Tag: compliance

Categories
Blog

From Enforcement-Driven to Purpose-Driven Compliance

For more than two decades, corporate compliance programs have been built around one central organizing principle: enforcement. Where regulators go, compliance resources follow. When the Department of Justice prioritizes anticorruption, companies invest in FCPA controls. When regulators turn to privacy, cybersecurity, or AML, compliance budgets pivot accordingly. This enforcement-driven approach has shaped the modern compliance profession.

Yet, as Veronica Root Martinez persuasively argues in her recent working paper, Purpose-Driven Compliance, this dominant model may be fundamentally flawed, certainly in the era of Trump.  Despite unprecedented investments in compliance infrastructure, corporate misconduct persists. Repeat offenders remain common. Penalties grew larger, but behavior did not meaningfully improve. For compliance professionals, this raises an uncomfortable question: are we optimizing for the wrong objective?

Martinez’s answer is both challenging and clarifying. Compliance programs should not be primarily designed to satisfy enforcement authorities or to maximize mitigation credit after failure. Instead, they should be anchored in the organization’s own purpose, business risks, and ethical standards. In short, it is time to move from enforcement-driven compliance to purpose-driven compliance.

The Limits of Enforcement-Driven Compliance

The enforcement-driven model rests on two assumptions. First, that enforcement priorities reflect a company’s most significant risks. Second, that imperfect compliance is inevitable and acceptable so long as the organization can demonstrate good-faith efforts. Martinez brings both under scrutiny.

Regulatory priorities often lag behind real business risks. Enforcement agencies focus on certain categories of misconduct because they are visible, politically salient, or historically entrenched. But the risks that most threaten an organization’s mission may lie elsewhere. Martinez highlights how firms can become over-invested in compliance areas that attract enforcement attention while under-investing in mission-critical risks to their operations.

The second assumption, that some level of misconduct is acceptable, is even more troubling. Behavioral ethics research suggests that tolerating small violations creates conditions for larger ones. When leaders frame misconduct as statistically insignificant or “within expectations,” they risk normalizing behavior that undermines culture, trust, and ultimately performance. Wells Fargo’s infamous “1% problem” illustrates this danger. Senior leadership took comfort in the idea that only a small fraction of employees were engaging in misconduct, failing to appreciate that those numbers reflected only the misconduct that had been detected.

An enforcement-driven mindset encourages this type of thinking. If the organization is sanctioned, then low detection rates look like success. But if the question is whether the organization is living up to its own purpose and values, the same data tell a very different story. This is not the broken windows theory of enforcement, but something else.

The Cost of Treating Compliance as a Cost of Doing Business

Another weakness of enforcement-driven compliance is that it can turn sanctions into a predictable line item. As firms grow larger and penalties are discounted through cooperation credit, fines risk being internalized as a cost of doing business. Empirical work cited by Martinez suggests that large, repeat offenders often pay penalties that are small relative to their assets and revenues. In that environment, enforcement loses much of its deterrent effect.

For compliance professionals, this dynamic creates a structural tension. Programs may be technically “effective” under DOJ guidance while still failing to prevent misconduct that harms customers, employees, and communities. The distinction between standards of review and standards of conduct becomes critical. Meeting the government’s expectations for leniency is not the same as meeting the organization’s ethical obligations to itself and its stakeholders.

What Is Purpose-Driven Compliance?

Purpose-driven compliance begins with a simple but powerful shift in perspective. Instead of asking, “What does the regulator expect?” the organization asks, “What risks threaten our ability to achieve our purpose and what standards of conduct are required to address them?” Martinez defines purpose-driven compliance as programs directed by three elements: the firm’s purpose, the inherent risks associated with pursuing that purpose, and the ethical standards the organization sets for itself. This approach does not reject enforcement frameworks; rather, it treats them as a floor, not a ceiling.

In practical terms, purpose-driven compliance requires leadership to articulate why the organization exists and how misconduct undermines that mission. For a bank, this may mean focusing on customer trust and market integrity. For a pharmaceutical company, it may mean prioritizing patient safety and scientific integrity. For a university, it may mean safeguarding academic freedom and institutional trust. For a summer camp, it means protecting the campers from flash floods and other storms.

