Categories
Blog

Why Every Company Needs a Corporate Relationships Policy

The Coldplay Concert and University of Michigan-Sherrone Moore imbroglios about consensual relationships introduced multiple issues for the compliance professional. While many saw them as romantic issues, others viewed them as corporate governance issues. Corporate compliance professionals spend a great deal of time talking about tone at the top, culture, and ethical leadership. Yet many organizations continue to ignore one of the most predictable sources of ethical failure, litigation exposure, and cultural rot: unmanaged workplace relationships.

Let me be clear at the outset. A corporate relationships policy is not about policing romance, friendship, or personal lives. It is about managing power, influence, and risk. If your organization has people, hierarchies, incentives, and decision-making authority, then you already have relationship risk. The only real question is whether you are managing it or pretending it does not exist.

The DOJ has been consistent on one point in the ECCP. Risks must be identified, assessed, and addressed in a way that reflects how the company actually operates. Relationships are part of how companies operate. Ignoring them is not cultural sensitivity. It is a governance failure.

Relationships Create Risk When Power Is Involved

Not all workplace relationships are problematic. The risk arises when one person can influence another’s pay, promotion, performance evaluation, assignments, or career trajectory. That is where favoritism, coercion, retaliation, and conflicts of interest live.

In enforcement actions, civil litigation, and internal investigations, I have seen the same fact pattern repeated again and again. A relationship is known. No controls are put in place. A complaint is made months or years after the incident. Suddenly, the organization is explaining to regulators, plaintiffs’ lawyers, and the board why it failed to act despite having notice. A corporate relationships policy forces the organization to confront a simple but uncomfortable truth: disclosure alone is meaningless unless it triggers action.

Disclosure Without Structure Is Theater

Many companies comfort themselves with a disclosure requirement that sounds reasonable on paper. Employees are told to disclose relationships, conflicts, or personal connections. After that, very little happens. From a compliance perspective, this is theater, not control.

A mature corporate relationships policy answers several follow-up questions, including “Then what?”, “Who reviews the disclosure?”, “How quickly must influence be removed?”, “What interim controls apply?”, and “How is compliance documented and monitored?”

Without these answers, disclosure becomes a liability. It creates notice without mitigation. Regulators do not reward that. Courts do not forgive it.

Culture Is Permanently Damaged When Employees Believe the System Is Rigged

One of the most corrosive effects of unmanaged relationships is the cultural one. Employees notice who gets promoted, who gets protected, and who gets opportunities. When relationships appear to trump merit, trust collapses.

This is where a corporate relationships policy becomes a culture document, not merely a legal one. A clear, consistently applied policy sends a powerful message: decisions will be made fairly, transparently, and without hidden influence. When employees believe the system is fair, they report concerns earlier, cooperate with investigations, and remain engaged. When they do not, they disengage or go external. Neither outcome is good for the organization.

Boards and Regulators Expect Speed, Not Intentions

Modern compliance is measured by response time and effectiveness, not good intentions. When a relationship presents a risk, the organization must act quickly to separate influence. That means changing reporting lines, removing decision authority, or imposing interim controls while structural changes are made.

A corporate relationships policy establishes clear timelines, ownership, and accountability. It gives managers a clock, not discretion. It provides a measurable compliance metric to report to the board. It gives the organization defensibility when regulators ask what happened and when it happened. The absence of such a policy almost guarantees inconsistent handling. Inconsistent handling almost guarantees enforcement risk.

This Is Not an HR Policy; It Is a Governance Control

One of the most common mistakes companies make is treating relationships as purely an HR issue. That framing is outdated and dangerous. Relationships intersect with bribery risk, conflicts of interest, retaliation, and abuse of authority. Those are compliance and governance issues. A corporate relationships policy should be owned jointly by compliance, legal, and human resources, with board-level visibility. It should be integrated into investigations, promotions, succession planning, and risk assessments. Anything less is siloed thinking.

The Bottom Line

A corporate relationships policy does three things that every effective compliance program must do. It:

  1. Identifies a risk that everyone knows exists but few want to name.
  2. Forces timely action instead of passive disclosure.
  3. Protects culture by reinforcing fairness and accountability.

If your organization does not have a clear, enforceable corporate relationships policy, you do not have a blind spot. You have a known vulnerability. And known vulnerabilities are exactly what regulators expect compliance professionals to address. That is not about being intrusive. It is about being responsible.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 4 – Building Effective Data Analytics Programs for Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. On Day 4, this episode focuses on defining the specific risks an organization wants to monitor, capturing relevant data creatively, and leveraging internal expertise to build effective data analytics programs.

Key highlights:

  • Defining and Identifying Risks
  • Innovative Data Capture and Internal Collaboration
  • Demonstrating Value to Senior Management

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 2 – The ECCP on Incentives, Consequences, and Clawbacks

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. Today, we look at what the ECCP has to say on incentives, consequences, and clawbacks.

