The Culture Builder’s Trilogy: Part 3 – The Art of Celebration: What Compliance Chooses to Honor Becomes Culture

Ed. Note: We conclude our three-part blog post series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

The final book in Hemma Lomax and Ashley Dubriwny’s trilogy, The Art of Celebration, completes the arc. Ideation imagines what is possible. Implementation gives that possibility form. Celebration sustains the culture by recognizing what matters, reinforcing what works, and creating the memory that carries the organization forward.

For compliance professionals, celebration may sound like the least obvious compliance discipline. That would be a mistake. The authors make clear that celebration is not decorative. It is strategic. It is a feedback system. It teaches people what the culture values. It turns behaviors into norms and norms into identity. The compliance lesson is profound: what the organization celebrates, it multiplies.

Lesson One: Recognition Is a Control Signal

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) focuses on incentives and consequences, providing compliance professionals with a regulatory rationale to take compliance seriously. The DOJ’s compensation and clawback Pilot Report states that prosecutors consider whether companies use positive incentives for ethical behavior and compliance leadership, whether compensation systems include compliance criteria, and whether companies penalize breaches of the compliance program.

That means recognition is not merely an HR activity. It is part of the control environment. When a company celebrates only sales growth, deal speed, cost reduction, or heroic problem-solving after avoidable chaos, employees learn what really matters. When a company celebrates employees who pause a transaction over a red flag, escalate a concern, improve a control, cooperate in an investigation, or protect a colleague from retaliation, employees learn a different lesson. The question for the CCO is not whether the company celebrates. Every company celebrates something. The question is whether those celebrations are aligned with the Code, controls, risk appetite, and ethical commitments.

Lesson Two: Celebration Can Strengthen Speak-Up Culture

The Art of Celebration explains that appreciation and recognition can foster conditions of trust, belonging, openness, and moral reasoning. The book ties celebration to the willingness to speak up, take healthy risks, protect colleagues, and choose integrity. This has direct compliance relevance. Employees do not report concerns simply because the hotline exists. They report when they believe the organization values truth over comfort. They report when managers respond with care. They report when prior reporters were not punished, isolated, or ignored.

Celebration can reinforce this. A company should not publicly identify confidential reporters, but it can celebrate the behavior of raising concerns, asking hard questions, and improving systems. It can share anonymized stories showing that reports led to meaningful improvements. It can recognize managers who receive concerns well. It can reward teams that identify and remediate control gaps before they become enforcement problems.

Lesson Three: Celebration Must Be Aligned, or It Becomes Dangerous

The authors are careful to address the shadow side of celebration. Misaligned recognition can distort culture. They cite examples where companies celebrated the wrong behaviors, including aggressive sales targets, engineering brilliance without ethical oversight, deal-making over transparency, speed over safety, and ambition over rigor.

This is where compliance professionals should pay close attention. Wells Fargo did not fail because it lacked stated values. It failed because its operating incentives and recognition systems pushed employees to open accounts at any cost. Boeing’s 737 MAX crisis offers another cautionary tale about what can happen when cost, schedule, and production pressure overwhelm engineering judgment and safety culture. Volkswagen shows the risk of celebrating technical performance while ethical guardrails lag. Celebration is therefore not harmless. It is a governance tool. If the company celebrates the wrong thing, it creates evidence of cultural misalignment. If it celebrates the right thing, it demonstrates culture in practice.

Lesson Four: Metrics of Morale Must Be Ethical

One of the most forward-looking sections of The Art of Celebration addresses the “metrics of morale.” The authors explore how organizations can use communications data, sentiment analysis, wearables, AI-assisted pattern recognition, and cultural dashboards to better understand trust, stress, belonging, and burnout. They also warn that these tools must be used as coaching systems, not surveillance systems. Participation should be voluntary, data should be aggregated, and insights should improve systems rather than punish individuals.

That is a critical lesson in AI governance. AI can help compliance detect cultural signals, emerging risks, retaliation patterns, training gaps, and control friction. But AI can also chill speech, invade privacy, amplify bias, or turn culture monitoring into employee surveillance. For CCOs, the right framework is clear. Use AI to improve governance, risk sensing, and employee support. Anchor it in transparency, purpose limitation, access controls, human review, and documented risk assessment. Align the work with the NIST AI Risk Management Framework, ISO/IEC 42001, privacy principles, and the company’s own AI governance program.

