Tag: CCO

Categories
Blog

The Warner Bros. Bidding War: Part 3 – The CCO Playbook for Transactions Under Pressure

The Warner Bros. Bidding War: Part 3 – The CCO Playbook for Transactions Under Pressure

The Warner Bros. (WBD) bidding war is not simply a Board story. It is a compliance operating model test. When a superior proposal emerges, the Chief Compliance Officer (CCO) must move from program design to execution discipline. Today, we conclude our short review of the Warner Bros./Netflix/Paramount dance and sale by considering lessons for the compliance professional.

In Part 1, we focused on the deal mechanics that led Warner Bros. Discovery to move from an agreed transaction with Netflix to a superior proposal from Paramount Skydance. In Part 2, the focus shifted to Board governance and fiduciary duty. This final post, Post 3, answers the operational question. What must the Chief Compliance Officer do when the process accelerates and governance must be proven in real time?

The answer is grounded in the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The core question remains constant. Is the program working in practice? A live transaction provides the answer.

Move Compliance Into the Transaction Control Room

Too many compliance functions treat M&A as a legal and financial activity. That approach fails when the transaction becomes contested. Once a superior proposal is identified, the compliance function must:

  • Participate in transaction governance meetings
  • Map control risks across disclosure, communications, and decision-making
  • Establish escalation pathways for new information

This is consistent with the expectations embedded in the DOJ’s Corporate Enforcement Policy, which rewards companies that demonstrate real-time awareness, escalation, and action. A compliance function that is not present during the decision-making process cannot later demonstrate that controls were effective.

Build and Execute an Evidence Protocol

The most significant compliance failure point in transactions is not misconduct. It is the absence of a reliable evidentiary record. In the WBD process, multiple streams of information were created simultaneously:

  • Board materials
  • Banker communications
  • Draft proposals and revisions
  • Internal analyses and emails

The CCO must ensure that the company has an evidence-based protocol that includes:

  • Centralized collection of transaction-related materials
  • Defined custodians for document integrity
  • Time-stamped records of key decisions and communications

Under the DOJ’s framework, this directly ties to the question of whether the company can demonstrate effectiveness through data and documentation. If the company cannot reconstruct its decision-making process, it cannot defend it.

Treat Disclosure Controls as a Real-Time Compliance System

Post 2 emphasized that disclosure is a governance issue. For the CCO, it is a control system. The compliance function should validate that:

  • The disclosure committee is activated and functioning continuously
  • There is a clear trigger matrix for Form 8-K filings and proxy updates
  • All external communications are coordinated and controlled

This is not theoretical. In a contested transaction, the volume and speed of information create a risk of selective disclosure, inconsistent messaging, or delayed filings. The CCO must ensure that disclosure controls meet the same standard as financial controls. They must be tested, documented, and operational.

Control Third-Party and Advisor Risk

Transactions introduce intense third-party engagement. Investment banks, legal advisors, consultants, and communications firms all operate at speed. In the WBD scenario, third-party actions included:

  • Structuring revised proposals
  • Communicating deal terms
  • Interacting with market participants

The CCO must ensure:

  • Clear protocols for third-party communications
  • Defined boundaries on who can speak on behalf of the company
  • Documentation of all material third-party interactions

This aligns with long-standing expectations under the Foreign Corrupt Practices Act (FCPA) and the broader third-party risk principles embedded in compliance programs. Even in a domestic transaction, third-party risk remains a control issue.

Align Governance With Internal Controls Frameworks

The events described in Parts 1 and 2 map directly onto internal control frameworks such as the COSO Internal Controls Framework. For the CCO, this means:

  • Control Environment: Tone at the top regarding disciplined decision-making
  • Risk Assessment: Identification of disclosure, litigation, and regulatory risks
  • Control Activities: Implementation of approval processes and documentation protocols
  • Information and Communication: Real-time disclosure and coordination
  • Monitoring: Ongoing review of transaction-related controls

This mapping is not academic. It is how the company demonstrates that governance is structured, repeatable, and effective.

Prepare for Day Two Risk

The transaction does not end with signing or closing. It creates a new risk profile. The CCO must plan for:

  • Integration of compliance programs across entities
  • Review of legacy decisions made during the transaction process
  • Preservation of records for litigation or regulatory review

This is where the DOJ’s focus on continuous improvement becomes critical. The company must show that it learns from the transaction and strengthens its program.

Connecting the Lessons Across the Series

Part 1 showed that deal terms, including termination fees and superior proposal mechanics, can change outcomes. Part 2 demonstrated that the Board must govern those changes through documented, disciplined processes. In Part 3, we demonstrated the connections between the two. The compliance function is the mechanism that allows the company to prove that governance worked. Without compliance execution, governance is an assertion. With compliance execution, governance becomes evidence.

Practical Action Steps for CCOs

  1. Embed compliance into the transaction governance structure at the outset of any deal.
  2. Implement an evidence protocol that captures all material transaction activity in real time.
  3. Test disclosure controls under accelerated conditions, including mock 8-K scenarios.
  4. Define and enforce third-party communication protocols.
  5. Map transaction governance to COSO and DOJ ECCP requirements before a contested situation arises.

Questions for the CCO

  1. If a regulator requested the full decision record tomorrow, could the company produce it?
  2. Are disclosure controls capable of operating continuously under transaction pressure?
  3. Is there a single source of truth for transaction-related documentation?
  4. Are third-party interactions fully documented and controlled?
  5. Has the compliance program been stress-tested in a high-speed governance scenario?

Final Thoughts

The Warner Bros. Discovery bidding war is not unique. What is unique is how clearly it illustrates the modern role of the Chief Compliance Officer. Compliance is no longer limited to preventing misconduct. It is responsible for enabling the company to act, decide, and disclose with integrity under pressure and then prove it. That is the standard set by the DOJ. That is the expectation of Boards. And that is the future of the compliance profession.

 

Categories
Blog

The Warner Bros. Bidding War: Part 2 – Board Governance Under Pressure

When a superior proposal emerges, the Board is no longer evaluating strategy. It is proving governance. The Warner Bros. transaction shows how fiduciary duty, disclosure discipline, and control execution must function in real time. We are exploring Warner Bros./Netflix/Paramount’s bidding and purchase processes for lessons for the compliance professional. In Part 1, we focused on what happened. This post focuses on how the Board must respond when events accelerate.

The process moved from a negotiated transaction with Netflix to a contested situation with a rival bidder, Paramount. At that moment, the Board’s role shifted from approving a deal to managing an auction under fiduciary duty. This is the precise moment contemplated by Delaware fiduciary law and the Board oversight obligations often framed through the lens of Caremark duties. The question is no longer whether the Board can approve a transaction. The question becomes whether the Board can demonstrate that it acted on an informed basis, in good faith, and in the best interests of shareholders. That is not a conclusion. It is a record.

Waiver Discipline and the Fiduciary Record

In a live bidding environment, the Board will be asked to consider waiving contractual provisions, including standstill agreements, exclusivity clauses, and information-sharing restrictions. The governance risk is not the waiver itself. The governance risk is undocumented decision-making. A Board must ensure that every waiver is:

  • Reduced to writing with a defined scope and duration
  • Reviewed by counsel with a clear statement of fiduciary rationale
  • Reflected in contemporaneous Board minutes that explain why the waiver was necessary

Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) framework, the question is whether the company can demonstrate that its processes work in practice. A waiver without documentation is indistinguishable from a control failure.

