Categories
Blog

Key Boards Issues for 2026: What Compliance and Governance Leaders Must See Coming

Boards entering 2026 are doing so in an environment defined not by stability, but by volatility. Regulatory priorities are shifting rapidly, geopolitical risk is reshaping markets, technology is accelerating faster than governance frameworks can keep pace, and long-standing assumptions about shareholder engagement and corporate oversight are being tested. In this environment, the role of compliance is no longer reactive or advisory at the margins. It is structural.

The Thoughts for Boards: Key Issues for 2026 memorandum from the law firm of Wachtell, Lipton, Rosen & Katz, which appeared in the Harvard Law School Forum on Corporate Governance, provides a valuable roadmap for boards navigating this uncertainty. For compliance professionals, however, the document does something more important: it reveals where governance risk is quietly migrating. The challenge for compliance leaders is not simply to track these developments, but to translate them into oversight, controls, and strategic guidance that boards can use going forward.

A More Permissive SEC Does Not Mean Less Risk

One of the most striking developments outlined in the memorandum is the SEC’s recalibration of its role. From easing reporting burdens to stepping back from adjudication of shareholder proposals under Rule 14a-8, the Commission is signaling greater deference to companies in deciding how and when to engage with shareholders. At first glance, this appears to reduce regulatory pressure. In reality, it shifts risk inward.

When regulators retreat, discretion moves to boards and management. Predictable SEC processes no longer mediate decisions about disclosure cadence, shareholder engagement, and proposal exclusion. They are governance judgments that will be evaluated ex post by investors, courts, activists, and the media. For compliance professionals, this means fewer bright lines and more gray zones.

The potential move toward semi-annual reporting is a prime example. While it may reduce short-termism, it also alters internal disclosure controls, forecasting discipline, and market expectations. Compliance must ensure that reduced frequency does not translate into reduced rigor. Less reporting does not mean less accountability.

DEI and ESG: From Public Messaging to Quiet Risk Management

The memorandum describes sustained political and regulatory pushback against DEI and ESG initiatives, including executive orders, revised SEC guidance, and heightened scrutiny of shareholder proposals. Yet it also notes an important countervailing force: institutional investors have not abandoned interest in these areas. They have become quieter. This creates a compliance paradox.

On one hand, public signaling around DEI and ESG may expose companies to political and regulatory risk. On the other hand, abandoning these initiatives entirely risks alienating long-term shareholders, employees, and business partners. The compliance function sits at the center of this tension. In 2026, DEI and ESG will increasingly be treated less as branding exercises and more as internal governance risks. Compliance leaders should focus on process integrity, consistency, and documentation rather than rhetoric. The question is no longer whether a company “supports” DEI or ESG, but whether its practices align with its stated values and risk disclosures.

Tone at the top matters here more than ever. Boards must understand that silence does not equal neutrality. How a company governs these issues internally will determine its exposure externally.

Government as Shareholder: A New Governance Reality

Perhaps the most underappreciated development highlighted in the memorandum is the Trump Administration’s growing role as an equity holder in public companies deemed critical to national security. These investments vary widely in form, from passive economic stakes to golden shares with veto rights over strategic decisions. For compliance and governance professionals, this raises novel questions.

Government ownership blurs traditional distinctions between regulator and shareholder. It introduces new stakeholders with potentially divergent objectives, including national security, industrial policy, and geopolitical strategy. Even when governance rights are limited, the mere presence of the government on the cap table can alter decision-making dynamics and investor perceptions.

Compliance must be prepared to advise boards on conflicts of interest, disclosure obligations, and fiduciary duties in this new context. The risk is not simply regulatory; it is structural. Companies operating in sensitive sectors must assume that government involvement is no longer exceptional but potentially recurring.

AI Oversight Moves from Optional to Mandatory

Artificial intelligence dominated board agendas in 2025, and there is no indication that attention will diminish in 2026. The memorandum correctly emphasizes that AI is no longer confined to technology companies. It is embedded in products, operations, compliance monitoring, and decision-making across industries. For boards, the oversight challenge is acute. AI introduces opacity, speed, and scale that traditional governance frameworks were not designed to manage. For compliance officers, this creates both opportunity and risk.

