
FCPA Compliance Report: Matt Ellis on Cartels, FTO Risk, and Corporate Compliance in Latin America

In this episode, Tom Fox welcomes Matt Ellis of Miller & Chevalier about the ACI “Cartels, TCOs and Compliance in Latin America” forum (July 20–21, Washington, DC) and why cartel/TCO/FTO risk is a timely 2026 compliance priority.

Ellis describes the Trump administration’s focus on cartels, fentanyl, China’s influence, and the expanded enforcement toolkit—FCPA guidance linking to cartel activity, sanctions, AML actions (including FinCEN orders against Mexican financial institutions), and cartel FTO designations implicating the Anti-Terrorism Act. They discuss how cartels infiltrate supply chains, creating “material support” exposure, and why due diligence must go beyond traditional screening to on-the-ground intelligence and nuanced red flags. Ellis notes government interest in compliance expectations, extortion-payment considerations, the Lafarge/ISIS example, anticipated investigations, broader regional risk (Mexico, Venezuela, Colombia, Brazil), and increased multi-agency coordination and potential dialogue with U.S. authorities.

Key highlights:

  • Why This Conference Now
  • Due Diligence Goes Deeper
  • Extortion and Self-Reporting
  • Beyond Mexico Regional Risks
  • Whole-of-Government Focus
  • When to Engage Government

Resources:

Cartels, TCOs and Compliance in Latin America, July 20-21

Matt Ellis on LinkedIn


To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.


Trekking Through Compliance: Episode 1 – Compliance Lessons from The Man Trap

In this episode of Trekking Through Compliance, we examine “The Man Trap,” which aired on September 8, 1966, at Star Date 1515.1.

A landing party from the Enterprise beams down to perform an annual checkup of scientist Bob Crater and his wife, Nancy, who have lived on the planet M113 for 5 years. Dr. Crater and Nancy appear to be in good health, but Dr. Crater goes out of his way to request an additional salt supply from the Enterprise’s stores. A crewman wanders off and dies under mysterious circumstances. Further tests show that his body is completely devoid of salt.

Scanning the planet’s surface reveals only a single life form, so Spock and Kirk realize that Nancy must have beamed aboard the Enterprise and start searching for her. They question Dr. Crater and learn that Nancy is dead and that her form has been taken over by the planet’s last remaining indigenous creature, which can assume any form and requires salt to live.

Kirk and Spock then beam Dr. Crater aboard the Enterprise, who prevents Kirk from killing the creature (whom he still sees as Nancy Crater) and then stands idly by as she begins to drain the salt from Kirk’s body. At this juncture, Spock rushes in and demonstrates to McCoy that the woman attacking Kirk could not be Nancy by striking her repeatedly and forcefully. Nancy does not flinch, sending Spock flying across the room with a single counterblow. When the creature attacks Kirk again, its proper alien form is revealed, and Bones kills it with a phaser, even after it reverts to Nancy’s form.

Key highlights:

1. Compliance and Leadership Lessons—The Cost of Denial

🖖 Illustrated by Dr. Crater’s refusal to acknowledge the danger posed by the creature impersonating his wife, Nancy.

Leadership is about facing difficult truths, not indulging in convenient fantasies. Dr. Crater’s emotional attachment blinds him to reality, echoing the risks faced when leaders ignore clear signs of compliance breakdowns. Just as he stalls Kirk and enables the creature’s deception, real-world executives who refuse to confront corruption or misconduct put the entire organization at risk.

2. Character Dynamics—Trust, Bias, and Team Decision-Making

🖖 Illustrated by the landing party’s conflicting views of Nancy: each member sees her in a different light.

This episode reminds us how biases cloud judgment. The creature manipulates the crew’s perceptions, much like a charismatic con artist might deceive auditors or compliance officers. Effective compliance teams must cultivate objectivity and challenge assumptions, especially when red flags appear under familiar disguises.

3. Ethical Decision-Making and Vigilance—When Loyalty Becomes Liability

🖖 Illustrated by McCoy’s inability to act until it’s almost too late.

McCoy’s emotional paralysis shows the danger of misplaced loyalty in corporate settings. Compliance professionals must prioritize facts over feelings. Only when Spock physically assaults the creature and reveals its true nature does McCoy accept the need for lethal action. It’s a painful but powerful lesson in balancing empathy with professional duty.

