
Podcasting for Compliance Communications

If there is one truism from the practice of law that translates to the practice of compliance, it is that you are only limited by your own imagination. This holds in the 360-degree realm of communication in compliance, as communications obviously come in many forms. Many compliance practitioners well remember the 2012 Morgan Stanley declination. In this first declination made public, the DOJ recognized Morgan Stanley for emailing 35 compliance reminders to Garth Peterson over a seven-year period. Consider the power of 360-degree communications in the context of compliance reminders. Now imagine the power of short ethics and compliance video training clips being distributed over the same period and the effect it would have on both your employees and regulators.

Podcast Storytelling

Why not tell the story of the compliance program through a podcast? I call it podcast storytelling, and it can be a powerful tool. Each podcast series is a 5-part series and constitutes one story arc. The podcasts are about 10–15 minutes in length. The podcast-storytelling series can feature a variety of interviews led by a noted podcast host, such as the Voice of Compliance, yourself as the CCO, or other key individuals from your organization. It can be an interview with one or more people, or it can be a solo podcast.

While there would be a fully integrated storyline, each podcast and accompanying text would be stand-alone compliance training and communications that anyone at your organization could use. The podcasts can be distributed both internally and through your organization’s social media channels. There is a wide range of podcast sites available, including iTunes, Spotify, iHeartRadio, Google Podcasts, and Amazon. From each podcast, you can create multiple short audio clips or other forms of social media-sharing materials with key quotes and lessons learned that can be made as podcast cover art.

A series like this allows your organization not only to tell a story more effectively but also to reach a much larger audience than in any other format—live, audio-video, or in-person. Yet, there is another reason why you should consider this type of approach for compliance training and communications. It will provide you with the equivalent of market research and feedback. The number of listeners and downloads will provide a reliable source of data that you can use in other communications and training sessions.

Compliance Department Branded Podcasts

Want another option? How about a fully produced, branded podcast series for your internal compliance function? It could be two 25–30-minute episodes per month, with the guest selected by your compliance team. This format enables your corporate compliance function to tell the story of its greatest asset—its people—through interviews. Cannot get out of the country to travel? Still working remotely? Your branded podcasts offer a way to connect with your employees as we continue to navigate the aftermath of the COVID-19 pandemic. You can use the branded podcast to tell the story of compliance successes in your organization. You can also include other departments to share their accomplishments. As with the podcast storytelling series, it would be done collaboratively, working with your communications team.

Compliance News of the Day

Want to create concise and effective compliance communications? How about “Compliance News of the Day”? Have a daily curated news show featuring 3–4 compliance stories, accompanied by a summary of the series and its relevance to a compliance perspective for your organization. Make it fun so that your employees want to check in daily. When the DOJ comes knocking and asks how often you send out compliance communications, you can point to your Compliance News of the Day as a great starting point.

As a compliance practitioner, you should bring more storytelling into your compliance messaging, training, and communications. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their own lives. Such training and communication experiences will last much longer than if you drone on over a written policy or show a PowerPoint slide. Marc Havener has described this storytelling as “expanding your classroom.” Ronnie Feldman calls it bringing memorable storytelling to your compliance communications and training.

Since you are only limited by your imagination in addressing compliance, why not use some of that imagination to be creative in your compliance training and communications?

Using Podcasts to Improve Corporate Culture

One of the biggest benefits of podcasting is that it allows a compliance function to connect with its audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics.

Now, apply the same concepts of audience engagement internally to an organization. What do you have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Consider all the advantages podcasting already offers. Podcasting is one of the most intimate forms of communication, and this concept holds for a corporate compliance podcast.

A major U.S. consumer product company launched a podcast featuring corporate executives. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.


Daily Compliance News: November 7, 2025, The Do $1tn Pay Packages Really Incentivize You Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • NBA Reports to Congress on Gambling Probe. (The Athletic)
  • Capula ex-CCO claims retaliation for whistleblowing in termination. (Bloomberg)
  • BaFin slaps a €45 million fine on JPMorgan. (FT)
  • Will Elon Musk really work harder for a $1 trillion pay package? (NYT)

The Daily Compliance News has been honored as No. 2 in the Best Regulatory Compliance Podcasts category.


