Tag: Board of Directors

Categories
Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Board of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. AI full Risk Dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required include policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

You asked for a combined dashboard and narrative with 8–10 KPIs. Here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

1. AI Inventory Coverage Rate

Percentage of AI use cases captured in the registry versus estimated footprint.

2. Risk Classification Completion Rate

Percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).

3. Pre-Deployment Review Pass Rate

Percentage of deployments that cleared required testing and approvals on first submission.

4. Model Change Control Compliance

Percentage of model changes executed with documented approvals, testing evidence, and rollback plans.

5. Explainability and Documentation Score

Percentage of in-scope use cases with complete documentation, rationale, and user guidance.

6. Monitoring Coverage

Percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.

7. Issue Closure Velocity

Median days to close AI governance issues, by severity.

8. Internal Audit Coverage and Findings Trend

Number of audits completed, rating distribution, repeat findings, and remediation status.

9. Red Team Findings and Remediation Rate

Number of material vulnerabilities identified and percentage remediated within the target time.

10. Escalations and Incident Rate

Number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and later.
  3. Regulatory landscape overview, including a variety of laws and regulatory approaches, including the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and several state law themes approaches.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.

Categories
Blog

Key Boards Issues for 2026: What Compliance and Governance Leaders Must See Coming

Boards entering 2026 are doing so in an environment defined not by stability, but by volatility. Regulatory priorities are shifting rapidly, geopolitical risk is reshaping markets, technology is accelerating faster than governance frameworks can keep pace, and long-standing assumptions about shareholder engagement and corporate oversight are being tested. In this environment, the role of compliance is no longer reactive or advisory at the margins. It is structural.

The Thoughts for Boards: Key Issues for 2026 memorandum from the law firm of Wachtell, Lipton, Rosen & Katz, which appeared in the Harvard Law School Forum on Corporate Governance, provides a valuable roadmap for boards navigating this uncertainty. For compliance professionals, however, the document does something more important: it reveals where governance risk is quietly migrating. The challenge for compliance leaders is not simply to track these developments, but to translate them into oversight, controls, and strategic guidance that boards can use going forward.

A More Permissive SEC Does Not Mean Less Risk

One of the most striking developments outlined in the memorandum is the SEC’s recalibration of its role. From easing reporting burdens to stepping back from adjudication of shareholder proposals under Rule 14a-8, the Commission is signaling greater deference to companies in deciding how and when to engage with shareholders. At first glance, this appears to reduce regulatory pressure. In reality, it shifts risk inward.

When regulators retreat, discretion moves to boards and management. Predictable SEC processes no longer mediate decisions about disclosure cadence, shareholder engagement, and proposal exclusion. They are governance judgments that will be evaluated ex post by investors, courts, activists, and the media. For compliance professionals, this means fewer bright lines and more gray zones.

The potential move toward semi-annual reporting is a prime example. While it may reduce short-termism, it also alters internal disclosure controls, forecasting discipline, and market expectations. Compliance must ensure that reduced frequency does not translate into reduced rigor. Less reporting does not mean less accountability.

DEI and ESG: From Public Messaging to Quiet Risk Management

The memorandum describes sustained political and regulatory pushback against DEI and ESG initiatives, including executive orders, revised SEC guidance, and heightened scrutiny of shareholder proposals. Yet it also notes an important countervailing force: institutional investors have not abandoned interest in these areas. They have become quieter. This creates a compliance paradox.

On one hand, public signaling around DEI and ESG may expose companies to political and regulatory risk. On the other hand, abandoning these initiatives entirely risks alienating long-term shareholders, employees, and business partners. The compliance function sits at the center of this tension. In 2026, DEI and ESG will increasingly be treated less as branding exercises and more as internal governance risks. Compliance leaders should focus on process integrity, consistency, and documentation rather than rhetoric. The question is no longer whether a company “supports” DEI or ESG, but whether its practices align with its stated values and risk disclosures.

Tone at the top matters here more than ever. Boards must understand that silence does not equal neutrality. How a company governs these issues internally will determine its exposure externally.

Government as Shareholder: A New Governance Reality

Perhaps the most underappreciated development highlighted in the memorandum is the Trump Administration’s growing role as an equity holder in public companies deemed critical to national security. These investments vary widely in form, from passive economic stakes to golden shares with veto rights over strategic decisions. For compliance and governance professionals, this raises novel questions.

Government ownership blurs traditional distinctions between regulator and shareholder. It introduces new stakeholders with potentially divergent objectives, including national security, industrial policy, and geopolitical strategy. Even when governance rights are limited, the mere presence of the government on the cap table can alter decision-making dynamics and investor perceptions.

Compliance must be prepared to advise boards on conflicts of interest, disclosure obligations, and fiduciary duties in this new context. The risk is not simply regulatory; it is structural. Companies operating in sensitive sectors must assume that government involvement is no longer exceptional but potentially recurring.

AI Oversight Moves from Optional to Mandatory

Artificial intelligence dominated board agendas in 2025, and there is no indication that attention will diminish in 2026. The memorandum correctly emphasizes that AI is no longer confined to technology companies. It is embedded in products, operations, compliance monitoring, and decision-making across industries. For boards, the oversight challenge is acute. AI introduces opacity, speed, and scale that traditional governance frameworks were not designed to manage. For compliance officers, this creates both opportunity and risk.

AI is increasingly used within compliance itself, from transaction monitoring to proxy voting analytics. But the use of AI does not eliminate accountability. Boards will still be expected to understand how AI systems function, what risks they create, and how those risks are mitigated.

This is why board-level AI literacy is becoming a governance imperative. Compliance leaders should be proactive in helping boards understand AI not as a technical novelty, but as a risk multiplier. Data governance, model bias, explainability, and third-party reliance must all be incorporated into enterprise risk management frameworks.

Crypto and Digital Assets: Strategy First, Compliance Always

The memorandum highlights a friendlier regulatory environment for crypto-assets, alongside growing corporate interest in crypto treasury strategies and asset tokenization. This combination is dangerous if misunderstood. Regulatory friendliness is not regulatory clarity. Crypto engagement introduces risks related to custody, valuation, sanctions, AML, cybersecurity, and financial reporting. Boards that view crypto as a strategic opportunity without fully appreciating these risks are exposing the company to significant downside.

Compliance must insist on strategic discipline. Why is the company engaging with crypto? What problem is it solving? How does it align with the business model? Without clear answers, crypto becomes speculation rather than strategy. In 2026, compliance officers should expect to spend more time explaining why not to move quickly than how to move fast.

