Tag: compliance

Categories
Blog

Aly McDevitt Week: Part 4 – Flex, Scope 3, and the New Frontier of Compliance Beyond the Four Walls

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Once again, McDevitt showed why strong compliance journalism matters. She did not write a generic ESG success story. She examined how a global manufacturer sought to address a problem largely outside its direct control while still building governance, accountability, and measurable progress around it. For compliance professionals, that is the heart of the story. Flex is not simply trying to improve what happens inside its factories. It is trying to influence what happens across a value chain that is vastly larger than the company itself.

That challenge begins with scale. As McDevitt reports, Flex generates $26 billion in annual revenue, has about 170,000 employees, operates in more than 100 facilities across 30 countries, serves 1,000 customers, and works with 16,000 global suppliers. It is the kind of company that many end users do not recognize by name, but that sits squarely in the middle of countless supply chains. That middle position is precisely what makes the case study so relevant to corporate compliance. Many modern compliance risks do not stop at the company boundary. They sit upstream in sourcing, downstream in product use, and sideways in third-party relationships.

In environmental terms, this means Scope 3 emissions. McDevitt explains that while Scope 1 and Scope 2 emissions are relatively easier to quantify and manage, Scope 3 emissions, meaning indirect emissions across the value chain, are much harder. At Flex, Scope 3 emissions accounted for 99 percent of total gross emissions in 2019, 2020, and 2021. That single fact should get every compliance professional’s attention. If 99 percent of your footprint sits outside your direct operating control, then governance cannot be limited to internal operations. It must extend outward through influence, incentives, transparency, and partnerships.

That is why I find McDevitt’s reporting on Flex so useful. She shows that the company understood the compliance-like problem embedded in sustainability. Scope 3 is not just an environmental accounting challenge. It is a governance challenge. It asks whether a company can establish expectations, escalation paths, reporting systems, and controls for conduct and performance that rely heavily on third parties.

McDevitt presents 2019 as a hinge point for the company. That was the year Revathi Advaithi became Chief Executive Officer (CEO), and the year Flex adopted a more ambitious sustainability posture. Andy Powell, Flex’s Chief Ethics and Compliance Officer, told McDevitt that before Advaithi’s arrival, the culture needed a turnaround, and that her leadership changed the tone at the top and the company culture. For compliance officers, this is a familiar lesson. Every durable transformation begins with tone at the top, but it cannot stop there. Tone only matters when it is translated into goals, structures, and incentives.

Flex did that by making 2019 its baseline year for future targets and by setting three major 2030 goals: cut Scope 1 and 2 emissions by 50 percent from the 2019 base year; ensure 50 percent of preferred suppliers set their own GHG reduction targets by 2025 and 100 percent by 2030; and have 70 percent of specified customers set science-based targets by 2025. In its first year, the company reported a 14 percent reduction in operational emissions and said 29 percent of preferred suppliers and 48 percent of specified customers had already set GHG-reduction or science-based targets.

Those numbers matter, but for compliance professionals, what matters more is how Flex operationalized the effort. McDevitt reports that the company did not leave sustainability as a free-floating corporate aspiration. It built governance around it. Barjouth Aguilar, who leads the global sustainability program, described a tight-knit team that tracks a broad range of KPIs across more than 100 sites, runs materiality assessments, designs goals with area owners, conducts site training, and communicates performance across the organization. She emphasized that her team serves as “the connectors,” a phrase every compliance officer will appreciate. The modern compliance function is increasingly a connector function. It brings together legal, operations, procurement, finance, IT, HR, and business leadership around shared risk and accountability.

Flex has also gotten one structural issue right. McDevitt reports that its sustainability program management sits within the company’s LMS, legal, marketing, and security teams, all of which report to the general counsel. Andy Powell said that the arrangement creates tight cross-functional collaboration with the ethics and compliance program because it is “all in the same family”. That is not a trivial point. Too many organizations allow ESG, compliance, procurement, and operations to operate on parallel tracks. Flex’s structure suggests a more mature model, one where sustainability is treated as a governance issue rather than a branding exercise.

McDevitt also highlights the program’s operational discipline. Site-level representatives across more than 100 facilities participate in a sustainability network, report local progress, escalate issues, and use monthly scorecards tied to company-wide goals. This is where the case study becomes particularly instructive for compliance practitioners. Flex is not merely talking about targets. It is using cadence, scorecards, escalation, and localized accountability. In other words, it treats sustainability as a management system.

That is exactly how a compliance officer should think about ESG. The challenge is not just about the announced goal. The challenge is whether the company has a process to monitor performance, surface problems, and drive remedial action.

Another strong section in McDevitt’s reporting concerns greenwashing. Aguilar recommends a three-pronged approach: materiality assessment, data verification, and transparency. This is sound advice for any corporate compliance program. Materiality assessment aligns the strategy with business realities and stakeholder expectations. Verification creates integrity in reported data. Transparency preserves trust, especially when progress falls short. McDevitt notes that Flex has used third-party verification of environmental data through DNV since its 2018 sustainability report. That kind of external validation is increasingly important in a world where ESG claims are scrutinized by customers, investors, regulators, and plaintiffs’ lawyers.