Compliance and Building Resilient Boards

In today’s volatile world, the word “resilience” has become the boardroom’s rallying cry. From geopolitical risk to technological disruption, boards and C-suites are being asked to navigate what Deloitte calls a “multiverse” of parallel realities, balancing short-term shocks with long-term strategy. But BOD resilience is not just about surviving turbulence. It is about thriving through uncertainty. And that is where the corporate compliance function, often underestimated as a back-office monitor, can emerge as a strategic partner in building board-level resilience. This is the key message that resonates from a recent article in the Harvard Law School Forum on Corporate Governance, How Board and C-Suite Collaboration Can Build Organizational Resilience.

Effective collaboration between boards and executive teams strengthens organizational adaptability, foresight, and integrity. Resilience is not the absence of risk; rather, it is the ability to master a response. Today, we consider this article and mine it for lessons for compliance leaders seeking to help their boards become more resilient, responsive, and ready for the future.

1. Compliance as the Early-Warning System for the Board

The Deloitte survey highlights a growing reality: boards are increasingly overwhelmed by short-term risks, ranging from cyberattacks to economic volatility. They may overlook longer-term imperatives such as innovation and human capital development. Compliance professionals are uniquely positioned to serve as an early warning system for emerging risks. Through monitoring, testing, and continuous improvement, compliance provides data-driven insight into what is actually happening inside the business before it becomes a headline or regulatory crisis.

A resilient board depends on credible information flow. That means compliance must extend beyond reporting incidents to providing actionable intelligence. By translating risk data into actionable insight and identifying patterns in third-party due diligence, supply chain vulnerabilities, or employee reporting trends, the compliance function helps directors see around corners. As Gordon Nixon, chair of BCE Inc., put it, leadership today requires the ability to “synthesize complexity into decisive action.” Compliance gives boards the tools to do just that.

2. Turning Oversight Into Scenario Planning

According to Deloitte’s data, 86% of boards have increased their focus on risk monitoring and scenario planning, with 39% significantly stepping up their efforts. That is good news, but only if those exercises move beyond hypotheticals. This is where compliance can play a catalytic role. Scenario planning is most effective when it draws from real operational data, and no function gathers more cross-enterprise data than compliance. Every whistleblower report, transaction review, and training completion rate tells part of a story about how the organization will respond when tested.

A compliance leader should therefore help transform board discussions from abstract governance into strategic foresight. When boards examine potential crises, such as cyber breaches, sanctions violations, or ESG missteps, compliance can provide not just the risk but also the response map, including who is responsible, how escalation works, what past data reveals about reaction speed, and how remediation was measured.

3. Strengthening the Board–C-Suite Communication Loop

The Deloitte study finds that open, transparent communication between the board and CEO is the single most important factor in organizational resilience, cited by 66% of respondents. That transparency must extend beyond financial performance; it must include culture, ethics, and conduct. Compliance officers can serve as trusted interpreters between management and directors. Often, executives filter messages to the board, softening bad news or emphasizing short-term wins. A strong compliance function ensures that uncomfortable truths, emerging investigations, cultural risks, or weak control environments are brought to the board’s attention promptly and accurately.

Moreover, compliance officers can help foster “psychological safety,” a quality Deloitte found lacking on many boards. When executives and directors feel safe discussing failures and near misses, they can act more decisively and learn faster. Compliance teams, with their neutral and process-driven perspective, can facilitate those candid conversations.

4. Building the Skill Base for Resilient Oversight

One of the report’s most striking findings is a gap between board and C-suite perceptions of readiness. While 86% of directors believe they are providing the right support to management, only 73% of executives agree. The gap is even wider in terms of skill composition. Nearly half of C-suite respondents say boards lack the necessary expertise to guide them through today’s environment.

That is a call to action for compliance leaders. The modern compliance function serves as a knowledge hub, continuously monitoring global regulatory trends, AI governance frameworks, and emerging ESG risks. Boards can leverage this intelligence to refresh their own competencies. For example, compliance-led workshops on anti-corruption enforcement trends, cybersecurity reporting requirements, or AI ethics can help directors stay informed and prepared to challenge management with the right questions.

Sheila Murray, chair of Teck Resources, put it best: “If somebody’s coming to meetings and not participating, that’s on me. I’ve got to bring out the best in them.” Compliance can help by providing the content that sparks meaningful participation.