AI is increasingly used within compliance itself, from transaction monitoring to proxy voting analytics. But the use of AI does not eliminate accountability. Boards will still be expected to understand how AI systems function, what risks they create, and how those risks are mitigated.

This is why board-level AI literacy is becoming a governance imperative. Compliance leaders should be proactive in helping boards understand AI not as a technical novelty, but as a risk multiplier. Data governance, model bias, explainability, and third-party reliance must all be incorporated into enterprise risk management frameworks.

Crypto and Digital Assets: Strategy First, Compliance Always

The memorandum highlights a friendlier regulatory environment for crypto-assets, alongside growing corporate interest in crypto treasury strategies and asset tokenization. This combination is dangerous if misunderstood. Regulatory friendliness is not regulatory clarity. Crypto engagement introduces risks related to custody, valuation, sanctions, AML, cybersecurity, and financial reporting. Boards that view crypto as a strategic opportunity without fully appreciating these risks are exposing the company to significant downside.

Compliance must insist on strategic discipline. Why is the company engaging with crypto? What problem is it solving? How does it align with the business model? Without clear answers, crypto becomes speculation rather than strategy. In 2026, compliance officers should expect to spend more time explaining why not to move quickly than how to move fast.

Shareholder Engagement Is Becoming More Fragmented, Not Less Important

The memorandum’s discussion of shareholder engagement reflects a fundamental shift. Institutional investors are splintering their stewardship approaches. Retail investors are more organized and more volatile. Proxy advisors are under regulatory and political attack. The result is unpredictability.

Boards can no longer rely on a small set of proxy advisor recommendations or institutional voting norms. Engagement must become more targeted, more frequent, and more informed. Compliance plays a critical role here by ensuring that engagement practices remain consistent with disclosure rules, insider trading controls, and governance policies.

The rise of retail activism and meme-stock dynamics also creates reputational risk that traditional governance tools were not designed to address. Social media is now a governance arena. Compliance must help boards understand that investor relations, communications, and risk management are increasingly inseparable.

Delaware Still Matters, Even as Alternatives Emerge

Finally, the memorandum addresses trends toward reincorporation in Texas and Nevada, as well as Delaware’s legislative response. While high-profile moves grab headlines, the underlying message is continuity rather than disruption. For most public companies, Delaware remains the default for a reason: predictability. Reincorporation carries costs, risks, and uncertainty that often outweigh perceived benefits. Compliance professionals should ensure that boards approach these decisions with discipline rather than reaction to political or cultural trends. Governance arbitrage is rarely a substitute for governance quality.

Conclusion: Compliance as Governance Infrastructure

The overarching lesson from the Key Issues for 2026 memorandum is that governance risk is becoming more diffuse, not less. Regulatory pullbacks, technological acceleration, geopolitical intervention, and fragmented shareholder bases all point to one conclusion: boards will be expected to exercise more judgment with fewer guardrails. As with all things under this Trump Administration, another key concept is volatility. That places compliance at the center of corporate governance.

In 2026, effective compliance will not be measured solely by the absence of enforcement actions. It will be measured by whether boards can navigate volatility and ambiguity without losing coherence, integrity, or trust. Compliance professionals who understand this shift will be indispensable partners in long-term value creation.

Categories
Daily Compliance News

Daily Compliance News: February 11, 2026, The US Plummets on the TI-CPI Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • US plummets on 2026 TI-CPI. (TI)
  • A bitcoin blunder gives away $40bn. (WSJ)
  • Corporate jargon goes mainstream. (FT)
  • Texas attack with anti-ESG law thrown out of court. (Reuters)

Categories
Compliance Into the Weeds

Compliance into the Weeds: NPAs, Escalation and Ethics in Competing

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at three recent stories to draw compliance lessons for the future.

