Categories
Blog

Speed as a Compliance Decision: Lessons from Amazon’s Andy Jassy

When Andy Jassy succeeded Jeff Bezos as CEO of Amazon in 2021, many questioned whether the company could maintain its legendary momentum. Four years later, Jassy has not only sustained but accelerated growth, adding more than $230 billion in revenue, expanding AI initiatives, and reinventing the management culture of one of the world’s most complex enterprises. That is why I was intrigued by a Harvard Business Review (HBR) article entitled “Speed Is a Leadership Decision,” in which Adi Ignatius interviewed Andy Jassy.

For compliance professionals, Jassy’s insights about speed, risk, culture, and innovation offer timely lessons. Too often, compliance leaders fall back on the excuse that “we’re too big, too regulated, too constrained to move quickly.” Jassy flips that script: speed, he insists, is a leadership decision. And the same is true for compliance.

Today, we look at five key lessons compliance professionals can draw from Jassy’s leadership playbook.

1. Speed Is a Leadership Decision

Jassy bluntly states that “speed disproportionately matters in every business at every time.” He challenges leaders to stop accepting bureaucracy and regulation as excuses. Instead, leaders must actively identify and remove barriers, empowering teams to act with urgency.

For compliance professionals, the lesson is clear: do not let the weight of regulations, policies, or oversight structures become a drag on effectiveness. Yes, compliance requires controls, documentation, and approvals, but every one of those has a clock running on it. Think of third-party due diligence reviews, hotline triage, or incident investigations. When compliance moves slowly, it signals indifference or ineffectiveness, and risks fester.

The decision to prioritize speed, backed by streamlined processes, real-time monitoring, and empowered teams, can transform compliance from a bureaucratic bottleneck into a proactive partner to the business.

2. Risk-Taking and Failure Are Essential to Innovation

Jassy observes that as companies grow, they tend to become risk-averse. Achievement-oriented professionals “play not to lose” rather than take chances. He emphasizes that the only way to build something truly unique is to take risks, make mistakes, and learn from them. Compliance teams face this challenge daily. The instinct is to avoid risk entirely, to say “no” rather than take a chance. But compliance innovation, whether adopting AI for monitoring, piloting new training formats, or embedding compliance into business processes, requires taking calculated risks. This means that risk management strategies must be implemented, monitored, and updated as necessary.

Failure in compliance is not about missing a regulatory requirement. It is about learning that a new process does not resonate with employees, or a monitoring tool generates too many false positives. Leaders should create safe zones for experimentation. If you never fail, you are not pushing hard enough. Compliance innovation must be iterative, and tolerance for small, recoverable failures is the price of true progress.

3. Flattening Bureaucracy Fuels Accountability

Jassy highlights Amazon’s initiative to flatten its organization and empower individual contributors. By increasing the ratio of builders to managers, reducing layers of decision-making, and encouraging employees to own “two-way-door decisions” (choices that can easily be reversed), Amazon streamlined processes and accelerated innovation.

Compliance functions are often drowning in pre-meetings and approval chains. A compliance officer identifies a risk, drafts a recommendation, and waits while three levels of committees review it. Meanwhile, the risk festers. The compliance profession should adopt Jassy’s model: empower frontline employees to make two-way-door decisions in real time. For example, a compliance manager in Brazil should have the authority to pause a suspicious vendor engagement without waiting for headquarters. Flattening decision-making structures creates accountability, agility, and credibility. Compliance must adopt a builder’s mindset: see the problem, fix the problem, move forward.

4. Culture Must Be Reinvented Continuously

“Culture is not our birthright,” Jassy warns. As companies scale, their culture stretches and must be deliberately reinforced. At Amazon, this means reasserting ownership, accountability, and a customer-centric approach, even as new layers of management emerge. For compliance professionals, this is a powerful reminder: culture is not static. A “speak-up” culture may flourish in year one and decay by year five if it isn’t nurtured. New geographies, acquisitions, and technologies stretch corporate culture in unpredictable ways.

