Author: Admin

Categories
Daily Compliance News

Daily Compliance News: June 10, 2026, The Integrity is Not Optional Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Hungary is using AI to track down the proceeds of Orbán’s corruption. (FT)
  • US expands list of sanctioned Chinese companies. (WSJ)
  • Italian Court takes over US builder in Italy. (Reuters)
  • Hong Kong head of ABC says integrity is non-negotiable. (SCMP)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
AI Today in 5

AI Today in 5: June 10, 2026, The End of Legacy Compliance Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI and the end of legacy compliance. (FinTechGlobal)
  2. The Great American AI Act. (ClearanceJobs)
  3. AI and cybersecurity risks in healthcare. (Forbes)
  4. Will AI improve the banking experience? (The Conversation)
  5. Will AI help women in financial services? (FinTechMagazine)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.

Categories
Blog

Why Compliance Gets Branded as the Problem

Every compliance professional has heard the accusation. Compliance is too slow. Compliance does not understand the business. Compliance always says no. Compliance is where deals go to die. That reputation is so common that it has a shorthand: Dr. No from the Land of No.”

Luis Velasquez’s article, Why Effective Leaders Get Branded as Problems, offers an important way for Chief Compliance Officers to think about this challenge. His central point is that when a leader creates friction, organizations often default to one explanation: the leader is the problem. Yet the article argues that friction usually comes from one of four sources: capability, perception, identity, or system. Because those sources may appear similar on the surface, organizations often collapse them into a single behavioral judgment, leading to poor decisions.

That insight maps directly onto compliance. When compliance creates friction, the organization may assume the compliance function is the problem. Sometimes that is true. Sometimes compliance really is slow, unclear, inconsistent, or disconnected from commercial reality. But often, compliance is not the problem. It is exposing the problem. The CCO’s job is to know the difference.

The Evaluation Trap for Compliance

Velasquez calls this dynamic the “evaluation trap.” Organizations overfocus on visible behavior and underweight the context surrounding it. If there is friction, the easy assumption is that the individual leader is the problem. For compliance, the same trap appears when business leaders say some of the following: “Compliance is blocking the deal. Compliance is slowing us down. Compliance is too rigid. Compliance does not understand how we make money.”

Those statements may contain useful feedback, but they are not a diagnosis. They are conclusions. A good CCO should not reject them defensively, but neither should the CCO accept them at face value. The better question is, “What is really causing the friction?”

Is compliance creating unnecessary delays? Is the business bringing compliance in too late? Is the policy unclear? Is the company’s incentive structure encouraging people to push risk downstream? Is the compliance team applying yesterday’s reputation to today’s improved process? Or is the function’s greatest strength, independence, being overused in a way that makes compliance appear detached from the business? The answer matters because each cause requires a different response.

Why “The Land of No” Is Dangerous

Being known as “The Land of No” is more than a branding problem. It is a control problem. When employees believe compliance exists only to stop things, they stop bringing compliance into decisions early. They delay disclosure. They frame facts selectively. They look for workarounds. They ask for forgiveness instead of guidance. The compliance function then receives issues late, with fewer options and higher stakes. That reinforces the perception that compliance is always saying no.

It becomes a vicious cycle. The business avoids compliance because it fears delay. Compliance receives incomplete or late information. Compliance responds with concern or rejection. The business concludes that compliance is a blocker. The next time, the business waits even longer to engage. That is how a compliance function loses influence while still technically having authority.

The Four Sources of Compliance Friction

Velasquez identifies four sources of leadership friction: a true skill deficit, historical reputation, overextension of identity, and the system as a blocker. Each has a direct compliance equivalent.

1. A True Compliance Capability Deficit

Sometimes the criticism is fair. The compliance team may be too slow. It may issue dense legal guidance that no one can use. It may give inconsistent answers across regions. It may lack business knowledge. It may escalate too many routine issues. It may have no clear intake process, no service-level expectations, no decision trees, and no practical playbooks.