4. Storytelling and Visual Branding—Make the Message Memorable

🖖 Illustrated by the unforgettable reveal of the creature’s true alien form.

The creature’s transformation is a visual metaphor for uncovering the truth beneath appearances. For compliance programs, this underscores the importance of storytelling, compelling visuals, and emotional engagement. Dry policies don’t stick—memorable messages do. Think of the salt vampire’s final scene as a compliance training module with a bite.

5. Balancing Security and Compassion—Don’t Let the Monster in the Room Stay Hidden

🖖 Illustrated by the crew’s initial desire to give Nancy space, contrasted with the need for containment.

Compassion is vital—but so is security. The crew’s hesitation to confront “Nancy” creates a vulnerability that costs lives. In corporate compliance, this translates to having the courage to investigate suspicions swiftly and without prejudice. The longer you let a problem impersonate a solution, the greater the risk to your organization.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 4: Animal as Chief Operating Risk Officer: Managing Chaos Before Chaos Manages You

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. Today, we conclude by looking at the Animal problem. This series has used the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every organization has an Animal. Sometimes it is a person. Sometimes it is a business unit. Sometimes it is a revenue stream so profitable that leadership stops asking difficult questions. But every organization eventually encounters a force that is energetic, productive, volatile, difficult to control, and capable of creating enormous operational damage if left unmanaged. That is Animal.

As Chief Operating Risk Officer, Animal represents a truth many organizations struggle to confront: the greatest operational risks are often tolerated because they generate short-term success. Animal is loud, destructive, impulsive, emotional, and frequently one bad day away from catastrophe. Yet he is also highly effective in the environment for which he was designed. He brings energy, intensity, speed, and momentum.

The problem is not that Animal exists. The problem is when the organization mistakes unmanaged volatility for sustainable performance. That is where compliance, governance, and operational discipline become critical.

Operational Risk Rarely Arrives Quietly

One of the most dangerous assumptions organizations make is that operational failure arrives gradually and predictably. Often, it does not. Operational breakdowns tend to emerge after warning signs have already been normalized:

  • repeated policy exceptions,
  • constant escalation failures,
  • excessive workload pressure,
  • ignored complaints,
  • control fatigue,
  • unmanaged third parties, and
  • high-performing employees who are allowed to operate outside established expectations.

Animal embodies this normalization problem perfectly. Everyone knows he is dangerous. Everyone knows he is unpredictable. Everyone knows he creates operational instability. Yet the organization repeatedly tolerates the behavior because the show benefits from his energy. This is how many operational crises develop in real organizations. The issue is rarely ignorance. The issue is tolerance.

The Compliance Challenge of High-Performing Risk Creators

One of the DOJ’s most important compliance questions is whether organizations apply discipline consistently, regardless of title, status, or revenue generation. That sounds straightforward. In practice, it is extraordinarily difficult. Organizations routinely create informal exceptions for:

  • top producers,
  • senior executives,
  • innovative teams,
  • politically connected employees, and
  • operational leaders perceived as indispensable.

Animal represents this exact governance problem. A mature compliance program recognizes that unmanaged high performers create enterprise risk because they gradually teach the organization that controls are optional for the “right” people. Once that message spreads, culture deteriorates quickly. Employees notice:

  • who gets exceptions,
  • whose misconduct is ignored,
  • whose violations are minimized, and
  • whether leadership consistently enforces standards.

That is why operational risk is deeply connected to culture. Operational instability rarely begins with a single process failure. It usually begins with accountability failure.

Animal and the Failure of Escalation

Perhaps the most dangerous thing about Animal is not his volatility. It is that the organization tends to underestimate the seriousness of the risk until after damage occurs. This reflects a common corporate governance problem: escalation fatigue. Over time, organizations become accustomed to recurring dysfunction:

  • “That is just how he operates.”
  • “That team is always difficult.”
  • “They are under pressure.”
  • “The business results justify the headaches.”
  • “We can manage around it.”

Those statements are operational-risk warning signs. A mature compliance program must create escalation structures capable of identifying:

  • repeated near misses,
  • recurring control failures,
  • cultural deterioration,
  • operational shortcuts, and
  • conduct risks before they evolve into crises.

Animal should not require an explosion before leadership intervenes. Unfortunately, many organizations wait for exactly that moment.