The compliance function must continuously assess cultural health: are employees still raising concerns? Do managers still model ethical behavior? Are incentive structures still aligned with compliance values? A strong compliance culture requires constant reinvention: new training, new channels, new metrics; so that employees see it as living and evolving, not stale or perfunctory.

5. AI, Innovation, and Responsibility Must Go Hand in Hand

Jassy views AI as the biggest transformation since the internet, with the power to reinvent every customer experience. He emphasizes that progress is inevitable, so leaders must focus on using AI responsibly and productively.

Compliance professionals face the same dual imperative. On the one hand, AI tools, such as automated transaction monitoring, predictive analytics, and natural language chatbots, can make compliance faster, smarter, and more effective. On the other hand, AI introduces new risks, including bias, opacity, privacy breaches, and increased regulatory scrutiny.

The compliance leader’s role is not to resist AI but to guide its responsible adoption. Establish AI governance frameworks. Ensure transparency and explainability. Audit data inputs and outputs. Partner with business units to embed compliance guardrails into AI development. If compliance can keep pace with AI’s speed while safeguarding ethics, it will become indispensable to the business.

Compliance at the Speed of Leadership

Andy Jassy’s mantra, “speed is a leadership decision,” rings true far beyond Amazon. For compliance professionals, it reframes the mission. Compliance does not require slow responses, being bureaucratic, or being risk-averse. (Always remember, you do not have brakes on a car to drive slowly; instead, you have brakes on a car to drive fast.) Leaders can choose speed by empowering their teams, flattening the decision-making process, fostering a culture of ownership, tolerating smart failures, and embracing technology responsibly.

The stakes are high. Compliance must move at the same speed as the business, not the other way around. Regulators expect swift detection and remediation. Employees expect rapid answers to ethics and compliance questions. Boards expect real-time risk visibility. Compliance that lags will be seen as irrelevant or ineffective.

The lesson from Amazon’s Jassy is that compliance speed is not about cutting corners. It is about clarity of leadership, empowerment of people, and continuous cultural reinvention. In an era of accelerating technology and mounting risk, compliance professionals must embrace speed as a core leadership choice.

Categories
Blog

Agentic AI, Data Discipline, and Cross-Functional Governance: Compliance Insights for the Modern Era

As compliance professionals, we often inherit the boundaries that IT, Legal, and Security established long before we arrived. But what happens when those lines are out of date? I recently had a far-ranging conversation with cybersecurity author and educator Robert Meyers, who has spent more than three decades transitioning from “plain IT” to a world where cybersecurity and privacy have become distinct, high-impact disciplines. He explains why the old map no longer matches the terrain. Meyers’ vantage point spans early dial-up remote access fiascos, modern breach response, philosophical differences between U.S. and EU privacy regimes, and the tidal shift that agentic AI is bringing to accountability and data governance.

This blog post distills that conversation for a corporate compliance audience, focusing on practical, board-relevant governance and the day-to-day tactics that make privacy and security work together before, during, and after incidents.

From “IT Does Everything” to “Risk, Roles, and Accountability”

Meyers started in an era when “cybersecurity” did not exist. There was just “IT,” and everyone did everything. That lack of specialization produced preventable harm: misconfigured remote access where a “guest” credential quietly had admin rights, cavalier attitudes toward email and user surveillance (remember when “I read your email” bumper stickers were a thing?), and a culture that treated privacy as a corporate secrecy issue rather than a people-protection mandate. The lesson for compliance? Risk thrives in ambiguity. When roles and ownership are unclear and authority is not defined, controls are merely a facade.

Meyers contrasts the U.S. and EU not as a comparison of statutes but as a philosophical split. In Europe, privacy is government-centric and procedurally channeled through regulators; in the U.S., it is more individual-centric and notification-driven. California’s rules can even exceed the practical strictness of the GDPR in certain respects. For compliance leaders, that means your privacy posture must be designed around intent (i.e., who is protected), governance (i.e., who decides), and operational execution (i.e., who does the work), not just a citation list.