5. Embedding Agility and Integrity Into Board Culture

According to Deloitte, the most resilient organizations strike a balance between governance and agility. That’s easier said than done. Rigid board processes can impede responsiveness, while overly informal structures risk undermining accountability. Compliance can help build the right balance by institutionalizing agility without sacrificing integrity.

For instance, compliance can work with corporate secretaries to ensure that board minutes document not just decisions but also the rationale behind them. That strengthens the record for regulators and demonstrates that directors acted in good faith. Similarly, compliance can help shape board procedures to allow for rapid, ethics-aligned decisions in crisis conditions.

Roy Dunbar, an independent director at McKesson and Duke Energy, describes it this way: “What you want is to go deeper and ask more challenging questions around, ‘What are the threats? What are the opportunities? Where is growth going to come from?’” Those deeper questions about sustainability, AI, and ethical governance are exactly where compliance expertise can bring clarity.

From Reactive Oversight to Proactive Partnership

The Deloitte report concludes with a vision of co-creation between boards and management, transitioning from rigid oversight to a synergistic partnership. That’s also the next frontier for compliance. No longer confined to detection and discipline, the compliance function can become the architect of organizational resilience.

How? By helping boards connect the dots between ethics and performance. A resilient board is one that not only identifies risk but also ensures that values drive decision-making at every level. When compliance embeds those values into strategic planning, linking ethical conduct to innovation, transparency to investor trust, and governance to growth, the board’s resilience becomes systemic, not situational.

In a world where, as Anjali Bansal observed, “the level of uncertainty today is absolutely unprecedented,” resilience will depend less on predicting the next crisis and more on ensuring the integrity of the response. That is the mission compliance was born to serve.

What It Means for the Chief Compliance Officer

For the CCO, this moment represents both an invitation and a mandate. The board needs a partner who can translate regulatory language into strategic value and who can help bridge the trust gap between directors and management.

Here is how the CCO can deliver:

  1. Be the Board’s Barometer: Regularly update directors on the ethical health of the organization, including hotline data, investigation closure rates, and culture metrics, so that they can gauge the tone and trust across business units.
  2. Champion Cross-Functional Risk Alignment: Ensure that compliance, internal audit, and enterprise risk functions speak with one voice in board reporting. Fragmented risk narratives breed confusion, not confidence.
  3. Embed Compliance Into Resilience Planning: Collaborate with HR, IT, and finance to map how regulatory compliance underpins business continuity and crisis management.
  4. Educate for Anticipation, Not Reaction: Keep the board informed about emerging compliance trends, such as AI ethics, ESG reporting, or sanctions enforcement, so directors are prepared to govern the risks of tomorrow.
  5. Strengthen the Ethical Reflex: Make ethics an instinct, not an initiative, by integrating compliance into strategy discussions, M&A reviews, and innovation frameworks.

When the compliance function evolves from a rule enforcer to a resilience partner, it transforms board oversight from passive to proactive. It gives directors not just the confidence to govern but the courage to lead.


Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, we examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The Regions board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.


Who Is an Officer? The D&O Implications of an Evolving Compliance Title

If you are a Chief Compliance Officer (CCO), you have likely spent countless hours parsing language in policies, contracts, and regulations. Words matter, especially when those words define responsibility, liability, and protection. Few words in the D&O insurance world carry as much significance or ambiguity as officer.

In a recent D&O Diary guest post, John Orr, D&O Liability Product Leader for Willis FINEX North America, tackled a deceptively simple question: Who qualifies as an “officer” under a directors and officers (D&O) insurance policy? His analysis extends beyond an insurance issue. As organizations evolve, titles proliferate, and regulatory exposure expands, the boundaries of who counts as an “officer” and thus who bears personal risk are blurring.

In today’s compliance landscape, the CCO cannot afford to let that ambiguity go unexamined. Because, as Orr notes, “titles no longer define exposure; functions do.” And that statement carries profound implications for how we manage risk, structure accountability, and design compliance frameworks in the era of AI, ESG, and cybersecurity. It also puts CCOs directly in the line of fire for shareholder litigation based upon a Caremark claim, which was expanded to include officers in the In re McDonald’s Corporation Stockholder Derivative Litigation case.

Today, we explore five key lessons compliance officers should take away from this discussion.

1. The Old Definition No Longer Fits the New Enterprise

For decades, D&O insurance policies defined “officer” narrowly: those “duly elected or appointed” under corporate bylaws, which typically included the CEO, CFO, COO, and General Counsel. That made sense when corporate structures were simple and hierarchies clear.

But those days are gone. Modern organizations are matrixed, decentralized, and global. Entire risk domains, such as cybersecurity, compliance, sustainability, and AI governance, now have leaders whose decisions can expose the company to significant regulatory, reputational, or legal peril. Orr points out that after the SEC charged the CISO of SolarWinds in 2023, companies began asking a new question: Is my CISO actually covered under our D&O policy?

That question should not just keep risk managers up at night. It should jolt every compliance leader. Because if your peers in cybersecurity, privacy, or ESG can face personal liability for organizational failures, and if their roles fall outside traditional definitions of “officer,” then your compliance architecture is incomplete.

2. Titles Cannot Shield You from Risk, and They Should Not Define Protection

Orr rightly criticizes what he calls the “legacy efforts at deliberate ambiguity” in defining who counts as an officer. Historically, this ambiguity offered flexibility to insurers and policyholders. But now it provides uncertainty; if your coverage depends on whether someone’s title happens to include “officer,” you are one reorganization away from being uninsured.

For compliance professionals, this echoes a familiar theme: form versus substance. Regulators, from the DOJ to the SEC, are increasingly looking beyond the organizational chart to assess who truly exercises authority and control. The same principle should apply internally when defining who merits D&O coverage or corporate indemnification in civil litigation.

If a CISO, Chief People Officer, or Head of AI Governance makes risk-laden decisions equivalent in impact to those of a CFO, should they not receive equivalent protection? Orr argues for a shift from title-based to function-based definitions, a position entirely consistent with modern compliance thinking. Accountability should flow from influence, not nomenclature.

3. Endorsements Are Band-Aids, Not Blueprints

As ambiguity around “officer” status has grown, companies have sought quick fixes, such as endorsements listing specific titles or individuals to be covered under D&O policies. Orr concedes that while these endorsements “address the need,” they are not scalable or sustainable. Compliance officers should recognize the analogy to policy exceptions and one-off approvals. Every time you bolt on an endorsement, you introduce friction, inconsistency, and the potential for oversight. It’s a reactive, not proactive, form of risk management.

Endorsements also fail the foresight test. They require organizations to predict which roles might become legally exposed next year, a nearly impossible task in a fast-evolving regulatory landscape. Who foresaw five years ago that ESG directors or AI governance leads would be in the crosshairs of regulators? For compliance, the takeaway is clear: tactical fixes can’t substitute for structural reform. Instead of adding endorsements to patch the definition, align the policy’s logic with the company’s real-world indemnification practices, a concept Orr calls using indemnification as the “North Star.”

4. Indemnification Is the True Test of Officer Status

Orr’s most compelling insight is his proposed “indemnification-based” solution. Under this model, anyone whom the company indemnifies or would have indemnified but for insolvency or other barriers qualifies as an officer under the D&O policy.

This approach elegantly ties together governance, insurance, and compliance. It shifts the focus from job titles to actual corporate behavior: if your organization considers someone important enough to indemnify for their decisions, they are important enough to insure. It also harmonizes coverage with reality, reducing uncertainty during a claim and ensuring consistency across corporate structures.

From a compliance standpoint, this is a governance revolution. It aligns with what the DOJ has repeatedly emphasized in its most recent Evaluation of Corporate Compliance Programs (2024 Ed.): policies must reflect “the actual day-to-day functioning” of the organization, not theoretical constructs. Indemnification as a coverage anchor reflects the compliance principle that responsibility should align with decision-making authority. If someone makes risk-bearing decisions, your compliance and D&O frameworks should converge to support and monitor that role.

5. Modern Risk Requires Modern Coverage and Modern Collaboration

The concluding insight from Orr’s piece should resonate deeply with every compliance officer: “This is not about expanding coverage. It’s about modernizing coverage to address the way companies operate today.”

That statement could serve as the mission of compliance itself. As emerging technologies and global expectations reshape the corporate landscape, the boundaries of responsibility shift daily. AI, ESG reporting, data ethics, and cybersecurity are not just technical or operational concerns; they are compliance risks with individual accountability attached.

If your D&O policy does not reflect those realities, neither does your compliance program. The modern CCO must therefore work closely with risk management, finance, and HR to ensure alignment between the forms of protection (insurance, indemnification) and the functions of oversight (compliance, ethics, governance). The article also hints at an opportunity for insurers: innovation. Just as compliance leaders must find new ways to embed ethical decision-making, insurers must design products that reflect the fluid nature of modern corporate risk. Both fields, compliance and D&O, are being asked the same fundamental question: Are you structured for yesterday’s risks or tomorrow’s realities?

What It Means for the Chief Compliance Officer

For the CCO, this discussion is not simply an academic exercise. The question “Who is an officer?” is really a question about who bears the moral and legal weight of corporate decision-making. As compliance matures into a strategic function, the CCO’s role increasingly resembles that of the “modern officer,” as Orr describes it: not just a gatekeeper, but a guardian of integrity, transparency, and accountability.

Here’s what that means in practice:

  • Map functional authority. Identify which roles across your enterprise carry significant compliance or legal exposure, regardless of title.
  • Engage with risk management. Ensure your D&O policy reflects the true landscape of decision-making authority.
  • Revisit indemnification practices. Advocate for parity between those granted indemnity and those exposed to regulatory risk.
  • Educate the C-suite and Board. Clarify that modern risk is horizontal, not vertical, and coverage must follow function, not hierarchy.
  • Champion continuous evolution. Compliance, like D&O coverage, must adapt as corporate structures evolve. Stasis is not a strategy.

Ultimately, the compliance function exists to ensure that individuals are accountable for their actions and protected for acting in good faith. That dual mandate, accountability and protection, lies at the heart of Orr’s argument and at the soul of every effective compliance program.

Compliance is not about saying no; it is about creating the conditions where doing the right thing is easy. In this context, that means ensuring your organization’s structure, policies, and insurance mechanisms make ethical leadership a safe and supported choice. The term “officer” may seem like a semantic detail, but as John Orr reminds us, it reflects how corporations define responsibility in an era of constant change. For compliance professionals, the challenge and the opportunity are to make sure that the mirror reflects reality.

 

Categories
From the Editor's Desk

From the Editor’s Desk: Compliance Week’s Insights and Reflections for October and into November 2025

In this episode of ‘From The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. Tom and Aaron discuss the top stories from Compliance Week in October, look at some stories that will appear in November, and provide a preview of upcoming content and events.

They discuss the insights from a case study on Lafarge’s anti-bribery issues linked to cartels and terrorist organizations, as well as challenges in business due diligence in high-risk areas. The episode also covers recent trends around DOJ compliance monitorship under different administrations, insights into Foreign Corrupt Practices Act (FCPA) enforcement, and evolving compliance issues related to artificial intelligence (AI). Finally, they highlight upcoming Compliance Week initiatives and webinars, focusing on career pathways in compliance, the importance of due diligence in high-risk environments, and the practical applications of AI in the compliance field.

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Upping Your Game

Upping Your Game: Episode 9 – Leveraging Chatbots for Enhanced Compliance Efficiency

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs going forward. Hui Chen challenged compliance professionals with the statement, “It’s time to up your game.”

This podcast series, sponsored by Ethico and co-hosted with Ethico co-CEO Nick Gallo, hopes to meet Hui Chen’s challenge. We will discuss how compliance professionals can ‘Up Their Game’ by utilizing currently existing Generative AI (GenAI) tools to significantly improve their compliance programs. As compliance professionals, it is critical to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

In this episode, Tom and Nick discuss the rising use of chatbots in corporate compliance programs. They explore how chatbots can serve as a powerful tool for addressing policies, procedures, and FAQs, thereby increasing efficiency and reducing the burden on compliance departments. The conversation explores the benefits of chatbots, including improved data collection, enhanced consistency, and democratized access to information. They also discuss practical strategies for implementing chatbots, including focusing on specific use cases, maintaining human oversight, rigorous testing, and continuous improvement. Real-world examples from both large corporations and smaller entities illustrate the practical applications and significant advantages of adopting chatbot technology in compliance operations.

Key highlights:

  • Implementing Chatbots for Internal Use
  • Benefits and Challenges of Chatbots
  • Building Effective Chatbots
  • Meeting Employees Where They Are
  • Ethico’s Approach to Chatbots

Resources:

Upping Your Game-How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico

Categories
Innovation in Compliance

Innovation in Compliance: Mastering Compliance Branding on LinkedIn: Insights from Carol Kaemmerer

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox is joined by returning guest Carol Kaemmerer, author of ‘LinkedIn for the Savvy Executive.’

Carol shares valuable insights on how compliance professionals can leverage LinkedIn to build their personal brand and gain credibility with senior management. She introduces her Brilliance Framework, which includes strategies such as leading with authenticity, utilizing the rule of three for memorable branding, maximizing digital real estate, and emphasizing the importance of engagement. Tune in to enhance your LinkedIn strategy and make a lasting impression in your career.

Key highlights:

  • Building a Compliance Professional’s Brand
  • Reframing Compliance Communication
  • Introducing the LinkedIn Brilliance Framework
  • Maximizing LinkedIn’s Digital Real Estate
  • The Importance of Visuals on LinkedIn
  • Engagement: The Gold of LinkedIn

Resources:

Carol Kaemmerer on LinkedIn

Carol Kaemmerer Website

LinkedIn for the Savvy Executive Second Edition

The LinkedIn Brilliance Framework™: Amplify Your Professional Presence

Categories
Great Women in Compliance

Great Women in Compliance – Civility Counts: Fostering Respect & Voice at Work with Jelahn Stewart and Katharine Manning

New #GWIC Roundtable Episode

Civility isn’t just about being polite—it’s about trust, belonging, and creating workplaces where people feel safe to speak up. In this roundtable, hosts Lisa Fine and Ellen Hunt welcome:

  • Jelahn Stewart, SVP, Deputy GC & CCO at Leidos
  • Katharine Manning, President of Blackbird DC and author of The Empathetic Workplace

They share stories and strategies on:

  • How civility impacts performance, creativity, and resilience
  • Why incivility silences women more than men
  • Practical steps leaders and teams can take to build civil, ethical cultures
  • Healthy ways to respond when civility breaks down

The Great Women in Compliance Podcast, hosted by Hemma Lomax and Lisa Fine, shares the stories of women in the field of ethics and compliance, proudly sponsored by Corporate Compliance Insights.

#Leadership #WorkplaceCulture #RespectAtWork #Civility #InclusiveLeadership

Categories
Blog

Directors and AI: Do’s, Don’ts, and Compliance Lessons

Artificial intelligence (AI) has rapidly become embedded in the daily workflows of executives, employees, and, increasingly, board directors. From drafting strategy summaries to analyzing industry data, directors are turning to AI chatbots and transcription tools in the same way they once adopted email, spreadsheets, or virtual board portals. However, unlike those earlier technologies, AI presents new risks, and for directors, these risks intersect directly with fiduciary duties and corporate governance obligations.

A recent memorandum by Skadden, Arps, Slate, Meagher & Flom LLP, published through the Harvard Law School Forum on Corporate Governance, outlines practical dos and don’ts for directors using AI in their board roles. The message is clear: while AI offers great promise, directors must use it with caution. For compliance professionals, this guidance provides important lessons not only for boardrooms but also for the governance structures that surround them.

The Temptation of AI in the Boardroom

Boards are expected to absorb massive amounts of information, such as financial results, strategy papers, compliance reports, and cybersecurity dashboards, often under tight timelines. It is easy to see why a director might feed these materials into an AI tool to produce summaries or ask for red flags. Similarly, transcription services appear attractive for documenting complex board meetings and discussions. But here lies the trap: not all AI tools are created equal. Publicly available chatbots often train on user inputs, meaning that confidential board information could be incorporated into the system and potentially regurgitated to other users, including competitors.

Just as you would never allow directors to send board books through unsecured email, AI tools need guardrails.

Key Risks Identified in the Director’s Guide

The Skadden memorandum outlines several risks directors must consider when using AI in their corporate capacities:

  1. Confidentiality and Data Leakage – Uploading sensitive materials into public AI systems risks exposing trade secrets or personal data. Even if the information is deleted from a user’s history, the AI vendor may still retain and train on it.
  2. Discovery and Litigation Risks – AI chats are records. Like emails, they may be discoverable in litigation or regulatory reviews. Regulators could demand access to AI interactions if they involve matters under scrutiny, such as antitrust reviews of mergers and acquisitions (M&A) activity.
  3. Loss of Privilege – Using AI to transcribe board meetings or communications with counsel risks waiving attorney-client privilege. Once third parties have access, privilege may be lost forever.
  4. Accuracy and Hallucinations – AI outputs can be wrong, biased, or outdated. Treating AI results as authoritative without verification exposes directors to poor decision-making and potential breaches of fiduciary duties.
  5. Erosion of Human Judgment – Over-reliance on AI to make HR, strategy, or other critical decisions risks abdicating the duty of care and loyalty. Directors must remain firmly “in the loop”.

Compliance Lessons for Professionals

From these risks, we can distill key lessons for compliance officers advising boards and executives on AI governance.

1. Confidential Information Must Stay Inside the Perimeter

Compliance professionals should establish clear rules: no uploading of board materials, personal data, or trade secrets into public AI tools. Instead, direct the board to company-approved platforms that are vetted for security and configured to prevent training on sensitive inputs. This is not just a best practice; it may also be required to comply with contractual obligations, privacy laws, and internal data-protection policies.

2. Treat AI Chats as Discoverable Records

Boards should assume that anything shared with AI may one day be discoverable by others. Compliance professionals must include AI chats and transcripts in records-retention policies and advise directors to avoid discussing sensitive legal or competitive issues in public AI systems. This lesson mirrors earlier corporate missteps with text messages and messaging apps. AI is the new frontier for discoverability.

3. Preserve Privilege by Avoiding AI for Legal Matters

Directors must not use AI to record privileged discussions with counsel or board meetings, as this would violate the attorney-client privilege. Compliance officers should make this an explicit policy. Approved transcription tools may be used for training sessions or customer service calls, but never for board-level deliberations. Losing privilege could cripple a company’s defense in litigation. Compliance officers should hammer this home during board training.

4. Verify Before You Trust

AI has a well-documented tendency to “hallucinate.” Directors must be reminded: AI is not a single source of truth. Compliance programs should emphasize verification. Encourage directors to cross-check AI outputs against trusted sources and ensure management reviews AI-generated analyses before relying on them for decision-making.

5. AI Is a Tool, Not a Decision-Maker

The most important compliance lesson: AI augments but does not replace human judgment. Directors remain bound by duties of care and loyalty. Compliance professionals must make clear that delegating decision-making to AI tools could not only harm the company but also expose directors to personal liability.

Building a Compliance Framework for Board Use of AI

The Skadden guide closes by urging boards to develop clear policies for AI use, including approved tools, acceptable uses, and required disclosures. For compliance officers, this is an opportunity to lead.

Here are key framework elements to consider:

  • Approved Tools List – Maintain a list of AI platforms validated by IT and legal for security and compliance.
  • Acceptable Use Policy – Define when and how directors may use AI (e.g., industry research, summarizing public filings) versus prohibited uses (e.g., uploading board decks, transcribing meetings).
  • Training and Awareness – Provide directors with training on AI risks, including confidentiality, discoverability, and hallucinations.
  • Monitoring and Audit – Periodically review the use of AI by directors to ensure compliance with relevant policies and regulations.
  • Disclosure Requirements – Require directors to disclose if AI tools were used to generate or summarize board-related materials.

Final Thoughts

The “Do’s and Don’ts of Using AI” is a timely reminder: AI governance is not only about company-wide adoption. It also starts at the top, with the board itself. Directors tempted to use AI in their own roles face unique risks. These risks could compromise confidentiality, destroy privilege, or erode fiduciary oversight.

For compliance professionals, this presents an opportunity to serve as both educator and enforcer. Just as compliance led the charge on insider trading policies, conflicts of interest, and anti-bribery training, so too must we lead on AI governance.

The bottom line is that AI can be an extraordinary tool for directors. But without compliance guardrails, it can also be a governance trap. Our role is to ensure the boardroom and the company stay on the right side of that line.