Tag: Compliance Week

Categories
Compliance Into the Weeds

Compliance into the Weeds: Surveying Retaliation Against Compliance Officers

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss a new anonymous Radical Compliance survey, launched with Case IQ and Compliance Week, to quantify retaliation against compliance officers who raise compliance concerns to senior management.

The survey asks what misconduct was reported, who retaliated, what forms of retaliation occurred, such as firing, demotion, harassment, budget cuts, blacklisting, and what actions followed. Matt also encourages responses from those who have not experienced retaliation. Tom and Matt have previously discussed anecdotally but have not systematically studied, and plan to publish their findings and host a webinar later in the spring, likely in June. They also discuss potential structural protections informed by data, such as disclosure expectations around CCO departures (e.g., 8-K concepts) and contract/regulatory-approval models like those in India’s banking sector, and suggest that the findings could inform DOJ views on compliance autonomy and effective compliance programs.

Key highlights:

  • Survey Launch Explained
  • Retaliation Questions
  • Why This Study Matters
  • Defining Prevalence
  • Using Findings for Change
  • Final Call to Participate

Resources:

Matt on Radical Compliance

Survey on Retaliation Against Compliance Professionals

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
From the Editor's Desk

From the Editor’s Desk: Aaron Nicodemus Reflections on March and April in Compliance Week

In this episode of From the Editor’s Desk, Tom Fox sits down with Aaron Nicodemus for a lively and insightful look back at the biggest compliance stories from March, while also previewing the trends, enforcement issues, and events set to shape April. They also begin the countdown to the 2026 Compliance Week National Conference in May.

Tom and Aaron break down the fast-moving, policy-driven shifts in U.S. sanctions on Venezuela, Iran, and Russia, and explore how companies are balancing business opportunities with escalating geopolitical and compliance risks amid a volatile oil market. They spotlight Compliance Week’s feature on illegal mining, unpacking its deep connections to financial crime, corruption, and supply chain exposure. The conversation also examines a notable March FCPA declination under the DOJ’s new Corporate Enforcement Policy, focusing on what it signals about voluntary self-disclosure, remediation, cooperation credit, and the Department’s continued emphasis on prosecuting individuals. Along the way, they consider possible aggravating factors, including payments tied to designated criminal or terrorist groups, and what these developments may mean for the future of cross-border enforcement cooperation.

Looking ahead, Tom and Aaron preview the 2026 Compliance Week National Conference, taking place May 6–8 in Washington, DC, including awards finalists, anticipated remarks from DOJ and SEC officials, and timely sessions on AI, whistleblowers, and emerging compliance challenges. They also highlight the conference’s expanded commitment to new voices and share an early look at the Third Party Risk Management & Supply Chain Summit, coming October 26–28 in Chicago.

 

 Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Blog

Aly McDevitt Week: Part 5 – Ransomware, Crisis Response, and the Compliance Imperative to Move Fast

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

McDevitt took a different but highly effective approach in this case study. Rather than centering the story on a single historical corporate scandal, she crafted an immersive fictional scenario grounded in real-life attacks, expert interviews, and public guidance. Compliance Week made clear that, while the company and its characters are imagined, the legal, operational, and compliance issues are very real. That makes this piece especially valuable for compliance professionals because it is less a postmortem of one company and more a practical field manual for the next crisis.

McDevitt’s story begins where many cyber incidents begin: with a person, not a machine.

A longtime employee, Betsy, receives an “urgent” email that appears to be from her boss. She clicks a malicious link, lands on a phony, internal-looking site, realizes too late that something is wrong, and then makes the mistake that turns a bad moment into a corporate crisis: she does not report it. Her silence gives the attacker time. Within days, the company, Vulnerable Electric (VE), a private utility serving 1.4 million customers with about 600 employees and $250 million in annual revenue, is facing a full-blown ransomware attack.

That is the first lesson, and McDevitt drives it home with precision. Ransomware is often described as a technology problem, but the first failure is frequently human, organizational, and cultural. Betsy clicked. But more importantly, she hesitated, feared blame, and kept quiet. As McDevitt explains through the expert commentary, her biggest mistake was not simply opening the link. It was actively deciding not to report the incident to the proper internal authority.

For compliance officers, that point should sound very familiar. Whether the issue is corruption, harassment, sanctions, safety, or cyber, organizations do not fail only because something bad happens. They fail because people do not feel safe reporting it quickly.

McDevitt also lays out why this issue matters so much now. She notes that ransomware payments in 2020 reached roughly $350 million, a more than 300 percent increase from the prior year, and that proactive prevention is no longer optional. She further situates the case study in the context of critical infrastructure, noting that entities such as utilities are subject to heightened scrutiny and are encouraged to align with the NIST cybersecurity framework. In other words, ransomware is not just an IT nuisance. It is an enterprise risk, a regulatory risk, and in some sectors a national security risk.

