Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 30 – The Foreign Extortion Prevention Act

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 30 episode, we discuss the Foreign Extortion Prevention Act (FEPA), a significant piece of legislation that fills a critical gap in the FCPA.

Key highlights:

  • Filling the Gap in Anti-Corruption Laws
  • Key Features and Implications of FEPA
  • Challenges in Implementing FEPA
  • The Name and Shame List

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Blog

Returning to Venezuela: Why “Yes, If” Is the Only Defensible Compliance Answer

Most of you readers know that sometimes when I get going on a project, it (the project, not me) just keeps on growing. What started as a podcast with Matt Ellis on the risks of going back into Venezuela expanded out into a series of podcasts on the FCPA Compliance Report and with Mike DeBernardis on All Things Investigations. The podcasts led to a five-part blog post series on the same topic in the FCPA Compliance and Ethics Blog. I then needed to expand the blogs into a book and provide forms, checklists, frameworks, and deployment packs for compliance professionals to help them think through the issues presented in Venezuela and in other similarly high-risk jurisdictions.

All of that has led to the only book on how to return to Venezuela, Returning to Venezuela: The Compliance Guide to Yes, If (Title inspired by Mike DeBernardis). It is available in both print and eBook versions on Amazon.com.

When companies talk about returning to Venezuela, the conversation almost always begins with opportunity. Oil reserves. Market access. First-mover advantage. What the book Returning to Venezuela does is effectively reset that conversation where it belongs for compliance professionals: with reality. It is a disciplined, compliance-first analysis of what it actually means to operate in one of the world’s highest-risk jurisdictions.

The core message is uncompromising but straightforward: Venezuela is not a place for optimism, informal controls, or siloed compliance. It is a stress test. If your compliance program can function there, it can function anywhere. If it cannot, no license, policy, or assurance letter will save you. The book is not a warning label about Venezuela. It is a working manual for how a compliance function should assess risk, design controls, and govern decision-making before commercial momentum takes over.

Step One: Reframing the Risk Assessment

The first way a compliance professional should use Returning to Venezuela is to recalibrate how risk assessments are performed. Traditional country risk assessments often ask abstract questions: corruption perception scores, sanctions status, and enforcement history. Those inputs are necessary, but insufficient. Returning to Venezuela pushes compliance professionals to replace abstract scoring with operational mapping.

Instead of asking whether Venezuela is high risk, the framework asks:

  • Where will government discretion arise?
  • Where can delay be monetized?
  • Where does the business depend on intermediaries?
  • Where does value move, pause, or change form?

This is a critical shift. Risk is no longer treated as a country attribute. It becomes a process attribute. Compliance professionals can use Returning to Venezuela’s structure to redesign their risk assessment around real business steps: procurement, logistics, payment, security, licensing, and dispute resolution.

Step Two: Identifying Pressure Points Before They Become Incidents

Returning to Venezuela is especially useful in helping compliance professionals identify pressure points, not just risk categories. Pressure points are moments where the business is most likely to face demands for improper value, shortcuts, or exceptions. Procurement is one. Customs clearance is another. Security access, utilities, labor approvals, and payment routing are others.

Using Returning to Venezuela, compliance professionals can document:

  • Where pressure is expected;
  • Who owns the decision at that point;
  • What escalation looks like; and
  • When refusal or exit becomes mandatory.

This transforms compliance from a reactive role into a proactive role in designing decision architecture.

Step Three: Using the Checklists as Control Gates, Not Paper Artifacts

A common compliance failure is treating red flags as documentation exercises rather than control mechanisms. One of the strengths of Returning to Venezuela is that its red flags are designed as gates, not records. Each checklist answers a single question: Is this activity governable under our current assumptions?

Compliance professionals can deploy these checklists at defined moments:

  • Market entry discussions
  • Vendor and JV selection
  • Transaction structuring
  • Payment and banking design
  • Security and logistics planning

If a red flag cannot be cleared, the activity cannot proceed. That discipline is what makes the framework defensible. It also protects compliance officers personally, because decisions are anchored in documented governance rather than informal judgment.

