Categories
Daily Compliance News

Daily Compliance News: April 28, 2026, The Corruption Convictions Upheld Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • The EU is in more corruption trouble. (Euractiv)
  • US to target Mexican politicians in ABC campaign. (LATimes)
  • Former Speaker of the Ohio House loses at the Supreme Court. (KSAT)
  • Mike Madigan conviction upheld by 7th. (BloombergLaw)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
AI Today in 5

AI Today in 5: April 28, 2026, The Barriers to Success in AI Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today in 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Governance and compliance barriers to AI success. (SC Media)
  2. AI in payroll. (Thomson Reuters)
  3. Can AI agents create regulatory risk? (ICAEW Insights)
  4. China blocks Meta takeover of Manus. (CNBC)
  5. OpenAI breaks Microsoft exclusivity. (Reuters)

Categories
Innovation in Compliance

Innovation in Compliance: Beating Compliance Drift: Why Regulatory Intelligence and Continuous Monitoring Matter with Jeff Kushner

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Jeff Kushner, a compliance and IT security leader at Allgress.

Jeff talks about “compliance drift,” where external obligations such as laws, frameworks like NIST/ISO/CIS, and customer and licensing requirements fall out of alignment with internal governance policies, procedures, and contracts, creating silent gaps that surface only during audits or incidents. They discuss the added volatility from business and geopolitical changes and identify industries most exposed to hidden compliance risks, including small and mid-sized businesses, AI-focused organizations, behavioral health clinics managing many frameworks across multiple sites with drop-in audits, and small DoD contractors facing CMMC. Jeff argues that traditional spreadsheet-based or audit-centric GRC is static and point-in-time. He describes Reg Watch as a complementary regulatory intelligence layer that continuously monitors 3,000+ global standards, provides real-time alerts, explains changes in plain English, and provides sample policies and implementation steps, along with supporting documentation and follow-up validation.

Key highlights:

  • Compliance Drift Explained
  • Volatility Beyond Regulations
  • Why Old GRC Fails
  • Reg Watch Intelligence Layer
  • Documenting Actions and Proof

Resources:

Jeff Kushner on LinkedIn

Allgress

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
The PfBCon Podcast

Bryan Barletta on the Podcast Movement + Sounds Profitable Merger: What Changes for Creators, Brands, and Business Growth

Bryan Barletta discusses why he initiated the merger between Sounds Profitable and Podcast Movement, aiming to better serve the broader podcast ecosystem beyond a few large companies and to reinvent events in a post-COVID world focused on meaningful connections and ROI. He explains that Sounds Profitable will continue its day-to-day research, consulting, and partner network, while Podcast Movement will anchor major events, including a three-day, free-to-the-public program at South by Southwest and an August main event likely based in New York to improve global accessibility and pricing fairness. The conversation covers podcasting’s evolution into a business development and marketing tool, with brands valuing engagement across platforms, not just downloads. Bryan outlines initiatives to improve networking and meeting matchmaking, increase transparency in speaker selection, expand diversity, provide speaker training, and explore honoraria while emphasizing that the real value of events lies in in-room connections.

Key highlights:

  • Why the Merger Happened
  • New Structure and Role
  • Podcasting as a Business Tool
  • Attracting CMOs and Buyers
  • Designing Better Networking
  • Beyond Downloads Metrics
  • South by Southwest Access
  • Future Initiatives and Wrap

Resources:

Follow Sounds Profitable on: Website, LinkedIn, X (formerly Twitter)

Follow Bryan Barletta on: LinkedIn, Instagram

Categories
Blog

René Descartes and the Discipline of Internal Investigation

This week, we are moving to Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields such as science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider René Descartes and what he teaches as the next step beyond Bacon: that evidence must be rigorously examined.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes teaches the next step: evidence must be examined with rigor. That is why Descartes is the natural second installment in this series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon gave us empiricism. Descartes gives us a method. Bacon tells us to look. Descartes tells us how to think about what we find.

