This blog continues our series on the ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. What we are seeing across the region is not simply another enforcement trend. It is a structural change in the way compliance officers, boards, legal departments, security teams, and business leaders must assess and manage risk. The issue is one in which security, extortion, compliance, and enterprise risk management now sit at the same table.
The key point is one that every compliance professional has heard after a failure: “We did not see that coming.” In most cases, that statement does not mean the risk was invisible. It means the organization was not looking in the right way. It had a preconceived view of its threat environment. It relied on familiar dashboards. It accepted old assumptions. It conducted a risk assessment that confirmed management’s beliefs rather than testing them. That is not a security problem alone. That is a compliance failure.
Cartel Risk Is Now an Enterprise Risk
The designation of certain cartels and criminal organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists has changed the risk conversation. Executive Order 14157 created a process for certain international cartels and other organizations to be designated as FTOs or SDGTs, and the order described international cartels as a national security threat beyond traditional organized crime, including through infiltration into governments across the Western Hemisphere. OFAC also lists an alert on international cartels designated as FTOs and SDGTs as part of its counterterrorism sanctions resources. (OFAC)
For CCOs, this means cartel and TCO exposure cannot be treated as a regional security issue or as a one-time sanctions-screening exercise. It must be integrated into risk assessments, third-party management, contract review, internal controls, HR, community relations, logistics, government affairs, and crisis response.
True threat assessment begins by stepping back, looking across the full operating environment, and then breaking the risk down across functions. The Department of Justice has made clear that compliance programs must be robust, well-resourced, and empowered, and that companies are expected to continuously review and update compliance programs to account for emerging risk factors. A static, annual, checklist-driven risk assessment is not fit for a cartel-driven operating environment.
THIRA as a Compliance Tool
One of the most useful concepts in the attached article is the use of Threat and Hazard Identification and Risk Assessment, or THIRA. THIRA began in the public-sector preparedness world, but its discipline translates well into corporate compliance. FEMA describes THIRA as a three-step risk assessment process that helps communities identify risks of greatest concern and determine the capabilities needed to address those risks. FEMA also notes that identifying and assessing risk should be a key input into planning and that plans must be risk-informed.
For compliance professionals, that is the point. Do not begin with the control. Begin with the threat. What could happen? Who could exploit the business model? What routes, facilities, vendors, unions, brokers, security providers, customers, or local officials create exposure? What happens if a logistics route becomes unsafe, a vendor is coerced, a local union is compromised, a government permit is delayed unless a payment is made, or a security provider is connected to criminal actors?
THIRA-style analysis forces a company to model realistic scenarios, assess consequences, and then determine whether it has the capability to respond. That means authority, communications, escalation, training, legal review, security protocols, financial controls, and board reporting must all be stress-tested before the crisis.
Continuous Monitoring Is Not Optional
In ordinary compliance discussions, “continuous monitoring” can sound like a best practice phrase. In a high-threat environment, it is an operating necessity. The attached article notes that threats can change by the hour, routes can become unsafe, infrastructure can fail, and misinformation can spread intentionally.
The compliance parallel is direct. A company cannot rely only on lagging indicators, annual certifications, or publicly available reports. In cartel-influenced markets, yesterday’s intelligence can create today’s exposure. The risk function must have access to live operational data, hotline reports, security intelligence, payment anomalies, logistics disruptions, vendor changes, law enforcement alerts, and local business intelligence.
This also requires delegated authority. If compliance or security sees a threat but lacks authority to pause activity, reroute shipments, reject a vendor, escalate a payment, or stop a transaction, the program is underpowered. Policies without authority are not controls. They are artifacts.
The Board’s Role: Oversight, Not Assumption
Boards must also recalibrate. Duncan’s point that boards often understand risk exists but do not always understand their lane should resonate with every CCO. The board’s role is not to manage routes, approve security plans, or second-guess local threat intelligence. Its role is to ensure that management has identified the risk, defined risk tolerance, resourced the response, assigned authority, and created reliable reporting.
In cartel-driven markets, the board should ask: Where are we operating in areas of criminal influence? Which third parties are essential to those operations? How do we know they are not compromised? What payments, donations, sponsorships, logistics arrangements, or security relationships create exposure? What is our escalation protocol if an employee, vendor, union representative, community leader, or government official signals coercion?
Risk tolerance must be written, debated, approved, and revisited. Silence is not neutrality. It is permission.
Security Is a Compliance Function
The attached article makes another crucial point: security is not just physical. Insider threats, personal vulnerabilities, substance abuse, coercion, espionage, poor training, and cultural dysfunction all create compliance exposure. Employees must understand not only what the rules are, but why the rules matter and how criminal organizations exploit weak points.
In Venezuela, the State Department’s June 27, 2026 advisory tells travelers to reconsider travel because of crime, kidnapping, terrorism, poor health infrastructure, and natural disaster risk, and it identifies Tren de Aragua and Cartel de los Soles as FTOs that started in Venezuela and continue to operate. The same advisory states that the U.S. government is extremely limited in its ability to provide emergency services to U.S. citizens, especially outside Caracas. That is a board-level fact pattern. It affects duty of care, insurance, crisis response, employee travel, third-party security, incident reporting, and operational continuity.
Build the Threat Hub
The most practical recommendation is the creation of a threat hub. It should be a cross-functional forum where legal, finance, operations, security, compliance, and other functions review threats, vulnerabilities, and operational changes. This is precisely what mature compliance should look like in a high-risk market.
The threat hub should review incidents, routes, payments, vendor changes, customer anomalies, government interactions, community demands, employee reports, and security intelligence. It should have authority to escalate. It should report to management and the board. It should test crisis plans through realistic exercises.
Practical takeaways
First, refresh the risk assessment now. Second, add THIRA-style scenario planning to cartel and TCO risk. Third, empower compliance and security to act in real time. Fourth, review third parties, major contracts, customers, logistics providers, unions, community intermediaries, and security vendors. Fifth, educate the board on its oversight role and require explicit risk tolerance.
The final lesson is simple. In high-threat markets, static programs fail. Assumptions kill preparedness. Authority matters. Culture is defined by what leaders tolerate. The choice for every company is whether to learn before the crisis or after it.
What this conversation makes clear is that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments. Security has taken on even greater importance in Venezuela as President Trump has announced the US will not provide any security to US companies returning to the country.
For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness. Authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.
The choice, as always, is whether to learn before the crisis or after it.
The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.
ACI is the sponsor of today’s blog.