Once the attack is recognized, McDevitt shows the company doing something right: it moves into a structured response. The CEO activates the full cyber incident response team, or CIRT, and the war room includes not only technical leaders and legal counsel, but also the chief compliance officer, the head of communications, external incident response professionals, and other essential decision-makers. This is exactly what a mature response should look like. Cyber incidents do not fall under a single function. They are enterprise events.

I particularly appreciated how McDevitt uses the case study to underline the role of compliance. The CCO is not there as decoration. The article makes clear that if employee data has been exfiltrated, the incident constitutes a personal data disclosure with potentially local, state, and international notification consequences, and that compliance and legal personnel should be in the room from the start. That is a crucial point for corporate compliance professionals. Cyber risk management is not separate from compliance. It is now one of compliance’s core operating terrains.

McDevitt also captures the psychology of the first 36 hours. Anthony Ferrante says those hours are extremely stressful for a CEO, who is simultaneously thinking about operations, data, reputation, and people. That observation matters because it explains why preparation before an attack is so important. You do not want your executives inventing a process under duress. McDevitt reports that VE had already created an incident playbook with roles, escalation steps, and a five-part response framework: facts, business impact, root cause, corrective actions, and lessons learned. That is the kind of disciplined structure compliance leaders should insist upon.

Another strength of McDevitt’s reporting is her treatment of communications. Too many organizations still believe communications should be brought in late, after the lawyers and technologists finish their work. McDevitt, through multiple expert voices, makes the opposite case. Communications should have a seat at the table, not at the back wall. The reason is straightforward: stakeholders will forgive many things, but they will not forgive caginess. VE’s communications lead rightly argues that employees and customers should hear from the company first, not from the media or the attacker.

This point becomes even sharper when McDevitt contrasts VE’s approach with the real-life story of “Melvin,” an employee at another firm that remained offline for 10 days with no formal communication and did not disclose the sensitive data breach to employees in a timely or transparent way. That section may be the most important communications lesson in the entire piece. Employees are not bystanders. They are among the primary victims of a data breach, and they know when something is wrong. Silence destroys trust.

Then comes the hard question at the center of nearly every ransomware story: Do you pay?

McDevitt wisely resists easy moralizing. She notes the FBI’s official position is not to pay, because payment fuels the criminal business model and does not guarantee restoration. Yet she also reports the practical view of experienced practitioners: payment is not illegal per se, and companies often face a grim choice among bad options. The anonymous chief compliance officer quoted in the case study says it best: there are no good options, only the least bad option.

McDevitt’s two parallel paths, pay and do not pay, are particularly useful because they show that neither choice is clean. In Path A, VE pays $5 million, gets imperfect decryption support, recovers faster, but then faces scrutiny over whether it should have consulted OFAC before payment and whether it may have paid a sanctioned party. In Path B, VE does not pay, endures a longer recovery, suffers a data breach, and still faces reputational and legal fallout. McDevitt’s point is not that one route is right and one is wrong. Her point is that ransomware decision-making is governance under pressure.

That is why the postmortem matters so much. McDevitt closes the case study by emphasizing that the long-term impacts fall into three risk buckets: reputational, legal, and regulatory. She then turns to practical lessons: train the workforce, strengthen spam filters, run tabletop exercises, isolate infected devices immediately, secure backups offline, contact law enforcement quickly, do not rush engagement with the attacker, and communicate with each stakeholder group in a timely and tailored way. She also adds smart recommendations on canary files, forensic retainers, access reviews, logging, threat intelligence monitoring, and industry information sharing.

Finally, McDevitt ends on a note that compliance professionals should not miss. Betsy is not scapegoated. She is thanked for telling the truth and invited to participate in a phishing-resilience campaign for other employees. That is not sentimentality. That is culture. If your response to human error is humiliation, people will hide problems. If your response is accountability plus learning, people will surface them.

That may be the most important compliance lesson of all. Ransomware is a cyber crisis, but surviving it depends on culture, governance, and trust just as much as on technology.

I hope you have enjoyed reading about Aly’s case studies for CW. I am a columnist for Compliance Week.

Categories
Blog

Aly McDevitt Week: Part 3 – Lafarge, Syria, and When “Business Continuity” Becomes Criminality

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

In this case study, Aly took a scandal that could easily be reduced to a shocking headline and showed how misconduct often grows incrementally, decision by decision, concession by concession, until a company crosses a line it can no longer explain away. As McDevitt framed it, Lafarge’s collapse into criminal conduct was not sudden. What began as “local concessions” in a war zone ended in terrorist financing, a guilty plea, and a historic compliance disaster.

For the corporate compliance professional, that is where this story starts. Not with ISIS. Not with the guilty plea. Not even with Syria’s descent into civil war. It starts with a corporate mindset that treats business continuity as a value higher than legal and ethical boundaries.

