Categories
Blog

When Employees Are Drowning in Compliance Change

Compliance professionals know the drill. A new policy is issued. A new training module goes live. A new third-party platform is rolled out. A new AI use standard is announced. A new M&A integration plan hits the field. A new sanctions update requires immediate attention. Each initiative may be defensible on its own. Taken together, they can overwhelm the very employees the compliance program depends upon.

That is the central compliance lesson from David Grossman’s MIT Sloan Management Review article, “When Employees Are Drowning in Change.” Grossman argues that effective leaders do not simply manage change; they manage how people experience change. His article identifies three disciplines that matter: make dialogue nonnegotiable, align leaders around a shared change narrative, and sequence change with employee capacity in mind. For compliance professionals, this is not merely a communications issue. It is a program effectiveness issue.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks three core questions: Is the program well designed? Is it adequately resourced and empowered? Does it work in practice? The DOJ also makes clear that prosecutors look at whether compliance policies, training, reporting lines, incentives, discipline, and controls are integrated into the company’s operations and workforce. That means a compliance change that employees cannot absorb is not fully implemented. It may exist in a slide deck, an LMS platform, a policy portal, or a board report. But if it does not change behavior, it is not yet operating as a control.

Compliance Fatigue Is a Real Risk

Compliance professionals often think about risk in categories: anti-corruption, sanctions, fraud, conflicts, privacy, cybersecurity, antitrust, money laundering, books and records, and now AI governance. Employees do not experience risk in neat categories. They experience messages, requirements, approvals, certifications, controls, deadlines, and consequences.

That distinction matters. A sales manager may receive anti-bribery training, a gifts-and-hospitality update, a new distributor due diligence process, a revised approval matrix, an AI acceptable use notice, and a speak-up campaign in the same quarter. Compliance may see six separate risk-based initiatives. The employee sees a wall of instructions.

When that happens, the program creates noise. Employees may technically complete training but not internalize it. They may certify to policies but not understand how to apply them. They may attend a town hall but not know what has changed in their daily work. Worse, they may stop asking questions because the system feels too heavy to navigate. That is where Grossman’s change management lessons become directly relevant to the Chief Compliance Officer and the compliance team.

Make Dialogue a Compliance Control

The first discipline is dialogue. In compliance, dialogue should not be treated as a courtesy or a soft engagement tool. It is a control input.

The ECCP asks whether training and communications are tailored to the audience’s size, sophistication, subject matter expertise, needs, interests, and values. It also asks whether employees can ask questions arising out of training and whether the company measures training effectiveness, engagement, learning, and behavioral impact. This is a direct invitation for compliance teams to move beyond “push” communications. A one-way compliance rollout looks like this: publish the policy, assign the training, send three reminder emails, track completion, and report 98% completion to leadership.

A better model looks like this: identify the affected employee groups, ask where the new requirement will create friction, test the message with managers, build scenarios from real operational issues, provide a practical decision tool, hold short Q&A sessions, track questions and exceptions, and adjust the rollout based on what employees tell you.

Dialogue also requires closing the loop. When employees raise concerns about a new control, compliance does not have to accept every suggestion. But it should explain what it heard, what it changed, and what it could not change. Silence breeds skepticism. In compliance, skepticism becomes a workaround.

Build One Compliance Change Narrative

Grossman’s second discipline is alignment around a shared change narrative. This may be the most underused tool in the compliance function. Compliance teams frequently communicate in fragments. Legal explains the law. Compliance explains the policy. Internal audit explains control gaps. HR explains discipline. IT explains system access. Procurement explains third-party onboarding. Finance explains approval requirements. Each message may be accurate. Together, they may feel disconnected.

A compliance change narrative answers four practical questions:

  • Where have we been?
  • Where are we today?
  • Where are we going?
  • What must employees do differently?

For example, an AI governance rollout should not begin with a policy citation. It should begin with the business reality: employees are already using AI tools; the company wants innovation; customer and confidential information must be protected; decisions must remain accountable; and the company needs a consistent control framework. Then the compliance team can explain the required behavior: approved tools, prohibited uses, human review, data restrictions, escalation points, and monitoring.

This is also where middle management becomes essential. The DOJ expects senior leaders to communicate ethical standards clearly and demonstrate adherence by example. It also asks how middle management reinforces those standards and encourages employees to abide by them. In practice, employees often take their cues not from the CCO but from their direct supervisor. If the supervisor treats a new compliance requirement as administrative noise, the employee will do the same. Before any significant program change, compliance should align leaders on the story. Not a script. A shared narrative. What risk are we addressing? Why now? What will be easier? What will be harder? What support will employees receive? What does good look like?

Sequence Change With Capacity in Mind

The third discipline is sequencing. This is where compliance teams can create immediate business value. Grossman’s article notes that organizations often fail not because they are doing too much, but because they are doing too much at the same time without discipline. Compliance is vulnerable to this problem because every risk owner believes their initiative is urgent. The answer is not to do less compliance. The answer is to sequence compliance change with the same rigor applied to capital projects, technology rollouts, or major business transformations.

A mature compliance function should maintain a compliance change calendar. It should show what is hitting which employee population, when, and why. It should identify collision points. It should distinguish regulatory deadlines from preferred deadlines. It should flag high-risk groups that are already carrying heavy control burdens, such as sales, procurement, finance, logistics, government affairs, and third-party management teams.

The ECCP supports this risk-based discipline. Prosecutors ask whether the company deploys compliance resources in a risk-based manner, whether risk assessments are current, and whether updates to policies, procedures, and controls reflect lessons learned and evolving risks. Sequencing is part of that risk-based resource allocation. It is how compliance protects both the business and the control environment.

This is especially important in M&A integration. After closing, compliance must integrate codes, policies, hotline access, third-party controls, financial controls, training, investigation protocols, and audit plans. The DOJ specifically asks about the post-transaction compliance program, compliance oversight of the new business, incorporation into risk assessments, and post-acquisition audits. If compliance imposes all requirements on the acquired business at once, it may create both formal coverage and practical confusion. A sequenced plan gives employees a path from old expectations to new standards.

Measure Whether the Change Landed

Completion rates are not enough. Certifications are not enough. Attendance is not enough. The ECCP asks whether the program works in practice, whether it evolves, whether the company uses data to assess the program’s effectiveness, and whether it measures culture and seeks input from all levels of the organization. That means compliance change management must be measurable.

For training and communication, useful measures include questions asked, policy search data, guidance requests, hotline and speak-up trends, control exceptions, approval delays, audit findings, investigation themes, manager feedback, and pulse survey results. The issue is not simply whether employees received the message. The issue is whether they understood it, trusted it, and used it.

This is the practical bridge between Grossman’s article and the ECCP. Change management is not separate from the effectiveness of the compliance program. It is how effectiveness is achieved.

Practical Takeaways

  1. Create a compliance change inventory. List every major policy, training, system, control, campaign, certification, and reporting change scheduled for the next two quarters.
  2. Map the impact by employee group. Identify who is being asked to absorb the most change and whether those employees sit in high-risk roles.
  3. Require a change narrative for every significant rollout. The narrative should explain the risk, the business rationale, the required behavior, and the available support.
  4. Build dialogue into the process. Use listening sessions, manager huddles, Q&A channels, post-training feedback, and office hours. Then close the loop.
  5. Sequence based on risk and capacity. Not every compliance initiative can be first. Prioritize what is legally required, what addresses the highest risk, and what enables other controls to work.
  6. Measure behavior, not just delivery. Report to leadership on whether the change landed in the business, not merely whether the email was sent or the training was completed.

The compliance lesson is clear. Employees do not fail to follow compliance programs only because they lack information. Sometimes they fail because the organization has given them too much change, too little context, and no practical path to execution. A better compliance program does not simply say more. It listens better, aligns better, sequences better, and measures whether the business can actually do what compliance has asked.


Full-Court Compliance: What the Knicks’ Championship Teaches CCOs About Winning the Right Way

Although they were later surpassed by the Michael Jordan Bulls and by the back-to-back NBA champs, my (then) hometown heroes, the Houston Rockets, my favorite NBA team from my teen years was the two-time NBA champs, the New York Knicks. I can still name the starting lineup from the 70-71 champs (Walt Frazier, Dick Barnett, Dave DeBusschere, Bill Bradley, and Willis Reed). So, while I live down the road from San Antonio, I was one of the very few people in Kerrville, TX, rooting for the Knicks.