Root Cause Analysis Matters

When operational failures occur, organizations often focus immediately on the visible event:

  • the failed transaction,
  • the misconduct,
  • the regulatory inquiry,
  • the system failure, or
  • the public embarrassment.

But effective governance requires deeper analysis. The ECCP specifically emphasizes root cause analysis because sustainable remediation depends on understanding why the failure occurred in the first place. With Animal, the obvious answer might be: “Animal lost control.”

But the real questions are:

  • Why was the risk tolerated repeatedly?
  • Why were escalation signals ignored?
  • Why were controls insufficient?
  • Why did leadership normalize the volatility?
  • Why were prior incidents dismissed as isolated?

Those questions move the organization from blame to governance. A mature compliance function should always ask whether operational failure reflects:

  • incentive problems,
  • leadership failures,
  • staffing pressures,
  • inadequate oversight,
  • resource constraints, or
  • cultural normalization of misconduct.

Without root cause analysis, organizations simply reset the stage for the next crisis.

Speak-Up Culture and Operational Risk

Animal also highlights the importance of a culture of speaking up. In many organizations, employees recognize operational risk long before leadership does. The problem is that employees often conclude:

  • raising concerns changes nothing,
  • leadership already knows,
  • retaliation risk is too high,
  • or operational pressure outweighs ethical concerns.

That silence becomes dangerous. The DOJ increasingly expects organizations to maintain effective reporting channels, anti-retaliation protections, and meaningful investigative response mechanisms. But a speak-up culture is not merely a hotline issue. It is a credibility issue. Employees must believe:

  • concerns will be heard,
  • escalation will occur,
  • retaliation will not be tolerated,
  • and leadership is willing to intervene even when operational performance is affected.

In Animal’s world, the organization often appears resigned to the chaos. That resignation is itself a governance failure.

Crisis Management Is a Governance Discipline

Animal is also a reminder that crisis management is not public relations. It is governance under pressure. Operational crises test:

  • leadership credibility,
  • escalation systems,
  • internal communication,
  • decision-making discipline,
  • documentation quality, and
  • organizational resilience.

Strong organizations prepare for operational disruption before it occurs. That means:

  • crisis-management protocols,
  • escalation matrices,
  • tabletop exercises,
  • communication plans,
  • cross-functional coordination, and
  • clear authority structures.

Animal should never be the organization’s first operational surprise.

Yet many companies operate as though volatility itself is unpredictable when, in reality, warning signs existed for months or years. The question is whether leadership chose to recognize them.

Control Fatigue Is Real

One of the most overlooked operational risks is control fatigue. When organizations operate under constant pressure, employees gradually begin bypassing safeguards:

  • approvals become rushed,
  • documentation becomes incomplete,
  • exceptions become routine,
  • monitoring weakens,
  • and oversight becomes reactive instead of preventive.

Animal accelerates this dynamic because his operational style rewards speed and intensity over discipline and sustainability. That creates a dangerous cycle:

  1. pressure increases,
  2. controls weaken,
  3. near misses increase,
  4. normalization expands, and
  5. eventually failure becomes inevitable.

A mature compliance program continuously monitors for this pattern because operational collapse rarely occurs without warning.

5 Key Takeaways for the Compliance Professional

1. Operational risk is often tolerated because it produces results.

Organizations must resist creating informal exceptions for high-performing but destabilizing individuals or business units.

2. Escalation failures are early warning signs.

Repeated policy exceptions, ignored concerns, and normalized dysfunction frequently precede major operational breakdowns.

3. Root cause analysis is essential for sustainable remediation.

Organizations should investigate not only what failed, but why leadership and controls allowed the failure to persist.

4. Speak-up culture directly affects operational resilience.

Employees must trust that concerns will be heard, investigated, and acted upon without retaliation.

5. Crisis management is a governance function.

Effective organizations prepare for operational disruption through planning, escalation structures, monitoring, and cross-functional coordination.

The Final Governance Lesson

Across this series, Kermit, Piggy, Gonzo, and Animal together represent the four forces constantly shaping corporate governance:

  • leadership,
  • reputation,
  • innovation,
  • and operational risk.

The lesson is not that organizations should eliminate strong personalities, ambition, experimentation, or intensity. The lesson is that mature governance recognizes these forces early and builds systems capable of channeling them responsibly.

Kermit provides stability.