Data Has a Life Cycle—Treat It That Way

One of Meyers’ most pointed critiques is that organizations hoard data without a purpose or end-of-life discipline. If you keep 30 years of email, do not be surprised when eDiscovery asks for all 30. The habit of “keep it all, we might need it” is the enemy of proportional risk. Compliance should drive a business-backed data minimization program with explicit retention schedules tied to legal, operational, and risk rationales and then audit for enforcement. If the business cannot articulate why it needs a dataset today and in the future, that data is a liability, not an asset.

Fix the Operating Model: Privacy Is Not a Side Gig for Security

Meyers has watched the same misalignment play out repeatedly: privacy responsibility is assigned to Legal or Compliance, but Cybersecurity ends up doing the work and carrying the expectations. CISOs are asked to “own” controls for which they lack budgetary authority or policy ownership. Legal “owns” privacy on paper, but it is not integrated into cyber operations. Meyers is clear that the cure is governance, not heroics: establish a cross-functional steering committee (including Legal, Security, Compliance, IT Ops, and the business) with clear charters, shared KPIs, and defined decision rights. Diversity matters here; mix senior leaders with younger employees and varied backgrounds to avoid blind spots. The first agenda item of that committee should be ruthless purpose-alignment: “Why do we have this data? Do we still need it?”

Put Risks on One Page—and Make It Everyone’s Page

While cybersecurity tooling is often automated and technical, Meyers recommends one deceptively simple instrument to unite the disciplines: a shared risk register. GRC teams already live in this world. You should bring Security into it and treat security events, control weaknesses, and privacy exposures as entries that share owners, mitigations, and review cadences. If the CISO, Chief Compliance Officer, and General Counsel are not reading, updating, and arguing over the same risk register, you do not have a single source of truth or a shared sense of urgency.

Breach Reality: Precision Beats Blanket Notification

“Assume breach” is not fatalism; it is a sign of professional maturity. Meyers highlights the emergence of data security posture management (DSPM) solutions that not only identify exposures but also determine whose data was actually accessed. That allows for targeted notifications (“these 15 people, not 500,000 customers”) and saves both real money and reputation. One caveat a practitioner will raise: a narrow notification is only as defensible as the evidence behind it. If access logs and ownership maps cannot establish what the attacker did and did not touch, you will be pushed toward the broad assumption anyway. For the compliance function, the key point is proportionality; your incident playbook should pair legal thresholds with data lineage and ownership maps, ensuring a fast, accurate, and respectful response to individuals.

Agentic AI: Accountability Without a Face

Agentic AI changes the rules. Agents act without asking, talk to other agents, and traverse systems and data at machine speed. They also obscure accountability because the human “operator” may interact with one agent while three others are making consequential decisions out of view. This breaks the legacy consent and audit paradigms and demands new guardrails: identity and authorization that travel with the task through every agent hop (so no downstream agent can exceed what the originating human was entitled to do), granular logging of agent-to-agent interactions that records the full chain and not just the last caller, and data lineage that respects privacy scopes. From a compliance lens, agentic AI requires you to rewrite playbooks on consent, purpose limitation, and lawful processing before deployment, not after the first mishap.

Storytelling: The Culture Carrier for Security and Privacy

Meyers’ long connection to San Diego Comic-Con may seem far removed from cybersecurity. Yet watch a cybersecurity team finally “get it” when you swap a nameless attacker for “Lex Luthor” in a tabletop exercise. That is not pandering to pop culture; it is cultural engineering. Humans adopt guardrails that they emotionally understand. If your privacy training or AI oversight policy can be told as a story, with villains, flawed heroes, and a clear “why,” you improve retention, reduce resistance, and create connective tissue across silos. Compliance is, at its core, applied storytelling backed by controls.

Robert Meyers traces the evolution from undifferentiated IT to today’s specialized privacy and cybersecurity disciplines, emphasizing how poor role clarity and indiscriminate data retention have caused preventable harm for decades. He frames the U.S.–EU divide as a philosophical one, individual-centric versus regulator-centric, while urging companies to stop treating privacy as a side project for Security when Legal nominally “owns” it. The solution involves a cross-functional steering committee, a shared risk register, and purpose-driven data lifecycle governance.