Once the purpose is clearly defined, compliance risk assessments become more meaningful. Risks are evaluated not only by enforcement exposure but by their potential to compromise the organization’s core objectives. This reframing helps compliance leaders resist the temptation to chase regulatory trends at the expense of mission-critical risks.

Moving Beyond Mitigation to Aspirational Standards

A key insight in Martinez’s work is that firms often confuse mitigation with excellence. Compliance programs are designed to minimize penalties rather than to maximize ethical performance. Purpose-driven compliance challenges that mindset by encouraging organizations to adopt high, ethical, and aspirational standards of conduct.

This does not mean pursuing perfection through draconian controls or internal criminalization. Martinez rightly warns against overdeterrence and strict liability regimes that incentivize concealment rather than transparency. Instead, purpose-driven compliance emphasizes ethical framing, employee voice, and organizational learning. Compliance should never be Dr. No, sitting in the Department of Business Non-Development.

The examples of Wells Fargo and Novartis are instructive. Both organizations suffered repeated compliance failures under enforcement-driven regimes. Their subsequent reforms went beyond addressing the specific violations that triggered enforcement. They re-examined culture, leadership incentives, and ethical expectations. In Novartis’s case, tying bonuses to ethical performance and co-creating a new code of ethics signaled a shift from box-checking to values anchored in purpose.

Why Purpose-Driven Compliance Matters for the Modern CCO

For today’s chief compliance officer, Martinez believes purpose-driven compliance offers three critical benefits.

First, it creates durability. Enforcement priorities shift with administrations. Indeed, this Administration has signaled a cutback in white-collar enforcement by offering essentially get-out-of-jail-free cards to companies that self-disclose early. This underscores the importance of compliance programs. A compliance program anchored solely in regulatory expectations will always be reactive. Purpose-driven programs are more stable because they are tied to the organization’s identity rather than external politics.

Second, it improves the quality of compliance metrics. Measuring effectiveness against internal standards allows organizations to ask harder questions about culture, decision-making, and root causes. Not every initiative will succeed, but a willingness to acknowledge failure is itself a sign of program maturity.

Third, it enhances credibility with boards and senior leadership. When compliance is framed as a strategic partner in achieving the organization’s mission, rather than as a defensive function, it earns a more meaningful seat at the table.

Conclusion

Compliance has never been more sophisticated, expensive, or visible. Yet sophistication alone does not guarantee effectiveness. Martinez’s Purpose-Driven Compliance challenges compliance professionals to rethink the foundations of their programs. Enforcement-driven compliance has taken us far, but it cannot take us far enough.

The next evolution of compliance requires organizations to define their own standards of conduct, grounded in purpose, risk, and ethics. That shift is not easy. It requires courage from compliance leaders and commitment from boards and executives. But if compliance is truly about preventing harm and sustaining trust, purpose-driven compliance is not optional. It is essential.

Categories
FCPA Compliance Report

FCPA Compliance Report – FCPA Enforcement Shifts: Volatility and Uncertainty

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode,  host Tom Fox welcomes Anik Shah, Director & Senior Legal Counsel at Sandisk, for an insightful discussion about the pivotal changes and enforcement actions around the FCPA in 2025 and their implications for 2026.

In 2025, Anik Shah, a preeminent authority on FCPA and anti-corruption enforcement, offers a strategic perspective on the evolving compliance landscape. Given the recent uncertainties following an executive order and the dismissal of high-profile cases, Shah underscores the necessity for companies to maintain robust anti-bribery and anti-corruption controls, especially with potential reprioritization by the Department of Justice. He advocates a proactive risk management approach, emphasizing the importance of third-party risk management and comprehensive training to anticipate and mitigate potential FCPA issues. As enforcement focus shifts toward addressing cartel and transnational criminal organization activities, Shah advises companies to integrate anti-money laundering processes into their compliance strategies to align with global anti-corruption efforts.