Piggy creates visibility.

Gonzo drives innovation.

Animal tests the strength of operational controls.

Every organization contains all four. The real question for compliance professionals is whether the governance structure is strong enough to keep the theater standing when all four are operating at the same time. Because eventually, they will be.

Long Live The Muppets


The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 3: Gonzo as Chief Innovation Officer: Innovation Without Governance Is Just Operational Risk

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. This series uses the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every company eventually hires a Gonzo. Not literally, of course. But every organization eventually encounters someone who believes the limits of the possible are merely suggestions waiting to be ignored. That is Gonzo. He is creative, fearless, experimental, unconventional, and absolutely convinced that launching himself out of a cannon remains a reasonable business strategy despite overwhelming evidence to the contrary. Naturally, he becomes the Chief Innovation Officer.

At first glance, Gonzo appears to represent innovation at its most dangerous. He ignores procedure, embraces uncertainty, and treats risk as entertainment. But beneath the chaos sits a lesson that modern compliance professionals urgently need to understand: innovation itself is not the problem. The problem is innovation without governance.

That distinction matters enormously in today’s corporate environment, where organizations face relentless pressure to adopt the following:

  • artificial intelligence,
  • automation,
  • advanced analytics,
  • digital transformation,
  • agentic AI, and
  • emerging technologies that often evolve faster than governance structures can respond.

In other words, many organizations are currently operating inside a large-scale Gonzo experiment.

Gonzo Represents Innovation Pressure

One overriding instinct drives Gonzo: pushing boundaries. That instinct exists in virtually every modern enterprise. Boards demand innovation. Investors reward disruption. Executives fear being left behind by competitors. Product teams move quickly. Technology leaders promise transformation. Vendors insist their tools are revolutionary. The result is predictable: governance often lags behind implementation.

This is exactly the environment the DOJ’s ECCP increasingly expects organizations to manage. Prosecutors now ask whether compliance programs can identify and respond to evolving risks. They also ask whether organizations adequately understand the technologies they deploy and the risks those technologies create. In practical terms, the government is asking:

“Do you know where your Gonzos are?” Many organizations do not.

The Problem Is Not Innovation. It Is Uncontrolled Innovation.

Too many compliance discussions frame governance and innovation as opposing forces. That is incorrect. Good governance should enable innovation by allowing organizations to experiment responsibly. The objective is not to stop Gonzo from inventing new things. The objective is preventing Gonzo from accidentally detonating the theater during testing. This distinction becomes critical in AI governance.

Consider what often happens inside organizations:

  • business units adopt generative AI tools without approval,
  • employees upload sensitive data into external systems,
  • procurement bypasses security reviews,
  • automated decision systems are deployed without testing,
  • vendors market “AI-powered” solutions nobody fully understands,
  • and leadership assumes innovation itself justifies the risk.

That is not a transformation. That is unmanaged operational exposure. Gonzo would absolutely deploy experimental AI tools without reading the documentation. He would also enthusiastically demonstrate them during a live performance before anyone completed legal review. Many companies are doing exactly that right now.

Shadow AI Is the Modern Gonzo Problem

One of the most significant emerging governance risks is shadow AI: technology adoption occurring outside formal oversight structures. This happens because innovation pressure rarely waits for policy development. Employees want efficiency. Business units want speed. Executives want results. Vendors promise a competitive advantage. Eventually, someone says:

“We cannot afford to fall behind.”

At that point, governance often becomes reactive rather than proactive. The compliance challenge is not preventing experimentation. It is creating governance structures that enable safe experimentation. This is why mature AI governance programs increasingly rely on:

  • approved use-case inventories,
  • risk-tiering frameworks,
  • data-governance protocols,
  • human oversight requirements,
  • testing standards,
  • escalation procedures,
  • and continuous monitoring.

Or, stated differently:

Someone needs to verify whether Gonzo’s cannon is aimed at the audience.

Innovation Requires Documentation

One of Gonzo’s defining traits is enthusiasm without paperwork. That creates a governance problem. The ECCP repeatedly emphasizes documentation, testing, continuous improvement, and evidence-based compliance. Organizations must demonstrate not merely that policies exist, but that controls operate effectively in practice.

