Sunday Book Review: January 18, 2026, The Top Books on Innovation ’26 Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at some of the top books on innovation, both those already published and those scheduled for 2026.

  1. Twin Transformation: A Gripping Tale of How AI and Sustainability Converge, and the Race to Get It Right by Michael Wade & Konstantinos Trantopoulos 
  2. The Innovation Approach: Overcoming the Limitations of Design Thinking and the Lean Startup by David C. Roach
  3. The Shortest History of AI: The Six Essential Ideas That Animate It by Toby Walsh
  4. The Coming Wave: AI, Power, and Our Future by Mustafa Suleyman & Michael Bhaskar

Greek Philosophers Week: Part 3 – Aristotle and the Daily Practice of Ethics & Compliance

In Part 3, we continue our exploration of the origins of the modern corporate compliance organization, tracing them back to the ancient Greek philosophers, including Aristotle. Plato teaches compliance professionals how to design ethical governance systems. But anyone who has ever operated a compliance program knows that structure alone does not guarantee ethical behavior. Policies exist. Committees meet. Reporting lines are drawn. And yet misconduct still occurs. That is where Aristotle becomes essential to the modern compliance conversation.

Aristotle was not interested in ideal societies. He was interested in how people actually behave. His philosophy focuses on habit, judgment, incentives, and purpose, all of which are central to daily compliance operations. The DOJ Evaluation of Corporate Compliance Programs (ECCP) reflects this Aristotelian realism. It asks not only whether a program is well designed, but also whether it is implemented in practice and works in reality.

If Plato is the architect of compliance, Aristotle is its operator.

Virtue as Habit, Not Aspiration

Aristotle rejected the idea that ethics is a matter of knowing the right thing. He argued that virtue is formed through repeated action. People become ethical by practicing ethical behavior until it becomes a habit. This insight aligns directly with the ECCP’s focus on implementation and effectiveness. Prosecutors do not evaluate what a company claims to value. They assess how employees actually behave under pressure. Training, policies, and controls matter only to the extent they shape habits.

In daily compliance work, this means moving beyond episodic interventions. Annual training does not create virtue. Consistent reinforcement does. Indeed, the DOJ specifically called out companies that “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

Managers who model ethical decision-making, align incentives with values, and apply consequences fairly all shape behavior over time. Aristotle reminds us that culture is built one decision at a time.

Practical Wisdom and Gray-Area Decision Making

Aristotle distinguished between technical knowledge and phronesis, or practical wisdom. Rules cannot anticipate every situation. Judgment fills the gap. The ECCP implicitly recognizes this by emphasizing risk-based decision-making. A compliance program that relies solely on rigid rules will fail in complex environments. Investigations, third-party reviews, and transaction approvals all require judgment informed by experience and context.

For compliance professionals, this means embracing their role as ethical decision-makers rather than just rule enforcers. It also means documenting judgment. Regulators understand discretion, but they expect it to be principled, consistent, and explainable. Aristotle teaches that wisdom is demonstrated through action guided by reason.

The Golden Mean and Proportional Compliance

One of Aristotle’s most enduring ideas is the Golden Mean. Virtue lies between extremes. Courage sits between recklessness and cowardice. The same principle applies to compliance design and operations. The ECCP expects programs to be appropriately tailored to risk. Over-engineered compliance systems create fatigue, false positives, and cynicism. Under-resourced programs invite misconduct. Both extremes are failures.

Daily compliance operations must strike a balance. Monitoring should be robust but targeted. Controls should be strong but workable. Reporting requirements should capture risk without overwhelming employees. Aristotle reminds us that effectiveness lives in proportion, not excess.

Incentives Reveal Character

Aristotle believed character is revealed by what people pursue and what they are rewarded for achieving. This lesson is painfully relevant to compliance failures. It is also the basis for modern due diligence. The ECCP repeatedly asks how companies incentivize compliance and impose discipline for misconduct. The ECCP states, “Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Compensation structures that reward results regardless of method undermine every policy on the books. Employees respond to what is rewarded, not what is written.

In practice, compliance professionals must engage with compensation, promotion, and performance management. Ethics cannot be siloed. When high performers are excused from consequences, the organization sends the message that virtue is optional. Aristotle would argue that such systems inevitably produce unethical outcomes, regardless of stated values.

Purpose and the Role of Compliance

Aristotle believed everything has a telos, an ultimate purpose. Understanding purpose guides action and gives coherence to effort. Compliance programs often struggle when their purpose is framed narrowly as avoiding fines or enforcement. The ECCP encourages companies to adopt a broader perspective, emphasizing risk management, trust, and sustainable operations.

In daily work, purpose shapes priorities. Is compliance positioned as a business partner or a policing function? Is it involved early in decision-making or consulted after damage is done? Aristotle teaches that clarity of purpose aligns behavior. When compliance understands and articulates its role as protecting the organization’s long-term health, its influence grows.