For the compliance professional, that is no small matter. Modern compliance programs do not fail only because they lack information. They often fail because organizations do not ask the right questions, challenge convenient assumptions, or investigate troubling facts with sufficient discipline. A hotline report comes in, and management prematurely dismisses it. A financial anomaly is explained away because the business result looks attractive. A third-party red flag is rationalized because the market opportunity seems too important to slow down. In each case, the problem is not simply a lack of data. The problem is a lack of disciplined inquiry.

That is where Descartes has something important to say to the modern Chief Compliance Officer.

Why Descartes Matters to Compliance

René Descartes is best known for methodical doubt. He believed that if one wanted to arrive at reliable knowledge, one had to strip away weak assumptions and test what could be known. He did not advocate doubt for its own sake. He advocated doubt as a disciplined tool, a way to avoid error and reach sound conclusions. His method required breaking problems into parts, analyzing them carefully, proceeding in an orderly manner, and ensuring nothing important was overlooked. That is remarkably close to what an effective compliance investigation function should do.

The compliance professional cannot assume an allegation is false because it is inconvenient. Nor can one assume it is true because it is emotionally compelling. The task is to examine. What happened? Who knew what, and when? What documents exist? What controls should have operated? Where are the inconsistencies? What explanation fits the evidence, and what explanation merely sounds comforting? Descartes would have recognized this immediately. A sound conclusion requires method, not instinct.

In a corporate environment, that is especially important because organizations are full of narratives. Managers tell stories about performance. Employees tell stories about why something was necessary. Third parties tell stories about local customs or business necessities. The compliance function should listen, but it cannot stop there. It must test those stories against facts.

The DOJ Expects More Than a Quick Answer

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use philosophical language, but its expectations align closely with Cartesian thinking. The ECCP asks whether investigations are properly scoped, whether the company has adequate resources to conduct them, whether the company preserves and analyzes relevant data, whether reporting structures support independence, and whether lessons learned are used to improve the compliance program. That is not a request for superficial closure. It is a demand for disciplined inquiry.

The ECCP is not interested in whether a company can produce a memo that says the matter has been reviewed. It wants to know whether the review was credible. Did the company ask hard questions? Did it follow the evidence even when the evidence was uncomfortable? Did it look at underlying causes or accept a narrow explanation that minimized institutional responsibility? These are Descartes’ questions as much as the DOJ’s.

Method Beats Reaction

One of the most important lessons Descartes offers is that method matters more than reaction. Too many organizations still respond to reports of misconduct in an ad hoc fashion. The identity of the reporter, the subject’s seniority, or the business sensitivity of the issue can distort the process from the outset. Some matters are overreacted to because they are visible. Others are under-investigated because they are politically awkward. That is not a system. That is improvisation. A mature compliance program requires a clear, repeatable investigative method.

That begins with triage. Allegations should be assessed based on risk, scope, subject matter, and potential impact. Matters involving senior leadership, financial controls, corruption risk, retaliation, or systemic process failures may require immediate escalation and greater independence. Low-risk issues may still require attention, but not every matter needs the same level of response. Cartesian thinking does not mean treating every problem identically. It means applying a coherent method to determine what level of inquiry is warranted.

From there, the matter should be broken down into manageable components. What is the allegation? What business process is implicated? What documents are likely relevant? Who are the key custodians? What data sources exist? What is the working timeline? What controls should have operated? What policy provisions may have been implicated? This is classic Descartes: divide complex problems into smaller parts so they can be understood.

Disciplined Skepticism Is a Compliance Strength

Compliance professionals sometimes worry that skepticism will be perceived as mistrust. But disciplined skepticism is not cynicism. It is not hostility. It is professional rigor. It is the recognition that people often explain events in self-protective ways, that organizations prefer neat stories to messy truths, and that important facts are often buried inside routine processes. Descartes would have understood that skepticism is a necessary safeguard against error.

