Category: Blog

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject matter expertise, they must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

Category: Compliance Tip of the Day

Compliance Tip of the Day – Compliance Lessons from Frankenstein

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with concise, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we have a 5-part series on compliance lessons from the Classic Universal Movie Monsters. Today, in Part 1, we begin with the greatest of all time, Frankenstein.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Category: All Things Investigations

All Things Investigations – Navigating Tariff Compliance with Sean Reilly

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, host Tom Fox welcomes back Sean Reilly to discuss the complexities of tariffs under the current administration.

Their conversation highlights the dynamic nature of tariff regimes, the importance of maintaining compliance, and the risks of tariff evasion. Sean provides insights into creating effective tariff compliance programs, the potential for False Claims Act liabilities, and the critical role of commercial sense in assessing tariff changes. The episode also touches on enforcement priorities and the strategic importance for boards of directors to remain vigilant about tariff-related risks. As the discussion moves towards the evolving landscape leading into 2026, Sean emphasizes the importance of staying informed and prepared for ongoing tariff regulations.


Highlights include:

  • Compliance and Enforcement in Tariff Management
  • Commercial Sense in Tariff Decisions
  • Board Oversight and Tariff Compliance
  • Future of Tariffs and Compliance Going Forward

Resources:

Hughes Hubbard & Reed Website

Sean Reilly

Category: FCPA Compliance Report

FCPA Compliance Report – Middle Managers Are the Key – Evie Wentink’s Evolution in Compliance

Join Tom Fox as he welcomes Evie Wentink back to the FCPA Compliance Report. Evie shares her journey from a compliance professional to an innovator in the field, discussing her unique approach to compliance training and the role of middle managers. With nearly two decades of experience, Evie has transformed her career by leveraging social media to create engaging content that inspires compliance professionals worldwide. Discover how Evie’s innovative strategies are reshaping the compliance landscape and learn about her new venture, Ethical Edge Experts LLC.

Key takeaways:

– 🌍 Embrace change and see the world beyond your keyboard.

– 💡 Innovation in compliance through social media and engaging content.

– 🏢 The critical role of middle managers in compliance programs.

– 📚 The importance of continuous learning and professional growth.

– 🎯 Selling compliance by making it personal and relatable.

Key highlights:

  • Embracing Change and Innovation
  • Training and the Role of Middle Managers
  • Bridging the Gap in Compliance Perspectives
  • Utilizing Social Media for Compliance Engagement
  • The Importance of Being Coachable
  • Ethical Edge Experts LLC

Resources:

Evie Wentink

🔸 LinkedIn: Evie Wentink

🔸 Consulting Firm: Ethical Edge Experts

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Category: 10 For 10

10 For 10: Top Compliance Stories For the Week Ending September 27, 2025

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • A RadioShack Ponzi scheme. (Bloomberg)
  • Former French President Sarkozy received a 5-year sentence. (BBC)
  • Healthcare compliance, the FCA, and AKS. (Reuters)
  • Do you fantasize about leaving compliance? (EFinancialCareers25)
  • Amber Energy wins CITGO auction. (Reuters)
  • DOJ shuts down bribery investigation of Homan. (HuffPost)
  • Two former Haitian officials were designated for bribery. (DOJ Press Release)
  • Singapore execs found guilty in Wirecard fraud. (FT)
  • Air India crash victims sue Boeing, Honeywell. (BBC)
  • Vietnam jailed a Parliamentary official for corruption. (Bloomberg)

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.


You can purchase a copy of my new book, Upping Your Game, on Amazon.com

Category: Creativity and Compliance

Creativity and Compliance – Using Creativity to Market Compliance

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on the award-winning Creativity and Compliance. Ronnie’s company, Learning and Entertainment, leverages the entertainment devices people use to consume information in their everyday, non-work lives and applies them to important topics related to compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

Today, Tom and Ronnie discuss the importance of addressing the marketing and PR issues in ethics and compliance programs in this episode of ‘Creativity and Compliance.’ Ronnie introduces his new white paper titled ‘Ethics and Compliance has a Marketing and PR Problem,’ emphasizing the need to revamp compliance programs by adopting marketing strategies. Key strategies discussed include creating a positive brand identity, gaining and maintaining attention, building and nurturing relationships, leveraging influencer status, and measuring the right metrics. Examples and anecdotes illustrate these concepts and practical applications.