5 Key Takeaways for the Compliance Professional

1. Ethical behavior is formed through habit, not intention.

Aristotle teaches that virtue develops through repeated action. Compliance programs must therefore consistently reinforce ethical behavior, not just episodically. The ECCP emphasizes implementation because policies alone do not shape conduct. Daily reinforcement through leadership behavior, aligned incentives, and consistent consequences builds habits that endure. Compliance professionals should evaluate whether their programs influence how employees actually act under pressure, not just what they acknowledge in training.

2. Judgment is a core compliance competency.

Rules cannot anticipate every scenario. Aristotle’s concept of practical wisdom aligns with the ECCP’s expectation of risk-based decision-making. Compliance professionals must exercise and document judgment in investigations, approvals, and remediation. This requires experience, training, and independence. Ethical compliance is not mechanical. It is reasoned, contextual, and defensible when challenged by regulators or boards.

3. Proportion matters in compliance design.

The Golden Mean teaches that extremes undermine effectiveness. Overly burdensome controls create fatigue and workarounds. Weak controls invite abuse. The ECCP expects tailoring based on risk, geography, and business model. Compliance leaders must design right-sized programs that employees can follow and that management can support. Balance is not compromise. It is effectiveness.

4. Incentives define culture more than policies.

Aristotle understood that character is shaped by what is rewarded. Compliance failures often stem from misaligned incentives. The ECCP scrutinizes compensation and discipline for this reason. Daily compliance operations must engage with HR and leadership to ensure ethics are embedded in performance evaluations, promotions, and bonuses. Culture follows incentives, not slogans.

5. Compliance must have a clear purpose.

Aristotle’s concept of telos reminds us that purpose guides action. Compliance programs framed solely as legal defense lose credibility. The ECCP encourages a broader view of compliance as a risk-management and trust-building approach. When compliance professionals articulate their purpose clearly, they gain influence, resources, and early involvement in decisions that matter.

From Aristotle to Pythagoras: From Judgment to Measurement

Aristotle grounds compliance in habit, judgment, and proportion. But judgment alone is not enough in modern organizations operating at scale. As programs mature, leaders ask how to measure effectiveness, detect patterns, and anticipate risk.

That transition leads naturally to Pythagoras. Where Aristotle focuses on ethical action, Pythagoras focuses on number, proportion, and harmony. In compliance terms, this is the shift toward data analytics, metrics, and AI. If Aristotle teaches us how people should behave within ethical systems, Pythagoras teaches us how to observe, measure, and test whether they actually do.

Aristotle teaches us how ethical compliance is lived day to day. Pythagoras will push the conversation further, asking how data, analytics, and AI can measure, test, and strengthen those ethical systems without losing proportion or judgment. Join us tomorrow in Part 4 to find out how.

Innovation in Compliance – The Strategic Evolution of Compliance: Insights from Angie McPhail

Innovation comes in many forms, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Angie McPhail to discuss the transformation of compliance from a regulatory function to a strategic business imperative.

Angie shares her professional background, having led the Integrity and Compliance group for the Americas at Juniper Networks before its acquisition by HPE. Key discussions include the evolving role of compliance as a strategic influencer within organizations, the intersection of ethics and integrity with ESG, and the importance of trust in building effective compliance programs. Angie emphasizes the need for compliance professionals to understand business strategy, leverage technology, and build trust to drive sustainable growth. The talk also covers the future outlook for compliance leaders and provides advice on preparing the next generation of compliance professionals.

Key highlights:

  • Compliance as a Strategic Business Function
  • Influence and Trust in Compliance
  • Compliance as a Driver of Business Success
  • Managing Reputational Risk
  • Future of Compliance Leadership

Resources:

Angie McPhail on LinkedIn

Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.


Greek Philosophers Week: Part 1 – Socrates and Asking Questions

I have long wanted to trace the origins of the modern corporate compliance organization back to the ancient Greek philosophers, drawing lessons for compliance and ethics in 2026 and beyond. Today, I begin a five-part series where I do just that. In this series, we will consider Socrates, Plato, Aristotle, Pythagoras, and Euclid. We start with Socrates.

Socrates left no writings of his own. What he left was a method. He believed wisdom began with recognizing what one did not know and then relentlessly testing assumptions through disciplined questioning. That approach maps directly onto the daily work of the compliance professional. Risk assessments, investigations, root cause analysis, culture reviews, and even board reporting all rise or fall based on the quality of the questions asked.

Every effective compliance program begins with a question. Not a policy. Not a control. Not a dashboard. A question. That insight alone makes Socrates the right place to start any serious discussion about the influence of ancient Greek philosophy on modern corporate compliance and ethics programs.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use the word “Socratic,” but its expectations are unmistakably aligned with Socratic inquiry. Prosecutors repeatedly ask whether a company understands its risks, tests its assumptions, challenges its controls, and adapts when reality changes. A compliance program that does not ask hard questions is not mature. It is merely quiet. Indeed, Hui Chen, the author of the original ECCP, has said that a key purpose of the ECCP was to get compliance professionals to ‘ask questions’.