They discuss significant developments in compliance, focusing on Jay Clayton’s recent speech regarding FCPA enforcement and the implications for companies. They also analyze a case involving the termination of compliance officers at Scotiabank for failing to escalate concerns about insider trading. The conversation concludes with a reflection on athlete decision-making in the context of injuries and the lessons for corporate compliance practices.

Key highlights:

  • Jay Clayton’s Speech and White Collar Crime Prosecution
  • Compliance Officers and Escalation Failures at Scotiabank
  • Ethics in Sports: Decision-Making and Compliance Lessons

Resources:

Matt in Radical Compliance

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
AI Today in 5

AI Today in 5: February 11, 2026, The Hits and Misses Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Hits and misses in compliance using AI. (CW)
  2. Turning AI into a competitive advantage. (IBS Intelligence)
  3. Preparing for AI-powered investigations. (CCI)
  4. How AI intensifies work. (HBR)
  5. Deploying AI against financial crime. (PYMNTS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

AI, Compliance, and the Missing “Why”: Highlights from the Compliance Week AI Conference

If there was one clear message coming out of Compliance Week’s January 2026 AI conference, The Leading Edge: Applying AI and Data Analytics in E&C, it was not about tools, vendors, or futuristic promises. It was about discipline. More specifically, it was about something compliance professionals have preached for decades and are now being pressured to skip: the “why.”

In a recent episode of the podcast From the Editor’s Desk, I sat down with Compliance Week Editor in Chief Aaron Nicodemus to gather his reflections on the conference and its implications for compliance leaders. What emerged was not a story about artificial intelligence replacing compliance, but about AI exposing weaknesses in how organizations make decisions, manage pressure from the top, and integrate ethics into innovation. For compliance professionals, the discussion was a reminder that AI is not a technology problem. It is a governance problem.

The Step Everyone Is Skipping: Why Before What

One of the most striking takeaways from the conference came from Jen Gennai, former AI Ethics and Compliance Advisor at Google. Her message was deceptively simple: companies are skipping the “why.” Organizations are rushing to implement AI tools without first articulating what problem they are trying to solve or why AI is the appropriate solution. Instead of defining the use case and then selecting the right tool, teams are buying technology first and hoping value emerges later.

For compliance professionals, this should sound uncomfortably familiar. Risk management, third-party due diligence, investigations: every mature compliance process begins with a defined purpose. There is a reason the first step in the third-party risk management process is the Business Rationale. This is the “why,” requiring a business sponsor to explain why your organization needs a new or different business partner. Yet when AI enters the picture, that discipline often evaporates. The result is experimentation without accountability and pilots without strategy.

The irony is that compliance already knows how to do this. The failure is not a lack of knowledge; it is pressure.

Tone at the Top, Revisited: Pressure Without Direction

According to a recent Compliance Week and konaAI study released at the conference, more than 60 percent of compliance officers feel pressure from the board or C-suite to “use AI.” Not to use it in a specific way. Not to achieve a defined outcome. To use it. This top-down mandate creates a new kind of compliance risk. When leadership demands adoption without guidance, teams feel compelled to move quickly, sometimes cutting corners they would never cut in other risk domains.

This is not inherently nefarious. Boards are doing what they believe is necessary to keep their organizations competitive. But pressure without clarity creates the conditions for poor governance. Compliance leaders must recognize this moment not as a threat, but as an opening. Because when leadership says “use AI,” compliance has an opportunity to respond with structure: identify manual pain points, define defensible use cases, and align AI deployment with existing policies and ethical standards. The mandate may be broad, but the implementation can and should be deliberate.

Humans in the Loop: Why Oversight Is Not Optional

Another recurring theme from the conference was the danger of letting AI evaluate AI. Scaling tools without human oversight compounds error. One flawed assumption becomes many. Bias multiplies. Outputs drift. The lesson here is not anti-technology; it is pro-governance. AI works best when humans remain embedded throughout the lifecycle: selecting tools, defining scope, reviewing outputs, and deciding whether the system is working at all.

