Category: Blog

The DCRO Institute’s 10 Guiding Principles for Reputation Risk Governance

If the Astronomer imbroglio reminded all corporate types of one thing, it is that a company’s reputation is not just a “soft” asset. It is a core driver of enterprise value and a powerful amplifier of risk. When things go wrong, it is rarely just about bad headlines. It is rather about broken trust, unmet stakeholder expectations, and long-term damage to market credibility.

The DCRO Institute’s Guiding Principles for Reputation Risk Governance (Guiding Principles) make a clear case that reputation must be treated with the same rigor as any other mission-critical risk. This is not the exclusive domain of the communications team. It is a strategic governance imperative that demands board-level oversight, integrated enterprise risk management, and proactive preparation well before a crisis hits.

The document outlines 10 guiding principles, grouped into three themes:

  • Integrated Oversight—reputation as a strategic and material driver of value, rooted in operations and culture, and embedded across the enterprise ecosystem.
  • Outside-In Context and Intelligence—governance that is company-driven, stakeholder-informed, and alert to geopolitical, digital, and technological disruption.
  • Board Readiness—systems, preparation, and agility to respond with credibility under pressure.

The Guiding Principles provide a roadmap for boards to integrate reputation oversight into the core of enterprise risk governance. Today I want to explore the 10 Principles. Tomorrow, we will consider how they apply to the compliance professional. Here is a breakdown of each principle for directors committed to protecting and enhancing stakeholder trust.

1. Reputation is Both a Strategic Asset and a Source of Material Risk

Boards must recognize reputation as a driver of enterprise value and resilience, not merely an intangible “soft” concern. A strong reputation can attract capital, talent, and customers, while a damaged one can accelerate financial losses, regulatory scrutiny, and operational disruption. This means defining a board-level “reputation risk appetite” and ensuring systems are in place to monitor, protect, and enhance reputation. Reputation governance includes aligning all public disclosures with the company’s purpose and operating reality. For directors, the question is not “Do we have a good reputation?” but “Do we govern it with the same rigor as other strategic assets?”

2. The Board Oversees Reputation Risk

Reputation risk oversight is ultimately the board’s responsibility. While it may not appear as a standalone item on the risk register, directors must ensure it is systematically addressed and that accountability is clear. This may involve assigning oversight to a specific committee, providing management reports regularly on reputation risk indicators, and probing for vulnerabilities across the enterprise. Globally, regulators and investors expect boards to demonstrate they can anticipate and respond to risks affecting stakeholder trust. Governance failures on this front can lead not just to enterprise harm but also to personal liability for directors.

3. Operations and Culture are the Roots of Reputation

Messaging cannot substitute for reality. Reputation is built on how the organization operates and the culture it sustains. Directors must oversee culture and operational integrity with the same discipline applied to financial performance. This means asking whether incentives support long-term trust, whether operations reflect stated values, and whether the organization maintains a credible speak-up culture. A misaligned culture will eventually undermine trust, regardless of how polished the communications are. Effective governance of culture and operations is governance of reputation at its source.

4. Reputation Risk Governance Must Be Embedded Across the Enterprise Ecosystem

Reputation risk can emerge from any corner of the business—internal operations, third-party relationships, digital ecosystems, or the supply chain. Boards should ensure reputation considerations are embedded into enterprise risk management, strategy, finance, operations, and technology governance. This includes evaluating upstream and downstream dependencies, assessing how vendors and partners affect trust, and stress-testing major decisions for reputational impact before they are executed. The goal is to move from reactive crisis management to proactive resilience-building by embedding reputation governance in the organization’s DNA.

5. Reputation Risk Governance Must Be Company-Driven, Stakeholder-Informed, and Context-Aware

Boards must balance the company’s purpose and strategy with an acute awareness of stakeholder expectations and the external environment. This requires monitoring political, legal, regulatory, and social trends that can affect trust and license to operate. Directors should expect management to integrate stakeholder intelligence into decision-making, identifying potential inflection points before they escalate into crises. Governance here is about foresight—using an outside-in perspective to anticipate risks and opportunities that may not yet be visible from inside the boardroom.

6. Boards Need Early, Integrated Intelligence to Govern Reputation Risk

Reputation can erode quickly in today’s environment, making early detection critical. Boards should insist on receiving integrated intelligence that connects signals from markets, regulators, stakeholders, and digital platforms. This intelligence should be real-time, forward-looking, and actionable—not just retrospective. Integrated reporting allows directors to connect the dots between seemingly isolated developments and spot emerging vulnerabilities. Without this, boards risk being blindsided and forced into reactive, high-stakes decision-making under pressure.