The remedy is operational discipline. Build intake channels. Publish response-time expectations. Create risk-tiered approval paths. Train compliance professionals in business acumen. Give the business practical guidance, not abstract warnings. Measure cycle time, quality of advice, repeat questions, escalation frequency, and stakeholder satisfaction. A compliance function that wants credibility must be professionally managed.

2. Historical Reputation

Sometimes, compliance is judged by an old story. Velasquez describes “organizational drift,” where systems rely on outdated narratives rather than current evidence. Feedback may be based on historical reputation rather than recent interactions. Labels harden even when behavior changes.

In that case, behavior change alone may not be enough. The CCO must manage perception as deliberately as performance. That means asking business leaders for specific, recent examples. It means distinguishing current pain from legacy frustration. It means documenting improvements and communicating them repeatedly. It means publicizing examples where compliance helped a team win business the right way, accelerate a transaction, resolve a third-party issue, or design better controls.

3. Overextension of Compliance Identity

Compliance has core strengths: independence, skepticism, discipline, documentation, escalation, and control. Those strengths are essential. But Velasquez warns that a strength can become a habit, then an identity, and then a constraint. The problem is not always the absence of skill; sometimes it is the overuse of a strength in the wrong context. That is a powerful lesson for compliance.

A compliance function that is appropriately skeptical in a bribery investigation may be unnecessarily skeptical in a low-risk gift review. A team that properly demands documentation for a high-risk distributor may over-document a routine vendor. A CCO who must be firm with the board or regulators may unintentionally use the same posture in early-stage business counseling. The answer is not to weaken compliance. The answer is to expand its range.

Compliance should know when to be an investigator, an adviser, a control designer, an educator, and a decision escalater. Not every question requires the same tone, process, or level of scrutiny. A mature compliance function does not say yes to everything. It knows how to say “Yes, if.” That is very different from simply saying no.

4. The System as the Blocker

Velasquez calls the system-as-blocker issue the most misunderstood trap. What looks like a behavior problem may actually be caused by culture, structures, resources, incentives, or decision rights that make the desired behavior difficult to achieve. The article notes that organizations may say they want one thing while rewarding another. This is the most important lesson for the CCO.

Compliance is often blamed for delays caused elsewhere. Sales may bring a high-risk intermediary into compliance two days before a bid deadline. Procurement may onboard vendors before due diligence is complete. Finance may discover payment issues only after an invoice is pending. Legal may escalate a contract after commercial terms have already been promised. Senior leadership may say compliance matters, while compensation plans reward speed and revenue at any cost.

In reality, the system created the bottleneck. Compliance was simply the first function willing to name it. The CCO should identify these systemic blockers and bring them to management. If the business wants faster third-party approvals, it must engage compliance earlier. If the company wants fewer rejected transactions, it must define risk appetite before the deal is negotiated. If leadership wants a speak-up culture, it must protect reporters and discipline those who retaliate. If the

Building a Compliance Function Known for Solutions

The goal is not to become the “Land of Yes.” That would be worse. A compliance function that says yes to everything is not a compliance function. It is a permission slip. The goal is to become the Land of Know: a place where businesses gain clarity, options, risk intelligence, and practical pathways. That requires a different operating model.

  1. Compliance must engage early. The function should be embedded in strategy discussions, product design, market entry planning, third-party selection, M&A activity, data use, AI deployment, and incentive design. Late-stage compliance review is where trust goes to die.
  2. Compliance must define red lines and green lanes. Business teams should know which activities are prohibited, which require escalation, and which can move quickly through preapproved controls. Ambiguity produces both delay and resentment.
  3. Compliance must communicate in business language. “This violates Section X of Policy Y” may be accurate, but it is rarely sufficient. The better explanation is: “This creates an undisclosed conflict, weakens our audit trail, and could make the payment look improper. Here is how we can restructure it.”
  4. Compliance must offer alternatives. A “no” without a path forward should be reserved for real red-line issues. In most cases, compliance should identify a lower-risk route.
  5. Compliance must measure enablement. Do not only track training completions, hotline numbers, or policy attestations. Track advisory response time, time to third-party decision, percentage of matters resolved with conditions, number of early consultations, repeat issues by business unit, and examples where compliance helped preserve business value.

