Category: Compliance Tip of the Day

Compliance Tip of the Day – Why Compliance Professionals Should Not Overlook Board Oversight

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with concise, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this 5-part series, we will consider several questions about compliance officers working with or on the Board. Today, we begin with a look at why compliance officers need to embrace Board Oversight.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Category: Blog

Culture, Controls, and Consequences: Why Compliance Should Address Abuse Before It Escalates

When we discuss “fraud, waste, and abuse” in the corporate compliance world, fraud often takes center stage. Fraud is the deliberate deception of knowingly submitting false information for personal or corporate gain. Waste is easier to define: the careless or inefficient use of resources. But abuse? Abuse sits in that murky middle ground. It may not rise to the level of criminal fraud. Still, it represents conduct that undermines the ethical framework of the organization and erodes trust in systems designed to manage risk.

In many ways, abuse is the most insidious of the three. It thrives in the shadows, often justified by employees as “harmless” or “making up for what the company owes me.” Yet left unchecked, abuse not only costs organizations real money but also paves the way for outright fraud. One of the clearest examples of abuse today lies in employee expense reimbursement, a process now under siege by the rise of AI-generated fake receipts.

Today, we continue our week-long exploration of the role of the Chief Compliance Officer (CCO) and the corporate compliance function in fighting fraud, waste, and abuse. We explore what abuse means, how expense reimbursement schemes illustrate the problem, why weak controls allow abuse to metastasize into fraud, and what compliance professionals can do to address it. We use a real-world example of AI being used to create fraudulent expense reimbursements to demonstrate how the task has become more difficult and why a corporate compliance function must be even more vigilant.

Defining Abuse in the Compliance Framework

Abuse is often defined as the use of authority, processes, or resources in a manner that is inconsistent with accepted business practices, resulting in unnecessary costs or unfair advantages. Unlike fraud, abuse does not always involve intent to deceive. Instead, it often reflects opportunistic behavior, such as stretching policies to personal advantage, exploiting loopholes, or rationalizing misconduct.

In the context of compliance, abuse is the “gateway drug” to fraud. An employee who casually exploits the expense system, rounding up mileage, submitting duplicate claims, or fabricating receipts for lost expenses, may start with small infractions. But over time, the lack of consequences emboldens greater misconduct.

One only needs to look back at the sordid story of GSK in China to recall that employee expense reimbursement can lead to catastrophic consequences for an organization.

Expense Reimbursement Abuse: The AI-Receipt Problem

As the New York Times (NYT) recently reported, employees are increasingly turning to generative AI tools to create realistic fake receipts. This is abuse in action. It often begins innocently enough: an employee loses a legitimate receipt and turns to an AI chatbot to recreate it. They may even rationalize the act as necessary to be reimbursed for actual money spent.

But the abuse does not stop there. Once the employee realizes the system can be gamed and that compliance or finance fails to detect the fraud, they repeat the behavior. In one case, an employee submitted AI-generated receipts for hotels and airfare in Bangkok, despite never traveling there.

The ACFE, in its most recent Report to the Nations, confirms the scale of the issue:

  • 13% of occupational fraud cases involve inflated or invented expenses.
  • Median loss per case: $50,000.
  • 30% of fraudulent receipts detected by one major auditing tool are now AI-generated.

What makes this a prime example of abuse is not just the false documentation. It is the culture of permissiveness that allows employees to cross the line between mistake, abuse, and eventually fraud.

How Lack of Controls Fuels Greater Fraud

The absence of strong internal controls around expense reimbursement is fertile ground for abuse. Companies that rely on manual review or outdated systems may not be equipped to detect sophisticated fakes. AI has supercharged this risk. Where once an employee might need Photoshop skills to doctor a receipt, now anyone with a chatbot can generate a convincing fake in seconds.

Weak controls create three distinct risks for compliance:

1. Normalization of Misconduct

Employees who “get away” with small abuses normalize this behavior, eroding ethical culture. “Everyone does it” becomes the rallying cry.

2. Escalation to Fraud

Abuse begets fraud. What begins as recreating a lost taxi receipt morphs into fabricating entire trips, complete with hotels, meals, and airfare never taken.

3. Regulatory and Legal Exposure

Inflated or fabricated expense claims, especially involving government contracts or international operations, can trigger False Claims Act liability, FCPA scrutiny, or other regulatory action.

Ultimately, compliance officers should view expense reimbursement abuse as more than an administrative nuisance. It is a leading indicator of deeper cultural weakness and a flashing red light for greater fraud risk.

Building a Compliance Response

How should compliance professionals address abuse in expense reimbursement systems? Three principles stand out:

  • Leverage Data and Technology: Just as employees use AI to fabricate receipts, compliance teams must deploy AI to detect them. Expense auditing platforms now compare metadata, font spacing, and behavioral patterns to identify suspicious submissions.
  • Strengthen Policy and Training: Clear guidance is essential. Employees should know that even “recreating” a lost receipt is prohibited, and repeated violations will trigger disciplinary action. Training should emphasize that abuse is not a victimless act; it drains resources and undermines trust.
  • Promote a Speak-Up Culture: Abuse thrives in silence. Anonymous hotlines, visible accountability, and consistent follow-through on reports send the message that integrity matters.

Five Key Takeaways for Compliance Professionals

1. Abuse Is the Gateway to Fraud

Abuse often sits in the gray space between negligence and intentional misconduct. An employee may rationalize using a fake receipt as a harmless way to recover legitimate expenses, but once this behavior is accepted, it erodes the organization’s integrity. Abuse teaches employees that rules can be bent without consequence. Over time, this rationalization escalates, leading to outright fraud. Compliance professionals must recognize abuse not as minor misconduct but as the earliest sign of a deeper cultural problem. Treating abuse seriously, through policy, training, and accountability, prevents small acts of dishonesty from snowballing into systemic fraud that damages the enterprise.

2. Expense Reimbursement Abuse Is Rising

Expense abuse has always been a problem, but the introduction of generative AI has made it easier and more scalable. Employees no longer need technical expertise in Photoshop to fabricate documents. Today, they can generate convincing receipts in seconds, often indistinguishable to the human eye. Cases of employees submitting AI-generated receipts for trips never taken highlight just how quickly this abuse can escalate. For compliance teams, this shift means that traditional manual review is no longer enough. Organizations must anticipate that abuse in expense systems is increasing both in volume and sophistication, and they must respond accordingly.

3. Weak Controls Enable Misconduct

Compliance professionals recognize that robust internal controls are the foundation of effective fraud prevention. When expense systems lack proper oversight, they create opportunities for abuse to thrive. Employees quickly learn where controls are lax, whether through inconsistent auditing, inadequate documentation requirements, or poor segregation of duties. Without strong controls, small abuses go unchecked, and employees feel emboldened to escalate their misconduct. Worse still, regulators may interpret weak controls as evidence of willful blindness or negligence, thereby exposing companies to additional liability. Compliance officers must ensure expense reimbursement processes are fortified with modern controls that prevent, detect, and remediate abuse at every level.

4. Technology Must Match the Threat

The same tools employees use to commit expense abuse can be harnessed by compliance to stop it. AI-generated receipts may look convincing, but advanced auditing tools can detect subtle inconsistencies in formatting, metadata, and behavioral patterns. Expense management platforms now deploy machine learning to flag unusual submissions, such as repeating server names or meals in fabricated restaurant receipts. Compliance professionals must advocate for investment in these technologies to stay ahead of evolving threats. Without matching technology to the risk, organizations remain vulnerable. Ultimately, AI must be part of the compliance toolbox to counteract the AI-enabled abuse already occurring.

5. Culture Is the Ultimate Control

No amount of technology or policy will succeed without a culture that values accountability. Abuse thrives in environments where misconduct is ignored, rationalized, or dismissed as “just the cost of doing business.” By contrast, cultures where leadership models ethical behavior, encourages reporting, and rewards integrity create natural barriers to abuse. Compliance must work hand in hand with leadership to embed accountability into daily operations. When employees see that even small abuses are addressed, they understand the seriousness of compliance expectations. A healthy culture sends the clearest message: abuse will not be tolerated, and integrity is non-negotiable.

Abuse Is Fraud’s Precursor

Fraud, waste, and abuse are often discussed as a package, but compliance professionals must pay special attention to abuse. It is the gray zone where rationalizations take root, where misconduct begins small, and where organizational culture is tested. Expense reimbursement systems offer a cautionary tale: without proper controls and accountability, abuse can quickly evolve into systemic fraud.