Today, the New York Knicks are NBA champions for the first time since the 1972-73 season, and for compliance professionals, the story is more than basketball. It is a case study in governance, risk appetite, culture, talent strategy, controls, remediation, and execution under pressure. As reported by ESPN, New York defeated the San Antonio Spurs in five games to win its first NBA championship in 53 years, with Jalen Brunson scoring 45 points in the closeout Game 5 and earning Finals MVP honors.

The scoreboard tells the story of a team that operated under pressure:

Game                    Score
Game 1 at San Antonio   Knicks 105, Spurs 95
Game 2 at San Antonio   Knicks 105, Spurs 104
Game 3 at New York      Spurs 115, Knicks 111
Game 4 at New York      Knicks 107, Spurs 106
Game 5 at San Antonio   Knicks 94, Spurs 90

ESPN’s Finals matchup summary listed the Knicks as the 4-1 series winners, based on those five-game results.

For CCOs, the championship lesson starts with roster construction. Leon Rose, the Knicks’ president of basketball operations and chief roster architect, did not build this team by chasing headlines. He built it the way an effective CCO builds a compliance program: with a clear risk assessment, disciplined resource allocation, cultural fit, control remediation, and continuous monitoring.

Start with Jalen Brunson. The Knicks acquired Brunson through free agency in 2022, and NBA.com described him as the central acquisition in Rose’s rebuild. Brunson later agreed to a below-market extension, which gave the organization flexibility to retain and add other players. That is a compliance principle in the form of basketball. You do not spend all your capital on one control and leave no budget for investigations, training, data analytics, third-party management, and monitoring. Brunson was the control owner, but the program still needed a full system around him.

Then came the risk-based gap analysis. Rose did not simply ask, “Who is available?” He asked the compliance equivalent of, “What risk remains unmitigated?” The answer was size, defense, positional versatility, rebounding, and playoff resilience. Karl-Anthony Towns arrived through a 2024 three-team trade with Minnesota, giving the Knicks elite frontcourt skill and passing. OG Anunoby came from Toronto in 2023 because the Knicks needed a high-end defender who could handle elite wings and still contribute offensively. Mikal Bridges came from Brooklyn in 2024 as a multi-position wing who could defend and shoot. Josh Hart arrived in a 2023 trade with Portland, bringing toughness, energy, leadership, and the intangible glue that every good system requires.

That is how a compliance officer should think about program design. Policies alone are not enough. Training alone is not enough. Hotline data alone is not enough. A championship compliance program needs anti-corruption controls, third-party due diligence, internal accounting controls, sanctions screening, speak-up culture, investigation protocols, data testing, and board reporting. Each element has a role. Each element covers a gap. Each element must work under stress.

The Knicks also demonstrated the value of cultural due diligence. Brunson, Bridges, and Hart carried a Villanova connection, but the lesson is not nostalgia. The lesson is known performance under known pressure. Rose understood that talent without fit is a control failure waiting to happen. Compliance leaders understand this point well. A technically gifted executive who rejects controls, bypasses procurement, bullies internal audit, or treats legal review as an obstacle is not a high performer. That executive is a risk amplifier.

The Bridges trade is especially instructive. Rose paid a significant price, sending multiple first-round assets to Brooklyn. NBA.com described it as one of Rose’s biggest and most questioned risks before Bridges proved his value in the postseason. In terms of compliance, this was not risk avoidance. It was risk governance. The question for any board is not whether a strategy carries risk. All meaningful strategies carry risk. The question is whether management has identified the risk, documented the rationale, designed mitigation, and monitored outcomes.

Game 4 was the stress test. The Knicks trailed by 29 points and still beat the Spurs 107-106, completing the largest comeback in NBA Finals history under modern play-by-play tracking. In compliance, this is where paper programs fail, and real programs prove themselves. A company can look strong during the annual training season. The test comes when a whistleblower allegation arrives before the close of a quarter, a high-risk distributor is tied to a government official, a sanctions rule changes overnight, or a business leader asks for an exception because “the deal is too important.”

The Knicks did not win because they avoided adversity. They won because their controls held when adversity arrived. NBA.com noted that every game in the series was within five points in the last five minutes, and the Knicks erased double-digit deficits throughout the Finals. That is program effectiveness. A compliance program is not effective because the code of conduct is polished. It is effective because people make the right decisions when the score is close, the pressure is high, and the wrong shortcut looks attractive.

Finally, Rose made the coaching decision. Mike Brown replaced Tom Thibodeau in 2025, and NBA.com reported that Brown’s approach helped win over the locker room and make strategic changes during the playoff run. This is remediation. Mature organizations do not confuse past success with future sufficiency. Thibodeau helped move the Knicks forward, but Rose concluded that the next stage required a different operating model. CCOs face the same challenge when a legacy control, legacy investigator, legacy third-party process, or legacy reporting structure no longer fits the risk environment.

The Knicks’ championship was not an accident. It was the result of governance, discipline, culture, and controls. That is why CCOs should study it. Define your risk appetite before the season starts. Build around culture, not just talent. Spend resources where the risk assessment shows the gaps. Treat major decisions as board-defensible governance judgments. Most importantly, test whether your program can perform in the final five minutes, because that is where championships and compliance failures are decided.


Trekking Through Compliance: Episode 14 – Investigative Lessons from Balance of Terror

In this episode of Trekking Through Compliance, we consider the episode Balance of Terror, which aired on December 15, 1966, Star Date 1709.1.

In this episode of Trekking Through Compliance, we analyze “Balance of Terror,” the tense, submarine-style showdown between the Enterprise and a Romulan Bird-of-Prey, which introduces one of Star Trek’s most enduring adversaries. The story unfolds as a mystery: Who attacked the Earth outposts? What is this new weapon? Who are the Romulans? And what do their sudden appearances mean for the Federation?

We review the critical investigative lessons this episode offers for compliance professionals: the importance of situational analysis, managing internal bias, respecting operational security, and knowing when to act and when to wait. In this cat-and-mouse episode, we find the foundations of modern investigative best practices.

Key highlights:

1. Situational Awareness and Evidence Gathering—Don’t Jump to Conclusions

🖖Illustrated by: The destruction of Outposts 2 and 3 and the cryptic communication from Outpost 4.

Captain Kirk begins his investigation without clear evidence, gathering fragmented data from the surviving outpost’s transmissions and assessing the damage patterns. For compliance professionals, this illustrates the importance of establishing a clear fact pattern before reaching a conclusion. Investigations must be driven by objective evidence, not assumptions.

2. Managing Internal Bias—Appearance Is Not Proof

🖖Illustrated by: Lieutenant Stiles’ suspicion of Mr. Spock based on the physical resemblance between Romulans and Vulcans.

Stiles immediately targets Spock as a potential traitor, despite a complete lack of evidence, simply because Romulans and Vulcans share a similar appearance. This moment serves as a cautionary tale for compliance professionals: biases, whether conscious or unconscious, can derail investigations and damage team morale.

3. Strategic Surveillance—Investigate Without Provoking Retaliation

🖖Illustrated by: Kirk shadowing the Romulan ship to determine intent and capabilities before engaging.

Rather than charging into conflict, Kirk chooses to observe the Romulan ship’s behavior. In compliance investigations, particularly those involving fraud or misconduct, covert observation and the secure handling of information are crucial to preventing tip-offs or escalation.

4. Chain of Custody and Documentation—Recording and Communicating the Facts

🖖Illustrated by: The tactical logs Kirk reviews and Spock’s technical input during the confrontation.

Throughout the engagement, Kirk relies on detailed sensor data, eyewitness accounts, and Spock’s analysis to make decisions. Compliance professionals must ensure the proper documentation of interviews, timelines, and data sources for both internal review and external audit.

5. Ethical Leadership During Investigations—Calm in the Face of Conflict

🖖Illustrated by: Kirk’s balance between decisiveness and restraint, even when provoked by Romulan attacks.