Meyers underscores “assume breach” realism and highlights new DSPM tooling that enables precise, owner-level breach notification instead of blanket, costly responses. Looking ahead, agentic AI creates accountability gaps as autonomous agents act and collaborate out of human view, demanding fresh guardrails for identity, consent, lineage, and logging. Finally, Meyers champions storytelling (yes, even Comic-Con-style narratives) to make security and privacy relatable, and advocates for cross-training, with privacy professionals learning security and vice versa, so organizations can speak a single operational language from the boardroom to the SOC.

Categories
AI Today in 5

AI Today in 5: September 4, 2025, The Better Coffee with AI Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories:

  • AI-led drones enter the battlefield. (WSJ)
  • Crypto cannot scale without AI. (CoinTelegraph)
  • Army CIO issues guidelines on AI compliance. (ExecutiveGov)
  • Is the dream of superintelligence breaking? (NYT)
  • Starbucks is using AI to enhance the coffee experience. (Starbucks)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Great Women in Compliance

Great Women in Compliance – Catching Up with the OG GWIC with Mary Shirley

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insight and a part of the Compliance Podcast Network. My guest today isn’t really a guest; she’s so much more. She is an architect of GWIC, my first partner in compliance, and my first compliance friend, who remains a dear friend to this day. She coined the phrase “Send the Elevator Back Down,” taught me about tall poppy syndrome, and I am still using her cheat codes. Of course, it’s Mary Shirley!

Mary, can you update everyone on all the cool things that have been happening since you became, as we call it, #GWICemerita?

As a global compliance leader who has lived in several countries and now three very different states in the US, what do you see as the principles of a “culture of integrity” that apply to any business, regardless of geography or industry?

  • While there have been changes in US laws, particularly the FCPA, and newer laws in the EU and the UK, among others, are you seeing any shifts in how to define – or communicate – a culture of integrity?
  • You have compiled a list of questions for job seekers to ask about the terms of compliance programs and a culture of integrity. What do you think is the most revealing one and why?
    • Mine is “Can I talk to my predecessor?”

I look forward to seeing you very soon at SCCE CEI. You and Matt Kelly are presenting “AI Governance for N00bs: A Beginner’s Guide for the Non-Tech Compliance Practitioner” on Sunday to kick off the event.

  • What do you see as the biggest opportunities for compliance professionals to use AI and machine learning?
  • What challenges do you see for integrating AI and machine learning into their compliance program, and how should we approach it?
  • What about the algorithmic bias?
  • It seems like ethics and compliance are being welcomed as “partners” at the AI governance table. What do you think is the most significant reason for this shift, and what can a compliance professional do to ensure they maintain that strategic seat at the table?

When you think about the first 200 episodes, do you have a specific non-substantive, non-podcast memory that sticks out to you? Besides the origin story, which I still tell!

Categories
Compliance Into the Weeds

Compliance into the Weeds: Examining the Impact of Reducing Middle Management on Corporate Culture

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Seeking insightful perspectives on compliance? Look no further than Compliance into the Weeds! In this episode, Tom Fox and Matt Kelly discuss the implications of reducing the number of middle managers in corporate America.

Kelly’s blog post, inspired by a Wall Street Journal article, serves as the foundation for a broader discussion on how the reduction of managers impacts corporate culture, employee dynamics, and compliance programs. They explore the reasons behind this trend, such as the desire for agility or cost-cutting, and its effects on communication, institutional knowledge, and the role of compliance officers. They also explore potential solutions, including the use of AI, enhanced training, and adaptive compliance strategies, to mitigate the risks associated with fewer middle managers.

Key highlights:

  • Corporate America’s Managerial Shift
  • Implications for Corporate Culture
  • AI and Compliance Solutions
  • Institutional Knowledge and Risks
  • Compliance Takeaways and Final Thoughts

Resources:

Matt on Radical Compliance

Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred the Davey, Communicator, and W3 Awards for podcast excellence.

