The Warner Bros. Bidding War: Part 3 – The CCO Playbook for Transactions Under Pressure

The Warner Bros. (WBD) bidding war is not simply a Board story. It is a compliance operating model test. When a superior proposal emerges, the Chief Compliance Officer (CCO) must move from program design to execution discipline. Today, we conclude our short review of the Warner Bros./Netflix/Paramount dance and sale by considering lessons for the compliance professional.

In Part 1, we focused on the deal mechanics that led Warner Bros. Discovery to move from an agreed transaction with Netflix to a superior proposal from Paramount Skydance. In Part 2, the focus shifted to Board governance and fiduciary duty. This final post, Post 3, answers the operational question. What must the Chief Compliance Officer do when the process accelerates and governance must be proven in real time?

The answer is grounded in the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The core question remains constant. Is the program working in practice? A live transaction provides the answer.

Move Compliance Into the Transaction Control Room

Too many compliance functions treat M&A as a legal and financial activity. That approach fails when the transaction becomes contested. Once a superior proposal is identified, the compliance function must:

  • Participate in transaction governance meetings
  • Map control risks across disclosure, communications, and decision-making
  • Establish escalation pathways for new information

This is consistent with the expectations embedded in the DOJ’s Corporate Enforcement Policy, which rewards companies that demonstrate real-time awareness, escalation, and action. A compliance function that is not present during the decision-making process cannot later demonstrate that controls were effective.

Build and Execute an Evidence Protocol

The most significant compliance failure point in transactions is not misconduct. It is the absence of a reliable evidentiary record. In the WBD process, multiple streams of information were created simultaneously:

  • Board materials
  • Banker communications
  • Draft proposals and revisions
  • Internal analyses and emails

The CCO must ensure that the company has an evidence-based protocol that includes:

  • Centralized collection of transaction-related materials
  • Defined custodians for document integrity
  • Time-stamped records of key decisions and communications

Under the DOJ’s framework, this directly ties to the question of whether the company can demonstrate effectiveness through data and documentation. If the company cannot reconstruct its decision-making process, it cannot defend it.

Treat Disclosure Controls as a Real-Time Compliance System

Post 2 emphasized that disclosure is a governance issue. For the CCO, it is a control system. The compliance function should validate that:

  • The disclosure committee is activated and functioning continuously
  • There is a clear trigger matrix for Form 8-K filings and proxy updates
  • All external communications are coordinated and controlled

This is not theoretical. In a contested transaction, the volume and speed of information create a risk of selective disclosure, inconsistent messaging, or delayed filings. The CCO must ensure that disclosure controls meet the same standard as financial controls. They must be tested, documented, and operational.

Control Third-Party and Advisor Risk

Transactions introduce intense third-party engagement. Investment banks, legal advisors, consultants, and communications firms all operate at speed. In the WBD scenario, third-party actions included:

  • Structuring revised proposals
  • Communicating deal terms
  • Interacting with market participants

The CCO must ensure:

  • Clear protocols for third-party communications
  • Defined boundaries on who can speak on behalf of the company
  • Documentation of all material third-party interactions

This aligns with long-standing expectations under the Foreign Corrupt Practices Act (FCPA) and the broader third-party risk principles embedded in compliance programs. Even in a domestic transaction, third-party risk remains a control issue.

Align Governance With Internal Controls Frameworks

The events described in Parts 1 and 2 map directly onto internal control frameworks such as the COSO Internal Controls Framework. For the CCO, this means:

  • Control Environment: Tone at the top regarding disciplined decision-making
  • Risk Assessment: Identification of disclosure, litigation, and regulatory risks
  • Control Activities: Implementation of approval processes and documentation protocols
  • Information and Communication: Real-time disclosure and coordination
  • Monitoring: Ongoing review of transaction-related controls

This mapping is not academic. It is how the company demonstrates that governance is structured, repeatable, and effective.

Prepare for Day Two Risk

The transaction does not end with signing or closing. It creates a new risk profile. The CCO must plan for:

  • Integration of compliance programs across entities
  • Review of legacy decisions made during the transaction process
  • Preservation of records for litigation or regulatory review

This is where the DOJ’s focus on continuous improvement becomes critical. The company must show that it learns from the transaction and strengthens its program.

Connecting the Lessons Across the Series

Part 1 showed that deal terms, including termination fees and superior proposal mechanics, can change outcomes. Part 2 demonstrated that the Board must govern those changes through documented, disciplined processes. In Part 3, we demonstrated the connections between the two. The compliance function is the mechanism that allows the company to prove that governance worked. Without compliance execution, governance is an assertion. With compliance execution, governance becomes evidence.

Practical Action Steps for CCOs

  1. Embed compliance into the transaction governance structure at the outset of any deal.
  2. Implement an evidence protocol that captures all material transaction activity in real time.
  3. Test disclosure controls under accelerated conditions, including mock 8-K scenarios.
  4. Define and enforce third-party communication protocols.
  5. Map transaction governance to COSO and DOJ ECCP requirements before a contested situation arises.

Questions for the CCO

  1. If a regulator requested the full decision record tomorrow, could the company produce it?
  2. Are disclosure controls capable of operating continuously under transaction pressure?
  3. Is there a single source of truth for transaction-related documentation?
  4. Are third-party interactions fully documented and controlled?
  5. Has the compliance program been stress-tested in a high-speed governance scenario?

Final Thoughts

The Warner Bros. Discovery bidding war is not unique. What is unique is how clearly it illustrates the modern role of the Chief Compliance Officer. Compliance is no longer limited to preventing misconduct. It is responsible for enabling the company to act, decide, and disclose with integrity under pressure and then prove it. That is the standard set by the DOJ. That is the expectation of Boards. And that is the future of the compliance profession.