Lesson Five: Rituals Preserve Culture Under Pressure

The book’s discussion of rituals is especially important for compliance. Rituals are repeated practices that teach a community what to remember. In compliance, rituals can include investigation debriefs, quarterly risk reviews, third-party red-flag meetings, manager speak-up moments, annual code refresh discussions, control-owner certifications, AI use reviews, and post-remediation lessons learned.

A ritual is stronger than a reminder. A reminder tells people to do something. A ritual teaches people who they are. This matters under pressure. When a quarter-end target is at risk, when a sales team faces a red flag, or when a senior leader wants to move quickly, the organization will not live up to the words in its code. It will fall to the level of its practiced rituals. If those rituals include escalation, challenge, documentation, and accountability, the culture has muscle memory.

Compliance Application

Celebration belongs in the compliance program because it helps answer one of the DOJ’s most important practical questions: Does the company incentivize compliance and ethical behavior in a meaningful way? The Criminal Division’s compensation pilot report states that companies that proactively design compensation systems to incentivize ethical behavior and that adopt company policies are better positioned to prevent misconduct, generate reports, address incidents before they escalate, and build a company-wide culture of compliance.

A mature compliance program should therefore examine recognition, promotion, compensation, awards, leadership messaging, and performance management as part of the control environment. The CCO should ask not only what misconduct is punished but also what integrity is honored.

CCO Questions

  • What behaviors does the company currently celebrate, formally and informally?
  • Do performance reviews, promotions, bonuses, and awards reflect ethical leadership and control ownership?
  • Are speak-up, cooperation, remediation, and control improvements recognized as business contributions?
  • Do we use cultural data and AI responsibly, or are we creating surveillance risk?
  • What rituals reinforce the compliance program under pressure?

Practical Takeaways

  1. Inventory what the company celebrates in awards, town halls, performance reviews, and leadership communications.
  2. Align recognition with the Code, internal controls, speak-up expectations, and risk management priorities.
  3. Create anonymized speak-up success stories that show reporting leads to improvement.
  4. Review incentive structures for misconduct risk and compliance-positive behaviors.
  5. Build compliance rituals that preserve culture: pre-mortems, post-investigation lessons learned, recognition of control owners, third-party red-flag reviews, and AI governance check-ins.

Conclusion: The Compliance Culture Builder’s Discipline

Taken together, Hemma Lomax and Ashley Dubriwny’s trilogy offers compliance professionals something more than a culture-building framework. It offers a practical operating model for program effectiveness. The Art of Ideation reminds us that compliance begins with better questions, deeper listening, and the courage to design around employees’ lived experiences. The Art of Implementation shows that even the best ideas fail unless they are operationalized through alignment, ownership, testing, adoption, and iteration. The Art of Celebration completes the cycle by showing that culture is sustained by what the organization chooses to recognize, repeat, and remember. This is the full arc of a mature compliance program: imagine wisely, execute consistently, and reinforce intentionally.

For the CCO, the message is clear. Culture is not an abstraction, and it is not a slogan. It is built through the systems employees use, the controls they trust, the concerns they feel safe raising, the incentives they see rewarded, the investigations they experience as fair, and the stories leaders choose to elevate. The DOJ’s ECCP asks whether a compliance program is well designed, adequately resourced, empowered to function, and working in practice. This trilogy gives compliance professionals a human-centered way to answer those questions with evidence. Ideation creates the insight. Implementation creates the operating discipline. Celebration creates the cultural memory.

The larger lesson is that compliance professionals are not simply policy owners, trainers, investigators, or risk managers. They are culture builders. They help organizations decide what matters, operationalize those commitments, and ensure they endure under pressure. In an era of AI governance, third-party complexity, speak-up expectations, incentive scrutiny, and board oversight, this work is more important than ever. The compliance programs that will matter most are not the ones with the most polished documents. They are the ones where employees know how to act, leaders know what to reinforce, controls work in practice, and the organization honors integrity as a business discipline.

That is the power of the trilogy. It takes us from possibility to practice to permanence. It reminds us that compliance effectiveness is not created in a single policy rollout, annual training event, or investigation report. It is created over time through disciplined attention to what people need, how work happens, and what the organization chooses to celebrate. For the modern compliance professional, this is both the challenge and the opportunity: to build a culture where ethics is not episodic, controls are not ornamental, and integrity is not merely stated. It is lived, reinforced, and carried forward.