Key highlights:

  • Marketing and Compliance: A New Approach
  • Creating a Voice Identity and Brand
  • Gaining and Maintaining Attention
  • Building and Nurturing Relationships
  • Becoming an Influencer
  • The Importance of Measurement

Resources:

Ronnie

Tom


Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Category: AI Today in 5

AI Today in 5: September 26, 2025, The Of Mice and AI Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • India and Venezuela sign AI pact. (Coingeek)
  • Little difference between the neural networks of mice and AI. (TechXplore)
  • xAI snags the US government. (NYT)
  • 85% of execs expect compliance gains with AI. (PYMNTS)
  • AI could accelerate clinical gains. (MIT News)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Category: Compliance Tip of the Day

Compliance Tip of the Day – The Mock Audit

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we have a 5-part series on audits adjacent to compliance, and today, in this concluding Part 5, we consider the Mock Audit.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.

Category: Daily Compliance News

Daily Compliance News: September 26, 2025, The Quantum Trading Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top stories include:

  • A RadioShack Ponzi scheme. (Bloomberg)
  • Former French President Sarkozy received a 5-year sentence. (BBC)
  • Healthcare compliance, the FCA, and AKS. (Reuters)
  • Quantum trading on the bond market. (FT)

Category: Blog

Cybersecurity Oversight at the Boards

Cybersecurity risk is no longer a back-office IT issue. It is a board-level governance priority, a regulatory compliance challenge, and a reputational minefield. From ransomware attacks to regulatory enforcement actions, the stakes have never been higher. An article in the Harvard Law School Forum on Corporate Governance, titled “Risk Management and the Board of Directors,” reviewed the NACD’s 2025 survey, which showed that over three-quarters of boards now discuss the material and financial implications of cyber incidents. While that is progress, awareness alone is not enough.

For compliance professionals, the message is unmistakable: cybersecurity oversight is now a central pillar of governance. In this post, I will explore the evolving regulatory landscape, lessons from enforcement actions, and practical steps compliance teams can take to help boards discharge their responsibilities effectively.

A National Priority with Global Reach

Cybersecurity has moved to the top of national agendas. The Biden Administration’s 2023 National Cybersecurity Strategy set the tone, and the Trump Administration’s 2025 Executive Order reinforced it, emphasizing protections against foreign cyber threats and secure technology practices. But this is not just a U.S. issue. The EU’s GDPR, California’s CCPA, Virginia’s CDPA, and Illinois’s biometric data laws all impose sweeping obligations with high-stakes enforcement. Settlements under Illinois’s biometric privacy law alone have reached into the hundreds of millions.

For compliance professionals, this expanding patchwork of regulation means that cyber oversight cannot be siloed by geography or business unit. Boards must ensure management understands and complies with both domestic and international requirements.

The SEC Steps into the Spotlight

If boards needed any reminder of their cyber responsibilities, the SEC has provided it. In 2023, the SEC finalized disclosure rules requiring companies to report material cyber incidents on Form 8-K within four business days (subject to limited delays approved by the Attorney General). Companies must also disclose in their 10-Ks their processes for identifying and managing cyber risks, the material impacts of prior incidents, and, critically, the board’s role in oversight.

The SEC has coupled disclosure mandates with enforcement actions. From Robinhood in 2025 (failure to implement identity theft protections) to SolarWinds in 2023 (alleged fraud and internal control failures), to Blackbaud’s ransomware misrepresentations and Morgan Stanley’s vendor monitoring failures, the Commission is signaling that cyber lapses are securities law violations. The key takeaway for compliance is that disclosures must be accurate, controls must be effective, and boards must demonstrate active oversight. Anything less may well invite regulatory scrutiny.