7. Reputation Oversight Must Consider the Convergence of Cyber, AI, and Digital Threats

The accelerating intersection of cyber risk, artificial intelligence, and digital influence creates a new frontier for reputation governance. Breaches and misinformation campaigns can now undermine trust faster than traditional crisis response can react. Boards must ensure risk, technology, and communications functions are not siloed. Instead, they should be aligned to anticipate and respond to digitally driven threats that can originate far outside the company’s direct control. For directors, this means adding technology fluency to the board’s skill set and integrating digital risk into reputation oversight frameworks.

8. Reputation Resilience Comes from Being Proactive, Systematic, and Adaptive

Resilient reputations are built over time through consistent preparation, not improvised in crisis. Boards should ensure that management maintains playbooks, conducts simulations, and has coordinated response protocols ready. Reputation resilience also includes ensuring that insurance strategies, including reputation insurance where applicable, align with the company’s risk profile. Ultimately, directors must oversee how leadership behaves under pressure and whether stakeholders can trust the organization’s values when it matters most.

9. Reputation Risk Can Create Organizational and Director Liability

Reputation damage can lead to financial losses, regulatory sanctions, and, in some cases, personal liability for directors. Evolving legal standards, such as the U.S. Caremark doctrine, now extend to oversight of culture, conduct, and stakeholder trust. Boards must understand both the organization’s exposure and their own. This includes evaluating whether D&O insurance adequately addresses reputational crises and considering supplemental protections such as reputation insurance. Governance here is as much about legal risk management as it is about stakeholder trust.

10. Overseeing Reputation Risk Requires Being Prepared, Agile, and Emotionally Aware

High-stakes situations often trigger intense emotions and competing instincts. Directors must be able to navigate these moments with emotional intelligence, self-awareness, and clarity. This requires both personal readiness and board-level discipline in applying values and principles under pressure. Boards should practice decision-making in simulated scenarios, ensuring they can maintain tone, empathy, and transparency while protecting the organization’s integrity. In the end, reputation governance is not purely technical; it is about the human capacity to lead under scrutiny.

These ten principles reinforce a truth every board should embrace: reputation is not a peripheral concern but a central pillar of corporate governance. Boards that integrate these principles into their oversight structures will not only better protect enterprise value but also strengthen their company’s capacity to lead with trust in a volatile, transparent world.

Join us tomorrow, where we explain what all this means for a compliance professional.

Category: The Ethics Experts

Episode 226 – Fabiana Klajner Leschziner

In this episode of The Ethics Experts, Nick welcomes Fabiana Klajner Leschziner.

Fabiana has been Embraer’s Chief Compliance and Governance Officer since January 2025. From June 2016 to December 2024, she was the company’s Executive Vice President, General Counsel & Chief Compliance Officer. Before joining Embraer, she worked at DuPont in Brazil from September 2002 to June 2016 as Legal Director for Brazil and the Andean Region, responsible for the legal aspects of all DuPont businesses in Brazil, Colombia, Venezuela, Peru, Ecuador and Bolivia. From June 1998 to December 2001, Fabiana was an associate at Davis Polk & Wardwell in New York.

Fabiana graduated from the University of São Paulo School of Law in 1993 and earned an LL.M. degree from Cornell Law School (Ithaca, USA) in 1998. She specialized in corporate law, corporate finance, capital markets, antitrust, international trade and compliance.

Category: Corruption, Crime and Compliance

Cadence Systems Pays $140 Million for Trade Violations and Pleads Guilty to Criminal Export Control Conspiracy

What happens when a company tries to outsmart the system – and gets caught red-handed by the DOJ in a $140 million export control scheme tied to Chinese military supercomputers?

In this episode, Michael dives into the DOJ’s criminal enforcement action against Cadence Design Systems – a case that marks yet another major step in the DOJ’s rapidly unfolding trade enforcement strategy. We’re no longer in the FCPA era. This is a whole new ballgame, where national security and trade compliance have collided, and companies that haven’t adjusted are already behind.