Step Four: Integrating Risk Domains Instead of Managing Them in Silos

Another way compliance professionals should use Returning to Venezuela is as a blueprint for breaking down internal silos. The book makes clear that in Venezuela, corruption, export controls, AML, sanctions, security, and extortion are not separate risks. They are interconnected expressions of the same operating pressure. Treating them separately guarantees blind spots.

Practically, this means compliance can use the book to justify:

  • Integrated risk reviews instead of sequential sign-offs;
  • Shared escalation forums across functions;
  • Unified monitoring rather than separate dashboards; and
  • Common exit triggers across risk domains.

This is particularly important for AML. Returning to Venezuela positions money laundering risk not as a standalone compliance obligation, but as the capstone test of whether the entire framework works.

Step Five: Structuring Board Oversight Around Decisions, Not Updates

Too often, boards receive high-level compliance updates that provide comfort but not clarity. Returning to Venezuela gives compliance professionals a way to reframe board oversight around decisions, not reports. Using the board materials and decision templates, compliance can:

  • Force explicit risk acceptance;
  • Document assumptions that underpin approvals;
  • Secure delegated authority to pause or exit operations; and
  • Establish clear revisit and escalation triggers.

This protects both the organization and the compliance function. When conditions change, the discussion is no longer “Why did this happen?” but “Which assumption failed, and what decision does that trigger?” That is governance functioning as intended.

Step Six: Building a Repeatable Risk Management Framework

The final and most important way to use Returning to Venezuela is as a template, not a one-off Venezuela playbook. While the facts are Venezuela-specific, the framework is portable. Compliance professionals can lift this framework and apply it to:

  • Other high-risk markets;
  • Post-merger integration;
  • Sanctions-heavy environments; and
  • Complex third-party ecosystems.

The Appendices: The Operational Backbone of Returning to Venezuela: Yes, If

One of the defining features of Returning to Venezuela: The Compliance Guide to Yes, If is that it does not stop at analysis. The appendices convert risk identification into governance, decision-making, and operational control. They are not academic supplements. They are the machinery that makes a “yes, if” decision possible in practice.

Taken together, the appendices form an integrated compliance control stack designed for one purpose: to govern decision-making in an environment where corruption, coercion, sanctions, AML exposure, and weak rule of law are not edge cases but daily conditions.

Appendix A: One-Page Operational Checklists

Appendix A contains a series of one-page checklists, each focused on a distinct but interconnected risk domain. These are not policy summaries. They are operational gating tools meant to be used before decisions are made, not after problems occur.

Appendix B: The CCO Deployment Pack

Appendix B is written from the perspective of the Chief Compliance Officer and is explicitly operational. It is designed to be deployed internally to executive leadership, business sponsors, and control functions.

Appendix C: Board of Directors Materials

Appendix C is aimed squarely at directors and audit or compliance committees. Its function is not to educate boards on Venezuela generally but to structure how boards make, record, and revisit risk acceptance decisions.

Appendix D: Decision-Making Frameworks

Appendix D pulls together the logic underlying the entire book. It provides decision-making frameworks that force organizations to confront uncomfortable realities before committing resources.

How the Appendices Work Together

Individually, each appendix addresses a specific audience or function. Collectively, they form an integrated control system that aligns:

  • Operational decision-making.
  • Compliance authority.
  • Board oversight.
  • Exit discipline.

The appendices are designed to prevent the most common failure pattern in high-risk jurisdictions: waiting until conditions deteriorate before asking hard questions. By then, leverage is gone.

Final Thought

The most important contribution of Returning to Venezuela is that it does not merely describe risk. It shows compliance professionals how to operate in the real world without surrendering control.

Used correctly, the book becomes a working tool:

  • To assess risk honestly;
  • To design controls that hold under pressure;
  • To align management and the board; and finally,
  • To decide when “yes” becomes “no.”

For compliance professionals, that is not just risk management. It is about meeting the business in an operational setting with a risk management strategy for literally the highest risk on earth.