Innovation functions often struggle here because innovation culture tends to prioritize speed over documentation. This creates dangerous blind spots:

  • unclear accountability,
  • undocumented approvals,
  • undefined ownership,
  • missing testing records,
  • inconsistent monitoring,
  • and inadequate escalation procedures.

If the organization cannot explain:

  • why a technology was adopted,
  • who approved it,
  • how risks were assessed,
  • what controls exist,
  • and how effectiveness is monitored,

then the organization does not truly govern the technology. It merely hopes for the best. Hope is not a control.

Gonzo and the Myth of the Brilliant Exception

Another important compliance lesson emerges from Gonzo’s personality itself. Organizations often tolerate elevated risk from highly creative or high-performing individuals because leadership perceives them as uniquely valuable. This is a dangerous governance instinct.

Every major corporate failure eventually contains some version of:

  • “We assumed he knew what he was doing.”
  • “Nobody wanted to challenge the innovation team.”
  • “They moved too fast for the controls.”
  • “The business results were too good to slow down.”

In many organizations, innovation teams become culturally insulated from oversight because questioning them appears anti-progress or anti-growth. That is precisely when governance becomes most necessary. The role of compliance is not to suppress innovation. It is to ensure innovation remains accountable to the enterprise.

Gonzo should absolutely continue inventing things. But somebody must still ask:

  • Was the system tested?
  • Is the data reliable?
  • Who owns the risk?
  • What happens if the model fails?
  • Is there human oversight?
  • Can we explain the outcome?

Those questions are not barriers to innovation. They are what keep innovation from becoming litigation.

Continuous Monitoring: The “Day Two” Problem

One of the most overlooked governance failures occurs after deployment. Organizations frequently focus intensely on implementation but pay far less attention to ongoing monitoring. Yet most technology risks emerge over time through:

  • model drift,
  • scope expansion,
  • vendor changes,
  • data degradation,
  • user workarounds,
  • and control fatigue.

Gonzo perfectly represents this problem because he rarely revisits prior experiments. Once the cannon fires, he is already planning the next stunt. Modern compliance programs cannot operate that way. AI governance, digital governance, and innovation oversight require “Day Two” discipline:

  • continuous testing,
  • ongoing review,
  • updated risk assessments,
  • incident reporting,
  • and remediation protocols.

The question is not merely: “Did the innovation work?” The real question is:

“Does the control environment still work six months later?” That is where mature governance separates itself from performative governance.

The Board’s Role in Innovation Governance

Boards increasingly face direct oversight expectations regarding technology and innovation risk. That means directors should ask:

  • Do we have formal AI governance?
  • Who owns innovation risk?
  • How are emerging technologies reviewed?
  • What testing standards exist?
  • How do we monitor ongoing performance?
  • What happens when innovation conflicts with compliance requirements?
  • How quickly can issues be escalated?

These questions are no longer theoretical. Regulators increasingly expect boards and senior leadership to demonstrate understanding of operational technology risk, especially where AI, automation, or sensitive data are involved. In governance terms, the age of “let the technology team handle it” is over.

5 Key Takeaways for the Compliance Professional

1. Innovation is not the enemy of compliance.

The real risk is innovation that operates outside governance structures, documentation, and accountability.

2. Shadow AI creates significant operational exposure.

Organizations must identify and govern unauthorized or poorly supervised technology adoption.

3. Documentation is a governance control.

If an organization cannot explain how a technology was approved, tested, monitored, and governed, it does not truly control the risk.

4. High-performing innovators still require oversight.

Organizations should not exempt innovation teams from compliance expectations because they generate results or move quickly.

5. Governance continues after deployment.

Continuous monitoring, testing, escalation, and remediation are essential to managing evolving technology and innovation risk.

From Gonzo to Animal

Gonzo teaches compliance professionals that innovation creates risk when governance cannot keep pace with experimentation. But there is another danger waiting behind the pressure to innovate: the normalization of unmanaged operational chaos. That is where Animal enters the story.

Because eventually every organization encounters a moment when high-energy operational risk stops being an exception and starts becoming part of the culture itself. In Part 4, we will examine Animal as Chief Operating Risk Officer and what he teaches compliance professionals about operational volatility, escalation failures, crisis management, and the dangers of unmanaged high performers.


