Categories
FCPA Compliance Report

FCPA Compliance Report – Navigating Uncertainty: Leading with Courage and Clarity with Jim Massey

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom welcomes Jim Massey, who has recently released a new book, Risk in Action.

Jim Massey, an accomplished author and behaviorist practitioner, delves into the intricate dynamics of trust within leadership through his book “Risk in Action.” Drawing from his extensive experience in high-stakes boardrooms and executive sessions, Massey emphasizes the crucial role of trust as a foundation for effective action. He explores the interconnected nature of trust, risk, and fear, urging individuals to redefine risk as a prioritization tool that enables progress and bold decision-making. By addressing these themes, Massey aims to spark vital conversations and empower leaders to embrace uncertainty, ultimately encouraging them to take courageous actions that drive growth and innovation.

Key highlights:

  • Navigating Trust, Risk, and Fear in Leadership
  • Enhancing Business Outcomes through Proactive Risk Management
  • Cultivating Innovation Through Compliance Transformation
  • Embracing Fear for Innovative Growth
  • Dynamic Risk Assessment for Compliance Agility
  • Navigating Uncertainty: Leading with Courage and Clarity

Resources:

Risk in Action on Amazon

Jim Massey Website

Jim Massey on LinkedIn

Eastward.ai Website


Categories
Blog

When Maps Become Moral Documents: Why Compliance Must Own the Lines That Shape Risk

In compliance, we spend a great deal of time talking about frameworks, policies, and procedures. Yet some of the most powerful instruments in any governance ecosystem do not look like policies at all. They look like maps. They look like heat grids, risk matrices, shaded zones, and tidy borders that suggest precision even when uncertainty runs underneath them like an underground river.

From FEMA flood panels to enterprise risk heat maps, every organization uses maps to tell itself where danger lies and where safety supposedly begins. But here is the hard truth: maps are not technical artifacts. Maps are moral documents. They allocate duties, distribute the burden, and tell people whether they need to prepare or can relax. They shape budgets, attention, and ultimately accountability. And if the compliance function is not involved in how those maps are created, interpreted, and refreshed, then the organization is making ethical choices without a moral lens.

Today, I want to explore why maps are moral, what that means for governance, and what the compliance professional must do to ensure these documents reflect not only data but also duty.

Maps Allocate Duty

Every map draws lines that determine who must act. A FEMA flood map decides whether a camp, neighborhood, or business must carry flood insurance. A corporate risk heat map determines which business units receive enhanced oversight and which do not. A supply chain risk atlas determines who must perform due diligence and who can move goods without interruption.

Once a line is drawn, responsibility flows from it. A zone marked “high risk” sets expectations for controls, investment, and scrutiny. A zone marked “low risk” effectively signals that no further action is required. These judgments may feel technical, but they are deeply moral. They define the boundaries of duty. Compliance must be at the table when those lines are drawn. Otherwise, risk decisions become engineering exercises that inadvertently shift ethical burdens onto people who did not choose them.

Maps Encode Assumptions

Maps are built on models, thresholds, and historical patterns. But assumptions sit inside those models like coiled springs.

Which data is used?

Which data is excluded?

Which thresholds define severity?

Which events are treated as plausible?

Which sources are considered authoritative?

A map is never neutral. It always privileges certain histories, geographies, and scenarios over others. A corporate misconduct heat map based solely on historical hotline data will inevitably underweight emerging risks. A supply chain map that excludes subcontractors misses where real harm often occurs. A financial crime exposure map that relies solely on official lists will miss high-risk jurisdictions operating in gray zones. When compliance reviews these maps, the question is not whether the data is accurate. The question is whether the assumptions align with the organization’s ethical obligations.

Maps Shape Budgets and Behavior

Color drives capital. If an enterprise risk map identifies three red zones and ten green zones, everyone knows where the money is going. Green becomes the land of the unexamined. Yellow becomes “monitor and report.” Red becomes “fix this yesterday.” The danger arises when risk colors are treated as immutable truth rather than directional guidance. Compliance professionals know that a green box is not safety; it is an artifact of a model. And sometimes, it is an artifact of politics.

When business units understand that the map determines their workload, incentives emerge to influence the color. This is precisely why compliance must defend the integrity of the map and maintain independence in how risks are classified. The ethics are simple: if a map drives budget decisions, then the standards behind it must be transparent, fair, and aligned with the organization’s core mission.