You can purchase Returning to Venezuela: The Compliance Guide to Yes, If on Amazon.com.

Categories
AI Today in 5

AI Today in 5: January 29, 2026, The AI Has Competitive Advantage Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Turning AI governance into a competitive advantage. (FinTechGlobal)
  2. AI is rewriting compliance. (BleepingComputer)
  3. Decoding the human genome with AI. (NYT)
  4. Who is training AI to do your job? (FT)
  5. One way to keep AI out of the classroom. (NPR)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 29 – Enhancing Compliance through Automation

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 29 episode, we explore how Chief Compliance Officers and compliance professionals can enhance their programs through automation.

Key highlights:

  • Challenges in Traditional Compliance Reporting
  • The Role of Reg Ops in Compliance
  • Integrating Tools for Real-Time Compliance


Categories
Blog

Is there a FEPA Future in Venezuela?

For U.S. compliance professionals, few jurisdictions raise as many red flags as Venezuela. Decades of entrenched corruption, state capture of key industries, economic collapse, weak rule of law, and the legacy of PdVSA have made the country a case study in what happens when corruption becomes systemic rather than episodic. Now that geopolitical and energy realities are shifting, some U.S. companies are again evaluating whether and how to reenter the Venezuelan market.

Against that backdrop, the passage of the Foreign Extortion Prevention Act (FEPA) represents one of the most significant developments in anti-corruption enforcement in nearly half a century. The question compliance officers are now asking is a practical one: can FEPA actually be used to prevent bribery and corruption for U.S. companies returning to Venezuela, or is it merely a symbolic addition to an already strained enforcement framework?

The answer, as with most compliance questions, is nuanced. FEPA is not a silver bullet. But when properly understood and operationalized, it can meaningfully change the risk calculus for companies operating in high-extortion environments like Venezuela.

The Historic Gap in the FCPA

For decades, the compliance community has lived with a fundamental asymmetry in U.S. anti-corruption law. The Foreign Corrupt Practices Act is a supply-side statute. It criminalizes the offering or payment of bribes by U.S. companies and individuals, but it does not criminalize the demand for those bribes by foreign officials. This gap has long distorted incentives on the ground.

In jurisdictions such as Venezuela, bribery is rarely framed as a voluntary transaction. It is far more often presented as a demand, a condition of doing business, or even a threat, as in the case of extortion. Officials do not ask politely. They delay permits, block shipments, threaten arrests, or endanger employee safety. Until FEPA, U.S. law largely treated this as background noise rather than a prosecutable offense.

FEPA directly addresses that gap by criminalizing the solicitation or acceptance of bribes by foreign officials from U.S. persons or companies. In doing so, it finally targets the demand side of corruption and aligns U.S. law more closely with how bribery actually operates in high-risk countries.

Why Venezuela Is the Ultimate Test Case

If FEPA can work anywhere, it should work in Venezuela. The country’s corruption ecosystem is characterized by pervasive extortion across customs, energy, transportation, security, immigration, and tax authorities. Payments are often demanded not to gain an advantage but to avoid harm. This distinction matters. In Venezuela, the compliance challenge is not simply rogue employees paying bribes. It is employees facing credible threats to liberty, safety, or health. FEPA explicitly recognizes this reality by treating extortion by a foreign official as a criminal act rather than merely a compliance failure by the company.

That framing gives compliance officers something they have long lacked: a legal backbone to support a firm refusal posture. Companies can now say, with credibility, that the demand itself is illegal under U.S. law and subject to DOJ enforcement, even if the official is located abroad.

Extortion, Facilitation, and the Compliance Trap

One of the most dangerous compliance traps in Venezuela has always been the mislabeling of extortion payments. Under the FCPA, facilitation payments occupy a narrow and controversial exception. Extortion payments, however, were never facilitation payments. They were survival payments. FEPA eliminates any lingering ambiguity. Extortion payments involving threats to life, liberty, or health are now clearly illegal, not merely discouraged. This forces compliance programs to confront uncomfortable operational realities.