Termination Fees as Board-Level Risk

The WBD transaction turned the $2.8 billion termination fee into a live issue. When Paramount agreed to fund the fee, the Board had to evaluate more than price. It had to evaluate:

  • Who ultimately bears the economic and legal risk
  • Whether the funding mechanism introduces new contingencies
  • How the arrangement should be disclosed to shareholders

Termination fees are often treated as deal protections. In a contested process, they serve as mechanisms for risk allocation. That places them squarely within Board oversight. A Board that does not interrogate the assumptions behind a termination fee, including third-party assumptions, is not exercising informed judgment.

Real-Time Disclosure Controls

Disclosure obligations in a transaction are not periodic. They are continuous. Once a superior proposal is identified, the company must:

  • Update proxy materials where required
  • Ensure that all material information is disclosed without selective leakage
  • Align communications across legal, investor relations, and management

The governance challenge is that information moves faster than process. Emails, banker discussions, draft proposals, and internal analyses all become part of the evidentiary record. Boards must ask whether the company has a real-time disclosure protocol. This includes:

  • A defined disclosure committee process
  • A single point of accountability for filings such as Form 8-K
  • Controls over who can communicate with external stakeholders

This is where governance intersects directly with compliance. Disclosure failures are not merely technical. They can trigger enforcement exposure.

The 8-K and Proxy Playbook

In a fast-moving transaction, the company does not have the luxury of drafting disclosures from scratch. A Board should expect management to have a predefined playbook that includes the following:

  • Trigger thresholds for filing obligations
  • Pre-approved disclosure templates for common scenarios
  • A documented approval chain involving legal, finance, and executive leadership

The absence of such a playbook creates a delay. Delay creates inconsistency. Inconsistency creates risk. From a COSO internal control perspective, this is a failure in control activities and information and communication. From a DOJ perspective, it is evidence that the program is not operationalized.

Regulatory Readiness and Remedy Planning

Both competing transactions carried regulatory risk. The difference was how that risk was allocated and mitigated. A Board must understand the following:

  • The regulatory approval pathways
  • The likelihood of a challenge
  • The remedies available if regulators object

More importantly, the Board must ensure that management has pre-developed the following:

  • Divestiture scenarios
  • Behavioral remedies
  • Escrow or holdback mechanisms tied to regulatory outcomes

This is not theoretical planning. It is part of the decision to determine which proposal is superior. A Board that does not understand regulatory risk is not fully evaluating the transaction’s value.

Post-Termination Control and Evidence Custody

When WBD terminated the agreement with Netflix, the transaction did not end. It transitioned into a new phase of risk. The company must:

  • Ensure proper handling of confidential information shared during the termination process
  • Preserve all records relevant to the decision-making process
  • Maintain audit trails for potential litigation or regulatory review

This is where evidence discipline becomes critical. The record must be complete, organized, and defensible. In the absence of such controls, the company risks being unable to demonstrate how decisions were made.

Why This Matters for Boards

The WBD process illustrates that governance is tested when conditions change rapidly. A Board cannot build governance in the middle of a transaction. It must already exist. The DOJ and SEC will not evaluate the Board based on the outcome. They will evaluate the Board based on the effectiveness of its processes, documentation, and controls. This is the essence of modern corporate governance. It is not about whether the Board chose Netflix or Paramount. It is about whether the Board can prove how and why it made that choice.

Practical Takeaways for Boards

  1. Ensure that superior proposal mechanics are understood at the Board level before a transaction is signed.
  2. Treat termination fees and regulatory protections as governance issues requiring full Board engagement.
  3. Demand real-time disclosure controls with clear ownership and escalation protocols.
  4. Require a pre-built 8-K and proxy playbook to manage disclosure risk under time pressure.
  5. Mandate regulatory scenario planning as part of transaction evaluation.

Questions for the Board

  1. Can the Board demonstrate, through contemporaneous documentation, how it evaluated a superior proposal?
  2. Does the company have a real-time disclosure control framework that supports rapid filings and updates?
  3. Are termination fee structures and third-party funding arrangements fully understood and documented?
  4. Has the Board reviewed regulatory risk scenarios and approved a default remedy strategy?
  5. Who is accountable for evidence preservation and record integrity during and after the transaction?

Please join us tomorrow; in our final post, we’ll focus on the Chief Compliance Officer. The question will be direct. What must a CCO do, in operational terms, to ensure that the company can execute governance under pressure and prove it after the fact?

 

Categories
Innovation in Compliance

Innovation in Compliance: Invitational Leadership for Employee Engagement Success With Dr. Dennis Cummins

Innovation comes in many forms, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Dr. Dennis Cummins to discuss his new book, “Invitational Selling: The Human Connection Advantage.”

Dr. Dennis Cummins, a globally recognized authority on invitational selling, champions a sales approach that prioritizes building authentic connections over traditional hard-sell techniques. Rooted in his extensive experience selling from the stage, Dr. Cummins believes in the transformative power of meaningful conversations to understand and effectively meet customer needs. His philosophy is detailed in his new book, “Invitational Selling: The Human Connection Advantage,” which promotes inviting customers to engage rather than pressuring them into a purchase, fostering authentic relationships that extend beyond mere transactions. Proceeds from the book benefit the Make-A-Wish Foundation. His book also underscores the potential of invitational selling to inspire collaboration within organizations and families, reflecting his commitment to empowering others through shared skills and talents.

Key highlights:

  • Relationship-Driven Sales Approach
  • Invitational Leadership for Employee Engagement
  • Profitability through Open Communication Culture
  • Humanizing AI to Build Trust and Connection
  • Invitational Selling: Creating Authentic Business Connections

Resources:

Dr. Dennis Cummins on LinkedIn

Dr. Dennis Cummins Website

Invitational Selling: click here 

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
Blog

The Warner Bros. Bidding War: Part 1 – What Happened and Why Compliance Professionals Should Care

A fast-moving corporate auction shows how deal terms, fiduciary duties, disclosure controls, regulatory risk, and evidence discipline can determine the outcome of a major transaction. Over the rest of this week, I will be exploring the Warner Bros./Netflix/Paramount bidding war, which

The Deal That Changed Direction

The Warner Bros./Netflix/Paramount bidding war is one of those corporate stories that looks like Hollywood drama on the surface but is really a governance story underneath. At first, Warner Bros. (WBD) had an agreed transaction with Netflix. That deal carried a $2.8 billion company termination fee payable by WBD under specified circumstances, including termination to enter into a superior proposal. The proxy materials also disclosed a $5.8 billion regulatory termination fee payable by Netflix if the deal failed for certain regulatory reasons. (SEC)

Then Paramount Skydance (Paramount) came back with a revised proposal. It raised the bid to $31 per WBD share in cash, added a ticking fee, offered a $7 billion regulatory termination fee, and agreed to fund the $2.8 billion termination fee owed to Netflix. (SEC) Reuters reported that WBD said the revised Paramount proposal could be considered superior, which set the process in motion. (Reuters)

By February 27, 2026, WBD terminated the Netflix agreement and entered into a merger agreement with Paramount Skydance. WBD later disclosed that Paramount Skydance paid the $2.8 billion Netflix termination fee on WBD’s behalf. (SEC)

That is the transaction story. The compliance story is deeper.