Key highlights:

  • 2025 FCPA Enforcement Shifts and Uncertainty
  • Voluntary Self-Disclosure Policy Revolution in 2025
  • Cartel Risk Mitigation through Compliance Integration
  • Central Asia Construction Projects: Anti-Corruption Measures
  • Proactive Measures: Fostering Anti-Corruption Compliance Awareness

Resources:

Anik Shah on LinkedIn

Sandisk

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com

Categories
AI Today in 5

AI Today in 5: February 9, 2026, The AI Agents Doing Compliance Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. What to do when AI is forced on compliance. (CW)
  2. Napier AI/AML report is out. (FinTechGlobal)
  3. AI and the accountability gap. (FinTechGlobal)
  4. Where AI is tearing through corporate America. (WSJ)
  5. Goldman is letting AI Agents do compliance. (PYMNTS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

From Principle to Proof: Operationalizing AI Governance Through the ECCP and NIST

Artificial intelligence governance has officially crossed the threshold from theory to expectation. The Department of Justice has not issued a standalone “AI rulebook,” but it has provided a framework for compliance professionals to consider the issue: the 2024 Evaluation of Corporate Compliance Programs (ECCP). In this version of the ECCP, the DOJ laid out guidance that any technology capable of creating material business risk must be governed, monitored, and improved like any other compliance risk. That includes artificial intelligence.

Too many organizations still treat AI governance as an ethics exercise, a technical problem, or a future concern. That posture is not defensible. The DOJ does not ask whether your program is fashionable or aspirational. It asks three very old-fashioned questions: Is your compliance program well designed? Is it applied in good faith? Does it work in practice? Those questions apply with full force to AI.

In this post, I want to move the discussion from abstract frameworks to operational reality. I will show how compliance professionals can use the ECCP to structure AI governance, select board-grade KPIs, and demonstrate effectiveness in a way regulators understand. I will also show how the NIST AI Risk Management Framework (NIST Framework) fits neatly underneath this structure as an operating model, not a competing philosophy.

AI Governance Is Already an ECCP Issue

The DOJ has repeatedly emphasized that compliance programs must evolve as business risks evolve. Artificial intelligence is not a future risk. It is already embedded in pricing, hiring, credit decisions, customer interactions, fraud detection, and third-party screening. If an AI model can influence revenue, customer outcomes, or regulatory exposure, it is a compliance risk. Period.

The ECCP does not require companies to eliminate risk. It requires them to identify, assess, manage, and learn from it. AI governance, therefore, belongs squarely inside the compliance program, not off to the side in an innovation lab or technology committee.

The ECCP as an AI Governance Blueprint

The power of the ECCP is its simplicity. Every enforcement action ultimately traces back to the same three questions. Let us apply them directly to AI.

Is the Program Well Designed?

Design begins with risk assessment. If your organization cannot answer a basic question such as “What AI systems do we have, who owns them, and what decisions they influence,” you do not have a program. You have hope. A well-designed AI compliance program starts with an AI asset inventory that identifies models, tools, vendors, and use cases. Each asset must be risk-classified based on business impact, regulatory exposure, and potential harm.

Board-level KPIs here are coverage metrics. How many AI assets have been identified? What percentage has been risk-classified? How many high-impact models have completed an impact assessment before deployment? If your dashboard does not show near-full coverage, the design is incomplete.

Policies and procedures come next. The DOJ does not care how many policies you have. It cares whether they provide clear guidance for real decisions. AI policies should cover the full lifecycle, from design and data sourcing through deployment, monitoring, and retirement. A practical KPI is policy coverage. What percentage of AI assets operate under current, approved procedures? How often are those procedures refreshed? Annual updates are a reasonable baseline in a rapidly changing risk environment.

Is the Program Applied Earnestly and in Good Faith?

Good faith is demonstrated through action, not intent. Training is a central indicator. The DOJ expects role-based training tailored to actual risk. A generic AI awareness course does not meet this standard. Developers, model owners, compliance reviewers, and business leaders all require different training. Completion rates matter, but so does comprehension. Measuring post-training proficiency improvement is one of the clearest signals that training is more than a box-checking exercise.