Shareholder Engagement Is Becoming More Fragmented, Not Less Important

The memorandum’s discussion of shareholder engagement reflects a fundamental shift. Institutional investors are splintering their stewardship approaches. Retail investors are more organized and more volatile. Proxy advisors are under regulatory and political attack. The result is unpredictability.

Boards can no longer rely on a small set of proxy advisor recommendations or institutional voting norms. Engagement must become more targeted, more frequent, and more informed. Compliance plays a critical role here by ensuring that engagement practices remain consistent with disclosure rules, insider trading controls, and governance policies.

The rise of retail activism and meme-stock dynamics also creates reputational risk that traditional governance tools were not designed to address. Social media is now a governance arena. Compliance must help boards understand that investor relations, communications, and risk management are increasingly inseparable.

Delaware Still Matters, Even as Alternatives Emerge

Finally, the memorandum addresses trends toward reincorporation in Texas and Nevada, as well as Delaware’s legislative response. While high-profile moves grab headlines, the underlying message is continuity rather than disruption. For most public companies, Delaware remains the default for a reason: predictability. Reincorporation carries costs, risks, and uncertainty that often outweigh perceived benefits. Compliance professionals should ensure that boards approach these decisions with discipline rather than reaction to political or cultural trends. Governance arbitrage is rarely a substitute for governance quality.

Conclusion: Compliance as Governance Infrastructure

The overarching lesson from the Key Issues for 2026 memorandum is that governance risk is becoming more diffuse, not less. Regulatory pullbacks, technological acceleration, geopolitical intervention, and fragmented shareholder bases all point to one conclusion: boards will be expected to exercise more judgment with fewer guardrails. As with all things under this Trump Administration, another key concept is volatility. That places compliance at the center of corporate governance.

In 2026, effective compliance will not be measured solely by the absence of enforcement actions. It will be measured by whether boards can navigate volatility and ambiguity without losing coherence, integrity, or trust. Compliance professionals who understand this shift will be indispensable partners in long-term value creation.

Categories
Blog

Returning to Venezuela: Why “Yes, If” Is the Only Defensible Compliance Answer

Most of you readers know that sometimes when I get going on a project, it (the project, not me) just keeps on growing. What started as a podcast with Matt Ellis on the risks of going back into Venezuela expanded out into a series of podcasts on the FCPA Compliance Report and with Mike DeBernardis on All Things Investigations. The podcasts led to a five-part blog post series on the same topic in the FCPA Compliance and Ethics Blog. I then needed to expand the blogs into a book and provide forms, checklists, frameworks, and deployment packs for compliance professionals to help them think through the issues presented in Venezuela and in other similarly high-risk jurisdictions.

All of that has led to the only book on how to return to Venezuela, Returning to Venezuela: The Compliance Guide to Yes, If (Title inspired by Mike DeBernardis). It is available in both print and eBook versions on Amazon.com.

When companies talk about returning to Venezuela, the conversation almost always begins with opportunity. Oil reserves. Market access. First-mover advantage. What the book Returning to Venezuela does is effectively reset that conversation where it belongs for compliance professionals: with reality. It is a disciplined, compliance-first analysis of what it actually means to operate in one of the world’s highest-risk jurisdictions.

The core message is uncompromising but straightforward: Venezuela is not a place for optimism, informal controls, or siloed compliance. It is a stress test. If your compliance program can function there, it can function anywhere. If it cannot, no license, policy, or assurance letter will save you. The book is not a warning label about Venezuela. It is a working manual for how a compliance function should assess risk, design controls, and govern decision-making before commercial momentum takes over.

Step One: Reframing the Risk Assessment

The first way a compliance professional should use Returning to Venezuela is to recalibrate how risk assessments are performed. Traditional country risk assessments often ask abstract questions: corruption perception scores, sanctions status, and enforcement history. Those inputs are necessary, but insufficient. Returning to Venezuela pushes compliance professionals to replace abstract scoring with operational mapping.

Instead of asking whether Venezuela is high risk, the framework asks:

  • Where will government discretion arise?
  • Where can delay be monetized?
  • Where does the business depend on intermediaries?
  • Where does value move, pause, or change form?

This is a critical shift. Risk is no longer treated as a country attribute. It becomes a process attribute. Compliance professionals can use Returning to Venezuela’s structure to redesign their risk assessment around real business steps: procurement, logistics, payment, security, licensing, and dispute resolution.

Step Two: Identifying Pressure Points Before They Become Incidents

Returning to Venezuela is especially useful in helping compliance professionals identify pressure points, not just risk categories. Pressure points are moments where the business is most likely to face demands for improper value, shortcuts, or exceptions. Procurement is one. Customs clearance is another. Security access, utilities, labor approvals, and payment routing are others.

Using Returning to Venezuela, compliance professionals can document:

  • Where pressure is expected;
  • Who owns the decision at that point?
  • What escalation looks like; and
  • When refusal or exit becomes mandatory.

This transforms compliance from a reactive role into a proactive role in designing decision architecture.

Step Three: Using the Checklists as Control Gates, Not Paper Artifacts

A common compliance failure is treating red flags as documentation exercises rather than control mechanisms. One of the strengths of Returning to Venezuela is that its red flags are designed as gates, not records. Each checklist answers a single question: Is this activity governable under our current assumptions?

Compliance professionals can deploy these checklists at defined moments:

  • Market entry discussions
  • Vendor and JV selection
  • Transaction structuring
  • Payment and banking design
  • Security and logistics planning

If a red flag cannot be cleared, the activity cannot proceed. That discipline is what makes the framework defensible. It also protects compliance officers personally, because decisions are anchored in documented governance rather than informal judgment.

Step Four: Integrating Risk Domains Instead of Managing Them in Silos

Another way compliance professionals should use Returning to Venezuela is as a blueprint for breaking down internal silos. The book makes clear that in Venezuela, corruption, export controls, AML, sanctions, security, and extortion are not separate risks. They are interconnected expressions of the same operating pressure. Treating them separately guarantees blind spots.

Practically, this means compliance can use the book to justify:

  • Integrated risk reviews instead of sequential sign-offs;
  • Shared escalation forums across functions;
  • Unified monitoring rather than separate dashboards; and
  • Common exit triggers across risk domains.

This is particularly important for AML. Returning to Venezuela positions money laundering risk not as a standalone compliance obligation, but as the capstone test of whether the entire framework works.