This Was Not Merely a Higher Price

In M&A, price matters. But price is rarely the only issue. Boards also look at certainty of closing, regulatory risk, financing, timing, shareholder value, legal exposure, and execution risk. Paramount did not merely increase the cash price. It addressed several deal objections at once. It offered to cover the Netflix break fee. It added a ticking fee if closing was delayed. It increased regulatory risk protection. It positioned its offer as cleaner, faster, and more certain than the existing transaction. (SEC)

That matters because boards do not evaluate superior proposals in a vacuum. They evaluate the entire package. The better governance question is not simply, “Which offer is higher? ”It is, “Which offer delivers the best risk-adjusted value to shareholders, and can the Board prove how it reached that conclusion? ”

The Termination Fee Became a Governance Issue

The $2.8 billion termination fee is an important part of the story. In ordinary conversation, that number sounds like a barrier. In this transaction, it became part of the competitive bidding structure. Paramount agreed to fund the termination fee, which changed the economics for WBD shareholders. WBD’s own annual report language later stated that, after the Board determined it had received a Company Superior Proposal and Netflix waived its right to propose revisions, WBD terminated the Netflix agreement and Paramount paid Netflix the $2.8 billion fee on WBD’s behalf. (SEC)

For compliance and governance professionals, this is the control point: when a large termination fee can be assumed, reimbursed, funded, or otherwise neutralized by a rival bidder, the company needs clear documentation showing who approved that structure, how it was analyzed, how it was disclosed, and how conflicts were managed.

Disclosure Was Not a Back-Office Exercise

In a contested transaction, disclosure is part of the control environment. The company must update shareholders, respond to rival communications, track proxy statements, preserve drafts, document board deliberations, and avoid selective disclosure. The Netflix proxy materials laid out the termination fee structure and the circumstances under which the fee could become payable. (SEC) Paramount’s revised proposal was also publicly communicated through SEC filings, including the increased $31-per-share cash price and the regulatory termination fee. (SEC)

This is where compliance should pay attention. A transaction can move faster than the company’s document discipline. Emails, banker calls, board materials, draft press releases, proxy supplements, and negotiation notes can become evidence. If the company doesn’t have a real-time evidence protocol, the record will build itself, which isn’t ideal.

Why Compliance Professionals Should Care

Some believe this is a board-and-banker story. That is too narrow. It is also a compliance story because compliance is about governance, controls, documentation, accountability, escalation, and evidence. A high-stakes transaction tests whether the company’s control environment holds up under the highest pressure. It tests whether the Board receives complete information. It tests whether management understands escalation obligations. It tests whether legal, finance, communications, investor relations, and compliance can coordinate without losing the record.

This is exactly the kind of moment when the DOJ’s Evaluation of Corporate Compliance Programs is relevant, even outside an enforcement action. The central question is familiar: is the program well-designed, adequately resourced, empowered to function, and working in practice? In M&A, that means the compliance function should understand how deal governance intersects with disclosure controls, third-party risk, regulatory commitments, document preservation, and post-closing integration.

The Larger Lesson

The WBD bidding war shows that corporate governance is not theoretical. It is operational. A superior proposal clause is not just legal drafting. A termination fee is not just a financial number. A proxy supplement is not just a filing. Each is a control point. The companies that manage these moments well do three things. They make decisions through disciplined processes. They document the basis for those decisions in real time. They align governance, legal, finance, disclosure, and compliance before the crisis point arrives.

Practical Takeaways for Compliance Professionals

  1. Major transactions require evidence discipline from day one.
  2. Disclosure controls must be ready before a rival bidder appears.
  3. Termination fees and regulatory commitments should be treated as governance issues, not simply deal terms.
  4. Board minutes and waiver records must tell the fiduciary story.
  5. Compliance should have a seat at the broader transaction control table, especially when regulatory, third-party, data access, communications, and post-closing integration risks are implicated.

That is the lesson for every CCO. You may not be running the auction, but your program should help the company prove that it made decisions with integrity, evidence, and accountability.

Categories
Blog

Thomas Hobbes and Why Every Compliance Program Needs Order

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider how Thomas Hobbes makes clear in his writings that no institution can function without order.

If Francis Bacon teaches that compliance must be grounded in evidence, René Descartes teaches that evidence must be examined rigorously, and John Locke teaches that a compliance system must be legitimate, Thomas Hobbes takes us to a different but equally important truth about structure.  That is where Hobbes becomes surprisingly relevant to the modern corporate compliance program.

That point can sound severe to modern ears, but compliance professionals understand it instinctively. Good intentions are not enough. Strong values are not enough. Even a trusted culture is not enough. A company also needs structure, clear rules, defined authority, escalation channels, and credible enforcement. Without them, pressure, ambiguity, and self-interest will fill the vacuum.

Hobbes is often remembered for his stark view of human nature and his argument that, in the absence of a strong governing authority, disorder follows. In his political philosophy, institutions exist in part to prevent chaos, conflict, and the breakdown of shared rules. While corporations are not states and employees are not citizens in the political sense, the organizational lesson is powerful. In any complex enterprise, when roles are unclear, rules are weak, exceptions become routine, and accountability is diffuse, people will default to local incentives, personal judgment, and short-term advantage. That is a dangerous environment for compliance.

Why Hobbes Matters to Compliance

Hobbes helps us understand something that compliance officers see every day: misconduct often flourishes not simply because individuals have bad intent, but because the system around them lacks structure. When approval processes are vague, when no one knows who owns a risk, when policies are written but not operationalized, when escalation lines are uncertain, or when managers believe standards are optional if performance is strong, disorder sets in. It may not look dramatic at first. It may look like improvisation, local flexibility, or entrepreneurial speed. But over time, that disorder becomes fertile ground for misconduct. Hobbes would not have been surprised.

His philosophy begins with the recognition that interests, fears, ambitions, and competing claims drive human beings. In the absence of a framework that organizes conduct, conflict, and opportunism follow. Translate that into corporate life, and the message becomes clear. Sales teams under pressure will rationalize shortcuts. Business sponsors will push third parties through onboarding if they believe control functions are merely advisory. Local managers will create informal workarounds if policies lack clear accountability. A company does not become more ethical by leaving such matters to improvisation. It becomes less governable. That is why compliance needs structure. Structure is what turns values into operations.

The DOJ Looks for Structure, Not Slogans

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Hobbesian insight throughout. Prosecutors do not simply ask whether a company talks about ethics. They ask whether the compliance function has authority, stature, autonomy, and resources. They ask who owns specific risks, how decisions are made, whether controls are implemented consistently, whether investigations are escalated properly, and whether disciplinary systems are enforced. Those are all questions about institutional order.

This is important because many organizations still overestimate the power of tone. Tone at the top matters. Culture matters. Legitimacy matters. But none of those can substitute for structure. A CEO can deliver a compelling speech about integrity. However, if the company’s third-party onboarding process is fragmented, if financial approvals can be bypassed informally, or if no one knows when a matter must be escalated to legal or compliance, then the organization has created a system in which disorder is likely.

Hobbes helps compliance professionals make this point without apology. Rules are not a sign of distrust. Controls are not bureaucratic excess. Escalation pathways are not obstacles to business. They are the architecture that prevents pressure and self-interest from overwhelming principle. The COSO Internal Controls Framework makes much the same point in a different vocabulary. The control environment, control activities, information and communication, and monitoring all depend on defined roles, clear expectations, and operational discipline. The Federal Sentencing Guidelines likewise assume that compliance requires standards, oversight, training, auditing, reporting, and consistent response. Hobbes would recognize all of that as institutional design for preventing disorder.

Policies Must Be Operational, Not Aspirational

One of the most common failures in corporate compliance is the belief that policy issuance is itself control. It is not. A policy can express a standard, but unless the company translates that standard into decision rights, workflows, approvals, and accountability, the policy remains aspirational. This is where Hobbes is especially useful. He reminds us that order is created not by declarations, but by mechanisms.

Take a gifts, travel, and entertainment policy. On paper, the policy may clearly prohibit excessive or improperly documented expenses. But the real compliance question is whether the operating system around the policy supports that standard. Who approves the expense? Is there a threshold that triggers additional review? Are government-facing interactions flagged? Is supporting documentation required before reimbursement? Are there analytics to identify unusual patterns? Are exceptions tracked? Can someone ask a friendly manager to sign off without scrutiny? If the answers are weak, the policy is weak, no matter how polished its language.