The Culture Builder’s Trilogy: Part 2 – The Art of Implementation: Where Compliance Culture Lives or Dies

Ed. Note: We are in the midst of a three-part blog post series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

If The Art of Ideation is about imagining better compliance, The Art of Implementation is about making it real. Hemma Lomax and Ashley Dubriwny write that implementation is where culture lives or dies. That single sentence could serve as a mission statement for every Chief Compliance Officer.

Compliance professionals know this problem well. A program can include a strong code of conduct, a comprehensive policy inventory, a well-designed training calendar, a hotline, third-party procedures, and investigation protocols. Yet the DOJ does not ask whether a company has merely created compliance artifacts. It asks whether the program works in practice. That question goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. That is why The Art of Implementation matters. It moves from aspiration to action. It asks how values become systems, how ideas become habits, and how culture becomes durable.

Lesson One: Mindset Before Method

The book begins with a critical insight: implementation begins with how you think. Lomax and Dubriwny identify four commitments of the culture builder’s mindset: empathy before enforcement, curiosity over control, influence rather than insistence, and legacy as a lens. For compliance professionals, this is not a rejection of enforcement. It is a recognition that enforcement without trust creates fear, not culture. A CCO must enforce standards, discipline misconduct, and protect the company. But a CCO must also understand why employees resist, where controls create friction, and how people make decisions under pressure.

This is the difference between a compliance function that says “no” and one that helps the business get to “yes, with controls.” The former may be respected in moments of crisis. The latter is trusted before the crisis arrives.

Lesson Two: Think, Build, Ship, Adopt, Tweak

One of the strongest frameworks in the book is the five forces of implementation: think, build, ship, see it adopted, and tweak. The model is practical and deeply consistent with the ECCP. “Think” means design the change with empathy. “Build” means operationalize the intention. “Ship” means start before every detail is perfect. “Adopt” means embed the practice into the culture. “Tweak” means learn, adjust, and improve.

This is what compliance program effectiveness should look like. A CCO should not wait three years to discover that annual training did not change behavior. A third-party control should not remain unchanged after repeated red flags. An AI acceptable use policy should not sit static while employees quietly adopt new tools. A speak-up program should not wait for a scandal before testing whether employees trust it. The compliance application is straightforward. Build compliance like a product. Test. Measure. Listen. Improve.

Lesson Three: Alignment Accelerates Implementation

The book’s discussion of alignment is essential for compliance. Lomax and Dubriwny use Ocean’s Eleven as a cultural reference point. The plan works not because one person is brilliant, but because purpose, people, and process are aligned. Implementation fails when a good idea lacks the right coalition, operational fit, or timing.

This is a core challenge for the CCO. Compliance cannot implement an effective third-party program without the support of procurement, finance, legal, sales, audit, and business leadership. Compliance cannot govern AI without IT, data science, privacy, cybersecurity, HR, legal, and business users. Compliance cannot build a speak-up culture without managers. Stakeholder mapping is therefore not an administrative exercise. It is a governance control. It identifies who can accelerate the initiative, who can block it, who must own it, and who must maintain it after launch.

Lesson Four: Find Failure First

The pre-mortem section of The Art of Implementation is one of the most useful tools for compliance professionals. The authors ask teams to imagine that an initiative has failed and then work backward to identify why. This is precisely how CCOs should approach major program changes. Before launching a new hotline platform, ask why employees might still avoid reporting. Before deploying AI-assisted monitoring, ask about potential privacy, bias, transparency, and explainability concerns. Before rolling out a third-party due diligence platform, ask why business teams might work around it. Before redesigning incentives, ask what unintended behaviors the new metrics could create.

Pre-mortems are internal controls in action. They force the organization to identify failure modes before the market, the regulator, the whistleblower, or the plaintiff does. They are a powerful tool at your disposal as a CCO or compliance professional.

Lesson Five: Movements Beat Mandates

A particularly powerful theme in the book is the distinction between mandates and movements. Mandates may produce obedience. Movements produce ownership. For compliance professionals, this is a critical distinction.

The Wells Fargo fake sale scandal remains a cautionary tale about mandates, metrics, and fear-based performance pressure. Employees may comply with the apparent demand for results while violating the organization’s deeper values. That is why incentives matter. The DOJ has emphasized that companies should use both incentives and consequences to promote compliance. Its compensation and clawback pilot report states that affirmative metrics and benchmarks can reward compliance-promoting behavior and that financial penalties can deter risky behavior.