I also appreciated McDevitt’s discussion of how Flex manages suppliers. The company’s supplier-side target focuses on preferred suppliers, about 500 companies out of a total supply base of 16,000, but that group receives 50 percent of Flex’s $7 billion annual spend on commodity sourcing. Some might criticize that as narrow. I think it is practical. Compliance professionals know that risk-based prioritization is not a weakness. It is maturity. You begin where the leverage is greatest.

Flex did not stop with expectations alone. McDevitt reports that it created a yearlong process for suppliers that includes education, webinars, training, disclosures through CDP, follow-up support, and internal review of results. In one year, Flex trained 424 suppliers and 695 supplier personnel. That is what third-party compliance looks like in practice. Not merely contract clauses, but enablement.

There is also a sober realism in the case study that I admire. David Gessler acknowledged that the closer Flex gets to its deadlines, the harder it will be to motivate the remaining suppliers, particularly smaller ones in regions where ESG language may still be foreign or where supplier resources are limited. He also noted that regulatory expectations are moving quickly and that customer demands are already outrunning some of the company’s original plans. That is another useful lesson. A modern compliance program cannot be static. It must evolve as stakeholder expectations, regulations, and commercial realities change.

Finally, McDevitt shows that Flex is thinking not only about suppliers but also about customers and the product lifecycle. The company is trying to help customers design more sustainable products, extend product lifespans, support repair and remanufacturing, and build circular-economy solutions. This matters because the largest share of Flex’s Scope 3 emissions comes from “use of sold products,” which accounted for 93 percent of total Scope 3 emissions in 2021. In plain English, the biggest sustainability issue is not simply what Flex does in manufacturing. It is what happens after the product leaves.

That, to me, is the broader compliance insight. The future of compliance will increasingly require professionals to think in systems, not silos. Whether the topic is anti-corruption, human rights, cyber, AI, or ESG, the key question is no longer only, “What happens inside our company?” It is also, “How do we govern what we influence but do not fully control?”

Aly McDevitt’s Reaching into the Value Chain answers that question with a practical and realistic example. Flex may not control every node of its value chain, but it is building a framework to influence it with structure, data, accountability, and persistence. For compliance professionals, that is a model worth studying.

Join us tomorrow as we conclude our 5-blog-post tribute to Aly McDevitt by reviewing her case study on a Ransomware attack and a corporate response. I am a columnist for Compliance Week.

Categories
Blog

Aly McDevitt Week: Part 3 – Lafarge, Syria, and When “Business Continuity” Becomes Criminality

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

In this case study, Aly took a scandal that could easily be reduced to a shocking headline and showed how misconduct often grows incrementally, decision by decision, concession by concession, until a company crosses a line it can no longer explain away. As McDevitt framed it, Lafarge’s collapse into criminal conduct was not sudden. What began as “local concessions” in a war zone ended in terrorist financing, a guilty plea, and a historic compliance disaster.

For the corporate compliance professional, that is where this story starts. Not with ISIS. Not with the guilty plea. Not even with Syria’s descent into civil war. It starts with a corporate mindset that treats business continuity as a value higher than legal and ethical boundaries.

McDevitt lays out the core facts with devastating clarity. Lafarge built a $680 million cement plant in the Jalabiyeh region of Syria in 2010, just as the Arab Spring began to reshape the region. The plant, Lafarge Cement Syria, was strategically important, but it also operated in an increasingly unstable environment. By 2011, political unrest in Syria had become a violent conflict. By 2012, the area around the plant was plagued by kidnappings, hijackings, and the killing of a contractor at a checkpoint. Most companies would view those developments as bright red stop signs. Lafarge saw them as obstacles to manage.

That is the first major lesson of the case study. The most dangerous compliance failures often arise not from ignorance of risk but from a conscious decision to keep operating despite it. McDevitt shows that while other companies pulled out of Syria, Lafarge kept the plant running and shifted management of Syrian operations to Cairo after evacuating European employees. That decision set the stage for the next step: negotiating through intermediaries with armed factions to permit continued operations. By then, the moral and legal slope was already slippery. The question was no longer whether the company faced risk. The question was how much compromise leadership was willing to tolerate to avoid writing off a major investment.

McDevitt’s reporting is especially effective because it captures the gradualism of the wrongdoing. She writes that Lafarge executives did not wake up one day and decide to fund terrorists. It happened slowly, one deal after another, as the company tried to preserve operations in a deteriorating war zone. This is a point every compliance professional should sit with. Catastrophic misconduct often results from the accumulation of rationalized, smaller acts. Each one is framed as temporary, practical, or necessary. Each one moves the line. Eventually, there is no line left.

The Justice Department ultimately found that Lafarge routed about $5.92 million in illicit payments to the al-Nusra Front and ISIS. In 2022, Lafarge pleaded guilty in the United States to providing material support to terrorist organizations, the first case of its kind against a corporation in the U.S. Former Deputy Attorney General Lisa Monaco said the company “paid millions of dollars to both terrorist groups and benefited from their brutality to the tune of $70 million in revenue,” and the company paid $778 million in fines and forfeitures as part of the plea agreement.