Internal Controls Are the Language of Order

If one wanted to translate Hobbes into modern corporate practice, one would end up talking about internal controls. Controls are how an organization embeds order into decision-making. They define who can do what, under what conditions, with what approvals, and with what oversight. They reduce discretion where discretion creates unacceptable risk. They separate duties so that no single actor can move money, approve vendors, or override procedures without a second set of eyes. They create documentation so that actions can be reviewed later. They make authority visible.

For compliance professionals, this is a critical point. Compliance is not merely about training people to do the right thing. It is also about designing systems that make the right thing more likely and the wrong thing harder to do. Hobbes would say that the institution failed to create sufficient order to contain foreseeable human behavior.

Escalation Is a Form of Governance

Another Hobbesian lesson for compliance is the importance of escalation. In poorly governed companies, people often know something is wrong but do not know where the issue should go, who owns the decision, or what threshold requires higher review. That uncertainty is one of the most dangerous forms of disorder because it allows time, politics, and convenience to shape the response. A mature compliance program should therefore have clear escalation pathways.

When does a third-party red flag require a compliance sign-off? When must legal be brought into an internal investigation? At what point does a matter involving senior leadership move to the audit committee or board? Who can approve an exception to policy, and what documentation must support it? Who decides whether a substantiated misconduct issue triggers broader control remediation? These are not administrative details. They are the channels through which institutional order is maintained.

The ECCP pays close attention to this issue because escalation is one of the clearest indicators of whether compliance has real authority. If important matters can be contained, softened, or rerouted informally by management, then the program is fragile. Hobbes would have recognized the danger immediately. Where the lines of authority are unclear, competing interests will rush in.

Enforcement Gives Standards Their Weight

No discussion of order would be complete without enforcement. Hobbes understood that rules without consequences are invitations to defection. The same is true in corporate compliance. A company may have excellent policies, robust training, and well-designed procedures, but if employees believe violations will be ignored, minimized, or treated selectively, the system loses force. This is where consistent discipline matters so much. John Locke helped us see discipline as a question of legitimacy and fairness. Hobbes adds a different point. Discipline is also what gives the rule structure its operational credibility. It signals that standards are real, that no one is exempt, and that the organization is willing to defend the order it has established.

This does not mean punitive excess. It means predictability and seriousness. A company should be able to explain how disciplinary outcomes are determined, how similar cases are handled, and how managers are held accountable not only for their own conduct but for the environments they create. High performers cannot be given private exemptions. Senior executives cannot be allowed to negotiate around standards. Informal workarounds cannot become tolerated customs. Hobbes would have called that a dangerous condition.

The Compliance Officer as Architect of Order

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, and Locke as a steward of legitimacy, Hobbes casts the compliance officer as an architect of order. The compliance officer helps turn principle into process. The compliance officer asks where authority sits, where decisions are made, where controls can be bypassed, where exceptions accumulate, where roles are unclear, and where escalation can fail. That work is not separate from ethics. It is one of the main ways ethics becomes operational inside a large organization.

This is especially important during periods of growth, restructuring, acquisitions, digital transformation, or market stress. Disorder often enters through change. New business lines are launched before roles are clarified. AI tools are deployed before governance is assigned. Third parties are engaged before diligence and monitoring are fully operational. Incentives are revised without understanding how they affect conduct. Hobbes reminds us that institutional order is not self-sustaining. It must be built, maintained, and defended.

Thomas Hobbes may seem like an austere companion for the modern compliance professional, but his lesson is both practical and urgent. Institutions do not drift into integrity. They require order.

Five Lessons from Thomas Hobbes for the Modern Compliance Professional

First, culture and values are essential, but they cannot substitute for structure. A company needs clear rules, defined roles, and operating discipline.

Second, policies are not controls unless they are translated into workflows, approvals, documentation, and accountability.

Third, internal controls are the mechanisms by which institutional order is embedded in business operations. They make the right behavior more likely and the wrong behavior harder to execute.

Fourth, escalation pathways are critical. Employees and managers must know when and how risk moves upward for review and decision.

Fifth, enforcement gives standards their weight. Rules without consistent consequences will eventually be overtaken by convenience and local incentives.

Coming Next: Isaac Newton and the Hidden Forces Behind Misconduct

If Thomas Hobbes teaches us why every compliance program needs order, Isaac Newton will help us understand something even deeper: misconduct is rarely random. It is produced by forces, incentives, pressures, and patterns that can be studied and addressed. In Part 5, I will explore how Newton’s systems-based way of thinking offers a powerful framework for root cause analysis, incentive review, compliance analytics, and proactive prevention. A mature compliance program does not simply respond to failure. It learns to understand the forces that make failure more likely.

Categories
Great Women in Compliance

Great Women in Compliance: Risk as a Leadership Discipline: Lessons from Internal Audit

Guest Bio:

Michelle Wagner is Vice President and Head of Internal Audit at DocuSign, where she leads global audit strategy and helps the organization strengthen governance, risk management, and internal controls while supporting a culture of integrity and accountability.

With more than 25 years of experience across consulting and industry,

Michelle has held leadership roles at Deloitte, Costco, and SAP, where she led large audit portfolios, built high-performing teams, and drove governance and risk transformation initiatives across complex global organizations.

Michelle is known for her practical, people-centered approach to risk leadership and for translating complex risk insights into clear, actionable guidance. She is passionate about mentoring emerging leaders and helping organizations move from reactive risk management to proactive, insight-driven decision-making.

Show Notes:

Risk is often framed as technical work, but at its core, it is deeply human.

In this episode of Great Women in Compliance, Dr. Hemma Lomax sits down with Michelle Wagner, Head of Internal Audit at DocuSign, to explore how curiosity, empathy, and partnership help organizations manage risk more effectively and build stronger ethical cultures.

Michelle shares insights from a career spanning consulting and global leadership roles, reflecting on the moments that shaped her leadership philosophy and the lessons she has learned about influencing without authority, building trust, and helping teams see risks as opportunities to improve rather than problems to avoid.

Together, they discuss the evolving role of internal audit, the importance of collaboration across risk functions, and how emerging technologies such as AI can help leaders identify patterns and generate insights while reinforcing the need for human judgment.

This conversation is a reminder that great risk leaders don’t just protect organizations — they help them succeed.

Episode highlights:

  • Why risk management is fundamentally a leadership discipline
  • Lessons from moving from consulting to executive leadership roles
  • What makes an internal audit function truly valuable
  • How audit, compliance, and business teams can partner effectively
  • The role of curiosity and psychological safety in surfacing risks
  • Michelle’s perspective on AI and the future of risk management
  • Leadership lessons from mentoring and building teams
Categories
Blog

René Descartes and the Discipline of Internal Investigation

This week, we are moving to Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields such as science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider René Descartes and what he teaches as the next step beyond Bacon: that evidence must be rigorously examined.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes teaches the next step: evidence must be examined with rigor. That is why Descartes is the natural second installment in this series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon gave us empiricism. Descartes gives us a method. Bacon tells us to look. Descartes tells us how to think about what we find.

For the compliance professional, that is no small matter. Modern compliance programs do not fail only because they lack information. They often fail because organizations do not ask the right questions, challenge convenient assumptions, or investigate troubling facts with sufficient discipline. A hotline report comes in, and management prematurely dismisses it. A financial anomaly is explained away because the business result looks attractive. A third-party red flag is rationalized because the market opportunity seems too important to slow down. In each case, the problem is not simply a lack of data. The problem is a lack of disciplined inquiry.

That is where Descartes has something important to say to the modern Chief Compliance Officer.