Maps Create Winners and Losers

Every risk map is also a distributional map. Departments inside a red zone receive controls, resources, and escalation routes. Departments outside it may receive none. That inequity can have real consequences. Red zones experience heavy scrutiny but also benefit from board-level attention. Green zones may be left alone, but they also lack the resources needed when a new risk emerges.

Flood maps create similar inequities: one parcel receives insurance, mitigation funds, and federal guidance; the parcel across the street gets nothing until the water rises high enough to erase the line. Compliance must examine whether the “winners” and “losers” created by risk maps reflect risk reality or merely historical artifacts.

Maps Fix Narratives

Once published, maps become the truth. Boards rely on them. Auditors embed them into work plans. Regulators ask about them. Data teams update them. And leaders cite them to explain why certain risks were or were not prioritized. A flawed map can harden into institutional fact. It can shape decision-making for years. It can justify inaction. It can mask brewing crises. And when risk crystallizes into harm, those relying on the map will discover too late that precision was an illusion. Compliance serves as the conscience that returns the organization to humility. Every map should come with a disclaimer: “Here is our best understanding as of today, but all maps are drafts.”

Governance Checklist for Ethical Mapping

Compliance can bring discipline and transparency by treating maps like policies. They require version control, authorship, documented assumptions, and scheduled refresh cycles. Here is a governance lens for any map that influences risk:

  1. Provenance: Who created the map, with what data, and what was deliberately excluded? If exclusion changes the ethical calculus, it must be surfaced.
  2. Alignment to Risk Appetite: Are thresholds tied to enterprise risk appetite, the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), and regulatory expectations? Or did the model simply make them convenient?
  3. Equity Across Stakeholders: Who bears the residual risk outside the lines? What does the map fail to capture about vulnerable populations, small sites, or contractors?
  4. Scenario Overlays: Have low-probability, high-impact events been tested against the map? Compliance should insist on stress testing.
  5. Update Cadence: Does the map have an expiration date? Every risk map should.
  6. Auditability: Can the map be reconstructed from its inputs and assumptions? If not, it is a narrative, not a control.
  7. Communication Duty: Every map must include plain-language guidance, escalation paths, and explicit caveats for those adjacent to but outside the risk zones.
  8. Budget Connection: Colors must correspond to predetermined actions. Otherwise, resource allocation becomes politics by palette.

What Compliance Must Do

Compliance does not need to own the model. Compliance must own the ethical underpinnings of the model. That means three responsibilities:

  • Own the legend. The color definitions, thresholds, and assumptions must reflect ethical and legal duties, not convenience.
  • Bring the board a map-ethics memo. One page: assumptions, blind spots, intended uses, and the refresh cadence.
  • Ground-truth everything. Walk the sites, review complaints, and test whether green zones reflect lived reality.

Maps guide action. Compliance ensures that the action they guide aligns with the organization’s values, obligations, and responsibilities to its stakeholders.

Conclusion

Maps are powerful. They shape perception, allocation, and accountability. But they are not neutral. They are moral documents and, therefore, compliance documents. When compliance embraces that role, maps become more than diagrams. They become tools for fairness, integrity, and informed oversight.

Categories
Blog

Listen Up: Why Voice-Driven Storytelling Is Compliance’s Most Underused Tool

In the modern corporate environment, we face a paradox: we have never had more tools to communicate, yet employees have never felt more overwhelmed by the sheer volume of communication. Emails drown in inboxes. Slide decks gather dust. Policy updates are skimmed at best and ignored at worst. For compliance officers trying to connect with a global workforce, the problem is not merely volume; rather, it is attention, trust, and retention.

That is where audio communication comes into play. Increasingly, forward-leaning companies are turning to voice-driven communication, which includes short audio messages, internal podcasts, and narrative voice notes, as a powerful way to reach employees where they are. If you are not already leveraging the human voice as part of your compliance toolkit, you are missing a deeply effective channel hiding in plain sight.

Because voice is not just another medium; voice is human. Voice conveys credibility, vulnerability, and intention. Voice cuts through noise in ways no written communication can match. And for compliance programs striving to build cultures of ethics and accountability, that authenticity is invaluable.

This makes it an ideal tool for compliance professionals to use in their communications. You can use it in long-form podcasts or short, bite-sized espresso shots of compliance.

Why Voice Still Wins in a Digitized World

Every compliance officer knows that trust is the currency of influence. Trust is built not only through facts but also through perceived sincerity. When employees hear a leader’s voice, it comes across as unpolished, direct, and unfiltered. Employees react differently when they hear a leader speak than when they read a sanitized corporate memo.