This aligns squarely with long-standing compliance principles. Judgment-heavy decisions, investigations, escalations, and remediations must remain human. Attempting to automate them introduces fairness and defensibility risks that no compliance program can explain away after the fact. AI should accelerate compliance work, not absolve responsibility for it.

Trust and Integrity: The Core Compliance Tension with AI

The most profound tension discussed at the conference was philosophical. Compliance programs are built on trust and integrity. AI, by contrast, is often perceived as opaque, untrustworthy, and occasionally wrong. This creates a credibility problem.

Why would a compliance function that spends years telling employees to act ethically, verify sources, and question assumptions deploy a tool that fabricates answers or cannot explain its reasoning? If compliance cannot articulate why an AI system aligns with the organization’s ethical standards, it should not be deployed, no matter how efficient it appears to be. Trust is not just about outputs. It extends to inputs, data quality, and understanding how systems interact with information. AI amplifies what it is given. Bad data does not improve through automation; it spreads faster.

Iteration Over Perfection: Learning Is Part of the Process

A healthy counterpoint emerged as well: AI is not a one-shot deployment. It requires iteration. Early failures are not proof that AI does not work; they are evidence that learning has begun. Several speakers emphasized that AI improves through feedback. Teams must be willing to correct it, teach it, and refine its outputs over time. Compliance professionals who abandon tools after one or two imperfect attempts misunderstand how the technology functions.

That said, iteration does not excuse carelessness. Learning must occur within guardrails: governance frameworks, usage boundaries, and documentation matter more, not less, when tools evolve.

Compliance as Value Creator, Not Speed Bump

One of the most encouraging insights from the conference was how AI is reshaping compliance’s role inside organizations. When compliance is involved early, before tools are rolled out, it becomes a partner in innovation rather than an obstacle.

Nicodemus pointed out that companies like Robinhood, and Hemma Lomax, Deputy General Counsel, Vice President, and Head of Business Integrity at DocuSign, illustrated this point clearly. Compliance teams that embed themselves in product development and operational change help shape tools that work within ethical and regulatory boundaries from the start. That credibility compounds.

Lomax noted that at DocuSign, she and her compliance teams have gone further, creating AI agents that perform defined tasks continuously, with built-in ethical guardrails. When these tools are handed to new users, the hard questions have already been answered. This is how compliance becomes a competitive advantage: not by saying no, but by helping the business say yes safely.

No Experts, Only Practitioners

Another refreshing theme from the conference was humility. No one claimed to be an AI expert. Especially not in compliance. That matters. When technologies move quickly, false certainty is dangerous. Compliance professionals should not be intimidated by those who claim mastery. Instead, they should lean into their strengths: skepticism, documentation, and principled decision-making. AI does not require omniscience. It requires informed judgment.

The Vibe Shift: From Fear to Engagement

Perhaps the most telling insight came not from the stage, but from the hallways. Compared to earlier events, the mood around AI has shifted. Compliance professionals are no longer crossing their arms in resistance. They recognize the benefits and risks and want to engage. No one believes AI will disappear. The debate is no longer whether to use it, but how. Some organizations will lean in aggressively. Others will move cautiously. All will need compliance to guide those choices. The most effective analogy offered was this: AI is like a very confident intern. Smart. Fast. Occasionally wrong. Useful, but never in charge.

Conclusion: AI Is a Compliance Opportunity, If Compliance Leads

The Compliance Week AI conference made one thing clear: AI is not undermining compliance. It is testing it. Programs that lack clarity, governance, or confidence will struggle. Programs that know who they are, what they stand for, and how they make decisions will thrive. For compliance professionals, the question is not whether AI belongs at the table. It already sits there. The real question is whether compliance will claim its seat, not as a roadblock, but as the function that ensures innovation aligns with integrity. That is not a burden. It is an opportunity.