Key highlights:

  • Starting with Incentives and Consequences
  • Incentive Program Breakdown
  • Consequence Management Deep Dive

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
FCPA Compliance Report

FCPA Compliance Report-Episode 789 – Reinventing Compliance in 2026: Insights and Strategies with Daniel Zmak

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom welcomes Daniel Zmak, Senior Director of Product Marketing at Diligent, to discuss the evolving landscape of compliance.

They explore the importance of modernizing compliance practices, addressing challenges like fragmentation and fatigue, and leveraging AI and technology to enhance efficiency. Key topics include the compliance maturity journey, connected compliance, and strategies for improving governance and oversight. With actionable insights and practical advice, this session aims to guide compliance professionals through the dynamic changes in the field.

Highlights Include

  • Highs, Lows, and Surprises in Compliance
  • Compliance at an Inflection Point
  • The Compliance Maturity Journey
  • Fragmentation and Fatigue in Compliance
  • Connected Compliance: The Concept, Benefits and Future
  • AI in Compliance: Opportunities and Challenges
  • Dynamic Compliance Programs

Resources

Daniel Zmak on LinkedIn

Diligent Website


Categories
Compliance Tip of the Day

Compliance Tip of the Day – Investigative Challenges

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week we have considered issues relating to your internal investigations. Today we conclude with a review of some investigative challenges you may face.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Categories
AI Today in 5

AI Today in 5: December 19, 2025, The Project Vend Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, I will bring to you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee and listen in to the AI Today In 5. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest about AI.

  1. Does the Trump EO on AI represent a framework or simply nothing? (America’s Credit Unions)
  2. Increasing need for AI awareness of regulatory requirements. (Wane15)
  3. Compliance AI needs humans. (FinTechWeekly)
  4. Smart AI hiring. (Law.com)
  5. What happens when AI runs the vending machine? (WSJ)

For more information on the use of AI in Compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Blog

A Merry (Compliance) Christmas and Tribute to Jim McGrath

Ed. Note: Jim McGrath was a great friend and a trusted colleague who passed away in 2014. As a tribute to McGrath and for Christmas this year, I submit the post below for your enjoyment, which initially appeared on McGrath’s Internal Investigations Blog on December 24, 2012.

The allegations under investigation involve gifts given by individual businessmen to the family of an Israeli government official several years ago. These businessmen, Mr. Balthasar, Mr. Gaspar, and Mr. Melchior, supposedly provided a family in the royal line of King David with significant gifts, including gold, frankincense, and myrrh, in return for favorable consideration of an as-yet undetermined project in the Middle East.

The three men are believed to be third-party intermediaries for many Christian church organizations in the United States, and, if verified, any jurisdictional nexus would appear to be based on this fact.

Whether any family member who received the gifts was or is a “government official”—as the DOJ has expansively defined that term—is unverified but likely. While Transparency International’s Corruption Perceptions Index does not list them in its annual rankings, a large body of other sources appears to establish one or more of them as linked to the ruling family in Israel.

Regardless of the strength of the government’s case in these respects, there remains the hurdle posed by the age of the alleged violations. They are reported to have occurred approximately 2,012 years ago. The DOJ could be expected to assert that the clock did not begin to run until the government recently became aware of Balthasar’s, Gaspar’s, and Melchior’s conduct. However, there appears to be a strong argument that voluntary self-disclosure occurred some time ago, thereby commencing the statutory period’s running and its expiration.

I hope you and your family have a wonderful Holiday Season and Merry Christmas.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Your Investigative Team

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week we continue our consideration of issues relating to your internal investigations. Today we consider who should be on your investigative team.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Categories
Blog

Michigan Man, Part 4 – Lessons Learned: What This Crisis Teaches Compliance Professionals

Every major compliance failure eventually reaches the same destination: a moment when leadership says, “How did we not see this coming?” The answer is almost always the same. The warning signs were visible. They were rationalized, minimized, or overridden in the name of performance, continuity, or institutional pride.

The Sherrone Moore crisis at the University of Michigan is not a college football anomaly. It is a case study in how compliance programs fail when they are structurally subordinated, culturally discounted, or selectively enforced. For compliance professionals, the value of this case lies not in outrage but in extraction: extracting lessons that can be operationalized before the next crisis unfolds.

Lesson 1: Compliance Authority Must Be Structural, Not Aspirational

Michigan’s experience demonstrates that access to leadership is meaningless without authority. The compliance function may have been consulted, investigations commissioned, and policies in place. None of that mattered when the athletic department retained de facto control over outcomes. For compliance professionals, the lesson is clear. Compliance must have defined escalation rights and veto authority over high-risk decisions, including promotions, discipline, and crisis response. If a business unit can override compliance based on performance or legacy, compliance is not independent. It is decorative.