AI Today in 5: May 6, 2026, The Religious Objections to AI Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Religious objections to AI coming. (HR Dive)
  2. AI healthcare frameworks will become as standard as HIPAA. (Healthcare IT News)
  3. AI is coming to AML compliance. (FinTechGlobal)
  4. Roomba returns with AI. (AP)
  5. AI and shadow crypto markets. (Bloomberg)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Great Women in Compliance: DOJ’s New Fraud Division: Practical Insights for Compliance Professionals

In this episode, Lisa and Ellen speak with Leigha Simonton and Jennifer Beidel, former prosecutors and now partners at Dykema Gossett. They discuss the changes in the U.S. Department of Justice, focusing on the National Fraud Enforcement Division and shifts in enforcement priorities.

They discuss the spotlight on fraud involving federal funds, especially in healthcare, PPP loans, and other government programs. They discuss the new structure of the criminal fraud division and how that may change the government’s approach to prosecuting cases. At the same time, they also note that many experienced prosecutors and agents have left the DOJ, creating a gap between stated priorities and capacity and expertise.

Leigha and Jennifer also provide practical guidance for ethics and compliance professionals. They confirm that a risk assessment is critical and that any company that received federal funds, such as PPP loans, should remain vigilant for possible exposure under the current enforcement trends.

Even with these changes, they reiterate that effective, well-tested compliance programs do matter if the U.S. government is considering (or engaging in) prosecution. A proactive program—not the tick-the-box type—demonstrates implementation and remediation, increasing the likelihood of a declination.

This is a great episode for those of us trying to understand the US DOJ’s current enforcement landscape amid uncertainty.

The Warner Bros. Bidding War: Part 2 – Board Governance Under Pressure

When a superior proposal emerges, the Board is no longer evaluating strategy. It is proving governance. The Warner Bros. transaction shows how fiduciary duty, disclosure discipline, and control execution must function in real time. We are exploring Warner Bros./Netflix/Paramount’s bidding and purchase processes for lessons for the compliance professional. In Part 1, we focused on what happened. This post focuses on how the Board must respond when events accelerate.

The process moved from a negotiated transaction with Netflix to a contested situation with a rival bidder, Paramount. At that moment, the Board’s role shifted from approving a deal to managing an auction under fiduciary duty. This is the precise moment contemplated by Delaware fiduciary law and the Board oversight obligations often framed through the lens of Caremark duties. The question is no longer whether the Board can approve a transaction. The question becomes whether the Board can demonstrate that it acted on an informed basis, in good faith, and in the best interests of shareholders. That is not a conclusion. It is a record.

Waiver Discipline and the Fiduciary Record

In a live bidding environment, the Board will be asked to consider waiving contractual provisions, including standstill agreements, exclusivity clauses, and information-sharing restrictions. The governance risk is not the waiver itself. The governance risk is undocumented decision-making. A Board must ensure that every waiver is:

  • Reduced to writing with a defined scope and duration
  • Reviewed by counsel with a clear statement of fiduciary rationale
  • Reflected in contemporaneous Board minutes that explain why the waiver was necessary

Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) framework, the question is whether the company can demonstrate that its processes work in practice. A waiver without documentation is indistinguishable from a control failure.

Termination Fees as Board-Level Risk

The WBD transaction turned the $2.8 billion termination fee into a live issue. When Paramount agreed to fund the fee, the Board had to evaluate more than price. It had to evaluate:

  • Who ultimately bears the economic and legal risk
  • Whether the funding mechanism introduces new contingencies
  • How the arrangement should be disclosed to shareholders

Termination fees are often treated as deal protections. In a contested process, they serve as mechanisms for risk allocation. That places them squarely within Board oversight. A Board that does not interrogate the assumptions behind a termination fee, including third-party assumptions, is not exercising informed judgment.

Real-Time Disclosure Controls

Disclosure obligations in a transaction are not periodic. They are continuous. Once a superior proposal is identified, the company must:

  • Update proxy materials where required
  • Ensure that all material information is disclosed without selective leakage
  • Align communications across legal, investor relations, and management

The governance challenge is that information moves faster than process. Emails, banker discussions, draft proposals, and internal analyses all become part of the evidentiary record. Boards must ask whether the company has a real-time disclosure protocol. This includes:

  • A defined disclosure committee process
  • A single point of accountability for filings such as Form 8-K
  • Controls over who can communicate with external stakeholders

This is where governance intersects directly with compliance. Disclosure failures are not merely technical. They can trigger enforcement exposure.

The 8-K and Proxy Playbook

In a fast-moving transaction, the company does not have the luxury of drafting disclosures from scratch. A Board should expect management to have a predefined playbook that includes the following:

  • Trigger thresholds for filing obligations
  • Pre-approved disclosure templates for common scenarios
  • A documented approval chain involving legal, finance, and executive leadership

The absence of such a playbook creates a delay. Delay creates inconsistency. Inconsistency creates risk. From a COSO internal control perspective, this is a failure in control activities and information and communication. From a DOJ perspective, it is evidence that the program is not operationalized.

Regulatory Readiness and Remedy Planning

Both competing transactions carried regulatory risk. The difference was how that risk was allocated and mitigated. A Board must understand the following:

  • The regulatory approval pathways
  • The likelihood of a challenge
  • The remedies available if regulators object

More importantly, the Board must ensure that management has pre-developed the following:

  • Divestiture scenarios
  • Behavioral remedies
  • Escrow or holdback mechanisms tied to regulatory outcomes

This is not theoretical planning. It is part of the decision to determine which proposal is superior. A Board that does not understand regulatory risk is not fully evaluating the transaction’s value.

Post-Termination Control and Evidence Custody

When WBD terminated the agreement with Netflix, the transaction did not end. It transitioned into a new phase of risk. The company must:

  • Ensure proper handling of confidential information shared during the termination process
  • Preserve all records relevant to the decision-making process
  • Maintain audit trails for potential litigation or regulatory review

This is where evidence discipline becomes critical. The record must be complete, organized, and defensible. In the absence of such controls, the company risks being unable to demonstrate how decisions were made.