Step Five: Structuring Board Oversight Around Decisions, Not Updates

Too often, boards receive high-level compliance updates that provide comfort but not clarity. Returning to Venezuela gives compliance professionals a way to reframe board oversight around decisions, not reports. Using the board materials and decision templates, compliance can:

  • Force explicit risk acceptance;
  • Document assumptions that underpin approvals;
  • Secure delegated authority to pause or exit operations; and
  • Establish clear revisit and escalation triggers.

This protects both the organization and the compliance function. When conditions change, the discussion is no longer “Why did this happen? ” but “Which assumption failed, and what decision does that trigger? ” That is governance functioning as intended.

Step Six: Building a Repeatable Risk Management Framework

The final and most important way to use Returning to Venezuela is as a template, not a one-off Venezuela playbook. While the facts are Venezuela-specific, the framework is portable. Compliance professionals can lift this framework and apply it to:

  • Other high-risk markets;
  • Post-merger integration;
  • Sanctions-heavy environments; and
  • Complex third-party ecosystems.

The Appendices: The Operational Backbone of Returning to Venezuela: Yes, If

One of the defining features of Returning to Venezuela: The Compliance Guide to Yes, If is that it does not stop at analysis. The appendices convert risk identification into governance, decision-making, and operational control. They are not academic supplements. They are the machinery that makes a “yes, if” decision possible in practice.

Taken together, the appendices form an integrated compliance control stack designed for one purpose: to govern decision-making in an environment where corruption, coercion, sanctions, AML exposure, and weak rule of law are not edge cases but daily conditions.

Appendix A: One-Page Operational Checklists

Appendix A contains a series of one-page checklists, each focused on a distinct but interconnected risk domain. These are not policy summaries. They are operational gating tools meant to be used before decisions are made, not after problems occur.

Appendix B: The CCO Deployment Pack

Appendix B is written from the perspective of the Chief Compliance Officer and is explicitly operational. It is designed to be deployed internally to executive leadership, business sponsors, and control functions.

Appendix C: Board of Directors Materials

Appendix C is aimed squarely at directors and audit or compliance committees. Its function is not to educate boards on Venezuela generally but to structure how boards make, record, and revisit risk acceptance decisions.

Appendix D: Decision-Making Frameworks

Appendix D pulls together the logic underlying the entire book. It provides decision-making frameworks that force organizations to confront uncomfortable realities before committing resources.

How the Appendices Work Together

Individually, each appendix addresses a specific audience or function. Collectively, they form an integrated control system that aligns:

  • Operational decision-making.
  • Compliance authority.
  • Board oversight.
  • Exit discipline.

The appendices are designed to prevent the most common failure pattern in high-risk jurisdictions: waiting until conditions deteriorate before asking hard questions. By then, leverage is gone.

Final Thought

The most important contribution of Returning to Venezuela is that it does not accurately describe risk. It shows compliance professionals how to operate in the real world without surrendering control.

Used correctly, the book becomes a working tool:

  • To assess risk honestly;
  • To design controls that hold under pressure;
  • To align management and the board, and finally
  • To decide when “yes” becomes “no.”

For compliance professionals, that is not just risk management. It is about meeting the business in an operational setting with a risk management strategy for literally the highest risk on earth.

You can purchase Returning to Venezuela: The Compliance Guide to Yes, if on Amazon.com.

Categories
Blog

Board KPIs for AI Governance: Guidance from the ECCP

Corporate Boards are no longer asking whether their organizations will use artificial intelligence. The business has already answered that question. The only question that matters now is whether AI is being governed well enough to support growth without creating unmanaged risk.

For the corporate compliance officer, this reality creates both pressure and opportunity. Pressure, because Boards with minimal AI literacy still carry full fiduciary responsibility. Opportunity, because compliance is uniquely positioned to translate complex AI activity into oversight-ready information. The bridge between those two worlds is the right set of Board-level  Key Performance Indicators (KPIs) for AI governance. Moreover, I believe the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) can serve as a framework for developing appropriate KPIs for your Board.

In this blog post, we detail a set of Board-level KPIs for compliance professionals tasked with educating growth-oriented Boards on AI governance using a blended, ECCP-centric framework. It assumes that AI is already deployed across the enterprise, including generative AI, and that governance must enable innovation while enforcing guardrails.

Why Boards Need AI KPIs Now

The ECCP makes one point repeatedly and without ambiguity: regulators care less about written policies and far more about whether controls work in practice. Boards are expected to exercise oversight over risk, including emerging and technology-driven risks. AI is now firmly in that category.

AI governance KPIs are not about teaching directors how models work. They are about answering three questions every Board must be able to answer:

  1. Do we know where AI is being used?
  2. Do we control how AI changes over time?
  3. Can we detect, respond to, and remediate AI-related harm quickly?

If a Board cannot answer those questions with evidence, not narrative reassurance, the organization is exposed. The role of compliance is to ensure those answers are delivered in a form that directors can understand and act upon.

The KPI Philosophy: Enablement With Guardrails

Because this is a growth-oriented Board, the goal is not to slow AI adoption. The goal is to make AI scalable, defensible, and sustainable. KPIs must therefore do three things simultaneously:

  • Demonstrate coverage and control without micromanagement
  • Surface risk early, before incidents become enforcement events
  • Support informed decision-making, not technical debate

This means Boards should receive KPIs, escalation triggers, and narrative context. Numbers alone are insufficient. Context without metrics is worse.

Six Board-Level KPIs for AI Governance

The following six KPIs apply to all AI systems, including generative AI, within a unified governance framework. They are evidence-based, auditable, and aligned with the ECCP expectations for testing, monitoring, and continuous improvement.

1. Risk Inventory Coverage

This KPI measures the percentage of in-scope AI systems with a current, signed risk record documenting use case, data sources, impacts, potential harms, and safeguards. If AI is operating outside the risk inventory, it is operating outside governance. This KPI answers the most basic oversight question: do we know what we have? Any material AI system without a documented risk assessment or with an expired review date should be escalated for review.

The ECCP begins with risk assessment for a reason. Under the ECCP, they are directed to consider whether a company has identified and prioritized its risks, including emerging risks. AI, particularly GenAI, now squarely fits within that expectation. Risk Inventory Coverage directly answers the ECCP question: “What methodology has the company used to identify, analyze, and address the particular risks it faces? ” If AI systems are operating without a documented risk record, the program fails at step one. From an ECCP perspective, undocumented AI use is indistinguishable from unmanaged risk.

2. Model Change Control Adherence

This measures the percentage of AI model changes, including code, data, prompts, parameters, or vendors, that followed the approved change management process. Uncontrolled change is the fastest way for compliant AI to become noncompliant. This KPI assures directors that innovation is disciplined, not chaotic. Any production AI change implemented without pre-deployment testing, approval, or rollback capability should be escalated for review.

