Categories
The Ethics Experts

Episode 242 – Forrest Deegan (Part 1)

In this episode of The Ethics Experts, Nick Gallo welcomes Forrest Deegan.

Forrest Deegan is an accomplished Legal, Risk & Compliance executive who has succeeded by partnering with business leaders to build high performing teams, drive organizational enhancement, and reduce risk. After ten years in private practice with Arnold & Porter, Forrest became the first-ever Chief Ethics & Compliance Officer (CECO) for Abercrombie & Fitch and then Victoria’s Secret. Most recently, Forrest was the CECO for Albemarle Corp. At all three companies, Forrest was a member of the legal leadership team and supported third party risk and supply chain transparency efforts.

Forrest is currently a Lecturer at the University of Chicago School of Law, where he teaches a course entitled “Corporate Compliance and Business Integration” and is the Co-Chair of the ABA’s Corporate Compliance & Ethics Subcommittee of the Business Law Section.

Connect with Forrest on LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – FCPA Enforcement Shifts: Volatility and Uncertainty

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode,  host Tom Fox welcomes Anik Shah, Director & Senior Legal Counsel at Sandisk, for an insightful discussion about the pivotal changes and enforcement actions around the FCPA in 2025 and their implications for 2026.

In 2025, Anik Shah, a preeminent authority on FCPA and anti-corruption enforcement, offers a strategic perspective on the evolving compliance landscape. Given the recent uncertainties following an executive order and the dismissal of high-profile cases, Shah underscores the necessity for companies to maintain robust anti-bribery and anti-corruption controls, especially with potential reprioritization by the Department of Justice. He advocates a proactive risk management approach, emphasizing the importance of third-party risk management and comprehensive training to anticipate and mitigate potential FCPA issues. As enforcement focus shifts toward addressing cartel and transnational criminal organization activities, Shah advises companies to integrate anti-money laundering processes into their compliance strategies to align with global anti-corruption efforts.

Key highlights:

  • 2025 FCPA Enforcement Shifts and Uncertainty
  • Voluntary Self-Disclosure Policy Revolution in 2025
  • Cartel Risk Mitigation through Compliance Integration
  • Central Asia Construction Projects: Anti-Corruption Measures
  • Proactive Measures: Fostering Anti-Corruption Compliance Awareness

Resources:

Anik Shah on LinkedIn

Sandisk

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com

Categories
Daily Compliance News

Daily Compliance News: February 9, 2026, The Is Netflix a Monopoly Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Knock off obesity pill pulled from market. (NYT)
  • Former Norwegian Prime Minister under investigation over corruption from Epstein files. (Politico)
  • Jay Clayton promises a bigger get out of jail free card. (Reuters)
  • DOJ to investigate if Netflix is a monopoly. (WSJ)
Categories
AI Today in 5

AI Today in 5: February 9, 2026, The AI Agents Doing Compliance Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. What to do when AI is forced on compliance. (CW)
  2. Napier AI/AML report is out. (FinTechGlobal)
  3. AI and the accountability gap. (FinTechGlobal)
  4. Where AI is tearing through corporate America. (WSJ)
  5. Goldman is letting AI Agents do compliance. (PYMNTS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

From Principle to Proof: Operationalizing AI Governance Through the ECCP and NIST

Artificial intelligence governance has officially crossed the threshold from theory to expectation. The Department of Justice has not issued a standalone “AI rulebook,” but it has provided a framework for compliance professionals to consider the issue: the 2024 Evaluation of Corporate Compliance Programs (ECCP). In this version of the ECCP, the DOJ laid out guidance that any technology capable of creating material business risk must be governed, monitored, and improved like any other compliance risk. That includes artificial intelligence.

Too many organizations still treat AI governance as an ethics exercise, a technical problem, or a future concern. That posture is not defensible. The DOJ does not ask whether your program is fashionable or aspirational. It asks three very old-fashioned questions: Is your compliance program well designed? Is it applied in good faith? Does it work in practice? Those questions apply with full force to AI.

In this post, I want to move the discussion from abstract frameworks to operational reality. I will show how compliance professionals can use the ECCP to structure AI governance, select board-grade KPIs, and demonstrate effectiveness in a way regulators understand. I will also show how the NIST AI Risk Management Framework (NIST Framework) fits neatly underneath this structure as an operating model, not a competing philosophy.