Kirk refuses to act out of fear or anger—even as tensions rise. He models ethical leadership by protecting lives, upholding treaty obligations, and maintaining moral clarity. In high-stakes compliance investigations, emotional discipline and ethical consistency are vital.

Final Starlog Reflections

Balance of Terror is a masterclass in investigative poise, procedural discipline, and ethical clarity under pressure. As the Enterprise crew faces a new adversary cloaked in invisibility, we see what real leadership looks like when facts are scarce and risks are high.

For compliance professionals, this episode is a reminder that investigations require patience, vigilance, and integrity. Bias must be checked, facts must be verified, and trust must be earned. The threat may be hidden, but your investigative principles must always remain visible.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


The CCO as AI Trust Architect

The most important AI risk inside many companies may not be that employees are using AI. It may be that employees are using AI and hiding what they are learning. That is the central compliance lesson from Eric Anicich and Jeslyn Brouwers’ HBR article, Why Employees Aren’t Transparent About Their AI Usage. The authors open with a physician who had built a highly effective prompting template inside an approved, HIPAA-compliant AI tool. His colleagues were struggling with the same tool. He believed his template could help them. Yet he did not share it.

The article reports that a study by KPMG and the University of Melbourne, involving more than 48,000 respondents, found that 57% of employees admitted to hiding their AI use at work. More importantly, the authors argue that concealed use is only part of the issue. What employees are learning privately through prompt sequences, chained tools, and successful workflows may matter even more. AI introduces what the authors call the suppression of solutions: employees may be withholding productivity breakthroughs that could help the entire organization.

For the CCO, this creates a new mandate. The compliance function must help bring AI use into the open without becoming the AI police. The CCO must build a governance system that encourages employees to disclose, share, and improve AI-enabled work while still protecting the company from real risks around confidentiality, privacy, IP, bias, inaccurate outputs, cybersecurity, records retention, regulatory representations, and misuse. That is the function the CCO can fulfill: the AI trust function.

Why Hidden AI Use Is a Compliance Problem

Most compliance professionals instinctively focus on the obvious AI risks. Employees may paste confidential data into public tools. They may use AI to draft customer-facing claims without verification. They may generate code, contracts, marketing copy, investigation summaries, due diligence reports, or regulatory submissions without appropriate review. They may rely on AI outputs that are inaccurate, biased, incomplete, or unsupported. Those risks are real.

But the authors point to a second problem: the company may also be losing the benefits of compliant AI experimentation. Productivity gains were once scaled through shared systems and standardized processes. With AI, many gains begin as individual discoveries: a better prompt, a workflow shortcut, a way to summarize information, a way to identify anomalies, or a method that reduces a multi-hour task to minutes. That knowledge is portable, private, and easy to conceal.

This means the CCO must avoid a one-dimensional response. A punitive AI governance program may reduce some visible misuse, but it may also drive experimentation underground. Employees who fear being judged, punished, overworked, or replaced will not share what they are doing. They will protect themselves. That creates the worst of both worlds: risk remains hidden, and useful innovation remains trapped inside individual workflows.

The CCO’s New Role: Govern for Trust, Not Just Control

The authors’ core finding is highly relevant to compliance. They surveyed 604 U.S.-based employees who used AI at work daily or multiple times per day. Nearly one in three said they had intentionally withheld AI-related knowledge, workflows, or techniques. Employees in the lowest quartile of organizational trust were nearly four times as likely to withhold AI knowledge as those in the highest quartile (47% versus 14%). A similar pattern appeared for psychological safety: 45% versus 17%.

That finding should feel familiar to compliance professionals. Speak-up culture works the same way. Employees report misconduct when they believe the company will listen, protect them, and act fairly. Employees hide misconduct when they believe the company will punish the messenger, ignore the issue, or retaliate indirectly. AI transparency is now a speak-up issue.

The CCO should therefore treat AI disclosure as part of the company’s broader culture of integrity. The question is not merely, “Are employees using approved AI tools?” The better question is, “Do employees trust us enough to tell us how they are using AI, what they have learned, where they are uncertain, and what risks they see?”

That is where the compliance function can add unique value. Compliance already understands reporting channels, non-retaliation, policy clarity, training, investigation triage, escalation, monitoring, remediation, third-party risk, and board reporting. Those capabilities can be applied to AI governance if the CCO frames the issue correctly.

Distinguish Experimentation from Misconduct

A major insight in the article is that companies often confuse two very different categories of behavior. One is blameworthy deviance: ignoring rules or cutting corners in ways that harm the organization. The other is exploratory testing: experimenting at the edge of what is known in ways that can generate valuable learning. When companies confuse the second with the first, they punish the behavior they need to encourage. This is directly applicable to the CCO.

An employee who uploads customer personal data into an unapproved public AI tool may have created a serious compliance issue. An employee who uses an approved internal AI tool to create a better first draft of a due diligence memo may have created a learning opportunity. An employee who uses AI to fabricate supporting documentation has engaged in misconduct. An employee who uses AI to test a workflow and then asks compliance whether the use is permissible has done exactly what the company should want. The CCO’s job is to build a framework that makes those distinctions clear.

That means creating red lines, green lanes, and gray zones. Red lines are prohibited uses: confidential data in unapproved tools, AI-generated false records, unreviewed regulatory filings, discriminatory automated decision-making, or any use that circumvents required approvals. Green lanes are encouraged uses: approved tools for summarization, first drafts, brainstorming, translation support, policy search, training development, or internal productivity tasks, where appropriate safeguards are in place. Gray zones are uses that require consultation: HR decisions, customer communications, legal analysis, investigation outputs, high-risk third-party reviews, or regulated submissions.

A compliance program that treats every use of AI as suspicious will teach employees to hide. A compliance program that treats every use of AI as harmless will fail in its duty. The CCO must create the middle path: clear, risk-based, practical, and trusted.

Earn the Disclosure You Want

The article advises leaders to “earn the disclosure” they want. Employees need clear guidance on what AI use is encouraged, what is off-limits, and how to handle gray areas. The authors also warn that companies should not force employees to convert a useful prompt into a long process memo. Lightweight templates, short demos, and practical “show me how you built this” sessions are better ways to turn private methods into reusable knowledge.

That is a practical blueprint for the CCO. A CCO should create an AI disclosure process that is easy to use. It should not feel like an investigation request. It should not require a ten-page form. It should not punish employees for asking questions. The goal is to make disclosure normal.

That is enough to begin. The CCO can then partner with IT, Legal, Privacy, Cybersecurity, HR, Internal Audit, and business leaders to determine whether the workflow should be approved, modified, shared, restricted, or escalated. The key is tone. The message should be: “Show us what you are learning so we can help you use AI safely and scale what works.”

Reward Multiplier Behavior

The article warns against rewarding only individual AI productivity. If employees believe that sharing makes them less distinctive while others benefit, they will hide. Instead, companies should reward reusable workflows, peer adoption, quality improvements, and contributions that help others. The authors recommend giving credit in performance reviews, protecting time for continued experimentation, and closing the loop by telling employees where their contribution was used and what improved. This is where a CCO can help turn AI transparency into culture.

Compliance should not run a generic AI leaderboard that encourages unhealthy competition. Instead, the CCO should help build recognition for responsible AI multipliers: employees who find a better way to do their work, disclose it, help validate it, and enable the company to scale it safely. This turns AI governance from a prohibition system into an integrity system. Employees are not just being told what not to do. They are being recognized for helping the company do better.

In compliance terms, that means rewarding employees who:

  • Identify a safe AI workflow that improves the effectiveness of control.
  • Flag a risky AI use before harm occurs.
  • Develop a prompt that improves due diligence quality.
  • Create a monitoring workflow that identifies anomalies faster.
  • Help colleagues use approved tools properly.
  • Document limitations and human review requirements.
  • Share lessons learned from AI experimentation.

Treat Disclosure as a Contribution

One of the article’s most powerful points is that the manager’s reaction in the first thirty seconds after an employee discloses an AI workflow may be the decisive trust signal. If the employee is treated as though they cut corners, they learn to hide. If the disclosure is treated as something worth understanding, they learn that disclosure pays. The authors also warn that disclosure should not amount to unpaid labor; the employee should demonstrate the method once, and the company should then own the documentation, distribution, and support, while the discoverer keeps the credit. This is a direct instruction to compliance professionals.