Categories
Great Women in Compliance

Great Women in Compliance: Why Decision Rubrics Matter in the Age of AI with Hemma Lomax and Shalini Rajoo

In this conversation, GWIC host Dr. Hemma R. Lomax and Shalini Rajoo explore the critical role of decision rubrics in governance, accountability, and trust, especially in the context of AI. Shalini shares her journey from law to compliance, emphasizing the importance of understanding systems and the impact of leadership on decision-making processes. They discuss how transparency and clarity in decision-making can build trust within organizations and the necessity of responsible AI governance. Practical tips for improving decision quality are also provided, highlighting the importance of self-awareness and critical thinking in leadership.

Takeaways:

  • The biggest risk in governance is unclear decisions.
  • AI amplifies existing clarity or confusion in decision-making.
  • Systems and rules reflect the identities of their architects.
  • Everyone has an impact on those around them every day.
  • Leadership is about improving the people around you.
  • It’s not just about rules; it’s about how people behave.
  • Decision rubrics provide consistency and predictability in outcomes.
  • Transparency in decision-making processes builds trust.
  • Slowing down to ask questions can lead to better decision-making.
  • Writing down the reasons for decisions brings clarity and accountability.

Sound bites:

“Systems and rules are not inherently neutral.”

“Transparency in decision making builds trust.”

“Slow is smooth, and smooth is fast.”

Chapters:

00:00 Introduction to Decision Rubrics and Governance

02:55 Shalini’s Journey: From Law to Governance

06:09 The Impact of Systems on Leadership and Accountability

09:09 Transitioning to Compliance and Ethics

11:49 Understanding Decision Rubrics in Compliance

15:06 The Role of Leadership in Decision Making

18:03 Designing Conditions for Effective Decision Making

20:47 The Importance of Transparency in Decision Processes

24:09 Decision Rubrics: Building Trust in Organizations

26:49 AI and Governance: Leadership Infrastructure Failures

29:47 Responsible AI: The Role of Ethics and Compliance

32:55 Practical Tips for Improving Decision Quality

36:00 Conclusion: The Future of Decision Making in AI

Guest Biography:

Shalini Rajoo is the Founder and Principal Consultant of Shalini Rajoo Advisory, LLC, where she partners with organizations to design governance, compliance, and decision-making systems that are resilient, trustworthy, and aligned to real operational pressures. Across more than two decades in law, compliance, HR, and organizational leadership, Shalini has helped companies and leaders move beyond check-the-box frameworks to build structures that embed accountability, clarity, and performance into everyday decisions.

She began her career in South Africa, first as a public prosecutor and then leading regulatory work with the Department of Trade and Industry, collaborating with legislative and executive stakeholders on corporate, competition, and consumer law. After relocating to the U.S., Shalini practiced commercial litigation. She later served as Director of Global Business Conduct for a Fortune 500 company, where she redesigned ethics and compliance systems, led global risk assessments, and championed psychological safety and integrity-based practices.

Today, Shalini’s work centers on helping leaders clarify decision rights, governance architectures, and accountability pathways — especially as organizations adopt AI and automation. She recently spoke at the Opal Group’s Corporate Governance & Ethics in the Age of AI conference, where she reframed AI governance as a leadership-infrastructure challenge rather than a purely technical or compliance one.

Categories
AI Today in 5

AI Today in 5: February 10, 2026, The AI Redefining GRC Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. How AI is redefining GRC. (GulfNews)
  2. AI-assisted workforce leave compliance program. (USAToday)
  3. How to integrate AI into your compliance workflows. (AOL)
  4. How AI can speed compliance research. (FedScoop)
  5. Data sovereignty for AI compliance. (TechTarget)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: February 10, 2026, The Athletes, Injuries and Ethics Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Prediction markets v. casinos at war over gambling. (NYT)
  • Banks want ‘pound of flesh’ in RTO. (FT)
  • Who gets to decide when athletes should not compete? (Reuters)
  • Google staff call for the company to cut ties with ICE. (BBC)

Categories
Innovation in Compliance

Innovation in Compliance – Proactive Compliance Frameworks for Evolving AI Regulations with Yakir Golan

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Yakir Golan, CEO & Co-founder at Kovrr, who shares his professional journey from the Israeli intelligence community to his current role at Kovrr.