Compliance officers who ignore abuse risk far more than inflated receipts. They risk cultivating an environment that fosters fraud. The lesson is clear: treat abuse as seriously as fraud, because in practice, one leads inexorably to the other.

Category: Blog

Agentic AI, Data Discipline, and Cross-Functional Governance: Compliance Insights for the Modern Era

As compliance professionals, we often inherit the boundaries that IT, Legal, and Security established long before we arrived. But what happens when those lines are out of date? I recently had a far-ranging conversation with cybersecurity author and educator Robert Meyers, who has spent more than three decades transitioning from “plain IT” to a world where cybersecurity and privacy have become distinct, high-impact disciplines. He explains why the old map no longer matches the terrain. Meyers’ vantage point spans early dial-up remote access fiascos, modern breach response, philosophical differences between U.S. and EU privacy regimes, and the tidal shift that agentic AI is bringing to accountability and data governance.

This blog post distills that conversation for a corporate compliance audience, focusing on practical, board-relevant governance and the day-to-day tactics that make privacy and security work together before, during, and after incidents.

From “IT Does Everything” to “Risk, Roles, and Accountability”

Meyers started in an era when “cybersecurity” did not exist. There was just “IT,” and everyone did everything. That lack of specialization produced preventable harm: misconfigured remote access where a “guest” credential quietly had admin rights, cavalier attitudes toward email and user surveillance (remember when “I read your email” bumper stickers were a thing?), and a culture that treated privacy as a corporate secrecy issue rather than a people-protection mandate. The lesson for compliance? Risk thrives in ambiguity. When roles and ownership are unclear and authority is not defined, controls are merely a facade.

Meyers contrasts the U.S. and EU not as a law-versus-law comparison, but as a philosophical split. In Europe, privacy is government-centric and procedurally channeled through regulators; in the U.S., it is more individual-centric and notification-driven. California’s rules can even exceed the practical strictness of the GDPR in certain respects. For compliance leaders, that means your privacy posture must be designed around intent (i.e., who is protected), governance (i.e., who decides), and operational execution (i.e., who does the work), not just a citation list.

Data Has a Life Cycle—Treat It That Way

One of Meyers’ most pointed critiques is that organizations hoard data without a purpose or end-of-life discipline. If you keep 30 years of email, do not be surprised when eDiscovery asks for all 30. The habit of “keep it all, we might need it” is the enemy of proportional risk. Compliance should drive a business-backed data minimization program with explicit retention schedules tied to legal, operational, and risk rationales and then audit for enforcement. If the business cannot articulate why it needs a dataset today and in the future, that data is a liability, not an asset.

Fix the Operating Model: Privacy Is Not a Side Gig for Security

Meyers has observed the same misalignment play out repeatedly: privacy responsibility is often assigned to Legal or Compliance, but Cybersecurity typically handles the work and the associated expectations. CISOs are asked to “own” controls for which they lack budgetary authority or policy ownership. Legal “owns” privacy on paper, but it is not integrated into cyber operations. Meyers is clear that the cure is governance, not heroics: establish a cross-functional steering committee (including Legal, Security, Compliance, IT Ops, and the business) with clear charters, shared KPIs, and defined decision rights. Diversity matters here; mix senior leaders with younger employees and varied backgrounds to avoid blind spots. The first agenda item of that committee should be ruthless purpose-alignment: “Why do we have this data? Do we still need it?”

Put Risks on One Page—and Make It Everyone’s Page

While cybersecurity tooling is often automated and technical, Meyers recommends one deceptively simple instrument to unite the disciplines: a shared risk register. GRC teams already live in this world. You should bring Security into it and treat security events, control weaknesses, and privacy exposures as entries that share owners, mitigations, and review cadences. If the CISO, Chief Compliance Officer, and General Counsel are not reading, updating, and arguing over the same risk register, you do not have a single source of truth or a shared sense of urgency.

Breach Reality: Precision Beats Blanket Notification

“Assume breach” is not fatalism; it is a sign of professional maturity. Meyers highlights the emergence of data security posture management (DSPM) solutions that not only identify exposures but also determine who actually owns the data that was accessed. That allows for targeted notifications — “these 15 people, not 500,000 customers” — and saves both real money and reputation. For the compliance function, the key point is proportionality: your incident playbook should pair legal thresholds with data lineage and ownership maps, ensuring a fast, accurate, and respectful response to individuals.

Agentic AI: Accountability Without a Face

Agentic AI changes the rules. Agents act without asking, talk to other agents, and traverse systems and data at machine speed. They also obscure accountability because the human “operator” may interact with one agent while three others are making consequential decisions out of view. This breaks the legacy consent and audit paradigms, demanding new guardrails: identity and authorization that can follow agents, granular logging of agent-to-agent interactions, and data lineage that respects privacy scopes. From a compliance lens, agentic AI requires you to rewrite playbooks on consent, purpose limitation, and lawful processing, before deployment, not after the first mishap.

Storytelling: The Culture Carrier for Security and Privacy

Meyers’ long connection to San Diego Comic-Con may seem far removed from cybersecurity. Yet a cybersecurity team will often finally “get it” when you swap a nameless attacker for “Lex Luthor” in a tabletop exercise. That is not playing to pop culture; rather, it is cultural engineering. Humans adopt guardrails that they emotionally understand. If your privacy training or AI oversight policy can be told as a story, with villains, flawed heroes, and a clear “why,” you improve retention, reduce resistance, and create connective tissue across silos. Compliance is, at its core, applied storytelling backed by controls.

Robert Meyers traces the evolution from undifferentiated IT to today’s specialized privacy and cybersecurity disciplines, emphasizing how poor role clarity and indiscriminate data retention have caused preventable harm for decades. He frames the U.S.–EU divide as a philosophical one, individual-centric versus regulator-centric, while urging companies to stop treating privacy as a side project for Security when Legal nominally “owns” it. The solution involves a cross-functional steering committee, a shared risk register, and purpose-driven data lifecycle governance.

Meyers underscores “assume breach” realism and highlights new DSPM tooling that enables precise, owner-level breach notification instead of blanket, costly responses. Looking ahead, agentic AI creates accountability gaps as autonomous agents act and collaborate out of human view, demanding fresh guardrails for identity, consent, lineage, and logging. Finally, Meyers champions storytelling (yes, even Comic-Con-style narratives) to make security and privacy relatable, and advocates for cross-training, with privacy professionals learning security and vice versa, so organizations can speak a single operational language from the boardroom to the SOC.

Category: Great Women in Compliance

Great Women in Compliance – Catching Up with the OG GWIC with Mary Shirley

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insight and a part of the Compliance Podcast Network. My guest today isn’t really a guest; she’s so much more. She is an architect of GWIC, my first partner in compliance, and my first compliance friend, who remains a dear friend to this day. She coined the phrase “Send the Elevator Back Down,” taught me about tall poppy syndrome, and I am still using her cheat codes. Of course, it’s Mary Shirley!

Mary, can you update everyone on all the cool things that have been happening since you became, as we call it, #GWICemerita?

As a global compliance leader who has lived in several countries and now three very different states in the US, what do you see as the principles of a “culture of integrity” that apply to any business, regardless of geography or industry?

  • While there have been changes in US laws, particularly the FCPA, and newer laws in the EU and the UK, among others, are you seeing any shifts in how to define – or communicate – a culture of integrity?
  • You have compiled a list of questions for job seekers to ask about the terms of compliance programs and a culture of integrity. What do you think is the most revealing one and why?
    • Mine is “Can I talk to my predecessor?”

I look forward to seeing you very soon at SCCE CEI. You and Matt Kelly are presenting “AI Governance for N00bs: A Beginner’s Guide for the Non-Tech Compliance Practitioner” on Sunday to kick off the event.

  • What do you see as the biggest opportunities for compliance professionals to use AI and machine learning?
  • What challenges do you see for integrating AI and machine learning into their compliance program, and how should we approach it?
  • What about the algorithmic bias?
  • It seems like ethics and compliance are being welcomed as “partners” at the AI governance table. What do you think is the most significant reason for this shift, and what can a compliance professional do to ensure they maintain that strategic seat at the table?

When you think about the first 200 episodes, do you have a specific non-substantive, non-podcast memory that sticks out to you? Besides the origin story – which I still tell!

