Categories
Innovation in Compliance

Innovation in Compliance: Rethinking SpeakUp: UX, Trust, and AI in Whistleblowing and Investigations with Tim Morss

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Tim Morss, CEO at SpeakUp, about the evolution of speak-up systems from the employee perspective.

Morss describes his background in compliance technology and SpeakUp’s global footprint, emphasizing that employee expectations favor frictionless, mobile-first, intuitive reporting with transparency and feedback over 800-number hotlines and complex forms. He notes common program gaps: hard-to-find reporting channels, poor mobile experiences, overreliance on telephony (especially problematic for non-English speakers), insufficient guidance on what to report, and weak trust due to lack of follow-up and perceived inaction. They consider generational preferences, privacy-aware deployment, such as QR code placement, and AI use cases such as multilingual voice intake for illiterate supply-chain workers, while cautioning against unsafe AI practices and autonomous decision-making. Morss highlights investigative management as a major opportunity beyond basic case repositories and forecasts greater AI-driven integration with in-house systems amid geopolitical and regulatory divergence.

Key highlights:

  • Employee Expectations Shift
  • Common SpeakUp Mistakes
  • Trust and Anti-Retaliation
  • Gen Z Reporting Channels
  • AI Voice for Workers
  • One Practical CCO Tip

Resources:

Connect with Tim Morss on LinkedIn

SpeakUp

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Categories
Blog

The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? The article also makes an important distinction between “alignment” and “agreement.” Alignment may mean only that executives are not actively blocking one another. Agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. The article also describes the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a quality debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Come to a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.

Categories
Blog

The Miri Mandate: Compliance Lessons in Crisis and Contingency

Show Summary

Today, we explore one of the eeriest and most profound cautionary tales in the Star Trek canon—Miri. When the crew responds to a distress signal from a planet that’s an exact duplicate of Earth, they find a society ravaged by a failed experiment in human longevity. Only children remain, while the adult “grups” have all died from a virulent disease.

This haunting story is not science fiction. It’s a case study of what happens when risk management is treated as an afterthought. We draw parallels between the biohazard breakdowns on the planet and the kinds of failures that modern compliance officers must guard against, whether in public health readiness, supply chain risk, or workforce welfare.

Key Highlights and Risk Management Case Illustrations

1. Disaster Preparedness—A Cure Without a Contingency Plan

Illustrated by: The civilization’s experiment to extend life, which instead wipes out all adults.

This central failure underscores the risks associated with scientific advancement that lacks proper risk assessment. The developers had no fallback, no regulatory oversight, and no crisis management framework. For compliance professionals, this serves as a reminder that innovation must be paired with effective scenario planning and disaster recovery protocols.

2. Environmental and Public Health Compliance—Invisible Risks Become Existential Threats

Illustrated by: The crew’s infection with the disease upon beaming down, with lesions appearing days later.

This serves as a metaphor for health and safety non-compliance. Enterprises must be vigilant about how workplace conditions, unseen hazards, and biological risks can impact staff and operations. Proactive monitoring and rapid-response mechanisms are essential components of any risk management strategy.

3. Data Governance and Early Warning Systems—Responding Too Late

Illustrated by: The automated distress signal continued even though no adult survivors remained.

The signal was still active, but no one was listening until it was far too late. In modern organizations, this is equivalent to ignoring audit logs, internal control alerts, or whistleblower reports that go unread. A culture of attentiveness to data and signals is crucial to catching issues before they cascade.

4. Supply Chain Risk—Critical Resource Shortages in the Field

Illustrated by: The crew’s struggle to develop a cure under limited time, with no labs and deteriorating conditions.

Kirk and McCoy were caught without adequate resources. This scenario mirrors the real-world risks companies face when they lack supply chain redundancy, fail to audit vendor health, or fail to plan for logistical disruptions. A robust compliance framework includes stress-testing the supply chain for resilience under duress.

5. Employee Welfare and Isolation—Psychological and Ethical Concerns in Hazard Zones

Illustrated by: Spock’s decision not to return to the Enterprise due to the risk of contamination.

Spock’s sacrifice is a model of ethical risk containment. In any risk environment, whether it is a pandemic, a data breach, or financial misconduct, companies must empower employees to make ethically sound decisions while providing mental health support for those isolated by crisis-response roles.

Final ComplianceLog Reflections

Miri is a chilling illustration of what happens when ambition outpaces ethics and planning. The children left behind are the victims of a society that prioritizes progress over protection. For compliance professionals, this episode serves as a vivid reminder that a well-crafted compliance program is not just about preventing misconduct; rather, it is about preparing for the unknown.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
The Ethics Experts

Episode 256 – Maeve O’Neill

In this episode of The Ethics Experts, Nick Gallo welcomes Maeve O’Neill.

Maeve has worked in behavioral health for over 35 years: 20 years in the Washington DC, Maryland and Virginia area, then Texas since 2006, and the last 15 years nationally with jobs covering multiple state locations. Her first 10 years were in direct clinical service with all populations, 10 years in program management with all settings, and the last 15 years in executive leadership with national organizations specializing in Ethics and Compliance. As a former Behavioral Health Surveyor with The Joint Commission and with a long career committed to excellence, she has a passion for quality and safe care as well as happy and healthy staff.