Third-party risk management is another critical area. Many organizations rely on external models, data providers, or AI-enabled vendors. If you do not understand how those tools are built, governed, and updated, you are importing risk without controls. Strong programs use standardized AI diligence questionnaires, assign assurance scores, and require contractual safeguards for high-risk vendors. A board-ready KPI here is the percentage of high-risk AI vendors subject to enhanced diligence and contractual controls.

Mergers and acquisitions deserve special attention. AI risk does not wait for post-close integration. The DOJ has been explicit that pre-acquisition diligence matters. A defensible KPI is simple and unforgiving. 100% of acquisition targets with material AI usage must undergo AI due diligence before closing. Anything less invites inherited risk.

Does the Program Work in Practice?

This is where many programs fail. Paper controls do not impress regulators. Outcomes do. Incident reporting is a critical signal. A low number of reported AI issues may indicate fear, confusion, or a lack of safety rather than safety concerns. What matters is whether issues are identified, investigated, and resolved promptly. Mean time to investigate is a powerful metric. If AI-related concerns take months to resolve, the program is not working. Clear escalation paths, defined investigation playbooks, and documented root cause analysis are essential.

Continuous monitoring is equally important. High-risk AI systems must be monitored for performance drift, data changes, and unintended outcomes. The DOJ expects companies to use data analytics to test whether controls are functioning. KPIs here include validation pass rates before deployment, drift-detection coverage for critical models, and corrective action closure rates. These are not technical vanity metrics. They are evidence of effectiveness.

Where NIST Fits and Why It Matters

The NIST AI Risk Management Framework does not compete with the ECCP. It operationalizes it. The ECCP tells you what regulators expect. NIST helps you implement those expectations across governance, mapping, measurement, and management. For example, ECCP risk assessment aligns with NIST’s mapping function. ECCP’s continuous improvement aligns with NIST’s measurement and management functions. Using NIST terminology creates a shared language across compliance, legal, security, and data science teams. That shared language is governance in action.

Reporting AI Risk to the Board

Boards do not want technical detail. They want assurance. The most effective AI governance dashboards focus on a small set of indicators that answer the DOJ’s three questions: coverage, quality, responsiveness, and learning. Examples include the percentage of AI assets risk-classified, validation pass rates, investigation cycle times, and corrective action closure rates. When these metrics move in the right direction, they tell a credible story of control. More importantly, they show that compliance is not reacting to AI. It is governing it.

Five Key Takeaways for Compliance Professionals

  1. AI as Risk. Artificial intelligence is already within the scope of the ECCP. If AI can influence business outcomes, it must be governed like any other compliance risk.
  2. Risk Management Program. A well-designed AI compliance program begins with complete asset identification and risk classification. Coverage metrics are the first signal regulators will examine.
  3. Implementation. Good faith implementation is demonstrated through role-based training, disciplined third-party oversight, and pre-acquisition AI diligence. Intent without execution does not count.
  4. Outcomes, not Inputs. Effectiveness is proven through outcomes. Investigation speed, monitoring coverage, and corrective action closure rates matter more than policy volume.
  5. Complementary. The NIST Framework complements the ECCP by providing an operating model that compliance, legal, and technical teams can share. Together, they turn principles into proof.

Final Thoughts

AI governance is not about predicting the future. It is about demonstrating discipline in the present. The DOJ is not asking compliance professionals to become data scientists. It is asking us to do what they have always done well: identify risk, establish controls, test effectiveness, and improve continuously. The ECCP already gives you the framework. The only question is applying it.

Categories
From the Editor's Desk

From the Editor’s Desk – Aaron Nicodemus on the CW AI Conference Insights: Navigating the Practical Use of AI in Compliance

In this episode of ‘From the Editor’s Desk,’ Tom Fox visits with Aaron Nicodemus to discuss highlights from the recent Compliance Week AI Conference. Key takeaways include the importance of understanding the purpose and practical use of AI tools before implementation, the pressures from C-suite and boards to adopt AI, and the necessity of a human-in-the-loop approach. The conversation also touches on integrating trust and integrity into AI adoption, the evolving role of compliance as a trusted partner in AI initiatives, and the collective willingness to learn and apply AI across compliance operations.