AI Governance Is Already an ECCP Issue

The DOJ has repeatedly emphasized that compliance programs must evolve as business risks evolve. Artificial intelligence is not a future risk. It is already embedded in pricing, hiring, credit decisions, customer interactions, fraud detection, and third-party screening. If an AI model can influence revenue, customer outcomes, or regulatory exposure, it is a compliance risk. Period.

The ECCP does not require companies to eliminate risk. It requires them to identify, assess, manage, and learn from it. AI governance, therefore, belongs squarely inside the compliance program, not off to the side in an innovation lab or technology committee.

The ECCP as an AI Governance Blueprint

The power of the ECCP is its simplicity. Every enforcement action ultimately traces back to the same three questions. Let us apply them directly to AI.

Is the Program Well Designed?

Design begins with risk assessment. If your organization cannot answer a basic question such as “What AI systems do we have, who owns them, and what decisions they influence,” you do not have a program. You have hope. A well-designed AI compliance program starts with an AI asset inventory that identifies models, tools, vendors, and use cases. Each asset must be risk-classified based on business impact, regulatory exposure, and potential harm.

Board-level KPIs here are coverage metrics. How many AI assets have been identified? What percentage has been risk-classified? How many high-impact models have completed an impact assessment before deployment? If your dashboard does not show near-full coverage, the design is incomplete.

Policies and procedures come next. The DOJ does not care how many policies you have. It cares whether they provide clear guidance for real decisions. AI policies should cover the full lifecycle, from design and data sourcing through deployment, monitoring, and retirement. A practical KPI is policy coverage. What percentage of AI assets operate under current, approved procedures? How often are those procedures refreshed? Annual updates are a reasonable baseline in a rapidly changing risk environment.

Is the Program Applied Earnestly and in Good Faith?

Good faith is demonstrated through action, not intent. Training is a central indicator. The DOJ expects role-based training tailored to actual risk. A generic AI awareness course does not meet this standard. Developers, model owners, compliance reviewers, and business leaders all require different training. Completion rates matter, but so does comprehension. Measuring post-training proficiency improvement is one of the clearest signals that training is more than a box-checking exercise.

Third-party risk management is another critical area. Many organizations rely on external models, data providers, or AI-enabled vendors. If you do not understand how those tools are built, governed, and updated, you are importing risk without controls. Strong programs use standardized AI diligence questionnaires, assign assurance scores, and require contractual safeguards for high-risk vendors. A board-ready KPI here is the percentage of high-risk AI vendors subject to enhanced diligence and contractual controls.

Mergers and acquisitions deserve special attention. AI risk does not wait for post-close integration. The DOJ has been explicit that pre-acquisition diligence matters. A defensible KPI is simple and unforgiving. 100% of acquisition targets with material AI usage must undergo AI due diligence before closing. Anything less invites inherited risk.

Does the Program Work in Practice?

This is where many programs fail. Paper controls do not impress regulators. Outcomes do. Incident reporting is a critical signal. A low number of reported AI issues may indicate fear, confusion, or a lack of safety rather than safety concerns. What matters is whether issues are identified, investigated, and resolved promptly. Mean time to investigate is a powerful metric. If AI-related concerns take months to resolve, the program is not working. Clear escalation paths, defined investigation playbooks, and documented root cause analysis are essential.

Continuous monitoring is equally important. High-risk AI systems must be monitored for performance drift, data changes, and unintended outcomes. The DOJ expects companies to use data analytics to test whether controls are functioning. KPIs here include validation pass rates before deployment, drift-detection coverage for critical models, and corrective action closure rates. These are not technical vanity metrics. They are evidence of effectiveness.

Where NIST Fits and Why It Matters

The NIST AI Risk Management Framework does not compete with the ECCP. It operationalizes it. The ECCP tells you what regulators expect. NIST helps you implement those expectations across governance, mapping, measurement, and management. For example, ECCP risk assessment aligns with NIST’s mapping function. ECCP’s continuous improvement aligns with NIST’s measurement and management functions. Using NIST terminology creates a shared language across compliance, legal, security, and data science teams. That shared language is governance in action.