Category: Blog

The Sound of Compliance: Using Branded Podcasts to Build Culture and Trust

One of the greatest challenges in corporate compliance is not merely writing policies, conducting investigations, or designing training, but effectively implementing these measures. The real challenge is communication: that is, finding ways to connect compliance messages with employees in a way that resonates, sticks, and inspires action (i.e., engaging and targeted). For years, compliance officers have experimented with email newsletters, intranet portals, and short training videos. These have their place, but the question remains: how do you make compliance messages memorable?

Enter branded podcasts. While businesses often view podcasts as marketing tools, they represent an underutilized resource for compliance professionals. Branded podcasts combine the power of long-form storytelling, intimacy, and authenticity. They don’t just tell employees what the rules are; they let compliance leaders engage directly with their workforce in ways that build trust and credibility.

Consider how branded podcast strategies, borrowed from the marketing world, can be integrated into your compliance communications toolkit.

Why Branded Podcasts Work for Compliance

Marketing research shows that branded podcasts can:

  • Lift brand awareness by 89%
  • Improve brand favorability by 61%
  • Increase brand consideration by 57%
  • Drive purchase intent by 14%

Now, translate those metrics into the compliance world. Awareness means employees are aware of the Code of Conduct’s existence. Favorability equals trust in the compliance function. Consideration equals employees being willing to pick up the phone and ask a question. Purchase intent equals employees actually following the guidance you’ve laid out.

Podcasts offer compliance officers something that other tools rarely do: extended attention from an audience. Employees may skim an email or fast-forward through a training video, but a podcast, whether listened to on a commute, while exercising, or during lunch, creates space for employees to truly hear the compliance message.

Strategy 1: Control the Narrative

Compliance often struggles with being framed as the “Department of No.” Podcasts flip that narrative by letting compliance officers control the storytelling. Imagine a compliance podcast series titled Decisions That Matter. Each episode could feature leaders across the organization discussing how they navigated ethical dilemmas, or employees telling stories about how compliance policies guided their work. This does not simply reinforce policy; it makes compliance part of the corporate identity.

Owning the narrative also means controlling distribution. Just like marketers, compliance teams can utilize multiple channels, including internal podcast feeds, company intranets, email blasts, and even short video clips posted on collaboration tools like Microsoft Teams or Slack.

Strategy 2: Leverage the Intimacy of Audio

There’s a reason people often describe listening to their favorite podcasts as “hanging out with smart, funny friends.” That sense of closeness and familiarity is one of audio’s greatest strengths—and one compliance officers can harness. Unlike fleeting interactions with TV spots, email blasts, or even in-person announcements, podcasts hold an audience’s attention for extended periods. This creates a deeper, more personal connection between compliance and employees.

The BBC’s Audio Activated Study (2019) demonstrated this effect, showing that branded podcasts build uniquely strong engagement and trust. For compliance professionals, the implications are significant: podcasts enable you to move beyond transactional reminders of policy and instead foster authentic conversations about values, ethics, and decision-making.

Consider this: while an employee may forget the details of an email announcing a new anti-retaliation policy, if they hear the Chief Compliance Officer (CCO) discussing real-world examples in a conversational podcast format, they are far more likely to remember and internalize the message. Podcasts enable compliance leaders to “enter the room” with employees in a trusted, low-pressure manner, one that builds credibility and reinforces the culture of compliance over time.

Strategy 3: Use the Right Voices to Build Authenticity

Compliance communication is often top-down, but podcasts allow you to broaden the voices employees hear. A charismatic host, whether it is the compliance officer themselves or a skilled internal communicator, can create an authentic connection.

Guests matter too. Bring in diverse voices, such as regional managers, data privacy specialists, whistleblower program champions, or outside experts. Each guest not only injects energy but also shows that compliance is a broad, collaborative effort. The key to all this is authenticity. Employees are far more likely to engage with compliance messaging if they perceive it as genuine, rather than scripted.

Strategy 4: Make Compliance Entertaining

You may not think the phrase “compliance podcast” naturally screams entertainment, but I can assure you, it does. If employees do not enjoy listening, they will not return.