Consider a common internal reporting scenario. A manager says that a questionable payment was simply an administrative oversight. Perhaps that is true. But a compliance professional guided by Descartes would ask several follow-up questions. Was it really isolated? Have similar payments occurred before? Were approval thresholds bypassed? Was the vendor properly vetted? Were invoice descriptions vague or coded? Did someone raise concerns earlier? Was the explanation consistent across all available records? None of those questions accuse. They clarify.

Documentation Turns Inquiry Into Credibility

Another Cartesian lesson for compliance is the importance of orderly reasoning. An investigation cannot simply be sound in substance. It must also be documented in a way that shows how the conclusion was reached. This is essential for institutional memory, for regulatory defensibility, and for credibility with boards and senior management.

A well-documented investigation answers basic but vital questions. What was alleged? Who handled the matter? What evidence was reviewed? Which witnesses were interviewed? What facts were established? What policy or control failures were identified? What conclusion was reached, and why? What remediation followed? This kind of documentation is not bureaucratic excess. It is proof of intellectual discipline.

Without it, the company cannot show that it acted reasonably. It cannot identify patterns across matters. It cannot demonstrate consistency. It cannot revisit earlier decisions when new facts emerge. Most importantly, it cannot turn an individual case into organizational learning. Descartes’ method was about structured thinking. In corporate compliance, documentation is how structured thinking becomes durable.

Independence Matters When the Facts Get Uncomfortable

No discussion of investigations would be complete without addressing independence. The most elegant methodology in the world will not help if investigators are pressured to protect favored executives, minimize business disruption, or avoid awkward findings. Cartesian rigor requires a willingness to follow the facts wherever they lead. That, in turn, requires real autonomy.

The ECCP addresses this directly through its focus on stature, authority, resources, and access. Can the compliance function investigate senior personnel? Can it escalate concerns to the board or audit committee when necessary? Is it empowered to challenge management narratives? These are not secondary governance questions. They are central to whether the investigation process can produce reliable conclusions.

There is a reason so many compliance failures involve not merely misconduct, but management interference with the review of misconduct. When power shapes the investigation, facts become negotiable. Descartes would have seen that as a fundamental corruption of method.

Investigations Must Lead to Remediation

A Cartesian compliance program does not end with a finding. It asks what the finding means for the system. That is why investigations must connect to remediation and root cause analysis. If an allegation is substantiated, the question is not simply who violated what rule. The question is what enabled the failure.

Was the training insufficient? Were incentives pushing employees toward bad decisions? Was a manager creating pressure that undermined ethical judgment? Did the approval process invite shortcuts? Was the policy too vague to guide real-world conduct? These questions push the company from conclusion to improvement.

This is where Descartes connects back to Bacon. Bacon teaches that we need evidence. Descartes teaches that we must reason carefully from the evidence. Together, they create a powerful model for compliance effectiveness. The company observes, investigates, documents, learns, and improves.

The Compliance Officer as a Guardian of Clear Thinking

If Bacon cast the compliance officer as an institutional scientist, Descartes casts the compliance officer as a guardian of clear thinking. In a corporation full of pressure, narrative, hierarchy, and urgency, that role is vital. Someone must insist that facts be tested, that assumptions be challenged, that conclusions be explained, and that the process remain disciplined when the easier path is to settle for a quick answer.

That is not merely an investigative skill. It is a governance function. It protects employee fairness, the board’s credibility, and the company’s defensibility. It also builds trust over time, because people learn that reports are taken seriously, that outcomes are reasoned rather than political, and that the system values truth over convenience.

René Descartes may seem an unlikely guide for corporate compliance. Yet his method of doubt, order, and careful reasoning belongs squarely within the modern best-practices compliance program. In an era where companies are judged not simply on whether they responded, but on how they responded, Descartes offers an enduring lesson: clear thinking is a control.