With a rich background in Israel’s intelligence community and significant experience with cybersecurity vendors, Golan champions integrating frameworks with analytics to effectively assess and navigate risks, emphasizing governance as a vital component for sustained innovation. He advocates proactive measures to address AI-enabled insider threats, urging businesses not to wait for perfect regulatory clarity amid the fast-paced evolution of AI technologies. Golan’s holistic approach to compliance transcends mere regulatory adherence, focusing on business-driven proficiency in cybersecurity and AI to meet the dynamic demands of the business landscape.

Key highlights:

  • Financial Models for AI Risk Governance
  • Enhancing AI Governance with Adaptive Frameworks
  • Empowering Innovation Through Strategic Governance and Compliance
  • Unified Approach: AI-Cybersecurity in Enterprise Risk Management

Resources:

Yakir Golan on LinkedIn

Kovrr 

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Categories
Blog

From Enforcement-Driven to Purpose-Driven Compliance

For more than two decades, corporate compliance programs have been built around one central organizing principle: enforcement. Where regulators go, compliance resources follow. When the Department of Justice prioritizes anticorruption, companies invest in FCPA controls. When regulators turn to privacy, cybersecurity, or AML, compliance budgets pivot accordingly. This enforcement-driven approach has shaped the modern compliance profession.

Yet, as Veronica Root Martinez persuasively argues in her recent working paper, Purpose-Driven Compliance, this dominant model may be fundamentally flawed, certainly in the era of Trump. Despite unprecedented investments in compliance infrastructure, corporate misconduct persists. Repeat offenders remain common. Penalties grew larger, but behavior did not meaningfully improve. For compliance professionals, this raises an uncomfortable question: are we optimizing for the wrong objective?

Martinez’s answer is both challenging and clarifying. Compliance programs should not be primarily designed to satisfy enforcement authorities or to maximize mitigation credit after failure. Instead, they should be anchored in the organization’s own purpose, business risks, and ethical standards. In short, it is time to move from enforcement-driven compliance to purpose-driven compliance.

The Limits of Enforcement-Driven Compliance

The enforcement-driven model rests on two assumptions. First, that enforcement priorities reflect a company’s most significant risks. Second, that imperfect compliance is inevitable and acceptable so long as the organization can demonstrate good-faith efforts. Martinez brings both under scrutiny.

Regulatory priorities often lag behind real business risks. Enforcement agencies focus on certain categories of misconduct because they are visible, politically salient, or historically entrenched. But the risks that most threaten an organization’s mission may lie elsewhere. Martinez highlights how firms can become over-invested in compliance areas that attract enforcement attention while under-investing in mission-critical risks to their operations.

The second assumption, that some level of misconduct is acceptable, is even more troubling. Behavioral ethics research suggests that tolerating small violations creates conditions for larger ones. When leaders frame misconduct as statistically insignificant or “within expectations,” they risk normalizing behavior that undermines culture, trust, and ultimately performance. Wells Fargo’s infamous “1% problem” illustrates this danger. Senior leadership took comfort in the idea that only a small fraction of employees were engaging in misconduct, failing to appreciate that those numbers reflected only the misconduct that had been detected.

An enforcement-driven mindset encourages this type of thinking. If the organization is sanctioned, then low detection rates look like success. But if the question is whether the organization is living up to its own purpose and values, the same data tell a very different story. This is not the broken windows theory of enforcement, but something else.

The Cost of Treating Compliance as a Cost of Doing Business

Another weakness of enforcement-driven compliance is that it can turn sanctions into a predictable line item. As firms grow larger and penalties are discounted through cooperation credit, fines risk being internalized as a cost of doing business. Empirical work cited by Martinez suggests that large, repeat offenders often pay penalties that are small relative to their assets and revenues. In that environment, enforcement loses much of its deterrent effect.