Why Descartes Matters to Compliance

René Descartes is best known for methodical doubt. He believed that if one wanted to arrive at reliable knowledge, one had to strip away weak assumptions and test what could be known. He did not advocate doubt for its own sake. He advocated doubt as a disciplined tool, a way to avoid error and reach sound conclusions. His method required breaking problems into parts, analyzing them carefully, proceeding in an orderly manner, and ensuring nothing important was overlooked. That is remarkably close to what an effective compliance investigation function should do.

The compliance professional cannot assume an allegation is false because it is inconvenient. Nor can one assume it is true because it is emotionally compelling. The task is to examine. What happened? Who knew what, and when? What documents exist? What controls should have operated? Where are the inconsistencies? What explanation fits the evidence, and what explanation merely sounds comforting? Descartes would have recognized this immediately. A sound conclusion requires method, not instinct.

In a corporate environment, that is especially important because organizations are full of narratives. Managers tell stories about performance. Employees tell stories about why something was necessary. Third parties tell stories about local customs or business necessities. The compliance function should listen, but it cannot stop there. It must test those stories against facts.

The DOJ Expects More Than a Quick Answer

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use philosophical language, but its expectations align closely with Cartesian thinking. The ECCP asks whether investigations are properly scoped, whether the company has adequate resources to conduct them, whether the company preserves and analyzes relevant data, whether reporting structures support independence, and whether lessons learned are used to improve the compliance program. That is not a request for superficial closure. It is a demand for disciplined inquiry.

The ECCP is not interested in whether a company can produce a memo that says the matter has been reviewed. It wants to know whether the review was credible. Did the company ask hard questions? Did it follow the evidence even when the evidence was uncomfortable? Did it look at underlying causes or accept a narrow explanation that minimized institutional responsibility? These are Descartes’ questions as much as the DOJ’s.

Method Beats Reaction

One of the most important lessons Descartes offers is that method matters more than reaction. Too many organizations still respond to reports of misconduct in an ad hoc fashion. The identity of the reporter, the subject’s seniority, or the business sensitivity of the issue can distort the process from the outset. Some matters are overreacted to because they are visible. Others are under-investigated because they are politically awkward. That is not a system. That is improvisation. A mature compliance program requires a clear, repeatable investigative method.

That begins with triage. Allegations should be assessed based on risk, scope, subject matter, and potential impact. Matters involving senior leadership, financial controls, corruption risk, retaliation, or systemic process failures may require immediate escalation and greater independence. Low-risk issues may still require attention, but not every matter needs the same level of response. Cartesian thinking does not mean treating every problem identically. It means applying a coherent method to determine what level of inquiry is warranted.

From there, the matter should be broken down into manageable components. What is the allegation? What business process is implicated? What documents are likely relevant? Who are the key custodians? What data sources exist? What is the working timeline? What controls should have operated? What policy provisions may have been implicated? This is classic Descartes: divide complex problems into smaller parts so they can be understood.

Disciplined Skepticism Is a Compliance Strength

Compliance professionals sometimes worry that skepticism will be perceived as mistrust. But disciplined skepticism is not cynicism. It is not hostility. It is professional rigor. It is the recognition that people often explain events in self-protective ways, that organizations prefer neat stories to messy truths, and that important facts are often buried inside routine processes. Descartes would have understood that skepticism is a necessary safeguard against error.

Consider a common internal reporting scenario. A manager says that a questionable payment was simply an administrative oversight. Perhaps that is true. But a compliance professional guided by Descartes would ask several follow-up questions. Was it really isolated? Have similar payments occurred before? Were approval thresholds bypassed? Was the vendor properly vetted? Were invoice descriptions vague or coded? Did someone raise concerns earlier? Was the explanation consistent across all available records? None of those questions accuse. They clarify.

Documentation Turns Inquiry Into Credibility

Another Cartesian lesson for compliance is the importance of orderly reasoning. An investigation cannot simply be sound in substance. It must also be documented in a way that shows how the conclusion was reached. This is essential for institutional memory, for regulatory defensibility, and for credibility with boards and senior management.

A well-documented investigation answers basic but vital questions. What was alleged? Who handled the matter? What evidence was reviewed? Which witnesses were interviewed? What facts were established? What policy or control failures were identified? What conclusion was reached, and why? What remediation followed? This kind of documentation is not bureaucratic excess. It is proof of intellectual discipline.

Without it, the company cannot show that it acted reasonably. It cannot identify patterns across matters. It cannot demonstrate consistency. It cannot revisit earlier decisions when new facts emerge. Most importantly, it cannot turn an individual case into organizational learning. Descartes’ method was about structured thinking. In corporate compliance, documentation is how structured thinking becomes durable.

Independence Matters When the Facts Get Uncomfortable

No discussion of investigations would be complete without addressing independence. The most elegant methodology in the world will not help if investigators are pressured to protect favored executives, minimize business disruption, or avoid awkward findings. Cartesian rigor requires a willingness to follow the facts wherever they lead. That, in turn, requires real autonomy.

The ECCP addresses this directly through its focus on stature, authority, resources, and access. Can the compliance function investigate senior personnel? Can it escalate concerns to the board or audit committee when necessary? Is it empowered to challenge management narratives? These are not secondary governance questions. They are central to whether the investigation process can produce reliable conclusions.

There is a reason so many compliance failures involve not merely misconduct, but management interference with the review of misconduct. When power shapes the investigation, facts become negotiable. Descartes would have seen that as a fundamental corruption of method.

Investigations Must Lead to Remediation

A Cartesian compliance program does not end with a finding. It asks what the finding means for the system. That is why investigations must connect to remediation and root cause analysis. If an allegation is substantiated, the question is not simply who violated what rule. The question is what enabled the failure.

Was the training insufficient? Were incentives pushing employees toward bad decisions? Was a manager creating pressure that undermined ethical judgment? Did the approval process invite shortcuts? Was the policy too vague to guide real-world conduct? These questions push the company from conclusion to improvement.

This is where Descartes connects back to Bacon. Bacon teaches that we need evidence. Descartes teaches that we must reason carefully from the evidence. Together, they create a powerful model for compliance effectiveness. The company observes, investigates, documents, learns, and improves.

The Compliance Officer as a Guardian of Clear Thinking

If Bacon cast the compliance officer as an institutional scientist, Descartes casts the compliance officer as a guardian of clear thinking. In a corporation full of pressure, narrative, hierarchy, and urgency, that role is vital. Someone must insist that facts be tested, that assumptions be challenged, that conclusions be explained, and that the process remain disciplined when the easier path is to settle for a quick answer.

That is not merely an investigative skill. It is a governance function. It protects employee fairness, the board’s credibility, and the company’s defensibility. It also builds trust over time, because people learn that reports are taken seriously, that outcomes are reasoned rather than political, and that the system values truth over convenience.

René Descartes may seem an unlikely guide for corporate compliance. Yet his method of doubt, order, and careful reasoning belongs squarely within the modern best-practices compliance program. In an era where companies are judged not simply on whether they responded, but on how they responded, Descartes offers an enduring lesson: clear thinking is a control.

Five Lessons Learned for the Modern Compliance Professional

First, allegations should trigger a method, not a reaction. A repeatable investigative framework reduces bias and improves consistency.

Second, disciplined skepticism is a professional obligation. Compliance must test explanations against facts rather than accept convenient narratives.

Third, complex matters should be broken into parts. Scoping, evidence review, interviews, control mapping, and timeline construction all improve rigor.

Fourth, documentation is essential. It is how the company proves that its inquiry was credible and how it preserves institutional learning.

Fifth, an investigation is not complete until it informs remediation. Findings should lead to enhancements in control, policy changes, training updates, or broader governance improvements.