That number alone should command the attention of boards and executive teams. Lafarge tried to avoid the business pain of shutting down a troubled asset and ended up paying more than the original investment in penalties, while also suffering deep reputational damage, legal exposure in multiple jurisdictions, and criminal proceedings against former executives. There is a brutal irony in that outcome. The Syrian plant accounted for less than 1% of Lafarge’s total sales at the time of the Holcim merger, yet the consequences of non-compliance proved vastly disproportionate to the asset’s commercial importance. That is the second lesson. The smaller the business rationale, the less defensible the compliance compromise.

McDevitt also explains why the U.S. Department of Justice had jurisdiction. Lafarge used U.S.-based email services to avoid using company email addresses, and some payments linked to terrorist groups were made in U.S. dollars through New York banks. This should resonate with every multinational company. Jurisdiction in modern enforcement is not limited by headquarters location. It is created through systems, currency flows, communications infrastructure, and business touchpoints. In a global company, you can be hauled into a U.S. enforcement action because you used the plumbing of U.S. commerce.

McDevitt’s account also reveals something even more troubling. By September 2013, Lafarge executives were already acknowledging the reality in their own meeting minutes, stating that it was becoming harder and harder to operate without directly or indirectly negotiating with networks designated as terrorists by international organizations and the United States. That line should stop every compliance officer in their tracks. At that moment, the risk was no longer ambiguous. It was known, articulated, and documented. The failure thereafter was not one of detection. It was one of the decision-making processes.

And that brings us to the heart of the compliance lesson. Once a company understands the legal and ethical nature of the risk, the compliance function is not merely to record the issue. The job is to create a decision architecture that can force the right outcome, even when business leadership hates it.

McDevitt reinforces this through the voice of Marcia Narine Weldon, who said, “business continuity can’t be an excuse for abandoning core legal and ethical principles” and even more pointedly, “When you’re dealing with potential terrorism financing, neutrality isn’t an option. You either stop it or you become complicit”. That is exactly right. There are categories of risk where compromise is not prudent; balancing is complicity. Terrorist financing sits squarely in that category.

Another important aspect of McDevitt’s case study is the timeline of internal response. Holcim, after its merger with Lafarge, became aware in 2016 of allegations that Lafarge had negotiated with ISIS and made payments to it. The head of compliance informed the Chief Legal and Compliance Officer that outside counsel had been engaged for legal analysis, and the board’s finance and audit committee directed an investigation. This sequence shows what a post-discovery escalation should look like. But it also highlights a painful truth: escalation after the fact is not the same as prevention. The best board briefing in 2016 could not undo the wrong choices made years earlier.

For compliance leaders, the Lafarge matter is therefore a case study in the limits of retrospective governance. Once the organization has crossed the line into criminal conduct, the role of compliance shifts from prevention to damage containment.

McDevitt weaves this throughout the piece with precision. She does not sensationalize the conduct. She shows how a company operating in a volatile, high-risk environment allowed ethics and compliance to take a back seat to business survival. That is what makes the article so valuable. It reminds us that in high-pressure environments, compliance is not a support function sitting politely on the sidelines. It is the adult in the room. Sometimes that means telling management to shut down an operation. Sometimes it means escalating to the board. Sometimes it means resigning rather than participating in the unambiguously wrong.

In the end, Inside a Dark Pact is one of Aly McDevitt’s strongest cautionary tales because it strips away comforting myths. It tells us that smart people can rationalize the indefensible. It tells us that local concessions can become global crimes. And it tells us that when a company places asset preservation above values, it may preserve neither.

Join us tomorrow when we review Aly’s piece on Flex and its ESG journey. I am a columnist for Compliance Week.

Categories
Great Women in Compliance

Great Women in Compliance: Reflections on Investigations, Culture and the Future

In this episode of Great Women in Compliance, Lisa Fine speaks with Becky Rohr, Chief Compliance Officer and Head of Investigations at Ericsson. Becky talks about how her career journey led her to join Ericsson during a monitorship to strengthen their investigations function.

To do that, she focused on conducting fair, thorough, and efficient investigations, enhancing investigator training, and improving processes for collecting and reviewing digital evidence within a global organization. This led to her being named Chief Compliance Officer at Ericsson and to the benefits of integrating investigations and compliance.  Not only did this lead to the continued evolution of their compliance function, but it also connected hotline reports, investigations, and remediation by using creative approaches to reinforcing ethics at Ericcson.

Lisa and Becky also discuss how the Ericcson team has addressed workplace misconduct globally, sustaining compliance improvements after a monitorship ends, and the importance of leadership communication in maintaining a strong ethical culture.

The conversation also touches on culture change, addressing workplace misconduct globally, and how organizations can sustain strong compliance programs even after regulatory oversight ends.

Finally, Becky reflects on her decision to leave Ericsson and take a “power of the pause” moment before deciding on her next chapter—an approach that highlights the value of reflection and intentional career choices.