The Department of Justice has repeatedly emphasized that effective compliance programs require empowered compliance functions. That empowerment must be written into governance documents, reinforced by boards, and tested in practice.

Lesson 2: Past Dishonesty Is a Permanent Risk Factor

One of the most glaring failures in this case was the organization’s willingness to treat Moore’s prior dishonesty during the sign-stealing investigation as a closed chapter. It was not. It was predictive. Compliance professionals must internalize a hard truth: once credibility is damaged, it does not reset. Individuals who have lied to investigators, deleted records, or misrepresented facts should never again be treated as presumptively reliable. Enhanced monitoring, corroboration, and scrutiny are not punitive. They are risk management.

Organizations that ignore this lesson inevitably relearn it at a higher cost.

Lesson 3: Promotions Are Compliance Decisions

The elevation of Moore to head coach was framed as a football decision. In reality, it was one of the most consequential compliance decisions the university made.

Any promotion into a role with significant authority, visibility, and discretion is a compliance event. Risk-based due diligence should include:

  • Review of prior investigations and disciplinary history
  • Assessment of truthfulness and cooperation during past inquiries
  • Evaluation of behavioral and reputational risk, not just technical violations

In corporate terms, Michigan promoted an executive with unresolved compliance issues and a clear lack of ethical grounding into a CEO-equivalent role. That decision alone dramatically increased institutional risk. But the consequences will reverberate for a long time to come.

Lesson 4: Investigations Involving Power Imbalances Require Heightened Standards

The initial investigation into Moore’s relationship with a staffer failed predictably. When both parties denied the relationship and the evidence was limited, the inquiry stalled. That outcome reflects a misunderstanding of power dynamics. Compliance professionals know that power imbalance distorts disclosure. Subordinates may deny relationships out of fear, loyalty, or uncertainty. Senior leaders may deny wrongdoing out of self-preservation. Effective investigations account for this reality by expanding evidence collection, conducting pattern analysis, and implementing interim safeguards.

Neutrality is not passivity. When allegations involve senior leadership, the standard of diligence must rise, not fall.

Lesson 5: Star Performers Are the Highest-Risk Population

One of the most enduring myths in organizational life is that high performers deserve flexibility. In reality, they deserve even greater scrutiny. Star performers operate with autonomy, influence culture, and often shape informal norms. Moore’s trajectory illustrates how repeated exceptions create a sense of entitlement. Each time misconduct is reframed as survivable, the individual learns that boundaries are negotiable. Compliance professionals must relentlessly resist this dynamic.

Rules applied selectively are not rules. They are invitations.

Lesson 6: Pattern Risk Demands Pattern Response

Perhaps the most damning aspect of the Michigan case is that it unfolded amid repeated scandals within the athletic department. When misconduct clusters, the correct response is not incremental fixes. It is a structural intervention. Compliance professionals must recognize pattern risk early and escalate it aggressively. That escalation should include:

  • Enterprise-wide risk assessments
  • Cultural diagnostics
  • Leadership accountability reviews
  • Board-level engagement

Waiting for the next incident is not caution. It is abdication.

Lesson 7: Culture Is Set by What Leadership Tolerates

Michigan’s long-standing deference to athletic success and legacy culture created an environment where misconduct was rationalized rather than confronted. This is not unique to sports. It appears in sales-driven organizations, founder-led companies, and high-growth environments. Culture is not what leadership says. It is what leadership allows. From the Board of Regents to the UM President on down, compliance professionals must evaluate actions, not rhetoric, when assessing culture risk.

Lesson 8: Human Impact Is the Ultimate Compliance Metric

It is easy, especially for lawyers and compliance officers, to focus on policy breaches and enforcement exposure. The Moore crisis is a reminder that compliance failures produce human harm. Families are destabilized. Employees feel unsafe. Stakeholders lose trust. Effective compliance programs exist not only to prevent fines but also to prevent damage. When that purpose is forgotten, compliance becomes performative.

Final Thought: Compliance Is Tested at the Top

The Sherrone Moore crisis did not originate with a junior employee. It originated at the top of a powerful institution. That is where compliance programs are always tested. For compliance professionals, the final lesson is this: if your program cannot stop, slow, or surface misconduct by your most powerful leaders, it will eventually fail when it matters most.

The University of Michigan now faces years of rebuilding trust, governance, and credibility. Compliance professionals elsewhere should treat this case as a warning, not a curiosity. The cost of ignoring these lessons is never hypothetical. It is only deferred. This takeaway is stark but actionable. Compliance failures are rarely a surprise. They are choices made over time. The question for every compliance professional is whether those choices will be challenged early or explained later.

As always, prevention is less visible than a crisis. It is also far less costly.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking—Austin Meek and Sam Jane writing in The Athletic.

Fire Everybody—Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Selection of Investigative Counsel

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week we are considering issues relating to your internal investigations. Today we review your decision on the selection of your investigative counsel.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.