Think about different formats:

  • Narratives: Tell true stories of corporate scandals (Bre-X, Enron, or Theranos) and extract compliance lessons.
  • Deep Dives: Break down a single risk topic like sanctions, data privacy, or conflicts of interest in an accessible, story-driven way.
  • Interviews: Feature executives discussing how compliance enables them to lead effectively.

Entertainment does not mean fluff. It means packaging compliance in a way that keeps employees engaged long enough to absorb the lesson. When employees enjoy compliance content, they will not simply listen once; they come back and recommend it to colleagues.

Strategy 5: Promotion and Distribution

Even the best compliance podcast fails if no one listens. That’s why promotion is critical. Here’s where compliance can borrow from marketing:

  • Internal channels: Feature podcast links in company newsletters, Slack channels, or employee portals.
  • Cross-promotion: Play snippets during training modules or town halls.
  • Teasers: Create short audio or video trailers to spark interest.
  • Executive sponsorship: Ask senior leaders to endorse the podcast in their communications and social media posts.

The lesson from marketing is clear: consistent, multi-channel promotion builds an audience. For compliance, that means embedding your podcast into the rhythm of corporate communications.

Strategy 6: Measure the Impact

Marketers measure branded podcast success in downloads and brand lift. Compliance officers should measure the impact on awareness and behavior.

Metrics could include:

  • Number of downloads or streams
  • Average listening time (are employees finishing episodes?)
  • Employee surveys on awareness and trust in compliance
  • Increases in questions to the hotline or requests for compliance guidance

If you can show that podcast listeners are more likely to engage with compliance programs, you have proven the value, and that proof elevates compliance into a strategic communications leader.

Case Study Inspiration

Consider the success of Century 21 Real Estate’s branded podcast The Relentless. Rather than simply promoting properties or agents, the series focused on the broader themes of persistence, innovation, and personal growth. These are the very qualities that drive success in the competitive world of real estate. Each episode highlighted stories of entrepreneurs, industry leaders, and business visionaries who embodied the “relentless” mindset that Century 21 sought to represent.

The strategy worked. Over the course of three seasons, The Relentless not only amplified Century 21’s brand identity but also resonated deeply with its audience, ultimately placing the show in the top 1% of all podcasts with more than 1.5 million downloads.

Now translate that model into compliance communications. Imagine a compliance podcast that tells compelling stories of ethical leadership, employee resilience in the face of ethical dilemmas, or how teams have navigated complex regulatory challenges. Instead of compliance being framed as rules and restrictions, it becomes a series of stories about persistence, integrity, and doing the right thing under pressure.

If a compliance function could achieve even a fraction of The Relentless’s engagement, it would no longer be seen as the department of “no,” but rather as a trusted, sought-after source of inspiration and guidance for the workforce.

Conclusion

Branded podcasts are not just for marketing departments. For compliance professionals, they represent an untapped frontier in employee engagement.

By controlling the narrative, leveraging the intimacy of audio, building authenticity through diverse voices, making compliance entertaining, promoting aggressively, and measuring outcomes, compliance officers can transform the way they communicate.

In a world where regulators emphasize culture, communication, and engagement, podcasts may be one of the most effective tools available for achieving these goals. The time has come for compliance leaders to borrow a page from the marketing playbook and make branded podcasts a cornerstone of their communication strategy.

Because at the end of the day, compliance is not simply about rules on paper. Instead, it is about conversations. And podcasts give compliance a voice.

Category: Great Women in Compliance

Great Women in Compliance – Navigating Risk, Culture, and Compliance with Teri Cotton Santos

✨ New Episode Alert! ✨

On this special episode of #GWIC, guest host Ellen Hunt talks with the incredible Teri Cotton Santos, Chief Compliance Officer at Phillips 66.

Teri shares her inspiring journey—from serving as General Counsel in Asia at Eli Lilly to leading compliance at HF Sinclair, and now shaping the culture of ethics and compliance at Phillips 66.

🔑 Key takeaways from this conversation:

  • Why trust is the foundation of every effective compliance program
  • How to integrate risk, ethics, and strategy to create impact
  • Lessons in resilience and resourcefulness when leading with limited resources
  • Building compliance programs that are truly fit-for-purpose and built to scale
  • The growing importance of data, technology, and behavioral science in compliance work

Teri also reflects on #leadership, #mentorship, and the power of community in the compliance profession.