Categories
AI Today in 5

AI Today in 5: March 10, 2026, The Good, The Bad and The Ugly Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Texas goes TRAIGA. (JD Supra)
  2. AI to reshape compliance. (FinTech Global)
  3. The Good, Bad, and Ugly of AI in healthcare. (ZDNet)
  4. The AI Literacy gap is a compliance risk. (Complex Discovery)
  5. How to use AI without getting dumber. (Business Insider Africa)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Innovation in Compliance

Innovation in Compliance: Jim Massey on Risk in Action

Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode,  host Tom visits with Jim Massey about his latest book, Risk in Action: The Leader’s Guide to Act with Clarity.

Jim Massey is a distinguished figure in risk management, known for translating complex ideas into practical strategies that empower business leaders. With a wealth of experience from boardrooms to executive sessions, he is a highly sought-after keynote speaker who enlightens audiences on how to navigate risks in high-pressure situations. Through his books, including his prior work, Trust in Action, Jim champions prioritizing and understanding risks, focusing on critical gaps and opportunities rather than attempting to address all risks equally. He is a proponent of using AI to streamline and revolutionize risk assessment processes, advocating a proactive approach in which leaders view risk as a potential driver of innovation and growth rather than merely a hurdle to overcome.

 

Key highlights:

  • Transforming Compliance Professionals into Risk Advisors
  • Adaptive Decision-Making in Uncertain Environments
  • Real-time AI Risk Cards for Executives
  • Embracing Risk as Catalyst for Innovation in Business
  • Embracing Risk as an Innovation Catalyst

Resources:

Jim Massey on LinkedIn

Jim Massey Website

Risk in Action: The Leader’s Guide to Act with Clarity

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Categories
Blog

Aly McDevitt Week: Part 2 – VW, Dieselgate, and the Long Road from Fear to Integrity

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

In this story, Aly’s reporting did what the best compliance journalism always does: it moved beyond the headline scandal to examine the operating mechanics of cultural repair. McDevitt did not simply retell Dieselgate. She walked through how Volkswagen tried to recover from one of the great corporate compliance failures of modern times through a U.S. monitorship, structural reform, and a sustained effort to replace fear with integrity.

For the corporate compliance professional,  Coming Clean is more than a case study about emissions cheating. It is a case study on whether a company permeated by misconduct can rebuild trust in a credible, measurable, and durable way.

McDevitt begins with the plain truth. Dieselgate was not the act of a single rogue employee or a single bad executive. The defeat device was developed, installed, and concealed by many. Volkswagen’s diesel vehicles used software that sensed when emissions testing was underway and shifted performance to produce compliant results; during normal operations, emissions controls underperformed, resulting in nitrogen oxide pollution up to 40 times above permitted levels, according to U.S. officials. In total, Volkswagen sold approximately 590,000 such vehicles in the United States and roughly 11 million worldwide.

That alone would have made this a historic scandal. But the deeper compliance failure was cultural. McDevitt reports that the company did not come clean voluntarily. It admitted wrongdoing only after regulatory pressure forced the issue. As she recounts, former New York Attorney General Eric Schneiderman alleged that hundreds of senior executives and engineers knew what was happening and that no one was willing to say, “Maybe we should not do this” or “This is against the law,” a devastating indictment of the company’s ethical environment.

That is the first lesson for compliance officers. Compliance breakdowns at this scale are rarely caused by one missing policy. They come from pressure, silence, and a culture that normalizes rationalization.

Volkswagen’s business ambition played a central role. McDevitt notes that the company’s push to become the world’s most successful automaker was accompanied by an integrity deficit, unrealistic goals, and a culture of fear. Later in the case study, she connects this to Strategy 2018, a corporate objective that sought market dominance and, in many observers’ view, created unbearable pressure to deliver results. This is an old lesson, but it remains evergreen. When growth goals are decoupled from ethics, misconduct begins to look like problem-solving.

Volkswagen’s 2017 guilty plea resulted in $4.3 billion in criminal and civil penalties and a three-year U.S. monitorship. McDevitt rightly focuses on the monitorship not as a humiliation ritual, but as an instrument of recovery. Former Deputy Attorney General Larry Thompson was appointed independent compliance monitor and auditor, and Hiltrud Werner became the executive on the Volkswagen side responsible for integrity, legal affairs, and much of the internal reform effort.

One of McDevitt’s great strengths in this piece is her attention to the relationship between monitor and company. Too often, practitioners think of monitorships as adversarial. Volkswagen’s experience suggests something more nuanced. Werner explicitly framed the monitor as an investment in Volkswagen’s future, not merely a punishment for its past, and she stressed that having someone on-site who knew the required standard was a positive element of reform. That is a practical insight. External oversight works best when the organization treats it as a pathway to transformation rather than a box-checking burden.

McDevitt also highlights the mechanics of making that relationship work. Volkswagen held a pre-monitorship “boot camp” in May 2017 to accelerate understanding, create transparency, and build human relationships between the monitor team and company personnel. Werner’s takeaway was one every compliance professional should write down: do not focus only on process; focus on people, too. I find that insight especially powerful because compliance functions often overinvest in control language and underinvest in trust architecture.