Categories
AI Today in 5

AI Today in 5: September 3, 2025, The Human in the Loop Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories:

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Blog

The Sound of Compliance: Using Branded Podcasts to Build Culture and Trust

One of the greatest challenges in corporate compliance is not writing policies, conducting investigations, or designing training; it is getting those measures to land. The real challenge is communication: finding ways to connect compliance messages with employees so that they resonate, stick, and inspire action (i.e., communication that is engaging and targeted). For years, compliance officers have experimented with email newsletters, intranet portals, and short training videos. These have their place, but the question remains: how do you make compliance messages memorable?

Enter branded podcasts. While businesses often view podcasts as marketing tools, they represent an underutilized resource for compliance professionals. Branded podcasts combine the power of long-form storytelling, intimacy, and authenticity. They don’t just tell employees what the rules are; they let compliance leaders engage directly with their workforce in ways that build trust and credibility.

Consider how branded podcast strategies, borrowed from the marketing world, can be integrated into your compliance communications toolkit.

Why Branded Podcasts Work for Compliance

Marketing research shows that branded podcasts can:

  • Lift brand awareness by 89%
  • Improve brand favorability by 61%
  • Increase brand consideration by 57%
  • Drive purchase intent by 14%

Now, translate those metrics into the compliance world. Awareness means employees are aware of the Code of Conduct’s existence. Favorability equals trust in the compliance function. Consideration equals employees being willing to pick up the phone and ask a question. Purchase intent equals employees actually following the guidance you’ve laid out.

Podcasts offer compliance officers something that other tools rarely do: extended attention from an audience. Employees may skim an email or fast-forward through a training video, but a podcast, whether listened to on a commute, while exercising, or during lunch, creates space for employees to truly hear the compliance message.

Strategy 1: Control the Narrative

Compliance often struggles with being framed as the “Department of No.” Podcasts flip that narrative by letting compliance officers control the storytelling. Imagine a compliance podcast series titled Decisions That Matter. Each episode could feature leaders across the organization discussing how they navigated ethical dilemmas, or employees telling stories about how compliance policies guided their work. This does not simply reinforce policy; it makes compliance part of the corporate identity.

Owning the narrative also means controlling distribution. Just like marketers, compliance teams can utilize multiple channels, including internal podcast feeds, company intranets, email blasts, and even short video clips posted on collaboration tools like Microsoft Teams or Slack.

Strategy 2: Leverage the Intimacy of Audio

There’s a reason people often describe listening to their favorite podcasts as “hanging out with smart, funny friends.” That sense of closeness and familiarity is one of audio’s greatest strengths—and one compliance officers can harness. Unlike fleeting interactions with TV spots, email blasts, or even in-person announcements, podcasts hold an audience’s attention for extended periods. This creates a deeper, more personal connection between compliance and employees.

The BBC’s Audio Activated Study (2019) demonstrated this effect, showing that branded podcasts build uniquely strong engagement and trust. For compliance professionals, the implications are significant: podcasts enable you to move beyond transactional reminders of policy and instead foster authentic conversations about values, ethics, and decision-making.

Consider this: while an employee may forget the details of an email announcing a new anti-retaliation policy, if they hear the Chief Compliance Officer (CCO) discussing real-world examples in a conversational podcast format, they are far more likely to remember and internalize the message. Podcasts enable compliance leaders to “enter the room” with employees in a trusted, low-pressure manner, one that builds credibility and reinforces the culture of compliance over time.

Strategy 3: Use the Right Voices to Build Authenticity

Compliance communication is often top-down, but podcasts allow you to broaden the voices employees hear. A charismatic host, whether it is the compliance officer themselves or a skilled internal communicator, can create an authentic connection.

Guests matter too. Bring in diverse voices, such as regional managers, data privacy specialists, whistleblower program champions, or outside experts. Each guest not only injects energy but also shows that compliance is a broad, collaborative effort. The key to all this is authenticity. Employees are far more likely to engage with compliance messaging if they perceive it as genuine, rather than scripted.

Strategy 4: Make Compliance Entertaining

You may not think the phrase “compliance podcast” naturally screams entertainment, but it can, and it must: if employees do not enjoy listening, they will not return.

