Trekking Through Compliance

Trekking Through Compliance – Episode 14 – Investigative Lessons from Balance of Terror

In this episode of Trekking Through Compliance, we consider the episode Balance of Terror, which aired on December 15, 1966, Star Date 1709.1.

“Balance of Terror” is the tense, submarine-style showdown between the Enterprise and a Romulan Bird-of-Prey, and it introduces one of Star Trek’s most enduring adversaries. The story unfolds as a mystery: Who attacked the Earth outposts? What is this new weapon? Who are the Romulans? And what do their sudden appearances mean for the Federation?

We review the critical investigative lessons this episode offers for compliance professionals: the importance of situational analysis, managing internal bias, respecting operational security, and knowing when to act and when to wait. In this cat-and-mouse episode, we find the foundations of modern investigative best practices.

Key highlights:

1. Situational Awareness and Evidence Gathering—Don’t Jump to Conclusions

🖖 Illustrated by: The destruction of Outposts 2 and 3 and the cryptic communication from Outpost 4.

Captain Kirk begins his investigation without clear evidence, gathering fragmented data from the surviving outpost’s transmissions and assessing the damage patterns. For compliance professionals, this illustrates the importance of establishing a clear fact pattern before concluding. Investigations must be driven by objective evidence, not assumptions.

2. Managing Internal Bias—Appearance Is Not Proof

🖖 Illustrated by: Lieutenant Stiles’ suspicion of Mr. Spock based on the physical resemblance between Romulans and Vulcans.

Stiles immediately targets Spock as a potential traitor, despite a complete lack of evidence, simply because Romulans and Vulcans share a similar appearance. This moment serves as a cautionary tale in terms of compliance: biases, whether conscious or unconscious, can derail investigations and damage team morale.

3. Strategic Surveillance—Investigate Without Provoking Retaliation

🖖 Illustrated by: Kirk shadowing the Romulan ship to determine intent and capabilities before engaging.

Rather than charging into conflict, Kirk chooses to observe the Romulan ship’s behavior. In compliance investigations, particularly those involving fraud or misconduct, covert observation and the secure handling of information are crucial to preventing tip-offs or escalation.

4. Chain of Custody and Documentation—Recording and Communicating the Facts

🖖 Illustrated by: The tactical logs Kirk reviews and Spock’s technical input during the confrontation.

Throughout the engagement, Kirk relies on detailed sensor data, eyewitness accounts, and Spock’s analysis to make decisions. Compliance professionals must ensure the proper documentation of interviews, timelines, and data sources for both internal review and external audit.

5. Ethical Leadership During Investigations—Calm in the Face of Conflict

🖖 Illustrated by: Kirk’s balance between decisiveness and restraint, even when provoked by Romulan attacks.

Kirk refuses to act out of fear or anger—even as tensions rise. He models ethical leadership: protecting lives, preserving treaty obligations, and maintaining moral clarity. In high-stakes compliance investigations, emotional discipline and ethical consistency are vital.

Final Starlog Reflections

Balance of Terror is a masterclass in investigative poise, procedural discipline, and ethical clarity under pressure. As the Enterprise crew faces a new adversary cloaked in invisibility, we see what real leadership looks like when facts are scarce and risks are high.

For compliance professionals, this episode is a reminder that investigations require patience, vigilance, and integrity. Bias must be checked, facts must be verified, and trust must be earned. The threat may be hidden, but your investigative principles must always remain visible.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Blog

5 Key Strategies For Compliance to Avoid Violating the Caremark Doctrine

The Caremark Doctrine remains one of the foundational pillars of corporate compliance, a pivotal standard that every compliance professional must understand and apply. Originating from the landmark Delaware Chancery Court decision in In re Caremark International Inc. Derivative Litigation (1996), this doctrine revolutionized the way corporate boards are viewed in terms of their oversight duties. As compliance professionals, it’s essential to grasp not only the legal intricacies but also the profound practical implications this doctrine carries for board responsibilities and organizational oversight.

At its core, the Caremark Doctrine addresses the fiduciary duty of corporate directors to actively oversee a company’s compliance and risk management practices. Before this case, oversight obligations were seen primarily as passive, reactionary, or even discretionary. Caremark fundamentally shifted this perception, articulating an affirmative duty on directors to establish, maintain, and adequately monitor compliance systems to detect and prevent corporate misconduct.

The significance of the Caremark decision lies in its delineation of two clear pathways where director liability can be triggered: first, when the board utterly fails to implement any reporting or information systems, and second, when, having implemented such systems, the board consciously disregards red flags signaling compliance failures or operational risks. Citing negligence or ignorance as a defense for oversight responsibilities is no longer sufficient. Directors became accountable not only for what they knew but also for what they should have known, emphasizing the importance of proactivity, diligence, and vigilance.

Today, the implications of Caremark resonate strongly within the realm of corporate compliance programs, setting the standards for board engagement expectations. Effective compliance no longer solely involves setting clear policies and robust procedures; instead, it demands ongoing active engagement from the board to ensure these measures are functioning effectively. Boards are expected to scrutinize, test regularly, and challenge management on compliance risks and controls, embedding compliance considerations firmly into the corporate governance structure.

In recent years, corporate compliance officers have faced heightened scrutiny as Delaware courts have increasingly emphasized board accountability through the evolution of the Caremark Doctrine. The evolving jurisprudence surrounding this doctrine, particularly highlighted by cases such as Marchand v. Barnhill and Boeing, underscores the necessity for vigilance, attentiveness, and proactive risk management. Itai Fiegenbaum undertook a thorough examination of the Caremark Doctrine in his 2025 article, “Caremark’s Fractured State.” I use his article as a starting point to outline five essential strategies compliance officers can adopt to ensure their organizations remain firmly compliant with Caremark obligations and avoid potential liability.

1. Establish Robust Monitoring Systems

At the heart of the Caremark Doctrine is the expectation that directors not only establish but also actively oversee effective corporate monitoring systems. Compliance officers must ensure that robust, comprehensive monitoring frameworks are in place, which include clear policies, detailed procedures, and continuous oversight mechanisms. These systems must be designed to identify and escalate potential compliance issues promptly.

Implementing state-of-the-art technology, such as advanced analytics and AI-driven monitoring tools, can significantly enhance the effectiveness of these systems. Such tools enable the real-time analysis of large volumes of data, allowing for the quick identification of anomalies or red flags that indicate potential misconduct. Additionally, compliance officers should regularly review and update these systems to ensure their ongoing effectiveness in response to evolving regulatory requirements and emerging risks.

2. Prioritize Oversight of Mission-Critical Activities

Recent Delaware jurisprudence, particularly the Marchand case, has underscored the need for boards to exercise increased vigilance over “mission-critical” aspects of their operations. Compliance officers must assist directors in identifying these critical functions, which are integral to the organization’s core business operations and profitability, and ensure that enhanced monitoring and reporting practices are implemented.

Regular board-level discussions and reporting on these mission-critical functions must be documented meticulously. Compliance officers should establish routine updates that enable the board to understand the risks, controls, and compliance status related to these critical activities. Such a strategic focus not only aligns with the expectations set by Delaware courts but also significantly mitigates the risk of oversight failures.

3. Ensure Active Board Engagement and Training

Delaware courts have repeatedly emphasized that passive oversight is insufficient; board members must actively engage in compliance monitoring and demonstrate awareness of their fiduciary duties under the Caremark Doctrine. Compliance officers play a crucial role in facilitating active engagement by organizing regular and specialized training sessions for directors, ensuring they fully understand their oversight responsibilities and the specific compliance risks facing the company.

Moreover, compliance officers should encourage directors to challenge management constructively, seek additional information when needed, and demonstrate thoughtful engagement during board meetings. Documenting directors’ active involvement through detailed meeting minutes and clear records of training and discussions can substantially bolster evidence of effective oversight, which is crucial in the event of litigation.

4. Foster a Strong Compliance Culture

An organization’s compliance culture has a significant impact on its ability to effectively uphold Caremark obligations. A strong compliance culture ensures that employees at all levels recognize the importance of compliance, feel empowered to raise concerns without fear of retaliation, and understand that ethical conduct is integral to organizational success.

Compliance officers should proactively foster such a culture through comprehensive ethics training, regular communications reinforcing compliance messages, and visible support from top leadership. Mechanisms such as confidential reporting channels, whistleblower protections, and prompt investigation of reported issues further strengthen this culture, ensuring that potential misconduct is identified and addressed before it escalates into larger problems.

5. Conduct Regular and Thorough Risk Assessments

Proactive risk assessments are essential under the Caremark framework, providing boards with the necessary information to effectively oversee compliance. Compliance officers must ensure that these risk assessments are comprehensive, covering both traditional risks, such as fraud and corruption, as well as emerging threats related to cybersecurity, data privacy, and geopolitical changes.

Regular risk assessments not only inform the board’s oversight activities but also allow compliance officers to adjust monitoring and controls in response to identified vulnerabilities. Documented risk assessment processes, along with clear remediation actions, demonstrate due diligence and provide robust defenses against claims of insufficient oversight.

Conclusion

The Caremark Doctrine continues to evolve, setting increasingly stringent standards for corporate oversight. Compliance officers play a pivotal role in guiding boards to meet these expectations through robust monitoring systems, prioritized oversight, active engagement, a strong culture of compliance, and proactive risk management. By implementing these five strategies, compliance officers can significantly reduce their companies’ risk of violating the Caremark Doctrine, safeguard their organizations, and protect directors from potential liability. Now more than ever, proactive compliance is not only prudent but also imperative.

Compliance Tip of the Day

Compliance Tip of the Day – Design Objectives for Compliance Training

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

What are the design objectives for your compliance training program?

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th Edition, which was recently released by LexisNexis and is available here.

Compliance Tip of the Day

Compliance Tip of the Day – Multiplying the Influence of Compliance


Use multipliers to extend the influence of your compliance regime.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.

Creativity and Compliance

Creativity and Compliance – From Compliance Enforcers to Trusted Advisors: The Path Forward

Where does creativity fit into compliance? It can be found in more places than you might expect. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings and Entertainment, utilizes the entertainment devices people use to consume information in their everyday, non-work lives and applies it to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

In this episode, Tom and Ronnie discuss the evolution of compliance roles from merely cleaning up messes to becoming integral business advisors and coaches. They emphasize the necessity of showcasing value through proactive, positive communication and using creative, engaging methods. They highlight insights from the Global Ethics Summit and delve into the importance of humor, human connection, and innovative compliance training and interaction approaches. The episode points out the importance of transitioning compliance perceptions within organizations and offers practical, cost-effective ways for compliance officers to engage, educate, and support their colleagues.

Key highlights:

  • From Cleaning Up Messes to Becoming Advisors
  • The Role of AI in Compliance
  • Advertising Your Role as Advisors
  • Using Humor and Creativity in Compliance
  • Engaging Communication Strategies
  • Low-Cost, High-Impact Compliance Ideas

Resources:

Ronnie

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote a speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses.
  • Tales from the Hotline – Real speak-up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable music and multimedia quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programming – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.


Blog

Tariff Week, Part 1 – Navigating Uncertainty: The Compliance Professional’s Guide to Trump’s Tariffs

This week, we will examine the macroeconomic implications of President Trump’s recent tariff hikes and suspensions, a critical issue reverberating across boardrooms globally. Business leaders and compliance professionals are grappling with navigating this unprecedented landscape, and understanding the nuances of this evolving situation is crucial for corporate strategy and compliance preparedness. Today, we will take a macroeconomic view.

Last week, President Trump dramatically escalated tariffs on U.S. trading partners, elevating the average effective tariff rate to approximately 23%. This sharp increase has left markets reeling and businesses scrambling to adapt. Just as quickly (within 48 hours), he brought the tariffs back to their original amount by suspending them. This situation illustrates the growing complexity and volatility that executives must manage, highlighting the vital role that corporate compliance teams play in preparing businesses for macroeconomic shocks.

I was therefore interested in a recent Harvard Business Review article entitled Understanding the Global Macroeconomic Impacts of Trump’s Tariffs by authors Philipp Carlsson-Szlezak, Paul Swartz, and Martin Reeves. In this article, they considered how Trump’s tariff imposition and roll-back moves “have jolted markets and thrust business leaders into deep uncertainty. Developing a better understanding of tariffs’ primary and secondary macroeconomic effects and any plausible long-term consequences will allow executives to assess the impact on their markets and businesses continuously. With so much in flux, leaders must ditch rigid plans and build flexible, analytical muscle to navigate this turbulent new landscape.”

At its core, this situation underscores the asymmetrical nature of trade wars. The United States, due to its significant trade deficit, initially seemed well-positioned to engage in targeted trade disputes. However, by initiating a comprehensive, 360-degree trade war affecting virtually all global trading partners simultaneously, the U.S. has dramatically altered the landscape of risk and opportunity. This asymmetry is critical; while the U.S. experiences cumulative impacts from numerous trade disputes, its trading partners face singular impacts from the U.S. alone.

Understanding the primary effects of tariffs requires compliance professionals to differentiate clearly between supply and demand shocks. For U.S. businesses, supply shocks are particularly pertinent. Tariffs, effectively taxes on imports, invariably translate into higher consumer prices, fueling inflation. This scenario is reminiscent of the post-pandemic supply chain disruptions we have navigated, curtailing real incomes and restraining economic growth. Analysts predict these new tariffs could slash U.S. GDP growth by approximately 1.4%, significantly impacting corporate forecasts and strategic planning.

Trade partners face their own challenges. Retaliatory tariffs, already implemented by China and under consideration by others, inflict similar inflationary pressures and consumption downturns, albeit typically on a smaller scale, estimated at a 0.1% to 0.3% GDP reduction. However, demand shocks to these trading partners could be more severe, depending on the price sensitivity of U.S. imports. Countries heavily dependent on the U.S. market, such as Vietnam, might witness GDP contractions exceeding 6%, illustrating the profound impact that tariff-induced demand disruptions can have on certain economies.

Compliance teams must also monitor and prepare for secondary impacts. The five critical secondary channels to watch are confidence erosion, ROI effects, monetary policy errors, diminished competitiveness, and potential new financial and other shocks. Decreased consumer and business confidence could dampen spending, hiring, and investment behaviors. Additionally, while historically not always leading to recession, equity market volatility poses tangible threats to corporate balance sheets and overall financial stability.

Moreover, the tariffs significantly affect competitiveness. Approximately half of U.S. imports consist of production inputs essential for domestic manufacturing, such as steel and machine tools. Increased production costs stemming from tariffs could, therefore, undermine U.S. businesses’ competitive positions globally, an area where compliance teams must remain vigilant and advise on risk mitigation strategies.

The long-term impacts of these tariffs also warrant consideration. The Trump administration aims to reallocate global production to bolster U.S. manufacturing and employment. Unlike the Biden administration’s CHIPS Act, which strategically incentivized high-productivity sectors like semiconductors, the broad scope of Trump’s tariffs risks fostering lower-productivity industries domestically. This shift could crowd out higher-value sectors due to competition for already scarce labor resources, diminishing overall economic productivity and potential.

This scenario demands that compliance professionals embrace continuous learning and adaptability. The volatility and complexity introduced by the tariff situation reinforce the necessity of dynamic analytical capabilities over static compliance strategies. Compliance leaders must ensure their organizations develop robust analytical frameworks to assess and respond continuously to evolving macroeconomic conditions.

Organizations must regularly revisit their risk assumptions, factoring in the potential global reshuffling of trade flows. If major exporters redirect goods previously destined for the U.S. to other markets, it could trigger a broader global trade conflict, requiring compliance officers to adjust corporate risk assessments and response strategies rapidly.

Finally, executives and compliance professionals should approach this situation with a dual lens, balancing tactical short-term responses with strategic long-term considerations. Immediate tactical decisions are necessary, but it is equally critical to analyze potential structural changes in global trade dynamics that may unfold over the coming decade.

Managing macroeconomic uncertainty, such as the ongoing 360-degree trade war, is increasingly becoming an essential competency for compliance professionals. Those who proactively develop sophisticated, agile analytical capabilities will be better equipped to navigate these uncertain waters, providing their organizations with strategic advantage in tumultuous economic conditions.

Blog

A Strategic AI Playbook for Compliance Professionals

Artificial intelligence (AI) isn’t just knocking on our doors; it is already here, shaking up traditional processes, reshaping business operations, and redefining compliance. Yet, many organizations still find themselves stuck between tentative experimentation and strategic implementation, uncertain about how to move confidently forward. This shift is especially critical for the compliance professional: AI carries unprecedented opportunities but equally significant risks. Compliance teams must become integral in guiding organizations through this seismic change. Today, I want to explore the recent MIT Sloan article, “Leading the AI-driven Organization,” by Beth Stackpole. I will apply her prescriptions for business leaders to Chief Compliance Officers (CCOs) and other compliance leaders.

AI’s Strategic Potential and the Compliance Agenda

First, understanding the overarching message from MIT Sloan’s perspective is essential: effective AI implementation is not just a tech or business initiative. Instead, it should be seen as a comprehensive compliance strategy. Senior lecturer Paul McDonagh-Smith emphasizes the necessity of aligning AI projects directly with organizational priorities, data strategy, and employee skill sets. He warns of the gap between numerous AI experiments and cohesive, mature strategy, highlighting the urgent need for strategic alignment.

For compliance officers, this means more than simply checking regulatory boxes. Compliance must be front and center, deeply integrated into AI strategies from the inception. The author advises compliance leaders to start by articulating how AI technologies can address specific compliance challenges and business strategies. Without this direct linkage, AI can become a distracting, costly investment rather than a value driver.

AI-Readiness: Data Quality and Governance

AI-driven compliance programs are only as strong as the data they use. Data integrity, accuracy, and governance are pillars of responsible AI applications. McDonagh-Smith poses a key question: “Is your organization’s data AI-ready?” Compliance teams must lead the charge to ensure the organization’s data is comprehensive, reliable, and managed adequately with stringent governance standards.

Compliance professionals should champion initiatives that elevate data quality and establish rigorous governance frameworks. This is essential for operational success and regulatory compliance, particularly as privacy laws and data regulations rapidly evolve. For example, proactive data cleansing and structured data governance initiatives can preempt issues that AI might magnify, such as inadvertent biases or privacy violations.

Building AI Competency and Culture

One critical insight revolves around the skill readiness and cultural alignment necessary for AI adoption. Employees’ AI maturity levels directly affect the success of an AI strategy. Leaders must assess their teams’ current competencies, identify skill gaps, and strategically invest in training programs to build technical AI capabilities.

For compliance leaders, this step is doubly significant. Your team needs proficiency in AI technology and an understanding of AI’s regulatory implications. Upskilling compliance professionals in data analysis, AI ethical principles, and evolving regulatory landscapes will ensure they can effectively govern the technology’s use within the enterprise.

Moreover, AI has profound cultural implications. A compliance-aware culture needs to evolve, fostering collaboration, transparency, and accountability. The author underscores the importance of creating silo-busting teams and encouraging an environment where experimentation and failure are permissible. Within compliance, this means promoting a culture of open discussion about AI risks, encouraging cross-functional collaboration, and integrating compliance considerations early in AI development.

The ‘Fast and Slow’ AI Approach

Drawing on the groundbreaking work of Nobel Prize-winning economist Daniel Kahneman, the author recommends that organizations adopt a dual-speed approach to AI strategy. Compliance programs should embrace ‘thinking fast and slow,’ where rapid experiments and quick wins coexist with careful, analytical, long-term planning.

This approach is particularly apt from a compliance standpoint. Quick, iterative AI pilot programs can inform more strategic, enterprise-wide compliance frameworks. Compliance teams must balance agility and strategic vision, capturing and analyzing insights from pilots to inform comprehensive compliance structures capable of effectively managing AI-related risks.

Embrace Experimentation Responsibly

Experimentation is crucial, but compliance must ensure it’s done responsibly. As organizations increasingly rely on AI, enterprise risk multiplies. The author cautions that organizations must have a clear view of AI’s potential for promise and peril. Companies must adopt strong ethical frameworks, accountability mechanisms, and proactive risk mitigation strategies to ensure responsible AI use. These safeguards protect against risks like reputational harm, privacy infractions, or the proliferation of biased or incorrect information.

Compliance professionals have an essential role in designing and maintaining these frameworks. They must act as vigilant watchdogs, ensuring the enterprise remains alert to ethical considerations and risk mitigation strategies at every step of AI implementation.

Positioning Compliance as Strategic AI Partners

Compliance teams are uniquely positioned to guide organizations through AI’s transformative landscape. The insights from this piece illuminate the tactical requirements and the strategic mindset compliance leaders need to cultivate. This is not merely about reacting to AI-driven changes; it is about proactively shaping an ethical, sustainable future where compliance is integrated at every juncture of AI’s adoption and development.

Compliance professionals must boldly step into roles as strategic AI partners, equipped with clarity of purpose, sophisticated data governance strategies, robust training programs, and rigorous ethical frameworks. In doing so, compliance safeguards the enterprise and amplifies AI’s potential to deliver real, sustainable value.

As compliance evangelists, we are privileged to lead these conversations, building a culture of responsible, strategic innovation that aligns business priorities with compliance excellence. AI isn’t merely a wave to ride but a journey to lead.

It is time for compliance to embrace this challenge and set the standard for AI-driven excellence in the corporate world.

Blog

The Role of Compliance in Auditing AI

As compliance professionals, our roles evolve constantly, shaped by new technologies and emerging risks. One of the most significant developments in recent years has been the rapid growth of artificial intelligence (AI) and machine learning systems in the corporate environment. The 2024 Evaluation of Corporate Compliance Programs (2024 ECCP), under the Management of Emerging Risks to Ensure Compliance with Applicable Law section, asked several key questions.

  • What is the company’s approach to governance regarding the use of new technologies, such as AI, in its commercial business and compliance program?
  • How is the company curbing any potential adverse or unintended consequences resulting from using technologies, both in its commercial business and its compliance program?
  • How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders?
  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct?
  • Do controls exist to ensure the technology is used only for its intended purposes?
  • What baseline of human decision-making is used to assess AI?
  • How is accountability over the use of AI monitored and enforced?

One key tool for answering many of these questions is auditing. In his recent article in the Harvard Business Review, What Leaders Need to Know About Auditing AI, author Luca Belli outlines crucial insights that business leaders must understand about auditing AI. I have adapted his thoughts for a Chief Compliance Officer and compliance professional.

While audits are becoming a core feature of working with AI, they do not follow a predetermined, linear process; rather, they are a web of different decisions from both the business and the technical side. Audits often face four core challenges: 1) they do not follow a straight line, 2) data governance is messy, 3) they require internal trust, and 4) they focus on the past. Leaders can take steps to help audits succeed: compliance professionals can help instill the right culture and incentives and help design the audit, and during the audit they can shape the process and remove red tape.

AI is no longer confined to back-end analytics. It has stepped confidently into customer-facing roles, making decisions in critical areas such as finance, healthcare, and housing. With such reach and influence, AI poses significant ethical, reputational, and legal risks if left unchecked. Audits of AI systems, therefore, have become a cornerstone of modern compliance frameworks. Policymakers worldwide, including through the EU’s Digital Services Act and New York City’s AI bias law, are mandating external audits of AI systems. Even where not mandated, businesses voluntarily engage in audits to manage risk, mitigate potential crises, and anticipate regulatory developments.

However, auditing of AI is not straightforward. Compliance professionals must understand four fundamental challenges inherent in AI audits.

1. Non-linear Audit Processes

AI audits rarely follow a straight, predictable path. Instead, they often resemble a “random walk,” as auditors must continually adjust their focus based on emerging data and shifting business needs. Consider an audit to detect racial bias in decision-making algorithms where direct data on race is unavailable. Auditors may pivot to proxy measures like zip codes to approximate racial data. This approach, while practical, introduces discrepancies and limitations that must be carefully managed and transparently documented.

2. Complex Data Governance

Effective auditing relies heavily on data governance practices, yet data management often resembles an “old building” layered with historical inefficiencies rather than a clean, structured system. Many organizations struggle to locate and interpret data due to outdated documentation or employee turnover. Compliance teams must actively collaborate with technical teams to ensure data accuracy and completeness. As Belli suggests, robust internal documentation and dedicated data custodians can significantly ease this challenge.

3. Building Internal Trust

Audits can strain internal team dynamics, particularly if audit results lead to perceived criticisms of operational decisions. Compliance professionals must proactively foster a culture of trust, reinforcing that audits are not punitive but integral to operational excellence. As Belli notes, incentives should align accordingly: supporting audits should positively influence personal and professional evaluations, signaling organizational value in transparency and continuous improvement.

4. Historical Focus and Technical Limitations

Most audits evaluate past performance, and evolving AI systems and datasets pose challenges in replicating historical conditions. A user deleting their profile data or changes in system algorithms can complicate audits significantly. Compliance professionals must advocate for real-time monitoring or, at minimum, detailed record-keeping, ensuring auditors have sufficient context to interpret their findings and recommendations accurately.
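The proxy approach described under challenge 1 and the record-keeping argued for under challenge 4 are easier to reason about with a concrete sketch. The following Python is an added example, not code from Belli's article or from the 2024 ECCP: it runs a selection-rate comparison over a constructed decision log in which each decision carries its model version and timestamp, classifies records through a constructed ZIP-prefix proxy table, and reports, per model version, the approval rate by proxy group, the disparate-impact ratio, and the fraction of records the proxy could not classify at all. The proxy table, the log entries, and the 0.8 screening threshold (the commonly used four-fifths rule) are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed proxy table (not real demographic data): maps a ZIP-code prefix to a
# proxy group label. In a real audit this table would be a documented, versioned
# source, and its known error rate would be recorded next to every finding.
PROXY_BY_ZIP_PREFIX = {"100": "A", "112": "B", "604": "A", "606": "B"}

# Constructed decision log: (record id, ZIP, timestamp, model version, approved).
# Keeping the model version and timestamp on each record is what lets the audit
# be replayed against the conditions that actually produced the decision.
RAW_LOG = [
    (1, "10001", "2025-01-03T10:00", "v1", True),
    (2, "10002", "2025-01-03T10:05", "v1", True),
    (3, "10003", "2025-01-03T10:10", "v1", True),
    (4, "10004", "2025-01-03T10:15", "v1", False),
    (5, "11201", "2025-01-03T11:00", "v1", True),
    (6, "11202", "2025-01-03T11:05", "v1", True),
    (7, "11203", "2025-01-03T11:10", "v1", True),
    (8, "11204", "2025-01-03T11:15", "v1", False),
    (9, "99901", "2025-01-03T12:00", "v1", True),   # ZIP outside proxy coverage
    (10, "99902", "2025-01-03T12:05", "v1", False),  # ZIP outside proxy coverage
    (11, "60401", "2025-02-10T09:00", "v2", True),
    (12, "60402", "2025-02-10T09:05", "v2", True),
    (13, "60403", "2025-02-10T09:10", "v2", True),
    (14, "60404", "2025-02-10T09:15", "v2", True),
    (15, "60601", "2025-02-10T10:00", "v2", True),
    (16, "60602", "2025-02-10T10:05", "v2", True),
    (17, "60603", "2025-02-10T10:10", "v2", False),
    (18, "60604", "2025-02-10T10:15", "v2", False),
    (19, "99903", "2025-02-10T11:00", "v2", False),  # ZIP outside proxy coverage
    (20, "99904", "2025-02-10T11:05", "v2", True),   # ZIP outside proxy coverage
]
DECISION_LOG = [
    {"id": i, "zip": z, "ts": ts, "model": m, "approved": a} for i, z, ts, m, a in RAW_LOG
]


def proxy_group(zip_code):
    """Return the proxy group for a ZIP code, or None when the proxy has no coverage."""
    return PROXY_BY_ZIP_PREFIX.get(zip_code[:3])


def selection_rates(records):
    """Approval rate per proxy group, plus the share of records the proxy could classify.

    The coverage figure is the audit's own limitation made explicit: every record
    the proxy cannot place is excluded from the rates and must be disclosed.
    """
    approved, total, unclassified = Counter(), Counter(), 0
    for rec in records:
        group = proxy_group(rec["zip"])
        if group is None:
            unclassified += 1
            continue
        total[group] += 1
        approved[group] += int(rec["approved"])
    rates = {g: approved[g] / total[g] for g in sorted(total)}
    coverage = 1 - unclassified / len(records) if records else 0.0
    return rates, coverage


def disparate_impact_ratio(rates):
    """Lowest group rate divided by highest; None if fewer than two groups were observed."""
    if len(rates) < 2:
        return None
    return min(rates.values()) / max(rates.values())


def audit_by_model_version(records, threshold=0.8):
    """Compute rates, impact ratio and proxy coverage separately for each model version.

    Splitting by version keeps the historical question answerable: a later model
    change cannot mask or invent a disparity in decisions made by an earlier one.
    """
    by_version = defaultdict(list)
    for rec in records:
        by_version[rec["model"]].append(rec)
    report = {}
    for version, recs in sorted(by_version.items()):
        rates, coverage = selection_rates(recs)
        ratio = disparate_impact_ratio(rates)
        report[version] = {
            "records": len(recs),
            "rates": rates,
            "proxy_coverage": coverage,
            "impact_ratio": ratio,
            "flag": ratio is not None and ratio < threshold,
        }
    return report


if __name__ == "__main__":
    for version, finding in audit_by_model_version(DECISION_LOG).items():
        print(version, finding)
```

In the constructed log, v1 approves both proxy groups at the same rate and passes, while v2 approves group A at 1.0 and group B at 0.5 and is flagged; in both cases 20 percent of records fall outside the proxy table, which is the kind of discrepancy the text says must be documented rather than silently dropped.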

Given these complexities, how can corporate compliance officers effectively lead their organizations through AI audits? Belli provides several practical steps:

  • Proactive Preparation: Companies should not wait for external mandates to build auditing capabilities. By establishing internal audit teams or clearly defined points of contact within existing teams, organizations can swiftly respond to audit needs while minimizing operational disruption.
  • Cultural Alignment: Corporate culture profoundly impacts audit effectiveness. Compliance professionals must champion transparency and accountability at the highest organizational levels, ensuring that audits are seen as critical to long-term business success rather than as occasional inconveniences.
  • Strategic Audit Design: Choosing between external auditors and internal audit teams requires careful consideration of organizational dynamics. Internal teams offer in-depth institutional knowledge, while external auditors provide objective perspectives without internal friction. Belli suggests that a hybrid model, balancing centralized expertise with distributed operational familiarity, is often ideal.
  • Leadership Engagement: Active, informed involvement by senior leadership during audits can clarify organizational priorities and remove operational roadblocks. Leaders should regularly engage with technical teams to understand key decisions, encourage thorough documentation, and ensure audit findings align clearly with broader business objectives.

The author underscores the CCO’s crucial role in navigating the nuanced landscape of AI auditing. As technology’s reach expands, compliance teams must proactively address these emerging complexities, continually adapting their oversight frameworks to meet the dynamic challenges presented by AI systems. By fostering robust internal collaboration, aligning incentives, and strategically preparing audit infrastructure, compliance professionals not only mitigate risks but also enable their organizations to harness AI’s transformative potential responsibly and ethically.

Sunday Book Review

Sunday Book Review: April 6, 2025, The Books on Culture Edition

In the Sunday Book Review, Tom Fox considers books that would interest the compliance professional, the business executive, or anyone who might be curious. These could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. Today, we look at four books on culture.

  1. The Power of Culture by Laura Hamill
  2. Culture is Everything by Jeff Veyera
  3. Culture by Design by David Friedman
  4. Culture Is The New Leadership by Benjamin Ortlip
Creativity and Compliance

Creativity and Compliance – Bringing Joy to Compliance: A Conversation with Virginia MacSuibhne

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings & Entertainments, uses the entertainment devices people rely on to consume information in their everyday, non-work lives and applies them to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible. In this episode of Creativity and Compliance, Tom Fox and Ronnie Feldman are joined by Virginia MacSuibhne, former Chief Compliance Officer for Roche and Agilent Technologies.

Virginia shares her unique approach to making compliance accessible, engaging, and fun. Emphasizing the importance of a personal brand, she discusses her philosophy of authenticity and how it translates into creating clear, actionable, and enjoyable guidance. Her unconventional methods, including using infographics, breaking down complex policies, and injecting humor and personal interests, have significantly impacted employee engagement and compliance culture.

Virginia highlights the critical role of user experience (UX) in compliance, urging practitioners to rethink their policies and communication strategies. She shares anecdotes of her creative initiatives, such as wearing a unicorn costume to training sessions, integrating compliance messages into existing training programs, and making hotline experiences as user-friendly as possible. Her mantra, ‘What makes you weird makes you wonderful,’ encourages compliance professionals to bring their unique selves to their work to foster a more approachable and effective compliance environment.

Key highlights:

  • Virginia’s Philosophy on Compliance
  • Creating an Engaging Compliance Program
  • Simplifying Policies and Procedures
  • Innovative Training and Communication Techniques
  • Overcoming Pushback and Building a Business Case

Resources:

Virginia MacSuibhne on LinkedIn

Ronnie:

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses.
  • Tales from the Hotline – Real speak-up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programming – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.

Tom:

  • Instagram
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn

Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.