Why This Matters for Boards

The WBD process illustrates that governance is tested when conditions change rapidly. A Board cannot build governance in the middle of a transaction. It must already exist. The DOJ and SEC will not evaluate the Board based on the outcome. They will evaluate the Board based on the effectiveness of its processes, documentation, and controls. This is the essence of modern corporate governance. It is not about whether the Board chose Netflix or Paramount. It is about whether the Board can prove how and why it made that choice.

Practical Takeaways for Boards

  1. Ensure that superior proposal mechanics are understood at the Board level before a transaction is signed.
  2. Treat termination fees and regulatory protections as governance issues requiring full Board engagement.
  3. Demand real-time disclosure controls with clear ownership and escalation protocols.
  4. Require a pre-built 8-K and proxy playbook to manage disclosure risk under time pressure.
  5. Mandate regulatory scenario planning as part of transaction evaluation.

Questions for the Board

  1. Can the Board demonstrate, through contemporaneous documentation, how it evaluated a superior proposal?
  2. Does the company have a real-time disclosure control framework that supports rapid filings and updates?
  3. Are termination fee structures and third-party funding arrangements fully understood and documented?
  4. Has the Board reviewed regulatory risk scenarios and approved a default remedy strategy?
  5. Who is accountable for evidence preservation and record integrity during and after the transaction?

Please join us tomorrow; in our final post, we’ll focus on the Chief Compliance Officer. The question will be direct. What must a CCO do, in operational terms, to ensure that the company can execute governance under pressure and prove it after the fact?

Innovation in Compliance: Invitational Leadership for Employee Engagement Success With Dr. Dennis Cummins

Innovation comes in many forms, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Dr. Dennis Cummins to discuss his new book, “Invitational Selling: The Human Connection Advantage.”

Dr. Dennis Cummins, a globally recognized authority on invitational selling, champions a sales approach that prioritizes building authentic connections over traditional hard-sell techniques. Rooted in his extensive experience selling from the stage, Dr. Cummins believes in the transformative power of meaningful conversations to understand and effectively meet customer needs. His philosophy is detailed in his new book, “Invitational Selling: The Human Connection Advantage,” which promotes inviting customers to engage rather than pressuring them into a purchase, fostering authentic relationships that extend beyond mere transactions. Proceeds from the book benefit the Make-A-Wish Foundation. His book also underscores the potential of invitational selling to inspire collaboration within organizations and families, reflecting his commitment to empowering others through shared skills and talents.

Key highlights:

  • Relationship-Driven Sales Approach
  • Invitational Leadership for Employee Engagement
  • Profitability through Open Communication Culture
  • Humanizing AI to Build Trust and Connection
  • Invitational Selling: Creating Authentic Business Connections

Resources:

Dr. Dennis Cummins on LinkedIn

Dr. Dennis Cummins Website

Invitational Selling: click here 

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

The Warner Bros. Bidding War: Part 1 – What Happened and Why Compliance Professionals Should Care

A fast-moving corporate auction shows how deal terms, fiduciary duties, disclosure controls, regulatory risk, and evidence discipline can determine the outcome of a major transaction. Over the rest of this week, I will be exploring the Warner Bros./Netflix/Paramount bidding war, which

The Deal That Changed Direction

The Warner Bros./Netflix/Paramount bidding war is one of those corporate stories that looks like Hollywood drama on the surface but is really a governance story underneath. At first, Warner Bros. (WBD) had an agreed transaction with Netflix. That deal carried a $2.8 billion company termination fee payable by WBD under specified circumstances, including termination to enter into a superior proposal. The proxy materials also disclosed a $5.8 billion regulatory termination fee payable by Netflix if the deal failed for certain regulatory reasons. (SEC)

Then Paramount Skydance (Paramount) came back with a revised proposal. It raised the bid to $31 per WBD share in cash, added a ticking fee, offered a $7 billion regulatory termination fee, and agreed to fund the $2.8 billion termination fee owed to Netflix. (SEC) Reuters reported that WBD said the revised Paramount proposal could be considered superior, which set the process in motion. (Reuters)

By February 27, 2026, WBD terminated the Netflix agreement and entered into a merger agreement with Paramount Skydance. WBD later disclosed that Paramount Skydance paid the $2.8 billion Netflix termination fee on WBD’s behalf. (SEC)

That is the transaction story. The compliance story is deeper.

This Was Not Merely a Higher Price

In M&A, price matters. But price is rarely the only issue. Boards also look at certainty of closing, regulatory risk, financing, timing, shareholder value, legal exposure, and execution risk. Paramount did not merely increase the cash price. It addressed several deal objections at once. It offered to cover the Netflix break fee. It added a ticking fee if closing was delayed. It increased regulatory risk protection. It positioned its offer as cleaner, faster, and more certain than the existing transaction. (SEC)

That matters because boards do not evaluate superior proposals in a vacuum. They evaluate the entire package. The better governance question is not simply, “Which offer is higher?” It is, “Which offer delivers the best risk-adjusted value to shareholders, and can the Board prove how it reached that conclusion?”

The Termination Fee Became a Governance Issue

The $2.8 billion termination fee is an important part of the story. In ordinary conversation, that number sounds like a barrier. In this transaction, it became part of the competitive bidding structure. Paramount agreed to fund the termination fee, which changed the economics for WBD shareholders. WBD’s own annual report language later stated that, after the Board determined it had received a Company Superior Proposal and Netflix waived its right to propose revisions, WBD terminated the Netflix agreement and Paramount paid Netflix the $2.8 billion fee on WBD’s behalf. (SEC)

For compliance and governance professionals, this is the control point: when a large termination fee can be assumed, reimbursed, funded, or otherwise neutralized by a rival bidder, the company needs clear documentation showing who approved that structure, how it was analyzed, how it was disclosed, and how conflicts were managed.