AI Today in 5: May 27, 2026, The Clock is Ticking Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI leading to revenue for compliance. (StartUpHub.ai)
  2. ECB says the clock is ticking for bank cybersecurity. (FinExtra)
  3. AI reshaping the healthcare C-Suite. (Modern Healthcare)
  4. Vertical AI is winning the compliance race. (FinTech Global)
  5. Spotify advocates for AI-generated music. (FT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.



The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 2: Miss Piggy as CMO: Marketing, Reputation, and the Compliance Risks of Visibility

This week, we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. This series uses the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

In Part 2, we consider Miss Piggy, for if Kermit the Frog represents tone at the top, Miss Piggy represents what happens when tone meets brand, ambition, ego, visibility, and commercial pressure. And rest assured, every organization has a Miss Piggy. She is talented, visible, confident, persuasive, and deeply invested in how the enterprise is perceived. She understands audience, image, influence, and reputation. She knows that attention has value. She also knows that if she is not in the spotlight, something has gone terribly wrong.

As Chief Marketing Officer, Miss Piggy would be a powerful business asset. She would elevate the brand, command the room, and make sure the organization was never ignored. But from a compliance perspective, she would also pose a familiar governance challenge: how does a company manage a high-performing, high-visibility executive whose role creates real legal, ethical, and reputational risks? The answer is not to silence her. The answer is to govern the risk.

Marketing Is a Front-Line Compliance Function

Too many organizations still treat marketing as a creative function sitting outside the core compliance risk universe. That is a mistake. Marketing is where corporate promises become public commitments. It is where product claims, customer expectations, sustainability statements, influencer relationships, social media messaging, and reputational positioning move from internal strategy to external representation. That makes marketing a front-line compliance function.

Miss Piggy, as CMO, would own risks tied to:

  • misleading advertising,
  • unsubstantiated claims,
  • endorsement and influencer disclosures,
  • ESG and sustainability messaging,
  • customer communications,
  • crisis response, and
  • brand conduct.

A best-practices compliance program should recognize marketing as a risk-owning function, not simply a department that occasionally needs legal review. The DOJ’s Evaluation of Corporate Compliance Programs asks whether compliance is operationally integrated into the business. Marketing is one of the places where that question becomes real. If compliance is not in the marketing workflow, it is not fully embedded in the business.

The Danger of Brand Overconfidence

Miss Piggy’s greatest strength is also her greatest risk: confidence. Confidence sells. Confidence builds loyalty. Confidence moves customers, investors, employees, and markets. But when confidence becomes overclaiming, the organization moves from brand leadership to regulatory exposure.

This is especially true in today’s environment, where companies face scrutiny over public statements about the following:

  • product performance,
  • privacy and data use,
  • artificial intelligence,
  • sustainability,
  • diversity and inclusion,
  • supply chain integrity, and
  • social responsibility.

A CMO may view these statements as brand positioning. Regulators, plaintiffs’ lawyers, customers, and investors may view them as representations. That gap is where risk lives.

Miss Piggy would be very good at bold public messaging. A mature compliance program would make sure ‘bold’ does not become misleading. Every material claim should be substantiated, reviewed, documented, and tied back to actual operational capability. From a compliance perspective, the issue is not whether the brand voice is strong. The issue is whether the company can prove what the brand voice says.

Pre-Clearance Is a Control, Not a Creative Insult

Miss Piggy would not naturally enjoy pre-clearance. No high-performing marketing executive wants to be told that a slogan needs review, a campaign needs substantiation, or a public commitment needs documentation. But a mature compliance program should not approach marketing review as censorship. It should approach it as a risk-based control.

Not every tweet, tagline, or internal graphic requires legal and compliance approval. But high-risk communications do. That includes:

  • comparative advertising,
  • pricing claims,
  • product capability statements,
  • sustainability or ESG commitments,
  • AI-related statements,
  • customer testimonials,
  • influencer content,
  • and statements made during crisis response.

The control should be risk-tiered. Routine materials move quickly. High-risk materials receive enhanced review. Urgent communications have an expedited escalation path. This is the difference between a compliance program that enables the business and one that becomes a bottleneck. Miss Piggy does not need a hall monitor. She needs clear guardrails, fast answers, and a process she can trust.