McDevitt lays out the core facts with devastating clarity. Lafarge built a $680 million cement plant in the Jalabiyeh region of Syria in 2010, just as the Arab Spring began to reshape the region. The plant, Lafarge Cement Syria, was strategically important, but it also operated in an increasingly unstable environment. By 2011, political unrest in Syria had become a violent conflict. By 2012, the area around the plant was plagued by kidnappings, hijackings, and the killing of a contractor at a checkpoint. Most companies would view those developments as bright red stop signs. Lafarge saw them as obstacles to manage.

That is the first major lesson of the case study. The most dangerous compliance failures often arise not from ignorance of risk but from a conscious decision to keep operating despite it. McDevitt shows that while other companies pulled out of Syria, Lafarge kept the plant running and shifted management of Syrian operations to Cairo after evacuating European employees. That decision set the stage for the next step: negotiating through intermediaries with armed factions to permit continued operations. By then, the moral and legal slope was already slippery. The question was no longer whether the company faced risk. The question was how much compromise leadership was willing to tolerate to avoid writing off a major investment.

McDevitt’s reporting is especially effective because it captures the gradualism of the wrongdoing. She writes that Lafarge executives did not wake up one day and decide to fund terrorists. It happened slowly, one deal after another, as the company tried to preserve operations in a deteriorating war zone. This is a point every compliance professional should sit with. Catastrophic misconduct often results from the accumulation of rationalized, smaller acts. Each one is framed as temporary, practical, or necessary. Each one moves the line. Eventually, there is no line left.

The Justice Department ultimately found that Lafarge routed about $5.92 million in illicit payments to the al-Nusra Front and ISIS. In 2022, Lafarge pleaded guilty in the United States to providing material support to terrorist organizations, the first case of its kind against a corporation in the U.S. Former Deputy Attorney General Lisa Monaco said the company “paid millions of dollars to both terrorist groups and benefited from their brutality to the tune of $70 million in revenue,” and the company paid $778 million in fines and forfeitures as part of the plea agreement.

That number alone should command the attention of boards and executive teams. Lafarge tried to avoid the business pain of shutting down a troubled asset and ended up paying more than the original investment in penalties, while also suffering deep reputational damage, legal exposure in multiple jurisdictions, and criminal proceedings against former executives. There is a brutal irony in that outcome. The Syrian plant accounted for less than 1% of Lafarge’s total sales at the time of the Holcim merger, yet the consequences of non-compliance proved vastly disproportionate to the asset’s commercial importance. That is the second lesson. The smaller the business rationale, the less defensible the compliance compromise.

McDevitt also explains why the U.S. Department of Justice had jurisdiction. Lafarge used U.S.-based email services to avoid using company email addresses, and some payments linked to terrorist groups were made in U.S. dollars through New York banks. This should resonate with every multinational company. Jurisdiction in modern enforcement is not limited by headquarters location. It is created through systems, currency flows, communications infrastructure, and business touchpoints. In a global company, you can be hauled into a U.S. enforcement action because you used the plumbing of U.S. commerce.

McDevitt’s account also reveals something even more troubling. By September 2013, Lafarge executives were already acknowledging the reality in their own meeting minutes, stating that it was becoming harder and harder to operate without directly or indirectly negotiating with networks designated as terrorists by international organizations and the United States. That line should stop every compliance officer in their tracks. At that moment, the risk was no longer ambiguous. It was known, articulated, and documented. The failure thereafter was not one of detection. It was one of the decision-making processes.

And that brings us to the heart of the compliance lesson. Once a company understands the legal and ethical nature of the risk, the compliance function is not merely to record the issue. The job is to create a decision architecture that can force the right outcome, even when business leadership hates it.

McDevitt reinforces this through the voice of Marcia Narine Weldon, who said, “business continuity can’t be an excuse for abandoning core legal and ethical principles” and even more pointedly, “When you’re dealing with potential terrorism financing, neutrality isn’t an option. You either stop it or you become complicit”. That is exactly right. There are categories of risk where compromise is not prudent; balancing is complicity. Terrorist financing sits squarely in that category.

Another important aspect of McDevitt’s case study is the timeline of internal response. Holcim, after its merger with Lafarge, became aware in 2016 of allegations that Lafarge had negotiated with ISIS and made payments to it. The head of compliance informed the Chief Legal and Compliance Officer that outside counsel had been engaged for legal analysis, and the board’s finance and audit committee directed an investigation. This sequence shows what a post-discovery escalation should look like. But it also highlights a painful truth: escalation after the fact is not the same as prevention. The best board briefing in 2016 could not undo the wrong choices made years earlier.

For compliance leaders, the Lafarge matter is therefore a case study in the limits of retrospective governance. Once the organization has crossed the line into criminal conduct, the role of compliance shifts from prevention to damage containment.