Disclosure Was Not a Back-Office Exercise

In a contested transaction, disclosure is part of the control environment. The company must update shareholders, respond to rival communications, track proxy statements, preserve drafts, document board deliberations, and avoid selective disclosure. The Netflix proxy materials laid out the termination fee structure and the circumstances under which the fee could become payable. (SEC) Paramount’s revised proposal was also publicly communicated through SEC filings, including the increased $31-per-share cash price and the regulatory termination fee. (SEC)

This is where compliance should pay attention. A transaction can move faster than the company’s document discipline. Emails, banker calls, board materials, draft press releases, proxy supplements, and negotiation notes can become evidence. If the company doesn’t have a real-time evidence protocol, the record will build itself, which isn’t ideal.

Why Compliance Professionals Should Care

Some believe this is a board-and-banker story. That is too narrow. It is also a compliance story because compliance is about governance, controls, documentation, accountability, escalation, and evidence. A high-stakes transaction tests whether the company’s control environment holds up under the highest pressure. It tests whether the Board receives complete information. It tests whether management understands escalation obligations. It tests whether legal, finance, communications, investor relations, and compliance can coordinate without losing the record.

This is exactly the kind of moment when the DOJ’s Evaluation of Corporate Compliance Programs is relevant, even outside an enforcement action. The central question is familiar: is the program well-designed, adequately resourced, empowered to function, and working in practice? In M&A, that means the compliance function should understand how deal governance intersects with disclosure controls, third-party risk, regulatory commitments, document preservation, and post-closing integration.

The Larger Lesson

The WBD bidding war shows that corporate governance is not theoretical. It is operational. A superior proposal clause is not just legal drafting. A termination fee is not just a financial number. A proxy supplement is not just a filing. Each is a control point. The companies that manage these moments well do three things. They make decisions through disciplined processes. They document the basis for those decisions in real time. They align governance, legal, finance, disclosure, and compliance before the crisis point arrives.

Practical Takeaways for Compliance Professionals

  1. Major transactions require evidence discipline from day one.
  2. Disclosure controls must be ready before a rival bidder appears.
  3. Termination fees and regulatory commitments should be treated as governance issues, not simply deal terms.
  4. Board minutes and waiver records must tell the fiduciary story.
  5. Compliance should have a seat at the broader transaction control table, especially when regulatory, third-party, data access, communications, and post-closing integration risks are implicated.

That is the lesson for every CCO. You may not be running the auction, but your program should help the company prove that it made decisions with integrity, evidence, and accountability.

May the Controls Be With You: Compliance Lessons from Star Wars: Episode IV – A New Hope

Every May 4, the business world pauses, smiles, and says, “May the Fourth be with you.” For compliance professionals, that phrase carries more than nostalgia. It can also remind us that every organization faces a recurring struggle between power and accountability, command and control, culture and fear, risk and resilience.

Star Wars: Episode IV – A New Hope is not simply a space adventure. It is a story about governance failure, ethical courage, institutional blindness, weak controls, overconfidence, and the power of a small group committed to a mission larger than themselves. In other words, it is fertile ground for the modern compliance professional.

The Galactic Empire had scale, resources, technology, command authority, and a massive enforcement apparatus. What it lacked was ethics, accountability, transparency, and trust. The Rebel Alliance had far fewer resources, but it had purpose, shared values, disciplined intelligence, and a willingness to challenge a system that had become corrupt at its core.

That is the compliance lesson. Size is not strength if governance fails. Technology is not protection if culture is broken. Authority is not leadership if fear replaces trust. And no control environment is effective if the people inside the system are afraid to speak, unwilling to escalate, or conditioned to obey without question.

The Empire as a Case Study in Governance Failure

The Empire offers a powerful example of what happens when power operates without accountability. Its leadership model is command-driven, opaque, and fear-based. Decisions flow from the top, dissent is punished, and risk information is filtered through hierarchy rather than tested through independent challenge.

This is not a sustainable operating model for any corporation. It may produce short-term compliance with directives, but it does not produce ethical performance. Employees may follow orders, but they will not raise concerns. Managers may execute instructions, but they will not challenge flawed assumptions. Leaders may believe they are in control, but they are really operating inside an echo chamber.

That is a classic governance breakdown. Under the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), prosecutors ask whether compliance has adequate authority, access, and resources. They also ask whether the company’s culture encourages ethical conduct and whether employees can report concerns without fear of retaliation. The Empire would fail that test before the first audit interview began. A culture of fear is not control. It is a risk multiplier.

The Death Star and the Danger of Overconfidence

The Death Star is the ultimate symbol of institutional overconfidence. It is massive, technologically advanced, expensive, and terrifying. It is also vulnerable because its designers and leaders failed to take a critical weakness in the system seriously.

For compliance professionals, this is a familiar issue. Organizations often build impressive frameworks: policies, systems, committees, dashboards, training platforms, risk registers, and reporting structures. Yet one untested assumption, one ignored warning, one undocumented exception, or one poorly monitored third party can create a vulnerability that undermines the entire program. The lesson is not that complexity is bad. The lesson is that complexity must be tested.

A compliance program cannot be judged solely by its architecture. It must be judged by whether it works in practice. Do controls operate as designed? Are exceptions reviewed? Are risk assessments updated? Are third-party red flags escalated? Are investigations tied to root cause analysis? Are lessons learned incorporated back into the program? The Death Star failed because its leadership confused scale with effectiveness. Compliance leaders should never make the same mistake.

Princess Leia and the Importance of Speak-Up Culture

Princess Leia is one of the great figures to speak up in popular culture. She sees the Empire’s reality clearly, acts with courage, preserves critical information, and refuses to be intimidated by power. In a corporate setting, she represents the employee, executive, or compliance professional who raises a concern when the organization would rather look the other way. She also reminds us that a speak-up culture is not built by having a hotline. It is built by protecting those who use it.

A company can have a hotline, a Code of Conduct, annual training, and posters in every break room. None of that matters if employees believe reporting will lead to retaliation, career damage, isolation, or indifference. The real measure of a speak-up culture is whether people trust the system enough to use it before a problem becomes a crisis. Leia’s courage mattered. But in a corporation, courage should not be the only control. The system itself must make reporting safe, trusted, and effective.