You’ll hear him discuss:

  • Why Cadence’s plea deal – not a DPA or NPA – is such a big deal
  • How the DOJ and BIS coordinated to secure over $140 million in criminal and civil penalties
  • The simple, sloppy scheme that involved fake names, hidden aliases, and blatant attempts to skirt export controls
  • Why partial cooperation didn’t earn Cadence a full credit reduction – and what they failed to do
  • The shocking compliance gap: only one export control officer handling global risk
  • What this case signals about the DOJ’s growing focus on national security and semiconductor enforcement
  • Why ethics, due diligence, and transaction monitoring are still your best defense
  • How companies can avoid getting blindsided by embracing the new trade enforcement landscape

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Category: AI Today in 5

AI Today in 5: August 11, 2025, The ACHILLES Project Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox brings you five stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories about AI drawn from the business world, compliance, ethics, risk management, leadership, or general interest.

  • Will the ACHILLES Project simplify AI regs in the EU? (InnovationNewsNetwork)
  • AI – data privacy and governance in pharma. (EPR)
  • Compliance risks with AI integration. (InsuranceBusinessMag)
  • GenAI for tax and customs compliance. (IMF)
  • Will GenAI end ‘check the box’ compliance? (CCI)

For more information on the use of AI in compliance programs, see Tom Fox’s new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Category: FCPA Compliance Report

FCPA Compliance Report – Episode 770 – Integrating ESG in Global Outsourcing: Insights from Inge Zwick

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Inge Zwick, ESG lead at Emapta Global, to discuss how the global outsourcing company integrates environmental, social, and governance (ESG) practices into its operations.

Inge explains Emapta Global’s presence, compliance strategies, and the importance of ESG in improving business efficiency. The conversation delves into the regional differences in ESG priorities and provides insights into how Emapta meets diverse client expectations across the globe. Inge also shares her passion for ESG, strategies for embedding ESG in corporate culture, and the benefits of ESG as a business differentiator. The episode concludes with practical takeaways for integrating ESG authentically into outsourcing models.

Key highlights:

  • Inge’s Journey into ESG Leadership
  • Understanding ESG Frameworks
  • Regional Differences in ESG Practices
  • Implementing ESG Across Global Markets
  • ESG as a Business Differentiator
  • Embedding ESG into Corporate Culture

Resources:

Connect with Inge Zwick

Connect with Emapta Global

Tom Fox: Instagram | Facebook | YouTube | Twitter | LinkedIn

For more information on the use of AI in compliance programs, see Tom Fox’s new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Category: Adventures in Compliance

Adventures in Compliance: The Novels – The Valley of Fear, Sherlock Holmes’ Investigative Techniques for Today’s Challenges

In this new season of Adventures in Compliance, host Tom Fox takes a deep dive into the Sherlock Holmes novels, devoting a four-part series to each one. The four novels we consider from the ethics and compliance perspective are A Study in Scarlet, The Sign of Four, The Hound of the Baskervilles, and The Valley of Fear. For the month of August, we conclude this season with the least well-known of the Sherlock Holmes novels, The Valley of Fear.

In Part 2, Timothy and Fiona return to continue our exploration of The Valley of Fear, where we delve into five key investigative lessons from Sherlock Holmes. Discover how Holmes’ methods of questioning initial facts, emphasizing collaborative efforts, maintaining patience, keeping a big-picture perspective, and communicating findings effectively can be applied to modern corporate and personal challenges. Learn to approach information gathering with meticulous scrutiny and uncover bigger truths hidden in the details.

Key highlights:

  • Sherlock Holmes’ Relevance Today
  • Lesson 1: Question Everything
  • Lesson 2: Investigative Cooperation
  • Lesson 3: Patience and Persistence
  • Lesson 4: Big Picture Perspective
  • Lesson 5: Effective Communication

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ by Dave Thompson

Connect with Tom Fox: Instagram | Facebook | YouTube | Twitter | LinkedIn

Category: Trekking Through Compliance

Trekking Through Compliance: Episode 71 – Surviving the Unknown: Risk Management Lessons from “That Which Survives”

In compliance, risk management is more than a checklist. It is the ongoing discipline of identifying threats, assessing their potential impact, and implementing measures to mitigate or neutralize them before they cause harm.

Few Star Trek episodes illustrate the escalating consequences of underestimated risks as effectively as That Which Survives. In it, the Enterprise crew encounters a seemingly lifeless planet guarded by Losira, an alien projection who can kill with a single touch. Her purpose is to protect the planet’s secrets, but her method is indiscriminate, deadly, and poorly aligned to the situation at hand.

For compliance professionals, this episode offers five important lessons on anticipating, assessing, and responding to risks, both known and unknown, within an organization.

Lesson 1: Identify Risks Before Engaging in New Ventures

Illustrated By: The Enterprise arrives at an uncharted planet. Within moments, a mysterious woman materializes and kills a crew member simply by touching him.