Tone becomes a tool. Cadence creates emphasis. A pause invites reflection. A shift in pitch signals seriousness or warmth. These cues are lost in text but are essential when navigating complex ethical issues, gray areas, and behavioral expectations. Voice also supports what I call the narrative advantage. Humans remember stories far better than bullet points. An audio message built around a real-world dilemma (“Let me tell you about a call I got last Friday…”) lands with more impact than a list of rules ever will. For compliance, where the goal is not mere knowledge but behavioral change, this is rocket fuel.

Five High-Impact Voice Formats for Compliance Leaders

You do not need an internal studio or a communications team to use voice effectively. You need structure, intention, and consistency. Here are five proven formats I encourage compliance professionals to adopt:

1. Two-Minute Ethics Drops

A weekly, two-minute audio memo from the CCO or another senior leader can reshape how employees perceive compliance. These are not policy recitations. They are reminders, insights, or reflections on real events, brief enough to consume during a commute, meaningful enough to spark thought. Imagine this as the compliance equivalent of a coach’s pre-game talk.

2. Manager Voice Notes

Compliance does not scale unless managers become compliance multipliers. Provide managers with scripts or talking points, and then ask them to record brief voice notes for their teams. Local leaders speaking in their own words create a sense of intimacy and authenticity. People listen differently when the speaker is their direct leader, rather than a representative from headquarters.

3. Decision Diaries

These short, story-based audio segments illustrate how hard decisions are made inside the organization. They highlight the tension between competing priorities—sales versus safety, growth versus due diligence, and speed versus accuracy—and guide employees through the reasoning process. Employees learn not only what decision was made, but also why it was made.

4. Speak-Up Spotlights

One of the most underutilized voice tools is the anonymized “speak-up journey” segment. These episodes take listeners inside the lifecycle of a report without revealing identities. This builds trust in the system, demystifies investigations, and demonstrates action. It is one of the fastest ways to strengthen your speak-up culture.

5. The Board-Level Fireside

A quarterly voice conversation between the CCO and board chair (or audit committee lead) is incredibly powerful. Hearing the board speak directly to employees about ethics and risk sends a crystal-clear message: this topic matters at the highest levels. This is tone-from-the-top in its purest form.

How to Craft Voice Messages That Actually Land

There is an art and a discipline to creating voice content that resonates and drives behavior. Based on what I’ve seen across leading compliance programs worldwide, here are the five principles that matter most.

Lead with humanity, not rules.

Start with a lived moment or recognizable scenario. “I got a call last week that stopped me cold…” is a more effective opening than “According to Policy 3.4.”

Use language meant for the ear.

Short sentences. Natural phrasing. Conversational tone. You are having a hallway conversation, not reading a legal memo.

Deliver one idea per recording.

If your message attempts to cover five policies, employees will remember none of them. Focus on a single behavior change or risk awareness point.

Tie every story to a specific action.

Compliance storytelling without a call to action is entertainment. You want transformation.

Examples:

  • “If you see a third party offering to ‘open doors,’ log it today.”
  • “If a customer requests data access, use the Data Transfer Checklist before responding.”

Close with a choice.

End with clarity: “If X happens, do Y by Z.” Employees appreciate explicit guidance. Regulators notice it too.

Measuring Impact: Voice Is Still Data

Even though voice feels personal and human-centered, it does not escape measurement. In fact, the metrics are straightforward and incredibly useful:

  • Reach—How many employees pressed play?
  • Completion—Do people listen past the first minute?
  • Reflections—Capture a one-question pulse: “What would you do now?”
  • Action proxies—Did advisory requests or help tickets increase after the episode?

When we combine voice with smart analytics, we get a clear picture of engagement and behavioral shifts. This turns compliance storytelling into compliance intelligence.

Governance, Structure, and Safety

Voice communication must be treated like any other formal compliance communication channel. That means:

  • Pre-clearance of scripts with Legal and HR
  • Transcripts stored in your compliance file system
  • Tagging episodes to policy numbers and risk areas
  • Version control
  • Localization using local leaders, not HQ dubbing

Done right, voice enhances governance. Done poorly, it creates unnecessary risk. The good news? A solid process solves that problem.

The Fastest Path to Launch: A Ready-Made Starter Kit

If you want to bring voice storytelling into your program quickly, here’s a simple template:

Series title: Choices We Make

Cadence: Weekly, two minutes

Structure:

  • Hook (10 sec)
  • Context (30 sec)
  • Dilemma (30 sec)
  • Decision (30 sec)
  • Outcome (20 sec)
  • Call to action (20 sec)

Three great starter topics for your first episodes:

  1. A conflict of interest dilemma
  2. A third-party red flag escalation
  3. A speak-up report that led to a positive safety change

This is the simplest, fastest, and lowest-cost compliance communication upgrade you can implement.

Closing Thoughts: The Future of Compliance Is Human

We talk endlessly about systems, controls, and technology, and all of those matter. However, at the end of the day, compliance remains a human discipline. It relies on trust, judgment, empathy, and courage. Written policies guide. Training informs. But if you want your workforce to act with integrity when no one is watching, they need to hear your voice when it matters. Now is the moment to step behind the microphone. Audio connects, but more importantly, voice connects.

Categories
Blog

Podcasting for Compliance Communications

If there is one truism from the practice of law that translates to the practice of compliance, it is that you are only limited by your own imagination. This holds in the 360-degree realm of communication in compliance, as communications obviously come in many forms. Many compliance practitioners well remember the 2012 Morgan Stanley declination. In this first declination made public, the DOJ recognized Morgan Stanley for emailing 35 compliance reminders to Garth Peterson over a seven-year period. Consider the power of 360-degree communications in the context of compliance reminders. Now imagine the power of short ethics and compliance video training clips being distributed over the same period and the effect it would have on both your employees and regulators.

Podcast Storytelling

Why not tell the story of the compliance program through a podcast? I call it podcast storytelling, and it can be a powerful tool. Each series runs five parts and constitutes one story arc, with episodes of about 10–15 minutes in length. The podcast-storytelling series can feature a variety of interviews led by a noted podcast host, such as the Voice of Compliance, by yourself as the CCO, or by other key individuals from your organization. It can be an interview with one or more people, or it can be a solo podcast.

While there would be a fully integrated storyline, each podcast and its accompanying text would be stand-alone compliance training and communications that anyone at your organization could use. The podcasts can be distributed both internally and through your organization’s social media channels. There is a wide range of podcast platforms available, including iTunes, Spotify, iHeartRadio, Google Podcasts, and Amazon. From each podcast, you can create multiple short audio clips or other social media materials with key quotes and lessons learned, packaged with the podcast cover art.

A series like this allows your organization not only to tell a story more effectively but also to reach a much larger audience than in any other format—live, audio-video, or in-person. Yet, there is another reason why you should consider this type of approach for compliance training and communications. It will provide you with the equivalent of market research and feedback. The number of listeners and downloads will provide a reliable source of data that you can use in other communications and training sessions.

Compliance Department Branded Podcasts

Want another option? How about a fully produced, branded podcast series for your internal compliance function? It could be two 25–30-minute episodes per month, with the guest selected by your compliance team. This format enables your corporate compliance function to tell the story of its greatest asset—its people—through interviews. Cannot get out of the country to travel? Still working remotely? Your branded podcasts offer a way to connect with your employees as we continue to navigate the aftermath of the COVID-19 pandemic. You can use the branded podcast to tell the story of compliance successes in your organization. You can also include other departments to share their accomplishments. As with the podcast storytelling series, it would be done collaboratively, working with your communications team.

Compliance News of the Day

Want to create concise and effective compliance communications? How about “Compliance News of the Day”? Run a daily curated news show featuring 3–4 compliance stories, each with a short summary and a note on its relevance to your organization from a compliance perspective. Make it fun so that your employees want to check in daily. When the DOJ comes knocking and asks how often you send out compliance communications, you can point to your Compliance News of the Day as a great starting point.

As a compliance practitioner, you should bring more storytelling into your compliance messaging, training, and communications. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their own lives. Such training and communication experiences will last much longer than if you drone on over a written policy or show a PowerPoint slide. Marc Havener has described this storytelling as “expanding your classroom.” Ronnie Feldman calls it bringing memorable storytelling to your compliance communications and training.

Since you are only limited by your imagination in addressing compliance, why not use some of that imagination to be creative in your compliance training and communications?

Using Podcasts to Improve Corporate Culture

One of the biggest benefits of podcasting is that it allows a compliance function to connect with its audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics.

Now, apply the same concepts of audience engagement internally to an organization. What do you have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Consider all the advantages podcasting already offers. Podcasting is one of the most intimate forms of communication, and this concept holds for a corporate compliance podcast.

A major U.S. consumer product company launched a podcast featuring corporate executives. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.

Categories
Daily Compliance News

Daily Compliance News: November 7, 2025, The Do $1tn Pay Packages Really Incentivize You Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • NBA Reports to Congress on Gambling Probe. (The Athletic)
  • Capula ex-CCO claims retaliation for whistleblowing in termination. (Bloomberg)
  • BaFin slaps a €45 million fine on JPMorgan. (FT)
  • Will Elon Musk really work harder for a $1 trillion pay package? (NYT)

The Daily Compliance News has been honored as No. 2 in the Best Regulatory Compliance Podcasts category.

Categories
Blog

Compliance and Building Resilient Boards

In today’s volatile world, the word “resilience” has become the boardroom’s rallying cry. From geopolitical risk to technological disruption, boards and C-suites are being asked to navigate what Deloitte calls a “multiverse” of parallel realities, balancing short-term shocks with long-term strategy. But board resilience is not just about surviving turbulence. It is about thriving through uncertainty. And that is where the corporate compliance function, often underestimated as a back-office monitor, can emerge as a strategic partner in building board-level resilience. This is the key message of a recent article in the Harvard Law School Forum on Corporate Governance, How Board and C-Suite Collaboration Can Build Organizational Resilience.

Effective collaboration between boards and executive teams strengthens organizational adaptability, foresight, and integrity. Resilience is not the absence of risk; rather, it is the ability to master a response. Today, we consider this article and mine it for lessons for compliance leaders seeking to help their boards become more resilient, responsive, and ready for the future.

1. Compliance as the Early-Warning System for the Board

The Deloitte survey highlights a growing reality: boards are increasingly overwhelmed by short-term risks, ranging from cyberattacks to economic volatility. They may overlook longer-term imperatives such as innovation and human capital development. Compliance professionals are uniquely positioned to serve as an early warning system for emerging risks. Through monitoring, testing, and continuous improvement, compliance provides data-driven insight into what is actually happening inside the business before it becomes a headline or regulatory crisis.

A resilient board depends on credible information flow. That means compliance must extend beyond reporting incidents to providing actionable intelligence. By translating risk data into actionable insight and identifying patterns in third-party due diligence, supply chain vulnerabilities, or employee reporting trends, the compliance function helps directors see around corners. As Gordon Nixon, chair of BCE Inc., put it, leadership today requires the ability to “synthesize complexity into decisive action.” Compliance gives boards the tools to do just that.

2. Turning Oversight Into Scenario Planning

According to Deloitte’s data, 86% of boards have increased their focus on risk monitoring and scenario planning, with 39% significantly stepping up their efforts. That is good news, but only if those exercises move beyond hypotheticals. This is where compliance can play a catalytic role. Scenario planning is most effective when it draws from real operational data, and no function gathers more cross-enterprise data than compliance. Every whistleblower report, transaction review, and training completion rate tells part of a story about how the organization will respond when tested.

A compliance leader should therefore help transform board discussions from abstract governance into strategic foresight. When boards examine potential crises, such as cyber breaches, sanctions violations, or ESG missteps, compliance can provide not just the risk but also the response map, including who is responsible, how escalation works, what past data reveals about reaction speed, and how remediation was measured.

3. Strengthening the Board–C-Suite Communication Loop

The Deloitte study finds that open, transparent communication between the board and CEO is the single most important factor in organizational resilience, cited by 66% of respondents. That transparency must extend beyond financial performance; it must include culture, ethics, and conduct. Compliance officers can serve as trusted interpreters between management and directors. Often, executives filter messages to the board, softening bad news or emphasizing short-term wins. A strong compliance function ensures that uncomfortable truths, emerging investigations, cultural risks, or weak control environments are brought to the board’s attention promptly and accurately.

Moreover, compliance officers can help foster “psychological safety,” a quality Deloitte found lacking on many boards. When executives and directors feel safe discussing failures and near misses, they can act more decisively and learn faster. Compliance teams, with their neutral and process-driven perspective, can facilitate those candid conversations.

4. Building the Skill Base for Resilient Oversight

One of the report’s most striking findings is a gap between board and C-suite perceptions of readiness. While 86% of directors believe they are providing the right support to management, only 73% of executives agree. The gap is even wider in terms of skill composition. Nearly half of C-suite respondents say boards lack the necessary expertise to guide them through today’s environment.

That is a call to action for compliance leaders. The modern compliance function serves as a knowledge hub, continuously monitoring global regulatory trends, AI governance frameworks, and emerging ESG risks. Boards can leverage this intelligence to refresh their own competencies. For example, compliance-led workshops on anti-corruption enforcement trends, cybersecurity reporting requirements, or AI ethics can help directors stay informed and prepared to challenge management with the right questions.