Incentives Drive Marketing Behavior

The ECCP places significant emphasis on incentives and discipline. That principle applies directly to marketing. If Miss Piggy is rewarded only for reach, growth, visibility, impressions, engagement, and market buzz, then the compliance program should not be surprised when risk increases. People respond to what the organization measures and rewards. A mature organization would include compliance-sensitive measures in the CMO’s performance evaluation, such as:

  • accuracy of public claims,
  • adherence to review protocols,
  • cooperation with Legal and Compliance,
  • quality of campaign documentation,
  • responsible use of influencers and third parties,
  • and responsiveness to identified risks.

This does not mean making marketing timid. It means making marketing accountable. A high-performing CMO should be rewarded not simply for attention, but for trustworthy attention. In a mature company, brand value and compliance discipline should reinforce each other.

Reputation Risk Is Enterprise Risk

Miss Piggy understands reputation instinctively. She knows that perception matters. Compliance professionals should understand the same thing. Reputation risk is not soft risk. It can affect:

  • customer trust,
  • employee morale,
  • investor confidence,
  • regulatory scrutiny,
  • litigation exposure,
  • and board credibility.

Marketing sits at the center of that risk. A company may have excellent internal policies, strong controls, and thoughtful governance. But if its public messaging outruns its operational reality, the entire enterprise becomes exposed.

That is why marketing claims must be connected to internal controls. If the company says it has a rigorous third-party due diligence program, Compliance should be able to prove it. If the company says its AI is responsible, explainable, or human-supervised, Legal, Compliance, IT, and Risk should be able to document the governance structure behind that claim. The brand cannot promise what the control environment cannot support.

Miss Piggy as a Culture Carrier

Miss Piggy is not merely a marketing executive. She is a culture carrier. People watch her. They follow her cues. They imitate her confidence, her urgency, and sometimes her impatience. In many organizations, highly visible commercial leaders shape culture more powerfully than formal ethics statements. This creates opportunity.

If Miss Piggy publicly supports ethical marketing, substantiation of claims, customer transparency, and responsible branding, she becomes a compliance multiplier. She can make compliance feel commercially relevant rather than bureaucratic. But if she treats review processes as obstacles, dismisses concerns as negativity, or celebrates outcomes without regard to the methods used, the message to the organization is equally clear. Tone at the top matters. So does tone from the spotlight.

The CMO and the Board

Boards should care deeply about marketing risk. That does not mean the board should review every campaign. It means the board should understand whether the company has governance over high-risk communications and reputation-sensitive claims.

Board-level questions might include:

  • What public claims are we making that could create legal or regulatory exposure?
  • Are ESG, AI, privacy, and product claims substantiated?
  • Who approves high-risk public statements?
  • How do Legal, Compliance, and Marketing coordinate?
  • Do incentives reward responsible growth or merely visibility?
  • What reputational risks are emerging from social media, influencers, or public commitments?

These are not academic questions. They go directly to governance, controls, and oversight.

5 Key Takeaways for the Compliance Professional

1. Marketing is a risk-owning function.

Brand messaging, public claims, influencer relationships, and reputation management must be part of the compliance risk assessment.

2. Public claims require proof.

Companies should be able to substantiate material statements about products, ESG, AI, privacy, supply chains, and corporate responsibility.

3. Pre-clearance should be risk-based.

Compliance should not review everything, but it must review high-risk communications through a clear and efficient process.

4. Incentives shape marketing risk.

CMOs should be evaluated not only on visibility and growth but also on accuracy, cooperation, documentation, and responsible brand conduct.

5. Reputation risk is governance risk.

Boards and senior leaders should treat marketing claims as enterprise risk when those claims affect trust, regulatory exposure, or corporate credibility.

From Piggy to Gonzo

Miss Piggy teaches compliance professionals that visibility must be governed. Brand power creates opportunity, but it also creates exposure when public messaging runs ahead of facts, controls, or operational capability. In Part 3, we turn from reputation risk to innovation risk. Gonzo, as Chief Innovation Officer, will take us into the world of experimentation, emerging technologies, AI governance, and the compliance challenge of ensuring that innovation does not outrun accountability.

Because every company eventually faces its Gonzo moment: the moment when someone says, “What could go wrong?”

Innovation in Compliance

Innovation in Compliance: Capability without Governance Leads to Instability: Integrated GRC with Noor Aziz

Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Noor Aziz, a Saudi Arabia–based governance, risk, and compliance professional with extensive ISO lead auditor credentials, internal audit and controls experience, and a growing focus on AI governance.