Sixth, compliance must own its mistakes. When compliance is slow, unclear, inconsistent, or overly rigid, the CCO should say so and fix it. Credibility increases when compliance holds itself to the same level of accountability it expects of the business.

The CCO’s Message to the Business

The CCO should be able to say, “We are not here to stop the business. We are here to help the business grow in a way that can withstand scrutiny. Sometimes that means yes. Sometimes that means yes with controls. Sometimes that means no. But every answer should be timely, clear, risk-based, and tied to the company’s values and obligations.”

That message must be backed by behavior. Business leaders will not judge compliance by slogans. They will judge it by how the function behaves when a deal is urgent, a market is risky, a senior executive is involved, or the answer is uncomfortable.

The lesson from Velasquez’s article is simple but profound. Before deciding that the leader is the problem, ask whether the diagnosis is wrong. For CCOs, the parallel lesson is equally important: before accepting that compliance is the problem, determine what the friction is really telling you.

A strong compliance function should never aspire to be popular at all costs. But it should aspire to be trusted. The way to avoid becoming “The Land of No” is not to say yes more often. It is to become clearer, earlier, more practical, more evidence-based, and more courageous about identifying whether the real issue sits in compliance, the business, or the system itself.

Categories
Daily Compliance News

Daily Compliance News: June 9, 2026, The Big Bang Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • New charges against FirstEnergy execs. (Cleveland.com)
  • The court orders answers on why there are no tariff refunds. (NYT)
  • Hormuz Crisis and global compliance. (WSJ)
  • A Big Bang reversal of Brexit. (FT)

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
AI Today in 5

AI Today in 5: June 9, 2026, The OpenAI Files to go Public Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI-ready compliance for reg tech. (FinTechGlobal)
  2. AI agents under antitrust scrutiny. (NYT)
  3. Procurement and AI governance. (Observer.com)
  4. Is your bank ready for Agentic AI? (OpenTextBlog)
  5. Transparency is key for AI use in healthcare. (Ohio.Edu)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on ⁠Amazon.com⁠.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on ⁠Amazon.com⁠.

Categories
Everything Compliance - Shout Outs and Rants

Everything Compliance: Shout Out & Rants – New Season, New Host and New Lineup

Welcome to a revamped Everything Compliance Shout Outs and Rants. We have a new host, Adam Turteltaub, and a new panelist, Rebecca Walker, who joins returning regulars Matt Kelly, Jonathan Armstrong, and Karen Moore for the next iteration of Everything Compliance Shout Outs and Rants.

  • Adam thanks Tom Fox, critiques his own timing, and notes Pope Leo XIV’s AI encyclical urging attention to human factors.
  • Rebecca praises Georgetown University’s Jesuit values—“men and women for others” and cura personalis—as a reminder that compliance is about values and culture, not just enforcement.
  • Matt echoes interest in the Pope’s encyclical, criticizes President Trump’s comments about the Pope, and cites Amazon’s warning against gaming internal AI leaderboards, arguing companies should prioritize productive outcomes over measuring AI usage.
  • Karen describes her gym’s behavior memo and criticizes the shift toward enforcing it on members.
  • Jonathan discusses the SNP embezzlement case involving Peter Murrell and related allegations around Nicola Sturgeon, highlighting compliance lessons: segregation of duties, conflicts of interest, whistleblowers, and culture.

Everything Compliance Shout-Outs and Rants is a production of the Compliance Podcast Network.