Combining all her experience and education, she most enjoys facilitating staff, team and leadership educational support and development programs for behavioral health professionals to engage staff, empower teams and enhance organizational culture focused on resilience, regulation and reliability, utilizing the research-based work of Brené Brown. Maeve believes this is the roadmap to prevent burnout, detect turnover and correct cultures to ensure healthy and happy staff who are ethical and compliant to provide quality and safe care.

Most importantly, Maeve is a parent to 2 young adult children, Aidan and Delaney, who are guides and supports on the journey and who inspire her the most. She currently serves as the National Compliance Director at Circa Behavioral Healthcare Solutions!

Connect with Maeve on LinkedIn

Categories
Blog

Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations: no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role, which would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief risk and resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

Who owns each critical business service? What are the maximum tolerable disruptions? What systems, people, facilities, data, and third parties support each service? What severe but plausible scenarios have been tested? What vulnerabilities were identified? Who owns remediation? What evidence shows that remediation worked? What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.

Categories
FCPA Compliance Report

FCPA Compliance Report: Leading with Invitation: Communications, Leadership, and Compliance with Dr. Dennis Cummins

In this episode, Tom Fox welcomes Dr. Dennis Cummins to discuss his latest book, Invitational Selling: The Human Connection Advantage. Dr. Cummins is a renowned expert in the field of invitational selling, with extensive experience presenting and selling from the stage globally. He discovered that prioritizing conversations and genuine connections over high-pressure sales tactics not only aligned with his values but also enhanced his effectiveness in sales. This led him to develop the concept of invitational selling, which emphasizes sharing one’s gifts and talents to empower others and help them benefit from available services. Dr. Cummins encapsulated his philosophy in his new book, leveraging his global speaking engagements and interactions with various companies.

In his book, Dr. Cummins emphasizes the importance of building authentic connections in sales rather than relying on high-pressure tactics. He introduces the concept of ‘Invitational Selling,’ which involves connecting with customers, conveying the benefits, and inviting them to engage, thereby fostering genuine relationships and enhancing sales effectiveness. This approach applies not only to sales but also to leadership and family dynamics, promoting engagement and collaboration through invitation rather than coercion. As customers are inundated with sales messages and wary due to information overload, prioritizing empathy and understanding is what separates successful sales professionals in a technology-driven world. Real-life examples, such as Lauren’s bead bracelets, highlight that product value extends beyond materials to the emotional connections and meanings they hold for customers. Committed to giving back, he has pledged all proceeds from the book’s initial launch to the Make-A-Wish Foundation.

Key highlights:

  • Authentic connections in sales enhance effectiveness and drive sales growth.
  • Invitational selling focuses on connecting, conveying, and converting to inspire buy-in from employees and foster collaboration.
  • Maintaining a personal touch and understanding customer needs sets sales professionals apart in a technology-driven world.
  • Balancing AI efficiency with personal elements is crucial to overcoming trust issues and fostering genuine connections.
  • The true value of a product lies in the emotions, connections, and meanings it represents to individuals.

Resources:

Invitational Selling: The Human Connection Advantage

Dr. Dennis Cummins on LinkedIn


To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Trekking Through Compliance

Trekking Through Compliance: Miri: Crisis and Disaster Preparedness

In this episode of Trekking Through Compliance, we consider Miri, which aired on October 27, 1966, Star Date 2713.5, one of the eeriest and most profound cautionary tales in the Star Trek canon. When the crew responds to a distress signal from a planet that’s an exact duplicate of Earth, they find a society ravaged by a failed experiment in human longevity. Only children remain, while the adults, the “grups,” have all died from a virulent disease.

This haunting story is not simply science fiction. It is a case study of what happens when risk management is treated as an afterthought. We draw parallels between the biohazard breakdowns on the planet and the kinds of failures that modern compliance officers must guard against, whether in public health readiness, supply chain risk, or workforce welfare.

Key highlights:

1. Disaster Preparedness – A Cure Without a Contingency Plan

🖖Illustrated by: The civilization’s experiment to extend life that instead wipes out all adults.

This central failure highlights the risks associated with scientific advancement without proper risk assessment. For compliance professionals, this serves as a reminder that innovation must be paired with effective scenario planning and disaster recovery protocols.

2. Environmental and Public Health Compliance – Invisible Risks Become Existential Threats

🖖Illustrated by: The crew’s infection with the disease upon beaming down, with lesions appearing days later.

This serves as a metaphor for health and safety non-compliance. Proactive monitoring and rapid-response mechanisms are essential components of any risk management strategy.

3. Data Governance and Early Warning Systems – Responding Too Late

🖖Illustrated by: The automated distress signal continued even though no adult survivors remained.

The signal was still active—but no one was listening until it was far too late. A culture of attentiveness to data and signals is crucial to catching issues before they cascade.

4. Supply Chain Risk – Critical Resource Shortages in the Field

🖖Illustrated by: The crew’s struggle to develop a cure under limited time, with no labs and deteriorating conditions.