🎧 Tune in for an honest, thoughtful, and inspiring discussion about leading with purpose and integrity in today’s evolving regulatory environment.

🔗 Sponsored by Corporate Compliance Insights

#Compliance #Leadership #WomenInCompliance #GreatWomenInCompliance #Ethics #Trust

Categories
Compliance Tip of the Day

Compliance Tip of the Day – How a CFO Views Compliance and Risk

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we conclude our multipart look at thinking through the ROI of your compliance program by considering how a CFO might well view compliance.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Investment Strategies for Compliance


Today, we discuss the key investment strategies for a CCO to use when presenting to a CFO.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.

Categories
Blog

Top 10 Prompts for Improving Tone at the Top

Today, we continue our series on the top 10 prompts compliance professionals can use to improve their compliance program, focusing on the Top 10 Prompts for Compliance Professionals on “Tone at the Top,” each followed by a detailed explanation of its critical importance. Each prompt should begin with a description of who the author is, who the audience is, and information on your organization, something like: “You are a Chief Compliance Officer for a company in the energy industry. You want a list of things your senior executives can do to help improve your compliance program, based on their list and one or more of the specific prompts below.”

1. “What strategies can senior leadership use to effectively set and communicate a strong ethical tone?”

Explanation:

The “Tone at the Top” is foundational to an effective compliance program, reflecting the ethical values and integrity promoted by an organization’s leadership. This prompt helps compliance professionals outline actionable strategies for senior leaders, including clear messaging, personal accountability, regular ethical communication, and visible actions demonstrating integrity. Such methods ensure employees clearly understand and trust leadership’s ethical commitments. Regulators, especially the DOJ, frequently assess the authenticity of the leadership’s tone as a key indicator of an effective compliance program. Robust leadership strategies help embed compliance deeply into organizational culture, ensuring long-term adherence to ethical standards.

2. “Draft a communication from the CEO emphasizing the organization’s commitment to compliance and ethics.”

Explanation:

Direct and clear communication from the CEO significantly impacts employees’ perception of compliance as a core corporate value. This prompt allows compliance professionals to draft powerful, meaningful messages that reflect a genuine commitment from leadership. Such communications affirm the organization’s ethical stance, reinforce expectations, and provide reassurance that ethical concerns will be addressed seriously. Regulators often view direct communications from top executives as strong evidence of organizational commitment, making this prompt critical for maintaining credibility with employees and regulatory bodies alike.

3. “Explain best practices for integrating the tone at the top into compliance training programs.”

Explanation:

Effective compliance training programs must align closely with the ethical tone set by senior management. This prompt guides compliance professionals in developing training content that incorporates clear messages from leadership, examples of ethical decision-making by executives, and practical scenarios reflecting top-level expectations. Integrating the “Tone at the Top” into training underscores the authenticity and seriousness of compliance messages, significantly increasing employee awareness and internalization of ethical standards. Regulators assess the integration of leadership’s ethical messaging in training as evidence of a genuine commitment to compliance, rendering this practice essential.

4. “Identify metrics or indicators to measure the effectiveness of the tone set by senior leadership.”

Explanation:

Establishing measurable metrics to evaluate leadership’s ethical influence is critical for compliance accountability. This prompt helps compliance professionals determine practical indicators such as employee survey responses, whistleblower report frequency, internal reporting trends, and leadership communications frequency and clarity. Measuring effectiveness validates leadership’s ethical influence and provides essential data for regulatory reviews and internal audits. Organizations using these metrics demonstrate proactive compliance management and continuous improvement. Moreover, metrics provide leaders with clear feedback, helping them reinforce, adjust, or amplify their ethical messaging and behaviors, thus enhancing overall compliance.

5. “Provide examples of effective and ineffective leadership behaviors influencing compliance culture.”

Explanation:

Compliance professionals require concrete examples to illustrate how leadership behaviors shape organizational compliance culture. This prompt supports clear distinctions between positive behaviors—such as transparency, accountability, and active ethical advocacy—and negative behaviors—such as inconsistent messaging, tolerance of unethical actions, or retaliation against whistleblowers. Effective examples educate senior leadership about desirable behaviors while highlighting the compliance risks of ineffective conduct. Identifying behavioral examples helps senior executives avoid unintentional undermining of compliance initiatives and significantly strengthens the credibility and authenticity of the “Tone at the Top.”