A CCO should train managers to respond the same way. Most AI disclosures will not go to compliance first. They will happen in team meetings, performance conversations, project reviews, and manager check-ins. If local managers shame employees for using AI, employees will hide. If local managers automatically add more work to anyone who discloses a productivity gain, employees will hide. If local managers give credit and bring compliance in as a partner, employees will share.

The CCO’s AI Trust Playbook

A CCO who wants to fulfill this function should take five practical steps.

  1. Create a risk-based AI use framework. Define prohibited uses, encouraged uses, and uses requiring consultation. Make the guidance short, practical, and example-driven.
  2. Build a safe AI disclosure channel. This should be separate from the hotline in tone, even if connected administratively. Employees need a place to ask, “Can I use AI this way?” without feeling as if they are self-reporting misconduct.
  3. Launch structured AI learning sessions. Invite employees to demonstrate useful workflows created with approved tools. Keep documentation light. Capture the use case, data inputs, review controls, risks, and adoption potential.
  4. Partner with HR on incentives. Ensure responsible AI sharing is recognized in performance reviews, promotion discussions, and leadership communications. Reward employees who become AI multipliers, not only those who quietly produce more.
  5. Report AI transparency metrics to leadership and the board. Do not only report policy completion or tool adoption. Report the number of disclosed workflows, number approved for broader use, number modified for risk reasons, number rejected, key risk themes, training gaps, and examples where disclosure improved both productivity and control.

Conclusion

The CCO should not try to own every aspect of AI. IT must own infrastructure. Cybersecurity must own security controls. Legal must advise on legal risks. Privacy must address data protection. HR must address workforce impacts. Business leaders must own operational use cases. Internal audit must test the program. But the CCO can own the trust architecture.

The bottom line is straightforward. AI governance cannot be built only on restriction, monitoring, and fear. That approach may make the company look controlled while driving the most important AI activity underground.

The CCO has a different opportunity: to build an AI trust function that brings use cases, risks, questions, and innovations into the open. The compliance function should not be the department that says, “Do not use AI.” It should be the function that says, “Use it responsibly, show us what you are learning, and let us help the company scale it safely.” That is how compliance fulfills this function. It turns hidden AI use into visible learning, visible learning into governed practice, and governed practice into ethical business value.

What Interruptions Reveal About Corporate Culture

Every Chief Compliance Officer talks about culture. Every company claims to value ethics, integrity, respect, inclusion, and speak-up behavior. Those words appear in codes of conduct, CEO messages, training decks, town halls, leadership offsites, and annual ethics campaigns. Yet culture is not built into the code of conduct. It is revealed in the meeting.

That is the central lesson of Research: What Interruptions Reveal About Company Culture by William Degbey, Benjamin Laker, Baniyelme Zoogah, Sanjay Kumar Singh, and Ghulam Murtaza. The authors argue that workplace culture is shaped less by formal statements and engagement programs than by everyday interaction patterns, especially interruptions in meetings. Their research found that interruptions, redirections, and moments where employees were spoken over were not merely interpersonal annoyances. They were signals of whose voice carried weight in the room.

For the CCO, that finding should land with force. A company can have a beautifully written value of “speak up.” Still, if employees learn in ordinary meetings that certain people are cut off, ignored, or not credited for their ideas, the real culture is not to speak up. It is speak-only-if-you-have-power. That is a compliance issue.

Culture Is What Happens Before the Hotline

Compliance professionals often think about speak-up culture in terms of hotline reports, investigation data, employee surveys, and anti-retaliation policies. Those are important. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a trusted reporting mechanism, whether employees feel comfortable using it, whether reporting is encouraged or chilled, and whether employees can raise concerns without fear of retaliation.

But by the time an employee reaches the hotline, the culture has already taught that person a great deal. It has taught them whether management listens. It has taught them whether disagreement is welcome. It has taught them whether bad news is punished. It has taught them whether junior employees can challenge senior leaders. It has taught them whether women, employees from underrepresented groups, remote employees, finance staff, compliance staff, or local market employees are taken seriously.

The authors’ most important compliance lesson is that interruptions are cultural data. They are small, repeated, observable signals that show whether the company’s stated values are protected in daily business interactions or suspended when authority, speed, revenue, or hierarchy enters the room.

Why This Matters to Ethics and Integrity

Ethics and integrity depend on voice. Employees must be willing to raise concerns, ask questions, challenge assumptions, and slow down decisions when something does not look right. If the organization’s meeting culture teaches employees that unfinished concerns can be interrupted, redirected, or appropriated, then the company is training people not to speak.

The authors found that many senior leaders interpreted interruptions as signs of efficiency and engagement. They saw energetic cross-talk as evidence of a productive culture. Yet the follow-up study found that others experienced the same conduct as exclusionary and predictable. Interruptions were disproportionately directed at women and employees from underrepresented racial and ethnic groups. In the follow-up study, 19 of 27 interviewees described women being interrupted more frequently than men; all seven Black women interviewed described early-stage interruptions, and five said others later resurfaced their ideas without attribution.

For compliance, that is not simply an inclusion issue, though it certainly is. It is also a risk-detection issue. If certain voices are routinely cut off, then certain risks will be underreported. If certain employees must speak faster, more defensively, or only when explicitly invited, the company loses early warning signals. If some ideas are accepted only when repeated by someone with greater status, then the company is not evaluating risk on its merits. It is evaluating risk through hierarchy. That is how ethical blind spots form.

The Silent Cost of Being Interrupted

One of the most powerful findings in the article is that interruptions changed employee behavior. Twenty-one of the 27 participants in the follow-up study said they changed how they contributed to meetings. Some spoke faster or more defensively. Some pre-structured arguments to avoid being cut off. Some waited for explicit permission to speak. Others stopped contributing unless necessary. That is exactly what a CCO should worry about.

A healthy compliance culture does not require employees to perform perfectly polished courage. It gives employees room to raise half-formed concerns, ask awkward questions, and test whether something feels wrong before they have built a legal brief around it. Many compliance issues begin as fragments: “Something about this consultant does not feel right.” “The customer is asking for unusual documentation.” “The timing of this payment seems odd.” “Why are we routing this through that entity?” “I am not sure the data use matches what we told customers.” Those are early-stage compliance signals. They need space.

If the meeting culture rewards only fast, polished, confident speech, then employees who need time to frame a concern may never get the chance. The authors note that faster and more confident-sounding speech was often treated as more authoritative, while slower or less forceful speech was treated as incomplete and therefore easier to interrupt. For a CCO, the lesson is clear: do not build a compliance program that only works for the loudest person in the room.

From Tone at the Top to Conduct in the Room

Compliance professionals have long emphasized “tone at the top.” That remains important. But this article reminds us that tone at the top is incomplete unless it becomes conduct in the room.

The DOJ expects companies to demonstrate that compliance policies and procedures are integrated into operations and that a culture of compliance is embedded in day-to-day activities. That is precisely where meeting behavior matters. Meetings are where risk appetite becomes real. They are where employees learn whether the company actually values integrity when there is a deal to close, a target to hit, or a senior executive to satisfy.

A CCO should, therefore, ask:

  • What happens when ethics enters the meeting?
  • Does the room slow down?
  • Does the leader protect the person raising the concern?
  • Does someone capture the issue and assign a follow-up?
  • Does the business discuss controls and alternatives?
  • Or does the concern get interrupted, minimized, joked away, or pushed offline?

The answers will tell you more about culture than a slogan.

Reading Interruptions as Compliance Data

The authors recommend that leaders stop treating interruptions as isolated incidents and begin reading them as data. They suggest observing who gets interrupted, when the interruption occurs, and what happens to the idea afterward. Is the idea acknowledged? Is it dropped? Is it later picked up without credit? That framework can be directly adapted into a compliance culture assessment.

A CCO can ask compliance, internal audit, HR, or an outside facilitator to observe selected meetings where risk decisions are made. These might include third-party approval committees, deal review meetings, product governance meetings, investigations triage meetings, M&A diligence sessions, safety committees, privacy reviews, or regional leadership calls.

The observer should not simply count who speaks. This is not about policing manners. It is about understanding whether the company’s ethical culture allows risk information to travel upward and across the organization.