Ethical Inquiry as a Compliance Obligation

Socrates believed that unexamined beliefs were dangerous. He challenged Athenian leaders not because he enjoyed disruption, but because false confidence creates harm. In a corporate setting, the same risk exists when executives assume that a policy equals compliance or that training completion equals ethical behavior. The ECCP frames its entire evaluation around three questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

These questions are fundamentally Socratic. They demand inquiry into how the business actually operates, where pressure points exist, and how misconduct could realistically occur. A compliance function that accepts management narratives at face value fails this test.

Daily compliance operations depend on this discipline. When reviewing third-party relationships, a Socratic compliance officer does not ask whether due diligence was performed. They ask whether it was sufficient, whether red flags were rationalized, and whether business incentives distorted judgment. That is inquiry, not administration.

Challenging Assumptions Without Becoming the Enemy

Socrates was executed because his questioning made powerful people uncomfortable. Compliance professionals face a less dramatic, but no less real, version of that tension. The role requires challenging assumptions, even when doing so slows deals, complicates reporting lines, or disrupts revenue projections.

The ECCP specifically evaluates whether a corporate compliance function has sufficient staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. Does the company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

Those structural questions exist because DOJ understands that inquiry without protection is performative. If compliance professionals cannot safely ask uncomfortable questions, the program is cosmetic.

In daily operations, this plays out in subtle ways. Does compliance have the authority to pause a transaction? Can investigators follow evidence wherever it leads? Are audit findings welcomed or explained away? A Socratic approach demands that compliance leaders test these realities rather than assume the answer.

The Socratic Method in Investigations and Root Cause Analysis

Socrates did not accept the first answer offered. He pushed deeper, often exposing contradictions or incomplete reasoning. That approach is directly applicable to investigations and root cause analysis. The ECCP places significant emphasis on whether companies understand why misconduct occurred and whether remediation addresses underlying causes. Too many investigations stop at identifying who violated a policy. Echoing Jonathan Marks, Socratic investigation asks why the violation made sense to the individual at the time. What pressures existed? What incentives misaligned behavior? What controls failed or were bypassed?

This type of inquiry requires patience and courage. It also involves trust from leadership. Findings may implicate management decisions, cultural signals, or compensation structures. Socrates reminds us that truth-seeking is rarely comfortable, but it is essential to ethical improvement.

Culture Is Revealed by the Questions You Allow

Socrates believed that a society’s health could be measured by its openness to questioning. The same is true for corporate culture. The questions employees feel safe asking reveal more than any values statement. The ECCP now explicitly asks companies to explain how they measure and address culture. The ECCP states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Surveys, hotline data, and exit interviews are tools, but they are meaningless without inquiry. Key questions include: Are employees encouraged to speak up? Are concerns investigated thoroughly? Are outcomes communicated? Is retaliation punished?

In daily compliance practice, this means listening as much as enforcing. A Socratic compliance program does not treat employee concerns as noise to be managed. It treats them as data points to be explored. The quality of questions asked in response to a report often determines whether trust is strengthened or destroyed.

5 Key Takeaways for the Compliance Professional

1. Effective compliance begins with inquiry, not documentation.

A compliance program does not become effective simply because policies exist or training is completed. Effectiveness begins when compliance professionals consistently ask how misconduct could realistically occur within their organization. This requires challenging business assumptions, pressure points, and incentive structures. The ECCP repeatedly emphasizes the importance of understanding risk in context, which is impossible without disciplined questioning. A Socratic approach positions inquiry as an operational obligation, not an intellectual exercise, ensuring the program remains dynamic, responsive, and grounded in reality rather than formalism.

2. Risk assessments are living Socratic exercises, not static reports.

Too many organizations treat risk assessments as periodic documentation rather than ongoing inquiry. A Socratic risk assessment tests assumptions continuously as business models, geographies, and incentives evolve. Compliance professionals should revisit risk hypotheses, ask whether controls still function as intended, and challenge comfort-driven conclusions. Under the ECCP, regulators expect risk assessments to inform program design and resource allocation. Socratic inquiry ensures risk assessments remain relevant, credible, and capable of identifying emerging threats before they mature into enforcement issues.

3. Investigations must pursue understanding, not merely attribution.

Identifying who violated a policy is rarely sufficient to prevent recurrence. A Socratic investigation asks why the misconduct occurred, what pressures or incentives influenced behavior, and how organizational systems failed. This aligns directly with the ECCP’s focus on root cause analysis and remediation. When compliance professionals ask deeper questions, investigations become tools for program improvement rather than disciplinary endpoints. This approach strengthens controls, enhances credibility with regulators, and reduces the likelihood of repeat misconduct driven by unresolved systemic weaknesses.

4. Speak-up culture is defined by response quality, not hotline volume.

Organizations often measure speak-up culture by the number of reports received, but Socrates teaches that the real measure lies in how questions are received and addressed. Employees quickly learn whether raising concerns leads to thoughtful inquiry or defensive dismissal. The ECCP evaluates whether companies encourage reporting, protect against retaliation, and communicate outcomes appropriately. A Socratic compliance function listens carefully, asks clarifying questions, and treats concerns as signals worth examining. That discipline builds trust and reinforces ethical accountability across the organization.