Five Lessons Learned for the Modern Compliance Professional

First, allegations should trigger a method, not a reaction. A repeatable investigative framework reduces bias and improves consistency.

Second, disciplined skepticism is a professional obligation. Compliance must test explanations against facts rather than accept convenient narratives.

Third, complex matters should be broken into parts. Scoping, evidence review, interviews, control mapping, and timeline construction all improve rigor.

Fourth, documentation is essential. It is how the company proves that its inquiry was credible and how it preserves institutional learning.

Fifth, an investigation is not complete until it informs remediation. Findings should lead to enhancements in control, policy changes, training updates, or broader governance improvements.

Coming Next: John Locke and the Legitimacy of Compliance Governance

If Francis Bacon teaches us to gather evidence and René Descartes teaches us to examine it rigorously, John Locke asks an equally important question: why should anyone trust the system in the first place? In Part 3, I will explore how Locke’s ideas about legitimacy, rights, and accountable authority provide a powerful framework for speak-up culture, non-retaliation, fairness, and board oversight. In the world of compliance, authority alone is never enough. It must also be credible.

Categories
AI Today in 5

AI Today in 5: April 27, 2026, The AI Takes Over Retail Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today in 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Current status of state AI laws. (Cooley)
  2. Building defensible intelligence into your workflow. (Wolters Kluwer)
  3. Otter.ai is under legal scrutiny. (UC Today)
  4. AI takes over a store. (Bloomberg)
  5. Will junior talent disrupt Goldman Sachs? (Business Insider)

Categories
Daily Compliance News

Daily Compliance News: April 27, 2026, The Good Judgment Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What is good judgment? (FT)
  • Is the MACC fostering corruption? (Bloomberg)
  • Israeli President wants a deal. (NDTV World)
  • What’s in the US government supply chain? (NYT)

Categories
FCPA Compliance Report

FCPA Compliance Report: Awakening the Advocate: Matt Friedman on Fighting Modern Slavery and Building Corporate Action

In this episode, Tom Fox welcomes Matt Friedman, founder and CEO of The Mekong Club, to discuss his book “Awakening the Advocate,” which explains his career in the fight against human trafficking.

Matt recounts his journey through survivor/NGO stories, tracing his personal path from a shy child in Connecticut to 35 years of anti-slavery work across 35+ countries, and shows that ordinary people can become advocates. He assesses progress as limited relative to the scale of the problem (50 million in modern slavery; 110,000 helped; 6,000 convictions; $236B in profits vs. $400M, now $250M, to fight it), arguing that awareness is the main gap. He outlines how companies, especially banks, can start internally via leadership briefings, policies, awareness, targeted training, red flags, procurement review, and baseline assessments, linking efforts to ESG, business value, and reputational/regulatory risk. Matt also discusses AI’s emerging role in detecting patterns across supply chains and transactions and emphasizes individual actions, pro bono support, and the importance of compliance work.

Key highlights:

  • Why He Wrote It
  • Turning Awareness Into Action
  • Building a Corporate Program
  • AI and the Next Wave
  • Hope and Practical Steps
  • Rapid Fire Takeaways

Resources:

Matt Friedman on LinkedIn

The Mekong Club

Awakening the Advocate on Amazon.com

Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

Categories
Blog

Enlightenment Philosophers Week: Part 1 – Francis Bacon and the Compliance Program That Works in Practice

I have explored the work of ancient Greek and Roman philosophers to understand the underpinnings of the modern corporate compliance program. This week, I want to move to Enlightenment Thinkers. Our category is broader than that of philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes.

The five we will explore are Francis Bacon, René Descartes, John Locke, Thomas Hobbes, and Isaac Newton. Today, we begin with Francis Bacon and the design of a compliance program that works not simply in theory but in practice.

There is a reason Francis Bacon is the right place to begin a series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon did not simply advance a philosophical idea. He changed the way serious people were supposed to think. He pushed inquiry away from inherited assumptions and abstract theorizing and toward observation, testing, evidence, and disciplined learning from experience. In many ways, that is the same journey corporate compliance has had to take.