Slow the Meeting to Surface the Risk

The article warns that speed and forced momentum can amplify inequality. Faster conversations often favor those who already feel entitled to the floor. Those who anticipate interruption compress their thinking, hesitate, or wait for a clear opening. The authors recommend slowing the interaction: let people finish, pause before responding, reinforce the norm when someone is cut off, and rotate facilitation. This is deeply relevant to compliance.

Many corporate failures occur not because no one saw the risk, but because the organization moved past it too quickly. The payment had to go out. The distributor had to be approved. The quarter had to close. The launch date had to be met. The customer had to be retained. In that environment, “speed” can become a cultural value that overwhelms integrity. A CCO should help leaders build an “integrity pause” into decision-making.

Protect the Contribution, Not the Ego

The article also makes an important distinction. Calling out interrupters or turning every interruption into a lesson on etiquette often does not work. It can escalate the moment and personalize the issue. The better approach is to protect the contribution directly. The authors suggest short interventions such as “Let them finish,” “I want to hear the rest of that point,” and “Let’s come back to the idea that was just interrupted.” This is practical guidance for CCOs and compliance professionals.

When someone raises a compliance concern and is interrupted, the compliance professional does not need to accuse anyone of bad intent. It is enough to protect the contribution, for example by asking to hear the rest of the point. Interventions like that help create psychological safety around risk information. They tell the room that compliance concerns are not interruptions to business. They are part of doing business properly.

The CCO as Culture Observer

A CCO cannot improve culture solely by issuing policies. Policies matter, but culture is reinforced through repeated behavior. The DOJ guidance recognizes that policies and procedures must give effect to ethical norms and be integrated into day-to-day operations. That means the CCO must look beyond policy architecture and ask how people actually behave when decisions are being made.

Not every interruption is retaliation. Not every fast-paced meeting is unethical. Not every dominant speaker is a compliance risk. But patterns matter. Repeated interruption of certain people, functions, geographies, or types of concerns is cultural data. A CCO should treat it as such.

Turning the Article into a Compliance Playbook

A practical CCO response could include five steps.

  1. Add meeting behavior to the culture assessment. Ask employees whether they can finish raising concerns in meetings, whether leaders invite dissent, whether objections to risk are credited, and whether certain voices are routinely ignored.
  2. Observe high-risk meetings. Select a sample of decision-making forums and map interruptions, credit, follow-up, and closure. The goal is not surveillance. The goal is to understand whether the company’s values show up when risk is discussed.
  3. Train leaders on protecting concerns. Leadership training should include simple phrases for preserving unfinished risk points. A manager does not need to become a compliance expert to say, “Let’s hear the rest of that concern.”
  4. Build structured dissent into key decisions. For high-risk approvals, require a final risk round before the decision. Ask compliance, finance, legal, HR, internal audit, cybersecurity, or local-market leaders whether they see an unresolved issue.
  5. Report cultural signals to the board. Boards should hear more than hotline statistics. They should understand whether the organization’s meeting culture supports candor, dissent, and ethical escalation.

Improving Corporate Culture Around Ethics and Integrity

The broader message for compliance professionals is that ethics and integrity must become observable behaviors. Employees should see integrity in how meetings are run, how concerns are handled, how dissent is credited, how leaders respond to uncertainty, and how the company treats people who slow down a decision for the right reason.

The bottom line is straightforward. The words on the wall do not prove a culture of ethics and integrity. It is proven by who gets to speak, who gets heard, and what happens when someone raises a concern that slows the room down. For the CCO, the lesson from this article is powerful: look at the meetings. That is where the culture is already speaking.

Why Compliance Gets Branded as the Problem

Every compliance professional has heard the accusation. Compliance is too slow. Compliance does not understand the business. Compliance always says no. Compliance is where deals go to die. That reputation is so common that it has a shorthand: “Dr. No from the Land of No.”

Luis Velasquez’s article, Why Effective Leaders Get Branded as Problems, offers an important way for Chief Compliance Officers to think about this challenge. His central point is that when a leader creates friction, organizations often default to one explanation: the leader is the problem. Yet the article argues that friction usually comes from one of four sources: capability, perception, identity, or system. Because those sources may appear similar on the surface, organizations often collapse them into a single behavioral judgment, leading to poor decisions.

That insight maps directly onto compliance. When compliance creates friction, the organization may assume the compliance function is the problem. Sometimes that is true. Sometimes compliance really is slow, unclear, inconsistent, or disconnected from commercial reality. But often, compliance is not the problem. It is exposing the problem. The CCO’s job is to know the difference.

The Evaluation Trap for Compliance

Velasquez calls this dynamic the “evaluation trap.” Organizations overfocus on visible behavior and underweight the context surrounding it. If there is friction, the easy assumption is that the individual leader is the problem. For compliance, the same trap appears when business leaders say some of the following: “Compliance is blocking the deal. Compliance is slowing us down. Compliance is too rigid. Compliance does not understand how we make money.”

Those statements may contain useful feedback, but they are not a diagnosis. They are conclusions. A good CCO should not reject them defensively, but neither should the CCO accept them at face value. The better question is, “What is really causing the friction?”

Is compliance creating unnecessary delays? Is the business bringing compliance in too late? Is the policy unclear? Is the company’s incentive structure encouraging people to push risk downstream? Is the compliance team applying yesterday’s reputation to today’s improved process? Or is the function’s greatest strength, independence, being overused in a way that makes compliance appear detached from the business? The answer matters because each cause requires a different response.

Why “The Land of No” Is Dangerous

Being known as “The Land of No” is more than a branding problem. It is a control problem. When employees believe compliance exists only to stop things, they stop bringing compliance into decisions early. They delay disclosure. They frame facts selectively. They look for workarounds. They ask for forgiveness instead of guidance. The compliance function then receives issues late, with fewer options and higher stakes. That reinforces the perception that compliance is always saying no.

It becomes a vicious cycle. The business avoids compliance because it fears delay. Compliance receives incomplete or late information. Compliance responds with concern or rejection. The business concludes that compliance is a blocker. The next time, the business waits even longer to engage. That is how a compliance function loses influence while still technically having authority.

The Four Sources of Compliance Friction

Velasquez identifies four sources of leadership friction: a true skill deficit, historical reputation, overextension of identity, and the system as a blocker. Each has a direct compliance equivalent.

1. A True Compliance Capability Deficit

Sometimes the criticism is fair. The compliance team may be too slow. It may issue dense legal guidance that no one can use. It may give inconsistent answers across regions. It may lack business knowledge. It may escalate too many routine issues. It may have no clear intake process, no service-level expectations, no decision trees, and no practical playbooks.

The remedy is operational discipline. Build intake channels. Publish response-time expectations. Create risk-tiered approval paths. Train compliance professionals in business acumen. Give the business practical guidance, not abstract warnings. Measure cycle time, quality of advice, repeat questions, escalation frequency, and stakeholder satisfaction. A compliance function that wants credibility must be professionally managed.

2. Historical Reputation

Sometimes, compliance is judged by an old story. Velasquez describes “organizational drift,” where systems rely on outdated narratives rather than current evidence. Feedback may be based on historical reputation rather than recent interactions. Labels harden even when behavior changes.

In that case, behavior change alone may not be enough. The CCO must manage perception as deliberately as performance. That means asking business leaders for specific, recent examples. It means distinguishing current pain from legacy frustration. It means documenting improvements and communicating them repeatedly. It means publicizing examples where compliance helped a team win business the right way, accelerate a transaction, resolve a third-party issue, or design better controls.

3. Overextension of Compliance Identity

Compliance has core strengths: independence, skepticism, discipline, documentation, escalation, and control. Those strengths are essential. But Velasquez warns that a strength can become a habit, then an identity, and then a constraint. The problem is not always the absence of skill; sometimes it is the overuse of a strength in the wrong context. That is a powerful lesson for compliance.

A compliance function that is appropriately skeptical in a bribery investigation may be unnecessarily skeptical in a low-risk gift review. A team that properly demands documentation for a high-risk distributor may over-document a routine vendor. A CCO who must be firm with the board or regulators may unintentionally use the same posture in early-stage business counseling. The answer is not to weaken compliance. The answer is to expand its range.