Policies must explicitly distinguish facilitation from extortion. Employees must be trained that the company will support them if they are threatened, but that any such payment must be immediately documented, accurately recorded, and escalated. Books and records accuracy becomes critical. Mischaracterizing extortion as a routine expense is now a standalone risk under FEPA, not merely an FCPA accounting issue.

FEPA as a Deterrent Tool, Not Just an Enforcement Tool

One of the most overlooked aspects of FEPA is its potential deterrent effect. The statute introduces the possibility of DOJ investigations targeting foreign officials, including public naming and reporting requirements. For officials who interact with U.S. companies, this creates reputational and diplomatic risk that did not previously exist. In Venezuela, where many officials rely on international travel, financial access, and political legitimacy, even the threat of U.S. scrutiny can matter. FEPA does not require immediate extradition to have an impact. The mere existence of a credible enforcement pathway can alter behavior at the margins.

For compliance officers, this means FEPA can be used proactively. Risk assessments should explicitly incorporate FEPA exposure. Third-party due diligence should assess patterns of extortion, not just a history of bribery. Contractual language should reference the reporting obligations for extortion. Training should include scenario-based exercises where employees practice refusing demands and escalating threats.

The Limits of FEPA in Venezuela

None of this should be overstated. FEPA will not cleanse Venezuela of corruption. Extradition of Venezuelan officials is unlikely. Local enforcement cooperation will be minimal. Many officials operate with de facto immunity. But compliance effectiveness has never depended on perfect enforcement. It depends on shifting incentives, setting expectations, and protecting employees. FEPA strengthens all three. From a DOJ perspective, FEPA also changes cooperation dynamics. Companies that proactively document extortion demands, preserve evidence, and report credible threats may be viewed very differently from companies that quietly pay and rationalize. In a Venezuela reentry scenario, that distinction could be outcome-determinative.

What Compliance Officers Should Do Now

For companies considering Venezuela, FEPA must be embedded into program design from day one. This includes updating anti-corruption policies, revising travel and security protocols, enhancing incident reporting mechanisms, and briefing boards on the new enforcement landscape. Most importantly, compliance officers must be realistic. FEPA does not eliminate the need for robust internal controls. It heightens the consequences of getting them wrong. Venezuela will remain a high-risk jurisdiction regardless of statutory innovation.

Five Key Takeaways for the Compliance Professional

1. FEPA Changes the Risk Conversation, Not Just the Law

FEPA fundamentally alters how compliance officers should frame corruption risk in high-extortion jurisdictions like Venezuela. It is no longer only about preventing improper employee payments. It is now about recognizing, documenting, and escalating illegal demands by foreign officials. This allows compliance to move from a defensive posture to a principled refusal backed by U.S. law.

2. Extortion Must Be Explicitly Addressed in Policies and Training

Companies can no longer afford vague language that blurs the distinction between facilitation payments and extortion. Compliance programs must clearly define extortion as illegal, explain how it differs from facilitation payments, and provide step-by-step guidance for employees facing threats to health, safety, or liberty. Scenario-based training is no longer optional in Venezuela risk operations.

3. Books and Records Exposure Has Increased Under FEPA

Accurate documentation is now a frontline compliance control. Any payment made under duress must be recorded precisely and transparently. Mischaracterizing extortion payments as routine expenses or facilitation payments creates a separate and serious compliance failure. Accounting controls, escalation protocols, and audit reviews must be aligned accordingly.

4. FEPA Should Be Embedded in Risk Assessments and Third-Party Due Diligence

Venezuela reentry assessments should explicitly evaluate extortion risk, not merely bribery history. Third parties, customs brokers, security providers, and logistics partners are often the point of pressure. FEPA requires compliance officers to assess whether business partners operate in ways that expose the company to extortion demands and reporting failures.

5. FEPA Strengthens Compliance’s Role as a Strategic Advisor

FEPA gives compliance professionals a credible legal framework to advise management and the board on when and how business can be conducted safely. It reinforces the message that walking away from certain transactions is not risk aversion but risk management. In Venezuela, FEPA can help compliance professionals draw clearer red lines and protect both the company and its people.