Obi-Wan Kenobi and the Role of Ethical Leadership

Obi-Wan Kenobi does not lead through fear. He leads through wisdom, restraint, discipline, and example. He understands risk. He understands history. He understands that values must be taught, modeled, and passed forward. That is the leadership lesson. Slogans do not create an ethical culture. It is transmitted through conduct. Employees watch what leaders reward, tolerate, ignore, and punish. They listen to speeches, but they believe in actions.

For boards and senior executives, this is a central compliance obligation. Tone at the top must be matched by conduct at the top. Middle management must reinforce the message. Incentives must align with ethical behavior. Discipline must be consistent. Performance pressure must not overwhelm controls. Obi-Wan understood that leadership is stewardship. Compliance leaders should view their work the same way.

Luke Skywalker and the Development of Compliance Judgment

Luke Skywalker begins as inexperienced, impatient, and uncertain. He does not yet understand the broader conflict, the risks, or his own role. Over time, he learns judgment. He listens, observes, trains, fails, and grows. That is how compliance capability develops inside a company. Employees don’t come to work knowing about conflicts of interest, third-party risk, gifts and hospitality, data governance, sanctions exposure, procurement controls, or escalation protocols. They must be trained, guided, and supported.

Effective compliance training is not a once-a-year exercise in legal coverage. It is a business process for building judgment. The goal is not simply to tell employees the rules. The goal is to help them recognize risk in real time, pause before acting, ask better questions, and escalate when necessary. Compliance is not merely knowledge. It is judgment under pressure.

Han Solo and the Third-Party Risk Lesson

Han Solo is charismatic, capable, and useful. He is also a third-party risk case study waiting to happen. He has unclear loyalties, questionable business relationships, financial pressure, and a complicated history with counterparties. Every compliance professional knows this profile. The company needs a third party because that party can get things done. The business sponsor trusts the relationship. The third party knows the market, has access to it, and can move quickly. But the risk indicators are visible: opaque ownership, unusual payment terms, reluctance to provide documentation, government touchpoints, reputation concerns, or unexplained urgency.

The answer is not to avoid all third parties. The answer is to manage them. Due diligence must be risk-based. Contracts must include compliance obligations, audit rights, and termination rights. Payment controls must be disciplined. Services must be documented. Red flags must be resolved before onboarding and monitored after onboarding. Han Solo eventually becomes aligned with the mission. In corporate life, however, hope is not a third-party control. Documentation is.

The Rebel Alliance and the Power of Mission

The Rebel Alliance wins not because it is larger, better funded, or more technologically sophisticated. It wins because it has clarity of mission, trust, shared purpose, and the ability to turn intelligence into action. That is what the best compliance programs look like at work. They are not bureaucratic overlays. They are mission-aligned business systems. They help the organization grow the right way. They identify risk earlier. They protect trust. They support better decisions. They turn values into controls and controls into evidence.

A mature compliance program should operate like the best parts of the Rebel Alliance: focused, informed, agile, disciplined, and mission-driven. It should gather information from across the enterprise, analyze risk, escalate concerns, and act before the organization faces regulatory, reputational, or operational harm. Compliance is not the department of “no.” It is the discipline of sustainable performance.

Five Key Takeaways for Compliance Professionals

  1. Fear is not a compliance culture. It may produce silence, but it will not produce trust, transparency, or early reporting.
  2. Scale is not effectiveness. A large compliance program must still prove that its controls work in practice.
  3. Speak-up systems must be trusted. Employees need safe channels, anti-retaliation protections, and confidence that concerns will be addressed.
  4. Third-party risk requires discipline. Useful intermediaries can also create serious exposure if diligence, contracts, payments, and monitoring are weak.
  5. Governance must challenge overconfidence. Boards and executives should ask hard questions about assumptions, vulnerabilities, escalation, and control testing.

Final Thought

On May 4, we can enjoy Star Wars Day. But for compliance professionals, A New Hope offers something more durable than a pop culture reference. It reminds us that ethics, accountability, controls, culture, and courage matter. The Empire had power. The Rebels had purpose. In compliance, purpose supported by controls is the real force multiplier.

May the Fourth be with you.

Isaac Newton and the Hidden Forces Behind Misconduct

Today, we conclude our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this concluding post, we consider Isaac Newton’s theorem that misconduct is rarely random.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes taught us that evidence must be examined with rigor, John Locke taught us that the system must be legitimate, and Thomas Hobbes taught us that institutions need order, Isaac Newton brings this series to its final and perhaps most powerful insight: misconduct is rarely random. Forces drive it. Pressures. Incentives. Structural weaknesses. Repeated patterns. Hidden relationships. The most mature compliance programs understand that reality and act on it.

Newton is remembered as the great scientist of motion, force, and causation. He gave the world a way to understand that observable events are often the result of underlying principles that can be identified, studied, and predicted. His work was not simply about describing what happened. It was about explaining why it happened and how the same forces might operate again. For the compliance professional, that is a profoundly useful way to think. A hotline complaint, a bribery incident, a books-and-records failure, a retaliation claim, or a control breakdown should never be seen as a one-off event. The real question is Newtonian: what forces produced this result? In a best practices compliance program, that question is the bridge from reaction to prevention.

Why Newton Matters to Compliance

Newton helps compliance professionals move beyond event-based thinking. Too often, organizations respond to misconduct by focusing only on the visible incident. Someone violated policy. Someone approved a bad payment. Someone ignored a red flag. Someone retaliated against a whistleblower. Those facts matter, of course, but they are usually only the surface expression of deeper conditions. Newton would urge us to ask what was acting beneath the surface.