That same lesson appears in Volkswagen’s Project Management Office. McDevitt reports that the company created a neutral PMO to coordinate the monitorship across departments, manage over 1 million pages of documents and more than 8,000 meetings, and connect the monitor team to knowledgeable personnel across the enterprise. The PMO was not clerical support. It was organizational muscle. It mirrored the monitor’s work streams, established clear lines of contact, and brought together 80 staff from the first, second, and third lines of defense. That is another lesson worth underlining. In a major remediation project, project management is not ancillary to compliance. It is compliance.

McDevitt then turned to one of the most significant reforms: a single Code of Conduct for all employees across all 12 brands and companies, the first such common code in Volkswagen’s history. Hiltrud Werner described it as the company’s first stable anchor for culture. The Code was not meant to be an abstract statement. It included case studies and examples, and the training was updated to include “Dieselgate Lessons Learned” on compliance, integrity, culture, realism, personal responsibility, and speak-up expectations. Every employee and all board members received training on those lessons. For compliance professionals, this is exactly right. If your code cannot explain what went wrong in your own organization, then it is not yet a living document.

McDevitt’s reporting on Together4Integrity (T4I) is especially useful for practitioners. T4I emerged from the ashes of the failed growth-at-all-costs model and was built on two pillars: designing processes and positively influencing them, and inspiring employees to do the right thing out of conviction. It was not a one-size-fits-all rollout. Volkswagen recognized that a global organization with strong local identities needed both centralized standards and local ownership.

I particularly appreciated how McDevitt showed the practical texture of this effort. Local managers were empowered to choose engagement formats, from discussion breakfasts to integrity activities designed to reduce the distance between managers and employees and support a more open speak-up culture. Stephanie Davis, Volkswagen Group of America’s CECO, put it plainly: serious topics cannot be so scary that employees refuse to engage with them. Demystifying the work is part of the work.

The company also understood that culture had to be measured. This is perhaps the most practical part of McDevitt’s analysis. Volkswagen used perception workshops and its annual Stimmungs barometer survey to assess whether employees believed integrity was possible within their organizational units, identify weak areas, and build risk-based action plans. Werner reported that these measures showed year-over-year improvement, and the company used them to target workshops and resources where risk was greatest.

This is where many companies still fall short. They conduct training and communications, but they do not build a credible measurement framework for whether culture is actually changing. Volkswagen’s approach, as McDevitt presents it, offers a more mature model.

She also addresses the root causes of silence. Volkswagen identified “chimney careers,” or promotion paths entirely within one silo, as a structural factor that discouraged speaking up, as employees became too dependent on a single chain of command. That diagnosis is remarkably important. Speak-up culture is not only about hotline posters or anti-retaliation language. It is also about mobility, organizational design, and whether employees believe dissent will end their careers.

Finally, McDevitt looks at trust. Internally, Volkswagen viewed the increase in non-anonymous whistleblower reports as evidence that fear had begun to recede. In 2020, the company received 2,800 whistleblower tips, 90 percent of which were non-anonymous, a figure Werner said was unusually high and a signal that employees no longer felt the same degree of fear. Externally, regaining customer trust was slower and more difficult. Volkswagen repositioned around electric vehicles, carbon neutrality, and Electrify America, but Werner candidly admitted that rebuilding credibility was still a long process.

That candor may be the final lesson. After a scandal of this magnitude, a campaign cannot restore trust. It is restored by years of disciplined conduct, transparent accountability, and evidence that the company has truly understood what went wrong. Aly McDevitt’s Coming Clean is therefore not simply a story about Volkswagen. It is a guide to the difficult middle stage of compliance work: what happens after the plea, after the headlines, after the first promises. That is where the real labor begins.

Join us tomorrow, where we review Aly’s piece on Lafarge in Syria. I am a columnist for Compliance Week.

Categories
Blog

Aly McDevitt Week: Part 1 – Carnival and the Hard Truth About Crisis-Tested Compliance

This week, I want to pay tribute to my former Compliance Week colleague, Aly McDevitt, who announced on LinkedIn that she was retiring from CW to become a full-time mother. I wrote a tribute to Aly, which appeared in CW last week. To prepare to write that piece, I re-read her long-form case studies, which she wrote over the years for CW. They are as compelling today as when she wrote them. This week, I will be paying tribute to Aly by reviewing five of her pieces. The schedule for this week is:

Monday: A Tale of Two Storms

Tuesday: Coming Clean

Wednesday: Inside a Dark Pact

Thursday: Reaching Into the Value Chain

Friday: Ransomware Attack: An immersive case study of a cyber event based on real-life scenarios

Please note that I will leave her seminal (in my opinion) piece, The Banks Behind the Epstein Enterprise, for a later piece.

In A Tale of Two Storms, it is worth noting at the outset that McDevitt did more than recount a corporate crisis. She captured a company trying to rebuild itself under the eye of a court-appointed monitor just as COVID-19 exploded into a global emergency. As Compliance Week explained, what began as a long-form examination of Carnival’s environmental misconduct and attempted compliance redemption became a far bigger story when one of its ships became an early incubator of the virus outside China.

For the compliance professional, that pivot is the first lesson. A program is not truly tested in the conference room. It is tested when an old crisis collides with a new one.

McDevitt opens at a moment of eerie transition. On February 20, 2020, Carnival was already dealing with a COVID-19 outbreak aboard the Diamond Princess, even as Compliance Week toured the company’s new ethics and compliance function in Miami. That juxtaposition framed the whole case study. Carnival was not simply managing a public health disaster. It was doing so while still carrying the baggage of a long, embarrassing, and very expensive history of environmental misconduct.

That history mattered. Carnival had pleaded guilty in federal court in both 2002 and 2017 to illegal discharges of oily waste and to falsification of records, and the Department of Justice viewed the pattern as evidence of a systemic problem in ethics and culture. This was not a one-off control failure. It was a story of repeated misconduct, insufficient structural reform, and an organization that had not yet fully learned how to turn compliance into culture.

McDevitt shows that the real inflection point came in 2019, after Carnival paid another $20 million for violating the terms of its probation and was ordered to implement corporate structural changes under a tight deadline, with a possible $10 million-per-day late penalty. That is when Carnival hired Peter Anderson as its first chief ethics and compliance officer and began to centralize what had long been fragmented compliance functions.

The importance of that move cannot be overstated. A common problem in large organizations is that compliance is spread across subject-matter silos, each with its own language, priorities, and reporting lines. McDevitt reports that before August 2019, Carnival did not have a centralized ethics and compliance department; environmental, general compliance, and health and safety functions worked independently across its operating companies. That fragmentation is often sold internally as efficiency or business autonomy. In practice, it can become a breeding ground for inconsistent controls, weak escalation, and cultural drift.

Anderson’s mandate was broader than legal remediation. He was brought in to unite the program, strengthen trust, improve information flow, and build a sustainable culture of compliance. McDevitt’s reporting around Anderson is especially valuable because she does not present him as a silver-bullet hero. Rather, she portrays him as an architect trying to build structure, process, and cultural credibility simultaneously.

His four pillars, as reported by McDevitt, were prevention, detection, response, and correction. That framework remains highly useful for any chief compliance officer. It reminds us that compliance is not just about policies or investigations. It is about understanding risk, identifying issues early, responding quickly, and then conducting real root cause analysis so the same failure does not recur. This became critically important once COVID hit.

One of the sharpest observations in McDevitt’s reporting comes from Carnival’s Gerry Ellis, who described the pandemic not as a pure compliance issue but as “compliance with the regulatory aspect of health” in a rapidly shifting battlefield of contradictory requirements across jurisdictions. That is a familiar challenge to modern compliance teams. Whether the issue is sanctions, AI governance, cyber, ESG, or public health, the hardest problems often come when the rules are changing in real time, across borders, with high operational stakes.

The brutal optics of timing also complicated Carnival’s crisis response. McDevitt details how the company faced allegations that it had sufficient warning signs yet continued operating for too long, even as infections spread across multiple vessels. Carnival defended its timing, noting that public health guidance was still evolving and that government advisories had not yet been fully escalated. That explanation may be understandable, but for compliance officers, the point is not merely whether management can defend its judgment after the fact. The point is whether the organization had the governance structure to make fast, documented, risk-based decisions while conditions changed by the hour.

McDevitt’s deeper contribution is to connect the pandemic response to the compliance rebuild already underway. She reports that Carnival’s pre-pandemic investments in a centralized program, better risk assessment, improved training, stronger communications, and closer engagement with the monitor helped the company absorb the shock of COVID more effectively than it otherwise could have. In other words, compliance did not solve the pandemic. But it provided muscle memory. That may be the most important lesson in the entire case study.

The company also understands that the tone at the top must be reinforced through resource allocation. Even amid severe financial pressure, Carnival preserved a larger share of its ethics and compliance team than many other departments, continued environmental investments, and developed a Pause Priorities Plan to sustain compliance momentum during the shutdown. Compliance officers should take note. A company reveals its real priorities not by slogans but by budget, staffing, visibility, and follow-through.

There are other practical insights here as well. McDevitt recounts how Carnival moved from a blame-oriented investigative mindset to “incident analysis” and learning, with Anderson explicitly stating that incidents should be viewed as assets for improvement. She also reports the company’s emphasis on “speak up,” leadership engagement, culture measurements, and the need to make captains and shipboard leaders receptive to challenge from below. That is a direct answer to one of the oldest compliance questions: how do you build trust in high-hierarchy environments where people fear speaking up?

Yet McDevitt does not let Carnival off the hook. The court-appointed monitor remained skeptical, top leadership had to be pushed to engage more deeply, environmental violations persisted, and Judge Patricia Seitz openly questioned whether Carnival was building a robust system that could function without the court’s “training wheels”. That skepticism is healthy. It underscores a hard truth every compliance professional knows: a redesigned program is not the same thing as an effective one. The real test is whether the organization behaves differently over time.

In the end, A Tale of Two Storms is not simply a cruise industry story. Aly McDevitt uses Carnival to show what happens when compliance reform is forced to mature in public, under enforcement pressure, and amid operational chaos. Her reporting demonstrates that while a crisis can expose weakness, it can also accelerate the transition from paper program to operational discipline.