ECCP Alignment:

The ECCP explicitly evaluates whether policies are followed in practice, not merely written. Adherence to change control shows whether AI governance has real authority over business and technology decisions. Unapproved model changes undermine every safeguard the company believes it has in place. From the DOJ’s perspective, a control that can be bypassed without consequence is not a control. For your Board, this KPI demonstrates that AI innovation is disciplined and governed, not uncontrolled experimentation that creates hidden compliance exposure.

3. Model Lineage and Provenance Completeness

This KPI measures the percentage of AI systems with end-to-end traceability, enabling the reconstruction of how outputs were generated and decisions were approved. When something goes wrong, regulators and plaintiffs will ask how the AI reached its decision. This KPI determines whether the company can answer. Any high-impact AI system lacking sufficient documentation to support root cause analysis should be escalated for review.

This KPI is derived from the ECCP sections on Continuous Improvement, Periodic Testing, and Review, as well as Investigation, Analysis, and Remediation of Misconduct. The ECCP asks whether a company can understand why something went wrong and conduct effective root cause analysis. Without lineage and provenance, AI decisions cannot be reconstructed, tested, or explained. This KPI directly supports DOJ’s expectation that companies can investigate incidents, identify systemic weaknesses, and remediate effectively. For your Board, this KPI determines whether the organization can defend its AI decisions after the fact or whether it will be forced into speculation and guesswork.

4. Third-Party Model Assurance Coverage

This KPI measures the percentage of third-party AI tools and services that have completed due diligence, contractual controls, and periodic reassessment. Most AI risk now enters organizations through vendors. Boards must know whether those risks are being actively managed. Any use of third-party AI without completion of onboarding or with unresolved high-risk findings should be escalated for review.

This ties to the ECCP section around Third-Party Management. The ECCP is unambiguous on third parties. Companies are expected to conduct risk-based due diligence, impose contractual controls, and monitor third-party performance over time. Most AI risk now enters through vendors, platforms, APIs, and embedded models. Treating third-party AI differently from other third-party risks would be inconsistent with DOJ guidance. For your Board, this KPI shows that AI vendor risk is governed with the same rigor as bribery, sanctions, or data security risks.

5. AI Incident Mean Time to Resolution (MTTR)

This KPI measures the median time from detection of an AI incident to containment and recovery. Incidents are inevitable. What matters is how fast the organization responds. This KPI demonstrates operational resilience. Repeated incidents with increasing resolution times or incomplete remediation should be escalated.

This ties to the ECCP sections on Investigation, Analysis, and Remediation of Misconduct. The ECCP focuses heavily on how quickly and effectively companies respond to detected issues. Speed matters. Delayed containment signals weak controls and inadequate monitoring. AI Incident MTTR translates this expectation into a measurable operational outcome. It demonstrates whether the company can detect, contain, and remediate AI-related harm before it escalates into regulatory or reputational damage. For your Board, the key takeaway is that this KPI demonstrates operational resilience and governance maturity, not merely technical incident response.

6. Fairness and Robustness Pass Rate

This KPI measures the percentage of AI systems passing predefined fairness, bias, and robustness tests across relevant segments and use cases. It connects AI governance to ethical outcomes and reputational risk. Any material AI system deployed with known fairness or robustness failures should be escalated for review.

This ties to the ECCP sections on Continuous Improvement, Periodic Testing, and Review. The ECCP repeatedly asks whether companies test their controls and whether those controls work in practice. Fairness and robustness testing is the AI equivalent of transaction testing in anti-corruption or sanctions compliance. This KPI shows that AI systems are not only reviewed at launch but are continuously validated against defined risk thresholds. For your Board, the key takeaway is that this KPI demonstrates that ethical and legal AI commitments are enforced through testing, not slogans.

Board Oversight Questions Tied to AI KPIs

To close, here are Board-level questions compliance officers should encourage directors to ask:

  1. Which AI systems fall outside our current risk inventory, and why?
  2. Where have we accepted AI risk, and what safeguards justify that decision?
  3. Are AI changes happening faster than our governance can keep up with?
  4. How quickly can we detect and contain AI-related harm?
  5. Which third-party AI risks would cause us to pause or exit a deployment?
  6. How do these KPIs support growth rather than restrict it?

AI governance KPIs are not about slowing innovation. They are about making growth durable. For compliance professionals, delivering these metrics in a clear, disciplined, and Board-ready way is how AI governance becomes a strategic asset rather than a regulatory afterthought.

If you would like specific KPIs based on this blog, go over and subscribe to my Substack. At this point, it is free. Check it out here.

Categories
Blog

20 Questions Every Board Should Ask About AI

In boardrooms around the world, one theme now appears with more regularity than cyber risk, M&A uncertainty, or even financial performance. That topic is artificial intelligence. Not the lofty philosophical debate about whether machines will overtake human judgment, but the immediate, pragmatic question every director is trying to solve: How do we oversee AI in a way that protects the enterprise, unlocks value, and keeps regulators out of the boardroom?

For compliance professionals, this is a defining moment. AI risk has become the newest frontier where the board relies heavily on the compliance function to guide them. Sometimes with clarity, sometimes with guardrails, and occasionally with a well-timed reality check. This is the type of risk that exposes governance gaps quickly, and the questions the board asks, or fails to ask, will determine whether the company thrives in the age of AI or becomes the following cautionary tale.

Today, I outline 20 critical questions that every board should ask about AI. Think of them not simply as oversight prompts but as governance accelerators. Each one creates visibility, accountability, and structure. Those three elements are the foundation of every effective compliance program.

1. What are our highest-impact AI use cases, and who owns them?

Boards cannot oversee what they cannot see. The first and arguably most crucial step is obtaining a clear inventory of where AI is embedded in operations, not at a conceptual level, but with owners, systems, and risk ratings attached. When accountability is vague, risk grows quietly in the background.

2. How does AI support our strategic objectives and create measurable value?

AI is not a magic wand. It must support strategy, not distract from it. Boards should ask whether AI materially improves revenue, reduces cost, enhances safety, increases accuracy, or strengthens customer outcomes. If the answer is ambiguous, the company may be deploying AI for the wrong reasons.

3. What data powers these systems, and do we have the legal and ethical rights to use it?

Data is the fuel for AI, but not all data is created or sourced equally. Boards should expect clarity on licensing rights, privacy implications, and any limitations on the use and reuse of data. If data lineage is unclear, the company’s regulatory exposure may be far greater than it realizes.