The Bottom Line

So, could FEPA be used to prevent bribery and corruption for U.S. companies returning to Venezuela? Not entirely. But it can materially reduce risk, empower employees, and change how companies engage with corrupt systems. For the first time, U.S. law squarely acknowledges what compliance professionals have always known: bribery often begins with a demand. By criminalizing that demand, FEPA gives companies a stronger legal and ethical foundation to say no.

In a country like Venezuela, that may be the most important compliance tool of all.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 28 – The Importance of Data Governance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 28 episode, we look into the crucial importance of data governance in the realms of compliance and cybersecurity.

Key highlights:

  • The Role of Data Governance in Compliance and Cybersecurity
  • Data Governance and ESG
  • Understanding Data Privacy Laws


Categories
Great Women in Compliance

Great Women in Compliance: A Next-Gen Video of Ethics and Compliance

In this episode of the Great Women in Compliance Podcast, Lisa Fine and Sarah Hadden (Gen X) are joined by Rebecca Anker and Emily Frank for an engaging conversation on what the next generation needs from ethics and compliance. Rebecca, Gen-Z, and Emily, a millennial, share candid insights shaped by their experiences as part of the emerging workforce.

The discussion explores the real-life impact of generational influences, from questioning hierarchy and outdated practices to prioritizing transparency and usability and minimizing the traditional reliance on hierarchy. Rebecca and Emily discuss how the profession's rising stars are taking to new levels its evolution into a collaborative, service-oriented function that partners with the business and clearly explains the why behind policies and decisions.

They also discuss current topics, including creative, shorter training approaches, balancing regulatory requirements with innovation, responsible AI use, and rethinking speak-up programs. They discuss why language matters, why “whistleblower” may no longer resonate, and how normalizing the act of raising concerns can strengthen speak-up culture across generations.

The episode wraps with practical advice from Rebecca and Emily for more “seasoned” compliance professionals to stay curious and engage with new voices and ideas. It is exciting to see where they and their peers will take the profession. 

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 27 – The Compliance Function in an Organization

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 27 episode, we explore the growing importance and responsibilities of the compliance function within corporations, emphasizing the need for adequate staffing, resources, and independence.

Key highlights:

  • DOJ’s Expectations for Compliance Programs
  • Funding and Resources for Compliance
  • Compliance Program Structure and Authority


Categories
Blog

How Compliance Should Show Up Before the Crisis

Recently, my colleague Matt Kelly wrote a blog post about retaliation against Chief Compliance Officers (CCOs). Matt and I explored it in an episode of the podcast Compliance into the Weeds. Matt’s post and our discussion crystallized one of the frustrations of the CCO role: compliance is often experienced solely by senior management as a late-arriving messenger of bad news. When compliance walks into the room, something has already gone wrong. The tone changes. Defenses go up. Trust narrows.

Yet the most consequential moments for a CCO are precisely those situations where the stakes are highest. A potential regulatory disclosure. A decision about whether to notify a government agency. A moment where delay, missteps, or poor coordination can turn a manageable issue into an enterprise-level crisis. If compliance is only visible in those moments, the relationship with the CEO and executive leadership team is already at a disadvantage.

Interestingly, in our podcast, we explored a technique that might be termed “coaching management ahead of time.” Matt picked up a training strategy borrowed from the cyber world: incident training for a cyber-attack. I see this as a very powerful way not only to communicate compliance but also to train on the specific issues senior management will face if a reportable compliance incident occurs. You could train on such hypotheticals by walking the executive leadership team through them so they understand the process, while also providing training on the specific issues.

I think this approach offers practical, repeatable ways to build trust with senior management before a crisis, so that when compliance raises a serious issue, the function is seen as a stabilizing force, not a source of panic.

The Core Problem: Compliance as the Bearer of Bad News

Many compliance officers do excellent technical work but still struggle to earn executive trust. The reason is not competence. It is timing and framing. Senior leaders often experience compliance in three narrow contexts:

  • An investigation has begun;
  • A whistleblower allegation has escalated; and/or
  • A regulator may need to be notified.