Key highlights:

  • Importance of Understanding AI Implementation
  • Pressure from the Top: Compliance and AI
  • Human Oversight in AI Processes
  • Trust and Integrity in AI
  • Compliance as a Competitive Advantage
  • Real-World Examples: Robinhood and DocuSign
  • The Evolving Role of Compliance in AI
  • Conference Vibes and Final Thoughts

Resources:

Aaron Nicodemus on LinkedIn

Compliance Week

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 4 – Marcus Aurelius and Ethical Leadership

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the BCE and AD eras.

We have considered Cicero and the duties, law, and moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; and Varro on corporate governance. Today, we consider Marcus Aurelius and ethical leadership and tone at the top. Tomorrow, we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we continue with Marcus Aurelius, Ethical Leadership, and Culture as a Compliance Control

I. Marcus Aurelius in Context: Power with Restraint

Imagine you are the single most powerful person on earth. Are you going to be an unrepentant narcissist in the manner of Donald Trump, who believes he should govern on his own twisted morality based simply on ‘gut instinct’? Or are you going to take a different approach, set out your reasoned approach to governing in a book, and then govern with the moral authority of thousands of years of philosophy?

Marcus Aurelius is often remembered as the philosopher-king, but that description understates the difficulty of his position. He ruled the Roman Empire during a period of war, plague, economic strain, and political instability. Unlike many philosophers, Marcus Aurelius did not write for an audience. His Meditations were private reflections, written to discipline his own thinking while exercising absolute power.

This matters for compliance professionals. Marcus Aurelius did not theorize about ethical leadership from a distance. He lived inside it. He understood that power magnifies temptation, insulates leaders from feedback, and creates opportunities for self-deception. His philosophy is therefore preoccupied with restraint, humility, consistency, and responsibility.

Marcus repeatedly reminded himself that leadership is not a privilege but a burden. Authority did not entitle him to indulgence; it imposed higher expectations. He believed that leaders set moral boundaries through conduct long before they issue instructions. In modern terms, Marcus Aurelius understood that culture flows downward from leadership behavior rather than upward from policy documents.

II. The Compliance Problem Marcus Aurelius Illuminates: Culture Eats Controls

One of the central lessons of modern compliance enforcement is that formal controls cannot compensate for poor culture. Organizations with detailed policies and sophisticated monitoring still fail when leadership behavior signals that results matter more than integrity. The DOJ Evaluation of Corporate Compliance Programs (ECCP) explicitly asks whether senior leaders demonstrate commitment to compliance through actions, not words. Regulators assess whether ethical behavior is encouraged, whether misconduct is addressed consistently, and whether leaders tolerate or reward problematic conduct.

Marcus Aurelius would recognize this dynamic immediately. He believed that people learn how to behave by observing those in power. When leaders act inconsistently with stated values, cynicism follows. When leaders rationalize misconduct, that rationalization spreads. Compliance programs often falter when leadership treats ethics as a communication exercise rather than a lived expectation. Codes of conduct and training sessions cannot overcome the daily signals sent by executive decisions, incentive structures, and responses to failure.

Marcus teaches that culture is not accidental. It is created continuously by leadership choices, especially under pressure.

III. Modern Corporate Application: Marcus Aurelius, DOJ Expectations, and Leadership Accountability

Applying Marcus Aurelius to modern compliance reveals several concrete expectations that closely align with DOJ guidance.

First, leadership behavior must be consistent. Marcus believed hypocrisy was corrosive to authority. The DOJ similarly evaluates whether leaders follow the same rules they impose on others. Exceptions for senior executives undermine program credibility and weaken deterrence.

Second, leadership must respond to misconduct with moral clarity. Marcus wrote that anger and denial cloud judgment. In compliance terms, this means addressing issues promptly, transparently, and proportionately. Delayed or defensive responses signal tolerance, even when discipline eventually occurs.

Third, middle management matters. Marcus understood that culture is transmitted through layers of authority. DOJ guidance emphasizes the role of middle managers as culture carriers. Compliance programs should equip managers with the tools and incentives to reinforce ethical behavior, not merely deliver targets.

Fourth, incentives must reflect values. Marcus warned against leaders who chase reputation or reward at the expense of principle. Modern compliance programs must ensure compensation structures do not reward outcomes achieved through questionable means. The DOJ has repeatedly cited incentive misalignment as a root cause of misconduct.