Compliance should know when to be an investigator, an adviser, a control designer, an educator, and a decision escalator. Not every question requires the same tone, process, or level of scrutiny. A mature compliance function does not say yes to everything. It knows how to say “Yes, if.” That is very different from simply saying no.

4. The System as the Blocker

Velasquez calls the system-as-blocker issue the most misunderstood trap. What looks like a behavior problem may actually be caused by culture, structures, resources, incentives, or decision rights that make the desired behavior difficult to achieve. The article notes that organizations may say they want one thing while rewarding another. This is the most important lesson for the CCO.

Compliance is often blamed for delays caused elsewhere. Sales may bring a high-risk intermediary into compliance two days before a bid deadline. Procurement may onboard vendors before due diligence is complete. Finance may discover payment issues only after an invoice is pending. Legal may escalate a contract after commercial terms have already been promised. Senior leadership may say compliance matters, while compensation plans reward speed and revenue at any cost.

In reality, the system created the bottleneck. Compliance was simply the first function willing to name it. The CCO should identify these systemic blockers and bring them to management. If the business wants faster third-party approvals, it must engage compliance earlier. If the company wants fewer rejected transactions, it must define risk appetite before the deal is negotiated. If leadership wants a speak-up culture, it must protect reporters and discipline those who retaliate. If the

Building a Compliance Function Known for Solutions

The goal is not to become the “Land of Yes.” That would be worse. A compliance function that says yes to everything is not a compliance function. It is a permission slip. The goal is to become the Land of Know: a place where the business gains clarity, options, risk intelligence, and practical pathways. That requires a different operating model.

  1. Compliance must engage early. The function should be embedded in strategy discussions, product design, market entry planning, third-party selection, M&A activity, data use, AI deployment, and incentive design. Late-stage compliance review is where trust goes to die.
  2. Compliance must define red lines and green lanes. Business teams should know which activities are prohibited, which require escalation, and which can move quickly through preapproved controls. Ambiguity produces both delay and resentment.
  3. Compliance must communicate in business language. “This violates Section X of Policy Y” may be accurate, but it is rarely sufficient. The better explanation is: “This creates an undisclosed conflict, weakens our audit trail, and could make the payment look improper. Here is how we can restructure it.”
  4. Compliance must offer alternatives. A “no” without a path forward should be reserved for real red-line issues. In most cases, compliance should identify a lower-risk route.
  5. Compliance must measure enablement. Do not only track training completions, hotline numbers, or policy attestations. Track advisory response time, time to third-party decision, percentage of matters resolved with conditions, number of early consultations, repeat issues by business unit, and examples where compliance helped preserve business value.
  6. Compliance must own its mistakes. When compliance is slow, unclear, inconsistent, or overly rigid, the CCO should say so and fix it. Credibility increases when compliance holds itself to the same level of accountability it expects of the business.

The CCO’s Message to the Business

The CCO should be able to say, “We are not here to stop the business. We are here to help the business grow in a way that can withstand scrutiny. Sometimes that means yes. Sometimes that means yes with controls. Sometimes that means no. But every answer should be timely, clear, risk-based, and tied to the company’s values and obligations.”

That message must be backed by behavior. Business leaders will not judge compliance by slogans. They will judge it by how the function behaves when a deal is urgent, a market is risky, a senior executive is involved, or the answer is uncomfortable.

The lesson from Velasquez’s article is simple but profound. Before deciding that the leader is the problem, ask whether the diagnosis is wrong. For CCOs, the parallel lesson is equally important: before accepting that compliance is the problem, determine what the friction is really telling you.

A strong compliance function should never aspire to be popular at all costs. But it should aspire to be trusted. The way to avoid becoming “The Land of No” is not to say yes more often. It is to become clearer, earlier, more practical, more evidence-based, and more courageous about identifying whether the real issue sits in compliance, the business, or the system itself.

The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? They also make an important distinction between “alignment” and “agreement.” Alignment may mean that executives are not actively blocking one another. An agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. They also describe the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a quality debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Come to a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.


From the Tower of Babel to the Boardroom: Part 4 – AI, Truth, and Corporate Trust

Employees trust that leadership will tell them the truth. Investors trust that disclosures are accurate. Customers trust that representations are reliable. Boards trust that management reporting is complete. Compliance officers trust that records, interviews, hotline reports, emails, chats, invoices, certifications, and audit findings reflect reality.

Artificial intelligence now challenges that foundation. AI can generate text, audio, images, video, records, summaries, identities, and narratives at speed and scale. It can help a compliance function become more effective. It can also make falsehood more convincing, fraud more sophisticated, and manipulation harder to detect.

In the first three posts in this series, we used Magnifica Humanitas to move from governance principle to compliance program design and then to internal controls for shadow AI. In this fourth post, we turn to one of the most important themes in the Encyclical Letter: truth. Pope Leo XIV says the digital transformation requires us to rediscover truth as a common good, protect the dignity of work, and safeguard freedom against dependence and commercialization (Magnifica Humanitas, ¶131). For boards and compliance leaders, that is a powerful governance lesson. Without truth, there is no trust. Without trust, there is no culture. Without culture, no compliance program can be effective.

Truth as a Common Good

Magnifica Humanitas warns that digital platforms and AI systems are transforming public and institutional communication. The Encyclical identifies a core risk: AI can construct distorted narratives, blur the boundary between truth and falsehood, mix facts with opinions, and manipulate content, images, and video (Magnifica Humanitas, ¶132). It also reminds us that truthful information requires verification, cross-checking of sources, responsible argument, and shared practices of trust (Magnifica Humanitas, ¶132).

For the compliance professional, this is not abstract philosophy. It is an operational reality. A corporation is built on records and representations. A company’s compliance program depends on accurate policies, reliable data, trustworthy reporting, credible investigations, authentic communications, and truthful escalation to leadership and the board. If AI weakens the company’s ability to know what is real, AI becomes a compliance risk.

The issue is not only misinformation in public discourse. It is misinformation inside the enterprise. AI-generated falsehood can appear in emails, invoices, employee complaints, due diligence materials, contracts, investigation files, synthetic images, training materials, board reports, and financial documentation. Truth is no longer only an ethical value. It is a control objective.

From Encyclical Principle to Corporate Trust Requirement

The corporate translation is direct. If truth is a common good, information integrity is a governance requirement. If AI can distort narratives and manipulate content, companies need verification controls. If truthful information depends on cross-checking and responsible argument, compliance cannot treat AI outputs as self-authenticating. If communication creates culture, as Magnifica Humanitas teaches, then AI-generated communications must be governed because they shape how employees, customers, investors, and directors understand the company (Magnifica Humanitas, ¶135).

The Encyclical also calls for an ecology of communication grounded in transparency, personal data protection, rigorous verification, and the proper use of digital tools (Magnifica Humanitas, ¶137). In corporate terms, that means controls over high-risk communications, rules for AI-generated content, validation of AI-assisted summaries, protection of the integrity of investigations, and reporting systems that enable the board to trust what it receives.

Synthetic Reality and Corporate Risk

We are entering the age of synthetic reality. Companies must assume that audio may be cloned, video may be fabricated, documents may be AI-generated, and digital identities may be false. This does not mean every communication is suspect. It means the company must build verification protocols for high-risk decisions.

The Arup deepfake fraud demonstrates the corporate risk. In 2024, The Guardian reported that engineering firm Arup had been victimized in a deepfake scam involving its Hong Kong office, in which fraudsters reportedly used AI-generated video impersonations on a call that led to the transfer of approximately $25 million. That incident should be understood as more than a cyber story. It is a governance story, a finance controls story, a human factors story, and a compliance story.

A traditional approval process may fail when a trusted executive appears to be present on a video call. A fraud-prevention control may fail when an employee believes their identity has already been verified. A payment control may fail when urgency, authority, secrecy, and synthetic trust converge. The compliance lesson is clear: in an AI-enabled environment, trust must be verified when the risk is high.

AI and the Integrity of Corporate Information

Boards and CCOs should treat the integrity of corporate information as part of AI governance. This includes information created by AI, information summarized by AI, and information used to make AI-supported decisions.

Consider internal investigations. AI can help summarize documents, cluster communications, identify patterns, and organize timelines. But Magnifica Humanitas reminds us that AI lacks moral conscience, does not understand what it produces, and does not bear responsibility for its consequences (Magnifica Humanitas, ¶99). A compliance investigator cannot delegate credibility findings to a machine. AI can support the investigation record. It cannot become the investigation record.

Consider hotline reporting. AI may help triage allegations, identify themes, translate complaints, and route issues. But if the system misclassifies a serious allegation as low risk, strips away nuance, or fails to identify indicators of retaliation, the company may miss a critical signal. Consider board reporting. A polished AI-generated report may look authoritative while masking weak data, incomplete controls, or unsupported conclusions. In compliance, elegance is not evidence.

The DOJ ECCP and Trustworthy AI

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) now asks how companies identify and manage emerging technology risks, including AI. It asks how companies govern AI in commercial operations and in their compliance programs; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline is used; how accountability is enforced; and how employees are trained.

This is where the Encyclical’s moral mandate and the DOJ’s compliance test meet. Magnifica Humanitas says responsibility must be clearly defined at every stage and that accountability requires identifying who must account for decisions, justify them, monitor them, challenge them, and remedy harm (Magnifica Humanitas, ¶105). The ECCP asks whether a company has converted that accountability into governance, controls, training, monitoring, and evidence. For CCOs, the question is not whether AI can help compliance. It can. The question is whether compliance can explain how AI-supported information is validated, reviewed, escalated, corrected, and documented.

NIST, COSO, and the Control Language of Trust

NIST provides a practical vocabulary for this discussion. The NIST AI Risk Management Framework identifies trustworthy AI characteristics, including validity and reliability; safety, security, and resilience; accountability and transparency; explainability and interpretability; privacy enhancement; and fairness, with harmful bias managed. For this post, reliability and transparency matter most. Reliability asks whether an output can be trusted for the intended purpose. Transparency asks whether the company can understand, explain, and govern the system.

COSO also matters here. COSO’s internal control framework is designed to help organizations achieve operations, reporting, and compliance objectives, and COSO’s GenAI guidance translates that internal-control discipline into AI governance. In the AI context, companies need controls over the creation, use, review, approval, and communication of AI-generated or AI-assisted information. This is where CCOs, internal audit, finance, legal, and IT must work together. The company should identify where authenticity matters most and design controls accordingly.

Practical Controls for AI, Truth, and Trust

A practical compliance program should include controls for AI-enabled truth risk.

First, companies should adopt verification protocols for high-risk communications. Payment instructions, executive requests, wire transfers, confidential transactions, changes to vendor banking information, M&A activity, crisis communications, and sensitive employment decisions should require independent verification outside the original communication channel.

Second, companies should require labeling or disclosure where AI-generated content is used in official corporate communications and authenticity matters. Third, companies should protect investigations from unverified AI outputs. AI-generated summaries should be treated as work aids, not evidence. Investigators should validate source documents, preserve original records, and document human review.

Fourth, companies should train employees on synthetic fraud. Magnifica Humanitas warns that AI-enabled manipulation of images and videos can make exploitation and deception more insidious (Magnifica Humanitas, ¶141). Employees should learn the red flags: urgency, secrecy, unusual payment instructions, refusal to use normal channels, unexpected video calls, requests to bypass controls, and pressure from apparent senior leaders.

Fifth, companies should create an incident response process for AI-enabled deception. A deepfake attempt, a synthetic invoice, a cloned executive voice, a fake employee profile, or an AI-generated document should be reportable, investigated, tracked, and remediated.

Board Oversight and Corporate Trust

For boards, AI and truth raise a serious oversight issue. Directors rely on management reporting to fulfill their duties. If AI affects the integrity of that reporting, boards need to understand the control environment.

The Caremark lesson is not that directors must become forensic AI experts. Directors must make a good-faith effort to ensure that reasonable information and reporting systems are in place for central compliance risks. In Marchand v. Barnhill (Blue Bell Ice Cream), the Delaware Supreme Court emphasized the importance of board-level monitoring and reporting systems for mission-critical compliance risks.

Magnifica Humanitas gives this oversight obligation a deeper accountability mandate. It says AI governance requires defined responsibility, justification of decisions, monitoring, challenge, and remediation (Magnifica Humanitas, ¶105). The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management can authenticate what matters, identify AI-enabled truth risks, escalate concerns, and remediate failures.

5 Lessons for the CCO
  1. Treat truth as a compliance control. Accurate records, authentic communications, validated reports, and reliable investigation files are essential to the effectiveness of compliance programs. Truth must be designed into the control environment.
  2. Build verification into high-risk processes. Payment approvals, executive instructions, vendor bank changes, crisis communications, and sensitive decisions should require independent verification.
  3. Govern AI-assisted evidence. AI can support investigations and reporting, but human review, source validation, preservation of original records, and documentation must remain mandatory.
  4. Train employees to challenge synthetic reality. Deepfakes, cloned voices, fake identities, and AI-generated documents should be part of fraud, cyber, finance, and compliance training.
  5. Report information integrity risk to the board. Boards need evidence that management has identified AI-enabled truth risks and designed controls to prevent, detect, respond to, and remediate them.

Conclusion: Corporate Trust Must Be Protected

Magnifica Humanitas reminds us that truth is a common good. That is a moral principle, but it is also a compliance principle. A company cannot govern itself if it cannot trust its information. A board cannot oversee what management cannot verify. A CCO cannot certify program effectiveness if the underlying records, reports, and communications are unreliable.

Compliance professionals should embrace AI. It can improve risk detection, strengthen monitoring, support investigations, and expand analytical capacity. But AI also requires vigilance, responsibility, transparency, governance, and human primacy. In the age of synthetic reality, compliance must help the company protect truth as part of the control environment.

In the next and final post in this five-part series, we will broaden the lens again. We will examine the Human Supply Chain of AI: Workforce Transformation, Third-Party Risk, and Modern Slavery. That post will tie together the human impact of AI, the dignity of work, vendor risk, data governance, and the compliance responsibility to look beyond the visible interface to the people, suppliers, and systems that make AI possible.


From the Tower of Babel to the Boardroom: Part 1 – Governing AI

Artificial intelligence is no longer a future issue for boards, CEOs, general counsel, chief compliance officers, audit leaders, or risk professionals. It is already inside the enterprise. It is in employee workflows, vendor platforms, data analytics, customer engagement, monitoring tools, investigations support, training design, due diligence, and decision-making processes. The compliance question is no longer whether the company will use AI. The real question is whether the company will govern AI before AI becomes embedded into the business without accountability, transparency, controls, or human judgment.

That is the danger of the modern Tower of Babel. Babel was not a failure of engineering. It was a failure of purpose, humility, and governance. It was a project built on power without accountability and ambition without restraint. For modern corporations, ungoverned AI can become a similar project. It may promise efficiency, scale, speed, and competitive advantage. Yet without proper governance, it can also produce bias, opacity, data misuse, weakened accountability, employee overreliance, vendor risk, and board blind spots.

What Is Magnifica Humanitas?

Magnifica Humanitas is an Encyclical Letter issued by Pope Leo XIV on May 15, 2026, titled “On Safeguarding the Human Person in the Time of Artificial Intelligence” (Magnifica Humanitas herein). The document places AI within the long tradition of Catholic social teaching and asks how humanity should respond to the “new things” of the digital age. Pope Leo frames AI not as a narrow technology issue but as a profound question about human dignity, work, truth, freedom, power, data, social justice, and the common good. The letter opens with two biblical images, the Tower of Babel and the rebuilding of Jerusalem under Nehemiah, to present the central choice of the AI age: will we construct systems of domination, or will we build communities of shared responsibility? (Magnifica Humanitas, paras. 1, 7-10).