Think about different formats:

  • Narratives: Tell true stories of corporate scandals (Bre-X, Enron, or Theranos) and extract compliance lessons.
  • Deep Dives: Break down a single risk topic like sanctions, data privacy, or conflicts of interest in an accessible, story-driven way.
  • Interviews: Feature executives discussing how compliance enables them to lead effectively.

Entertainment does not mean fluff. It means packaging compliance in a way that keeps employees engaged long enough to absorb the lesson. When employees enjoy compliance content, they will not simply listen once; they come back and recommend it to colleagues.

Strategy 5: Promotion and Distribution

Even the best compliance podcast fails if no one listens. That’s why promotion is critical. Here’s where compliance can borrow from marketing:

  • Internal channels: Feature podcast links in company newsletters, Slack channels, or employee portals.
  • Cross-promotion: Play snippets during training modules or town halls.
  • Teasers: Create short audio or video trailers to spark interest.
  • Executive sponsorship: Ask senior leaders to endorse the podcast in their communications and social media posts.

The lesson from marketing is clear: consistent, multi-channel promotion builds an audience. For compliance, that means embedding your podcast into the rhythm of corporate communications.

Strategy 6: Measure the Impact

Marketers measure branded podcast success in downloads and brand lift. Compliance officers should measure the impact on awareness and behavior.

Metrics could include:

  • Number of downloads or streams
  • Average listening time (are employees finishing episodes?)
  • Employee surveys on awareness and trust in compliance
  • Increases in questions to the hotline or requests for compliance guidance

If you can show that podcast listeners are more likely to engage with the compliance program than non-listeners, you have proven the value, and that proof elevates compliance into a strategic communications leader.

Case Study Inspiration

Consider the success of Century 21 Real Estate’s branded podcast The Relentless. Rather than simply promoting properties or agents, the series focused on the broader themes of persistence, innovation, and personal growth. These are the very qualities that drive success in the competitive world of real estate. Each episode highlighted stories of entrepreneurs, industry leaders, and business visionaries who embodied the “relentless” mindset that Century 21 sought to represent.

The strategy worked. Over the course of three seasons, The Relentless not only amplified Century 21’s brand identity but also resonated deeply with its audience, ultimately placing the show in the top 1% of all podcasts with more than 1.5 million downloads.

Now translate that model into compliance communications. Imagine a compliance podcast that tells compelling stories of ethical leadership, employee resilience in the face of ethical dilemmas, or how teams have navigated complex regulatory challenges. Instead of compliance being framed as rules and restrictions, it becomes a series of stories about persistence, integrity, and doing the right thing under pressure.

If a compliance function could achieve even a fraction of The Relentless’s engagement, it would no longer be seen as the department of “no,” but rather as a trusted, sought-after source of inspiration and guidance for the workforce.

Conclusion

Branded podcasts are not just for marketing departments. For compliance professionals, they represent an untapped frontier in employee engagement.

By controlling the narrative, leveraging the intimacy of audio, building authenticity through diverse voices, making compliance entertaining, promoting aggressively, and measuring outcomes, compliance officers can transform the way they communicate.

In a world where regulators emphasize culture, communication, and engagement, podcasts may be one of the most effective tools available for achieving these goals. The time has come for compliance leaders to borrow a page from the marketing playbook and make branded podcasts a cornerstone of their communication strategy.

Because at the end of the day, compliance is not simply about rules on paper. Instead, it is about conversations. And podcasts give compliance a voice.

Categories
Innovation in Compliance

Innovation in Compliance – Cybersecurity Challenges and Solutions: An In-Depth Interview with Robert Meyers

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Robert Meyers, a cybersecurity and privacy expert with over 30 years of experience.

Meyers shares his journey from starting in IT to becoming a prominent figure in cybersecurity, privacy, and M&A security. He recounts the evolution of cybersecurity from the 1980s to the present day, highlighting key lessons learned along the way. He discusses the philosophical divide between U.S. and European attitudes toward data privacy, the importance of a cross-functional approach to cybersecurity and privacy within companies, and how emerging technologies like agentic AI are reshaping the industry. He also shares insights from his new book, ‘Privacy Snippets for the Cybersecurity Professional,’ aimed at helping professionals bridge the gap between cybersecurity and privacy. Additionally, Meyers’s passion for Comic-Con offers a unique perspective on how creativity and community engagement can inform and enrich professional practices.