DOJ, FTC, and State Regulators Join In

The SEC is not alone. The DOJ has used the False Claims Act to address software vulnerabilities sold to government agencies. The FTC has pursued cases against GoDaddy and other providers for failing to implement adequate protections. The New York Department of Financial Services (NYDFS) has enforced its prescriptive cybersecurity rules since 2019, with actions as recent as August 2025. And globally, regulators like Ireland’s Data Protection Commission have issued blockbuster fines, such as the €530 million penalty against TikTok for unlawful data transfers.

The compliance implication is clear: multi-layered enforcement is now the norm. Cybersecurity and data privacy risks span agencies, jurisdictions, and statutes. Boards must assume that regulators will coordinate, cross-reference, and pursue failures aggressively.

Frameworks That Matter

With enforcement risk high, companies need a structured approach. The National Institute of Standards and Technology (NIST) framework has become the de facto benchmark, with its five core functions: identify, protect, detect, respond, and recover. Both the SEC and FTC endorse it, and boards should expect management to benchmark their programs against it.

At the governance level, the NACD’s Director’s Handbook on Cyber-Risk Oversight and guidance from the Cybersecurity & Infrastructure Security Agency (CISA) provide clear expectations: boards should not manage cyber risk, but they must oversee management’s handling of it.

Lessons from Enforcement Actions

Every enforcement case tells a story, and compliance professionals should use these as teaching tools:

  • Vendor Oversight Matters – Morgan Stanley’s failure to monitor vendors exposed data from 15 million customers. Boards must ensure that vendor cyber risk is integrated into their oversight.
  • Accurate Disclosures Are Non-Negotiable – SolarWinds and Blackbaud faced allegations of misrepresentation around breaches. Boards must verify that management’s cyber disclosures are truthful and complete.
  • Controls Must Be Tested – Robinhood’s identity theft control failures remind us that having policies on paper is not enough. Boards should require evidence that controls work in practice.

Practical Steps for Compliance Professionals

So how can compliance officers help boards meet their obligations in this complex cyber landscape? Four steps stand out:

1. Educate and Engage the Board

Boards need ongoing, tailored education on cyber risks. Compliance should arrange regular briefings from CISOs, external experts, and regulators. This ensures directors can ask informed questions and challenge management effectively.

2. Strengthen Incident Response Preparedness

An incident response plan is only as strong as its execution. Compliance must test plans through tabletop exercises, ensure disclosure obligations are understood, and coordinate with law enforcement and advisors. Boards should be briefed on lessons learned after every drill or real incident.

3. Integrate Cyber Risk into Enterprise Risk Management

Cyber risk cannot be isolated from strategy, finance, and operations. Compliance should help boards see cyber threats as part of enterprise risk management, aligned with business goals and resilience planning.

4. Monitor Third-Party and Supply Chain Risk

Vendors, cloud providers, and contractors are often the weak link. Compliance should implement due diligence, ongoing monitoring, and contract requirements that address cyber obligations. Boards should receive visibility into these risks and the company’s mitigation strategies.

Why This Matters for Boards and Compliance

Cybersecurity is not just an IT challenge; it is a governance imperative. Regulators, courts, and investors expect boards to demonstrate active, documented oversight. For compliance professionals, the mandate is to help boards meet that expectation with clarity, structure, and evidence.

The reality is stark: a single breach can devastate a company’s reputation, stock price, and stakeholder trust. But boards that embrace active oversight, guided by compliance professionals, can transform cybersecurity from a vulnerability into a competitive advantage.

Final Thoughts

The cyber landscape is evolving faster than most organizations can keep pace with. But boards do not have the luxury of waiting. As recent regulations and enforcement actions demonstrate, oversight failures will be punished, sometimes harshly.

For compliance professionals, this is both a challenge and an opportunity. By educating boards, strengthening incident response, integrating cyber into enterprise risk, and addressing third-party exposures, compliance can elevate its role from policy enforcer to strategic partner.

The bottom line: Cybersecurity oversight is no longer optional. It is the frontline of governance, and compliance professionals are the essential guides helping boards navigate it.