In those moments, compliance is necessarily directive. The CCO must slow decisions down, insist on process, and sometimes recommend outcomes executives would prefer to avoid. Without a foundation of trust, those recommendations can feel punitive or overly conservative. The solution is not softer messaging during crises. The solution is familiarity with the compliance process long before the crisis arrives.

Process Transparency as a Trust-Building Strategy

Trust is built through predictability. Senior executives are far more comfortable with difficult outcomes when they understand the process that leads there. This is where scenario-based training becomes one of the most underused tools in the compliance arsenal. Instead of waiting for a live issue, the CCO can walk the executive leadership team through realistic hypotheticals:

  • A fact pattern that suggests regulatory notification may be required
  • How compliance evaluates credibility and materiality
  • Who is involved at each stage and why
  • What decisions management will be asked to make
  • What actions help, and what actions make things worse

These sessions are not about assigning blame or rehearsing fear. They are about demystifying how compliance operates when the stakes are high.

Why Scenario-Based Training Works With Executives

Scenario-based discussions resonate with executive teams for several reasons. First, they are practical. Executives do not need another policy overview. They want to know what actually happens when something goes wrong. Second, they are respectful of executive time and intelligence. A well-designed hypothetical treats leadership as decision-makers, not students. Third, they normalize compliance involvement.

When executives have already walked through a compliance-led process in a low-pressure setting, that process feels familiar rather than threatening during a real event. Most importantly, scenario-based training reframes compliance from a reactive function to a preparedness function.

The Strategic Role of Informal Engagement

These conversations do not need to occur only in formal training sessions. In fact, some of the most effective trust-building happens outside structured settings.

  • A short walkthrough during an executive offsite.
  • A tabletop discussion over lunch.
  • A casual conversation that begins with, “Let me show you how we would handle this if it ever happened.”

These informal touchpoints matter because they remove fear from the equation. They allow executives to ask questions they might not ask during a live issue. They also allow compliance to show judgment, nuance, and business awareness. This is not a charm offensive. It is a deliberate relationship strategy.

Training on What Not to Do

One of the most valuable elements of scenario-based transparency is the ability to explain mistakes before they occur. Executives often want to help in a crisis. That instinct, while well-intentioned, can create problems. Premature document reviews. Side conversations. Incomplete recollections. Overconfident assurances.

Scenario training allows the CCO to say, in advance, “Here is what helps us protect the company,” and just as importantly, “Here is what can unintentionally make things worse.” When executives understand these boundaries ahead of time, compliance interventions during a real issue feel protective rather than restrictive.

From Messenger of Doom to Stabilizing Force

When compliance has invested in transparency and education, something important shifts. When the CCO later says, “We believe this may require regulatory notification,” that recommendation is no longer heard in isolation. It is understood as part of a known, previously discussed process.

Executives may not like the conclusion, but they trust the path that led there. That trust allows compliance to do its job effectively. It reduces friction. It shortens response time. It improves decision quality. Most importantly, it positions compliance as an advisor whose presence brings structure and clarity to uncertainty.

What Compliance Officers Should Take Away

For compliance officers, the lesson is not about presentation skills or tone management. It is about timing and familiarity. If senior management only experiences compliance during moments of stress, compliance will always feel adversarial. If senior management understands the compliance process before the stress arrives, compliance becomes a stabilizing influence.

Scenario-based training, informal engagement, and process transparency are not “nice to have” activities. They are strategic tools for relationship-building at the highest levels of the organization. The most trusted CCOs are not those who avoid bringing bad news. They are the ones who ensure that when bad news arrives, it is delivered within a framework everyone already understands. That is how compliance earns trust before the crisis and credibility during it.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 26 – Elevating the Role and Independence of the Chief Compliance Officer

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 26 episode, we ponder the evolving stature and authority of the CCO within organizations, as highlighted by recent guidelines and regulations.

Key highlights:

  • Key Inquiries Around the CCO and Compliance Function
  • Importance of CCO Certification and Court Decisions
  • Critical Takeaways for Compliance Professionals