For compliance professionals, this dynamic creates a structural tension. Programs may be technically “effective” under DOJ guidance while still failing to prevent misconduct that harms customers, employees, and communities. The distinction between standards of review and standards of conduct becomes critical. Meeting the government’s expectations for leniency is not the same as meeting the organization’s ethical obligations to itself and its stakeholders.

What Is Purpose-Driven Compliance?

Purpose-driven compliance begins with a simple but powerful shift in perspective. Instead of asking, “What does the regulator expect?” the organization asks, “What risks threaten our ability to achieve our purpose and what standards of conduct are required to address them?” Martinez defines purpose-driven compliance as programs directed by three elements: the firm’s purpose, the inherent risks associated with pursuing that purpose, and the ethical standards the organization sets for itself. This approach does not reject enforcement frameworks; rather, it treats them as a floor, not a ceiling.

In practical terms, purpose-driven compliance requires leadership to articulate why the organization exists and how misconduct undermines that mission. For a bank, this may mean focusing on customer trust and market integrity. For a pharmaceutical company, it may mean prioritizing patient safety and scientific integrity. For a university, it may mean safeguarding academic freedom and institutional trust. For a summer camp, it means protecting the campers from flash floods and other storms.

Once the purpose is clearly defined, compliance risk assessments become more meaningful. Risks are evaluated not only by enforcement exposure but by their potential to compromise the organization’s core objectives. This reframing helps compliance leaders resist the temptation to chase regulatory trends at the expense of mission-critical risks.

Moving Beyond Mitigation to Aspirational Standards

A key insight in Martinez’s work is that firms often confuse mitigation with excellence. Compliance programs are designed to minimize penalties rather than to maximize ethical performance. Purpose-driven compliance challenges that mindset by encouraging organizations to adopt high, ethical, and aspirational standards of conduct.

This does not mean pursuing perfection through draconian controls or internal criminalization. Martinez rightly warns against overdeterrence and strict liability regimes that incentivize concealment rather than transparency. Instead, purpose-driven compliance emphasizes ethical framing, employee voice, and organizational learning. Compliance should never be Dr. No, sitting in the Department of Business Non-Development.

The examples of Wells Fargo and Novartis are instructive. Both organizations suffered repeated compliance failures under enforcement-driven regimes. Their subsequent reforms went beyond addressing the specific violations that triggered enforcement. They re-examined culture, leadership incentives, and ethical expectations. In Novartis’s case, tying bonuses to ethical performance and co-creating a new code of ethics signaled a shift from box-checking to values anchored in purpose.

Why Purpose-Driven Compliance Matters for the Modern CCO

For today’s chief compliance officer, Martinez believes purpose-driven compliance offers three critical benefits.

First, it creates durability. Enforcement priorities shift with administrations. Indeed, this Administration has signaled a cutback in white-collar enforcement by offering essentially get-out-of-jail-free cards to companies that self-disclose early. This underscores the importance of compliance programs. A compliance program anchored solely in regulatory expectations will always be reactive. Purpose-driven programs are more stable because they are tied to the organization’s identity rather than external politics.

Second, it improves the quality of compliance metrics. Measuring effectiveness against internal standards allows organizations to ask harder questions about culture, decision-making, and root causes. Not every initiative will succeed, but a willingness to acknowledge failure is itself a sign of program maturity.

Third, it enhances credibility with boards and senior leadership. When compliance is framed as a strategic partner in achieving the organization’s mission, rather than as a defensive function, it earns a more meaningful seat at the table.

Conclusion

Compliance has never been more sophisticated, expensive, or visible. Yet sophistication alone does not guarantee effectiveness. Martinez’s Purpose-Driven Compliance challenges compliance professionals to rethink the foundations of their programs. Enforcement-driven compliance has taken us far, but it cannot take us far enough.

The next evolution of compliance requires organizations to define their own standards of conduct, grounded in purpose, risk, and ethics. That shift is not easy. It requires courage from compliance leaders and commitment from boards and executives. But if compliance is truly about preventing harm and sustaining trust, purpose-driven compliance is not optional. It is essential.