4. How are we assessing and mitigating bias in both data and outcomes?

Bias is not only a fairness issue. It poses operational, legal, and reputational risks. Boards should see a methodology, not simply an aspiration. That includes periodic testing, remediation procedures, and documentation that can withstand scrutiny from regulators, auditors, or litigators.

5. What guardrails prevent employees from entering sensitive information into generative AI tools?

Most AI failures begin with human error. Boards should understand which safeguards are currently in place, including policies, training programs, and technical restrictions, and how the company tests their effectiveness.

6. What is our model validation process before deployment?

Deploying unvalidated models, or worse, models validated exclusively by developers, invites significant risk. Boards should confirm that model validation includes accuracy testing, robustness checks, and cross-functional review involving compliance, legal, risk, and data science.

7. How do we monitor for model drift or degraded performance over time?

AI is not static. Models evolve, environments shift, and accuracy degrades. Ongoing monitoring is essential. Boards should request a drift detection plan that includes clear thresholds, well-defined triggers, designated responsible owners, and documented response actions.

8. What is our incident response plan for AI failures, hallucinations, or data leakage?

AI failures rarely resemble traditional IT outages. They can be subtle, gradual, or hidden until significant damage occurs. A strong incident response plan clarifies roles, timelines, escalation paths, and expectations for communication with customers and regulators. Boards should insist on a rehearsal, not merely a promise.

9. How are we documenting AI-related decisions?

When regulators come calling, documentation becomes destiny. Boards should ensure that decisions tied to high-impact AI models are recorded in a manner that demonstrates thoughtful oversight, rather than blind reliance on automation.

10. Which AI regulatory regimes apply to us across global markets?

The regulatory landscape is evolving rapidly. The EU AI Act, sector-specific guidance from the United States, China’s AI regulations, and new frameworks emerging in Australia, Brazil, Singapore, and the United Kingdom are just a few examples. Boards should expect a regulatory heat map that outlines exposure, obligations, and enforcement priorities.

11. How do we manage the risk associated with third-party AI vendors and model providers?

Vendors introduce significant risk, particularly when foundation models or APIs change without notice. Contracts must include audit rights, IP protections, confidentiality provisions, and mechanisms for monitoring downstream risk. Boards should look for a vendor governance framework, not a spreadsheet with logos.

12. What training have employees received on the responsible use of AI?

Employees cannot follow principles they do not understand. Boards should expect role-based training with regular refreshers, testing, and usage monitoring, rather than one-time videos or superficial check-the-box modules.

13. How do we ensure human oversight for high-impact or high-risk decisions?

This is where compliance delivers real value. “Human in the loop” cannot simply mean that a person glanced at a dashboard. It means the right individuals reviewed the right decisions with clarity on when they are obligated to intervene.

14. What KPIs tell us whether our AI systems are performing safely and as intended?

Boards should expect dashboards containing more than accuracy scores. KPIs should include incident counts, time-to-remediation, drift flags, bias findings, and operational impacts. What the company measures reveals what the company values.

15. What controls protect AI models and proprietary data from cyber threats?

AI significantly expands the attack surface. Models can be stolen, manipulated, or poisoned. Boards should see evidence of hardened access controls, encryption, logging, and monitoring, along with procedures for handling prompt-injection attacks and adversarial inputs.

16. How do we ensure transparency with customers, employees, and regulators when AI is used?

Transparency is becoming a regulatory expectation in many jurisdictions. Boards should verify whether AI disclosures are clear, accurate, and accessible to users, rather than being hidden in dense terms of service.

17. Are we over-relying on AI in any mission-critical processes?

AI concentration risk is real. When too many decisions or functions depend on a single model or vendor, the entire enterprise becomes fragile. Boards should evaluate whether redundancies exist and whether a single point of AI failure could create systemic risk.

18. What ethical principles guide our AI development and deployment?

Ethical frameworks only matter when they are embedded in daily processes and decision-making. Boards should expect evidence that ethical considerations influenced model selection, data sourcing, vendor evaluation, and deployment controls.

19. How is Internal Audit providing independent assurance over AI?

Internal Audit must play a role. AI risk touches processes, data, controls, vendors, and governance. These are areas Internal Audit already understands well. Boards should expect AI to be included in the annual audit plan, supported by a structured methodology.

20. What investments are required to manage AI risk in the next 12 months?

Boards appreciate transparency, not surprises. AI governance necessitates ongoing investment in personnel, skills, monitoring tools, testing environments, and data management capabilities. If AI grows without proportional governance funding, the company creates risk rather than value.

Why These Questions Matter Now

We are entering an era in which regulators expect boards to demonstrate active oversight of AI, just as they do for cybersecurity, financial controls, and data privacy. Gone are the days when AI could be treated as an IT experiment or a futuristic curiosity. Today, it sits squarely in the center of corporate governance. This means compliance oversight is required. For compliance professionals, this is an opportunity to step forward and provide structure. We can shape the conversation, establish frameworks, and guide leadership toward responsible adoption and implementation. These 20 questions give the boards the clarity they need and ensure compliance with the influence it deserves.

AI presents extraordinary potential, but potential without oversight becomes risk. Compliance professionals can ensure that the board asks the right questions, receives the necessary information, and establishes the appropriate controls to ensure effective oversight. In the age of AI, strong governance is not simply a competitive advantage. It is a survival strategy.

If you would like the whole 20 Question list, please leave us a Voicemail.

Categories
Blog

Compliance and Building Resilient Boards

In today’s volatile world, the word “resilience” has become the boardroom’s rallying cry. From geopolitical risk to technological disruption, boards and C-suites are being asked to navigate what Deloitte calls a “multiverse” of parallel realities, balancing short-term shocks with long-term strategy. But BOD resilience is not just about surviving turbulence. It is about thriving through uncertainty. And that is where the corporate compliance function, often underestimated as a back-office monitor, can emerge as a strategic partner in building board-level resilience. This is the key message that resonates from a recent article in the Harvard Law School Forum on Corporate Governance, How Board and C-Suite Collaboration Can Build Organizational Resilience.

Effective collaboration between boards and executive teams strengthens organizational adaptability, foresight, and integrity. Resilience is not the absence of risk; rather, it is the ability to master a response. Today, we consider this article and mine it for lessons for compliance leaders seeking to help their boards become more resilient, responsive, and ready for the future.