McDevitt weaves this throughout the piece with precision. She does not sensationalize the conduct. She shows how a company operating in a volatile, high-risk environment allowed ethics and compliance to take a back seat to business survival. That is what makes the article so valuable. It reminds us that in high-pressure environments, compliance is not a support function sitting politely on the sidelines. It is the adult in the room. Sometimes that means telling management to shut down an operation. Sometimes it means escalating to the board. Sometimes it means resigning rather than participating in the unambiguously wrong.

In the end, Inside a Dark Pact is one of Aly McDevitt’s strongest cautionary tales because it strips away comforting myths. It tells us that smart people can rationalize the indefensible. It tells us that local concessions can become global crimes. And it tells us that when a company places asset preservation above values, it may preserve neither.

Join us tomorrow when we review Aly’s piece on Flex and its ESG journey. I am a columnist for Compliance Week.

Categories
Blog

Aly McDevitt Week: Part 2 – VW, Dieselgate, and the Long Road from Fear to Integrity

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

In this story, Aly’s reporting did what the best compliance journalism always does: it moved beyond the headline scandal to examine the operating mechanics of cultural repair. McDevitt did not simply retell Dieselgate. She walked through how Volkswagen tried to recover from one of the great corporate compliance failures of modern times through a U.S. monitorship, structural reform, and a sustained effort to replace fear with integrity.

For the corporate compliance professional,  Coming Clean is more than a case study about emissions cheating. It is a case study on whether a company permeated by misconduct can rebuild trust in a credible, measurable, and durable way.

McDevitt begins with the plain truth. Dieselgate was not the act of a single rogue employee or a single bad executive. The defeat device was developed, installed, and concealed by many. Volkswagen’s diesel vehicles used software that sensed when emissions testing was underway and shifted performance to produce compliant results; during normal operations, emissions controls underperformed, resulting in nitrogen oxide pollution up to 40 times above permitted levels, according to U.S. officials. In total, Volkswagen sold approximately 590,000 such vehicles in the United States and roughly 11 million worldwide.

That alone would have made this a historic scandal. But the deeper compliance failure was cultural. McDevitt reports that the company did not come clean voluntarily. It admitted wrongdoing only after regulatory pressure forced the issue. As she recounts, former New York Attorney General Eric Schneiderman alleged that hundreds of senior executives and engineers knew what was happening and that no one was willing to say, “Maybe we should not do this” or “This is against the law,” a devastating indictment of the company’s ethical environment.

That is the first lesson for compliance officers. Compliance breakdowns at this scale are rarely caused by one missing policy. They come from pressure, silence, and a culture that normalizes rationalization.

Volkswagen’s business ambition played a central role. McDevitt notes that the company’s push to become the world’s most successful automaker was accompanied by an integrity deficit, unrealistic goals, and a culture of fear. Later in the case study, she connects this to Strategy 2018, a corporate objective that sought market dominance and, in many observers’ view, created unbearable pressure to deliver results. This is an old lesson, but it remains evergreen. When growth goals are decoupled from ethics, misconduct begins to look like problem-solving.

Volkswagen’s 2017 guilty plea resulted in $4.3 billion in criminal and civil penalties and a three-year U.S. monitorship. McDevitt rightly focuses on the monitorship not as a humiliation ritual, but as an instrument of recovery. Former Deputy Attorney General Larry Thompson was appointed independent compliance monitor and auditor, and Hiltrud Werner became the executive on the Volkswagen side responsible for integrity, legal affairs, and much of the internal reform effort.

One of McDevitt’s great strengths in this piece is her attention to the relationship between monitor and company. Too often, practitioners think of monitorships as adversarial. Volkswagen’s experience suggests something more nuanced. Werner explicitly framed the monitor as an investment in Volkswagen’s future, not merely a punishment for its past, and she stressed that having someone on-site who knew the required standard was a positive element of reform. That is a practical insight. External oversight works best when the organization treats it as a pathway to transformation rather than a box-checking burden.

McDevitt also highlights the mechanics of making that relationship work. Volkswagen held a pre-monitorship “boot camp” in May 2017 to accelerate understanding, create transparency, and build human relationships between the monitor team and company personnel. Werner’s takeaway was one every compliance professional should write down: do not focus only on process; focus on people, too. I find that insight especially powerful because compliance functions often overinvest in control language and underinvest in trust architecture.

That same lesson appears in Volkswagen’s Project Management Office. McDevitt reports that the company created a neutral PMO to coordinate the monitorship across departments, manage over 1 million pages of documents and more than 8,000 meetings, and connect the monitor team to knowledgeable personnel across the enterprise. The PMO was not clerical support. It was organizational muscle. It mirrored the monitor’s work streams, established clear lines of contact, and brought together 80 staff from the first, second, and third lines of defense. That is another lesson worth underlining. In a major remediation project, project management is not ancillary to compliance. It is compliance.