Finally, leadership must create psychological safety. Marcus believed leaders should listen more than they speak. In compliance terms, this translates into openness to bad news, encouragement of dissent, and protection for those who raise concerns. A culture that punishes truth-telling cannot sustain compliance.

IV. Key Takeaways for Compliance Professionals

1. The Blueprint. Compliance professionals should view Marcus Aurelius and his writings as the blueprint for culture-based compliance. You can draw a direct line from the Meditations to both your compliance program and the leadership skills a CCO needs. Compliance should evaluate leadership behavior as a primary control, not a soft factor. This means not only reviewing employees who are promoted to management, but also a deep dive into their backgrounds. Also, thorough due diligence for any senior management hires from outside your organization.

2. Higher Standards. Compliance should hold senior leaders to higher standards of consistency and accountability.

3. Institutional Justice. Compliance should focus on how leaders respond to misconduct, not just how they prevent it. This is the CCO’s charge, and it must include an institutional fairness component in your compliance program.

  1. Compliance should ensure incentives reinforce ethical behavior at every level. The DOJ has consistently discussed the role of incentives in any compliance program, as far back as the 1st edition of the FCPA Guidance in 2012.
  2. Compliance should treat culture as an operational risk area subject to oversight and testing. Culture should be assessed, monitored, and improved. Simply because it is seen as a ‘soft’ part of an organization does not mean it should be treated differently.

4. Walk the Walk. Finally, Marcus Aurelius reminds us that ethical leadership is not performative. It is visible, daily, and decisive. In organizations, culture follows leadership long before it follows policy.

V. Conclusion

Marcus Aurelius brings the compliance lifecycle to its cultural apex. He shows that leadership behavior is not merely influential but determinative, shaping whether ethical expectations are taken seriously or quietly dismissed. Yet even the strongest ethical culture is not self-sustaining. Leaders are human, memory fades, and good intentions erode without reinforcement. This is where culture must be supported by systems that observe, test, and correct.

Marcus Aurelius teaches us how leaders should behave; Lucretius challenges us to examine how organizations think. If Marcus focuses on moral example, Lucretius turns our attention to rational observation, warning against fear, superstition, and self-deception. The transition from Marcus Aurelius to Lucretius mirrors the shift from cultural leadership to continuous improvement, from ethical intent to empirical verification. In compliance terms, it is the move from assuming the program works to proving that it does, using data, monitoring, and clear-eyed analysis rather than hope or habit.

Join us tomorrow for our concluding article on Lucretius and Rationality in Monitoring and Continuous Improvement. We will consider where culture gives way to systems, data, and the discipline of seeing risk clearly rather than through fear or superstition.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Reality of AI Adoption in Corporate Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly examine three recent surveys that examine the real-world impact of AI adoption in corporate environments.

Recording from Alexandria, Virginia, where Matt is attending a conference on ethical governance of AI, Matt and Tom discuss the differing perceptions of AI’s benefits between senior executives and other employees. They explore findings from PWC, Section, and Workday surveys, uncovering a significant gap in AI’s perceived value. The discussion highlights the challenges of integrating AI, the significant rework required by employees, and the struggle to build trust in AI tools. They also debate whether enterprise-scale AI deployment or incremental, point-specific adoption is the best path forward.

Key highlights:

  • Conference on Ethical AI Governance
  • Reality Checks on AI Adoption
  • AI Rework and Employee Training Concerns
  • Trust Issues with AI

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 3 Varro, System Design, and Making Compliance Governable

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the Roman Republic and the Roman Empire.

We have considered Cicero and the duty, law, and the moral limits of business; and Seneca and power, pressure, and ethical decision-making under stress. Today, we consider Varro and corporate governance; upcoming blog posts include Marcus Aurelius and ethical leadership and tone at the top, and we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we continue our discussion of Varro and compliance governance structures.