1. Compliance as the Early-Warning System for the Board

The Deloitte survey highlights a growing reality: boards are increasingly overwhelmed by short-term risks, ranging from cyberattacks to economic volatility. They may overlook longer-term imperatives such as innovation and human capital development. Compliance professionals are uniquely positioned to serve as an early warning system for emerging risks. Through monitoring, testing, and continuous improvement, compliance provides data-driven insight into what is actually happening inside the business before it becomes a headline or regulatory crisis.

A resilient board depends on credible information flow. That means compliance must extend beyond reporting incidents to providing actionable intelligence. By translating risk data into actionable insight and identifying patterns in third-party due diligence, supply chain vulnerabilities, or employee reporting trends, the compliance function helps directors see around corners. As Gordon Nixon, chair of BCE Inc., put it, leadership today requires the ability to “synthesize complexity into decisive action.” Compliance gives boards the tools to do just that.

2. Turning Oversight Into Scenario Planning

According to Deloitte’s data, 86% of boards have increased their focus on risk monitoring and scenario planning, with 39% significantly stepping up their efforts. That is good news, but only if those exercises move beyond hypotheticals. This is where compliance can play a catalytic role. Scenario planning is most effective when it draws from real operational data, and no function gathers more cross-enterprise data than compliance. Every whistleblower report, transaction review, and training completion rate tells part of a story about how the organization will respond when tested.

A compliance leader should therefore help transform board discussions from abstract governance into strategic foresight. When boards examine potential crises, such as cyber breaches, sanctions violations, or ESG missteps, compliance can provide not just the risk but also the response map, including who is responsible, how escalation works, what past data reveals about reaction speed, and how remediation was measured.

3. Strengthening the Board–C-Suite Communication Loop

The Deloitte study finds that open, transparent communication between the board and CEO is the single most important factor in organizational resilience, cited by 66% of respondents. That transparency must extend beyond financial performance; it must include culture, ethics, and conduct. Compliance officers can serve as trusted interpreters between management and directors. Often, executives filter messages to the board, softening bad news or emphasizing short-term wins. A strong compliance function ensures that uncomfortable truths, emerging investigations, cultural risks, or weak control environments are brought to the board’s attention promptly and accurately.

Moreover, compliance officers can help foster “psychological safety,” a quality Deloitte found lacking on many boards. When executives and directors feel safe discussing failures and near misses, they can act more decisively and learn faster. Compliance teams, with their neutral and process-driven perspective, can facilitate those candid conversations.

4. Building the Skill Base for Resilient Oversight

One of the report’s most striking findings is a gap between board and C-suite perceptions of readiness. While 86% of directors believe they are providing the right support to management, only 73% of executives agree. The gap is even wider in terms of skill composition. Nearly half of C-suite respondents say boards lack the necessary expertise to guide them through today’s environment.

That is a call to action for compliance leaders. The modern compliance function serves as a knowledge hub, continuously monitoring global regulatory trends, AI governance frameworks, and emerging ESG risks. Boards can leverage this intelligence to refresh their own competencies. For example, compliance-led workshops on anti-corruption enforcement trends, cybersecurity reporting requirements, or AI ethics can help directors stay informed and prepared to challenge management with the right questions.

Sheila Murray, chair of Teck Resources, put it best: “If somebody’s coming to meetings and not participating, that’s on me. I’ve got to bring out the best in them.” Compliance can help by providing the content that sparks meaningful participation.

5. Embedding Agility and Integrity Into Board Culture

According to Deloitte, the most resilient organizations strike a balance between governance and agility. That’s easier said than done. Rigid board processes can impede responsiveness, while overly informal structures risk undermining accountability. Compliance can help build the right balance by institutionalizing agility without sacrificing integrity.

For instance, compliance can work with corporate secretaries to ensure that board minutes document not just decisions but also the rationale behind them. That strengthens the record for regulators and demonstrates that directors acted in good faith. Similarly, compliance can help shape board procedures to allow for rapid, ethics-aligned decisions in crisis conditions.

Roy Dunbar, an independent director at McKesson and Duke Energy, describes it this way: “What you want is to go deeper and ask more challenging questions around, ‘What are the threats? What are the opportunities? Where is growth going to come from? ” Those deeper questions about sustainability, AI, and ethical governance are exactly where compliance expertise can bring clarity.

From Reactive Oversight to Proactive Partnership

The Deloitte report concludes with a vision of co-creation between boards and management, transitioning from rigid oversight to a synergistic partnership. That’s also the next frontier for compliance. No longer confined to detection and discipline, the compliance function can become the architect of organizational resilience.

How? By helping boards connect the dots between ethics and performance. A resilient board is one that not only identifies risk but also ensures that values drive decision-making at every level. When compliance embeds those values into strategic planning, linking ethical conduct to innovation, transparency to investor trust, and governance to growth, the board’s resilience becomes systemic, not situational.

In a world where, as Anjali Bansal observed, “the level of uncertainty today is absolutely unprecedented,” resilience will depend less on predicting the next crisis and more on ensuring the integrity of the response. That is the mission compliance was born to serve.

What It Means for the Chief Compliance Officer

For the CCO, this moment represents both an invitation and a mandate. The board needs a partner who can translate regulatory language into strategic value and who can help bridge the trust gap between directors and management.

Here is how the CCO can deliver:

  1. Be the Board’s Barometer: Regularly update directors on the ethical health of the organization, including hotline data, investigation closure rates, and culture metrics, so that they can gauge the tone and trust across business units.
  2. Champion Cross-Functional Risk Alignment: Ensure that compliance, internal audit, and enterprise risk functions speak with one voice in board reporting. Fragmented risk narratives breed confusion, not confidence.
  3. Embed Compliance Into Resilience Planning: Collaborate with HR, IT, and finance to map how regulatory compliance underpins business continuity and crisis management.
  4. Educate for Anticipation, Not Reaction: Keep the board informed about emerging compliance trends, such as AI ethics, ESG reporting, or sanctions enforcement, so directors are prepared to govern the risks of tomorrow.
  5. Strengthen the Ethical Reflex: Make ethics an instinct, not an initiative, by integrating compliance into strategy discussions, M&A reviews, and innovation frameworks.

When the compliance function evolves from a rule enforcer to a resilience partner, it transforms board oversight from passive to proactive. It gives directors not just the confidence to govern but the courage to lead.

Categories
Blog

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The region’s board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

Categories
Blog

From Good to Great Governance: How Aspiring Directors Can Master the Art of Board Leadership

Exceptional boards do not happen by accident. They are the result of disciplined, emotionally intelligent, and strategically minded leadership —the kind that transforms oversight from a duty into an engine of organizational performance.

