Categories
Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Boards of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. Full AI risk dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required, such as policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable.

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

You asked for a combined dashboard and narrative with 8–10 KPIs. Here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

1. AI Inventory Coverage Rate

Percentage of AI use cases captured in the registry versus estimated footprint.

2. Risk Classification Completion Rate

Percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).

3. Pre-Deployment Review Pass Rate

Percentage of deployments that cleared required testing and approvals on first submission.

4. Model Change Control Compliance

Percentage of model changes executed with documented approvals, testing evidence, and rollback plans.

5. Explainability and Documentation Score

Percentage of in-scope use cases with complete documentation, rationale, and user guidance.

6. Monitoring Coverage

Percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.

7. Issue Closure Velocity

Median days to close AI governance issues, by severity.

8. Internal Audit Coverage and Findings Trend

Number of audits completed, rating distribution, repeat findings, and remediation status.

9. Red Team Findings and Remediation Rate

Number of material vulnerabilities identified and percentage remediated within the target time.

10. Escalations and Incident Rate

Number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.
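The registry fields in Playbook 3 and the KPIs in Playbook 5 only become governable once someone has to compute them from actual rows, and that is where the definitional questions surface: what is the denominator of monitoring coverage (production only, not pilots), what happens to an open red-team finding that has outlived its remediation target (it counts as missed, not as pending), and which registry rows list a key risk with no control mapped to it. The following is an added example, not code from this post or from any particular GRC tool; the field names, the four use cases, the issue records and the footprint estimate of five use cases are all constructed for illustration.

```python
"""Minimal AI registry plus board KPI computation (added example, constructed data)."""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class UseCase:
    """One row of the minimum viable registry: the fields are an assumed schema."""
    name: str
    owner: str
    decision_impact: str               # "advisory" or "automated"
    data_sensitivity: str              # e.g. "internal", "confidential", "PII"
    model_version: str
    status: str                        # "pilot", "production" or "retired"
    risk_tier: Optional[str] = None    # None means not yet risk-classified
    key_risks: list[str] = field(default_factory=list)
    controls: dict[str, list[str]] = field(default_factory=dict)  # risk -> controls
    monitoring_active: bool = False


@dataclass
class Issue:
    """A governance issue or red-team finding; day offsets keep the example offline."""
    use_case: str
    severity: str                      # "high", "medium", "low"
    opened_day: int
    closed_day: Optional[int] = None   # None means still open


def unmapped_risks(uc: UseCase) -> list[str]:
    """Registry hygiene check: key risks on the row with no control mapped to them."""
    return [r for r in uc.key_risks if not uc.controls.get(r)]


def inventory_coverage(registry: list[UseCase], estimated_footprint: int) -> float:
    """KPI 1: registered use cases over the estimated footprint, capped at 1.0."""
    if estimated_footprint <= 0:
        raise ValueError("estimated footprint must be positive")
    return min(len(registry) / estimated_footprint, 1.0)


def classification_completion(registry: list[UseCase]) -> float:
    """KPI 2: fraction of registered use cases that carry a risk tier."""
    if not registry:
        return 0.0
    return sum(uc.risk_tier is not None for uc in registry) / len(registry)


def monitoring_coverage(registry: list[UseCase]) -> float:
    """KPI 6: fraction of production use cases (pilots excluded) with active monitoring."""
    prod = [uc for uc in registry if uc.status == "production"]
    if not prod:
        return 0.0
    return sum(uc.monitoring_active for uc in prod) / len(prod)


def closure_velocity(issues: list[Issue]) -> dict[str, float]:
    """KPI 7: median days-to-close for closed issues, keyed by severity."""
    days: dict[str, list[int]] = {}
    for i in issues:
        if i.closed_day is not None:
            days.setdefault(i.severity, []).append(i.closed_day - i.opened_day)
    return {sev: float(median(d)) for sev, d in days.items()}


def remediation_rate(issues: list[Issue], target_days: int) -> float:
    """KPI 9: fraction of findings closed within target_days; open findings count as missed."""
    if not issues:
        return 0.0
    on_time = sum(1 for i in issues
                  if i.closed_day is not None and i.closed_day - i.opened_day <= target_days)
    return on_time / len(issues)


def board_dashboard(registry: list[UseCase], issues: list[Issue],
                    estimated_footprint: int, target_days: int) -> dict:
    """Assemble the board-level numbers plus the rows that need attention."""
    return {
        "inventory_coverage": inventory_coverage(registry, estimated_footprint),
        "classification_completion": classification_completion(registry),
        "monitoring_coverage": monitoring_coverage(registry),
        "unmapped_risks": {uc.name: unmapped_risks(uc) for uc in registry if unmapped_risks(uc)},
        "issue_closure_days": closure_velocity(issues),
        "remediation_rate": remediation_rate(issues, target_days),
    }


# Constructed sample registry: four use cases, one of them not yet classified.
REGISTRY = [
    UseCase("hotline-triage", "Compliance", "advisory", "PII", "1.3.0", "production",
            risk_tier="high", key_risks=["bias", "privacy"],
            controls={"bias": ["quarterly fairness test"], "privacy": ["DPIA", "access review"]},
            monitoring_active=True),
    UseCase("policy-qa-bot", "Compliance", "advisory", "internal", "0.9.2", "production",
            risk_tier="limited", key_risks=["reliability"]),
    UseCase("vendor-screening", "Procurement", "automated", "confidential", "2.0.0", "pilot",
            key_risks=["bias", "explainability"], controls={"bias": ["pre-deployment test"]}),
    UseCase("legacy-classifier", "Legal", "advisory", "internal", "0.4.0", "retired",
            risk_tier="minimal"),
]

# Constructed sample issues: three closed, one still open past a 30-day target.
ISSUES = [
    Issue("hotline-triage", "high", opened_day=0, closed_day=12),
    Issue("hotline-triage", "high", opened_day=5, closed_day=50),
    Issue("policy-qa-bot", "medium", opened_day=10, closed_day=40),
    Issue("vendor-screening", "high", opened_day=20),
]

if __name__ == "__main__":
    for k, v in board_dashboard(REGISTRY, ISSUES, estimated_footprint=5, target_days=30).items():
        print(f"{k}: {v}")
```

Two design choices carry the governance point. The footprint estimate in KPI 1 is an input the registry cannot produce about itself, so the board should ask how it was derived (discovery scans, procurement records, survey) rather than accept 100% coverage at face value. And the remediation rate deliberately puts open findings in the denominator, so a finding that is simply never closed drags the metric down instead of vanishing from it.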

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and related categories.
  3. Regulatory landscape overview, covering the range of laws and regulatory approaches, including the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and common state law themes.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.


Netflix Acquisition of Warner Brothers: Part 1, Lessons on Board Oversight

I have long been fascinated by non-movie company attempts to break into the film business. I do not know if it is simply the glitz of Hollywood, the glamour of movies, or something else, but history has been littered with attempts by companies as diverse as Gulf & Western and AOL to purchase movie companies. They have almost always ended in unmitigated disaster for the acquirer, with the AOL/Time Warner merger widely viewed as one of the worst mergers of all time.

I was therefore intrigued by the news that Netflix will acquire Warner Bros. This news has sent shockwaves through the entertainment industry and the corporate governance world alike. It is a transformational deal that combines a digital-native streaming powerhouse with one of the most storied legacy studios in American history. For many commentators, the headline is about competition, content libraries, or the future shape of Hollywood. For compliance professionals, the far more important headline is this: governance again reveals itself as the ballast that keeps a company steady when the tides of strategy, technology, and disruption rise together.

Major acquisitions are rarely about the mechanics of financing or the elegance of strategic theory. They are about governance. They test whether the board has the visibility, discipline, controls, and documentation to manage a bet that will define corporate identity for decades. In this sense, the Netflix acquisition of Warner Bros. is a real-time case study for the compliance profession. It shows the growing importance of governance during periods of high-velocity change. It offers essential insights into what compliance teams must do to ensure oversight keeps pace with the moment.

Over the next several days, I will explore the deal from several compliance angles. In today’s Part 1, we look at the role of Board oversight.

The Heightened Governance Duties in Transformational Deals

Transformational deals differ from standard mergers. They cover not only business lines but often entire creative and operational identities. Netflix and Warner Bros. represent two very different eras of entertainment. Netflix is built on a culture of experimentation, transparent metrics, and rapid decision cycles. Warner Bros. carries a century of artistic legacy, union relationships, and long-term production pipelines.

When a board approves a deal that fuses these worlds, its oversight responsibilities increase significantly. The fiduciary duty of care requires directors to ask deeper questions, demand clearer scenario planning, and insist on stronger integration plans. Compliance plays a direct role here. Compliance leaders provide critical insight into risk velocity, regulatory exposure, cultural gaps, and integration vulnerabilities. That input helps the board demonstrate that it conducted a thoughtful and well-documented evaluation rather than relying on rosy projections or strategic rhetoric.

Moreover, regulators and shareholders expect boards to show greater rigor when a company expands its scope so dramatically. Documentation becomes more than an internal process. It serves as evidence that the board asked the right questions, sought independent advice, and understood the potential risks, rather than hoping they would resolve themselves.

Industry Volatility Raises the Oversight Stakes

No sector has experienced more disruption over the past decade than entertainment. Business models shift every few years. Distribution platforms multiply and consolidate. Audience expectations evolve faster than production cycles. At the same time, regulatory frameworks for data privacy, antitrust enforcement, worker protections, and digital rights management continue to expand.

A board overseeing a transformational acquisition in this environment must navigate not only the specifics of the deal but also the broader industry volatility. For compliance professionals, this means building risk models that incorporate shifting regulatory landscapes rather than static obligations. It also means framing governance conversations around future-state risks rather than only current compliance requirements.

For instance, combining Netflix’s content libraries and datasets with Warner Bros.’ creates new privacy, antitrust, and market-dominance considerations. These issues are not theoretical. They will sit at the center of regulatory reviews. Compliance teams must therefore ensure that the board has a complete picture of emerging risks in addition to traditional acquisition-related obligations.

Legacy Obligations and Integration Complexity

Warner Bros. carries decades of legacy obligations: union agreements, talent contracts, residual structures, intellectual property commitments, and international distribution deals. Netflix brings a leaner structure but a highly complex ecosystem of global partnerships, digital rights frameworks, and data-driven production strategies.

Where these systems collide, governance risk increases. The board must understand whether integration plans can reconcile the two companies without creating blind spots. Compliance professionals should guide directors through the implications of merging contract systems, production pipelines, distribution frameworks, and content governance models.

A critical governance question is whether the two companies are aligned on their risk tolerances. Netflix has historically embraced rapid iteration and decision agility. Warner Bros. has traditionally embraced predictability rooted in long-standing industry practices. When these two philosophies meet, the board must ensure that the resulting enterprise neither undermines internal controls nor sacrifices necessary governance discipline in the name of speed.

What Regulators, Investors, and Stakeholders Expect

Regulatory expectations are rising across sectors, but particularly in media and technology. When a company expands both content ownership and distribution control, regulators begin to view governance structures as an essential element of market integrity.

Stakeholders will expect the board to have:

  1. Clear documentation of risk assessments;
  2. A detailed integration roadmap;
  3. Independent reviews of operational, cultural, and compliance risks;
  4. Transparent reporting structures that ensure accountability; and
  5. Regular updates on integration progress and risk mitigation.

For compliance professionals, this means preparing governance materials early, establishing a consolidated risk register, and ensuring that directors have access to complete and timely information. Investors will also demand visibility into how risks are evaluated and mitigated, particularly given the significant financial stakes. Compliance leaders must therefore integrate governance reporting into their communication strategy to ensure the board is fully supported in its oversight responsibilities.

How Compliance Shapes Integration Decision-Making

Compliance often gains more responsibility during acquisitions, but the Netflix–Warner Brothers deal highlights a deeper truth. Compliance is no longer a downstream function. It is a front-end strategic voice that helps define the success of integration.

During the first year post-acquisition, compliance must lead or co-lead several critical processes:

  • Harmonization of codes of conduct;
  • Rationalization of policies and procedures;
  • Alignment of reporting channels and speak-up systems;
  • Integration of third-party risk management;
  • Data governance and privacy harmonization; and
  • Internal control updates that reflect new operations.

Boards depend heavily on compliance to ensure that these systems are well designed and monitored. Without strong compliance leadership, integration risks multiply, and the transaction’s strategic goals begin to erode.

Strengthening Governance Protocols During High-Velocity Change

Given the scale of this deal, compliance professionals should view governance as a dynamic system rather than a static structure. The following actions can help support the board throughout the acquisition and integration period:

  1. Produce frequent, concise risk summaries tailored for directors.
  2. Encourage the board to test assumptions through independent validation.
  3. Establish a cross-functional governance working group that includes compliance, legal, HR, finance, and integration management.
  4. Prioritize early detection of cultural friction points.
  5. Maintain meticulous documentation of board engagement, decisions, and follow-up actions.

Governance is most valuable when it is forward-looking, actionable, and transparent. This deal demands that level of rigor.

The Compliance Lesson

The Netflix acquisition of Warner Bros. illustrates a simple but powerful truth: governance is not a corporate formality. It is the anchor that prevents strategic ambition from becoming strategic exposure. For compliance professionals, the mandate is clear. Build governance systems that give directors clarity, give regulators confidence, and give the enterprise the stability it needs to navigate a rapidly changing industry.

The acquisition is a strategic announcement. The governance behind it is the actual risk management.

Join us tomorrow in Part 2, where we will consider the potential culture clash.


Building a Compliance Playbook for AI: Board-Level Lessons in Cybersecurity Oversight

Artificial intelligence (AI) has been heralded as one of the most transformative technologies of our time. It promises efficiency, productivity, and entirely new business models. Yet, as with any tool of such power, AI is both a friend and a foe. For corporate directors, compliance officers, and risk professionals, AI presents a dual challenge: leveraging its defensive strengths while preparing for its potential weaponization by malicious actors.

The National Association of Corporate Directors (NACD), in partnership with the Internet Security Alliance (ISA), has released a special supplement to its Directors’ Handbook on Cyber-Risk Oversight devoted entirely to AI in cybersecurity. It is a timely publication. Adoption is soaring: 72% of companies were already using AI in 2024, and the risks are accelerating just as fast. For the compliance community, the report provides a roadmap for oversight, governance, and practical questions boards must ask management.

AI as Both Force Multiplier and Risk Multiplier

On one side of the ledger, AI enhances cybersecurity by automating threat detection, reducing false positives, identifying malware, and analyzing oceans of log data. Used wisely, AI allows companies to “get ahead of theft”. This includes identifying vulnerabilities before criminals exploit them. Generative AI and large language models (LLMs), in particular, can speed detection, enrich threat indicators, and even suggest remediation steps.

However, these same capabilities are available to cybercriminals. AI lowers the barrier of entry for less sophisticated hackers, turbocharges phishing and social engineering campaigns, and allows nation-states to refine cyberattacks at scale. This duality makes AI unique: it amplifies both opportunity and risk simultaneously.

Oversight Imperatives for Boards

The handbook identifies four key imperatives for boards responsible for overseeing AI and cybersecurity.

1. Director Education – Boards must commit to continuous learning about AI’s risks, benefits, and regulatory developments. Few leaders yet possess the technical grounding needed to appreciate AI’s implications.

2. Threat and Opportunity Awareness – Directors must understand not just the dangers but also the strategic benefits AI can bring.

3. Regulation and Disclosure – Boards must anticipate evolving rules and disclosure obligations. AI oversight will require the same level of rigor as financial and ESG reporting.

4. Board Readiness – Boards must ensure management builds governance structures, ethical use frameworks, and clear communication channels about AI’s role.

Compliance Lessons from the NACD AI in Cybersecurity Handbook

1. Third-Party and Supply Chain Risk Will Intensify

Boards are advised to scrutinize vendors’ AI tools and data sources. As the handbook emphasizes, AI models can be trained on data with questionable provenance, intellectual property, personally identifiable information, or even classified information. Using such models can expose organizations to liability. For compliance professionals, this means conducting enhanced due diligence on third-party AI systems. Ask vendors how they source training data, what models they use, and whether they have human oversight mechanisms in place to ensure quality. AI risk is now a key component of supply chain risk.

2. Transparency Is a Non-Negotiable

AI systems often function as “black boxes.” Their lack of explainability poses reputational and legal risks when decisions cannot be justified. Boards are urged to push for transparency in AI deployment, both internally and in customer-facing applications. For compliance professionals, this means incorporating explainability into your AI governance framework. Require documentation of training data, decision-making logic, and model limitations. If regulators ask, you must be able to demonstrate your homework.

3. Continuous Monitoring Is the New Standard

As highlighted in the AI Seven-Step Governance Program, AI oversight requires more than pre-deployment testing. Continuous monitoring, auditing, and retraining must occur throughout the lifecycle of AI tools to ensure their effective use. For the compliance professional, this means your program must move beyond “check-the-box” vendor certifications. Build ongoing monitoring and assurance processes. Think of AI oversight as dynamic, not static.

4. Regulation Will Come Fast and Furious

The NACD warns that while regulators often lag innovation by three to five years, the window for AI is already shortening. Boards relying on a “wait and see” approach will find themselves overwhelmed when rules arrive. Clearly, the compliance function must do more than wait for the regulators. Even if the US government were inclined to act, the political will needed to agree on comprehensive federal rules may not exist. This means you should align your approach today with emerging frameworks, such as the EU AI Act, the NIST AI Risk Management Framework, and OECD principles. Position your company to demonstrate proactive governance.

5. Disclosure Expectations Will Rise

AI adoption carries disclosure obligations across transparency, risk assessment, and incident reporting. Boards must assume that regulators and investors alike will demand clear, timely disclosure of AI-related incidents and governance practices. Compliance must lead the way in your corporation to build AI into your disclosure controls and procedures now. Ensure incidents involving AI failures are reported with the same rigor as material cybersecurity breaches.

6. The Board Must Get Educated—and Fast

The handbook emphasizes director education. Boards that lack AI fluency will struggle to provide proper oversight. Worse, they may overestimate management’s ability to mitigate AI risks. You should encourage board training through NACD, Carnegie Mellon’s CERT program, or trusted third-party advisors. Education is no longer optional; it may well become a fiduciary duty.

7. Governance Structures Must Evolve

Some companies are considering dedicated AI committees, while others integrate AI oversight into existing audit or risk committees. Either way, boards need clear lines of accountability. The questions boards should be asking management are listed extensively in the handbook, including:

  • How are competitors using AI?
  • Do we need a Chief AI Officer?
  • What is our exposure if adversaries use AI against us?
  • Have we segregated training data to know its provenance?
  • Are our policies aligned with the EU AI Act’s risk classifications?

Start these conversations today. Board agendas must include AI oversight as a recurring topic.

Building a Compliance Playbook for AI

The compliance professional can translate the NACD’s recommendations into a practical playbook for your program, incorporating the following key concepts.

  • Embed AI governance early – Don’t bolt compliance onto AI projects after the fact. Integrate governance into design and procurement stages.
  • Adopt a human-centered AI approach – Ensure AI is aligned with corporate values and ethical principles, not just efficiency goals.
  • Use risk quantification – Treat AI risk like any other enterprise risk: quantify, compare, and integrate into ERM frameworks.
  • Demand accountability – Require clear responsibility for AI oversight, whether it sits with the Chief Compliance Officer, CIO, or a new Chief AI Officer role.
  • Engage regulators early – Use disclosure and transparency as tools to build trust with regulators and stakeholders.

The Handbook makes clear that AI in cybersecurity is not just a technology issue. It is an enterprise risk, a boardroom issue, and a compliance mandate. For compliance professionals, this means you must step into the AI oversight conversation.

As with the FCPA decades ago, regulators and stakeholders will expect companies to transition from a reactive to a proactive approach. The time to build frameworks, train directors, and embed oversight is now. AI, like every disruptive technology before it, will reward the prepared and punish the complacent. Compliance professionals are uniquely positioned to bridge the technical and governance divide. By applying lessons from the NACD handbook, we can ensure that AI becomes not just a tool for criminals but a force multiplier for integrity, trust, and resilience in the digital age.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Why Compliance Professionals Should Not Overlook Board Oversight

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with concise, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this 5-part series, we will consider several questions about compliance officers working with or on the Board. Today, we begin with a look at why compliance officers need to embrace Board Oversight.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.


Board Week, Part 1: Governance Matters – Why Compliance Professionals Should Not Overlook Board Oversight

In the world of corporate governance, certain responsibilities of boards of directors are well understood. Boards are expected to oversee management, safeguard shareholder interests, and set a company’s long-term strategic direction. But one of the most overlooked aspects of board governance—at least in the day-to-day discussions of compliance professionals—is the degree of oversight that boards themselves receive. A recent article in the Harvard Law School Forum on Corporate Governance, entitled “Governance Matters, Don’t Overlook Board Oversight,” addressed this issue. I have used it as a starting point to explore the role of a compliance professional in Board oversight.

Too often, boards operate with a degree of insulation, shielded by tradition or by the assumption that their strategic decisions are unassailable. Yet as the recent research and findings by AllianceBernstein highlight, board oversight is not only critical but also directly correlated with corporate performance. Put simply, effective boards create more value; ineffective boards destroy it. And this is where compliance professionals must bring their focus.

If you are a compliance officer, general counsel, or governance leader, you cannot afford to treat the board as outside your scope of influence. In fact, the oversight of boards, particularly through director elections and ongoing accountability mechanisms, is where compliance intersects most directly with corporate governance and shareholder value.

The Power of Director Elections

Shareholder proposals and debates over executive compensation often dominate the headlines of the proxy season. Yet the real power lies in director elections. Voting for or against directors, especially those who chair key committees such as governance, compensation, or audit, is the single strongest way investors hold boards accountable.

In the 2024 proxy season, directors who chaired their nominating and governance committees received 5% more dissenting votes than their peers. This statistic is telling. Investors are no longer content to observe board performance passively; they are sending direct messages when governance is misaligned or oversight is ineffective.

For compliance professionals, this matters because director elections can be used as a form of leverage. They are a barometer of investor confidence in the board’s ability to manage risk, oversee strategy, and deliver long-term value. If investors are expressing dissent, compliance leaders should view this as an opportunity to engage with both the board and management about governance improvements.

Effective Boards Drive Better Performance

The AllianceBernstein findings are clear: companies with boards deemed “effective” by director election outcomes consistently deliver stronger stock returns than those with underperforming boards. The article notes that U.S. companies whose boards received full investor support showed an annualized average total return of 12.8% between 2018 and mid-2025. By contrast, companies where multiple directors were opposed delivered a paltry 1.2% median return.

This is not a coincidence. Effective boards ask the right questions, challenge management when necessary, and ensure alignment between corporate strategy and the interests of shareholders. Ineffective boards rubber-stamp poor decisions, fail to check management excesses, and ultimately allow risks, whether operational, financial, or cultural, to metastasize. Compliance professionals should take note: the effectiveness of your board is not just a governance issue; it is also a compliance and risk management issue.

What Makes a Board Effective?

What separates effective boards from ineffective ones? According to the research, three factors are most important: composition, structure, and actions.

  • Composition: High-quality boards are majority-independent, diverse in skills and backgrounds, and free from chronic attendance issues or overcommitments. A board packed with insiders or directors stretched too thin across other boards is a recipe for groupthink and poor oversight.
  • Structure: Strong boards have formal committees, majority-vote standards, and annual elections of directors. These structural mechanisms ensure accountability and prevent entrenchment.
  • Actions: Ultimately, boards must prove their effectiveness through their behavior—aligning executive pay with performance, ensuring disciplined capital allocation, and actively engaging with shareholders.

This framework is highly relevant for compliance professionals. For instance, when conducting governance risk assessments, evaluating board composition and independence should be part of the exercise. Likewise, compliance leaders can advocate for structural safeguards, such as mandatory annual elections, as part of governance reforms.

Case Study: Oversight Failures at a Major U.S. Bank

The research cites a major U.S. bank where historical governance failures, ranging from fraud and risk management breakdowns to workplace misconduct, were tied directly to board shortcomings. For years, these issues went unchecked, undermining trust and shareholder value.

AllianceBernstein engaged in a multiyear dialogue with the bank’s board and senior leaders, consistently voting against relevant directors until changes were made. Over time, this pressure led the bank to implement improved oversight mechanisms and make management incentives more accountable.

For compliance professionals, the lesson is clear: governance failures at the board level often cascade into compliance risks throughout the entire organization. Weak boards allow cultural rot to take hold. Strong boards reinforce accountability and create an environment where compliance programs can thrive.

Lessons for Compliance Professionals

What does all this mean for those of us in the compliance profession? I see five clear lessons:

  1. Board Oversight Is Part of Compliance Oversight. Compliance programs cannot exist in a vacuum. They are only as strong as the board that oversees them. If a board is disengaged, conflicted, or ineffective, compliance initiatives will falter.
  2. Use Data to Evaluate Governance Risks. Just as compliance uses data analytics to detect fraud or waste, governance effectiveness can be monitored through director election outcomes, shareholder dissent levels, and engagement activity. These are risk indicators for board oversight.
  3. Engage with Investors as Allies. Investors are increasingly using their voting power to hold boards accountable. Compliance professionals should view this as an opportunity to align governance reforms with investor expectations.
  4. Advocate for Structural Safeguards. Push for board practices such as annual elections, majority-vote standards, and the recruitment of diverse directors. These mechanisms prevent stagnation and strengthen oversight.
  5. Link Culture to Governance. A board that tolerates poor oversight also tolerates poor culture. Compliance professionals should emphasize that governance effectiveness is not just about strategy; it is about setting the cultural tone for the entire organization.

Keep Your Eye on the Board

As the authors conclude, investors and stakeholders should ask one simple question: Is the board delivering for shareholders? Disappointing boards often yield disappointing results. Boards that earn full investor confidence, by contrast, consistently outperform.

For compliance professionals, this insight is invaluable. Governance effectiveness is not a secondary issue; rather, it is central to the organization’s resilience and performance. Director elections may not grab headlines, but they are where the battle for governance accountability is truly fought.

Boards perform best when they know investors, employees, and compliance leaders are watching. When compliance functions collaborate with shareholders and regulators to demand accountability at the board level, organizations are stronger, cultures are healthier, and risks are mitigated.

Elevating Compliance Through Governance Oversight

Effective boards drive better corporate performance, safeguard shareholder interests, and provide the necessary oversight to ensure management accountability. Ineffective boards, by contrast, create fertile ground for governance failures, compliance breaches, and cultural erosion.

For compliance professionals, this means that governance oversight must be viewed as part of the compliance mandate. Compliance is not simply about monitoring transactions or training employees; it is about ensuring that the board itself is fit for purpose. By applying the same rigor we bring to anti-corruption or fraud prevention to board governance, we elevate the compliance function into a true partner in corporate value creation.

Director elections are a powerful mechanism for accountability. But they are only the beginning. Compliance leaders should engage proactively with investors, advocate for robust board structures, and ensure cultural alignment from the top.

In today’s environment of heightened scrutiny, where investors demand stewardship and regulators demand accountability, compliance professionals have a unique opportunity. By stepping into the governance conversation and making board oversight part of the compliance agenda, we can help build organizations that are not only compliant but resilient, trusted, and positioned for long-term success.

That is the mandate for the modern compliance professional.

Categories
Compliance Into the Weeds

Compliance into the Weeds: What Are Boards Doing About AI (Hint: Not Much)

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt look into corporate reports on their Boards’ oversight of AI.

As the world ventures deeper into the age of artificial intelligence (AI), the issue of corporate governance over AI is emerging as a crucial point of discussion. Tech giants such as Google are facing demands for more board-level attention to AI risk management due to concerns about the lack of transparency and oversight.

Tom highlights this lack of detailed consideration of AI at the board level, raising doubts about whether boards are suitably prepared for AI’s rapid development and potential enforcement risks. His concerns are rooted in limited mentions of AI in proxy statements of S&P 500 companies, suggesting current practices might not be sufficient for the future.

Meanwhile, Matt emphasizes the need for boards to start considering staffing, expertise, and risk management related to AI without necessarily forming dedicated AI committees at present. Matt Kelly’s concerns stem from the lack of detail in proxy statements about what boards are currently doing with AI, especially in tech-heavy companies like Google, which points to the potential need for dedicated committees or sub-specializations in the future.

Key Highlights:

  • AI Risk Management: Tech vs. Non-Tech Perspectives
  • Enhancing Corporate Governance Through AI Oversight
  • Technology Risk Oversight in Evolving Companies
  • AI Oversight for Corporate Boards: Future Risks

Resources:

Matt on Radical Compliance


Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Board Governance and Risk Oversight

One of the ongoing questions from members of the Board of Directors is how to resolve the tension between oversight and management. I recently had the opportunity to visit with Joe Howell, former Executive Vice President (EVP) of Workiva, Inc., on this subject. Howell has worked on and with Boards of Directors at various companies, and I wanted to garner his understanding of the role of a Board, senior management, and a Chief Compliance Officer (CCO). Howell’s short response was an excellent starting point for understanding the role: put sand in management’s shoes.

The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong,” can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer is putting a little bit of sand in the shoe to make sure you’re thinking about things carefully can cause you to step back and focus your resources where they’re needed.”

Howell noted that the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “One perfect example is the reputation of those stakeholders involved in the company, and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell stated, “It’s essential as we go through some ways the Board can help management in that role. I think the things that make a difference to management is when the Board can be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their underlying assumptions and biases.”

A Board is more than just there to be a rubber stamp for senior management. It must exercise independent judgment, action, and oversight. Further, it is the Board’s role to ask hard, difficult, and probing questions to ensure management is doing its job and has considered other risk possibilities.

Three Key Takeaways:

  1. Boards should force management to open up the company to itself.
  2. Boards should be a grain of sand in the shoe of management.
  3. Boards should ensure senior management is aware of and planning for known and unknown risks.

Categories
Innovation in Compliance

Entrepreneurship and Risk Management with Adrienne Bellehumeur

Tom Fox’s guest in this episode of Innovation in Compliance is Adrienne Bellehumeur. They discuss the significance of gap analysis in the design of internal controls, and why a thorough understanding of design is critical to the success of gap analysis. They emphasize the importance of continuous improvement and of avoiding a “pass-fail” approach to internal control programs. Adrienne also shares her five principles for creating high-value compliance programs.

Adrienne Bellehumeur is the Director and Co-owner of Risk Oversight, a firm specializing in internal controls, internal audit, and compliance programs. She has written a book called The 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation, which is set to be published on March 7th and is geared towards managers who are seeking solutions through documentation. This book aims to provide a fun and foundational approach to documentation for the modern knowledge workforce and is the first mass-market book on documentation best practices.


Some of the key points discussed during the show include:

  • Adrienne’s background and current role at her company, Risk Oversight, which specializes in delivering services to mid-sized oil and gas companies in the engineering sectors.
  • The purpose of gap analysis is to identify areas for improvement in processes and controls to support operational effectiveness.
  • Adrienne’s belief that internal controls should focus on good habits, accountability, and continuous improvement rather than just ticking boxes.
  • How Risk Oversight helps companies fulfill their obligation of oversight by providing entity-level control review and understanding best practices in governance.
  • The two best practices for board minutes, the “Goldilocks principle” and the “business judgment rule.”
  • The Caremark doctrine in Delaware and the importance of documentation of major risk management decisions.
  • Adrienne’s book The 24-Hour Rule, which is a mass-market book on documentation aimed at managers looking to solve problems through documentation and is applicable to various industries.


KEY QUOTATION:

“Risk management is about action.” – Adrienne Bellehumeur 


Resources 

Adrienne Bellehumeur | LinkedIn | Twitter 

Risk Oversight

The 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation

Categories
This Week in FCPA

Episode 299 – the Yankees Cheated and Lost edition

The Yankees cheated and lost. The Astros and Red Sox cheated and won. What’s the lesson? Tom and Jay are back to look at some of the week’s top compliance and ethics stories.

Stories

  1. More on using behavioral psych to make compliance changes. Vera Cherepanova in the FCPA Blog.
  2. Tackling money-laundering in real estate transactions? Ella Hawkins in GAB.
  3. Archegos founder indicted for fraud. Jaclyn Jaeger in Compliance Week. (sub req’d)
  4. Testing culture. Dylan Tokar in WSJ Risk and Compliance Journal.
  5. Renewed need for Board oversight of compliance. Mike Peregrine in CCI.
  6. Economic sanctions now national security issue. Dylan Tokar in WSJ Risk and Compliance Journal.
  7. Why compliance is a competitive advantage. Navex’s Risk and Compliance Matters.
  8. Toll Holdings and export control compliance failures? Matt Kelly in Radical Compliance.
  9. Boards making decisions under a stakeholder model. Robert Miller in Harvard Law School Forum on Corporate Governance.
  10. What to measure in DEI. Ngozi Okeh in practicalESG.

Podcasts and More

  1. How can baking cookies get you through grief? Find out on this episode of The Hill Country Podcast as Kerrville Cookie Lady Julia Cardoshinsky talks about her lifelong love affair with baking cookies.
  2. What is the only podcast dedicated to the intersection of Compliance and ESG? It’s the Compliance ESG Podcast on the CPN. Check out this week’s episode with Travis Miller and Jared Connors of Assent Compliance on the role of Supply Chain in ESG. For your added viewing pleasure, check out the video pod on YouTube.
  3. This month on the Compliance Life, I visit with Susan Divers, Director of Thought Leadership at LRN. In Part 1, academic life and early professional career. In Part 2, she moves to the corporate world. In Part 3, Susan moves into the CCO chairs at AECOM. In the final episode this month, Part 4, Susan details her move to and work at LRN.
  4. Why should you attend Compliance Week 2022? Find out in this podcast series featuring speakers at CW 2022. Listeners get a $200 discount to CW 2022 with the discount code TFLAW $200 OFF. Registration and agenda here.
  5. From the Editor’s Desk welcomes the new Compliance Editor in Chief, Kyle Brasseur to the podcast. Check out Kyle’s inaugural episode here.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Categories
Adventures in Compliance

The Creeping Man and Risk Management by the Board

We are back with another podcast on Adventures in Compliance, where we consider the intersection of Sherlock Holmes and Compliance. Today, I visit The Adventure of the Creeping Man. From this story we take the Holmes utterance to Watson “Come at once if convenient—if inconvenient come all the same”. This informs today’s discussion of how Boards of Directors can be more involved in compliance through more effective oversight of risk management.

Compliance Takeaways

  1. What is the role of a company’s Board in a compliance program? A Board should not engage in management but should engage in oversight of the Chief Compliance Officer. The Board does this through asking hard questions, particularly around risk assessment, risk identification and risk management.
  2. What are 6 principles for Board oversight of compliance?
     A. Define the Board’s role.
     B. Foster a culture of compliance risk management.
     C. Incorporate risk management directly into a compliance strategy.
     D. Define the company’s appetite for risk around compliance.
     E. Execute the compliance risk management process.
     F. Benchmark and evaluate the compliance process.
  3. CCO reporting to the Audit/Compliance Committee must be structured carefully to promote ethics and compliance. Here are five best practices to help guide the reporting.
     a. Quarterly reports.
     b. Executive session.
     c. Sitting in on other reports.
     d. Informal relationship.
     e. Annual report to full board.

Join us tomorrow as we mine the story of The Lion’s Mane for its compliance lessons.