McDevitt then turned to one of the most significant reforms: a single Code of Conduct for all employees across all 12 brands and companies, the first such common code in Volkswagen’s history. Hiltrud Werner described it as the company’s first stable anchor for culture. The Code was not meant to be an abstract statement. It included case studies and examples, and the training was updated to include “Dieselgate Lessons Learned” on compliance, integrity, culture, realism, personal responsibility, and speak-up expectations. Every employee and all board members received training on those lessons. For compliance professionals, this is exactly right. If your code cannot explain what went wrong in your own organization, then it is not yet a living document.

McDevitt’s reporting on Together4Integrity (T4I) is especially useful for practitioners. T4I emerged from the ashes of the failed growth-at-all-costs model and was built on two pillars: designing processes and positively influencing them, and inspiring employees to do the right thing out of conviction. It was not a one-size-fits-all rollout. Volkswagen recognized that a global organization with strong local identities needed both centralized standards and local ownership.

I particularly appreciated how McDevitt showed the practical texture of this effort. Local managers were empowered to choose engagement formats, from discussion breakfasts to integrity activities designed to reduce the distance between managers and employees and support a more open speak-up culture. Stephanie Davis, Volkswagen Group of America’s CECO, put it plainly: serious topics cannot be so scary that employees refuse to engage with them. Demystifying the work is part of the work.

The company also understood that culture had to be measured. This is perhaps the most practical part of McDevitt’s analysis. Volkswagen used perception workshops and its annual Stimmungs barometer survey to assess whether employees believed integrity was possible within their organizational units, identify weak areas, and build risk-based action plans. Werner reported that these measures showed year-over-year improvement, and the company used them to target workshops and resources where risk was greatest.

This is where many companies still fall short. They conduct training and communications, but they do not build a credible measurement framework for whether culture is actually changing. Volkswagen’s approach, as McDevitt presents it, offers a more mature model.

She also addresses the root causes of silence. Volkswagen identified “chimney careers,” or promotion paths entirely within one silo, as a structural factor that discouraged speaking up, as employees became too dependent on a single chain of command. That diagnosis is remarkably important. Speak-up culture is not only about hotline posters or anti-retaliation language. It is also about mobility, organizational design, and whether employees believe dissent will end their careers.

Finally, McDevitt looks at trust. Internally, Volkswagen viewed the increase in non-anonymous whistleblower reports as evidence that fear had begun to recede. In 2020, the company received 2,800 whistleblower tips, 90 percent of which were non-anonymous, a figure Werner said was unusually high and a signal that employees no longer felt the same degree of fear. Externally, regaining customer trust was slower and more difficult. Volkswagen repositioned around electric vehicles, carbon neutrality, and Electrify America, but Werner candidly admitted that rebuilding credibility was still a long process.

That candor may be the final lesson. After a scandal of this magnitude, a campaign cannot restore trust. It is restored by years of disciplined conduct, transparent accountability, and evidence that the company has truly understood what went wrong. Aly McDevitt’s Coming Clean is therefore not simply a story about Volkswagen. It is a guide to the difficult middle stage of compliance work: what happens after the plea, after the headlines, after the first promises. That is where the real labor begins.

Join us tomorrow, where we review Aly’s piece on Lafarge in Syria. I am a columnist for Compliance Week.

Categories
Blog

Aly McDevitt Week: Part 1 – Carnival and the Hard Truth About Crisis-Tested Compliance

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Please note that I will leave her seminal (in my opinion) piece, The Banks Behind the Epstein Enterprise, for a later piece.

In A Tale of Two Storms, it is worth noting at the outset that McDevitt did more than recount a corporate crisis. She captured a company trying to rebuild itself under the eye of a court-appointed monitor just as COVID-19 exploded into a global emergency. As Compliance Week explained, what began as a long-form examination of Carnival’s environmental misconduct and attempted compliance redemption became a far bigger story when one of its ships became an early incubator of the virus outside China.

For the compliance professional, that pivot is the first lesson. A program is not truly tested in the conference room. It is tested when an old crisis collides with a new one.

McDevitt opens at a moment of eerie transition. On February 20, 2020, Carnival was already dealing with a COVID-19 outbreak aboard the Diamond Princess, even as Compliance Week toured the company’s new ethics and compliance function in Miami. That juxtaposition framed the whole case study. Carnival was not simply managing a public health disaster. It was doing so while still carrying the baggage of a long, embarrassing, and very expensive history of environmental misconduct.

That history mattered. Carnival had pleaded guilty in federal court in both 2002 and 2017 to illegal discharges of oily waste and to falsification of records, and the Department of Justice viewed the pattern as evidence of a systemic problem in ethics and culture. This was not a one-off control failure. It was a story of repeated misconduct, insufficient structural reform, and an organization that had not yet fully learned how to turn compliance into culture.