Categories
Innovation in Compliance

Innovation in Compliance: Rethinking SpeakUp: UX, Trust, and AI in Whistleblowing and Investigations with Tim Morss

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode,  host Tom visits with Tim Morss, CEO at SpeakUp, about the evolution of speak-up systems from the employee perspective.

Morss describes his background in compliance technology and SpeakUp’s global footprint, emphasizing that employee expectations favor frictionless, mobile-first, intuitive reporting with transparency and feedback over 800-number hotlines and complex forms. He notes common program gaps: hard-to-find reporting channels, poor mobile experiences, overreliance on telephony (especially problematic for non-English speakers), insufficient guidance on what to report, and weak trust due to lack of follow-up and perceived inaction. They consider generational preferences, privacy-aware deployment, such as QR code placement, and AI use cases such as multilingual voice intake for illiterate supply-chain workers, while cautioning against unsafe AI practices and autonomous decision-making. Morss highlights investigative management as a major opportunity beyond basic case repositories and forecasts greater AI-driven integration with in-house systems amid geopolitical and regulatory divergence.

Key highlights:

  • Employee Expectations Shift
  • Common SpeakUp Mistakes
  • Trust and Anti-Retaliation
  • Gen Z Reporting Channels
  • AI Voice for Workers
  • One Practical CCO Tip

Resources:

Connect with Tim Morss on LinkedIn

SpeakUp

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Categories
Blog

The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? It also makes an important distinction between “alignment” and “agreement.” Alignment may mean that executives are not actively blocking one another. An agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. It also describes the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a quality debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Come to a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.

Categories
Blog

Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations. It is that no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role which would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief risk and resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

Who owns each critical business service? What are the maximum tolerable disruptions? What systems, people, facilities, data, and third parties support each service? What severe but plausible scenarios have been tested? What vulnerabilities were identified? Who owns remediation? What evidence shows that remediation worked? What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.

Categories
FCPA Compliance Report

FCPA Compliance Report: Leading with Invitation: Communications, Leadership, and Compliance with Dr. Dennis Cummins

In this episode, Tom Fox welcomes Dr. Dennis Cummins to discuss his latest book, Invitational Selling: The Human Connection Advantage. Dr. Cummins is a renowned expert in the field of invitational selling, with extensive experience presenting and selling from the stage globally. He discovered that prioritizing conversations and genuine connections over high-pressure sales tactics not only aligned with his values but also enhanced his effectiveness in sales. This led him to develop the concept of invitational selling, which emphasizes sharing one’s gifts and talents to empower others and help them benefit from available services. Dr. Cummins encapsulated his philosophy in his new book, leveraging his global speaking engagements and interactions with various companies.

In his book Dr. Cummins emphasizes the importance of building authentic connections in sales rather than relying on high-pressure tactics. He introduces the concept of ‘Invitational Selling,’ which involves connecting with customers, conveying the benefits, and inviting them to engage, thereby fostering genuine relationships and enhancing sales effectiveness. This approach is applicable not only in sales but also in leadership and family dynamics, promoting engagement and collaboration through invitation rather than coercion. As customers are inundated with sales messages and wary due to information overload, prioritizing empathy and understanding separates successful sales professionals in a technology-driven world. Real-life examples, such as Lauren’s bead bracelets, highlight that product value extends beyond materials to the emotional connections and meanings they hold for customers. Committed to giving back, he has pledged all proceeds from the book’s initial launch to the Make-A-Wish Foundation.

Key highlights:

  • Authentic connections in sales enhance effectiveness and drive sales growth.
  • Invitational selling focuses on connecting, conveying, and converting to inspire buy-in from employees and foster collaboration.
  • Maintaining a personal touch and understanding customer needs sets sales professionals apart in a technology-driven world.
  • Balancing AI efficiency with personal elements is crucial to overcoming trust issues and fostering genuine connections.
  • The true value of a product lies in the emotions, connections, and meanings it represents to individuals.

Resources:

Invitational Selling: The Human Connection Advantage

Dr. Dennis Cummins on LinkedIn

 Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.