Sheila Murray, chair of Teck Resources, put it best: “If somebody’s coming to meetings and not participating, that’s on me. I’ve got to bring out the best in them.” Compliance can help by providing the content that sparks meaningful participation.

5. Embedding Agility and Integrity Into Board Culture

According to Deloitte, the most resilient organizations strike a balance between governance and agility. That’s easier said than done. Rigid board processes can impede responsiveness, while overly informal structures risk undermining accountability. Compliance can help build the right balance by institutionalizing agility without sacrificing integrity.

For instance, compliance can work with corporate secretaries to ensure that board minutes document not just decisions but also the rationale behind them. That strengthens the record for regulators and demonstrates that directors acted in good faith. Similarly, compliance can help shape board procedures to allow for rapid, ethics-aligned decisions in crisis conditions.

Roy Dunbar, an independent director at McKesson and Duke Energy, describes it this way: “What you want is to go deeper and ask more challenging questions around, ‘What are the threats? What are the opportunities? Where is growth going to come from?’” Those deeper questions about sustainability, AI, and ethical governance are exactly where compliance expertise can bring clarity.

From Reactive Oversight to Proactive Partnership

The Deloitte report concludes with a vision of co-creation between boards and management, transitioning from rigid oversight to a synergistic partnership. That’s also the next frontier for compliance. No longer confined to detection and discipline, the compliance function can become the architect of organizational resilience.

How? By helping boards connect the dots between ethics and performance. A resilient board is one that not only identifies risk but also ensures that values drive decision-making at every level. When compliance embeds those values into strategic planning, linking ethical conduct to innovation, transparency to investor trust, and governance to growth, the board’s resilience becomes systemic, not situational.

In a world where, as Anjali Bansal observed, “the level of uncertainty today is absolutely unprecedented,” resilience will depend less on predicting the next crisis and more on ensuring the integrity of the response. That is the mission compliance was born to serve.

What It Means for the Chief Compliance Officer

For the CCO, this moment represents both an invitation and a mandate. The board needs a partner who can translate regulatory language into strategic value and who can help bridge the trust gap between directors and management.

Here is how the CCO can deliver:

  1. Be the Board’s Barometer: Regularly update directors on the ethical health of the organization, including hotline data, investigation closure rates, and culture metrics, so that they can gauge the tone and trust across business units.
  2. Champion Cross-Functional Risk Alignment: Ensure that compliance, internal audit, and enterprise risk functions speak with one voice in board reporting. Fragmented risk narratives breed confusion, not confidence.
  3. Embed Compliance Into Resilience Planning: Collaborate with HR, IT, and finance to map how regulatory compliance underpins business continuity and crisis management.
  4. Educate for Anticipation, Not Reaction: Keep the board informed about emerging compliance trends, such as AI ethics, ESG reporting, or sanctions enforcement, so directors are prepared to govern the risks of tomorrow.
  5. Strengthen the Ethical Reflex: Make ethics an instinct, not an initiative, by integrating compliance into strategy discussions, M&A reviews, and innovation frameworks.

When the compliance function evolves from a rule enforcer to a resilience partner, it transforms board oversight from passive to proactive. It gives directors not just the confidence to govern but the courage to lead.

Categories
Blog

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, we examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

Regions’ board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

Categories
Blog

Who Is an Officer? The D&O Implications of an Evolving Compliance Title

If you are a Chief Compliance Officer (CCO), you have likely spent countless hours parsing language in policies, contracts, and regulations. Words matter, especially when those words define responsibility, liability, and protection. Few words in the D&O insurance world carry as much significance or ambiguity as officer.

In a recent D&O Diary guest post, John Orr, D&O Liability Product Leader for Willis FINEX North America, tackled a deceptively simple question: Who qualifies as an “officer” under a directors and officers (D&O) insurance policy? His analysis extends beyond an insurance issue. As organizations evolve, titles proliferate, and regulatory exposure expands, the boundaries of who counts as an “officer” and thus who bears personal risk are blurring.

In today’s compliance landscape, the CCO cannot afford to let that ambiguity go unexamined. Because, as Orr notes, “titles no longer define exposure; functions do.” And that statement carries profound implications for how we manage risk, structure accountability, and design compliance frameworks in the era of AI, ESG, and cybersecurity. It also puts CCOs directly in the line of fire for shareholder litigation based upon a Caremark claim, which was expanded to include officers in the In re McDonald’s Corporation Stockholder Derivative Litigation case.