Coming Next: John Locke and the Legitimacy of Compliance Governance

If Francis Bacon teaches us to gather evidence and René Descartes teaches us to examine it rigorously, John Locke asks an equally important question: why should anyone trust the system in the first place? In Part 3, I will explore how Locke’s ideas about legitimacy, rights, and accountable authority provide a powerful framework for speak-up culture, non-retaliation, fairness, and board oversight. In the world of compliance, authority alone is never enough. It must also be credible.

Categories
Blog

Enlightenment Philosophers Week: Part 1 – Francis Bacon and the Compliance Program That Works in Practice

I have explored the work of ancient Greek and Roman philosophers to understand the underpinnings of the modern corporate compliance program. This week, I want to move to Enlightenment Thinkers. Our category is broader than that of philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes.

The five we will explore are Francis Bacon, René Descartes, John Locke, Thomas Hobbes, and Issac Newton. Today, we begin with Francis Bacon and the design of a compliance program that works not simply in theory but in practice.

There is a reason Francis Bacon is the right place to begin a series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon did not simply advance a philosophical idea. He changed the way serious people were supposed to think. He pushed inquiry away from inherited assumptions and abstract theorizing and toward observation, testing, evidence, and disciplined learning from experience. In many ways, that is the same journey corporate compliance has had to take.

For too long, compliance programs were judged by what they had on paper. Did the company have a code of conduct? Did it conduct annual training? Did it maintain a hotline? Did it have policies and procedures? Those questions still matter, of course, but they are no longer enough. The Department of Justice has made that point repeatedly through its Evaluation of Corporate Compliance Programs. The DOJ does not simply ask whether a company has a program. It asks whether the program is well designed, whether it is being applied earnestly and in good faith, and whether it works in practice. That final phrase could have been written by Bacon himself.

Why Bacon Matters to Compliance

Francis Bacon is most closely associated with empiricism, the idea that knowledge should be grounded in observation and experience rather than assumption or pure deduction. He believed that if you want to understand the world, you do not begin with what you hope is true. You begin with facts. You gather information. You test propositions. You challenge your own biases. Then you refine your conclusions based on the evidence. That mindset is at the heart of every effective compliance program.

A Chief Compliance Officer cannot assume that a policy is effective because it was well-drafted. A board cannot assume that a training program changes behavior because employees clicked through an online module. A legal department cannot assume that third-party due diligence is functioning because questionnaires are being completed. In each case, the real question is Baconian: what evidence do you have that the control is working as intended?

This is where philosophy becomes practice. Bacon gives compliance professionals a method. He reminds us that the difference between performative compliance and effective compliance is proof.

The DOJ Standard Is a Baconian Standard

The modern DOJ approach is deeply consistent with Bacon’s philosophy. The ECCP has moved the compliance conversation away from formalism and toward effectiveness. Prosecutors are instructed to consider whether a company has access to relevant data, whether it uses that data to monitor performance, whether it investigates red flags, whether it adapts the program based on lessons learned, and whether it performs root-cause analysis after misconduct occurs. That is not a paper exercise. That is evidence-based governance.

The DOJ is effectively saying that compliance must be a living system of observation, testing, response, and continuous improvement. In Bacon’s world, knowledge advances by disciplined interaction with reality. In the DOJ’s world, compliance credibility advances the same way. A company earns trust not because it announces a program, but because it can demonstrate through data, testing, and response that the program actually functions.

From Risk Assessment to Real Measurement

A Bacon-inspired compliance program begins with risk assessment, but it does not end there. Too many organizations treat the risk assessment as an annual exercise that produces a polished heat map and then disappears into a slide deck. Bacon would reject that approach. A risk assessment should be a working hypothesis about where misconduct and control failure are most likely to occur. That hypothesis must then be tested through monitoring, internal reporting, auditing, and data review.

Consider a company that identifies third-party risk as a top concern. A paper-based approach might stop with enhanced due diligence procedures and contract clauses. A Baconian approach goes further. It asks whether third parties are actually being onboarded according to policy, whether approvals are properly documented, whether high-risk distributors are subject to enhanced monitoring, whether payments match contractual terms, whether red flags are closed or merely noted, and whether the company can identify trends across geographies, business units, or product lines. That is where compliance becomes operational.

Monitoring Is How a Program Proves Itself

One of the clearest lessons Bacon offers is that observation must be ongoing. In compliance terms, that means monitoring is not an optional add-on. It is how the program proves itself. COSO has long emphasized monitoring as a core element of an effective internal control framework. The same logic applies to compliance more broadly. Monitoring tells a company whether its controls are operating consistently, whether local business practices are drifting from policy expectations, and whether emerging risks are being detected early enough to matter.

Hotline data is a good example. Many organizations report the number of calls received, but that is only the beginning. A Baconian compliance officer looks beneath the surface. Are certain allegations rising in a specific region? Are retaliation claims increasing after a business reorganization? Are reports being substantiated at a lower rate because employees do not understand what should be reported? Are investigation closure times lengthening in a way that undermines confidence in the process? Those are not just operational questions. There are questions about whether the compliance system is learning.

Root Cause Analysis Is Bacon in Action

If there is one area where Bacon’s influence should be explicit, it is root cause analysis. When misconduct happens, the least useful response is to identify the wrongdoer, discipline the individual, and move on. That may satisfy a desire for closure, but it does not satisfy the demands of an effective compliance program.

Bacon would ask a different set of questions. What conditions allowed this to happen? What signals were missed? Were incentives misaligned? Was a manager pressuring a sales team in ways that made policy noncompliance more likely? Did the control exist on paper but fail in operation? Was a prior warning sign identified but not escalated?

Those questions matter because substantive compliance violations are never random. It is often the product of pressure, weak controls, poor communication, bad assumptions, or failures to learn from earlier warning signs. Root cause analysis is the process by which a company examines the conditions that led to a failure and turns that failure into institutional knowledge.

Culture Needs Evidence Too

Compliance professionals often speak about culture, and they should. But here, too, Bacon has a warning for us. Culture cannot be measured only by slogans or tone-at-the-top statements. A company that wants to claim a strong ethical culture should be able to point to supporting evidence.

Do employees raise concerns without fear of retaliation? Are managers evaluated in part on ethical leadership? Do exit interviews reveal pressure points that formal reporting channels miss? Are discipline outcomes consistent across levels of seniority? Does the organization respond to bad news constructively or defensively? These are empirical questions. They require information, not aspiration.

This is where compliance, internal audit, legal, and HR can work together in a mature governance model. Surveys, hotline trends, investigation data, audit findings, and employee feedback all become part of the evidence base. Culture, in this framework, is not soft. It is observable. It can be tested, assessed, and strengthened.

The Compliance Officer as Institutional Scientist

Perhaps Bacon’s greatest gift to the compliance profession is this: he offers a model for what the compliance officer should be. Not merely a policy custodian. Not merely a trainer. Not merely an investigator. The modern compliance leader is, in part, an institutional scientist.

That phrase may sound grand, but it captures something important. The CCO studies how the organization really works. Which incentives shape conduct? Which controls hold under pressure? Where are the blind spots? What do the data show? What must change? In that sense, the compliance function is not external to the business. It is one of the primary ways the business learns about itself.

That is why evidence matters so much. It is the basis for credibility with the board, with regulators, and with employees. It is how a program shows that it is more than a collection of good intentions. Francis Bacon would have understood that immediately.

Five Lessons Learned for the Modern Compliance Professional

First, a compliance program must be judged by evidence, not by appearance. Policies and training matter, but proof of effectiveness matters more.

Second, risk assessments should be treated as working hypotheses that must be tested through monitoring, auditing, and ongoing review.

Third, data is central to the credibility of compliance. Hotline trends, investigation outcomes, audit findings, and control testing demonstrate that a company’s program works in practice.