Was the employee under intense sales pressure? Were performance incentives designed in a way that rewarded output but ignored process? Was a business unit growing so quickly that controls were bypassed in the name of speed? Did management tolerate workarounds because the local market was too important to slow down? Was the company relying on outdated monitoring tools in a rapidly changing business model? Were risk signals present but scattered across functions with no one connecting them?

That is Newton’s great gift to compliance. He reminds us that forces shape behavior, and if you want to reduce misconduct, you must understand and address the forces that make misconduct more likely.

The DOJ Expects Companies to Understand Causes, Not Just Outcomes

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Newtonian logic with remarkable consistency. The ECCP asks whether a company performs root cause analysis, adapts its program based on lessons learned, uses data to identify patterns, aligns incentives with ethical conduct, and can demonstrate that controls are responsive to emerging risks. These are not narrow enforcement questions. They are questions about causation.

The ECCP is not satisfied when a company says it found the bad actor and imposed discipline. Regulators want to know what the company learned. Why did the misconduct happen? Were there prior warning signs? Was the conduct enabled by poor oversight, flawed incentives, weak middle management, insufficient resources, or ineffective controls? Did the company identify those drivers and change the system? That is exactly the sort of inquiry Newton would have appreciated.

Root Cause Analysis Is Newton in Practice

If there is one place where Newton’s influence should be front and center, it is root cause analysis. In compliance, root cause analysis is the discipline of looking beyond the immediate violation to identify the pressures, structures, incentives, and system weaknesses that created the conditions for failure. This is where many companies still fall short.

A company uncovers improper payments and concludes that an employee acted dishonestly. Perhaps that is true. But Newton would ask what else was in motion. Was there a compensation model that encouraged aggressive behavior without corresponding control discipline? Were finance and compliance understaffed relative to expansion? Did business leadership send signals that revenue mattered more than process? Had similar concerns surfaced in audit findings or prior investigations? Was a third-party oversight process designed for a smaller and less risky operating model? A true root cause analysis keeps asking until the organization understands the forces at work.

Incentives Are Among the Strongest Forces in Any Organization

Newton’s framework is especially valuable when thinking about incentives. Every organization generates motion through what it rewards, measures, and celebrates. If those incentives are poorly designed, they can push employees and managers toward decisions that undermine the compliance program even when the formal policy language is sound. This is one of the most underappreciated truths in compliance.

A company may say all the right things about integrity, but if promotions, bonuses, and recognition go disproportionately to people who hit aggressive numbers regardless of how they achieved them, employees receive a different message. If managers are evaluated on speed and volume but not on control discipline, they will often treat process as friction. If local market leaders are given extraordinary flexibility without matching oversight, the organization may create precisely the pressures and blind spots that breed misconduct.

The ECCP has increasingly focused on compensation structures, clawbacks, and incentive alignment for precisely this reason. Regulators understand that culture is shaped not only by leadership’s words, but also by tangible rewards that guide daily conduct. Newton helps compliance professionals explain why this matters. Incentives are not background conditions. They are active forces inside the corporate system.

Analytics Help the Company See What the Eye Misses

A Newtonian compliance program also leverages analytics more effectively. Newton’s work showed that patterns in motion could be identified through disciplined observation and analysis. Modern compliance can do something similar. Data analytics, trend reviews, and integrated monitoring allow a company to detect patterns that an isolated human review might miss. That does not mean technology replaces judgment. It means technology can help reveal the forces and relationships that judgment must then interpret.

Consider a multinational company reviewing third-party spend, travel, and entertainment data, hotline trends, and investigation outcomes. Each data set alone may show only limited information. But when viewed together, patterns may emerge. A particular region may show above-average use of high-risk intermediaries, greater discounting, delayed documentation, and increased employee complaints about management pressure. No single data point proves misconduct. But together they may reveal a system under strain.

This is where Newton connects back to Bacon. Bacon tells us to gather evidence. Newton tells us to study how patterns and causes operate across the system. Together, they produce a compliance function that is empirical, analytical, and forward-looking.

Misconduct Is Often a Systems Failure, Not Merely an Individual Failure

One of the most valuable lessons Newton offers the compliance profession is that misconduct is frequently systemic. This does not excuse individual wrongdoing. Personal accountability remains essential. But if a company stops with personal accountability, it may miss the broader organizational truth.

An employee may make an improper payment, but the surrounding system may have made that outcome easier, more predictable, or more likely. A senior manager may retaliate against a reporter, but the broader culture may have conditioned leaders to treat bad news as disloyalty. A financial control breakdown may involve one approving official, but the deeper problem may be a long-standing tolerance for informal overrides. In each case, the misconduct event should prompt a systems review.

This is particularly important in fast-changing environments. Growth, acquisitions, digital transformation, remote work, AI deployment, and market stress all alter the forces acting on the organization. Controls designed for one operating model may not be sufficient for the next. A Newtonian compliance officer understands that governance must evolve as the system changes. The question is never just whether the policy still exists. The question is whether the underlying forces have shifted in ways the compliance program has not yet caught up to.

Newton and the Future of Compliance

Newton is particularly relevant today because the modern compliance landscape is increasingly defined by complexity. Third-party ecosystems are larger. Data flows are faster. Business models shift more quickly. AI and automated decision-making create new risks that can change over time through drift, scale, and changing use cases. In that world, static compliance is not enough. A company needs to understand how moving systems work.

This is where frameworks like NIST and ISO/IEC 42001 become useful companions to Newtonian thinking. They emphasize lifecycle governance, ongoing monitoring, documented accountability, testing, and adaptation. In the AI context, especially, the lesson is clear: a control that works on day one may not be enough on day two. Risks evolve: inputs change, vendors change, and user behavior changes. Governance must therefore be dynamic, evidence-based, and attentive to emerging forces.

The same is true across compliance more broadly. Companies cannot assume that yesterday’s control environment will manage tomorrow’s pressures. Newton teaches that motion continues unless acted upon, and in the corporate setting, that means risk patterns will continue to develop unless governance actively intervenes.