Key highlights:

  • Robert Meyers’ Professional Background
  • Early Cybersecurity Challenges
  • Evolution of Privacy and Security
  • Roles and Responsibilities in Cybersecurity
  • Agentic AI and Future Challenges
  • Comic-Con and Personal Interests
  • Advice for Aspiring Professionals

Resources:

Privacy Snippets for the Cybersecurity Professional on Amazon

Robert Meyers’ Profile on Amazon

Robert Meyers on LinkedIn

Tom Fox on Instagram, Facebook, YouTube, Twitter, and LinkedIn


Compliance Week’s Reflections from August and Insights into September 2025

In this episode of ‘From The Editor’s Desk’ podcast, hosts Tom Fox and Aaron Nicodemus delve into key compliance issues featured in Compliance Week. They discuss the heightened risks for companies doing business in Mexico due to connections with cartels, recent enforcement actions stemming from these connections, and the Trump administration’s first FCPA bribery case. They also preview an upcoming case study on Lafarge’s operations in Syria and introduce new website features, including CW Connect, designed to foster meaningful conversations among compliance officers. Additionally, they highlight best practices and preview articles planned for National Compliance Officer Day.

Highlights include:

  • Top Compliance Stories in August 2025
  • Risks of Doing Business in Mexico
  • FCPA Enforcement Actions and Investigations
  • Upcoming Case Study on Lafarge
  • Website Redesign and New Features

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week


UM Cheating Scandal, Part 5: Compliance Lessons Learned

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1, we examined the background facts, the elaborate scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we discussed the deeper issue of culture, where the football program viewed compliance as an adversary. In Part 3, we analyzed the violations and penalties, focusing on the sanctions imposed on Michigan and its staff. Finally, in Part 4, we considered what happens when an enforcement agency is stripped of its ability to enforce by asking whether the NCAA itself has become a toothless enforcement agency after declining to vacate wins or strip Michigan of its 2023 national championship.

Together, these four posts tell a story that is both uniquely collegiate and universally corporate: a tale of rules violated, compliance sidelined, culture corrupted, penalties imposed, and a regulator under fire. For corporate compliance professionals, the lessons are clear.

The Background: What Happened at Michigan

At the heart of the Michigan case was Connor Stalions, a staffer who orchestrated an elaborate sign-stealing operation. Using a network of interns, acquaintances, and even student-athletes, Stalions purchased tickets, filmed opponents’ sidelines, and created a “Master Chart” of signals. Over the course of three seasons, there were 56 instances of impermissible in-person scouting across 52 games.

The violations went beyond scouting. Coaches and staff provided improper inducements, including meals, gear, and even attempts at social media “blue check” verification. Nearly 100 impermissible text messages were sent to a recruit before the allowable date.

Head coach Jim Harbaugh was charged with head coach responsibility violations, having failed to promote compliance or monitor his staff. To make matters worse, multiple individuals failed to cooperate once the investigation began; devices were destroyed, evidence was deleted, and investigators were misled.

This was Michigan’s second infractions case in as many years, making it a repeat violator.

The Cultural Breakdown

But the facts alone do not explain how this misconduct flourished. The real story was cultural.

Michigan football had a contentious relationship with compliance. Coaches dismissed the compliance staff as “roadblocks” and even “true scum of the earth.” The Chief Compliance Officer, a respected industry leader, testified that she was seen as “a thorn in [Harbaugh’s] side.”

This hostility created an environment of willful blindness. Staff admitted they “went out of their way not to know” what Stalions was doing, so long as results were delivered. Red flags raised by interns or opponents were ignored or brushed aside.

Compliance education was lacking, especially for interns, many of whom played key roles in the scheme but received no targeted training. The compliance office could not even get into the room unless it forced its way in.

Ultimately, the NCAA concluded that “Michigan failed to create a culture of compliance in the football program.” For compliance professionals, this is a cautionary tale: no matter how effective your compliance office is, culture will ultimately prevail if leadership undermines it.

