your compliance program is ready for the real world.