Compliance Lesson. Too often, companies rush into new markets, partnerships, or projects without conducting a thorough risk assessment. This can expose the organization to sanctions violations, corruption risks, cybersecurity vulnerabilities, or operational failures.

Lesson 2: Understand That Some Risks Are Intelligent and Adaptive

Illustrated By: Losira targets specific individuals and adapts her approach to their vulnerabilities.

Compliance Lesson. Not all risks are static. Fraudsters change tactics, cyber threats evolve, and corrupt third parties find new ways to conceal misconduct. A compliance program must anticipate that some risks will actively seek to bypass controls.

Lesson 3: Don’t Dismiss Low-Probability, High-Impact Threats

Illustrated By: At first, the crew assumes Losira’s appearances are isolated incidents, but they quickly realize she poses an existential threat.

Compliance Lesson. Rare events, such as a single high-value bribery transaction, a lone rogue employee, or a targeted cyberattack, can have catastrophic consequences. Organizations sometimes underprepare for these scenarios because they seem unlikely.

Lesson 4: Risk Mitigation Requires Cross-Functional Coordination

Illustrated By: The landing party on the planet and the Enterprise crew in orbit are each facing threats from Losira, but their survival depends on sharing information and coordinating responses. Without clear communication, both groups would be doomed.

Compliance Lesson. Compliance cannot manage risk in isolation. It must work with legal, internal audit, operations, IT, and HR to identify threats and implement controls.

Lesson 5: Address the Root Cause, Not Just the Symptoms

Illustrated By: The crew eventually discovers that Losira is an automated defense mechanism left behind by an extinct race. Once the crew understands her origin and purpose, they can neutralize the threat.

Compliance Lesson. In risk management, addressing surface-level problems without finding the underlying cause only delays future incidents. Compliance should integrate root cause analysis into all investigations.

Final ComplianceLog Reflections

That Which Survives is more than a suspense episode; it is a cautionary tale about the dangers of underestimating risk. Losira was not inherently evil; she was a misunderstood, unexamined part of an environment the crew did not fully assess before engagement.

The compliance officer’s mandate is to ensure the company doesn’t make the same mistake: to scan for threats before beaming in, to adapt to risks that evolve, to prepare for unlikely but devastating events, to coordinate across the enterprise, and to address the root cause when problems arise. Risk management is not just about surviving; it is about ensuring that your organization thrives in any environment, whether it’s an unexplored planet or a rapidly changing market.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Category: Compliance Tip of the Day

Compliance Tip of the Day – The ROI of Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we begin a multipart look at thinking through the ROI of your compliance program.

For more on this topic, check out The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Category: Blog

Risk Management in Compliance: Five Lessons from Star Trek’s That Which Survives

In compliance, risk management is more than a checklist. It is the ongoing discipline of identifying threats, assessing their potential impact, and implementing measures to mitigate or neutralize them before they cause harm.

Few Star Trek episodes illustrate the escalating consequences of underestimated risks as effectively as That Which Survives. In it, the Enterprise crew encounters a seemingly lifeless planet guarded by Losira, an alien projection who can kill with a single touch. Her purpose is to protect the planet’s secrets, but her method is indiscriminate, deadly, and poorly aligned to the situation at hand.

For compliance professionals, this episode offers five important lessons on anticipating, assessing, and responding to risks, both known and unknown, within an organization.

Lesson 1: Identify Risks Before Engaging in New Ventures

Illustrated By: The Enterprise arrives at an uncharted planet, scans it briefly, and beams down a landing party. Within moments, a mysterious woman materializes and kills a crew member simply by touching him.

Compliance Lesson. Too often, companies rush into new markets, partnerships, or projects without conducting a thorough risk assessment. This can expose the organization to sanctions violations, corruption risks, cybersecurity vulnerabilities, or operational failures. Compliance should lead or be deeply involved in pre-engagement risk assessments. Before “beaming down” into a new business environment, map potential threats—regulatory, operational, reputational—and identify safeguards. Skipping this step can lead to preventable harm and costly remediation.

Lesson 2: Understand That Some Risks Are Intelligent and Adaptive

Illustrated By: Losira’s ability to appear anywhere, both on the planet and aboard the Enterprise, shows she is not a passive hazard. She targets specific individuals and adapts her approach to their vulnerabilities.