Noor argues that effective compliance must be practical and business-friendly—clear ownership, escalation, accountability, and evidence—so it still functions under operational pressure rather than becoming bypassed. She emphasizes leadership commitment, culture shaped by observed behavior, and integrated GRC to reduce silos that create duplication, inconsistent reporting, and “governance fatigue.” On AI, she frames governance as a board-level issue because adoption is outpacing accountability, creating future scrutiny around oversight, traceability, and defensibility; she notes, “capability without governance eventually creates instability.” She recommends change management, micro-learning, and ongoing communications, and concludes that governance is organizational infrastructure, not administrative overhead.

Key highlights:

  • Integrating Controls Audit and Risk
  • Breaking Down GRC Silos
  • Why AI Governance Is Board Level
  • Culture When Nobody’s Watching
  • Training That Actually Works: Microlearning and Ongoing Comms
  • Why Frameworks Fail in Execution
  • Maturing Governance for Business Value

Resources:

Connect with Noor Aziz on LinkedIn

Innovation in Compliance was recently ranked Number 4 in Risk Management by 1,000,000 Podcasts.

Red Flags Rising

Red Flags Rising: S01 E40: Jeff Stitt on the Craft of Compliance

Mike and Brent welcome to the podcast Jeff Stitt, the President of Acacia Trail Consulting. Jeff walks through how he went from becoming an engineer to being an on-the-spot chief compliance officer appointee in 1992 (01:36), to doing compliance at a bank (05:51), to having the opportunity to build and run a compliance program across Sub-Saharan Africa (08:00), and then to integrating a major acquisition into his company’s compliance program (12:10). Jeff explains how compliance programs are really “underwriting” the business’s activities (14:00) and then talks about the opportunity to build out a global compliance program at a publicly traded company (16:30). Jeff concludes with a discussion about Acacia Trail (19:28) and what he’s seeing in the trade compliance space today (21:14). Mike and Brent then conclude with another edition of Brent Carlson’s Managing-Up (22:11).

Contact Jeff: jeff@acaciatrail.com

More about Jeff: https://www.linkedin.com/in/jeffreylstitt/

Contact Brent: brent@redflagsrising.com

More about Brent: www.redflagsrising.com

Contact Mike: michael.huneke@morganlewis.com

More about Mike: https://www.morganlewis.com/bios/michaelhuneke

Great Women in Compliance

Great Women in Compliance: Compliance Week 2026 Highlights with Nick Gallo

Team #GWIC and the #GWICfam were out in full force at the 2026 Compliance Week conference in Washington, DC. Nick Gallo, a Great Gentleman in Compliance, was gracious enough (or agreed when he was “voluntold”) to be our roving reporter, asking people about their conference highlights, practical takeaways, and about AI in compliance, as that was one key event focus.

The episode also highlights the importance of collaboration, mentorship, and authentic connections in our community, and Compliance Week is such a great reminder of that. From discussions about everything from culture to analytics to celebrating Joe Murphy’s Lifetime Achievement Award, the conference reinforced both the rapid evolution of compliance and the generosity of the people working in it. You will hear the themes of friendships, learning, and shared purpose that continue to define the compliance community from our friends and colleagues.

Creativity and Compliance

Creativity and Compliance: Compliance 6-Pack: Part 4 – Using “Yes, And”

Tom and Ronnie continue their six-part series highlighting the role of improv in compliance. This series links improv lessons to corporate compliance and some of the key tools and strategies Ronnie has brought from his former world of improv to the corporate compliance communications realm. In today’s Improv & Compliance Lesson 3, they focus on using “Yes, And” to shift compliance from the Office of No to a collaborative advisor.

Tom and Ronnie discuss the improv principle “Yes, and,” which means agreeing with the reality presented, dropping one’s agenda, and adding a new piece of information to build collaboratively. They explain how this mindset helps compliance move beyond the “office of no” by affirming and acknowledging business requests, then bridging to relevant risks, laws, and policies (e.g., gifts and entertainment, conflicts of interest) to problem-solve together without immediately shutting ideas down. Ronnie emphasizes “Yes, and” as both a personal communication technique and an organizational philosophy: learn the business, speak its language, and design simple, action-oriented, accessible policies and training that provide timely, embedded guidance. The episode ends with a preview of the next lesson on truth in comedy.


Creativity and Compliance is a multiple-award-winning podcast and was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.