Fourth, root cause analysis is essential. Misconduct should trigger institutional learning, not merely individual discipline.

Fifth, culture itself must be supported by evidence. Speak-up, non-retaliation, consistency in discipline, and employee trust are all observable markers of program health.

Coming Next: René Descartes and the Discipline of Internal Investigation

If Francis Bacon teaches us how to gather evidence, René Descartes teaches us what to do with it. In Part 2, I will examine how Descartes’ method of disciplined doubt provides a blueprint for internal investigations, allegation triage, and rigorous compliance inquiry. In a world of management narratives, incomplete facts, and pressure to reach quick conclusions, Descartes reminds us that the compliance professional’s first duty is not comfort. It is clear thinking.

Categories
Blog

Trust Is Not a Control: The Drop-In AI Audit

There is a hard truth at the center of modern AI governance that every compliance professional needs to confront: trust is not a control. For too long, organizations have approached AI oversight with a familiar but outdated mindset. They collect a vendor certification. They review a policy statement. They ask whether a third party is “aligned” with a recognized framework. Then they move on, assuming the governance box has been checked. In today’s enforcement and risk environment, that approach is no longer good enough.

The Department of Justice has repeatedly made this point in its Evaluation of Corporate Compliance Programs. The DOJ does not ask whether a company has a policy on paper. It asks whether the program is well designed, whether it is applied earnestly and in good faith, and, most importantly, whether it works in practice. That final phrase matters. Works in practice. It is the dividing line between performative governance and effective governance.

That is why every compliance program now needs a drop-in AI audit. It is not simply another diligence exercise. It is a mechanism for proving that governance is real. It is a practical third-party risk tool. And it is one of the clearest ways to operationalize the ECCP in the age of artificial intelligence.

The Problem: Third-Party AI Risk Is Moving Faster Than Oversight

Most companies do not build every AI capability internally. They rely on vendors, service providers, cloud platforms, embedded applications, analytics partners, and other third parties whose tools increasingly shape business processes and compliance outcomes. In many organizations, these third parties now influence investigations, due diligence, monitoring, onboarding, reporting, customer interactions, and internal decision-making. That creates a new class of third-party risk.

The problem is not only whether a vendor has responsible AI language in its contract or whether it can point to a certification. The problem is whether your organization can verify that the relevant controls are functioning as represented in the real-world use case affecting your business. That is where too many compliance programs still fall short.

Under the ECCP, the DOJ asks whether a company’s risk assessment is updated and informed by lessons learned. It asks whether the company has a process for managing risks presented by third parties. It asks whether controls have been tested, whether data is available to compliance personnel, and whether the company can demonstrate continuous improvement. These are not abstract questions. They go directly to how you oversee AI-enabled third parties. If your third-party AI governance begins and ends with a questionnaire and a PDF certification, you do not have evidence of governance. You have evidence of intake.

What a Drop-In Audit Really Does

A drop-in AI audit changes the question from “What does the third party say?” to “What can the third party prove?” That is a profound shift.

The value of the drop-in audit is that it brings compliance discipline directly into third-party AI oversight. Instead of accepting broad claims about safety, control, and alignment, you examine operational evidence. Instead of relying solely on design statements, you test for performance in practice. Instead of treating governance as a one-time approval event, treat it as a repeatable audit process. In that sense, the drop-in audit becomes proof of governance.

It also becomes a far more mature third-party risk tool. You are no longer merely assessing whether a vendor appears sophisticated. You are assessing whether a third party can withstand scrutiny on the questions that matter most: scope, controls, traceability, escalation, and evidence.

And from an ECCP perspective, that is precisely the point. The DOJ has emphasized that compliance programs must move beyond paper design into operational reality. A drop-in audit is one of the few mechanisms that let you do that in a disciplined, documentable way.

From Vendor Oversight to Third-Party Governance

This discipline should not be limited only to classic vendors. The better view is to expand the concept across all third parties that provide, influence, host, or materially shape AI-enabled services. That includes software providers, outsourced service partners, embedded AI functionality in enterprise tools, cloud-based analytics environments, compliance technology vendors, and any external party whose systems affect business-critical decisions or regulated processes.

Risk does not care about the label on the contract. If the third party’s AI affects your organization’s screening, monitoring, investigations, decision support, or disclosures, the compliance risk is real. Your governance process must be equally real. This is why “trust but verify” is no longer just a slogan. It is a design principle for third-party oversight of AI.

The Core Elements of the Drop-In Audit

A strong drop-in audit has three features: sampling, contradiction testing, and escalation.

1. Sampling: Evidence of Operation, Not Merely Design

Sampling is where governance becomes tangible. A company requests specific artifacts tied to actual use cases and actual control operations. This may include scope documents, Statements of Applicability, system documentation, training data summaries, access controls, incident records, runtime logs, or evidence of human review. The point is simple: operational evidence is what matters.

This is where a compliance function moves from hearing about controls to seeing them in action. It is also where internal audit can add real value by testing whether the evidence supports the stated control environment.

2. Contradiction Testing: Where Real Risk Emerges

This is one of the most important and underused concepts in third-party AI oversight. Inconsistencies between claims and reality are where governance failures emerge. If a third party says its certification covers a given service, does the scope document confirm it? If it claims strong incident response, does the record back it up? If it represents strong human oversight, do the runtime traces show meaningful intervention or only theoretical review points?

Contradiction testing is powerful because it goes to credibility. It tests whether the governance narrative matches the operating reality. Under the ECCP, that is exactly the kind of inquiry prosecutors and regulators will care about. It speaks to effectiveness, honesty, and control discipline.

3. Escalation: Governance in Action

Governance without consequences is not governance. A drop-in audit must include clear escalation triggers. Missing evidence, mismatched certification scope, unexplained gaps, unresolved incidents, or inconsistent remediation should not be noted in isolation. They should trigger action.

That action may include enhanced diligence, contractual remediation, independent validation, temporary use restrictions, or deeper audit review. The important point is that the program responds. This is where the drop-in audit becomes operationalizing the ECCP. It demonstrates that the company not only identifies risk but also acts on it.

How the Drop-In Audit Maps to the ECCP

The drop-in audit aligns tightly with the DOJ’s framework for an effective compliance program. Risk assessment is addressed because the audit focuses attention on where AI-enabled third parties create actual operational and control exposure. Policies and procedures are tested because the company does not merely accept them at face value. It assesses whether the stated controls are supported by evidence. Third-party management is strengthened by making oversight continuous, risk-based, and verifiable. Testing and continuous improvement are built into the audit process, which identifies gaps, contradictions, and corrective actions. Investigation and remediation principles are reinforced by documenting, escalating, and using findings to improve the control environment.

Most importantly, the audit answers the ECCP’s central practical question: Does the program work in practice?

How the Drop-In Audit Maps to NIST AI RMF

The NIST AI Risk Management Framework provides a highly useful structure for the drop-in audit, especially through its Govern, Map, Measure, and Manage functions.

  1. Governance is reflected in defined ownership, accountability, and escalation when issues are identified.
  2. A map is reflected in understanding the third party’s actual AI use case, scope, dependencies, and business impact.
  3. The measure is reflected in the use of evidence, runtime observations, contradiction testing, and performance assessment.
  4. Management is reflected in remediation, ongoing oversight, and updates to controls based on audit findings.

In this way, the drop-in audit becomes a practical tool for taking the NIST AI RMF from concept to execution.

How the Drop-In Audit Maps to ISO/IEC 42001

ISO/IEC 42001 adds the management-system discipline that compliance programs need. Its value lies in documented scope, role clarity, control applicability, monitoring, corrective action, and continual improvement. A drop-in audit fits naturally into that structure because it tests whether those elements are visible in operation, not merely stated in documentation.