Kirk and McCoy were caught without adequate resources. This scenario mirrors the real-world risks companies face when they lack redundancy in their supply chains, fail to audit vendor health, or fail to plan for logistical disruptions. A robust compliance framework includes stress-testing the supply chain for resilience under duress.

5. Employee Welfare and Isolation – Psychological and Ethical Concerns in Hazard Zones

🖖Illustrated by: Spock’s decision not to return to the Enterprise due to the risk of contamination.

Spock’s sacrifice is a model of ethical risk containment. In any risk environment—whether it’s a pandemic, a data breach, or financial misconduct—companies must empower employees to make ethically sound decisions while providing mental health support for those isolated by crisis-response roles.

Final Starlog Reflections

Miri is a chilling illustration of what happens when ambition outpaces ethics and planning. The children left behind are the victims of a society that prioritizes progress over protection. For compliance professionals, this episode serves as a vivid reminder that a well-crafted compliance program is not just about preventing misconduct—it’s about preparing for the unknown.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Timothy is an AI-generated voice

Categories
Daily Compliance News

Daily Compliance News: June 8, 2026, The Manipulative Creep Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Hungary to unveil ABC initiatives. (Reuters)
  • How to deal with a ‘manipulative creep’ at work. (NYT)
  • The other me of cattle and Ponzi schemes. (WSJ)
  • What happens when you don’t reveal penalties? (FT)

Categories
AI Today in 5

AI Today in 5: June 8, 2026, The 4 Harsh Realities Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. A single AML regime for the EU. (FinTech Global)
  2. AI agents under anti-trust scrutiny. (Hogan Lovells)
  3. Compliance hiring: AI governance skills needed. (Law.Com)
  4. AI gets 76% of healthcare inquiries correct. (PennState Health)
  5. 4 harsh realities of the AI business. (Axios)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

What Are Little Girls Made Of: Androids, Ethics, and the Limits of Compliance Programming

Show Summary

Today, we descend into the icy caverns of Exo III in the Star Trek classic What Are Little Girls Made Of?, where Dr. Roger Corby has gone far beyond the boundaries of ethical science. His discovery of an ancient technology for creating androids opens a chilling debate on artificial intelligence, identity duplication, and the ethics of replication.

We explore how Corby’s desire to replace flawed humans with perfect androids reflects modern dilemmas surrounding automation, transparency, data integrity, and the compliance risks posed by technology run amok. As we watch Kirk’s doppelgänger roam the Enterprise, the question becomes clear: when does innovation cross the ethical line?

Key Highlights and Compliance Lessons:

1. Transparency and Disclosure—Trust Dies in the Shadows

Illustrated by: Corby failing to disclose that he is no longer human—and is, in fact, an android.

This fundamental breach of transparency is at the heart of the compliance risk. Corby’s hidden identity violates the trust of those he engages with. Just as companies hide material facts or fail to disclose conflicts of interest, his omission threatens not only ethical standards but also operational integrity. For compliance professionals, transparency must always be a first principle.

2. Data Privacy and Identity Misuse—The Ethics of Replication

Illustrated by: The creation of a perfect android duplicate of Captain Kirk.

This raises a powerful metaphor for today’s concerns about biometric data and identity cloning. What happens when your digital or physical likeness is copied without consent? Compliance teams must ensure privacy protections are in place for employee, consumer, and partner data, particularly when AI and automation are involved.

3. Risk Assessment and Program Governance—The Fallacy of ‘Perfect Control’

Illustrated by: Corby’s belief that androids can eliminate human error and thus build a better civilization.

Corby’s fatal flaw is the assumption that perfection through programming eliminates the need for oversight. In corporate compliance, this mirrors the belief that strong policies alone prevent misconduct. As Corby and Ruk demonstrate, even perfectly programmed systems break down when values clash with situational complexity.

4. Third-Party Risk—The Vendor You Don’t Know Is the One That Destroys You

Illustrated by: The lethal android Ruk, a legacy remnant of a prior civilization Corby could not fully control.

Ruk represents an inherited third-party vendor, which is technologically capable but poorly understood. This highlights the risk of using legacy systems or foreign vendors without adequate due diligence. Compliance programs must have protocols for onboarding, monitoring, and retiring high-risk third parties.

5. Ethical Limits of Innovation—Because You Can Doesn’t Mean You Should

Illustrated by: Corby’s vision of a galaxy populated by androids, with human flaws “corrected” by machine logic.

Compliance professionals must always ask: what is the ethical boundary of our innovation? Whether it’s in AI, product safety, or marketing tactics, organizations that pursue progress without ethical guardrails are just one bad decision away from crisis. Corby’s demise is a cautionary tale of ambition eclipsing accountability.

Final ComplianceLog Reflections

“What Are Little Girls Made Of?” teaches us that replication without reflection is a road to ruin. Dr. Corby wanted control, certainty, and a frictionless future, but he lost sight of the ethical foundation that gives those goals meaning. In a world where technology evolves faster than regulation, compliance professionals must serve as stewards of ethical innovation.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha