Categories
Great Women in Compliance

Great Women in Compliance – Insight from a Great Gentleman in Compliance with Andrew McBride

In today’s episode, Lisa speaks with a Great Gentleman in Compliance, Andrew McBride, the CEO and founder of Integrity Bridge.

Andrew shares his journey in compliance, from private practice to becoming Chief Compliance Officer at Albemarle to starting Integrity Bridge.

At Albemarle, Andrew built a new ethics and compliance program against the backdrop of an FCPA investigation. The work of Andrew and his team and their cooperation with the US Department of Justice led to a 45% penalty reduction. The program was also awarded Compliance Week’s “Program of the Year” award.

He highlights the importance of having a multifunctional approach to building compliance programs, working closely with various departments such as sales, procurement, and finance. He also emphasizes how ethics and compliance teams are best positioned to succeed if they have different backgrounds and skill sets.

Andrew shares his experience building Integrity Bridge, a consultancy focused on helping companies design and implement holistic compliance programs to proactively use technology and address constantly evolving risks.

Categories
Blog

AI Game-Changing Compliance: Part 3 – Decentralized Compliance with Blockchain Technology

Last week, I looked at five things a Chief Compliance Officer (CCO) or compliance professional could do at little or no cost to ‘Up Their (Compliance) Game.’ I want to continue this theme this week but want to tackle it differently. I will look at five innovations for compliance professionals around Artificial Intelligence (AI). AI has moved from an emerging trend to a fundamental component of modern corporate compliance programs. Today, I want to examine how blockchain can be a game-changer for compliance.

Today, organizations leverage blockchain to enhance transparency, ensure data integrity, and strengthen regulatory adherence. While compliance professionals have historically relied on centralized data repositories and traditional audit methods, blockchain offers a decentralized, tamper-proof alternative that reshapes compliance monitoring. This innovation is crucial in industries where data security, fraud prevention, and ethical sourcing are non-negotiable.

Regulators are increasingly scrutinizing how businesses manage their compliance data, with expectations rising for real-time reporting, immutable record keeping, and enhanced due diligence. Blockchain provides a solution by creating an unalterable digital ledger, enabling compliance teams to verify transactions, track supply chains, and show adherence to environmental, social, and governance (ESG) standards with unprecedented accuracy. Below, we explore how companies across industries utilize blockchain for decentralized compliance, lessons learned for compliance professionals, and important points for corporate leadership.

How Blockchain Enhances Compliance

One of blockchain’s most compelling benefits is its ability to create immutable audit trails. This immutability is what makes blockchain so revolutionary for compliance. It is not a technological novelty; it has profound implications for all manner of financial reporting, regulatory compliance, and corporate governance. Corporate leaders and compliance professionals must recognize that traditional data management methods and audit trails are no longer sufficient in an era where every error, manipulation, or fraudulent activity can have dramatic financial and reputational consequences.

The immutable nature of blockchain means that every transaction or piece of data recorded on the chain is permanently etched into the ledger. Unlike traditional databases, which can be subject to human error or deliberate tampering, blockchain uses cryptographic principles to ensure that records remain unchanged once verified. This creates an audit trail that is transparent and verifiable in real time. For compliance officers, this is a game changer. It shifts oversight from periodic, retrospective audits to continuous, real-time monitoring, a fundamental transformation in how businesses manage risk and adhere to regulatory standards.

The implications are enormous for industries subject to stringent compliance requirements, such as finance, healthcare, and manufacturing. Regulations like the Sarbanes-Oxley Act (SOX), the General Data Protection Regulation (GDPR), and various anti-money laundering (AML) directives demand precise, accurate record-keeping and transparent reporting. Blockchain’s tamper-proof ledger directly addresses these demands. By integrating blockchain into their compliance frameworks, companies can automatically enforce rules and ensure that all required records are accurate, complete, and accessible to auditors and regulators. This level of reliability reduces the risk of non-compliance and streamlines the entire audit process, saving time and reducing costs.

The decentralization inherent in blockchain technology provides additional layers of security and transparency. In traditional systems, a central database may be vulnerable to cyber-attacks or internal manipulation. Blockchain instead distributes data across a network of nodes. Each node holds a copy of the ledger, meaning tampering with one record would require altering the copies held across the network, a near-impossible feat with current technology. This distributed nature reinforces trust among stakeholders, ensuring that every participant, from internal auditors to external regulatory bodies, can rely on the integrity of the data. For compliance professionals, this translates to a robust, reliable system that minimizes human error and operational risk.

Another significant advantage of blockchain is its capacity to support continuous compliance monitoring. Instead of waiting for end-of-quarter reviews or annual audits, companies can now access real-time data. Regulators, for example, could be granted access to a live, immutable ledger that provides instantaneous insights into financial transactions, supply chain movements, or any other regulated activity. This proactive approach means potential issues can be identified and addressed before they escalate into full-blown compliance breaches. The result is a more agile, responsive compliance system that can adapt to changes in the regulatory landscape almost as soon as they occur.

Blockchain also facilitates automated compliance through smart contracts, self-executing digital agreements in which the contract terms are written into code. These contracts can be programmed to enforce compliance rules automatically. For example, a smart contract might automatically trigger a compliance review if a transaction exceeds a predetermined threshold, or it could require that certain conditions are met before a transaction is finalized. This automation reduces the administrative burden on compliance teams and ensures that rules are applied consistently, without the variability introduced by manual processes. For corporate leaders, this means fewer errors, faster processing times, and a more secure regulatory environment.
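The two mechanisms this section leans on, a cryptographically linked audit trail that reveals any after-the-fact edit, and a coded rule that flags transactions above a threshold for review, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from the blog post, the World Bank initiative, or any blockchain platform. It is a single-party hash chain (no network of nodes, no consensus), and the review threshold, the transaction records, and the `requires_review` rule are constructed assumptions.

```python
"""Added illustration (not from the blog post): a minimal hash-chained,
append-only ledger showing why a tamper-evident audit trail supports
continuous compliance monitoring, plus a coded threshold rule standing in
for the 'smart contract' review trigger described in the text.
The threshold, the sample transactions and the rule are all constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

REVIEW_THRESHOLD = 10_000  # constructed policy value, in the ledger's currency units


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: str
    payload: dict        # the compliance record (e.g. a payment)
    prev_hash: str       # hash of the previous entry, which links the chain
    flagged: bool        # True when the rule engine requires a compliance review
    entry_hash: str = "" # SHA-256 over every field above


def compute_hash(index: int, timestamp: str, payload: dict,
                 prev_hash: str, flagged: bool) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    material = json.dumps(
        {"index": index, "timestamp": timestamp, "payload": payload,
         "prev_hash": prev_hash, "flagged": flagged},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def requires_review(payload: dict) -> bool:
    """Constructed stand-in for the smart-contract rule in the text:
    flag any transaction whose amount exceeds the review threshold."""
    return payload.get("amount", 0) > REVIEW_THRESHOLD


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, payload: dict) -> Entry:
        # Each new entry commits to the hash of the one before it.
        prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        index = len(self.entries)
        flagged = requires_review(payload)
        h = compute_hash(index, timestamp, payload, prev_hash, flagged)
        entry = Entry(index, timestamp, payload, prev_hash, flagged, h)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev_hash = "0" * 64
        for e in self.entries:
            if e.prev_hash != prev_hash:
                return e.index
            if compute_hash(e.index, e.timestamp, e.payload,
                            e.prev_hash, e.flagged) != e.entry_hash:
                return e.index
            prev_hash = e.entry_hash
        return None


def build_sample_ledger() -> Ledger:
    # Constructed sample transactions; vendor and grant ids are placeholders.
    ledger = Ledger()
    ledger.append("2025-03-01T09:00:00Z", {"type": "payment", "vendor": "V-001", "amount": 4_500})
    ledger.append("2025-03-01T09:05:00Z", {"type": "payment", "vendor": "V-002", "amount": 25_000})
    ledger.append("2025-03-01T09:10:00Z", {"type": "disbursement", "grant": "G-17", "amount": 9_999})
    return ledger


def detect_edited_record() -> Optional[int]:
    """Simulate a stored record being edited after the fact (amount reduced,
    stored hash left untouched, as a naive database edit would) and report
    where chain verification first fails."""
    ledger = build_sample_ledger()
    victim = ledger.entries[1]
    ledger.entries[1] = Entry(victim.index, victim.timestamp,
                              {**victim.payload, "amount": 2_500},
                              victim.prev_hash, victim.flagged, victim.entry_hash)
    return ledger.verify()


if __name__ == "__main__":
    intact = build_sample_ledger()
    print("flagged for review:", [e.index for e in intact.entries if e.flagged])
    print("intact ledger verifies:", intact.verify() is None)
    print("edited record detected at index:", detect_edited_record())
```

Two design points follow from the text. First, the chain is tamper-evident rather than tamper-proof: an insider who can rewrite the stored hashes as well as the record can rebuild the chain from the edited entry onward, which is exactly why the post stresses distributing copies of the ledger across many parties and granting auditors or regulators their own view of it. Second, the review rule runs at append time and its verdict is itself committed into the hash, so a later attempt to quietly unflag a transaction is caught by the same verification pass.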

The Future is Now in AI-Blockchain as a Compliance Imperative

A prime example of blockchain’s efficacy in this arena is the World Bank’s Blockchain-Based Financial Transparency Initiative. This initiative leverages blockchain to fortify transparency in government contracts and aid disbursements. Utilizing blockchain’s inherent qualities, the World Bank can ensure that funds are allocated and tracked in real time, significantly reducing the risk of mismanagement. Every disbursement, every contractual change, and every transaction is logged on the blockchain, creating a tamper-proof audit trail that meets stringent anti-corruption and financial accountability standards. For organizations engaged in high-stakes financial operations, particularly those subject to intense regulatory scrutiny, such an initiative serves as both a preventive measure against corruption and a robust tool for regulatory compliance.

Using blockchain in anti-corruption strategies extends far beyond the realm of government aid. In regions where corruption is endemic, companies can employ blockchain to monitor financial flows and contractual obligations with unprecedented precision. The technology is a powerful deterrent against illicit behavior because it leaves no room for the discreet manipulation of records. The decentralized ledger enhances internal controls and fosters a culture of transparency that is difficult to subvert. With blockchain, every stakeholder—from auditors and compliance officers to regulators and investors—can access a clear, real-time snapshot of all transactions. This visibility is crucial for building trust and ensuring that every participant in the financial ecosystem adheres to ethical and legal standards.

For compliance teams, blockchain’s real-time monitoring capability is a game changer. Instead of relying on periodic audits that may only uncover discrepancies after the fact, organizations can continuously track financial activities as they occur. This proactive monitoring helps identify suspicious activities almost instantly, enabling swift remedial action before potential violations escalate. By automating routine compliance processes through smart contracts, blockchain minimizes human intervention, reducing the risks associated with manual errors or intentional tampering.

In summary, blockchain’s ability to improve anti-corruption and fraud prevention significantly advances corporate compliance. Its decentralized nature ensures that every transaction is transparent, verifiable, and resistant to tampering—a feature especially valuable in high-risk environments. The World Bank’s initiative is a compelling example of how blockchain can be harnessed to enforce rigorous financial transparency and accountability standards. For companies worldwide, embracing blockchain technology is not merely an option but an essential step toward fostering a secure, compliant, and ethical operational framework in an increasingly complex regulatory environment.

The benefits of blockchain also extend to fostering greater trust between companies and their regulators. By providing a transparent, real-time audit trail, blockchain diminishes the adversarial nature of regulatory inspections. Instead of a scenario where regulators must rely on a company’s internal reports, they have direct access to an independent, tamper-proof ledger. This shared transparency builds confidence in the integrity of the data and encourages a more collaborative relationship between businesses and regulatory authorities. In today’s highly scrutinized regulatory environment, such trust is invaluable.

Blockchain technology is revolutionizing corporate compliance by providing a secure, immutable record-keeping system that directly addresses many of the challenges associated with traditional audit and reporting practices. Its decentralized, tamper-proof ledger ensures data integrity and supports continuous, real-time monitoring and automated compliance through smart contracts. These capabilities help reduce fraud, human error, and the overall cost of compliance while enhancing transparency and trust among stakeholders.

The message for compliance professionals and corporate leaders is clear: embracing blockchain is no longer optional but a strategic imperative. As regulatory frameworks become more demanding and the risks associated with non-compliance increase, blockchain offers a powerful tool to meet and exceed these challenges. It empowers organizations to move away from outdated manual processes and toward a more efficient, proactive compliance model. In doing so, companies safeguard their operations and build a foundation of trust and reliability that can drive long-term success in an increasingly complex regulatory landscape.

Categories
FCPA Compliance Report

FCPA Compliance Report – The Role of Internal Audit in Export Controls

Welcome to the award-winning FCPA Compliance Report, the longest-running compliance podcast. In this episode, Tom welcomes Jonathan Marks, who discusses the role of internal audit in export control compliance.

Jonathan starts by defining export controls and their significance: regulations governing the export, re-export, and transfer of goods, technology, and services across borders to protect national security and enforce foreign policy. As a compliance professional, you should recognize the severe impacts of operational disruptions, supply chain issues, and national security risks resulting from non-compliance, which underscores the need for comprehensive compliance frameworks. He then expands on internal audit responsibilities, stressing the necessity of robust policies, clear responsibilities, consistent employee training, and thorough risk assessments.

Jonathan discusses practical internal audit strategies, including evaluating high-risk transactions, identifying compliance gaps, and regularly monitoring and testing compliance controls through transaction testing, data analytics, third-party due diligence, and incident response mechanisms. Jonathan underscores the importance of collaboration between internal audit, legal, compliance, and supply chain teams to ensure an integrated and proactive compliance approach, thereby mitigating risks and strengthening corporate governance.

Key highlights:

  • Understanding Export Controls and Compliance
  • Role of Internal Audit in Export Controls
  • Key Areas for Internal Audit Focus
  • Testing and Monitoring Controls

Resources:

Jonathan Marks on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – A Roadmap for Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we discuss creating a roadmap for improving your compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Categories
Creativity and Compliance

Creativity and Compliance – Upping Your Compliance Game

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection—they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings and Entertainment, takes the entertainment formats people use to consume information in their everyday, non-work lives and applies them to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible. In this episode of Creativity and Compliance, Tom Fox and Ronnie Feldman take up the challenge handed down by Hui Chen, in light of the administration’s suspension of FCPA enforcement, to up their compliance game.

Ronnie begins by advocating for a transformation in compliance training, suggesting a shift from traditional e-learning methods to engaging communication campaigns emphasizing a Speak Up Culture and seamlessly integrating compliance into daily business operations. He believes that by using short, entertaining formats and training leaders to present content playfully, compliance can become more interesting and effective, positioning compliance professionals as valuable assets through proactive engagement and collaboration. Tom underscores the importance of compliance professionals being approachable and communicative, serving as problem solvers who collaborate with business units to achieve unexpected, beneficial outcomes. Both experts agree that by humanizing the compliance function and focusing on values and behaviors, compliance professionals can enhance their programs and contribute significantly to organizational success.

Key highlights:

  • Engaging Communication Campaigns for Compliance Training
  • Strategic Communication for Compliance Professionals
  • Cultivating Proactive Compliance Culture through Training Programs
  • Strategic Engagement for Compliance Professionals

Resources:

Ronnie

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets” these 90-second commercials address misconceptions and excuses to promote speak up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance explaining policies, sharing examples and debunking excuses. 
  • Tales from the Hotline – Real speak up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programing – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Categories
Blog

Upping Your Compliance Game, Part 4 – Compliance and Building Corporate Resiliency

The Trump Administration has suspended FCPA enforcement for the foreseeable future. What does that mean for compliance professionals? Hui Chen has suggested that this is an opportunity for compliance, but to do so, “It’s time to up your game . . . Instead of selling insurance for FCPA enforcement, become leaders that help your organizations perform.” Based on this challenge by perhaps the most eminent compliance commentator, I am devoting this week’s blog posts to ways compliance professionals can indeed up their collective game. Today, we explore how effective compliance can help lead to greater business resiliency.

Resilience must be a core feature of every corporate compliance program. The reason is simple: compliance programs will inevitably face crises in today’s volatile and uncertain world. It could be from the Trump Administration’s suspension of Foreign Corrupt Practices Act (FCPA) enforcement, a natural disaster disrupting operations, the discovery of human rights abuses within the supply chain, activist shareholders pushing for corporate change, or new competitors leveraging technology to upend an industry. Recent history has shown us that global pandemics and social justice movements can also emerge to reshape the business landscape overnight.

In their article “6 Types of Resilience Companies Need Today,” Paul Polman and Andrew Winston explore how multinational corporations like Unilever have built resilience through both traditional and innovative strategies. Their insights offer valuable lessons for Chief Compliance Officers (CCOs) and compliance professionals seeking to fortify their organizations against future challenges.

Traditional Foundations of Corporate Resiliency

Polman and Winston highlight three traditional building blocks of corporate resiliency: financial flexibility, portfolio diversity, and organizational agility. These elements are critical in preparing companies for sudden shocks and long-term crises.

For compliance professionals, this means ensuring that the business remains functional during disruptions by embedding compliance within these foundational areas:

  • Financial Flexibility: Compliance contributes to financial stability by preventing costly legal issues, regulatory fines, and reputational damage. Strong compliance programs also help organizations maintain favorable relationships with investors, regulators, and business partners.
  • Portfolio Diversity: Just as businesses diversify revenue streams, compliance must diversify its approach to third-party risk management. This includes thoroughly vetting sales agents, distributors, and supply chain vendors to mitigate exposure to compliance failures.
  • Organizational Agility: Compliance agility allows teams to respond rapidly to emerging risks. By fostering real-time feedback from regional offices, compliance professionals can identify potential problems before they escalate into crises.

A resilient compliance function not only helps businesses survive crises but also positions them to recover more effectively.

The Net-Positive Approach to Resilience

The authors emphasize that true corporate resilience goes beyond surviving crises. It involves creating a long-term, crisis-resistant organization that benefits all stakeholders. They advocate for a “net-positive” company model that seeks to improve the well-being of everyone it touches through its operations, value chain, products, services, and influence. This concept aligns closely with the goals of corporate compliance programs.

Purpose-Driven Compliance

Companies that understand their purpose and integrate it into their operations are more resilient in times of crisis. Purpose-driven organizations don’t see compliance as a regulatory obligation but as a strategic advantage. Compliance professionals reinforce this purpose by embedding ethical business practices into corporate strategy.

The Business Roundtable’s Statement on the Purpose of a Corporation emphasizes stakeholder engagement beyond shareholders. Compliance can advance this vision by aligning business operations with ethical principles, incorporating feedback from employees, customers, and suppliers, and reinforcing a corporate culture of integrity.

Aligning compliance controls with the COSO 2013 Framework for Internal Controls helps build a strong ethical foundation, ensuring compliance is woven into the company’s operational backbone rather than treated as an afterthought.

Trust: The Cornerstone of Compliance

Trust is an absolute necessity for any compliance program. Internally, trust is built through institutional fairness, due process, and a commitment to ethical leadership. However, compliance must also extend trust-building beyond the organization, fostering transparent relationships with external stakeholders.

Modern compliance programs must embrace a level of transparency that many organizations have historically resisted. This includes proactively disclosing compliance efforts, engaging in open dialogue with regulators, and embracing external scrutiny. Polman and Winston note, “Transparency is a great tool to ensure consistency and engender trust. Rather than rebelling against tough questions and pressure, business leaders should embrace and use them to build a stronger organization.”

By fostering a culture of transparency and accountability, compliance teams can help their organizations navigate crises with credibility and resilience.

Engaging All Stakeholders in Compliance

Compliance is traditionally seen as a back-office function, primarily engaging with internal departments and regulators. However, leading companies are increasingly expanding compliance’s role to include broader stakeholder engagement.

Polman and Winston argue that “net-positive companies build better connections with stakeholders besides employees.” Compliance functions can drive this by engaging customers, investors, supply chain partners, and local communities. This shift aligns with compliance’s growing role in third-party risk management and due diligence processes.

For example, companies that conduct rigorous due diligence on supply chain partners mitigate risk and foster stronger, trust-based relationships with ethical suppliers. Compliance’s role in these engagements ensures that ethical business practices extend beyond corporate walls, creating a network of partners who support the company’s long-term resilience.

The Compliance Function as a Driver of Resilience

When major crises strike, whether compliance-related or otherwise, organizations with resilient compliance programs can respond swiftly and effectively. Polman and Winston conclude, “No company can prepare for every outcome, but these six forms of resilience, put together, can provide a serious buffer. They also allow organizations to work in larger coalitions on the biggest issues, such as climate change and income inequality.”

Compliance functions are uniquely positioned to help businesses anticipate and prevent crises rather than merely reacting. By integrating compliance into the core fabric of corporate resilience strategies, organizations can:

  1. Prevent crises through proactive compliance risk management
  2. Build a strong ethical culture that fosters long-term stability
  3. Enhance stakeholder trust and engagement
  4. Ensure business continuity in the face of regulatory changes
  5. Support innovation by creating ethical frameworks for emerging technologies

These strategies are not just compliance best practices but essential components of building a company that thrives in times of change and uncertainty.

The best compliance programs do more than mitigate risk; they build corporate resilience. By aligning compliance with financial stability, organizational agility, and a broader net-positive vision, companies can prepare for the challenges of an unpredictable world.

Compliance professionals should seize the opportunity to lead this transformation, ensuring that their organizations endure crises and emerge stronger from them. In doing so, compliance becomes a function of risk avoidance and a strategic driver of long-term business success.

Categories
Blog

Upping Your Compliance Game, Part 3 – Engaging Leadership

We continue exploring what the Trump Administration’s suspension of FCPA enforcement means for the compliance professional. Hui Chen has suggested that this is an opportunity for compliance, but to do so, “It’s time to up your game . . . Instead of selling insurance for FCPA enforcement, become leaders that help your organizations perform.” Based upon this prompting from her, I am writing this week on issues that compliance professionals can use to ‘up their [compliance] game’ so that when questions about your compliance program come down from your senior executives or Board of Directors, you will be able to point to clear business advantages to doing business ethically and in compliance.

Today, we consider how a chief compliance officer (CCO) or compliance professional can personally up their leadership game and move their compliance program to a more collaborative and integrated business function. The shift is driven by changes in corporate power dynamics, new values that prioritize transparency and collaboration, and an increasing emphasis on engagement with business units. In their Harvard Business Review article, Understanding “New Power,” Jeremy Heimans and Henry Timms explore how leadership models change. I have adapted their insights for Chief Compliance Officers (CCOs) and compliance practitioners who seek to enhance their function’s role within an organization.

The Shift from Old Power to New Power

Heimans and Timms describe the transition from “old power” to “new power” as a shift both in the models used to exercise power and in the values organizations embrace. Traditional compliance programs often operated under old power models: centralized, top-down structures that relied on authority and rigid governance. In contrast, new power models emphasize distributed, collaborative, and participatory leadership.

  1. Sharing and Shaping. In this new era under Trump, companies increasingly engage stakeholders, including employees and supply chain partners, in shaping compliance strategies. This shift recognizes that compliance is not just about adherence to regulations but about embedding ethical considerations into everyday decision-making. Companies that actively solicit input from their workforce and external partners create stronger, more effective compliance cultures.
  2. Organizations are using creative financial structures to embed compliance into business operations rather than treating it as a standalone cost center. Instead of viewing compliance as an overhead expense, forward-thinking businesses integrate compliance into investment decisions, allocate resources for proactive risk management, and leverage compliance to drive operational efficiencies and innovation.
  3. Employees and third-party stakeholders actively contribute to compliance initiatives rather than passively following directives. This participatory approach ensures that compliance is not merely a function of the legal or risk department but is embraced across the organization. Companies encourage employees to report issues, contribute to compliance improvements, and take ownership of ethical behavior.
  4. Co-Ownership. Compliance is decentralized, empowering employees at all levels to take ownership of ethical behavior. When employees and third parties feel personally responsible for compliance, adherence to ethical standards becomes more organic. Businesses that create opportunities for co-ownership in compliance initiatives through peer-led training, employee-driven reporting mechanisms, and cross-functional ethics committees build a more resilient ethical culture.

This shift makes compliance less about enforcing rules and more about embedding ethical business practices into the corporate culture. Organizations that embrace new power structures are better positioned to handle complex regulatory environments, foster innovation, and build trust among employees, customers, and stakeholders.

New Compliance Values: A Guide for Leadership

Beyond structural changes, Heimans and Timms identify new values that organizations must embrace to remain effective. These values directly apply to compliance professionals, who must ensure compliance is embedded within the organization’s broader culture and governance structures.

  • Decision-making is becoming more informal and network-driven, requiring compliance professionals to work across functions. Instead of a strict top-down enforcement model, modern compliance programs emphasize collaboration across departments, ensuring compliance is seamlessly integrated into everyday business activities.
  • Compliance programs must reward those who share best practices and improve existing compliance structures. Organizations that foster a collaborative compliance culture encourage employees to speak up about risks, participate in ethics initiatives, and help improve compliance processes.
  • Do It Ourselves (DIO). Employees expect to participate in ethical decision-making rather than be dictated to by top leadership. Empowering employees to take initiative in compliance—whether through peer-led training, ethics committees, or compliance ambassadors—creates a more engaged workforce and a stronger culture of accountability.
  • Organizations must foster open communication about compliance issues, internally and externally. A transparent compliance program builds trust with employees, investors, and customers. Companies that proactively disclose compliance efforts, encourage whistleblowing, and provide clear guidelines for ethical decision-making strengthen their credibility and resilience.
  • Younger employees are less likely to maintain long-term relationships with institutions, making an agile and adaptive compliance function essential. Compliance teams must develop dynamic and engaging strategies to connect with employees, including leveraging technology, social media, and innovative training programs to maintain engagement and adherence to ethical standards.

To succeed in this environment, compliance leaders must embrace these principles and adapt their approach accordingly. Compliance functions that prioritize engagement, empowerment, and innovation will be better equipped to navigate the complexities of modern business environments.

Three Steps for Engaging Compliance Leadership

To fully integrate compliance into business strategy, CCOs and compliance practitioners should consider three key actions:

1. Assess Your Role in a Changing Power Environment

A compliance risk assessment has traditionally focused on external threats, but today’s CCOs must also assess their function internally. Where does your compliance program stand on the power spectrum, and where do you want it to be in five years?

  • Conduct an internal assessment to evaluate how compliance is perceived across departments.
  • Benchmark against industry leaders and best practices to identify areas for growth.
  • Engage in strategic conversations with executives and employees to understand their compliance expectations and challenges.
  • Develop a vision for the future of compliance in the organization, ensuring alignment with business objectives.

Organizations can proactively identify gaps and opportunities to enhance their compliance function by assessing compliance through a broader lens.

2. Incorporate Business Unit Interests (The UX)

To be effective, compliance should not operate in a silo; as Carsten Tams continually reminds us, “It’s all about the UX.” Business units should have a voice in shaping compliance policies. This means:

  • Conducting honest conversations with employees and leadership about compliance’s impact on business operations.
  • Soliciting feedback from business units before imposing compliance requirements.
  • Recognizing compliance as a business enabler, not just a risk mitigation function.
  • Encouraging cross-departmental collaboration on compliance initiatives.

As Heimans and Timms note, introspection and engagement must precede any investment in compliance initiatives. Organizations that fail to engage business units in compliance discussions risk resistance, non-compliance, and inefficiencies.

3. Mobilize Compliance Capacity Across the Organization

Compliance leaders must proactively engage third parties and business ventures, such as joint ventures and supply chain partners, to extend compliance influence beyond internal teams.

  • Establish compliance training programs tailored to third-party vendors and supply chain partners.
  • Implement robust third-party due diligence processes to ensure compliance throughout the supply chain.
  • Develop reporting mechanisms that allow external partners to flag compliance concerns.
  • Build alliances with industry groups and regulators to stay ahead of evolving compliance trends.

For example, compliance expert Mary Jones, former Director of Compliance at Global Industries Ltd., emphasized the importance of training third parties. She traveled to supplier locations to conduct in-person compliance training, fostering stronger relationships and enhancing compliance effectiveness. This proactive approach strengthened Global Industries’ compliance function and positioned their suppliers as allies in the compliance journey.

A successful compliance function does more than enforce rules; it builds a network of ethical partners who actively support compliance objectives.


Adventures in Compliance – Institutional Justice and Institutional Fairness Lessons from The Adventure of the Veiled Lodger

In this new season of Adventures in Compliance, host Tom Fox takes a deep dive into Arthur Conan Doyle’s Sherlock Holmes collection, The Case-Book of Sherlock Holmes. It is the final set of twelve Sherlock Holmes short stories, first published in the Strand Magazine between October 1921 and April 1927. In this episode, we consider the story The Adventure of the Veiled Lodger.

Tom emphasizes the importance of fairness and transparency in compliance investigations, accountability without retaliation, encouraging whistleblowers, and addressing systemic failures. The episode also highlights how ethics and compliance must be ingrained in corporate culture, reflecting principles from the Department of Justice’s 2020 and 2024 updates to the Evaluation of Corporate Compliance Programs. Through Holmes’ empathetic approach, compliance professionals can learn the importance of contextual investigations and the pursuit of institutional justice. Tom invites Sherlock Holmes enthusiasts to engage in discussions about the stories and underscores the role of compliance in fostering a fair and ethical workplace.

Highlights include:

  • The Story of the Veiled Lodger
  • Lessons on Institutional Justice and Fairness
  • Lessons for CCOs

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ by Dave Thompson

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.



Right is Right/Wrong is Wrong: Trump, The FCPA and Effective Compliance

In a surprise to no one, President Trump said he was suspending Foreign Corrupt Practices Act (FCPA) enforcement. Why is it no surprise? Because the FCPA prohibits bribery and corruption of foreign officials and employees of state-owned enterprises outside the US. Trump wants to make such business tactics legal for US companies, as he thinks US companies cannot compete with other international actors without engaging in such illegal conduct. But the reality is that Mark Twain was correct: ‘right is right and wrong is wrong,’ and Trump’s pronouncement of non-enforcement did not make bribery and corruption of foreign officials and employees of state-owned enterprises outside the US legal. This announcement also puts more US companies at risk for shakedowns by corrupt foreign officials.

For the compliance professional, this suspension of FCPA enforcement will make having an effective corporate compliance program even more important for the upcoming 3+ years of Trump’s final term. I want to break down the reasons for continued effective compliance into legal reasons and business reasons.

Criminal Reasons

A. 5-Year Statute

The FCPA is still the law of the US. Any company or person who now engages in bribery and corruption of foreign officials and employees of state-owned enterprises outside the US will violate the FCPA. There is a five-year statute of limitations on FCPA enforcement, so even if your organization decided to start bribing today, there would be a five-year window of potential liability. Moreover, it is five years from the discovery of the illegal conduct, so unless your organization affirmatively states via its books and records that it has engaged in illegal activities and violated the FCPA, there will be an even longer tail for investigation and prosecution.

B. SEC and Books and Records

Remember, the FCPA has two basic provisions. One, thou shalt not bribe foreign officials and employees of state-owned enterprises outside the US. Second, thou shalt have accurate books and records. The Securities and Exchange Commission (SEC) enforces this second component of the FCPA. It has two parts: (a) financial books and records that accurately reflect the financial condition of the organization and (b) effective internal controls that prevent bribery and corruption. Is the SEC now going to turn its back by allowing companies that engage in illegal actions to puff up their profits to defraud the American public?

C. Individual Prosecutions Outside the US

The stakes are even higher for the individual corporate employee doing business outside the US. NO country in the world says that bribing its government officials is legal. That makes any such bribe illegal. This is not about an extra-territorial law such as the FCPA, where China or Nigeria would come to the US and arrest a US citizen for actions in China or Nigeria. Instead, it is about China or Nigeria enforcing their domestic laws. Remember the GlaxoSmithKline PLC (GSK) bribery conviction in China in 2014. A Chinese court fined the company nearly $500 million. Equally significant was the criminal conviction of the Country Manager and several of his direct reports. With the Trump Administration aiming more tariffs and other trade sanctions at China, does anyone not think the Chinese government may well open investigations, warranted or not, into US corporations doing business in China and US individuals working in China? (For a full discussion of the entire sordid affair of GSK in China, read my book on it, available on Amazon.com.)

What about detaining US businesspersons on more trumped-up charges? Just look at what purported US ally Nigeria did to Binance compliance officer Tigran Gambaryan in 2024. According to the New York Times (NYT), the “Nigerian government charged Mr. Gambaryan and Binance itself with tax evasion and money laundering — effectively accusing the company and a midlevel employee of the same crimes.” He was held in custody for eight months in a Nigerian prison in Abuja. Both the GSK matter and Gambaryan’s case point to the real risks that US businesspersons may now well face if they engage in bribery and corruption outside the US. Wherever you want to be, a prison in China or Nigeria is not one of those places.

Business Reasons

A. The Bribery Tax

Paying bribes is a cost. Once you pay a bribe, corrupt officials have you in their collective back pockets. Multiple FCPA enforcement actions over the years have demonstrated that corrupt officials are never shy about demanding more illegal payments during the life of a business relationship. Does an organization think a one-time bribe payment will secure its contract? Once corrupt government officials eat at the trough of a corrupt company, they always come back for more. Churchill said, ‘One, we have established your morals; now it’s just a question of the amount.’

Bribery can be a one-time payment or an ongoing obligation. Bribes are a percentage of the overall contract value and can go up or down. Who is going to keep those records, and how does an organization engage in such negotiations? It sounds like trying to negotiate with organized crime. The bottom line is that bribes are a tax that any organization subjects itself to when it engages in corruption.

B. Negative Impact on Revenue

Not only does paying bribes put individuals and organizations at criminal risk, but it can also be more costly and a less effective business strategy in the long run. A CFO.com article reported that George Serafeim and Paul Healy of Harvard Business School published a paper in the American Accounting Association journal The Accounting Review finding that bribery’s “overall effect on a company’s finances is nil—a poor result, given that the practice could trigger damaging media. Yet bribes are costly. The low returns on equity on incremental sales in high-corruption markets for firms [that commit bribery] imply that the costs are not fully recovered through higher prices on corrupt contracts or through scale economies from increased sales.”

Statistically, the authors reviewed some “480 large multinational companies from 32 countries; those with strong anticorruption programs had average sales growth over three years of 2.6% in high-bribery countries or regions, far below the 14.1% achieved by anticorruption laggards. Yet, that didn’t translate to a greater gain in return on equity for the latter group compared with the former.” The authors concluded, “On average, the sales growth and ROE effects are offsetting.”

C. Department of Bribery and Corruption

Now, think about the business impact of how bribes might be paid. Will your organization go full Siemens or Odebrecht and create an entire department dedicated to bribery and corruption? Will your organization change its Code of Conduct to say that now that the Trump Administration has suspended FCPA enforcement, your company will engage in illegal acts? Are you going to try to hide your newfound business strategy? If so, what is the cost of announcing that your organization believes in unlawful acts to gain business? What business executive will lead this organization and put their head on the chopping block for directing illegal activity?

Your organization would be skewered in the court of public opinion. Just as consumers have no interest in purchasing clothing or other products made with slave or forced labor, they would have zero interest in companies that pay bribes to garner business. Such actions could also lead to more civil actions for anti-competitive behavior brought by private parties.

But here, the greater risk is internal for companies. After 20 years of training on not paying bribes, how to spot a bribe, and who not to do business with, the Trump Administration expects US companies to change course. What will this do to a culture of doing business ethically and in compliance? If corporate execs set up a Department of Bribery and Corruption or try to hide it, what message does that send to employees? It sends the message that engaging in bribery, corruption, and fraud is acceptable in our organization.

This fraud component may be the most important business reason for robust compliance. Every ACFE Report to the Nations makes clear that corruption is a subset of fraud. Any company that supports bribery and corruption will be more susceptible to employees engaging in fraud. After all, if a company is willing to violate the law to make money, why shouldn’t employees do so as well?

Compliance is the Key

I have set out all of these scenarios to explain why compliance will become even more important during this second Trump administration. If doing ethics is doing the right thing when no one is looking, then compliance should be seen as the business process that follows up to ensure it is all happening. Going forward, the need for effective compliance will only increase, and the pressure on compliance professionals will intensify. An effective compliance program will make your business run more efficiently and more profitably. It will protect your organization from various woes brought on by the current administration.


The Rising Tide of CCO and CISO Liability

The issue of personal liability for Chief Compliance Officers (CCOs) and Chief Information Security Officers (CISOs) is not new, but as we move into 2025, it is becoming an increasingly pressing concern. The regulatory environment is evolving, and enforcement trends indicate a growing willingness among prosecutors to target individual executives. The cases of Joe Sullivan, Carlos Abarca, and Tim Brown highlight critical lessons for compliance professionals. These cases—and the broader regulatory framework—underscore the importance of proactive risk management, clear governance structures, and a strong compliance culture. Jonathan Armstrong and I explored these cases, their issues, and the lessons learned from them in a recent episode of the award-winning podcast Life with GDPR.

Personal Liability: A Trend That’s Here to Stay

The SEC has long embraced the idea of holding individuals accountable for corporate misconduct. The rationale is simple: corporations may treat fines as a cost of doing business, while individual prosecutions create a stronger deterrent effect. This approach is particularly evident in cybersecurity failures, data breaches, and financial misrepresentation. Indeed, former SEC Director of Enforcement Gurbir Grewal, in a speech to the New York City Association Compliance Institute in 2023, said that there were “three situations where the Commission typically brings enforcement actions against compliance personnel.” These three are:

  1. Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
  2. Where they misled regulators; and
  3. Where there was a wholesale failure to carry out their compliance responsibilities.

The question facing compliance professionals is no longer whether they could be held personally liable but how to mitigate that risk. We then turned to three key individual cases to see what lessons might be drawn.

Case Studies in Individual Accountability

  • Joe Sullivan and the Uber Case

Joe Sullivan, a former federal prosecutor and Uber’s CISO, was convicted for his role in covering up a data breach. When hackers exploited Uber’s system, Sullivan arranged a $100,000 payment through Uber’s bug bounty program, framing it as a legitimate transaction rather than a ransom payment. The prosecutors argued that he misled regulators and obstructed justice. Though Sullivan avoided prison and received a sentence of three years’ probation, the judge clarified that future cases might not be met with such leniency. The lesson here? Transparency is non-negotiable. Attempting to manage a breach in secret, even with good intentions, can result in severe personal consequences.

  • Carlos Abarca and the TSB Bank Migration Failure

Carlos Abarca, former CIO of TSB Bank, oversaw an IT migration project that ultimately failed, leading to widespread customer service outages. During board meetings, Abarca assured directors that the project was on track. However, regulators scrutinized his statements when the migration went awry due to supplier failures. He was fined nearly $100,000, with investigators even citing his LinkedIn profile, where he described himself as an expert in change management. The key takeaway? CCOs and CISOs must ensure that their public and internal statements accurately reflect organizational realities. Overstating capabilities—or underreporting risks—can become evidence of liability.

  • Tim Brown and the SolarWinds SEC Action

Tim Brown, SolarWinds’ CISO, faced SEC charges for allegedly misleading investors about the company’s cybersecurity posture. The SEC contended that Brown downplayed known security risks, making generic statements such as “we could be attacked” while failing to disclose specific vulnerabilities that were internally documented. Though these charges were eventually dismissed, the case highlighted the increasing role of securities regulators in policing cybersecurity disclosures. For compliance professionals, this underscores the importance of precise, fact-based reporting. Vague assurances will not suffice when regulators uncover internal evidence of known risks.

Regulatory and Legislative Trends: A Tougher Landscape Ahead

The move toward personal liability is not just a U.S. phenomenon. The EU’s Digital Operational Resilience Act (DORA), the Cyber Resilience Act, and similar regulations introduce new accountability mechanisms for compliance and security professionals. These laws emphasize:

  1. Personal responsibility for cybersecurity and compliance failures
  2. Heightened reporting obligations for executives
  3. Potential fines and bans from holding future positions

Furthermore, changes in corporate listing rules, especially regarding cybersecurity disclosures, suggest that more CCOs and CISOs will be in the regulatory crosshairs. With shareholder lawsuits also on the rise, particularly in the U.S., individuals may face both government enforcement and private litigation.

Mitigating Personal Risk: What Compliance Officers Can Do

Given these trends, compliance professionals must take proactive steps to protect themselves. We reviewed the following steps a CCO/CISO could take.

  • Due Diligence Before Accepting a Role

If you are considering a new compliance or security leadership position, conduct thorough due diligence on the organization:

  1. Investigate past compliance failures or regulatory issues.
  2. Assess the board’s composition and governance practices.
  3. Evaluate the company’s historical commitment to compliance and cybersecurity.

A company with a poor compliance track record or a weak board structure may pose significant personal risks.

  • Clarify Your Role and Responsibilities

Clearly define your job responsibilities, ensuring that you supervise compliance rather than solely being responsible for it. A well-drafted job description should:

  1. Specify oversight responsibilities rather than direct operational duties.
  2. Ensure a direct reporting line to senior leadership or the board.
  3. Include indemnification clauses in cases of legal action.

  • Secure Adequate D&O Insurance

Directors and Officers (D&O) insurance is a critical safeguard. Compliance professionals should:

  1. Confirm that D&O insurance covers regulatory and enforcement actions.
  2. Negotiate for personal indemnification clauses in employment contracts.
  3. Ensure coverage is broad enough to include cybersecurity incidents and regulatory fines.

  • Strengthen Internal Reporting and Documentation

Proper documentation is one of the best defenses against liability.

  1. Ensure board minutes accurately reflect discussions about compliance and risk.
  2. Maintain records of risk assessments and mitigation efforts.
  3. Encourage formal reporting mechanisms rather than informal communications.

  • Be Cautious with Communications

Emails and internal memos can become evidence in investigations. Best practices include:

  1. Avoid speculative discussions about compliance risks.
  2. Stick to factual reporting and avoid overly optimistic statements.
  3. Encourage employees to use formal reporting channels rather than casual email exchanges.

Looking Ahead: What to Expect in 2025

As regulatory scrutiny increases, compliance and security professionals must remain vigilant. We can expect:

  1. More enforcement actions targeting individuals rather than just corporations.
  2. Greater regulatory focus on cybersecurity disclosures in public filings.
  3. Stronger whistleblower protections, increasing the likelihood of internal reports leading to investigations.
  4. Continued expansion of liability under new European and U.S. regulations.

The era of heightened personal liability for compliance and security executives is here to stay. The best defense is a strong offense: conducting due diligence before taking a role, clearly defining responsibilities, securing proper insurance, maintaining meticulous documentation, and ensuring precise internal and external reporting. In this new environment, compliance professionals must not only safeguard their companies but also themselves.