The Statement of Applicability becomes meaningful when the company verifies that the controls identified there actually correspond to the deployed service. Monitoring becomes meaningful when evidence is examined. Corrective action becomes meaningful when gaps trigger follow-up. Continual improvement becomes meaningful when findings are fed back into governance. That is why the documentation you generate should serve your board, regulators, and internal stakeholders without additional work. Producing evidence that travel is one of the most strategic benefits of this approach.

Why Every Compliance Program Needs This Now

The strategic payoff is straightforward. Strong AI governance is not a drag on innovation. It is what allows innovation to scale with trust. A drop-in audit gives compliance and internal audit a mechanism to test what matters, document their findings, and create evidence that withstands scrutiny. It moves governance from assertion to proof. It transforms third-party diligence into a repeatable, auditable process. It helps ensure that when regulators, boards, or business leaders ask how the company knows its third-party AI governance is working, there is a real answer.

Because, in the end, evidence of governance matters. Not narratives. Not slide decks. Evidence. President Reagan was right in the 1980s, and he is still right today: “Trust but verify.”

Categories
Blog

AI Disclosures, Controls, and D&O Coverage: Closing the Governance Gap Around Artificial Intelligence

A new governance gap is emerging around artificial intelligence, and it is one that Chief Compliance Officers, compliance professionals, and boards need to confront now. It sits at the intersection of three areas that too many companies still treat separately: public disclosures, internal controls, and insurance coverage. That siloed approach is no longer sustainable.

As companies speak more confidently about their AI strategies, insurers are becoming more cautious about the risks those strategies create. That tension matters. It signals that the market is beginning to see something many organizations have not yet fully addressed: when a company’s statements about AI outpace its actual governance, the exposure is not merely operational or reputational. It can become a disclosure issue, a board oversight issue, and ultimately a proof-of-governance issue under the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP).

For the compliance professional, this is not simply an insurance story. It is a compliance integration story. The question is whether the company can align its statements about AI, the controls it has in place, and the protections it believes it has in place if something goes wrong.

The New Governance Gap

Many organizations are eager to describe AI as a source of innovation, efficiency, better decision-making, or competitive advantage. Those messages increasingly appear in earnings calls, investor decks, public filings, marketing materials, and board presentations. Yet the underlying governance structures often remain immature. That disconnect is the governance gap.

It appears when management speaks broadly about responsible AI but has not built a complete inventory of AI use cases. It appears when companies discuss oversight but cannot show testing, documentation, or monitoring. It appears that boards assume that insurance will respond to AI-related claims without understanding how new policy language may narrow coverage.

This is where D&O coverage becomes so important. It is not the center of the story, but it is a revealing signal. If insurers are revisiting policy language and introducing exclusions or limitations tied to AI-related conduct, it suggests the market sees governance risk. In other words, the insurance market is sending a message: AI-related claims are no longer hypothetical, and companies that cannot demonstrate disciplined oversight may find that risk transfer is less available than they assumed.

Why the ECCP Should Be the Primary Lens

The DOJ’s ECCP remains the most useful framework for analyzing this issue because it asks exactly the right questions.

Has the company conducted a risk assessment that accounts for emerging risks? Are policies and procedures aligned with actual business practice? Are controls working in practice? Is there proper oversight, accountability, and continuous improvement? Can the company demonstrate all of this with evidence? Those are compliance questions, but they are also the right AI governance questions.

If a company makes public statements about AI capability, oversight, or reliability, the ECCP lens requires more than aspiration. It requires substantiation. Can the company show who owns the AI risk? Can it demonstrate how models or systems are tested? Can it show escalation procedures when problems arise? Can it document how AI-related decisions are monitored, reviewed, and improved over time?

If the answer is no, then the issue is not simply that the company may have overpromised. The issue is that its compliance program may not be adequately addressing a material emerging risk. That is why CCOs should view AI as a cross-functional challenge requiring integration across legal, compliance, technology, risk, audit, investor relations, and the board.

AI Disclosure Must Be Evidence-Based

One of the most practical steps a compliance function can take is to push for an evidence-based disclosure process around AI. This means that public statements about AI should not be driven solely by enthusiasm, market pressure, or executive optimism. They should be grounded in underlying documentation. If the company says it uses AI responsibly, where is the governance framework? If it claims AI improves decision-making, what testing supports that assertion? If it says it has safeguards, where are the control descriptions, monitoring results, and escalation records?

This is not about suppressing innovation. It is about ensuring that disclosure discipline keeps pace with technological ambition. For boards, this means asking harder questions before approving or relying on public AI narratives. For compliance officers, it means helping management build the evidentiary record that turns broad statements into defensible representations.

Controls Must Catch Up to Strategy

This is where the “how-to” work begins. Compliance professionals should begin by creating a structured inventory of AI use cases across the enterprise. That inventory should identify where AI is being used, what decisions it informs, what data it relies on, who owns it, and what risks it entails.

Once that inventory exists, risk tiering should follow. Not every AI use case carries the same compliance significance. A low-risk productivity tool does not need the same oversight as a system that affects investigations, third-party due diligence, customer interactions, financial reporting, or core operational decisions.

From there, the company can design controls proportionate to risk. High-impact uses of AI should have documented governance, human review where appropriate, testing protocols, escalation triggers, and monitoring requirements. The compliance team should be able to answer a simple question: where are the controls, and how do we know they work? That is the heart of the ECCP inquiry.

Where NIST AI RMF and ISO/IEC 42001 Fit

This is also where the NIST AI Risk Management Framework and ISO/IEC 42001 become highly practical tools. NIST AI RMF helps organizations govern, map, measure, and manage AI risks. For compliance professionals, this provides a disciplined structure for identifying AI use cases, understanding impacts, assessing reliability, and managing response. It is especially useful in linking abstract AI risk to operational decision-making.

ISO/IEC 42001 brings management system discipline to AI governance. It focuses on defined roles, documented processes, control implementation, monitoring, internal review, and continual improvement. That makes it an excellent bridge between policy and execution. Together, these frameworks help operationalize the ECCP. The ECCP tells you what an effective compliance program should be able to demonstrate. NIST AI RMF helps structure the risk analysis. ISO 42001 helps embed those requirements into a repeatable governance process.

For CCOs, the practical lesson is clear: use these frameworks not as academic overlays, but as working tools to build ownership, documentation, testing, and accountability.

Insurance Is a Governance Input

Companies also need to stop treating insurance as an afterthought. D&O coverage should be considered a governance input, not merely a downstream purchase. If policy language is narrowing around AI-related claims, boards and compliance leaders need to understand what that means. What scenarios might raise disclosure-related allegations? Where is ambiguity in coverage? What assumptions has management made about protection that may no longer hold?

Compliance does not need to become an insurance specialist. But it does need to ensure that disclosure, governance, and risk transfer are aligned. If the company is making strong public claims about AI while carrying unexamined governance weaknesses and uncertain coverage, that is precisely the kind of mismatch that can trigger a crisis.

Closing the Gap Before It Becomes a Failure

The larger lesson is straightforward. AI governance is not simply about technology controls. It is about integration. It is about ensuring that what the company says, what it does, and what it can prove all line up. That is why the governance gap matters so much. It is the space where strategy outruns structure, where disclosure outruns evidence, and where confidence outruns control. For boards and compliance professionals, the task is to close that gap before it becomes a failure.

The companies that do this well will not necessarily be the ones moving the fastest. They will be the ones building documented, tested, monitored, and governed AI programs that stand up to regulatory scrutiny, investor pressure, and real-world disruption. That is not bureaucracy. That is the price of sustainable innovation.