This is where compliance culture becomes real. Employees need to see that ethical leadership, controlled discipline, speaking up, and responsible business performance are recognized, promoted, and rewarded. They also need to see that misconduct, retaliation, and willful blindness have consequences.

Compliance Application

The CCO’s implementation challenge is to convert program design into operational evidence. That evidence includes adoption data, control testing, investigation metrics, remediation tracking, third-party monitoring, AI use inventories, exception reporting, and incentive alignment. Implementation also requires courage. A CCO must be willing to ship pilots, gather feedback, and make changes. The compliance function must stop equating launch with success. Launch is the beginning. Adoption, evidence, and improvement are the proof.

CCO Questions

  • Which compliance initiatives have been launched but not adopted?
  • Do we have stakeholder maps for our most important compliance priorities?
  • Are we running pre-mortems before major program changes, including AI governance, third-party risk, speak-up enhancements, and incentive redesign?
  • Do our incentives reward ethical behavior, promote control ownership, and ensure transparency?
  • What compliance practices would continue if the current CCO left tomorrow?

Practical Takeaways

  1. Identify one compliance initiative that stalled and run a pre-mortem on why it failed.
  2. Build a stakeholder map for AI governance or third-party risk.
  3. Convert one compliance aspiration into a measurable operating practice.
  4. Review incentives and promotion criteria for compliance signals.
  5. Treat implementation as the evidence layer of the compliance program. Regulators do not reward intentions. They evaluate what works.

Implementation is where compliance culture is tested. It is where the organization discovers whether its ideas can survive business pressure, competing priorities, operational friction, and human resistance. Yet even the best-implemented program must still be sustained. Controls must be reinforced. Speak-ups must be protected. Ethical behavior must be recognized. Employees should see that integrity, not just performance, is valued by the organization. That is the work of the third book in the trilogy, The Art of Celebration.

Join us tomorrow for Part 3, where we will turn to celebration as a compliance discipline and explore how recognition, incentives, rituals, morale metrics, and cultural memory shape what employees believe the company truly values.

The Culture Builder’s Trilogy: Part 1 – The Art of Ideation: Compliance Begins with Better Questions

Ed. Note: Over the next three blog posts, I will be running a short series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

Hemma Lomax and Ashley Dubriwny’s The Art of Ideation is, on one level, a practical guide for culture builders. On another level, it is a challenge to compliance professionals: stop treating compliance as a function that merely publishes rules, delivers training, and waits for reports. Start treating compliance as a discipline of curiosity, engagement, design, and shared intelligence.

The book begins with a simple but powerful premise. Culture builders need ideas, but more importantly, they need the skill to generate better ideas through peer ideation, storytelling, and crowdsourcing intelligence. Lomax and Dubriwny describe the spark that came from compliance professionals exchanging creative approaches at a conference table and then ask why that energy should be limited to a once-a-year event. Their answer is to make ideation intentional, repeatable, and community-based.

For compliance professionals, this is not a soft concept. It goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. The compliance lesson from The Art of Ideation is clear: a program that does not ask better questions will not get better answers.

Lesson One: Know Your Audience Before You Design the Control

One of the book’s strongest lessons comes from the São Paulo story. Hemma arrives in Brazil to speak to more than 200 sales executives. Rather than deliver a generic compliance presentation, she uses images and experiences from the city itself to connect with the local audience. The lesson is not simply that visuals work. The deeper lesson is that compliance must demonstrate cultural awareness before it asks for behavioral change.

Too many compliance programs are still designed from the top down. Policies are written in legal language. Training is translated late, if at all. Hotline posters are posted in areas where employees do not work. Codes of Conduct speak to an imagined employee rather than the actual workforce.

The ECCP lens is unforgiving here. A risk-based program must be tailored to the company’s risk profile, business model, workforce, geography, and operations. If field employees, sales teams, or third-party-facing personnel cannot access guidance in the moment of need, the control may exist on paper but fail in practice.

Lesson Two: Storytelling Is a Control Enhancement

Dubriwny’s discussion of training emphasizes that facts alone rarely change behavior. Stories create context, emotion, and recall. In compliance, that matters because most misconduct does not arise from someone misunderstanding a policy title. It arises in moments of pressure, ambiguity, fear, loyalty, or perceived business necessity. A good compliance story can show what a conflict of interest feels like. It can show why a facilitation payment creates risk. It can show how retaliation begins quietly. It can show a manager what it means to receive a concern well.