Reporting AI Risk to the Board

Boards do not want technical detail. They want assurance. The most effective AI governance dashboards focus on a small set of indicators that answer the DOJ’s three questions: coverage, quality, responsiveness, and learning. Examples include the percentage of AI assets risk-classified, validation pass rates, investigation cycle times, and corrective action closure rates. When these metrics move in the right direction, they tell a credible story of control. More importantly, they show that compliance is not reacting to AI. It is governing it.

Five Key Takeaways for Compliance Professionals

  1. AI as Risk. Artificial intelligence is already within the scope of the ECCP. If AI can influence business outcomes, it must be governed like any other compliance risk.
  2. Risk Management Program. A well-designed AI compliance program begins with complete asset identification and risk classification. Coverage metrics are the first signal regulators will examine.
  3. Implementation. Good faith implementation is demonstrated through role-based training, disciplined third-party oversight, and pre-acquisition AI diligence. Intent without execution does not count.
  4. Outcomes, not Inputs. Effectiveness is proven through outcomes. Investigation speed, monitoring coverage, and corrective action closure rates matter more than policy volume.
  5. Complementary. The NIST Framework complements the ECCP by providing an operating model that compliance, legal, and technical teams can share. Together, they turn principles into proof.

Final Thoughts

AI governance is not about predicting the future. It is about demonstrating discipline in the present. The DOJ is not asking compliance professionals to become data scientists. It is asking us to do what they have always done well: identify risk, establish controls, test effectiveness, and improve continuously. The ECCP already gives you the framework. The only question is applying it.

Categories
Sunday Book Review

Sunday Book Review: February 8, 2026, The Books on Creativity Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at⁠ the 5 top books on creativity.

  1. Our Band Could Be Your Life: Scenes from the American Indie Underground 1981-1991 by Michael Azerrad
  2. On Writing: A Memoir of the Craft  by Stephen King
  3. Just Kids by Patti Smith
  4. Cat’s Eye by Margaret Atwood
  5. The Midnight Disease: The Drive to Write, Writer’s Block, and the Creative Brain by Alice Flaherty

Resources:

Five Best: Books on the Creative Spark in the ⁠WSJ

Categories
From the Editor's Desk

From the Editor’s Desk – Aaron Nicodemus on the CW AI Conference Insights: Navigating the Practical Use of AI in Compliance

In this episode of ‘From the Editor’s Desk,’ Tom Fox visits with Aaron Nicodemus to discuss highlights from the recent Compliance Week AI Conference. Key takeaways include the importance of understanding the purpose and practical use of AI tools before implementation, the pressures from C-suite and boards to adopt AI, and the necessity of a human-in-the-loop approach. The conversation also touches on integrating trust and integrity into AI adoption, the evolving role of compliance as a trusted partner in AI initiatives, and the collective willingness to learn and apply AI across compliance operations.

Key highlights:

  • Importance of Understanding AI Implementation
  • Pressure from the Top: Compliance and AI
  • Human Oversight in AI Processes
  • Trust and Integrity in AI
  • Compliance as a Competitive Advantage
  • Real-World Examples: Robinhood and DocuSign
  • The Evolving Role of Compliance in AI
  • Conference Vibes and Final Thoughts

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Daily Compliance News

Daily Compliance News: February 6, 2026, The Chief BS Officer Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Opening arguments in the FirstEnergy corruption trial. (News5Cleveland)
  • Brad Karp, the leader of Paul Weiss, resigns amid revelations from the Epstein files. (WSJ)
  • Corruption is cheaper in the UK than in the US. (TheGuardian)
  • Do you need a Chief BS officer? (FT)
Categories
AI Today in 5

AI Today in 5: February 6, 2026, The Trillion $$ Wipeout Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. EU AI group establishes task force to foster compliance. (Babl)
  2. AI diligence tool rollout. (InvestmentNews)
  3. AI in healthcare is driving greater accountability. (FastCompany)
  4. The compliance convergence challenge. (SecurityBlvd.)
  5. AI fears wipe out tech stock values. (Bloomberg)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 5 – Lucretius, Rationality, and Continuous Improvement in Compliance

Welcome to our concluding blog post on notable Roman Philosophers and the philosophical underpinnings of modern corporate compliance programs and compliance professionals, focusing on five philosophers from Rome spanning the end of the Roman Republic to the Roman Empire.