5. Socratic questioning requires independence, authority, and protection.

Inquiry without authority is performative. Socrates paid the ultimate price for challenging power, but modern compliance professionals should not. The ECCP explicitly assesses whether compliance functions have sufficient independence, resources, and access to leadership. Without these safeguards, difficult questions go unasked or unanswered. A Socratic compliance program empowers professionals to challenge decisions, pause transactions, and escalate concerns without fear of retaliation. That structural support transforms ethical inquiry from individual courage into institutional practice.

From Socrates to Plato: From Inquiry to Structure

Socrates gives us the starting point. He teaches the compliance professional how to think, question, and resist complacency. But inquiry alone is not enough. Questions must eventually lead to structure, governance, and systems that translate insight into action.

That transition sets the stage for Plato. Where Socrates focuses on method, Plato focuses on design. The movement from Socrates to Plato mirrors the evolution of a compliance program itself, from asking whether risks exist to building governance structures capable of addressing them. In that sense, Socrates is the conscience of the compliance function. He reminds us that effectiveness begins with intellectual honesty and ethical curiosity. Without those traits, even the most sophisticated compliance architecture will rest on shaky ground.

Join us tomorrow for Part 2 and learn about Plato’s role in today’s compliance and ethics programs.


Innovation in Compliance – Exploring Fractional and Adjunct Risk Professionals with Gerry Zack

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes back Gerry Zack to discuss a novel service offering in the compliance and risk management community: fractional and adjunct risk professionals.

Zack explains how these roles can supplement companies that lack certain expertise or can’t afford full-time positions, particularly highlighting the benefits of long-term relationships. The discussion also covers the distinctions between compliance and broader risk management, the flexibility of fractional contracts, and the importance of alignment in risk management practices across different organizational departments.

Key highlights:

  • Exploring the Concept of Fractional CCO
  • Long-term Benefits of Fractional Roles
  • Risk Professional Services vs. Compliance
  • Applications and Benefits of Fractional Roles
  • Challenges and Considerations

Resources:

Gerry Zack on LinkedIn

RiskTrek website

Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.


Millicom Cellular, Part 2: Lessons Learned on Cartels, Cash, and Control Failures

The Millicom Cellular FCPA enforcement action is not just another FCPA case. It is a case that signals a new frontier for compliance risk. It blends classic corrupt-payment schemes with organized crime, narcotrafficking proceeds, obstructed governance, and aggressive legislative capture. It is a wake-up call for compliance officers that the threat landscape is expanding in ways that require deeper operational controls, broader due diligence frameworks, and more sophisticated cross-functional collaboration.

In Part 1, we considered the underlying facts and FCPA violations of this matter. In Part 2, we examine what compliance professionals must take away from the case.

Lesson 1: Joint-Venture Governance Failures Are Not a Defense

Millicom Cellular held a 55 percent ownership stake in TIGO Guatemala, but the local partner exercised operational control and blocked Millicom Cellular from information and cooperation. The DOJ notes that Millicom Cellular voluntarily disclosed early concerns in 2015 but was unable to compel cooperation from local executives or obtain complete data. The result is a clear message:

Ownership without operational control equals enormous FCPA exposure.

Compliance professionals must:

  • Implement JV governance protocols that require access rights, audit rights, and cooperation language in shareholder agreements. Try to place your company’s representative as the CFO of the joint venture.
  • Establish escalation pathways if a partner obstructs investigations.
  • Treat “majority ownership without control” as a high-risk structure in compliance risk assessments.

Even with these steps in place, DOJ has made clear it will not accept a lack of control as an excuse for failing to detect corruption, especially when red flags are visible.

Lesson 2: Cash-Based Bribery Ecosystems Require a Different Kind of Monitoring

The bribery scheme ran almost entirely on cash: cash in duffel bags delivered by helicopter, cash laundered through drug traffickers, cash moved through shell companies, and cash withdrawn from banks in plastic bags. Traditional financial controls are almost useless in the face of an off-books cash economy. Compliance monitoring must be enhanced with:

  • Controls around cash withdrawals
  • Monitoring of cash-intensive vendors
  • Patterns of invoicing irregularities
  • Real-time analytics on deviations in expense and procurement behavior

This is not a theoretical exercise. It is an operational reality for companies in high-risk jurisdictions.

Lesson 3: Cartel Exposure Is Emerging as a Corporate Compliance Obligation

This case represents one of the most explicit linkages between FCPA violations and narco-trafficking cash flows. The scheme not only involved bribes; it also involved bribes financed by organized crime. Compliance officers must now assume that criminal networks may view legitimate multinationals as conduits for illicit financial flows. This demands:

  • Enhanced beneficial-ownership checks
  • Screening for cartel-linked financial intermediaries
  • Deeper diligence on bankers, lawyers, and consultants
  • Country-level threat mapping that includes cartel and organized crime indicators

The DOJ has increasingly emphasized convergence risk between corruption, money laundering, and organized crime. The Millicom Cellular enforcement action is a prime example.

Lesson 4: “Influencing Legislation” Is a Red Flag, Not a Business Strategy

TIGO Guatemala sought legislative outcomes that would alter the national telecom law. That in itself is not illegal. What is unlawful is tying legislative outcomes to cash bribes, helicopter deliveries, and cartel-funded transactions. Compliance teams must scrutinize:

  • Payments to lobbyists, political consultants, and intermediaries
  • Relationships with legislators and political parties
  • Sponsorships, charitable donations, and community programs with political beneficiaries

Any effort to “shape legislation” must come with strict controls.

Lesson 5: Data Gaps Are Compliance Gaps

Millicom’s inability to obtain information access within its own joint venture delayed detection and undermined the credibility of its initial self-disclosure. Compliance professionals must demand:

  • Rights to data
  • Rights to conduct investigations
  • Rights to interview employees
  • The right to require cooperation from partners

A partner who denies access creates liability.

Lesson 6: Remediation Must Be Conducted Like a Corporate Transformation

Millicom’s remediation was extensive. It included:

  • Replacing senior personnel
  • Centralizing compliance oversight
  • Enhancing third-party onboarding and continuous monitoring
  • Adding data analytics
  • Conducting control testing across more than 250 transactions
  • Creating an ephemeral-messaging retention policy
  • Increasing compliance headcount by 800 percent (pages 5–6)

The DOJ’s description reads less like remediation and more like organizational reinvention. That is the expectation now. Compliance must treat remediation as a fully integrated operational overhaul.

Lesson 7: The DOJ Will Reopen Cases When New Evidence Emerges

The DOJ initially closed the investigation in 2018. It reopened the case in 2020 after uncovering new evidence from outside sources, including cartel-linked transactions. The message is clear:

  • Self-disclosure is not a shield when the company lacks visibility into misconduct.
  • Failure to detect ongoing wrongdoing can undermine trust and credit for cooperation.
  • Compliance must ensure continuous monitoring even after perceived risk has been reduced.

Conclusion: The New Compliance Mandate

The Millicom Cellular enforcement action demonstrates that compliance risk is no longer confined to corrupt payments. It now involves organized crime, cash-based bribery systems, cross-border laundering, political capture, and governance obstructions. Compliance professionals must operate with a broader risk lens, encompassing cartel risk, cash-economy vulnerabilities, high-risk political interactions, and joint-venture control structures. This is a key enforcement effort of the Trump Administration.

The future of compliance is not about preventing bribery alone. It is about defending the corporation from becoming an unwitting partner in a criminal enterprise.


FCPA Compliance Report – Navigating Uncertainty: Leading with Courage and Clarity with Jim Massey

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom welcomes Jim Massey, who has recently released a new book, Risk in Action.

Jim Massey, an accomplished author and behaviorist practitioner, delves into the intricate dynamics of trust within leadership through his book “Risk in Action.” Drawing from his extensive experience in high-stakes boardrooms and executive sessions, Massey emphasizes the crucial role of trust as a foundation for effective action. He explores the interconnected nature of trust, risk, and fear, urging individuals to redefine risk as a prioritization tool that enables progress and bold decision-making. By addressing these themes, Massey aims to spark vital conversations and empower leaders to embrace uncertainty, ultimately encouraging them to take courageous actions that drive growth and innovation.

Key highlights:

  • Navigating Trust, Risk, and Fear in Leadership
  • Enhancing Business Outcomes through Proactive Risk Management
  • Cultivating Innovation Through Compliance Transformation
  • Embracing Fear for Innovative Growth
  • Dynamic Risk Assessment for Compliance Agility
  • Navigating Uncertainty: Leading with Courage and Clarity

Resources:

Risk in Action on Amazon

Jim Massey Website

Jim Massey on LinkedIn

Eastward.ai Website



When Maps Become Moral Documents: Why Compliance Must Own the Lines That Shape Risk

In compliance, we spend a great deal of time talking about frameworks, policies, and procedures. Yet some of the most powerful instruments in any governance ecosystem do not look like policies at all. They look like maps. They look like heat grids, risk matrices, shaded zones, and tidy borders that suggest precision even when uncertainty runs underneath them like an underground river.

From FEMA flood panels to enterprise risk heat maps, every organization uses maps to tell itself where danger lies and where safety supposedly begins. But here is the hard truth: maps are not technical artifacts. Maps are moral documents. They allocate duties, distribute the burden, and tell people whether they need to prepare or can relax. They shape budgets, attention, and ultimately accountability. And if the compliance function is not involved in how those maps are created, interpreted, and refreshed, then the organization is making ethical choices without a moral lens.

Today, I want to explore why maps are moral, what that means for governance, and what the compliance professional must do to ensure these documents reflect not only data but also duty.

Maps Allocate Duty

Every map draws lines that determine who must act. A FEMA flood map decides whether a camp, neighborhood, or business must carry flood insurance. A corporate risk heat map determines which business units receive enhanced oversight and which do not. A supply chain risk atlas determines who must perform due diligence and who can move goods without interruption.