For too long, compliance programs were judged by what they had on paper. Did the company have a code of conduct? Did it conduct annual training? Did it maintain a hotline? Did it have policies and procedures? Those questions still matter, of course, but they are no longer enough. The Department of Justice has made that point repeatedly through its Evaluation of Corporate Compliance Programs. The DOJ does not simply ask whether a company has a program. It asks whether the program is well designed, whether it is being applied earnestly and in good faith, and whether it works in practice. That final phrase could have been written by Bacon himself.

Why Bacon Matters to Compliance

Francis Bacon is most closely associated with empiricism, the idea that knowledge should be grounded in observation and experience rather than assumption or pure deduction. He believed that if you want to understand the world, you do not begin with what you hope is true. You begin with facts. You gather information. You test propositions. You challenge your own biases. Then you refine your conclusions based on the evidence. That mindset is at the heart of every effective compliance program.

A Chief Compliance Officer cannot assume that a policy is effective because it was well-drafted. A board cannot assume that a training program changes behavior because employees clicked through an online module. A legal department cannot assume that third-party due diligence is functioning because questionnaires are being completed. In each case, the real question is Baconian: what evidence do you have that the control is working as intended?

This is where philosophy becomes practice. Bacon gives compliance professionals a method. He reminds us that the difference between performative compliance and effective compliance is proof.

The DOJ Standard Is a Baconian Standard

The modern DOJ approach is deeply consistent with Bacon’s philosophy. The ECCP has moved the compliance conversation away from formalism and toward effectiveness. Prosecutors are instructed to consider whether a company has access to relevant data, whether it uses that data to monitor performance, whether it investigates red flags, whether it adapts the program based on lessons learned, and whether it performs root-cause analysis after misconduct occurs. That is not a paper exercise. That is evidence-based governance.

The DOJ is effectively saying that compliance must be a living system of observation, testing, response, and continuous improvement. In Bacon’s world, knowledge advances by disciplined interaction with reality. In the DOJ’s world, compliance credibility advances the same way. A company earns trust not because it announces a program, but because it can demonstrate through data, testing, and response that the program actually functions.

From Risk Assessment to Real Measurement

A Bacon-inspired compliance program begins with risk assessment, but it does not end there. Too many organizations treat the risk assessment as an annual exercise that produces a polished heat map and then disappears into a slide deck. Bacon would reject that approach. A risk assessment should be a working hypothesis about where misconduct and control failure are most likely to occur. That hypothesis must then be tested through monitoring, internal reporting, auditing, and data review.

Consider a company that identifies third-party risk as a top concern. A paper-based approach might stop with enhanced due diligence procedures and contract clauses. A Baconian approach goes further. It asks whether third parties are actually being onboarded according to policy, whether approvals are properly documented, whether high-risk distributors are subject to enhanced monitoring, whether payments match contractual terms, whether red flags are closed or merely noted, and whether the company can identify trends across geographies, business units, or product lines. That is where compliance becomes operational.

Monitoring Is How a Program Proves Itself

One of the clearest lessons Bacon offers is that observation must be ongoing. In compliance terms, that means monitoring is not an optional add-on. It is how the program proves itself. COSO has long emphasized monitoring as a core element of an effective internal control framework. The same logic applies to compliance more broadly. Monitoring tells a company whether its controls are operating consistently, whether local business practices are drifting from policy expectations, and whether emerging risks are being detected early enough to matter.

Hotline data is a good example. Many organizations report the number of calls received, but that is only the beginning. A Baconian compliance officer looks beneath the surface. Are certain allegations rising in a specific region? Are retaliation claims increasing after a business reorganization? Are reports being substantiated at a lower rate because employees do not understand what should be reported? Are investigation closure times lengthening in a way that undermines confidence in the process? Those are not just operational questions. They are questions about whether the compliance system is learning.

