Tag: CCO

Categories
Blog

Returning to Venezuela: Why “Yes, If” Is the Only Defensible Compliance Answer

Most of you readers know that sometimes when I get going on a project, it (the project, not me) just keeps on growing. What started as a podcast with Matt Ellis on the risks of going back into Venezuela expanded out into a series of podcasts on the FCPA Compliance Report and with Mike DeBernardis on All Things Investigations. The podcasts led to a five-part blog post series on the same topic in the FCPA Compliance and Ethics Blog. I then needed to expand the blogs into a book and provide forms, checklists, frameworks, and deployment packs for compliance professionals to help them think through the issues presented in Venezuela and in other similarly high-risk jurisdictions.

All of that has led to the only book on how to return to Venezuela, Returning to Venezuela: The Compliance Guide to Yes, If (Title inspired by Mike DeBernardis). It is available in both print and eBook versions on Amazon.com.

When companies talk about returning to Venezuela, the conversation almost always begins with opportunity. Oil reserves. Market access. First-mover advantage. What the book Returning to Venezuela does is effectively reset that conversation where it belongs for compliance professionals: with reality. It is a disciplined, compliance-first analysis of what it actually means to operate in one of the world’s highest-risk jurisdictions.

The core message is uncompromising but straightforward: Venezuela is not a place for optimism, informal controls, or siloed compliance. It is a stress test. If your compliance program can function there, it can function anywhere. If it cannot, no license, policy, or assurance letter will save you. The book is not a warning label about Venezuela. It is a working manual for how a compliance function should assess risk, design controls, and govern decision-making before commercial momentum takes over.

Step One: Reframing the Risk Assessment

The first way a compliance professional should use Returning to Venezuela is to recalibrate how risk assessments are performed. Traditional country risk assessments often ask abstract questions: corruption perception scores, sanctions status, and enforcement history. Those inputs are necessary, but insufficient. Returning to Venezuela pushes compliance professionals to replace abstract scoring with operational mapping.

Instead of asking whether Venezuela is high risk, the framework asks:

  • Where will government discretion arise?
  • Where can delay be monetized?
  • Where does the business depend on intermediaries?
  • Where does value move, pause, or change form?

This is a critical shift. Risk is no longer treated as a country attribute. It becomes a process attribute. Compliance professionals can use Returning to Venezuela’s structure to redesign their risk assessment around real business steps: procurement, logistics, payment, security, licensing, and dispute resolution.

Step Two: Identifying Pressure Points Before They Become Incidents

Returning to Venezuela is especially useful in helping compliance professionals identify pressure points, not just risk categories. Pressure points are moments where the business is most likely to face demands for improper value, shortcuts, or exceptions. Procurement is one. Customs clearance is another. Security access, utilities, labor approvals, and payment routing are others.

Using Returning to Venezuela, compliance professionals can document:

  • Where pressure is expected;
  • Who owns the decision at that point?
  • What escalation looks like; and
  • When refusal or exit becomes mandatory.

This transforms compliance from a reactive role into a proactive role in designing decision architecture.

Step Three: Using the Checklists as Control Gates, Not Paper Artifacts

A common compliance failure is treating red flags as documentation exercises rather than control mechanisms. One of the strengths of Returning to Venezuela is that its red flags are designed as gates, not records. Each checklist answers a single question: Is this activity governable under our current assumptions?

Compliance professionals can deploy these checklists at defined moments:

  • Market entry discussions
  • Vendor and JV selection
  • Transaction structuring
  • Payment and banking design
  • Security and logistics planning

If a red flag cannot be cleared, the activity cannot proceed. That discipline is what makes the framework defensible. It also protects compliance officers personally, because decisions are anchored in documented governance rather than informal judgment.

Step Four: Integrating Risk Domains Instead of Managing Them in Silos

Another way compliance professionals should use Returning to Venezuela is as a blueprint for breaking down internal silos. The book makes clear that in Venezuela, corruption, export controls, AML, sanctions, security, and extortion are not separate risks. They are interconnected expressions of the same operating pressure. Treating them separately guarantees blind spots.

Practically, this means compliance can use the book to justify:

  • Integrated risk reviews instead of sequential sign-offs;
  • Shared escalation forums across functions;
  • Unified monitoring rather than separate dashboards; and
  • Common exit triggers across risk domains.

This is particularly important for AML. Returning to Venezuela positions money laundering risk not as a standalone compliance obligation, but as the capstone test of whether the entire framework works.