6. “Develop an action plan for senior management to demonstrate their commitment to compliance and ethics visibly.”

Explanation:

A tangible, actionable plan ensures that senior executives visibly demonstrate their commitment to ethical practices. This prompt enables compliance professionals to suggest specific actions such as regular town hall meetings, ethical roundtables, personal involvement in compliance events, and transparent communication on ethical issues. Visible commitment reassures employees that compliance is genuinely valued, thereby fostering greater organizational trust and cooperation. Regulators strongly emphasize tangible evidence of top-level commitment, and documented action plans provide essential records for demonstrating sustained ethical leadership, regulatory compliance, and internal alignment with compliance objectives.

7. “Suggest methods for senior leadership to encourage ethical reporting and protect whistleblowers actively.”

Explanation:

Leadership’s role in whistleblower protection significantly impacts an organization’s compliance culture. This prompt guides compliance professionals in outlining best practices for senior leadership, including public support for whistleblower programs, transparent whistleblower policy communications, visible zero-tolerance policies against retaliation, and proactive engagement with ethical reporting mechanisms. Encouraging ethical reporting at the highest levels demonstrates a commitment to transparency, accountability, and continuous improvement. Regulators such as the DOJ explicitly assess leadership’s commitment to whistleblower protection as crucial evidence of an effective compliance program, making this prompt critical.

8. “Explain how senior management can reinforce the tone at the top during crises or significant compliance incidents.”

Explanation:

Leadership’s response during crises significantly shapes organizational perceptions of ethical integrity. This prompt allows compliance professionals to prepare senior leaders to handle compliance incidents transparently, responsibly, and decisively, maintaining consistency with the stated “Tone at the Top.” Effective crisis management involves clear communication, timely acknowledgment, thorough root cause analyses, and visible accountability measures. Reinforcing ethical commitments during difficult times strengthens internal trust, enhances external credibility, and fulfills regulatory expectations for transparent crisis responses. Compliance programs that maintain consistent ethical messaging during crises demonstrate resilience, integrity, and maturity in the compliance framework.

9. “Outline techniques senior management can use to evaluate and refresh the organization’s ethical tone regularly.”

Explanation:

The ethical tone from leadership should remain dynamic, reflective of evolving organizational needs, risks, and regulatory expectations. This prompt equips compliance professionals with techniques such as annual reviews, employee focus groups, ethical climate surveys, and executive ethics workshops. Regular evaluation and periodic refreshment of ethical messaging ensure ongoing alignment between leadership’s stated values and actual organizational culture. Demonstrating regular evaluations and responsive adjustments shows regulators an active commitment to maintaining a relevant, meaningful “Tone at the Top,” enhancing compliance credibility, operational effectiveness, and overall organizational resilience in ethics and compliance matters.

10. “Draft board of director communications emphasizing oversight responsibilities related to the tone at the top and compliance culture.”

Explanation:

Boards play a vital role in overseeing senior management’s ethical leadership. This prompt enables compliance professionals to communicate board-level responsibilities, regulatory expectations, and specific oversight tasks such as ethical audits, regular interactions with compliance leaders, and scrutiny of senior management’s ethical performance. Effective board oversight reinforces the accountability of senior leaders, provides critical external validation of ethical messaging, and ensures alignment with regulatory guidelines from bodies such as the SEC and DOJ. Clear board communications underscore a top-down commitment to compliance, further embedding ethics throughout organizational culture.

Effectively establishing, reinforcing, and communicating the “Tone at the Top” remains a cornerstone of compliance excellence. Leveraging these prompts enables compliance professionals to proactively equip senior leaders, executives, and boards with actionable tools, clear communication strategies, and visible demonstration opportunities. Successfully executing these prompts not only strengthens an organization’s compliance culture but also significantly mitigates compliance risks, reinforces internal trust, and provides compelling evidence of ethical rigor and commitment to external regulators.

If you have some favorite prompts you utilize in the area of Tone at the Top, please send them to me, and I will start a Prompt List to share with all compliance professionals.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Finance Models for Compliance


Today, we consider how the risk analysis for compliance is different for a CFO and why you need to take this into account in your budgeting process.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.