The significance of Pope Leo issuing Magnifica Humanitas is that he places AI in the same broad moral and social category as prior industrial and economic disruptions. He expressly connects the document to the legacy of Pope Leo XIII and Rerum Novarum, the 1891 encyclical that responded to the labor, capital, and social disruptions of the industrial age. Pope Leo writes that digitalization, AI, and robotics are rapidly transforming the world, shaping decision-making and affecting both human dignity and the common good (Magnifica Humanitas, paras. 3-4). For this five-part series, we will use Magnifica Humanitas as the foundation for translating its core concepts into practical lessons for the modern compliance professional, the board, and the executive leadership team. This will not be a theological series. It will be a governance series. We will apply the moral force of the Encyclical Letter to compliance program design, board oversight, internal controls, data governance, third-party risk, workforce transformation, and corporate trust.

The Compliance Lesson of Babel

The Tower of Babel is a powerful compliance metaphor because it shows what happens when a project has capability but lacks discipline. Pope Leo describes Babel as an impressive feat with “a single language, a single technology, a single direction,” yet one that sacrificed human dignity for efficiency and sought power through self-sufficiency (Magnifica Humanitas, para. 7). In corporate language, Babel is the business transformation project that mistakes technical capability for good governance.

Pope Leo’s warning is direct: technology is never neutral because it takes on the characteristics of those who design, finance, regulate, and use it (Magnifica Humanitas, para. 9). That sentence should sit in every boardroom AI discussion. AI is not neutral in the compliance sense either. It reflects data, design, deployment, vendor, incentive, and governance choices. The first board question is therefore simple: What are we building?

Nehemiah as the Governance Model

If Babel is the warning, Nehemiah is the governance model. In Magnifica Humanitas, Pope Leo contrasts Babel with the rebuilding of Jerusalem. Nehemiah listens, inspects the damage, assigns responsibility, coordinates work, addresses opposition, and rebuilds section by section. The city is reborn through shared responsibility, not through the initiative of a single person (Magnifica Humanitas, para. 8).

That is the model compliance professionals should bring to AI governance. The CCO does not need to become a data scientist. The board does not need to manage model architecture. But the organization needs a disciplined governance structure that brings together compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance, and the business. AI governance cannot sit in a silo. It must be cross-functional because AI risk is cross-functional.

For compliance, that means asking practical questions. Where is AI being used? What problem is it solving? What data does it access? Who approved it? What risks were identified? What controls were designed? What human review is required? What could go wrong? How would we know? Who is accountable if the AI produces a harmful or unlawful result? Those are not anti-innovation questions. They are business discipline questions.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Human dignity becomes a human impact assessment. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional governance, meaningful participation, and decision-making as close as possible to the affected process. Transparency becomes documentation, explainability, board reporting, and auditability. Accountability includes named owners, escalation rights, challenge mechanisms, and remediation.

Pope Leo makes this bridge explicit when he calls for responsible planning, human and social impact assessment, inclusion of the vulnerable, digital literacy, and guiding research and industry toward justice and peace (Magnifica Humanitas, para. 14). He also warns that control over platforms, infrastructure, data, and computing power can become opaque and evade oversight, producing dependency, exclusion, manipulation, and inequality (Magnifica Humanitas, para. 95). For the CCO and the board, that is the language of AI inventory, data governance, vendor management, access controls, model oversight, incident response, and internal audit testing. That is not only a moral framework. It is a corporate governance requirement.

AI Governance and the DOJ ECCP

The Department of Justice has already made AI a compliance program issue. The logic now runs together. Pope Leo provides the mandate for moral governance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) supplies the compliance program test. The ECCP asks whether companies have a process for identifying and managing emerging risks, including risks related to new technologies such as AI; whether AI risk is integrated into enterprise risk management; how AI is governed in the business and in the compliance program; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline exists; how accountability is enforced; and how employees are trained.

That is a roadmap for the CCO. AI governance should be part of the compliance risk assessment. It should be reflected in policies and procedures. It should include training and communications. It should be monitored, audited, and improved. It should generate evidence. The company should be able to show not only that it has an AI policy but also that the policy has an operational effect. In other words, AI governance must move from aspiration to controls.

Board Oversight and Caremark

For boards, AI governance also raises Caremark oversight considerations. Directors are not expected to run the company’s AI systems. They are expected to make a good-faith effort to ensure that reasonable reporting and monitoring systems are in place for central compliance risks. In Marchand v. Barnhill (Blue Bell Ice Cream), the Delaware Supreme Court emphasized that boards must make a good-faith effort to put in place a reasonable board-level system of monitoring and reporting around central compliance risks.

The board obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability mandate. If Pope Leo requires that responsibility be defined, decisions be justified, systems be monitored, harms be challenged, and errors be remedied (Magnifica Humanitas, para. 105), then the board must ask whether management has built a governance system capable of producing that evidence. The board does not need technical comfort. It needs governance confidence.

Human Primacy as a Control

One of the most important lessons from Magnifica Humanitas is that AI is a tool, not a moral actor. Pope Leo explains that AI systems may imitate language, analysis, behavior, and even empathy, but they do not possess lived experience, conscience, wisdom, moral responsibility, or the capacity to understand what they produce (Magnifica Humanitas, para. 99). That matters deeply when AI affects employment, reputation, access, rights, opportunities, or treatment.

For compliance professionals, human primacy must be designed into AI governance. Human review is not a bureaucratic obstacle. It is a control. Pope Leo warns that sensitive decisions concerning employment, credit, access to services, and reputational risk are being delegated to automated systems that lack compassion, mercy, forgiveness, or the hope that people can change (Magnifica Humanitas, para. 102). The company should decide which AI outputs can be used automatically, which require review, which require escalation, and which uses should be prohibited altogether. The more consequential the decision, the stronger the human oversight must be.

5 Lessons for the CCO
  1. Treat AI as a human dignity and compliance risk. AI should be included in the compliance risk assessment, enterprise risk management process, and board reporting because it can affect rights, opportunities, status, freedom, privacy, and trust.
  2. Build an AI inventory because governance begins with visibility. The company cannot govern what it cannot see. The inventory should include business tools, vendor tools, embedded AI, compliance tools, and employee use of public AI.
  3. Require controls before scale because technology is never neutral. AI policies must be supported by approval processes, data controls, access controls, monitoring, testing, escalation, and remediation.
  4. Preserve human judgment because accountability cannot be outsourced. Human review should be required for high-risk and consequential decisions. Accountability must remain with people, not systems.
  5. Give the board evidence because governance requires reporting, monitoring, and remediation. Boards need dashboards, metrics, incident reporting, audit findings, risk rankings, and documentation that AI governance is working.

Conclusion: From Babel to Compliance Program Design

The lesson of Babel is not that building is wrong. The lesson is that building without humility, accountability, and purpose leads to fracture. AI is here to stay, and compliance professionals should embrace its promise. AI can improve monitoring, strengthen risk analysis, support investigations, enhance training, and identify patterns that humans might miss. But it must be governed with vigilance, responsibility, transparency, and human primacy.

Magnifica Humanitas gives us the mandate for moral governance. The ECCP gives us the compliance program questions. Caremark gives boards the oversight framework. Together, they point to the same conclusion: AI governance must be built before AI risk becomes unmanageable.

In the next post, we will move from principle to program design. We will examine why AI governance is a compliance program issue, how the CCO should help structure AI oversight, and how compliance can use AI responsibly while governing the risks AI creates.


Creativity and Compliance: Compliance 6-Pack: Part 4 – Using “Yes, And”

Tom and Ronnie continue their six-part series highlighting the role of improv in compliance. This series links improv lessons to corporate compliance and some of the key tools and strategies Ronnie has brought from his former world of improv to the corporate compliance communications realm. In today’s Improv & Compliance Lesson 3, they focus on using “Yes, And” to shift compliance from the Office of No to a collaborative advisor.

Tom and Ronnie discuss the improv principle “Yes, and,” which means agreeing with the reality presented, dropping one’s agenda, and adding a new piece of information to build collaboratively. They explain how this mindset helps compliance move beyond the “office of no” by affirming and acknowledging business requests, then bridging to relevant risks, laws, and policies (e.g., gifts and entertainment, conflicts of interest) to problem-solve together without immediately shutting ideas down. Ronnie emphasizes “Yes, and” as both a personal communication technique and an organizational philosophy: learn the business, speak its language, and design simple, action-oriented, accessible policies and training that provide timely, embedded guidance. The episode ends with a preview of the next lesson on truth in comedy.


Creativity and Compliance is a multiple-award-winning podcast and was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.