I. Varro in Context: Order as Institutional Survival

Marcus Terentius Varro was not a moralist in the way Cicero was, nor a psychological observer like Seneca. He was Rome’s great systematizer. Varro cataloged language, religion, agriculture, history, and civic life with a single objective: to make complex institutions intelligible and durable. He believed that civilizations fail not first from immorality, but from disorder. Although very little of his writings survives, Plutarch described him as “Rome’s Third Great Light” behind Virgil and Cicero.

Varro lived through the collapse of the Roman Republic. He watched institutions grow so complex, fragmented, and inconsistent that they could no longer govern themselves. His response was not exhortation or outrage, but classification. By defining categories, standardizing language, and organizing knowledge, Varro sought to preserve Rome’s ability to function even as political pressures mounted.

For modern compliance professionals, Varro is essential precisely because he does not begin with ethics. He starts with structure. He understood that values cannot operate within incoherent systems. Before leadership can model ethics and before culture can reinforce integrity, the institution must be governable.

II. The Compliance Problem Varro Illuminates: Program Sprawl and Structural Entropy

Modern compliance programs rarely fail because they lack policies or commitment. They fail because they become structurally unmanageable.

Over time, compliance programs accumulate:

  • Policies written for different risks, jurisdictions, and moments in time
  • Risk assessments that do not align with controls
  • Training modules disconnected from decision-making
  • Escalation paths that vary by function or geography
  • Metrics that track activity but do not integrate

This is compliance sprawl. No one intentionally designs it. It emerges gradually as organizations respond to enforcement actions, audits, mergers, new regulations, and internal incidents. Eventually, the program exists everywhere and nowhere at once. Varro would recognize this immediately. He believed that when systems grow faster than understanding, governance becomes ceremonial. Rules exist, but they do not guide behavior. Oversight exists, but it cannot see clearly.

The DOJ Evaluation of Corporate Compliance Programs (ECCP) reflects Varro’s concern by asking whether a program is well-designed, consistently applied, and understood by employees. These are not ethical questions. They are structural ones.

III. Modern Corporate Application: Varro, DOJ Expectations, and Compliance Architecture

Applying Varro to modern compliance highlights the importance of architecture over accumulation.

First, compliance programs must classify risk consistently. Varro believed that naming and categorizing were a form of control. In compliance terms, this means standardized risk taxonomies, consistent issue classifications, and shared definitions across legal, compliance, audit, and HR. Without this, trend analysis and root cause assessment become unreliable.

Second, integration must replace layering. Varro linked systems rather than allowing them to multiply independently. Modern compliance programs should map risks to controls, controls to training, training to behavior, and behavior to metrics. The DOJ increasingly expects compliance to be embedded in business operations rather than treated as a parallel system.

Third, ownership must be explicit. Varro rejected ambiguity about responsibility. In compliance programs, unclear ownership of controls, investigations, and remediation creates delay and finger-pointing. A governable program clearly and visibly assigns responsibility.

Fourth, institutional memory must be preserved. Varro understood that institutions that forget repeat mistakes. Compliance programs must retain investigation outcomes, remediation decisions, and lessons learned to inform future risk assessments and controls. DOJ guidance increasingly focuses on learning and continuous improvement, which cannot occur without memory.

Finally, language discipline matters. Varro studied language because confused language produces confused action. In compliance, inconsistent terminology across policies, reports, and board materials undermines oversight. Precision is not pedantry. It is governance.

