Author: Admin

Categories
Blog

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The region’s board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

Categories
ACI FCPA Conference 2025

ACI-FCPA Conference Speaker Preview Series – Andrew Bruck on Updating Your Due Diligence Program

In this episode of the ACI-FCPA and Global Anti-Corruption Conference Speaker Podcasts series, Andrew Bruck discusses the workshop he will be a part of at the event, “The Essentials of Updating Your Due-Diligence Playbook: Adapting to New Risks Impacting Your Supply Chains, Third Parties, and M&A Transactions.”

Some of the issues the panel will discuss are:

  • Understanding the new DOJ focus on due diligence;
  • Assessing the risk in your Supply Chain;
  • Recalibrating 3rd party risks.

I hope you can join me at the ACI–FCPA Conference. This year’s event will take place on December 3-4 at the Gaylord National Resort & Convention Center in National Harbor, Maryland, near Washington, D.C. The lineup of this year’s event is simply first-rate, featuring some of the top FCPA professionals, white-collar attorneys, and compliance practitioners in the field.

The 2025 program is being completely redesigned to help your organization stay agile, responsive, and ahead of the curve. Expect a dynamic agenda shaped by real-world priorities, practical takeaways, and the most cutting-edge thinking in compliance—led by a faculty of global practitioners with boots on the ground, encountering the very risks that come across your desk.

Please join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount by using the code D10-999-CPN26.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – NBA Betting Scandal – A Short History of BasketBall Betting Scandals

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we will mine the ongoing NBA betting scandal for compliance lessons. Today in Part 3, we look at the history of sports betting scandals in basketball over the past 60 years.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
Daily Compliance News

Daily Compliance News: November 5, 2025, The Sex Dolls in Paris Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • Trump threw a temper tantrum over corruption Q. (Daily Beast)
  • SBF says trial ‘fundamentally unfair’. (FT)
  • State capture and corruption. (The Guardian)
  • Sex dolls, compliance, and Shein. (WSJ)

The Daily Compliance News has been honored as the No. 2 in the Best Regulatory Compliance Podcasts category.

Categories
Great Women in Compliance

Great Women in Compliance: The Art and Science of Compliance: Nicole Rose on Culture, Curiosity, and Change

In this episode of Great Women in Compliance, host Sarah Hadden sits down with Nicole Rose—lawyer, artist, author, and creator of the FRAME Training Method—to explore how human behavior, psychology, and creativity can transform compliance from a checkbox exercise into a movement that drives real change. Nicole shares the story behind her “Moneyball Compliance” approach, showing how small, measurable behaviors can predict integrity, build stronger cultures, and make ethics training finally stick. The two also discuss Nicole’s upcoming book, Told: How In-House Legal and Compliance Professionals Secure Airtime, Gain Traction, and Transform Organizations.

Four Takeaways:

1. Compliance Is About People, Not Policies

Nicole’s journey from lawyer to artist to compliance innovator reveals that effective compliance starts with understanding human behavior and culture—not just ticking boxes or enforcing rules.

2. Behavior Beats Metrics

Traditional compliance programs measure completion rates; Nicole’s “Moneyball Compliance” approach measures behaviors that predict integrity—like speaking up, giving feedback, and practicing micro-activities that build ethical “muscle memory.”

3. Curiosity Is the Secret Ingredient

Engagement happens when employees are curious. Nicole emphasizes creating “pre-frames” that connect compliance messages to what people already know and care about, making training meaningful and memorable.

4. Make It Real, Not Funny

Humor has its place in presentations, but when it comes to serious topics like bribery, privacy, or human rights, authenticity and relatability are far more powerful than laughs. Real characters and relatable stories drive real change.

Categories
The Hill Country Podcast

The Hill Country Podcast – Celebrating the Hill Country Youth Orchestras and the High Tea Event

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this area of Texas so unique. This week, Tom welcomes fellow Hill Country Youth Orchestra board member, Greg Shrader.

They discuss their shared passion for the youth orchestras and highlight their major annual fundraiser, the High Tea event, scheduled for December 6th at the Museum of Western Art. Greg shares insights into the significance and charm of the High Tea and its role in supporting the youth orchestra. He recounts its origins after Robert Earl Keen retired from performing benefit concerts. They also explore the impact of youth orchestras on students from grades K-12, including success stories of students advancing to prestigious institutions such as Interlochen and Juilliard. The episode concludes with information on how to support and get involved with the Hill Country Youth Orchestras.

Key highlights:

  • The High Tea Fundraiser: Origins and Importance
  • Musical Performances and Youth Orchestra Impact
  • The Venue: Museum of Western Art

Resources:

Hill Country Youth Orchestras

High Tea Fundraiser

Other Hill Country Focused Podcasts

Hill Country Authors Podcast

Hill Country Artists Podcast

Texas Hill Country Podcast Network

Cover Art

Nancy Huffman

Categories
AI Today in 5

AI Today in 5: November 5, 2025, The Another One Bites the Dust Edition

Welcome to AI Today in 5, the newest edition of the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  1. Enterprise-grade compliance with AI. (FinTech Global)
  2. Amazon tells Perplexity no more bot purchasers. (Yahoo!Finance)
  3. Hidden risk in hiring and AI. (JDSupra)
  4. Will AI mean the end of call centers? (BBC)
  5. FOMO risk is real in AI investing. (Bloomberg)

For more information on the use of AI in compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Incentives in Compliance: Structuring Effective Compensation Plans

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Seeking insightful perspectives on compliance? Look no further than Compliance into the Weeds! In this episode, Tom Fox and Matt Kelly discuss the intricacies of integrating incentives into corporate compliance programs.

Matt shares insights from a recent webinar and blog posts, discussing how companies can encourage ethical behavior through executive compensation plans, performance bonuses, and other incentive schemes. The conversation explores the Justice Department’s guidelines on executive compensation, the intricacies of designing these programs to align with industry-specific risks, and the implications for various levels of management. They also examine the challenges of establishing meaningful compliance metrics and striking a balance between compliance incentives and overall business objectives across multiple sectors.

Key highlights:

  • The Role of Incentives in Compliance Programs
  • Structuring Executive Compensation for Compliance
  • Challenges and Nuances in Incentive Programs
  • Incentives for Different Business Models
  • Compensation Types and Ethical Behavior

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been honored with a Davey, Communicator, and W3 Award, all for excellence in podcasting.

Categories
Blog

Who Is an Officer? The D&O Implications of an Evolving Compliance Title

If you are a Chief Compliance Officer (CCO), you have likely spent countless hours parsing language in policies, contracts, and regulations. Words matter, especially when those words define responsibility, liability, and protection. Few words in the D&O insurance world carry as much significance or ambiguity as officer.

In a recent D&O Diary guest post, John Orr, D&O Liability Product Leader for Willis FINEX North America, tackled a deceptively simple question: Who qualifies as an “officer” under a directors and officers (D&O) insurance policy? His analysis extends beyond an insurance issue. As organizations evolve, titles proliferate, and regulatory exposure expands, the boundaries of who counts as an “officer” and thus who bears personal risk are blurring.

In today’s compliance landscape, the CCO cannot afford to let that ambiguity go unexamined. Because, as Orr notes, “titles no longer define exposure; functions do.” And that statement carries profound implications for how we manage risk, structure accountability, and design compliance frameworks in the era of AI, ESG, and cybersecurity. It also puts CCOs directly in the line of fire for shareholder litigation based upon a Caremark claim, which was expanded to include officers in the In re McDonald’s Corporation Stockholder Derivative Litigation case.

Today, explore five key lessons compliance officers should take away from this discussion.

1. The Old Definition No Longer Fits the New Enterprise

For decades, D&O insurance policies defined “officer” narrowly: those “duly elected or appointed” under corporate bylaws, which typically included the CEO, CFO, COO, and General Counsel. That made sense when corporate structures were simple and hierarchies clear.

But those days are gone. Modern organizations are matrixed, decentralized, and global. Entire risk domains, such as cybersecurity, compliance, sustainability, and AI governance, now have leaders whose decisions can expose the company to significant regulatory, reputational, or legal peril. Orr points out that after the SEC charged the CISO of SolarWinds in 2023, companies began asking a new question: Is my CISO actually covered under our D&O policy?

That question should not just keep risk managers up at night. It should jolt every compliance leader. Because if your peers in cybersecurity, privacy, or ESG can face personal liability for organizational failures, and if their roles fall outside traditional definitions of “officer,” then your compliance architecture is incomplete.

2. Titles Cannot Shield You from Risk, and They Should Not Define Protection.

Orr rightly criticizes what he calls the “legacy efforts at deliberate ambiguity” in defining who counts as an officer. Historically, this ambiguity offered flexibility to insurers and policyholders. But now it provides uncertainty; if your coverage depends on whether someone’s title happens to include “officer,” you are one reorganization away from being uninsured.

For compliance professionals, this echoes a familiar theme: form versus substance. Regulators, from the DOJ to the SEC, are increasingly looking beyond the organizational chart to assess who truly exercises authority and control. The same principle should apply internally when defining who merits D&O coverage or corporate indemnification in civil litigation.

If a CISO, Chief People Officer, or Head of AI Governance makes risk-laden decisions equivalent in impact to those of a CFO, should they not receive equivalent protection? Orr argues for a shift from title-based to function-based definitions, a position entirely consistent with modern compliance thinking. Accountability should flow from influence, not nomenclature.

3. Endorsements Are Band-Aids, Not Blueprints

As ambiguity around “officer” status has grown, companies have sought quick fixes, such as endorsements listing specific titles or individuals to be covered under D&O policies. Orr concedes that while these endorsements “address the need,” they are not scalable or sustainable. Compliance officers should recognize the analogy to policy exceptions and one-off approvals. Every time you bolt on an endorsement, you introduce friction, inconsistency, and the potential for oversight. It’s a reactive, not proactive, form of risk management.

Endorsements also fail the foresight test. They require organizations to predict which roles might become legally exposed next year, a nearly impossible task in a fast-evolving regulatory landscape. Who foresaw five years ago that ESG directors or AI governance leads would be in the crosshairs of regulators? For compliance, the takeaway is clear: tactical fixes can’t substitute for structural reform. Instead of adding endorsements to patch the definition, align the policy’s logic with the company’s real-world indemnification practices, a concept Orr calls using indemnification as the “North Star.”

4. Indemnification Is the True Test of Officer Status

Orr’s most compelling insight is his proposed “indemnification-based” solution. Under this model, anyone whom the company indemnifies or would have indemnified but for insolvency or other barriers qualifies as an officer under the D&O policy.

This approach elegantly ties together governance, insurance, and compliance. It shifts the focus from job titles to actual corporate behavior: if your organization considers someone important enough to indemnify for their decisions, they are important enough to insure. It also harmonizes coverage with reality, reducing uncertainty during a claim and ensuring consistency across corporate structures.

From a compliance standpoint, this is a governance revolution. It aligns with what the DOJ has repeatedly emphasized in its most recent Evaluation of Corporate Compliance Programs (2024 Ed.): policies must reflect “the actual day-to-day functioning” of the organization, not theoretical constructs. Indemnification as a coverage anchor reflects the compliance principle that responsibility should align with decision-making authority. If someone makes risk-bearing decisions, your compliance and D&O frameworks should converge to support and monitor that role.

5. Modern Risk Requires Modern Coverage and Modern Collaboration

The concluding insight from Orr’s piece should resonate deeply with every compliance officer: “This is not about expanding coverage. It’s about modernizing coverage to address the way companies operate today.”

That statement could serve as the mission of compliance itself. As emerging technologies and global expectations reshape the corporate landscape, the boundaries of responsibility shift daily. AI, ESG reporting, data ethics, and cybersecurity aren’t just technical or operational concerns; instead, they are compliance risks with individual accountability attached.

If your D&O policy does not reflect those realities, neither does your compliance program. The modern CCO must therefore work closely with risk management, finance, and HR to ensure alignment between the forms of protection (insurance, indemnification) and the functions of oversight (compliance, ethics, governance). The article also hints at an opportunity for insurers: innovation. Just as compliance leaders must find new ways to embed ethical decision-making, insurers must design products that reflect the fluid nature of modern corporate risk. Both fields, compliance and D&O, are being asked the same fundamental question: Are you structured for yesterday’s risks or tomorrow’s realities?

What It Means for the Chief Compliance Officer

For the CCO, this discussion is not simply an academic exercise. The question “Who is an officer? ” is really a question about who bears the moral and legal weight of corporate decision-making. As compliance matures into a strategic function, the CCO’s role increasingly resembles that of the “modern officer,” as Orr describes it: not just a gatekeeper, but a guardian of integrity, transparency, and accountability.

Here’s what that means in practice:

  • Map functional authority. Identify which roles across your enterprise carry significant compliance or legal exposure, regardless of title.
  • Engage with risk management. Ensure your D&O policy reflects the true landscape of decision-making authority.
  • Revisit indemnification practices. Advocate for parity between those granted indemnity and those exposed to regulatory risk.
  • Educate the C-suite and Board. Clarify that modern risk is horizontal, not vertical, and coverage must follow function, not hierarchy.
  • Champion continuous evolution. Compliance, like D&O coverage, must adapt as corporate structures evolve. Stasis is not a strategy.

Ultimately, the compliance function exists to ensure that individuals are accountable for their actions and protected for acting in good faith. That dual mandate, accountability and protection, lies at the heart of Orr’s argument and at the soul of every effective compliance program.

Compliance is not about saying no; it is about creating the conditions where doing the right thing is easy. In this context, that means ensuring your organization’s structure, policies, and insurance mechanisms make ethical leadership a safe and supported choice. The term “officer” may seem like a semantic detail, but as John Orr reminds us, it reflects how corporations define responsibility in an era of constant change. For compliance professionals, the challenge and the opportunity are to make sure that the mirror reflects reality.

 

Categories
Compliance Tip of the Day

Compliance Tip of the Day – NBA Betting Scandal – Prop Bets and Sports Books

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we will mine the ongoing NBA betting scandal for compliance lessons. Today in Part 2, we look at the role of prop bets and sports books in the scandal.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.