For anyone seeking a seat at the board table, the message from PwC in their Harvard Law School Forum on Corporate Governance article Effective Board Leadership: The Art of Doing It Well and the Risks of Getting It Wrong could not be clearer: you are not applying for a title;  instead, you are accepting a stewardship. Board leadership is about building trust, balancing competing priorities, and guiding organizations through uncertainty with integrity and foresight.

Today, I want to explore what aspiring board leaders can learn from PwC’s insights and how you can start cultivating the mindset and behaviors that distinguish a “good” director from a transformative one.

The Leadership Mindset: From Governance to Guidance

A company’s long-term health depends as much on its board as on its CEO. In a world of activist investors, digital disruption, and ESG scrutiny, the boardroom is no longer a ceremonial space. It’s where strategy, risk, and purpose intersect, and that intersection demands leaders who are curious, decisive, and adaptable. Board leaders, whether they are chairs, lead directors, or committee heads, do not lead by authority. They lead by influence. They unite peers, challenge management constructively, and maintain independence while working together with executives to deliver sustainable value.

For those preparing to join a board, it is important to understand early that governance is not about “watching management.” It’s about partnering with management to ensure that the organization not only complies but thrives. The most successful board leaders approach oversight like coaches, not referees, creating the conditions where CEOs and directors alike can perform at their best.

Emotional Intelligence Is a Strategic Advantage

PwC’s research emphasizes a trait too often overlooked in governance: emotional intelligence (EQ). Great board leaders cultivate psychological safety, encourage diverse viewpoints, and model humility. They admit when they do not know something. Aspiring directors should take note. Technical expertise, such as in finance, law, or operations, may get you into the boardroom. But EQ keeps you there. The best chairs and lead directors are skilled listeners who can defuse conflict, mediate divergent views, and maintain composure under pressure.

In practice, that means building trust one conversation at a time. It’s asking the right questions without posturing, pushing back without condescension, and fostering a tone of curiosity over certainty. When you can balance empathy with accountability, you create what PwC calls a “high-functioning relationship” between the board and CEO, one where issues are addressed early, tensions are managed constructively, and decisions are made with confidence.

Strategic Foresight: Thinking Beyond the Quarter

Boards exist to safeguard long-term value creation. Yet too many still fall into the trap of quarterly thinking, consumed by immediate performance metrics rather than strategic trajectory. Exceptional board leadership requires foresight: setting agendas that focus on the future, integrating strategy into CEO evaluation and succession planning, and regularly revisiting assumptions about risk and opportunity.

For future board members, this means you should always be thinking beyond compliance. During your candidacy, articulate how your experience contributes to forward-looking oversight. Can you connect market trends to strategic implications? Can you help a board think differently about innovation, sustainability, or geopolitical risk? Directors who elevate the conversation from “what happened” to “what’s next” are the ones who stand out and make a difference.

The Discipline of Continuous Improvement

The PwC framework underscores a powerful truth: even great boards can stagnate. Effective leadership is not static; it must evolve with the organization, industry, and stakeholder landscape. That’s why outstanding boards embrace structured self-assessment and external evaluation. They seek feedback not as a formality but as a growth mechanism. PwC’s data reveals that while 59% of directors believe their leadership manages board assessments well, only 34% think their leaders effectively address underperforming directors. That gap is where complacency grows.

For those aspiring to join boards, this insight is gold. It means that the best directors are learners, not lecturers. They reflect on their own blind spots, solicit feedback, and model a growth mindset. As a future board leader, consider developing a personal feedback practice now, whether through executive coaching, peer mentorship, or 360° reviews. Self-awareness today is preparation for stewardship tomorrow.

Balancing Oversight and Partnership

Every new director eventually faces a defining moment when the line between governance and management blurs. Do you step in or step back? The authors remind us that great board leadership maintains clarity of role. Directors exist to guide, not to manage. The best board chairs coordinate with the CEO regularly but avoid micromanaging execution. They set thoughtful agendas, focus discussions on outcomes, and intervene only when governance or ethics are at stake.

For those aiming for the boardroom, influence comes from credibility and restraint. You’ll need to learn when to question, when to support, and when to challenge, all while preserving trust. The art of board leadership lies in that balance; firm yet fair, supportive yet independent.

Building and Refreshing the Board Itself

A strong board is not just a collection of impressive resumes. It is a living organism that must evolve with the company’s mission. Outstanding board leaders take ownership of composition and succession. They identify skills gaps, coach underperformers, and bring in fresh perspectives to maintain energy and relevance. They also plan their own exits. PwC suggests that leadership roles should peak within five years and refresh within eight to ten years. This timeframe should allow enough time to build mastery without stagnating new ideas. Aspiring directors should see this as an invitation, not a warning. Governance needs renewal, and you may be the fresh perspective a board needs. Bring both humility and courage to that opportunity.

Navigating Stakeholders and Reputation Risk

Today’s directors must be diplomats as much as strategists. Shareholders, employees, regulators, activists, and the public all expect transparency and accountability. PwC highlights that effective board leaders help define who matters most, coordinate messaging with management, and ensure the board’s voice aligns with corporate purpose. They understand that trust is not a given but rather is earned through credibility, communication, and consistency. If you are pursuing a board role, develop your own credibility now. Contribute thoughtfully in your industry, write, speak, and mentor. Build a reputation for substance over self-promotion. Boards increasingly seek directors who can represent them confidently in complex stakeholder environments.

When Leadership Fails — And How to Fix It

Even the best boards occasionally lose their rhythm. Groupthink sets in. The CEO relationship frays. Performance lags. PwC’s guidance here is pragmatic: act early. Use governance processes such as evaluations, nominating committees, and role clarifications to diagnose and correct the course before a crisis strikes. For future board members, this means understanding that courage is part of the job. You must be willing to speak uncomfortable truths, advocate for leadership transitions, and uphold the board’s fiduciary duty even when it is personally difficult. As one seasoned chair told PwC researchers, “An ounce of prevention is worth a pound of cure.” Effective directors prevent dysfunction through vigilance, not intervention after the fact.

The Final Lesson: Leadership as Legacy

At its core, Effective Board Leadership offers a simple but profound insight: governance is leadership at its highest level. It is about service over status, stewardship over self-interest, and purpose over politics. For those aspiring to board roles, the path forward is clear. Cultivate emotional intelligence, strategic foresight, and moral courage. Learn to listen as well as lead. And above all, remember that the board’s greatest power lies not in authority but in example.

Because great governance, like great leadership, is never accidental. It’s intentional, exacting, and indispensable.