We have considered Cicero and the duty, law, and the moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; Varro on corporate governance; and Marcus Aurelius on ethical leadership and tone at the top. Today, we conclude with Lucretius to explore rationality, fear, and risk perception.

I. Lucretius in Context: Seeing the World Clearly

Titus Lucretius Carus is the outlier in the Roman philosophical tradition, and that is precisely why he matters to compliance professionals. In De Rerum Natura (On the Nature of Things), Lucretius set out to explain the world as it actually is, stripped of superstition, fear, and comforting illusions. He believed that human suffering and bad decision-making were driven less by malice than by misunderstanding.

Lucretius lived in a Roman world gripped by fear of divine punishment, fate, and unseen forces. He argued that when people attribute events to superstition or rumor rather than observation and evidence, they lose the ability to respond rationally. Fear, in his view, was the enemy of clear judgment. Only through disciplined observation and reason could individuals and institutions act wisely.

For modern compliance professionals, Lucretius offers a final and essential lesson. Even the best-designed compliance program, staffed by accountable individuals and supported by ethical leadership, will fail if it cannot see itself clearly. Programs that rely on assumptions, anecdotes, or reputation rather than evidence inevitably drift. Lucretius teaches that rational observation is not merely a scientific virtue. It is an ethical one.

II. The Compliance Problem Lucretius Illuminates: Blind Spots and Compliance Theater

Many compliance programs operate on belief rather than proof. Leaders believe the culture is strong. Boards believe controls are effective. Compliance teams believe training is working. Yet enforcement actions routinely reveal blind spots that persisted for years, unnoticed or unchallenged. This gap between belief and reality is what Lucretius would have called superstition. In compliance, it takes the form of compliance theater: dashboards that look reassuring, certifications that go unquestioned, and metrics that measure activity rather than effectiveness.

The DOJ Evaluation of Corporate Compliance Programs (ECCP) repeatedly asks whether companies test, monitor, and improve their programs. Prosecutors are explicit that assumptions are insufficient. They want evidence that the program detects misconduct, adapts to change, and evolves based on lessons learned. Fear plays a central role here. Organizations fear discovering problems. They fear bad news reaching the board. They fear regulatory scrutiny. Lucretius warned that fear distorts perception. In compliance terms, fear leads to underreporting, superficial audits, and avoidance of uncomfortable data.

A compliance program that cannot tolerate evidence of weakness cannot improve. Lucretius insists that rational systems must prefer truth over comfort.

III. Modern Corporate Application: Lucretius, DOJ Expectations, and Evidence-Based Compliance

Applying Lucretius to modern compliance highlights the central role of monitoring, testing, and continuous improvement.

First, compliance monitoring must focus on effectiveness, not volume. Counting training completions or hotline calls says little about whether the program works. Lucretius would insist on asking harder questions. Are issues detected early? Are repeat risks declining? Are controls changing behavior?

Second, data must be interpreted without fear. DOJ guidance emphasizes learning from misconduct and near misses. Yet many organizations treat incidents as anomalies rather than signals. Lucretius teaches that patterns matter more than isolated events. Compliance teams should analyze trends across regions, functions, and time, even when results are uncomfortable.

Third, programs must adapt to changing risk. Lucretius rejected static explanations of the world. The DOJ similarly asks whether compliance programs evolve as business models, markets, and technologies change. A program designed for yesterday’s risks becomes a liability when conditions shift.

Fourth, monitoring must include culture and behavior, not just transactions. Culture surveys, exit interviews, and speak-up analytics provide insight into employees’ trust in the system. Lucretius would caution against ignoring qualitative data simply because it is harder to measure.

Fifth, continuous improvement must be documented and demonstrable. The DOJ evaluates whether companies close the loop by updating controls, training, and governance in response to findings. Rational compliance requires not only seeing clearly but acting on what is seen.

Finally, compliance leaders must resist narrative-driven assurance. Statements such as “this has never happened before” or “we trust our people” are not evidence. Lucretius reminds us that trust is strengthened, not weakened, by verification.