Once a line is drawn, responsibility flows from it. A zone marked “high risk” sets expectations for controls, investment, and scrutiny. A zone marked “low risk” effectively signals that no further action is required. These judgments may feel technical, but they are deeply moral. They define the boundaries of duty. Compliance must be at the table when those lines are drawn. Otherwise, risk decisions become engineering exercises that inadvertently shift ethical burdens onto people who did not choose them.

Maps Encode Assumptions

Maps are built on models, thresholds, and historical patterns. But assumptions sit inside those models like coiled springs.

Which data is used?

Which data is excluded?

Which thresholds define severity?

Which events are treated as plausible?

Which sources are considered authoritative?

A map is never neutral. It always privileges certain histories, geographies, and scenarios over others. A corporate misconduct heat map based solely on historical hotline data will inevitably underweight emerging risks. A supply chain map that excludes subcontractors misses where real harm often occurs. A financial crime exposure map that relies solely on official lists will miss high-risk jurisdictions operating in gray zones. When compliance reviews these maps, the question is not whether the data is accurate. The question is whether the assumptions align with the organization’s ethical obligations.

Maps Shape Budgets and Behavior

Color drives capital. If an enterprise risk map identifies three red zones and ten green zones, everyone knows where the money is going. Green becomes the land of the unexamined. Yellow becomes “monitor and report.” Red becomes “fix this yesterday.” The danger arises when risk colors are treated as immutable truth rather than directional guidance. Compliance professionals know that a green box is not safety; it is an artifact of a model. And sometimes, it is an artifact of politics.

When business units understand that the map determines their workload, incentives emerge to influence the color. This is precisely why compliance must defend the integrity of the map and maintain independence in how risks are classified. The ethics are simple: if a map drives budget decisions, then the standards behind it must be transparent, fair, and aligned with the organization’s core mission.

Maps Create Winners and Losers

Every risk map is also a distributional map. Departments inside a red zone receive controls, resources, and escalation routes. Departments outside it may receive none. That inequity can have real consequences. Red zones experience heavy scrutiny but also benefit from board-level attention. Green zones may be left alone, but they also lack the resources needed when a new risk emerges.

Flood maps create similar inequities: one parcel receives insurance, mitigation funds, and federal guidance; the parcel across the street gets nothing until the water rises high enough to erase the line. Compliance must examine whether the “winners” and “losers” created by risk maps reflect risk reality or merely historical artifacts.

Maps Fix Narratives

Once published, maps become the truth. Boards rely on them. Auditors embed them into work plans. Regulators ask about them. Data teams update them. And leaders cite them to explain why certain risks were or were not prioritized. A flawed map can harden into institutional fact. It can shape decision-making for years. It can justify inaction. It can mask brewing crises. And when risk crystallizes into harm, those relying on the map will discover too late that precision was an illusion. Compliance serves as the conscience that returns the organization to humility. Every map should come with a disclaimer: “Here is our best understanding as of today, but all maps are drafts.”

Governance Checklist for Ethical Mapping

Compliance can bring discipline and transparency by treating maps like policies. They require version control, authorship, documented assumptions, and scheduled refresh cycles. Here is a governance lens for any map that influences risk:

  1. Provenance: Who created the map, with what data, and what was deliberately excluded? If exclusion changes the ethical calculus, it must be surfaced.
  2. Alignment to Risk Appetite: Are thresholds tied to enterprise risk appetite, the ECCP, and regulatory expectations? Or did the model make them convenient?
  3. Equity Across Stakeholders: Who bears the residual risk outside the lines? What does the map fail to capture about vulnerable populations, small sites, or contractors?
  4. Scenario Overlays: Have low-probability, high-impact events been tested against the map? Compliance should insist on stress testing.
  5. Update Cadence: Does the map have an expiration date? Every risk map should.
  6. Auditability: Can the map be reconstructed from its inputs and assumptions? If not, it is a narrative, not a control.
  7. Communication Duty: Every map must include plain-language guidance, escalation paths, and explicit caveats for those adjacent to but outside the risk zones.
  8. Budget Connection: Colors must correspond to predetermined actions. Otherwise, resource allocation becomes politics by palette.

What Compliance Must Do

Compliance does not need to own the model. Compliance must own the ethical underpinnings of the model. That means three responsibilities:

  • Own the legend. The color definitions, thresholds, and assumptions must reflect ethical and legal duties, not convenience.
  • Bring the board a map-ethics memo. One page: assumptions, blind spots, intended uses, and the refresh cadence.
  • Ground-truth everything. Walk the sites, review complaints, and test whether green zones reflect lived reality.

Maps guide action. Compliance ensures that the action they guide aligns with the organization’s values, obligations, and responsibilities to its stakeholders.

Conclusion

Maps are powerful. They shape perception, allocation, and accountability. But they are not neutral. They are moral documents and, therefore, compliance documents. When compliance embraces that role, maps become more than diagrams. They become tools for fairness, integrity, and informed oversight.


Listen Up: Why Voice-Driven Storytelling Is Compliance’s Most Underused Tool

In the modern corporate environment, we face a paradox: we have never had more tools to communicate, yet employees have never felt more overwhelmed by the sheer volume of communication. Emails drown in inboxes. Slide decks gather dust. Policy updates are skimmed at best and ignored at worst. For compliance officers trying to connect with a global workforce, the problem is not merely volume; rather, it is attention, trust, and retention.

That is where audio communication comes into play. Increasingly, forward-leaning companies are turning to voice-driven communication, which includes short audio messages, internal podcasts, and narrative voice notes, as a powerful way to reach employees where they are. And if you’re not already leveraging the human voice as part of your compliance toolkit, you are missing a deeply effective channel hiding in plain sight.

Because voice is not just another medium; voice is human. Voice conveys credibility, vulnerability, and intention. Voice cuts through noise in ways no written communication can match. And for compliance programs striving to build cultures of ethics and accountability, that authenticity is invaluable.

This makes it an ideal tool for compliance professionals to use in their communications. You can use it in long-form podcasts or short, bite-sized espresso shots of compliance.

Why Voice Still Wins in a Digitized World

Every compliance officer knows that trust is the currency of influence. Trust is built not only through facts but also through perceived sincerity. When employees hear a leader’s voice, it is unpolished, direct, and unfiltered. Corporate employees react differently when listening to a sanitized corporate memo than when reading it.

Tone becomes a tool. Cadence becomes emphasized. A pause invites reflection. A shift in pitch signals seriousness or warmth. These cues are often overlooked in text but are essential when navigating complex ethical issues, gray areas, and behavioral expectations. Voice also supports what I call the narrative advantage. Humans remember stories far better than bullet points. An audio message with a real-world dilemma—“Let me tell you about a call I got last Friday…”—lands with more impact than a list of rules ever will. For compliance, where the goal is not mere knowledge but behavioral change, this is rocket fuel.

Five High-Impact Voice Formats for Compliance Leaders

You do not need an internal studio or a communications team to use voice effectively. You need structure, intention, and consistency. Here are five proven formats I encourage compliance professionals to adopt:

1. Two-Minute Ethics Drops

A weekly, two-minute audio memo from the CCO or another senior leader can reshape how employees perceive compliance. These are not policy recitations. They are reminders, insights, or reflections on real events, brief enough to consume during a commute, meaningful enough to spark thought. Imagine this as the compliance equivalent of a coach’s pre-game talk.

2. Manager Voice Notes

Compliance does not scale unless managers become compliance multipliers. Provide managers with scripts or talking points, and then ask them to record brief voice notes for their teams. Local leaders speaking in their own words create a sense of intimacy and authenticity. People listen differently when the speaker is their direct leader, rather than a representative from headquarters.

3. Decision Diaries

These short, story-based audio segments illustrate how hard decisions are made inside the organization. They highlight the tension between competing priorities—sales versus safety, growth versus due diligence, and speed versus accuracy—and guide employees through the reasoning process. Employees learn not only what decision was made, but also why it was made.

4. Speak-Up Spotlights

One of the most underutilized voice tools is the anonymized “speak-up journey” segment. These episodes take listeners inside the lifecycle of a report without revealing identities. This builds trust in the system, demystifies investigations, and demonstrates action. It is one of the fastest ways to strengthen your speak-up culture.

5. The Board-Level Fireside

A quarterly voice conversation between the CCO and board chair (or audit committee lead) is incredibly powerful. Hearing the board speak directly to employees about ethics and risk sends a crystal-clear message: this topic matters at the highest levels. This is tone-from-the-top in its purest form.

How to Craft Voice Messages That Actually Land

There is an art and a discipline to creating voice content that resonates and drives behavior. Based on what I’ve seen across leading compliance programs worldwide, here are the five principles that matter most.

Lead with humanity, not rules.

Start with a lived moment or recognizable scenario. “I got a call last week that stopped me cold…” is a more effective opening than “According to Policy 3.4.”

Use language meant for the ear.

Short sentences. Natural phrasing. Conversational tone. You are having a hallway conversation, not reading a legal memo.

Deliver one idea per recording.

If your message attempts to cover five policies, employees will remember none of them. Focus on a single behavior change or risk awareness point.

Tie every story to a specific action.

Compliance storytelling without a call to action is entertainment. You want transformation.

Examples:

  • “If you see a third party offering to ‘open doors,’ log it today.”
  • “If a customer requests data access, use the Data Transfer Checklist before responding.”

Close with a choice.

End with clarity: “If X happens, do Y by Z.” Employees appreciate explicit guidance. Regulators notice it too.

Measuring Impact: Voice Is Still Data

Even though voice feels personal and human-centered, it does not escape measurement. In fact, the metrics are straightforward and incredibly useful:

  • Reach—How many employees pressed play?
  • Completion—Do people listen past the first minute?
  • Reflections—Capture a one-question pulse: “What would you do now?”
  • Action proxies—Did advisory requests or help tickets increase after the episode?

When we combine voice with smart analytics, we get a clear picture of engagement and behavioral shifts. This turns compliance storytelling into compliance intelligence.