The Compliance Officer as Interpreter of Organizational Forces

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, Locke as a steward of legitimacy, and Hobbes as an architect of order, Newton casts the compliance officer as an interpreter of organizational forces. That is a sophisticated and necessary role.

The compliance officer must ask what is really driving conduct across the enterprise. Which incentives are shaping decisions? Which processes are creating blind spots? Which managers are transmitting pressure? Which data trends suggest a deeper problem? Which repeated “isolated incidents” are no longer isolated at all? Which changes in the business model have altered the risk environment without corresponding updates to governance?

Those are not merely compliance questions. They are strategic governance questions. That is why Newton is such a fitting conclusion to this series. He pulls together all that came before. Evidence matters. Rigor matters. Legitimacy matters. Order matters. But ultimately, the mature compliance program does something more. It understands how these elements interact inside a living system. It sees that misconduct does not fall from the sky. It emerges from forces that can be studied, anticipated, and changed. Isaac Newton would have understood that a well-governed institution learns to read its own motion.

Five Lessons Learned for the Modern Compliance Professional

First, misconduct is rarely random. It is usually the product of identifiable pressures, incentives, weaknesses, and structural conditions.

Second, root cause analysis must go beyond the visible event. The goal is to understand the forces that made the event more likely.

Third, incentives are among the strongest drivers of conduct. A company must align compensation, promotion, and recognition systems with ethical and compliant behavior.

Fourth, analytics and trend analysis are essential tools for seeing patterns across the system. They help the company detect pressure points before they become crises.

Fifth, the most mature compliance programs are systemic and preventive. They do not simply respond to incidents. They study the organization well enough to reduce the conditions that produce misconduct.

Closing It Out

This five-part journey through Bacon, Descartes, Locke, Hobbes, and Newton shows that the architecture of a modern compliance program is not merely legal or procedural. It is intellectual. Bacon teaches us to demand evidence. Descartes teaches us to examine it with discipline. Locke teaches us that the system must be legitimate. Hobbes teaches us that institutions require order. Newton teaches us to understand the forces that shape outcomes.

Together, they offer a powerful framework for the compliance professional, the board, internal audit, legal, and business leadership. A best practices compliance program is not simply a collection of policies. It is a way to see the organization clearly, govern it credibly, and continuously improve it. That is true today, just as it would have been revolutionary in their own time.

AI Today in 5: April 30, 2026, The Last Mile Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI drives demand for cybersecurity compliance. (Security Brief)
  2. The last mile problem in AI security. (FinTech Global)
  3. AI redefining AML. (AML Intelligence)
  4. AI driving compliance from static to living. (The National Law Review)
  5. EU AI Act reform stalling. (IAPP)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot: What Sherlock Holmes Teaches About Risk, Ethics and Investigations, on Amazon.com.

Thomas Hobbes and Why Every Compliance Program Needs Order

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider how Thomas Hobbes makes clear in his writings that no institution can function without order.

If Francis Bacon teaches that compliance must be grounded in evidence, René Descartes teaches that evidence must be examined rigorously, and John Locke teaches that a compliance system must be legitimate, Thomas Hobbes takes us to a different but equally important truth about structure. That is where Hobbes becomes surprisingly relevant to the modern corporate compliance program.

That point can sound severe to modern ears, but compliance professionals understand it instinctively. Good intentions are not enough. Strong values are not enough. Even a trusted culture is not enough. A company also needs structure, clear rules, defined authority, escalation channels, and credible enforcement. Without them, pressure, ambiguity, and self-interest will fill the vacuum.

Hobbes is often remembered for his stark view of human nature and his argument that, in the absence of a strong governing authority, disorder follows. In his political philosophy, institutions exist in part to prevent chaos, conflict, and the breakdown of shared rules. While corporations are not states and employees are not citizens in the political sense, the organizational lesson is powerful. In any complex enterprise, when roles are unclear, rules are weak, exceptions become routine, and accountability is diffuse, people will default to local incentives, personal judgment, and short-term advantage. That is a dangerous environment for compliance.

Why Hobbes Matters to Compliance

Hobbes helps us understand something that compliance officers see every day: misconduct often flourishes not simply because individuals have bad intent, but because the system around them lacks structure. When approval processes are vague, when no one knows who owns a risk, when policies are written but not operationalized, when escalation lines are uncertain, or when managers believe standards are optional if performance is strong, disorder sets in. It may not look dramatic at first. It may look like improvisation, local flexibility, or entrepreneurial speed. But over time, that disorder becomes fertile ground for misconduct. Hobbes would not have been surprised.

His philosophy begins with the recognition that interests, fears, ambitions, and competing claims drive human beings. In the absence of a framework that organizes conduct, conflict and opportunism follow. Translate that into corporate life, and the message becomes clear. Sales teams under pressure will rationalize shortcuts. Business sponsors will push third parties through onboarding if they believe control functions are merely advisory. Local managers will create informal workarounds if policies lack clear accountability. A company does not become more ethical by leaving such matters to improvisation. It becomes less governable. That is why compliance needs structure. Structure is what turns values into operations.

The DOJ Looks for Structure, Not Slogans

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Hobbesian insight throughout. Prosecutors do not simply ask whether a company talks about ethics. They ask whether the compliance function has authority, stature, autonomy, and resources. They ask who owns specific risks, how decisions are made, whether controls are implemented consistently, whether investigations are escalated properly, and whether disciplinary systems are enforced. Those are all questions about institutional order.

This is important because many organizations still overestimate the power of tone. Tone at the top matters. Culture matters. Legitimacy matters. But none of those can substitute for structure. A CEO can deliver a compelling speech about integrity. However, if the company’s third-party onboarding process is fragmented, if financial approvals can be bypassed informally, or if no one knows when a matter must be escalated to legal or compliance, then the organization has created a system in which disorder is likely.