For compliance leaders, that is the heart of the matter. You do not get to choose when your second storm arrives. You only get to choose whether your program is strong enough to meet it.

Join us tomorrow as we move to Aly’s piece on Volkswagen and its journey regarding its corporate soul after its emissions testing scandal. I am a columnist for Compliance Week.

Categories
Blog

AI Compliance as a Competitive Advantage: Turning Governance Into ROI

In too many organizations, “AI compliance” is treated like a speed bump. Something to route around, manage after launch, or outsource to a vendor deck and a policy that nobody reads. That mindset is not only outdated but also expensive. In 2026, mature AI governance is becoming a commercial differentiator because customers, regulators, employees, and business partners increasingly ask the same question: Can you prove your system is trustworthy?

The most underappreciated truth is that AI risk is not “an AI team problem.” It is a business-process problem, expressed through data, decisions, third parties, and change control. The Department of Justice Evaluation of Corporate Compliance Programs (ECCP) has never been about perfect paperwork; it has been about whether a program is designed, implemented, resourced, tested, and improved. If you can translate that posture into AI, you can convert “compliance cost” into “credibility capital.”

A cautionary backdrop shows why. The EEOC’s 2023 settlement with iTutorGroup serves as a cautionary tale: automated hiring screening that disadvantages older workers can lead to legal exposure, remediation costs, and reputational damage. The details matter less than the pattern; when algorithmic decisions are not governed, the business eventually pays the bill. The compliance professional should see the pivot clearly; governance is the mechanism that lets you move fast without becoming reckless.

From a build-from-scratch, low-to-medium maturity posture, the win is not sophistication. The win is repeatability. If you build an AI governance framework aligned to NIST AI RMF (govern, map, measure, manage), structured through ISO/IEC 42001’s management-system discipline, and cognizant of EU AI Act risk tiering, you get something the business loves: a predictable path from idea to deployment. Today, I will explore five ways mature AI compliance can become a competitive advantage, each with a practical view of how a compliance-focused GenAI assistant can support business processes.

1) Sales and Customer Trust

Trust is a sales feature now, even when marketing refuses to call it that. Customers increasingly ask about data use, model behavior, security controls, and human oversight, and they are doing it in procurement questionnaires and contract negotiations. A mature governance framework lets you answer quickly, consistently, and with evidence, thereby shortening sales cycles and reducing late-stage deal friction. A compliance GenAI can support this by drafting standardized responses from approved trust artifacts such as policies, model cards, DPIAs, and audit summaries; flagging gaps, and routing exceptions to Legal and Compliance before the business overpromises.

For compliance professionals, this lesson is even more stark, as the ‘customers’ of a corporate compliance program are your employees. Some key KPIs you can track are average time to complete AI security and compliance questionnaires; percentage of deals requiring AI-related contractual concessions; number of customer-facing AI disclosures issued with approved templates; and percentage of AI systems with current model documentation and ownership attestations.

2) Regulatory Credibility

Regulators are not impressed by ambition; controls persuade them. NIST AI RMF provides a common language to demonstrate that you mapped use cases, measured risks, and managed them over time, while ISO/IEC 42001 imposes discipline on accountability, documentation, and continual improvement. The EU AI Act’s risk-based approach adds an organizing principle: classify systems, apply controls proportionate to risk, and prove that you did it. A compliance GenAI can help by maintaining a living inventory, prompting owners to complete quarterly attestations, drafting control narratives aligned with the frameworks, and assembling regulator-ready “evidence packs” that demonstrate governance in operation rather than on paper.

For compliance professionals, this lesson is about your gap analysis. You have not aligned your current internal controls with GenAI, governance, or other controls. You should do so. Some key KPIs you can track are percentage of AI systems risk-tiered and documented; time to produce an evidence pack for a high-impact system; number of material control exceptions and time-to-remediation; and frequency of risk reviews for high-impact systems.

3) Faster Product Approvals and Safer Deployment

Speed comes from clarity, not from cutting corners. When decision rights, review thresholds, and required artifacts are defined up front, product teams stop guessing what Compliance will require at the end. That is the management-system advantage: ISO/IEC 42001 treats AI governance like a repeatable operational process with gates, owners, and records, rather than a series of one-off debates. A compliance GenAI can support the workflow by pre-screening new use-case intake forms, recommending the correct risk tier under EU AI Act concepts, suggesting required testing (bias, privacy, safety), and generating the first draft of a launch checklist that the product team can execute.

For compliance professionals, this lesson is that you must run compliance at the speed of your business operations. Some key KPIs you can track are: cycle time from AI intake to approval; percent of launches that pass on first review; number of post-launch “surprise” issues tied to missing pre-launch controls; and percentage of models with human-in-the-loop controls when required.

4) Talent, Recruiting, and Internal Confidence

Top performers do not want to work in a company that treats AI like a toy and compliance like a nuisance. Mature governance creates psychological safety inside the organization: employees know what is permitted, what is prohibited, and how to raise concerns. It also improves recruiting because candidates, especially in technical roles, ask about responsible AI practices, data governance, and ethical guardrails. A compliance GenAI can support internal confidence by serving as the first-line “policy concierge,” answering questions with approved guidance, directing employees to the correct procedures, and logging common questions so Compliance can improve training and communications.

For compliance professionals, this fits squarely within the DOJ mandate for compliance to lead efforts in institutional justice and fairness. Some key KPIs you can track include training completion and comprehension metrics for AI use; the number of AI-related helpline inquiries and their resolution times; employee survey results on comfort raising AI concerns; and the percentage of AI use cases with documented business-owner accountability.

5) Lower Cost of Incidents and More Resilient Operations

AI incidents are rarely just “bad outputs.” They are process failures: poor data lineage, uncontrolled model changes, vendor opacity, missing logs, weak access controls, or no escalation path when harm appears. NIST AI RMF’s “measure” and “manage” functions emphasize monitoring, drift detection, incident response, and continuous improvement, which is precisely how you reduce the frequency and severity of failures. A compliance GenAI can support incident resilience by guiding teams through an AI incident response playbook, helping triage severity, ensuring evidence is preserved (audit logs, prompts, outputs, approvals), and generating lessons-learned reports that connect root cause to control enhancements.

For compliance professionals, this lesson is even more stark, as the ‘customers’ of a corporate compliance program are your employees. Some key KPIs you can track include the number of AI incidents by severity tier; mean time to detect and mean time to remediate; the percentage of high-impact models with drift-monitoring and alert thresholds; and the percentage of third-party AI providers subject to change-control notification requirements.

What “Mature Governance” Looks Like When You Are Building From Scratch

Do not start with a 60-page policy. Start with a few non-negotiables that scale:

  • Inventory and classification: Create a single inventory of GenAI assistants, ML models, and automated decision systems. Classify them by impact using EU AI Act concepts (high-impact versus low-impact) and your own business context.
  • Accountability and decision rights: Assign an owner for each system and require periodic attestations for the highest-risk categories.
  • Standard artifacts: Use lightweight model documentation, data lineage notes, and disclosure templates. If it is not documented, it does not exist for governance.
  • Human oversight and logging: Define when human-in-the-loop is mandatory and ensure logs capture who approved what, when, and why.
  • Third-party AI controls: Contract for transparency, audit support, change notification, and security requirements. Vendor opacity is not a strategy.

This is where ECCP thinking helps. The question is not whether you have a policy. The question is whether the policy is operationalized, tested, and improved. That is the bridge from compliance to competitive advantage.

If you want AI compliance to be a competitive advantage, treat it like a management system that produces evidence, not like a policy library that produces comfort. When governance becomes repeatable, the business can move faster, regulators become more confident, and customers see the difference. That is not a cost center. That is credibility you can take to the bank.

Categories
AI Today in 5

AI Today in 5: March 5, 2026, The AI ‘s Biggest Test Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Ending compliance bottlenecks with AI. (FinTechGlobal)
  2. AI surge will reshape compliance. (FinTechGlobal)
  3. Compliance first AI. (Cyberscoop)
  4. Trump, AI Data Centers, and the midterms. (CNBC)
  5. Healthcare is AI’s biggest test. (Time)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Red Flags Rising

Red Flags Rising: S01 E38: “Fallen Chips” – GIR’s Estelle Atkinson on her Three-Part Report

Mike Huneke and Brent Carlson welcome Estelle Atkinson, a reporter with Global Investigations Review (GIR), to speak about her recent three-part series, “Fallen Chips,” published on January 26, 27, and 28, 2026 (linked in the show notes). They discuss how Estelle learned of the U.S. government investigation of Zenith Semiconductor in Chandler, Arizona (01:14); that company’s background (06:03); when employees started to realize that things were not quite right at the company and how that led to employees going to the FBI (08:19); how Estelle got to know the employees and why they were willing to help her with her story (10:30); how her experience illustrates more broadly the challenge companies have in responding to whistleblower reports or allegations (11:48); how diversion starts close to home, and is not always in some exotic “offshore” location (15:31); how U.S. administration policies to promote the export of the U.S. AI “stack” are not without controls or national security considerations (15:58); why success under America’s AI Action Plan and the American AI Export initiative will depend on effective, risk-based export controls compliance programs (16:21); the role of media in American life (19:14); why the standard PR or IR “playbook” of asserting “full compliance with the law” creates risks if companies aren’t expressly incorporating the full definition of “knowledge,” to include “an awareness of a high probability,” into export controls compliance (20:14); and what GIR readers can expect to see (or read) next from Estelle (20:49). Mike and Brent conclude with yet another installment of Brent Carlson’s “Managing Up” (22:39).

Resources:

GIR 

Fallen Chips Part I: Inside the FBI Raid that Rocked an Arizona Chip Start-Up (Jan. 26, 2026)

Fallen Chips Part II: Silicon Secrets and the Risks Hiding in Plain Sight (Jan. 27, 2026)

Fallen Chips Part III: The Fault Lines of the US-China Tech War (Jan. 28, 2026)

More about:

Estelle: https://globalinvestigationsreview.com/authors/estelle-atkinson

Contact Estelle: estelle.atkinson@globalinvestigationsreview.com

Contact Brent: brent@redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com