Step Five: Structuring Board Oversight Around Decisions, Not Updates

Too often, boards receive high-level compliance updates that provide comfort but not clarity. Returning to Venezuela gives compliance professionals a way to reframe board oversight around decisions, not reports. Using the board materials and decision templates, compliance can:

  • Force explicit risk acceptance;
  • Document assumptions that underpin approvals;
  • Secure delegated authority to pause or exit operations; and
  • Establish clear revisit and escalation triggers.

This protects both the organization and the compliance function. When conditions change, the discussion is no longer “Why did this happen? ” but “Which assumption failed, and what decision does that trigger? ” That is governance functioning as intended.

Step Six: Building a Repeatable Risk Management Framework

The final and most important way to use Returning to Venezuela is as a template, not a one-off Venezuela playbook. While the facts are Venezuela-specific, the framework is portable. Compliance professionals can lift this framework and apply it to:

  • Other high-risk markets;
  • Post-merger integration;
  • Sanctions-heavy environments; and
  • Complex third-party ecosystems.

The Appendices: The Operational Backbone of Returning to Venezuela: Yes, If

One of the defining features of Returning to Venezuela: The Compliance Guide to Yes, If is that it does not stop at analysis. The appendices convert risk identification into governance, decision-making, and operational control. They are not academic supplements. They are the machinery that makes a “yes, if” decision possible in practice.

Taken together, the appendices form an integrated compliance control stack designed for one purpose: to govern decision-making in an environment where corruption, coercion, sanctions, AML exposure, and weak rule of law are not edge cases but daily conditions.

Appendix A: One-Page Operational Checklists

Appendix A contains a series of one-page checklists, each focused on a distinct but interconnected risk domain. These are not policy summaries. They are operational gating tools meant to be used before decisions are made, not after problems occur.

Appendix B: The CCO Deployment Pack

Appendix B is written from the perspective of the Chief Compliance Officer and is explicitly operational. It is designed to be deployed internally to executive leadership, business sponsors, and control functions.

Appendix C: Board of Directors Materials

Appendix C is aimed squarely at directors and audit or compliance committees. Its function is not to educate boards on Venezuela generally but to structure how boards make, record, and revisit risk acceptance decisions.

Appendix D: Decision-Making Frameworks

Appendix D pulls together the logic underlying the entire book. It provides decision-making frameworks that force organizations to confront uncomfortable realities before committing resources.

How the Appendices Work Together

Individually, each appendix addresses a specific audience or function. Collectively, they form an integrated control system that aligns:

  • Operational decision-making.
  • Compliance authority.
  • Board oversight.
  • Exit discipline.

The appendices are designed to prevent the most common failure pattern in high-risk jurisdictions: waiting until conditions deteriorate before asking hard questions. By then, leverage is gone.

Final Thought

The most important contribution of Returning to Venezuela is that it does not accurately describe risk. It shows compliance professionals how to operate in the real world without surrendering control.

Used correctly, the book becomes a working tool:

  • To assess risk honestly;
  • To design controls that hold under pressure;
  • To align management and the board, and finally
  • To decide when “yes” becomes “no.”

For compliance professionals, that is not just risk management. It is about meeting the business in an operational setting with a risk management strategy for literally the highest risk on earth.

You can purchase Returning to Venezuela: The Compliance Guide to Yes, if on Amazon.com.

Categories
Blog

How Compliance Should Show Up Before the Crisis

Recently, my colleague Matt Kelly wrote a blog post about retaliation against Chief Compliance Officers (CCOs). Matt and I explored it in an episode of the podcast Compliance into the Weeds. Matt’s post and our discussion crystallized one of the frustrations of the CCO role: compliance is often experienced solely by senior management as a late-arriving messenger of bad news. When compliance walks into the room, something has already gone wrong. The tone changes. Defenses go up. Trust narrows.

Yet the most consequential moments for a CCO are precisely those situations where the stakes are highest. A potential regulatory disclosure. A decision about whether to notify a government agency. A moment where delay, missteps, or poor coordination can turn a manageable issue into an enterprise-level crisis. If compliance is only visible in those moments, the relationship with the CEO and executive leadership team is already at a disadvantage.

Interestingly, in our podcast, we explored a technique which might be termed “coaching management ahead of time”. Matt picked up the strategy of using a training borrowed from the cyber world of incident training for a cyber-attack. I see this as a very powerful way not only to communicate compliance but also to train on the specific issues senior management will face if a reportable compliance incident occurs. You could train on such hypotheticals by walking the executive leadership team through them so they understand the process, while also providing training on the specific issues.

I think this approach offers practical, repeatable ways to build trust with senior management before a crisis, so that when compliance raises a serious issue, the function is seen as a stabilizing force, not a source of panic.