Hobbes helps compliance professionals make this point without apology. Rules are not a sign of distrust. Controls are not bureaucratic excess. Escalation pathways are not obstacles to business. They are the architecture that prevents pressure and self-interest from overwhelming principle. The COSO Internal Controls Framework makes much the same point in a different vocabulary. The control environment, control activities, information and communication, and monitoring all depend on defined roles, clear expectations, and operational discipline. The Federal Sentencing Guidelines likewise assume that compliance requires standards, oversight, training, auditing, reporting, and consistent response. Hobbes would recognize all of that as institutional design for preventing disorder.

Policies Must Be Operational, Not Aspirational

One of the most common failures in corporate compliance is the belief that policy issuance is itself control. It is not. A policy can express a standard, but unless the company translates that standard into decision rights, workflows, approvals, and accountability, the policy remains aspirational. This is where Hobbes is especially useful. He reminds us that order is created not by declarations, but by mechanisms.

Take a gifts, travel, and entertainment policy. On paper, the policy may clearly prohibit excessive or improperly documented expenses. But the real compliance question is whether the operating system around the policy supports that standard. Who approves the expense? Is there a threshold that triggers additional review? Are government-facing interactions flagged? Is supporting documentation required before reimbursement? Are there analytics to identify unusual patterns? Are exceptions tracked? Can someone ask a friendly manager to sign off without scrutiny? If the answers are weak, the policy is weak, no matter how polished its language.

Internal Controls Are the Language of Order

If one wanted to translate Hobbes into modern corporate practice, one would end up talking about internal controls. Controls are how an organization embeds order into decision-making. They define who can do what, under what conditions, with what approvals, and with what oversight. They reduce discretion where discretion creates unacceptable risk. They separate duties so that no single actor can move money, approve vendors, or override procedures without a second set of eyes. They create documentation so that actions can be reviewed later. They make authority visible.

For compliance professionals, this is a critical point. Compliance is not merely about training people to do the right thing. It is also about designing systems that make the right thing more likely and the wrong thing harder to do. When a control breaks down, Hobbes would say that the institution failed to create sufficient order to contain foreseeable human behavior.

Escalation Is a Form of Governance

Another Hobbesian lesson for compliance is the importance of escalation. In poorly governed companies, people often know something is wrong but do not know where the issue should go, who owns the decision, or what threshold requires higher review. That uncertainty is one of the most dangerous forms of disorder because it allows time, politics, and convenience to shape the response. A mature compliance program should therefore have clear escalation pathways.

When does a third-party red flag require a compliance sign-off? When must legal be brought into an internal investigation? At what point does a matter involving senior leadership move to the audit committee or board? Who can approve an exception to policy, and what documentation must support it? Who decides whether a substantiated misconduct issue triggers broader control remediation? These are not administrative details. They are the channels through which institutional order is maintained.

The ECCP pays close attention to this issue because escalation is one of the clearest indicators of whether compliance has real authority. If important matters can be contained, softened, or rerouted informally by management, then the program is fragile. Hobbes would have recognized the danger immediately. Where the lines of authority are unclear, competing interests will rush in.

Enforcement Gives Standards Their Weight

No discussion of order would be complete without enforcement. Hobbes understood that rules without consequences are invitations to defection. The same is true in corporate compliance. A company may have excellent policies, robust training, and well-designed procedures, but if employees believe violations will be ignored, minimized, or treated selectively, the system loses force. This is where consistent discipline matters so much. John Locke helped us see discipline as a question of legitimacy and fairness. Hobbes adds a different point. Discipline is also what gives the rule structure its operational credibility. It signals that standards are real, that no one is exempt, and that the organization is willing to defend the order it has established.

This does not mean punitive excess. It means predictability and seriousness. A company should be able to explain how disciplinary outcomes are determined, how similar cases are handled, and how managers are held accountable not only for their own conduct but for the environments they create. High performers cannot be given private exemptions. Senior executives cannot be allowed to negotiate around standards. Informal workarounds cannot become tolerated customs. Hobbes would have called that a dangerous condition.

The Compliance Officer as Architect of Order

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, and Locke as a steward of legitimacy, Hobbes casts the compliance officer as an architect of order. The compliance officer helps turn principle into process. The compliance officer asks where authority sits, where decisions are made, where controls can be bypassed, where exceptions accumulate, where roles are unclear, and where escalation can fail. That work is not separate from ethics. It is one of the main ways ethics becomes operational inside a large organization.

This is especially important during periods of growth, restructuring, acquisitions, digital transformation, or market stress. Disorder often enters through change. New business lines are launched before roles are clarified. AI tools are deployed before governance is assigned. Third parties are engaged before diligence and monitoring are fully operational. Incentives are revised without understanding how they affect conduct. Hobbes reminds us that institutional order is not self-sustaining. It must be built, maintained, and defended.

Thomas Hobbes may seem like an austere companion for the modern compliance professional, but his lesson is both practical and urgent. Institutions do not drift into integrity. They require order.

Five Lessons from Thomas Hobbes for the Modern Compliance Professional

First, culture and values are essential, but they cannot substitute for structure. A company needs clear rules, defined roles, and operating discipline.

Second, policies are not controls unless they are translated into workflows, approvals, documentation, and accountability.

Third, internal controls are the mechanisms by which institutional order is embedded in business operations. They make the right behavior more likely and the wrong behavior harder to execute.

Fourth, escalation pathways are critical. Employees and managers must know when and how risk moves upward for review and decision.

Fifth, enforcement gives standards their weight. Rules without consistent consequences will eventually be overtaken by convenience and local incentives.

Coming Next: Isaac Newton and the Hidden Forces Behind Misconduct

If Thomas Hobbes teaches us why every compliance program needs order, Isaac Newton will help us understand something even deeper: misconduct is rarely random. It is produced by forces, incentives, pressures, and patterns that can be studied and addressed. In Part 5, I will explore how Newton’s systems-based way of thinking offers a powerful framework for root cause analysis, incentive review, compliance analytics, and proactive prevention. A mature compliance program does not simply respond to failure. It learns to understand the forces that make failure more likely.