The Odyssey and Compliance, Part 3 – Circe’s Island: Third-Party Influence and Culture Capture

We continue our on our series of compliance lessons from The Odyssey. Today we consider the tale of Circe’s Island and how third parties can not simply influence but also capture organizations.

Odysseus had seen danger before. He had survived war, storms, and the occasional poor travel decision that would have caused any modern risk committee to request an immediate meeting. But then he came to Circe’s island, where the threat did not begin with open violence. It began with hospitality. Circe welcomed Odysseus’s men. She offered food. She offered drink. She offered comfort. Then, in one of the more memorable compliance-adjacent transformations in Greek mythology, she turned them into swine.

Subtle? Not especially. Useful for corporate compliance? Absolutely. In the corporate world, third parties rarely transform employees into literal pigs. That would at least make the investigation easier. The modern version is quieter. A consultant becomes indispensable. A reseller knows “how things work here.” A lobbyist explains that the official process is for amateurs. A distributor normalizes side payments. A strategic partner starts shaping internal decisions. A vendor’s gifts, favors, travel, and access slowly change what employees consider acceptable.

No one wakes up and says, “Today I shall surrender my professional judgment.” Instead, judgment gets softened. Then stretched. Then outsourced. That is Circe’s island.

The Corporate Translation

Circe is the consultant, agent, lobbyist, reseller, distributor, broker, introducer, or strategic partner who makes questionable conduct feel sophisticated. She does not have to say, “Break the rules.” That would be too obvious. She says something more dangerous:

“This is how business is done.”

“Everyone uses this structure.”

“You are being too rigid.”

“The policy was not written for this situation.”

“You can trust me.”

“We have relationships you do not have.”

That is the language of culture capture. The third party does not merely provide a service. The third party begins to influence the organization’s standards. This is why third-party risk is not just a procurement issue. It is not just an anti-bribery issue. It is not just a contracting issue. It is a culture issue. The most dangerous third parties do not always demand a bribe. Sometimes they simply change what your people think is normal.

The Paperwork Trap

Most companies have a third-party process. There is a questionnaire. There is a risk rating. There is a certification. There is a contract clause. Somewhere, there may even be a spreadsheet with conditional formatting, because nothing says “control environment” like a cell turning amber. These tools matter. But paperwork alone does not manage influence.

A company can collect every form and still miss the real risk. Who is this third party influencing? Who inside the company is advocating for them? Why are they needed? What access do they have? What discretion do they exercise? Are they interacting with government officials, customers, healthcare professionals, regulators, state-owned entities, procurement teams, or other sensitive stakeholders? Are they being paid in a way that makes sense? Are they actually doing the work? Are they unusually close to the decision-maker?

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether companies apply risk-based due diligence to third-party relationships and understand the qualifications, associations, business rationale, reputation, compensation, and actual services performed by third parties. It also asks whether companies engage in ongoing monitoring through refreshed due diligence, training, audits, or certifications.

That is the point. Third-party compliance is not a one-time onboarding ritual. It is a relationship management discipline. Circe’s danger was not that she existed. The danger was that Odysseus’s men entered her house without understanding the risk.

Gifts, Hospitality, and the Slow Erosion of Judgment

Gifts and hospitality are often discussed as if the only question is whether the amount is above or below a policy threshold. That is too narrow. A meal may be permissible and still influential. A conference invitation may be properly approved and still create pressure. A vendor-sponsored trip may be documented and still tilt the relationship. A series of small favors may do more damage to independence than one obviously improper gift.

Compliance officers understand this. Business leaders sometimes resist it because influence is uncomfortable to discuss. No one wants to admit that lunch, access, flattery, or convenience can affect judgment. We prefer to believe we are all rational actors, floating above human weakness like minor gods with expense reports. We are not.

Behavioral ethics teaches a humbler lesson: people are influenced by relationships, reciprocity, loyalty, fatigue, social norms, and self-interest. A third party who becomes a friend, fixer, sponsor, or “trusted guide” can reshape decisions without issuing a single improper instruction.

That is why gifts and hospitality controls should look beyond monetary value. They should examine frequency, timing, recipient role, pending decisions, public-sector touchpoints, tender activity, regulatory matters, and cumulative patterns. The better question is not only, “Was this gift allowed?” The better question is, “What might this gift be trying to make feel normal?”

Conflicts of Interest: Circe with a Business Card

Conflicts of interest are another form of enchantment. The employee recommends a vendor owned by a family member. A manager hires a consultant who previously employed him. A procurement lead has a side investment in a supplier. A sales executive pushes a reseller because the reseller has promised future employment. A board member has ties to a strategic partner.

Often, the conflicted person does not experience the conflict as corruption. They experience it as trust.

“I know them.”

“They are good people.”

“They understand our business.”

“This will move faster.”

That may all be true. It may also be irrelevant. Conflicts do not require proof that someone acted dishonestly. A conflict means personal interest may interfere, or appear to interfere, with professional judgment. In compliance, appearance matters because trust matters. Circe did not need to tell the crew they were compromised. They simply became something other than what they had been. That is what unmanaged conflicts do. They transform decision-makers into advocates for interests they may not even fully recognize.

Risk-Based Due Diligence Means Asking Better Questions

A strong third-party program should be risk-based. That does not mean treating every vendor like a potential international crime syndicate. It means applying the right level of scrutiny to the right relationship. The office coffee supplier probably does not need the same review as a customs broker, government-facing consultant, high-commission sales agent, data processor, clinical partner, reseller, lobbyist, or distributor in a high-risk market.

Risk-based due diligence should ask direct questions:

What will this third party do for us?

Why do we need them?

Who selected them?

What relationships do they bring?

How will they be paid?

What access will they receive?

What decisions can they influence?

What laws, regulations, or policy areas do they touch?

What red flags appeared, and how were they resolved?

The ECCP also emphasizes risk assessment across factors such as business partners, use of third parties, gifts, travel, entertainment, and other areas that may shape misconduct risk. That is a useful reminder: third-party risk rarely travels alone. It often brings friends. Gifts risk. Conflicts risk. Books-and-records risk. Data risk. Sanctions risk. Cyber risk. Antitrust risk. Fraud risk. Reputational risk. Circe’s island is crowded.

Training the People Who Meet Circe

Third-party policies are necessary, but people need training before they are sitting across the table from Circe. Sales teams need to understand reseller and agent red flags. Procurement teams need to spot conflicts and unusual payment terms. Finance needs to recognize vague invoices, round-dollar payments, split payments, and services that cannot be verified. Legal needs to ensure contracts describe real services and include audit, termination, compliance, and cooperation rights. Business sponsors need to understand that “I trust them” is not due diligence.

The ECCP asks whether training and communications are tailored to the audience and whether companies provide practical guidance, case studies, and ways for employees to get ethics advice as issues arise. It also contemplates training for appropriate agents and business partners. That is exactly right.

Do not train employees only on the policy. Train them on the moment. The moment when the consultant says the invoice needs to be vague. The moment when the distributor asks for payment to an offshore account. The moment when the lobbyist says no one can know about the meeting. The moment when the vendor offers to fly the team to a “strategy session” at a resort suspiciously light on strategy. The moment when the business sponsor says, “Compliance is slowing this down.” That is where the program either works or becomes decorative.

What a Better Program Does

A better third-party program examines influence, not just paperwork. It connects due diligence, contracting, training, payment controls, gifts and hospitality, conflicts disclosures, monitoring, audits, and termination rights. It reviews third-party activity after onboarding. It checks whether services were actually performed. It compares compensation to market value. It looks for unusual payment structures. It refreshes diligence when risk changes. It trains business sponsors, not just compliance staff. It monitors the internal champions who may become too close to the third party they manage.

Most importantly, it gives employees permission to be skeptical. Not cynical. Skeptical. There is a difference. Cynicism says everyone is corrupt. Skepticism says trust should be supported by facts, controls, and accountability. Odysseus survived Circe because he received warning, protection, and guidance before walking into the risk. Your employees need the same. Preferably without needing Hermes to appear with magical herbs.

The Compliance Takeaway

Circe’s island is not just a story about transformation. It is a story about influence. Third parties can help companies grow, enter new markets, solve complex problems, and operate more effectively. Many are essential. Many are ethical. Many know things the company genuinely needs to know. But a third party should never become a substitute for the company’s judgment. When a consultant, agent, reseller, lobbyist, vendor, or strategic partner begins to redefine what is acceptable, the company has moved from third-party management to third-party capture.

That is the lesson for compliance officers and business leaders. Do not ask only whether the forms are complete. Ask whether the relationship is changing behavior. Ask whether gifts, conflicts, access, dependence, or pressure are making questionable conduct feel normal. Ask whether employees still know where the company’s standards end and Circe’s influence begins. Because in business, as in mythology, transformation rarely announces itself. One day your people are professionals exercising independent judgment. The next day they are defending the island.

Join us on Thursday for Post 4 where we consider The Cattle of Helios: Non-Negotiables and Control Breaches.

Leave a Reply

Your email address will not be published. Required fields are marked *

What are you looking for?