Today, we explore five key lessons compliance officers should take away from this discussion.

1. The Old Definition No Longer Fits the New Enterprise

For decades, D&O insurance policies defined “officer” narrowly: those “duly elected or appointed” under corporate bylaws, which typically included the CEO, CFO, COO, and General Counsel. That made sense when corporate structures were simple and hierarchies clear.

But those days are gone. Modern organizations are matrixed, decentralized, and global. Entire risk domains, such as cybersecurity, compliance, sustainability, and AI governance, now have leaders whose decisions can expose the company to significant regulatory, reputational, or legal peril. Orr points out that after the SEC charged the CISO of SolarWinds in 2023, companies began asking a new question: Is my CISO actually covered under our D&O policy?

That question should not just keep risk managers up at night. It should jolt every compliance leader. Because if your peers in cybersecurity, privacy, or ESG can face personal liability for organizational failures, and if their roles fall outside traditional definitions of “officer,” then your compliance architecture is incomplete.

2. Titles Cannot Shield You from Risk, and They Should Not Define Protection

Orr rightly criticizes what he calls the “legacy efforts at deliberate ambiguity” in defining who counts as an officer. Historically, this ambiguity offered flexibility to insurers and policyholders. But now it provides uncertainty; if your coverage depends on whether someone’s title happens to include “officer,” you are one reorganization away from being uninsured.

For compliance professionals, this echoes a familiar theme: form versus substance. Regulators, from the DOJ to the SEC, are increasingly looking beyond the organizational chart to assess who truly exercises authority and control. The same principle should apply internally when defining who merits D&O coverage or corporate indemnification in civil litigation.

If a CISO, Chief People Officer, or Head of AI Governance makes risk-laden decisions equivalent in impact to those of a CFO, should they not receive equivalent protection? Orr argues for a shift from title-based to function-based definitions, a position entirely consistent with modern compliance thinking. Accountability should flow from influence, not nomenclature.

3. Endorsements Are Band-Aids, Not Blueprints

As ambiguity around “officer” status has grown, companies have sought quick fixes, such as endorsements listing specific titles or individuals to be covered under D&O policies. Orr concedes that while these endorsements “address the need,” they are not scalable or sustainable. Compliance officers should recognize the analogy to policy exceptions and one-off approvals. Every time you bolt on an endorsement, you introduce friction, inconsistency, and the potential for oversight. It’s a reactive, not proactive, form of risk management.

Endorsements also fail the foresight test. They require organizations to predict which roles might become legally exposed next year, a nearly impossible task in a fast-evolving regulatory landscape. Who foresaw five years ago that ESG directors or AI governance leads would be in the crosshairs of regulators? For compliance, the takeaway is clear: tactical fixes can’t substitute for structural reform. Instead of adding endorsements to patch the definition, align the policy’s logic with the company’s real-world indemnification practices, a concept Orr calls using indemnification as the “North Star.”

4. Indemnification Is the True Test of Officer Status

Orr’s most compelling insight is his proposed “indemnification-based” solution. Under this model, anyone whom the company indemnifies or would have indemnified but for insolvency or other barriers qualifies as an officer under the D&O policy.

This approach elegantly ties together governance, insurance, and compliance. It shifts the focus from job titles to actual corporate behavior: if your organization considers someone important enough to indemnify for their decisions, they are important enough to insure. It also harmonizes coverage with reality, reducing uncertainty during a claim and ensuring consistency across corporate structures.

From a compliance standpoint, this is a governance revolution. It aligns with what the DOJ has repeatedly emphasized in its most recent Evaluation of Corporate Compliance Programs (2024 Ed.): policies must reflect “the actual day-to-day functioning” of the organization, not theoretical constructs. Indemnification as a coverage anchor reflects the compliance principle that responsibility should align with decision-making authority. If someone makes risk-bearing decisions, your compliance and D&O frameworks should converge to support and monitor that role.

5. Modern Risk Requires Modern Coverage and Modern Collaboration

The concluding insight from Orr’s piece should resonate deeply with every compliance officer: “This is not about expanding coverage. It’s about modernizing coverage to address the way companies operate today.”

That statement could serve as the mission of compliance itself. As emerging technologies and global expectations reshape the corporate landscape, the boundaries of responsibility shift daily. AI, ESG reporting, data ethics, and cybersecurity aren’t just technical or operational concerns; instead, they are compliance risks with individual accountability attached.