This is especially important for a culture of speaking up. Employees do not speak up because a poster says they can. They speak up because they believe the organization will listen, protect them, and act. The Art of Ideation repeatedly returns to the need to meet people where they are, involve them, and design engagement pathways that feel safe. That maps directly onto the ECCP’s focus on confidential reporting, anti-retaliation, and investigation processes, as well as employees’ trust in those systems.

Lesson Three: The Code of Conduct Should Be Designed to Work

The book’s chapter on Codes of Conduct is especially useful for CCOs. It asks whether the Code is an external artifact, a regulatory box-checking document, or a decision-making tool for employees. The answer should be all of the above, but the priority must be the employee user. That is a powerful compliance point. A code should not merely state values. It should operationalize them. It should be accessible, visually clear, mobile-friendly, translated appropriately, and supported by examples that reflect real roles, geographies, and pressures. The authors argue that a Code should be co-created, tested, and designed so people can see themselves in it.

This has implications for internal controls. A policy no one reads is not a meaningful control. A code no one uses is not a cultural anchor. A decision tree that helps an employee escalate a third-party red flag is more valuable than a beautifully written paragraph no one remembers.

Lesson Four: Crowdsourcing Risk Intelligence Is Compliance Modernization

Perhaps the most compliance-relevant section of the book is the discussion of crowdsourcing intelligence. Lomax and Dubriwny argue that leadership does not have a monopoly on the perspectives needed to identify risk. Employees across functions, geographies, and levels see vulnerabilities long before they appear in formal reporting channels. This is exactly where modern compliance must go. Annual risk assessments remain useful, but they are not enough on their own. A CCO needs real-time, near-real-time, and frontline input. This includes surveys, focus groups, collaboration tools, investigation themes, hotline trends, third-party feedback, and data analytics.

AI governance fits here as well. The book encourages responsible experimentation with AI, including using AI to make policies more accessible, generate first drafts, synthesize information, and provide decision-useful guidance. In compliance terms, AI should not be a gimmick. It should be governed, risk-assessed, monitored, and used to improve the employee experience.

Compliance Application

For the compliance professional, ideation is not brainstorming for its own sake. It is how the CCO identifies gaps, improves controls, tests training, strengthens speak-up systems, modernizes the Code, and uses AI responsibly. It is how compliance moves from headquarters’ assumptions to operational intelligence.

The lesson is also relevant to investigations. The book’s discussion of investigations emphasizes empathy, transparency, gratitude toward participants, and learning from the process. That is an important reminder that investigations are not simply fact-finding exercises. They are moments when employees decide whether the compliance function is credible.

CCO Questions

  • Does our compliance function know how employees actually experience our Code, training, reporting channels, investigation process, and third-party controls?
  • Are we using peer ideation, frontline feedback, and cross-functional input to improve the program?
  • Where are we still relying on headquarters assumptions rather than operational evidence?
  • How are we using AI to improve accessibility, consistency, risk sensing, and employee guidance without weakening confidentiality, privacy, or human judgment?

Practical Takeaways

  1. Redesign one compliance communication from the user’s perspective. Make it shorter, clearer, more accessible, and easier to act on.
  2. Create an ideation circle around one major compliance risk, such as third-party due diligence, gifts and entertainment, speaking up, or AI use.
  3. Test your Code of Conduct with employees from different geographies and functions before the next refresh.
  4. Add crowdsourced risk intelligence to your risk assessment process.
  5. Treat ideation as a compliance control. Better questions produce better evidence, and better evidence produces a more effective program.

Ideation is where the compliance professional begins to see what is possible. It gives the CCO better questions, stronger engagement, richer risk intelligence, and a more human understanding of how employees experience the program. But ideas alone do not create culture. A redesigned code, a better speak-up message, a sharper AI policy, or a new third-party risk insight only matters if it moves from concept to practice. That is where the second book in the trilogy, The Art of Implementation, takes us next.

Join us tomorrow in Part 2, where we will examine how compliance professionals turn good ideas into operating discipline through alignment, stakeholder ownership, pre-mortems, adoption, incentives, and the hard work of making values real inside the business.