IV. Key Takeaways for Compliance Professionals

  1. Compliance Governance. Compliance professionals should view Varro as the architect of governable compliance. Varro teaches that ethics cannot function without a structure that allows oversight, consistency, and understanding. A compliance program that cannot be clearly explained cannot be effectively governed. Governable compliance is the prerequisite for ethical leadership, accountability, and continuous improvement.
  2. Well Designed. Compliance should prioritize coherence over accumulation. Adding more policies, controls, and tools does not strengthen a compliance program if they do not align with one another. Varro would warn that unchecked accumulation creates confusion rather than protection. Coherence ensures that each element of the program reinforces the others instead of competing for attention.
  3. Risk Measurement. Compliance should standardize risk classification and language across functions. Varro understood that shared language is essential for coordinated action. When legal, compliance, audit, and business teams describe the same risk differently, oversight becomes fragmented. Standardized terminology allows trends to be identified, lessons to be learned, and governance to function effectively.
  4. Written Program. Your compliance should integrate policies, controls, training, and metrics into a single operating model. Varro rejected isolated systems in favor of interconnected ones. A compliance program works only when policies inform controls, controls shape training, and training influences measurable behavior. Integration transforms compliance from a collection of activities into an operational system.
  5. Remember. Compliance should preserve institutional memory to prevent repeat failures. Varro believed institutions must remember their own history to avoid repeating mistakes. Compliance programs fail when lessons learned from investigations or audits are lost with personnel changes or reorganizations. Preserving institutional memory enables trend analysis, informed risk assessments, and durable remediation.
  6. Enabler. Compliance should treat structure as an ethical enabler, not a bureaucratic burden. Structure is often misunderstood as red tape rather than support. Varro shows that clear structure empowers ethical action by reducing ambiguity and inconsistency. Well-designed systems make it easier for individuals and leaders to do the right thing.
  7. Simplicity. Finally, Varro reminds us that ethical intent cannot survive inside incoherent systems. Compliance programs do not fail only because people act under pressure. They fail because the system itself becomes too complex to operate. Ethical breakdown is often preceded by structural breakdown. When compliance systems become fragmented, opaque, or unmanageable, even well-intentioned actors struggle to act responsibly. Varro’s lesson is that simplicity, clarity, and integration are not administrative preferences but governance necessities.

V. Conclusion

Varro’s enduring contribution to modern compliance is his insistence that ethics cannot function in systems that cannot be understood, managed, or governed. He reminds compliance professionals that before culture can shape behavior and before leadership can model integrity, the program itself must be coherent, integrated, and durable. In an era where compliance programs risk collapsing under their own complexity, Varro offers a sobering but practical lesson: clarity is not a luxury, simplicity is not weakness, and structure is not bureaucracy. They are the conditions that allow ethical intent to survive pressure, scale, and time.

Varro stabilizes the compliance program by making it governable. But structure alone does not produce integrity. A well-organized system can still fail if those who lead it do not model ethical restraint. This is where Varro yields to Marcus Aurelius. If Varro ensures that the compliance program holds together, Marcus Aurelius determines how it behaves. The transition from Varro to Marcus Aurelius mirrors the shift from system design to ethical leadership, from architecture to example. Compliance becomes durable only when principled leaders animate coherent systems.

Join us tomorrow in Part 4 for a look at Marcus Aurelius, stoicism, and leadership.

Categories
AI Today in 5

AI Today in 5: February 3, 2026, The AI Undergrad Degree Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. UW-Whitewater offers an undergraduate degree in AI. (Channel3000)
  2. The race to build an operating system for investment advisors. (InvestmentNews)
  3. Cramer says AI changing companies fortunes. (YahooFinanceSingapore)
  4. Is your business’s speed a risk? (FinTechGlobal)
  5. Where is AI taking us? 8 thinkers report. (NYT)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Red Flags Rising

Red Flags Rising: S01 E36: How to Prepare for 2026 – The Fraud Diamond Framework (SM) Applied

Mike Huneke and Brent Carlson return for the new year with a refresher on The Fraud Diamond Framework (SM) introduced in Episode 34 and an explanation of how it would apply in practice as trade compliance professionals try to expect the unexpected in 2026. They discuss the importance of designing and implementing “compliance backstops” as geopolitical guardrails (01:47), how Stoic philosophy and the good work of Mo Bunnell (CEO and Founder of Bunnell Idea Group, author of Give to Grow) help build resiliency (03:40), review The Fraud Diamond Framework(SM) (05:57), describe how the framework can help trade compliance personnel to make and defend triage decisions (10:59), the implications of many trade compliance programs reaching a point in their evolution where they need to be able to demonstrate true integrity and effectiveness (13:45), the new 25% tariffs on certain semiconductors (14:38), and notable economic sanctions enforcement decisions related to lawyers’ advice or lawyers themselves (15:56). They conclude with Brent’s first Managing Up of 2026 (21:04).

Resources:

Brent’s email: brent@redflagsrising.com

Mike’s email: michael.huneke@morganlewis.com