Categories
Blog

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject matter expertise, they must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

Categories
Blog

Cybersecurity Oversight at the Boards

Cybersecurity risk is no longer a back-office IT issue. It is a board-level governance priority, a regulatory compliance challenge, and a reputational minefield. From ransomware attacks to regulatory enforcement actions, the stakes have never been higher. In an article in the Harvard Law School Forum on Corporate Governance, titled “Risk Management and the Board of Directors,” the review focused on the NACD’s 2025 survey. It showed that over three-quarters of boards now discuss the material and financial implications of cyber incidents. While that is progress, awareness alone is not enough.

For compliance professionals, the message is unmistakable: cybersecurity oversight is now a central pillar of governance. In this post, I will explore the evolving regulatory landscape, lessons from enforcement actions, and practical steps compliance teams can take to help boards discharge their responsibilities effectively.

A National Priority with Global Reach

Cybersecurity has moved to the top of national agendas. The Biden Administration’s 2023 National Cybersecurity Strategy set the tone, and the Trump Administration’s 2025 Executive Order reinforced it, emphasizing protections against foreign cyber threats and secure technology practices. But this is not just a U.S. issue. The EU’s GDPR, California’s CCPA, Virginia’s CDPA, and Illinois’s biometric data laws all impose sweeping obligations with high-stakes enforcement. Settlements under Illinois’s biometric privacy law alone have reached into the hundreds of millions.

For compliance professionals, this expanding patchwork of regulation means that cyber oversight cannot be siloed by geography or business unit. Boards must ensure management understands and complies with both domestic and international requirements.

The SEC Steps into the Spotlight

If boards needed any reminder of their cyber responsibilities, the SEC has provided it. In 2023, the SEC finalized disclosure rules requiring companies to report material cyber incidents on Form 8-K within four business days (subject to limited delays approved by the Attorney General). Companies must also disclose in their 10-Ks their processes for identifying and managing cyber risks, the material impacts of prior incidents, and, critically, the board’s role in oversight.

The SEC has coupled disclosure mandates with enforcement actions. From Robinhood in 2025 (failure to implement identity theft protections) to SolarWinds in 2023 (alleged fraud and internal control failures), to Blackbaud’s ransomware misrepresentations and Morgan Stanley’s vendor monitoring failures, the Commission is signaling that cyber lapses are securities law violations. The key takeaway for compliance is that disclosures must be accurate, controls must be effective, and boards must demonstrate active oversight. Anything less may well invite regulatory scrutiny.

DOJ, FTC, and State Regulators Join In

The SEC is not alone. The DOJ has used the False Claims Act to address software vulnerabilities sold to government agencies. The FTC has pursued cases against GoDaddy and other providers for failing to implement adequate protections. The New York Department of Financial Services (NYDFS) has enforced its prescriptive cybersecurity rules since 2019, with actions as recent as August 2025. And globally, regulators like Ireland’s Data Protection Commission have issued blockbuster fines, such as the €530 million penalty against TikTok for unlawful data transfers.

The compliance implication is clear: multi-layered enforcement is now the norm. Cybersecurity and data privacy risks span agencies, jurisdictions, and statutes. Boards must assume that regulators will coordinate, cross-reference, and pursue failures aggressively.

Frameworks That Matter

With enforcement risk high, companies need a structured approach. The National Institute of Standards and Technology (NIST) framework has become the de facto benchmark, with its five core functions: identify, protect, detect, respond, and recover. Both the SEC and FTC endorse it, and boards should expect management to benchmark their programs against it.

At the governance level, the NACD’s Director’s Handbook on Cyber-Risk Oversight and guidance from the Cybersecurity & Infrastructure Security Agency (CISA) provide clear expectations: boards should not manage cyber risk, but they must oversee management’s handling of it.

Lessons from Enforcement Actions

Every enforcement case tells a story, and compliance professionals should use these as teaching tools:

  • Vendor Oversight Matters – Morgan Stanley’s Failure to Monitor Vendors Exposed Data from 15 Million Customers.. Boards must ensure that vendor cyber risk is integrated into their oversight.
  • Accurate Disclosures Are Non-Negotiable – SolarWinds and Blackbaud faced allegations of misrepresentation around breaches. Boards must verify that management’s cyber disclosures are truthful and complete.
  • Controls Must Be Tested – Robinhood’s identity theft control failures remind us that having policies on paper is not enough. Boards should require evidence that controls work in practice.

Practical Steps for Compliance Professionals

So how can compliance officers help boards meet their obligations in this complex cyber landscape? Four steps stand out:

1. Educate and Engage the Board

Boards need ongoing, tailored education on cyber risks. Compliance should arrange regular briefings from CISOs, external experts, and regulators. This ensures directors can ask informed questions and challenge management effectively.

2. Strengthen Incident Response Preparedness

An incident response plan is only as strong as its execution. Compliance must test plans through tabletop exercises, ensure disclosure obligations are understood, and coordinate with law enforcement and advisors. Boards should be briefed on lessons learned after every drill or real incident.

3. Integrate Cyber Risk into Enterprise Risk Management

Cyber risk cannot be isolated from strategy, finance, and operations. Compliance should help boards see cyber threats as part of enterprise risk management, aligned with business goals and resilience planning.

4. Monitor Third-Party and Supply Chain Risk

Vendors, cloud providers, and contractors are often the weak link. Compliance should implement due diligence, ongoing monitoring, and contract requirements that address cyber obligations. Boards should receive visibility into these risks and the company’s mitigation strategies.

Why This Matters for Boards and Compliance

Cybersecurity is not just an IT challenge; it is a governance imperative. Regulators, courts, and investors expect boards to demonstrate active, documented oversight. For compliance professionals, the mandate is to help boards meet that expectation with clarity, structure, and evidence.

The reality is stark that a single breach can devastate a company’s reputation, stock price, and stakeholder trust. But boards that embrace active oversight, guided by compliance professionals, can transform cybersecurity from a vulnerability into a competitive advantage.

Final Thoughts

The cyber landscape is evolving faster than most organizations can keep pace. But boards do not have the luxury of waiting. As recent regulations and enforcement actions demonstrate, oversight failures will be punished, sometimes harshly.

For compliance professionals, this is both a challenge and an opportunity. By educating boards, strengthening incident response, integrating cyber into enterprise risk, and addressing third-party exposures, compliance can elevate its role from policy enforcer to strategic partner.

The bottom line: Cybersecurity oversight is no longer optional. It is the frontline of governance, and compliance professionals are the essential guides helping boards navigate it.