If your D&O policy does not reflect those realities, neither does your compliance program. The modern CCO must therefore work closely with risk management, finance, and HR to ensure alignment between the forms of protection (insurance, indemnification) and the functions of oversight (compliance, ethics, governance). The article also hints at an opportunity for insurers: innovation. Just as compliance leaders must find new ways to embed ethical decision-making, insurers must design products that reflect the fluid nature of modern corporate risk. Both fields, compliance and D&O, are being asked the same fundamental question: Are you structured for yesterday’s risks or tomorrow’s realities?

What It Means for the Chief Compliance Officer

For the CCO, this discussion is not simply an academic exercise. The question “Who is an officer?” is really a question about who bears the moral and legal weight of corporate decision-making. As compliance matures into a strategic function, the CCO’s role increasingly resembles that of the “modern officer,” as Orr describes it: not just a gatekeeper, but a guardian of integrity, transparency, and accountability.

Here’s what that means in practice:

  • Map functional authority. Identify which roles across your enterprise carry significant compliance or legal exposure, regardless of title.
  • Engage with risk management. Ensure your D&O policy reflects the true landscape of decision-making authority.
  • Revisit indemnification practices. Advocate for parity between those granted indemnity and those exposed to regulatory risk.
  • Educate the C-suite and Board. Clarify that modern risk is horizontal, not vertical, and coverage must follow function, not hierarchy.
  • Champion continuous evolution. Compliance, like D&O coverage, must adapt as corporate structures evolve. Stasis is not a strategy.

Ultimately, the compliance function exists to ensure that individuals are accountable for their actions and protected for acting in good faith. That dual mandate, accountability and protection, lies at the heart of Orr’s argument and at the soul of every effective compliance program.

Compliance is not about saying no; it is about creating the conditions where doing the right thing is easy. In this context, that means ensuring your organization’s structure, policies, and insurance mechanisms make ethical leadership a safe and supported choice. The term “officer” may seem like a semantic detail, but as John Orr reminds us, it reflects how corporations define responsibility in an era of constant change. For compliance professionals, the challenge and the opportunity are to make sure that the mirror reflects reality.


Categories
From the Editor's Desk

From the Editor’s Desk: Compliance Week’s Insights and Reflections for October and into November 2025

In this episode of the ‘From The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. Tom and Aaron discuss the top stories from Compliance Week in October, look at some stories that will appear in November, and provide a preview of upcoming content and events.

They discuss the insights from a case study on Lafarge’s anti-bribery issues linked to cartels and terrorist organizations, as well as challenges in business due diligence in high-risk areas. The episode also covers recent trends around DOJ compliance monitorship under different administrations, insights into Foreign Corrupt Practices Act (FCPA) enforcement, and evolving compliance issues related to artificial intelligence (AI). Finally, they highlight upcoming Compliance Week initiatives and webinars, focusing on career pathways in compliance, the importance of due diligence in high-risk environments, and the practical applications of AI in the compliance field.

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Upping Your Game

Upping Your Game: Episode 9 – Leveraging Chatbots for Enhanced Compliance Efficiency

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs going forward. Hui Chen challenged compliance professionals with the statement, “It’s time to up your game.”

This podcast series, sponsored by Ethico and co-hosted with Ethico co-CEO Nick Gallo, hopes to meet Hui Chen’s challenge. We will discuss how compliance professionals can ‘Up Their Game’ by utilizing currently existing Generative AI (GenAI) tools to significantly improve their compliance programs. As compliance professionals, it is critical to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

In this episode, Tom and Nick discuss the rising use of chatbots in corporate compliance programs. They explore how chatbots can serve as a powerful tool for addressing policies, procedures, and FAQs, thereby increasing efficiency and reducing the burden on compliance departments. The conversation explores the benefits of chatbots, including improved data collection, enhanced consistency, and democratized access to information. They also discuss practical strategies for implementing chatbots, including focusing on specific use cases, maintaining human oversight, rigorous testing, and continuous improvement. Real-world examples from both large corporations and smaller entities illustrate the practical applications and significant advantages of adopting chatbot technology in compliance operations.

Key highlights:

  • Implementing Chatbots for Internal Use
  • Benefits and Challenges of Chatbots
  • Building Effective Chatbots
  • Meeting Employees Where They Are
  • Ethico’s Approach to Chatbots

Resources:

Upping Your Game-How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico

Tom Fox

Instagram

Facebook

YouTube