Compliance Lesson. Not all risks are static. Fraudsters change tactics, cyber threats evolve, and corrupt third parties find new ways to conceal misconduct. A compliance program must anticipate that some risks will actively seek to bypass controls. Build adaptive monitoring into your compliance systems. Use continuous transaction monitoring, real-time alerts, and data analytics to detect changes in patterns. A one-time risk assessment is not enough—ongoing vigilance is essential.

Lesson 3: Don’t Dismiss Low-Probability, High-Impact Threats

Illustrated By: At first, the crew assumes Losira’s appearances are isolated incidents, but they quickly realize she poses an existential threat. Even though she is only one individual, her capabilities could destroy the Enterprise if not addressed.

Compliance Lesson. Rare events, such as a single high-value bribery transaction, a lone rogue employee, or a targeted cyberattack, can have catastrophic consequences. Organizations sometimes underprepare for these scenarios because they seem unlikely. Compliance departments should incorporate low-probability, high-impact risks into the risk register. Conduct tabletop exercises to simulate rare but potentially devastating events, ensuring the organization has both prevention and response plans in place.

Lesson 4: Risk Mitigation Requires Cross-Functional Coordination

Illustrated By: The landing party on the planet and the Enterprise crew in orbit are each facing threats from Losira, but their survival depends on sharing information and coordinating responses. Without clear communication, both groups would be doomed.

Compliance Lesson. Compliance cannot manage risk in isolation. It must work with legal, internal audit, operations, IT, and HR to identify threats and implement controls. Silos breed blind spots, and blind spots breed crises. Establish cross-functional risk committees or working groups. Ensure that incident reporting and escalation procedures are well understood across departments. Make compliance the hub of a collaborative risk network, not a separate spoke.

Lesson 5: Address the Root Cause, Not Just the Symptoms

Illustrated By: The crew eventually discovers that Losira is an automated defense mechanism left behind by an extinct race. She’s not malicious—she’s simply executing a program without context or adaptability. Once the crew understands her origin and purpose, they can neutralize the threat.

Compliance Lesson. In risk management, addressing surface-level problems without finding the underlying cause only delays future incidents. For example, punishing an employee for violating a policy without examining why the policy was ignored leaves the organization vulnerable to repeat violations. Compliance should integrate root cause analysis into all investigations. Whether it’s a process flaw, cultural issue, or oversight gap, solving the real problem is the only way to reduce recurrence.

The Enterprise as a Risk Management Model

Captain Kirk and his crew succeed not because they are lucky, but because they adapt quickly, share intelligence, and dig deeper to understand the nature of the threat. These are precisely the attributes a corporate compliance department needs to lead risk management:

  • Proactive assessment before engagement.
  • Adaptive controls that respond to evolving risks.
  • Preparation for rare but high-impact events.
  • Collaboration across organizational functions.
  • Root cause remediation for lasting solutions.

Practical Compliance Takeaways

From That Which Survives, compliance professionals can draw these operational insights:

  1. Integrate Compliance Early—Risk management starts before contracts are signed or operations begin, not after.
  2. Invest in Technology—Data analytics, AI monitoring, and continuous auditing tools make adaptive risk management possible.
  3. Conduct Scenario Planning—Practice responding to “Losira-like” threats: targeted, intelligent, and hard to predict.
  4. Build Risk Alliances—Partner with all departments to create a unified threat picture.
  5. Close the Loop—Use each incident to strengthen your program against future threats.

Final ComplianceLog Reflections

That Which Survives is more than a suspense episode; it is a cautionary tale about the dangers of underestimating risk. Losira was not inherently evil; she was a misunderstood, unexamined part of an environment the crew did not fully assess before engagement.

The compliance officer’s mandate is to ensure the company doesn’t make the same mistake: to scan for threats before beaming in, to adapt to risks that evolve, to prepare for unlikely but devastating events, to coordinate across the enterprise, and to address the root cause when problems arise.

In other words, risk management is not just about surviving; it is about ensuring that your organization thrives in any environment, whether it’s an unexplored planet or a rapidly changing market.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Category: Daily Compliance News

Daily Compliance News: August 11, 2025, The Boss Doesn’t Work Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories for the compliance professional drawn from the business world, compliance, ethics, risk management, leadership, or general interest.

Top stories include:

  • The Pistons’ Malik Beasley is facing gambling allegations. (NYPost)
  • The US wants Nigerians to comply with visa obligations. (ChannelsTV)
  • What happens when the boss doesn’t work? (NYT)
  • How about a secure workplace to facilitate compliance? (KXAN)

You can donate to flood relief for victims of the Kerr County flooding by going to the Hill Country Flood Relief here.