IV. Key Takeaways for Compliance Professionals

1. Father of CM/CI. Compliance professionals should view Lucretius as the philosophical foundation of monitoring and continuous improvement. Lucretius grounds compliance in disciplined observation rather than comfort or tradition. He reminds compliance professionals that a program cannot improve what it refuses to examine honestly. Monitoring and continuous improvement are not technical exercises but ethical commitments to see the organization as it truly operates.

2. Fact-based. Compliance should privilege evidence over assumption. Assumptions about culture, control effectiveness, or employee behavior create blind spots that persist until a failure forces attention. Lucretius warns that belief without verification is a form of self-deception. An effective compliance program insists on data, testing, and validation rather than reassurance.

3. Measure outcomes, not activity. Compliance should design metrics that measure effectiveness, not activity. Counting trainings delivered or policies acknowledged does not demonstrate that misconduct is being prevented or detected. Lucretius would reject metrics that comfort leadership without revealing reality. Compliance metrics must answer whether controls change behavior and reduce risk, not merely whether processes occurred.

4. Information is data. Compliance should treat incidents and near misses as data, not embarrassment. Organizations often hide or minimize incidents out of fear of reputational harm or internal scrutiny. Lucretius teaches that fear distorts judgment and delays learning. A mature compliance program uses incidents and near misses as signals for improvement rather than reasons for denial.

5. Risks Change. Compliance should evolve as risks, markets, and technologies change. Static compliance programs assume the world remains stable, an assumption Lucretius would view as fundamentally irrational. This is certainly not true in the age of Trump. Business models, geopolitical risks, and technologies shift faster than policy cycles. Continuous adaptation is the only rational response to an environment in constant motion.

6. Embrace Observation. Compliance should embrace rational observation as an ethical obligation. Seeing clearly is not morally neutral; it is a responsibility owed to stakeholders and institutions. Lucretius argued that ignorance sustained by fear causes harm. In compliance, choosing not to look is itself an ethical failure.

7. Evidence-based. Finally, Lucretius teaches that organizations fail not because reality is unknowable, but because they choose not to look. This is the capstone lesson of the compliance lifecycle. Organizations that avoid uncomfortable facts drift into compliance theater and false confidence. Rational, evidence-based compliance treats truth as an asset, even when it reveals weakness.

V. Conclusion: Roman Philosophy and the Compliance Program That Actually Works

Taken together, these five Roman philosophers describe the full lifecycle of a modern compliance program as it exists in the real world, not as it appears in policy manuals. Cicero establishes why compliance must exist at all, grounding the program in duty rather than expediency and reminding organizations that law is only the starting point. Seneca then confronts the reality that ethical commitments are tested under pressure, exposing how fear, ambition, and rationalization undermine even well-designed systems. Epictetus moves the analysis to the individual, insisting that ethical responsibility does not disappear inside hierarchy and that compliance ultimately depends on personal agency. Marcus Aurelius elevates that responsibility to leadership, showing how culture is formed through example and how ethical expectations live or die by the behavior of executives. Finally, Lucretius closes the loop, demanding rational observation, evidence, and continuous improvement so that compliance programs do not drift into assumption, superstition, or complacency.

What makes the Roman philosophers uniquely valuable to compliance professionals is their focus on institutions, power, and human behavior under constraint. The Greeks gave us ethical ideals. The Romans showed us how those ideals survive, or fail, inside complex systems. This mirrors the Department of Justice’s modern approach to compliance, which increasingly evaluates not whether a program exists, but whether it operates, adapts, and functions under real-world conditions.

For the compliance professional, the lesson of this series is both sobering and empowering. No single control, policy, or training module is sufficient. Effective compliance requires ethical foundations, behavioral awareness, individual accountability, principled leadership, and disciplined monitoring working together as an integrated system. Remove any one of these elements, and the program weakens. Align them, and compliance becomes not a defensive function, but a durable governance capability.

In combining these Roman insights with the earlier Greek philosophical foundations, the compliance professional gains more than historical perspective. They gain a framework for building programs that withstand pressure, earn trust, and evolve. In the end, that is the measure of a compliance program that actually works.