The Penalties: What Was Possible, What Was Imposed

The violations were classified as Level I (the most serious) for the scouting, head coach responsibility, and failure-to-cooperate charges, and as Level II for the recruiting and monitoring charges. Together they carried potentially devastating penalties. As a repeat violator, Michigan could have faced multi-year postseason bans, scholarship reductions, and the vacating of wins.

Instead, the NCAA opted for a different approach:

  • For Michigan: Four more years of probation, multi-million-dollar fines, loss of postseason revenue, recruiting restrictions, and public posting of the infractions decision.
  • For Individuals: Career-altering show-cause orders of 10 years for Harbaugh, 8 years for Stalions, 3 years for Robinson, and 2 years for Moore. Negotiated resolutions added show-cause penalties for Clinkscale and Minter.

But the NCAA declined to impose a postseason ban or vacate Michigan’s 2023 national championship. Instead, it substituted financial penalties, citing fairness to current athletes who were not involved in the violations.

The NCAA’s Credibility Crisis

This decision has sparked a broader debate: Is the NCAA now a toothless enforcement agency? By choosing not to vacate wins, not to impose a postseason ban, and not to strip the national championship, the NCAA sent a message: even the most serious Level I–Aggravated violations can be survived without meaningful on-field consequences.

The NCAA justified its choice by citing the need for fairness to current athletes. But the effect was to undercut deterrence. If Michigan can commit widespread violations, win a championship during the scheme, and keep both the wins and the trophy, what message does that send? For compliance professionals, this is equivalent to a regulator declining to debar a repeat corporate offender or refusing to impose a monitor after repeated bribery scandals have occurred. Enforcement without teeth creates cynicism, undermines culture, and emboldens violators.

Five Lessons for Corporate Compliance Professionals

From the four perspectives we have explored — facts, culture, penalties, and the regulator’s credibility — come five key lessons for corporate compliance officers.

1. Culture Will Always Trump Policy

Michigan had a compliance office, policies, and training. Yet the football program treated compliance as the enemy. Harbaugh’s tone at the top set a culture where results mattered more than rules. Compliance professionals must remember that culture is the real driver of behavior. Policies without culture are paper tigers.

2. Repeat Offenders Face Escalating Consequences

Michigan’s repeat violator status magnified its penalties. In the corporate world, companies with prior FCPA or sanctions violations are judged far more harshly when caught again. Building credibility requires not just resolving past cases but sustaining reform over time.

3. Individual Accountability Is Here to Stay

The NCAA’s most severe sanctions fell on individuals, Harbaugh and Stalions in particular. This mirrors the DOJ’s emphasis on individual liability. Compliance officers must ensure executives understand that they will personally bear responsibility for compliance failures.

4. Cooperation Is Non-Negotiable

The obstruction made this case far worse. Destroying evidence and refusing to cooperate turned a bad situation into a career-ending one for multiple individuals. In corporate enforcement, cooperation credit can significantly reduce penalties; obstruction can magnify them.

5. Regulators Must Enforce Meaningfully — or Risk Irrelevance

The most sobering lesson is about the NCAA itself. By declining to vacate wins or strip championships, the NCAA undermined its own credibility. For compliance officers, this underscores the importance of strong, consistent enforcement. If your regulator is weak, it makes your job harder because the business will treat compliance as optional.

The Broader Meaning

The Michigan case is about more than football. It is about how organizations treat compliance, how regulators enforce rules, and how culture drives outcomes. For compliance professionals, it offers a sobering parable. When leadership undermines compliance, culture tolerates misconduct, violations are repeated, and regulators fail to enforce penalties meaningfully, the result is inevitable: misconduct flourishes, penalties escalate, and credibility erodes.

The job of the compliance professional is to resist that cycle: to build cultures that embrace compliance, to insist on accountability, to promote cooperation, and to hold leadership accountable for setting the tone at the top. And when regulators fail to act, compliance officers must redouble their efforts internally because rules without enforcement may be just suggestions, but culture without compliance is a guaranteed recipe for disaster.