Root Cause Analysis Is Bacon in Action

If there is one area where Bacon’s influence should be explicit, it is root cause analysis. When misconduct happens, the least useful response is to identify the wrongdoer, discipline the individual, and move on. That may satisfy a desire for closure, but it does not satisfy the demands of an effective compliance program.

Bacon would ask a different set of questions. What conditions allowed this to happen? What signals were missed? Were incentives misaligned? Was a manager pressuring a sales team in ways that made policy noncompliance more likely? Did the control exist on paper but fail in operation? Was a prior warning sign identified but not escalated?

Those questions matter because substantive compliance violations are never random. They are often the product of pressure, weak controls, poor communication, bad assumptions, or failures to learn from earlier warning signs. Root cause analysis is the process by which a company examines the conditions that led to a failure and turns that failure into institutional knowledge.

Culture Needs Evidence Too

Compliance professionals often speak about culture, and they should. But here, too, Bacon has a warning for us. Culture cannot be measured only by slogans or tone-at-the-top statements. A company that wants to claim a strong ethical culture should be able to point to supporting evidence.

Do employees raise concerns without fear of retaliation? Are managers evaluated in part on ethical leadership? Do exit interviews reveal pressure points that formal reporting channels miss? Are discipline outcomes consistent across levels of seniority? Does the organization respond to bad news constructively or defensively? These are empirical questions. They require information, not aspiration.

This is where compliance, internal audit, legal, and HR can work together in a mature governance model. Surveys, hotline trends, investigation data, audit findings, and employee feedback all become part of the evidence base. Culture, in this framework, is not soft. It is observable. It can be tested, assessed, and strengthened.

The Compliance Officer as Institutional Scientist

Perhaps Bacon’s greatest gift to the compliance profession is this: he offers a model for what the compliance officer should be. Not merely a policy custodian. Not merely a trainer. Not merely an investigator. The modern compliance leader is, in part, an institutional scientist.

That phrase may sound grand, but it captures something important. The CCO studies how the organization really works. Which incentives shape conduct? Which controls hold under pressure? Where are the blind spots? What do the data show? What must change? In that sense, the compliance function is not external to the business. It is one of the primary ways the business learns about itself.

That is why evidence matters so much. It is the basis for credibility with the board, with regulators, and with employees. It is how a program shows that it is more than a collection of good intentions. Francis Bacon would have understood that immediately.

Five Lessons Learned for the Modern Compliance Professional

First, a compliance program must be judged by evidence, not by appearance. Policies and training matter, but proof of effectiveness matters more.

Second, risk assessments should be treated as working hypotheses that must be tested through monitoring, auditing, and ongoing review.

Third, data is central to the credibility of compliance. Hotline trends, investigation outcomes, audit findings, and control testing demonstrate that a company’s program works in practice.

Fourth, root cause analysis is essential. Misconduct should trigger institutional learning, not merely individual discipline.

Fifth, culture itself must be supported by evidence. Speak-up, non-retaliation, consistency in discipline, and employee trust are all observable markers of program health.

Coming Next: René Descartes and the Discipline of Internal Investigation

If Francis Bacon teaches us how to gather evidence, René Descartes teaches us what to do with it. In Part 2, I will examine how Descartes’ method of disciplined doubt provides a blueprint for internal investigations, allegation triage, and rigorous compliance inquiry. In a world of management narratives, incomplete facts, and pressure to reach quick conclusions, Descartes reminds us that the compliance professional’s first duty is not comfort. It is clear thinking.

Categories
Sunday Book Review

Sunday Book Review: April 26, 2026, The Yale University Press Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at 4 top books recently released by Yale University Press.

  1. Josephine Baker’s Secret War – by Hanna Diamond
  2. Carole King – by Jane Eisner
  3. Philip Roth – by Steven Zipperstein
  4. Storyteller – by Leo Damrosch