McDevitt shows that the real inflection point came in 2019, after Carnival paid another $20 million for violating the terms of its probation and was ordered to implement corporate structural changes under a tight deadline, with a possible $10 million-per-day late penalty. That is when Carnival hired Peter Anderson as its first chief ethics and compliance officer and began to centralize what had long been fragmented compliance functions.

The importance of that move cannot be overstated. A common problem in large organizations is that compliance is spread across subject-matter silos, each with its own language, priorities, and reporting lines. McDevitt reports that before August 2019, Carnival did not have a centralized ethics and compliance department; environmental, general compliance, and health and safety functions worked independently across its operating companies. That fragmentation is often sold internally as efficiency or business autonomy. In practice, it can become a breeding ground for inconsistent controls, weak escalation, and cultural drift.

Anderson’s mandate was broader than legal remediation. He was brought in to unite the program, strengthen trust, improve information flow, and build a sustainable culture of compliance. McDevitt’s reporting around Anderson is especially valuable because she does not present him as a silver-bullet hero. Rather, she portrays him as an architect trying to build structure, process, and cultural credibility simultaneously.

His four pillars, as reported by McDevitt, were prevention, detection, response, and correction. That framework remains highly useful for any chief compliance officer. It reminds us that compliance is not just about policies or investigations. It is about understanding risk, identifying issues early, responding quickly, and then conducting real root cause analysis so the same failure does not recur. This became critically important once COVID hit.

One of the sharpest observations in McDevitt’s reporting comes from Carnival’s Gerry Ellis, who described the pandemic not as a pure compliance issue but as “compliance with the regulatory aspect of health” in a rapidly shifting battlefield of contradictory requirements across jurisdictions. That is a familiar challenge to modern compliance teams. Whether the issue is sanctions, AI governance, cyber, ESG, or public health, the hardest problems often come when the rules are changing in real time, across borders, with high operational stakes.

The brutal optics of timing also complicated Carnival’s crisis response. McDevitt details how the company faced allegations that it had sufficient warning signs yet continued operating for too long, even as infections spread across multiple vessels. Carnival defended its timing, noting that public health guidance was still evolving and that government advisories had not yet been fully escalated. That explanation may be understandable, but for compliance officers, the point is not merely whether management can defend its judgment after the fact. The point is whether the organization had the governance structure to make fast, documented, risk-based decisions while conditions changed by the hour.

McDevitt’s deeper contribution is to connect the pandemic response to the compliance rebuild already underway. She reports that Carnival’s pre-pandemic investments in a centralized program, better risk assessment, improved training, stronger communications, and closer engagement with the monitor helped the company absorb the shock of COVID more effectively than it otherwise could have. In other words, compliance did not solve the pandemic. But it provided muscle memory. That may be the most important lesson in the entire case study.

The company also understands that the tone at the top must be reinforced through resource allocation. Even amid severe financial pressure, Carnival preserved a larger share of its ethics and compliance team than many other departments, continued environmental investments, and developed a Pause Priorities Plan to sustain compliance momentum during the shutdown. Compliance officers should take note. A company reveals its real priorities not by slogans but by budget, staffing, visibility, and follow-through.

There are other practical insights here as well. McDevitt recounts how Carnival moved from a blame-oriented investigative mindset to “incident analysis” and learning, with Anderson explicitly stating that incidents should be viewed as assets for improvement. She also reports the company’s emphasis on “speak up,” leadership engagement, culture measurements, and the need to make captains and shipboard leaders receptive to challenge from below. That is a direct answer to one of the oldest compliance questions: how do you build trust in high-hierarchy environments where people fear speaking up?

Yet McDevitt does not let Carnival off the hook. The court-appointed monitor remained skeptical, top leadership had to be pushed to engage more deeply, environmental violations persisted, and Judge Patricia Seitz openly questioned whether Carnival was building a robust system that could function without the court’s “training wheels”. That skepticism is healthy. It underscores a hard truth every compliance professional knows: a redesigned program is not the same thing as an effective one. The real test is whether the organization behaves differently over time.

In the end, A Tale of Two Storms is not simply a cruise industry story. Aly McDevitt uses Carnival to show what happens when compliance reform is forced to mature in public, under enforcement pressure, and amid operational chaos. Her reporting demonstrates that while a crisis can expose weakness, it can also accelerate the transition from paper program to operational discipline.

For compliance leaders, that is the heart of the matter. You do not get to choose when your second storm arrives. You only get to choose whether your program is strong enough to meet it.

Join us tomorrow as we move to Aly’s piece on Volkswagen and its journey regarding its corporate soul after its emissions testing scandal. I am a columnist for Compliance Week.

Categories
Blog

AI, Compliance, and the Missing “Why”: Highlights from the Compliance Week AI Conference

If there was one clear message coming out of Compliance Week’s January 2026 AI conference, The Leading Edge: Applying AI and Data Analytics in E&C, it was not about tools, vendors, or futuristic promises. It was about discipline. More specifically, it was about something compliance professionals have preached for decades and are now being pressured to skip: the “why.”