Governance, Structure, and Safety

Voice communication must be treated like any other formal compliance communication channel. That means:

  • Pre-clearance of scripts with Legal and HR
  • Transcripts stored in your compliance file system
  • Tagging episodes to policy numbers and risk areas
  • Version control
  • Localization using local leaders, not HQ dubbing

Done right, voice enhances governance. Done poorly, it creates unnecessary risk. The good news? A solid process solves that problem.

The Fastest Path to Launch: A Ready-Made Starter Kit

If you want to bring voice storytelling into your program quickly, here’s a simple template:

Series title: Choices We Make

Cadence: Weekly, two minutes

Structure:

  • Hook (10 sec)
  • Context (30 sec)
  • Dilemma (30 sec)
  • Decision (30 sec)
  • Outcome (20 sec)
  • Call to action (20 sec)

Three great starter topics for your first episodes:

  1. A conflict of interest dilemma
  2. A third-party red flag escalation
  3. A speak-up report that led to a positive safety change

This is the simplest, fastest, and lowest-cost compliance communication upgrade you can implement.

Closing Thoughts: The Future of Compliance Is Human

We talk endlessly about systems, controls, and technology, and all of those matter. However, at the end of the day, compliance remains a human discipline. It relies on trust, judgment, empathy, and courage. Written policies guide. Training informs. If you want your workforce to act with integrity when no one is watching, they need to hear your voice when it matters. Now is the moment to step behind the microphone. Audio connects, but more importantly, voice connects.


Podcasting for Compliance Communications

If there is one truism from the practice of law that translates to the practice of compliance, it is that you are only limited by your own imagination. This holds in the 360-degree realm of communication in compliance, as communications obviously come in many forms. Many compliance practitioners well remember the 2012 Morgan Stanley declination. In this first declination made public, the DOJ recognized Morgan Stanley for emailing 35 compliance reminders to Garth Peterson over a seven-year period. Consider the power of 360-degree communications in the context of compliance reminders. Now imagine the power of short ethics and compliance video training clips being distributed over the same period and the effect it would have on both your employees and regulators.

Podcast Storytelling

Why not tell the story of the compliance program through a podcast? I call it podcast storytelling, and it can be a powerful tool. Each podcast series is a 5-part series and constitutes one story arc. The podcasts are about 10–15 minutes in length. The podcast-storytelling series can feature a variety of interviews led by a noted podcast host, such as the Voice of Compliance, yourself as the CCO, or other key individuals from your organization. It can be an interview with one or more people, or it can be a solo podcast.

While there would be a fully integrated storyline, each podcast and accompanying text would be stand-alone compliance training and communications that anyone at your organization could use. The podcasts can be distributed both internally and through your organization’s social media channels. There is a wide range of podcast sites available, including iTunes, Spotify, iHeartRadio, Google Podcasts, and Amazon. From each podcast, you can create multiple short audio clips or other forms of social media-sharing materials with key quotes and lessons learned that can be made as podcast cover art.

A series like this allows your organization not only to tell a story more effectively but also to reach a much larger audience than in any other format—live, audio-video, or in-person. Yet, there is another reason why you should consider this type of approach for compliance training and communications. It will provide you with the equivalent of market research and feedback. The number of listeners and downloads will provide a reliable source of data that you can use in other communications and training sessions.

Compliance Department Branded Podcasts

Want another option? How about a fully produced, branded podcast series for your internal compliance function? It could be two 25–30-minute episodes per month, with the guest selected by your compliance team. This format enables your corporate compliance function to tell the story of its greatest asset—its people—through interviews. Cannot get out of the country to travel? Still working remotely? Your branded podcasts offer a way to connect with your employees as we continue to navigate the aftermath of the COVID-19 pandemic. You can use the branded podcast to tell the story of compliance successes in your organization. You can also include other departments to share their accomplishments. As with the podcast storytelling series, it would be done collaboratively, working with your communications team.

Compliance News of the Day

Want to create concise and effective compliance communications? How about “Compliance News of the Day”? Have a daily curated news show featuring 3–4 compliance stories, accompanied by a summary of the series and its relevance to a compliance perspective for your organization. Make it fun so that your employees want to check in daily. When the DOJ comes knocking and asks how often you send out compliance communications, you can point to your Compliance News of the Day as a great starting point.

As a compliance practitioner, you should bring more storytelling into your compliance messaging, training, and communications. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their own lives. Such training and communication experiences will last much longer than if you drone on over a written policy or show a PowerPoint slide. Marc Havener has described this storytelling as “expanding your classroom.” Ronnie Feldman calls it bringing memorable storytelling to your compliance communications and training.

Since you are only limited by your imagination in addressing compliance, why not use some of that imagination to be creative in your compliance training and communications?

Using Podcasts to Improve Corporate Culture

One of the biggest benefits of podcasting is that it allows a compliance function to connect with its audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics.

Now, apply the same concepts of audience engagement internally to an organization. What do you have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Consider all the advantages podcasting already offers. Podcasting is one of the most intimate forms of communication, and this concept holds for a corporate compliance podcast.

A major U.S. consumer product company launched a podcast featuring corporate executives. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.