The Core Problem: Compliance as the Bearer of Bad News

Many compliance officers do excellent technical work but still struggle to earn executive trust. The reason is not competence. It is timing and framing. Senior leaders often experience compliance in three narrow contexts:

  • An investigation has begun.
  • A whistleblower allegation has escalated; and/or
  • A regulator may need to be notified.

In those moments, compliance is necessarily directive. The CCO must slow decisions down, insist on process, and sometimes recommend outcomes executives would prefer to avoid. Without a foundation of trust, those recommendations can feel punitive or overly conservative. The solution is not softer messaging during crises. The solution is familiarity with the compliance process long before the crisis arrives.

Process Transparency as a Trust-Building Strategy

Trust is built through predictability. Senior executives are far more comfortable with difficult outcomes when they understand the process that leads there. This is where scenario-based training becomes one of the most underused tools in the compliance arsenal. Instead of waiting for a live issue, the CCO can walk the executive leadership team through realistic hypotheticals:

  • A fact pattern that suggests regulatory notification may be required
  • How compliance evaluates credibility and materiality
  • Who is involved at each stage and why
  • What decisions will management be asked to make
  • What actions help, and what actions make things worse

These sessions are not about assigning blame or rehearsing fear. They are about demystifying how compliance operates when the stakes are high.

Why Scenario-Based Training Works With Executives

Scenario-based discussions resonate with executive teams for several reasons. First, they are practical. Executives do not need another policy overview. They want to know what actually happens when something goes wrong. Second, they are respectful of executive time and intelligence. A well-designed hypothetical treats leadership as decision-makers, not students. Third, they normalize compliance involvement.

When executives have already walked through a compliance-led process in a low-pressure setting, that process feels familiar rather than threatening during a real event. Most importantly, scenario-based training reframes compliance from a reactive function to a preparedness function.

The Strategic Role of Informal Engagement

These conversations do not need to occur only in formal training sessions. In fact, some of the most effective trust-building happens outside structured settings.

  • A short walkthrough during an executive offsite.
  • A tabletop discussion over lunch.
  • A casual conversation that begins with, “Let me show you how we would handle this if it ever happened.”

These informal touchpoints matter because they remove fear from the equation. They allow executives to ask questions they might not ask during a live issue. They also allow compliance to show judgment, nuance, and business awareness. This is not a charm offensive. It is a deliberate relationship strategy.

Training on What Not to Do

One of the most valuable elements of scenario-based transparency is the ability to explain mistakes before they occur. Executives often want to help in a crisis. That instinct, while well-intentioned, can create problems. Premature document reviews. Side conversations. Incomplete recollections. Overconfident assurances.

Scenario training allows the CCO to say, in advance, “Here is what helps us protect the company,” and just as importantly, “Here is what can unintentionally make things worse.” When executives understand these boundaries ahead of time, compliance interventions during a real issue feel protective rather than restrictive.

From Messenger of Doom to Stabilizing Force

When compliance has invested in transparency and education, something important shifts. When the CCO later says, “We believe this may require regulatory notification,” that recommendation is no longer heard in isolation. It is understood as part of a known, previously discussed process.

Executives may not like the conclusion, but they trust the path that led there. That trust allows compliance to do its job effectively. It reduces friction. It shortens response time. It improves decision quality. Most importantly, it positions compliance as an advisor whose presence brings structure and clarity to uncertainty.

What Compliance Officers Should Take Away

For compliance officers, the lesson is not about presentation skills or tone management. It is about timing and familiarity. If senior management only experiences compliance during moments of stress, compliance will always feel adversarial. If senior management understands the compliance process before the stress arrives, compliance becomes a stabilizing influence.

Scenario-based training, informal engagement, and process transparency are not “nice to have” activities. They are strategic tools for relationship-building at the highest levels of the organization. The most trusted CCOs are not those who avoid bringing bad news. They are the ones who ensure that when bad news arrives, it is delivered within a framework everyone already understands. That is how compliance earns trust before the crisis and credibility during it.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 26 – Elevating the Role and Independence of the Chief Compliance Officer

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 26 episode, we ponder the evolving stature and authority of the CCO within organizations, as highlighted by recent guidelines and regulations.

Key highlights:

  • Key Inquiries Around the CCO and Compliance Function
  • Importance of CCO Certification and Court Decisions
  • Critical Takeaways for Compliance Professionals

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Addressing Retaliation Against Compliance Officers: Strategies and Insights

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the challenges of retaliation against Chief Compliance Officers (CCOs).

They highlight the need for ongoing communication between compliance officers and senior management and share strategies for CCOs to mitigate personal risk. The discussion includes real-world examples, the role of senior management in fostering a compliant culture, and the importance of scenario planning and training to prepare for potential issues. The episode emphasizes proactive measures such as charm offensives and preemptive remediation plans to navigate and defuse potential retaliatory scenarios.

Key highlights:

  • Real-Life Examples of Retaliation
  • Management’s Perception and Compliance Challenges
  • Building Relationships with Senior Management
  • Proactive Compliance Strategies to Prevent Retaliation
  • Framing Compliance Training Like Cybersecurity Drills

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Sunday Book Review

Sunday Book Review: January 18, 2026, The Top Books on Innovation ’26 Edition

In the Sunday Book Review, Tom Fox considers books that would interest compliance professionals, business executives, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest Tom. In this episode, we look at some of the top books on innovation, both those already published and those scheduled for 2026.

  1. Twin Transformation: A Gripping Tale of How AI and Sustainability Converge, and the Race to Get It Right by Michael Wade & Konstantinos Trantopoulos 
  2. The Innovation Approach: Overcoming the Limitations of Design Thinking and the Lean Startup by David C. Roach
  3. The Shortest History of AI: The Six Essential Ideas That Animate It by Toby Walsh
  4. The Coming Wave: AI, Power, and Our Future by Mustafa Suleyman & Michael Bhaskar
Categories
Blog

Greek Philosophers Week: Part 3 – Aristotle and the Daily Practice of Ethics & Compliance

In Part 3, we continue our exploration of the origins of the modern corporate compliance organization, tracing them back to the ancient Greek philosophers, including Aristotle. Plato teaches compliance professionals how to design ethical governance systems. But anyone who has ever operated a compliance program knows that structure alone does not guarantee ethical behavior. Policies exist. Committees meet. Reporting lines are drawn. And yet misconduct still occurs. That is where Aristotle becomes essential to the modern compliance conversation.

Aristotle was not interested in ideal societies. He was interested in how people actually behave. His philosophy focuses on habit, judgment, incentives, and purpose, all of which are central to daily compliance operations. The DOJ Evaluation of Corporate Compliance Programs (ECCP) reflects this Aristotelian realism. It asks not only whether a program is well designed, but also whether it is implemented in practice and works in reality.

If Plato is the architect of compliance, Aristotle is its operator.

Virtue as Habit, Not Aspiration

Aristotle rejected the idea that ethics is a matter of knowing the right thing. He argued that virtue is formed through repeated action. People become ethical by practicing ethical behavior until it becomes a habit. This insight aligns directly with the ECCP’s focus on implementation and effectiveness. Prosecutors do not evaluate what a company claims to value. They assess how employees actually behave under pressure. Training, policies, and controls matter only to the extent they shape habits.

In daily compliance work, this means moving beyond episodic interventions. Annual training does not create virtue. Consistent reinforcement does. Indeed, the DOJ specifically called out companies that “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

Managers who model ethical decision-making, align incentives with values, and apply consequences fairly all shape behavior over time. Aristotle reminds us that culture is built one decision at a time.

Practical Wisdom and Gray-Area Decision Making

Aristotle distinguished between technical knowledge and phronesis, or practical wisdom. Rules cannot anticipate every situation. Judgment fills the gap. The ECCP implicitly recognizes this by emphasizing risk-based decision-making. A compliance program that relies solely on rigid rules will fail in complex environments. Investigations, third-party reviews, and transaction approvals all require judgment informed by experience and context.

For compliance professionals, this means embracing their role as ethical decision-makers rather than just rule enforcers. It also means documenting judgment. Regulators understand discretion, but they expect it to be principled, consistent, and explainable. Aristotle teaches that wisdom is demonstrated through action guided by reason.

The Golden Mean and Proportional Compliance

One of Aristotle’s most enduring ideas is the Golden Mean. Virtue lies between extremes. Courage sits between recklessness and cowardice. The same principle applies to compliance design and operations. The ECCP expects programs to be appropriately tailored to risk. Over-engineered compliance systems create fatigue, false positives, and cynicism. Under-resourced programs invite misconduct. Both extremes are failures.

Daily compliance operations must strike a balance. Monitoring should be robust but targeted. Controls should be strong but workable. Reporting requirements should capture risk without overwhelming employees. Aristotle reminds us that effectiveness lives in proportion, not excess.

Incentives Reveal Character

Aristotle believed character is revealed by what people pursue and what they are rewarded for achieving. This lesson is painfully relevant to compliance failures. This is also the basis for modern due diligence. The ECCP repeatedly asks how companies incentivize compliance and discipline amid misconduct. The ECCP states, “Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Compensation structures that reward results regardless of method undermine every policy on the books. Employees respond to what is rewarded, not what is written.

In practice, compliance professionals must engage with compensation, promotion, and performance management. Ethics cannot be siloed. When high performers are excused from consequences, the organization sends the message that virtue is optional. Aristotle would argue that such systems inevitably produce unethical outcomes, regardless of stated values.

Purpose and the Role of Compliance

Aristotle believed everything has a telos, an ultimate purpose. Understanding purpose guides action and gives coherence to effort. Compliance programs often struggle when their purpose is framed narrowly as avoiding fines or enforcement. The ECCP encourages companies to adopt a broader perspective, emphasizing risk management, trust, and sustainable operations.

In daily work, purpose shapes priorities. Is compliance positioned as a business partner or a policing function? Is it involved early in decision-making or consulted after damage is done? Aristotle teaches that clarity of purpose aligns behavior. When compliance understands and articulates its role as protecting the organization’s long-term health, its influence grows.

5 Key Takeaways for the Compliance Professional

1. Ethical behavior is formed through habit, not intention.

Aristotle teaches that virtue develops through repeated action. Compliance programs must therefore consistently reinforce ethical behavior, not just episodically. The ECCP emphasizes implementation because policies alone do not shape conduct. Daily reinforcement through leadership behavior, aligned incentives, and consistent consequences builds habits that endure. Compliance professionals should evaluate whether their programs influence how employees actually act under pressure, not just what they acknowledge in training.

2. Judgment is a core compliance competency.

Rules cannot anticipate every scenario. Aristotle’s concept of practical wisdom aligns with the ECCP’s expectation of risk-based decision-making. Compliance professionals must exercise and document judgment in investigations, approvals, and remediation. This requires experience, training, and independence. Ethical compliance is not mechanical. It is reasoned, contextual, and defensible when challenged by regulators or boards.

3. Proportion matters in compliance design.

The Golden Mean teaches that extremes undermine effectiveness. Overly burdensome controls create fatigue and workarounds. Weak controls invite abuse. The ECCP expects tailoring based on risk, geography, and business model. Compliance leaders must design right-sized programs that employees can follow and that management can support. Balance is not compromise. It is effective.

4. Incentives define culture more than policies.

Aristotle understood that character is shaped by what is rewarded. Compliance failures often stem from misaligned incentives. The ECCP scrutinizes compensation and discipline for this reason. Daily compliance operations must engage with HR and leadership to ensure ethics are embedded in performance evaluations, promotions, and bonuses. Culture follows incentives, not slogans.

5. Compliance must have a clear purpose.

Aristotle’s concept of telos reminds us that purpose guides action—compliance programs framed solely as legal defense lose credibility. The ECCP encourages a broader view of compliance as a risk-management and trust-building approach. When compliance professionals articulate their purpose clearly, they gain influence, resources, and early involvement in decisions that matter.

From Aristotle to Pythagoras: From Judgment to Measurement

Aristotle grounds compliance in habit, judgment, and proportion. But judgment alone is not enough in modern organizations operating at scale. As programs mature, leaders ask how to measure effectiveness, detect patterns, and anticipate risk.

That transition leads naturally to Pythagoras. Where Aristotle focuses on ethical action, Pythagoras focuses on number, proportion, and harmony. In compliance terms, this is the shift toward data analytics, metrics, and AI. If Aristotle teaches us how people should behave within ethical systems, Pythagoras teaches us how to observe, measure, and test whether they actually do.

Aristotle teaches us how ethical compliance is lived day to day. Pythagoras will push the conversation further, asking how data, analytics, and AI can measure, test, and strengthen those ethical systems without losing proportion or judgment. Join us tomorrow in Part 4 to find out how.

 

Categories
Innovation in Compliance

Innovation in Compliance – The Strategic Evolution of Compliance: Insights from Angie McPhail

Innovation comes in many forms, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Angie McPhail to discuss the transformation of compliance from a regulatory function to a strategic business imperative.

Angie shares her professional background, having led the Integrity and Compliance group for the Americas at Juniper Networks before its acquisition by HPE. Key discussions include the evolving role of compliance as a strategic influencer within organizations, the intersection of ethics and integrity with ESG, and the importance of trust in building effective compliance programs. Angie emphasizes the need for compliance professionals to understand business strategy, leverage technology, and build trust to drive sustainable growth. The talk also covers the future outlook for compliance leaders and provides advice on preparing the next generation of compliance professionals.

Key highlights:

  • Compliance as a Strategic Business Function
  • Influence and Trust in Compliance
  • Compliance as a Driver of Business Success
  • Managing Reputational Risk
  • Future of Compliance Leadership

Resources:

Angie McPhail on LinkedIn

Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.

Categories
Blog

Greek Philosophers Week: Part 1 – Socrates and the Asking Questions

I have long wanted to trace the origins of the modern corporate compliance organization back to the ancient Greek philosophers, drawing lessons for compliance and ethics in 2026 and beyond. Today, I begin a five-part series where I do just that. In this series, we will consider Socrates, Plato, Aristotle, Pythagoras, and Euclid. We start with Socrates.

Socrates left no writings of his own. What he left was a method. He believed wisdom began with recognizing what one did not know and then relentlessly testing assumptions through disciplined questioning. That approach maps directly onto the daily work of the compliance professional. Risk assessments, investigations, root cause analysis, culture reviews, and even board reporting all rise or fall based on the quality of the questions asked.

Every effective compliance program begins with a question. Not a policy. Not a control. Not a dashboard. A question. That insight alone makes Socrates the right place to start any serious discussion about the influence of ancient Greek philosophy on modern corporate compliance and ethics programs.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use the word “Socratic,” but its expectations are unmistakably aligned with Socratic inquiry. Prosecutors repeatedly ask whether a company understands its risks, tests its assumptions, challenges its controls, and adapts when reality changes. A compliance program that does not ask hard questions is not mature. It is merely quiet. Indeed, Hui Chen, the author of the original ECCP, has said that a key purpose of the ECCP was to get compliance professionals to ‘ask questions’.

Ethical Inquiry as a Compliance Obligation

Socrates believed that unexamined beliefs were dangerous. He challenged Athenian leaders not because he enjoyed disruption, but because false confidence creates harm. In a corporate setting, the same risk exists when executives assume that a policy equals compliance or that training completion equals ethical behavior.

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

These questions are fundamentally Socratic. It demands inquiry into how the business actually operates, where pressure points exist, and how misconduct could realistically occur. A compliance function that accepts management narratives at face value fails this test.

Daily compliance operations depend on this discipline. When reviewing third-party relationships, a Socratic compliance officer does not ask whether due diligence was performed. They ask whether it was sufficient, whether red flags were rationalized, and whether business incentives distorted judgment. That is inquiry, not administration.

Challenging Assumptions Without Becoming the Enemy

Socrates was executed because his questioning made powerful people uncomfortable. Compliance professionals face a less dramatic, but no less real, version of that tension. The role requires challenging assumptions, even when doing so slows deals, complicates reporting lines, or disrupts revenue projections.

The ECCP specifically evaluates whether a corporate compliance function has sufficient staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. Does the company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

Those structural questions exist because DOJ understands that inquiry without protection is performative. If compliance professionals cannot safely ask uncomfortable questions, the program is cosmetic.

In daily operations, this plays out in subtle ways. Does compliance have the authority to pause a transaction? Can investigators follow evidence wherever it leads? Are audit findings welcomed or explained away? A Socratic approach demands that compliance leaders test these realities rather than assume the answer.

The Socratic Method in Investigations and Root Cause Analysis

Socrates did not accept the first answer offered. He pushed deeper, often exposing contradictions or incomplete reasoning. That approach is directly applicable to investigations and root cause analysis. The ECCP places significant emphasis on whether companies understand why misconduct occurred and whether remediation addresses underlying causes. Too many investigations stop at identifying who violated a policy. Echoing Jonathan Marks, Socratic investigation asks why the violation made sense to the individual at the time. What pressures existed? What incentives misaligned behavior? What controls failed or were bypassed?

This type of inquiry requires patience and courage. It also involves trust from leadership. Findings may implicate management decisions, cultural signals, or compensation structures. Socrates reminds us that truth-seeking is rarely comfortable, but it is essential to ethical improvement.

Culture Is Revealed by the Questions You Allow

Socrates believed that a society’s health could be measured by its openness to questioning. The same is true for corporate culture. The questions employees feel safe asking reveal more than any values statement. The ECCP now explicitly asks companies to explain how they measure and address culture. The ECCP states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Surveys, hotline data, and exit interviews are tools, but they are meaningless without inquiry. Key questions include: Are employees encouraged to speak up? Are concerns investigated thoroughly? Are outcomes communicated? Is retaliation punished?

In daily compliance practice, this means listening as much as enforcing. A Socratic compliance program does not treat employee concerns as noise to be managed. It treats them as data points to be explored. The quality of questions asked in response to a report often determines whether trust is strengthened or destroyed.

5 Key Takeaways for the Compliance Professional

1. Effective compliance begins with inquiry, not documentation.

A compliance program does not become effective simply because policies exist or training is completed. Effectiveness begins when compliance professionals consistently ask how misconduct could realistically occur within their organization. This requires challenging business assumptions, pressure points, and incentive structures. The ECCP repeatedly emphasizes the importance of understanding risk in context, which is impossible without disciplined questioning. A Socratic approach positions inquiry as an operational obligation, not an intellectual exercise, ensuring the program remains dynamic, responsive, and grounded in reality rather than formalism.

2. Risk assessments are living Socratic exercises, not static reports.

Too many organizations treat risk assessments as periodic documentation rather than ongoing inquiry. A Socratic risk assessment tests assumptions continuously as business models, geographies, and incentives evolve. Compliance professionals should revisit risk hypotheses, ask whether controls still function as intended, and challenge comfort-driven conclusions. Under the ECCP, regulators expect risk assessments to inform program design and resource allocation. Socratic inquiry ensures risk assessments remain relevant, credible, and capable of identifying emerging threats before they mature into enforcement issues.

3. Investigations must pursue understanding, not merely attribution.

Identifying who violated a policy is rarely sufficient to prevent recurrence. A Socratic investigation asks why the misconduct occurred, what pressures or incentives influenced behavior, and how organizational systems failed. This aligns directly with the ECCP’s focus on root cause analysis and remediation. When compliance professionals ask deeper questions, investigations become tools for program improvement rather than disciplinary endpoints. This approach strengthens controls, enhances credibility with regulators, and reduces the likelihood of repeat misconduct driven by unresolved systemic weaknesses.

4. Speak-up culture is defined by response quality, not hotline volume.

Organizations often measure speak-up culture by the number of reports received, but Socrates teaches that the real measure lies in how questions are received and addressed. Employees quickly learn whether raising concerns leads to thoughtful inquiry or defensive dismissal. The ECCP evaluates whether companies encourage reporting, protect against retaliation, and communicate outcomes appropriately. A Socratic compliance function listens carefully, asks clarifying questions, and treats concerns as signals worth examining. That discipline builds trust and reinforces ethical accountability across the organization.

5. Socratic questioning requires independence, authority, and protection.

Inquiry without authority is performative. Socrates paid the ultimate price for challenging power, but modern compliance professionals should not. The ECCP explicitly assesses whether compliance functions have sufficient independence, resources, and access to leadership. Without these safeguards, difficult questions go unasked or unanswered. A Socratic compliance program empowers professionals to challenge decisions, pause transactions, and escalate concerns without fear of retaliation. That structural support transforms ethical inquiry from individual courage into institutional practice.

From Socrates to Plato: From Inquiry to Structure

Socrates gives us the starting point. He teaches the compliance professional how to think, question, and resist complacency. But inquiry alone is not enough. Questions must eventually lead to structure, governance, and systems that translate insight into action.

That transition sets the stage for Plato. Where Socrates focuses on method, Plato focuses on design. The movement from Socrates to Plato mirrors the evolution of a compliance program itself, from asking whether risks exist to building governance structures capable of addressing them. In that sense, Socrates is the conscience of the compliance function. He reminds us that effectiveness begins with intellectual honesty and ethical curiosity. Without those traits, even the most sophisticated compliance architecture will rest on shaky ground.

Join us tomorrow for Part 2 and learn about Plato’s role in today’s compliance and ethics programs.

Categories
Innovation in Compliance

Innovation in Compliance – Exploring Fractional and Adjunct Risk Professionals with Gerry Zack

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes back Gerry Zack to discuss a novel service offering in the compliance and risk management community: fractional and adjunct risk professionals.

Zack explains how these roles can supplement companies that lack certain expertise or can’t afford full-time positions, particularly highlighting the benefits of long-term relationships. The discussion also covers the distinctions between compliance and broader risk management, the flexibility of fractional contracts, and the importance of alignment in risk management practices across different organizational departments.

Key highlights:

  • Exploring the Concept of Fractional CCO
  • Long-term Benefits of Fractional Roles
  • Risk Professional Services vs. Compliance
  • Applications and Benefits of Fractional Roles
  • Challenges and Considerations

Resources:

Gerry Zack on LinkedIn

RiskTrek website

Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.

Categories
Blog

Millicom Cellular, Part 2: Lessons Learned on Cartels, Cash, and Control Failures

The Millicom Cellular FCPA enforcement action is not just another FCPA case. It is a case that signals a new frontier for compliance risk. It blends classic corrupt-payment schemes with organized crime, narcotrafficking proceeds, obstructed governance, and aggressive legislative capture. It is a wake-up call for compliance officers that the threat landscape is expanding in ways that require deeper operational controls, broader due diligence frameworks, and more sophisticated cross-functional collaboration.

In Part 1, we considered the underlying facts and FCPA violations of this matter. In Part 2, we examine what compliance professionals must take away from the case.

Lesson 1: Joint-Venture Governance Failures Are Not a Defense

Millicom Cellular held a 55 percent ownership stake in TIGO Guatemala, but the local partner exercised operational control and blocked Millicom Cellular from information and cooperation. The DOJ notes that Millicom Cellular voluntarily disclosed early concerns in 2015 but was unable to compel cooperation from local executives or obtain complete data. The result is a clear message:

Ownership without operational control equals enormous FCPA exposure.

Compliance professionals must:

  • Implement JV governance protocols that require access rights, audit rights, and cooperation language in shareholder agreements. Try to place your company’s representative as the CFO of the joint venture.
  • Establish escalation pathways if a partner obstructs investigations.
  • Treat “majority ownership without control” as a high-risk structure in compliance risk assessments.

Yet notwithstanding the foregoing, DOJ has made clear it will not accept a lack of control as an excuse for failing to detect corruption, especially when red flags are visible.

Lesson 2: Cash-Based Bribery Ecosystems Require a Different Kind of Monitoring

The bribery scheme ran almost entirely on cash: cash in duffel bags delivered by helicopter, cash laundered through drug traffickers, cash moved through shell companies, and cash withdrawn from banks in plastic bags. Traditional financial controls are almost useless in the face of an off-books cash economy. Compliance must be enhanced:

  • Controls around cash withdrawals
  • Monitoring of cash-intensive vendors
  • Patterns of invoicing irregularities
  • Real-time analytics on deviations in expense and procurement behavior

This is not a theoretical exercise. It is an operational reality for companies in high-risk jurisdictions.

Lesson 3: Cartel Exposure Is Emerging as a Corporate Compliance Obligation

This case represents one of the most explicit linkages between FCPA violations and narco-trafficking cash flows. The scheme not only involved bribes; it also involved bribes financed by organized crime. Compliance officers must now assume that criminal networks may view legitimate multinationals as conduits for illicit financial flows. This demands:

  • Enhanced beneficial-ownership checks
  • Screening for cartel-linked financial intermediaries
  • Deeper diligence on bankers, lawyers, and consultants
  • Country-level threat mapping that includes cartel and organized crime indicators

The DOJ has increasingly emphasized convergence risk between corruption, money laundering, and organized crime. The Millicom Cellular enforcement action is a prime example.

Lesson 4: “Influencing Legislation” Is a Red Flag, Not a Business Strategy

TIGO Guatemala sought legislative outcomes that would alter the national telecom law. That in itself is not illegal. What is unlawful is tying legislative outcomes to cash bribes, helicopter deliveries, and cartel-funded transactions. Compliance teams must scrutinize:

  • Payments to lobbyists, political consultants, and intermediaries
  • Relationships with legislators and political parties
  • Sponsorships, charitable donations, and community programs with political beneficiaries

Any effort to “shape legislation” must come with strict controls.

Lesson 5: Data Gaps Are Compliance Gaps

Millicom’s inability to obtain information access within its own joint venture delayed detection and undermined the credibility of its initial self-disclosure. Compliance professionals must demand:

  • Rights to data
  • Rights to conduct investigations
  • Rights to interview employees
  • The right to require cooperation from partners

A partner who denies access creates liability.

Lesson 6: Remediation Must Be Conducted Like a Corporate Transformation

Millicom’s remediation was extensive. It included:

  • Replacing senior personnel
  • Centralizing compliance oversight
  • Enhancing third-party onboarding and continuous monitoring
  • Adding data analytics
  • Conducting control testing across more than 250 transactions
  • Creating an ephemeral-messaging retention policy
  • Increasing compliance headcount by 800 percent (pages 5–6)

The DOJ’s description reads less like remediation and more like organizational reinvention. That is the expectation now. Compliance must treat remediation as a fully integrated operational overhaul.

Lesson 7: The DOJ Will Reopen Cases When New Evidence Emerges

The DOJ initially closed the investigation in 2018. It reopened the case in 2020 after uncovering new evidence from outside sources, including cartel-linked transactions. The message is clear:

  • Self-disclosure is not a shield when the company lacks visibility into misconduct.
  • Failure to detect ongoing wrongdoing can undermine trust and credit for cooperation.
  • Compliance must ensure continuous monitoring even after perceived risk has been reduced.

Conclusion: The New Compliance Mandate

The Millicom Cellular enforcement action demonstrates that compliance risk is no longer confined to corrupt payments. It now involves organized crime, cash-based bribery systems, cross-border laundering, political capture, and governance obstructions. Compliance professionals must operate with a broader risk lens, encompassing cartel risk, cash-economy vulnerabilities, high-risk political interactions, and joint-venture control structures. This is a key enforcement effort of the Trump Administration.

The future of compliance is not about preventing bribery alone. It is about defending the corporation from becoming an unwitting partner in a criminal enterprise.