In a recent episode of the podcast From the Editor’s Desk, I sat down with Compliance Week Editor in Chief Aaron Nicodemus to gather his reflections on the conference and its implications for compliance leaders. What emerged was not a story about artificial intelligence replacing compliance, but about AI exposing weaknesses in how organizations make decisions, manage pressure from the top, and integrate ethics into innovation. For compliance professionals, the discussion was a reminder that AI is not a technology problem. It is a governance problem.

The Step Everyone Is Skipping: Why Before What

One of the most striking takeaways from the conference came from Jen Gennai, former AI Ethics and Compliance Advisor at Google. Her message was deceptively simple: companies are skipping the “why.” Organizations are rushing to implement AI tools without first articulating what problem they are trying to solve or why AI is the appropriate solution. Instead of defining the use case and then selecting the right tool, teams are buying technology first and hoping value emerges later.

For compliance professionals, this should sound uncomfortably familiar. Risk management, third-party due diligence, investigations; every mature compliance process begins with a defined purpose. There is a reason the first step in the third-party risk management process is the Business Rationale. This is the ‘why’, requiring a business sponsor to explain why your organization needs a new or different business partner. Yet when AI enters the picture, that discipline often evaporates. The result is experimentation without accountability and pilots without strategy.

The irony is that compliance already knows how to do this. The failure is not a lack of knowledge; it is pressure.

Tone at the Top, Revisited: Pressure Without Direction

According to a recent Compliance Week and konaAI study released at the conference, more than 60 percent of compliance officers feel pressure from the board or C-suite to “use AI.” Not to use it in a specific way. Not to achieve a defined outcome. To use it. This top-down mandate creates a new kind of compliance risk. When leadership demands adoption without guidance, teams feel compelled to move quickly, sometimes cutting corners they would never cut in other risk domains.

This is not inherently nefarious. Boards are doing what they believe is necessary to keep their organizations competitive. But pressure without clarity creates the conditions for poor governance. Compliance leaders must recognize this moment not as a threat, but as an opening. Because when leadership says “use AI,” compliance has an opportunity to respond with structure: identify manual pain points, define defensible use cases, and align AI deployment with existing policies and ethical standards. The mandate may be broad, but the implementation can and should be deliberate.

Humans in the Loop: Why Oversight Is Not Optional

Another recurring theme from the conference was the danger of letting AI evaluate AI. Scaling tools without human oversight compounds error. One flawed assumption becomes many. Bias multiplies. Outputs drift. The lesson here is not anti-technology; it is pro-governance. AI works best when humans remain embedded throughout the lifecycle: selecting tools, defining scope, reviewing outputs, and deciding whether the system is working at all.

This aligns squarely with long-standing compliance principles. Judgment-heavy decisions, investigations, escalations, and remediations must remain human. Attempting to automate them introduces fairness and defensibility risks that no compliance program can explain away after the fact. AI should accelerate compliance work, not absolve responsibility for it.

Trust and Integrity: The Core Compliance Tension with AI

The most profound tension discussed at the conference was philosophical. Compliance programs are built on trust and integrity. AI, by contrast, is often perceived as opaque, untrustworthy, and occasionally wrong. This creates a credibility problem.

Why would a compliance function that spends years telling employees to act ethically, verify sources, and question assumptions deploy a tool that fabricates answers or cannot explain its reasoning? If compliance cannot articulate why an AI system aligns with the organization’s ethical standards, it should not be deployed, no matter how efficient it appears to be. Trust is not just about outputs. It extends to inputs, data quality, and understanding how systems interact with information. AI amplifies what it is given. Bad data does not improve through automation; it spreads faster.

Iteration Over Perfection: Learning Is Part of the Process

A healthy counterpoint emerged as well: AI is not a one-shot deployment. It requires iteration. Early failures are not proof that AI does not work; they are evidence that learning has begun. Several speakers emphasized that AI improves through feedback. Teams must be willing to correct it, teach it, and refine its outputs over time. Compliance professionals who abandon tools after one or two imperfect attempts misunderstand how the technology functions.

That said, iteration does not excuse carelessness. Learning must occur within guardrails: governance frameworks, usage boundaries, and documentation matter more, not less, when tools evolve.

Compliance as Value Creator, Not Speed Bump

One of the most encouraging insights from the conference was how AI is reshaping compliance’s role inside organizations. When compliance is involved early, before tools are rolled out, it becomes a partner in innovation rather than an obstacle.

Nicodemus pointed out companies like Robinhood, and Hemma Lomax, Deputy General Counsel, Vice President, and Head of Business Integrity at DocuSign, illustrated this point clearly. Compliance teams that embed themselves in product development and operational change help shape tools that work within ethical and regulatory boundaries from the start. That credibility compounds.

Lomax noted that at DocuSign, she and her compliance teams have gone further, creating AI agents that perform defined tasks continuously, with built-in ethical guardrails. When these tools are handed to new users, the hard questions have already been answered. This is how compliance becomes a competitive advantage; not by saying no, but by helping the business say yes safely.

No Experts, Only Practitioners

Another refreshing theme from the conference was humility. No one claimed to be an AI expert. Especially not in compliance. That matters. When technologies move quickly, false certainty is dangerous. Compliance professionals should not be intimidated by those who claim mastery. Instead, they should lean into their strengths: skepticism, documentation, and principled decision-making. AI does not require omniscience. It requires informed judgment.

The Vibe Shift: From Fear to Engagement

Perhaps the most telling insight came not from the stage, but from the hallways. Compared to earlier events, the mood around AI has shifted. Compliance professionals are no longer crossing their arms in resistance. They recognize the benefits and risks and want to engage. No one believes AI will disappear. The debate is no longer whether to use it, but how. Some organizations will lean in aggressively. Others will move cautiously. All will need compliance to guide those choices. The most effective analogy offered was this: AI is like a very confident intern. Smart. Fast. Occasionally wrong. Useful, but never in charge.

Conclusion: AI Is a Compliance Opportunity, If Compliance Leads

The Compliance Week AI conference made one thing clear: AI is not undermining compliance. It is testing it. Programs that lack clarity, governance, or confidence will struggle. Programs that know who they are, what they stand for, and how they make decisions will thrive. For compliance professionals, the question is not whether AI belongs at the table. It already sits there. The real question is whether compliance will claim its seat, not as a roadblock, but as the function that ensures innovation aligns with integrity. That is not a burden. It is an opportunity.

Categories
From the Editor's Desk

From the Editor’s Desk – Aaron Nicodemus on the CW AI Conference Insights: Navigating the Practical Use of AI in Compliance

In this episode of ‘From the Editor’s Desk,’ Tom Fox visits with Aaron Nicodemus to discuss highlights from the recent Compliance Week AI Conference. Key takeaways include the importance of understanding the purpose and practical use of AI tools before implementation, the pressures from C-suite and boards to adopt AI, and the necessity of a human-in-the-loop approach. The conversation also touches on integrating trust and integrity into AI adoption, the evolving role of compliance as a trusted partner in AI initiatives, and the collective willingness to learn and apply AI across compliance operations.

Key highlights:

  • Importance of Understanding AI Implementation
  • Pressure from the Top: Compliance and AI
  • Human Oversight in AI Processes
  • Trust and Integrity in AI
  • Compliance as a Competitive Advantage
  • Real-World Examples: Robinhood and DocuSign
  • The Evolving Role of Compliance in AI
  • Conference Vibes and Final Thoughts

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Daily Compliance News

Daily Compliance News: January 21, 2026, The Excellence in Compliance Awards Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Delaware Supreme Court sides with Moelis. (Reuters)
  • CW entries for its Excellence in Compliance are now open. (CW)
  • The Philippines moves to shore up investor sentiment. (Bloomberg)
  • Goldman Sachs’ top lawyer and Epstein. (WSJ)
Categories
FCPA Compliance Report

FCPA Compliance Report: The Role of AI and Data Analytics in Compliance: Preview of The Leading Edge with Roxanne Bras Petraeus and Andrew McBride

Today, we have a special edition of the FCPA Compliance Report, previewing speakers and presentations at the upcoming Compliance Week event, The Leading Edge: Applying AI and Data Analytics in E&C, to be held at The Westin Fort Lauderdale on January 28 and 29. In this episode, Tom Fox is joined by Roxanne Bras Petraeus, CEO of Ethena, and Andrew McBride, Founder & CEO of Integrity Bridge LLC, to discuss their presentation, “Seeing is Believing: Live AI Demos for Ethics and Compliance Leaders.

Roxanne emphasizes the practical integration of AI within Ethena’s services and its utility for compliance leaders, while Andrew shares insights from his extensive experience in risk and compliance consulting. They highlight their upcoming presentation at The Leading Edge conference, where they will demonstrate 10 AI tools and discuss real-life use cases, opportunities, and limitations of AI in compliance. They also reflect on the evolving role of AI in data analytics and the need for transparency and data validation. Both guests express their eagerness to engage with compliance professionals and share practical insights to enhance the industry’s AI adoption.

Key highlights:

  • Preview of the Compliance Week Presentation
  • The Importance of Effective Training
  • AI’s Impact on Data Analytics in Compliance
  • Expectations for the Conference

Resources:

Compliance Week

The Leading Edge: Applying AI and Data Analytics in E&C conference, click here. Compliance Week is offering a 20% discount to the event for listeners of this podcast. Use the discount code TFOX at registration.

 Guests

Roxanne Bras Petraeus on LinkedIn

Ethena

Andrew McBride on LinkedIn

Integrity Bridge

Host

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn