Tag: continuous improvement

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 5 – Lucretius, Rationality, and Continuous Improvement in Compliance

Welcome to our concluding blog post on notable Roman Philosophers and the philosophical underpinnings of modern corporate compliance programs and compliance professionals, focusing on five philosophers from Rome spanning the end of the Roman Republic to the Roman Empire.

We have considered Cicero and the duty, law, and the moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; Varro on corporate governance; and Marcus Aurelius on ethical leadership and tone at the top. Today, we conclude with Lucretius to explore rationality, fear, and risk perception.

I. Lucretius in Context: Seeing the World Clearly

Titus Lucretius Carus is the outlier in the Roman philosophical tradition, and that is precisely why he matters to compliance professionals. In De Rerum Natura (On the Nature of Things), Lucretius set out to explain the world as it actually is, stripped of superstition, fear, and comforting illusions. He believed that human suffering and bad decision-making were driven less by malice than by misunderstanding.

Lucretius lived in a Roman world gripped by fear of divine punishment, fate, and unseen forces. He argued that when people attribute events to superstition or rumor rather than observation and evidence, they lose the ability to respond rationally. Fear, in his view, was the enemy of clear judgment. Only through disciplined observation and reason could individuals and institutions act wisely.

For modern compliance professionals, Lucretius offers a final and essential lesson. Even the best-designed compliance program, staffed by accountable individuals and supported by ethical leadership, will fail if it cannot see itself clearly. Programs that rely on assumptions, anecdotes, or reputation rather than evidence inevitably drift. Lucretius teaches that rational observation is not merely a scientific virtue. It is an ethical one.

II. The Compliance Problem Lucretius Illuminates: Blind Spots and Compliance Theater

Many compliance programs operate on belief rather than proof. Leaders believe the culture is strong. Boards believe controls are effective. Compliance teams believe training is working. Yet enforcement actions routinely reveal blind spots that persisted for years, unnoticed or unchallenged. This gap between belief and reality is what Lucretius would have called superstition. In compliance, it takes the form of compliance theater: dashboards that look reassuring, certifications that go unquestioned, and metrics that measure activity rather than effectiveness.

The DOJ Evaluation of Corporate Compliance Programs (ECCP) repeatedly asks whether companies test, monitor, and improve their programs. Prosecutors are explicit that assumptions are insufficient. They want evidence that the program detects misconduct, adapts to change, and evolves based on lessons learned. Fear plays a central role here. Organizations fear discovering problems. They fear bad news reaching the board. They fear regulatory scrutiny. Lucretius warned that fear distorts perception. In compliance terms, fear leads to underreporting, superficial audits, and avoidance of uncomfortable data.

A compliance program that cannot tolerate evidence of weakness cannot improve. Lucretius insists that rational systems must prefer truth over comfort.

III. Modern Corporate Application: Lucretius, DOJ Expectations, and Evidence-Based Compliance

Applying Lucretius to modern compliance highlights the central role of monitoring, testing, and continuous improvement.

First, compliance monitoring must focus on effectiveness, not volume. Counting training completions or hotline calls says little about whether the program works. Lucretius would insist on asking harder questions. Are issues detected early? Are repeat risks declining? Are controls changing behavior?

Second, data must be interpreted without fear. DOJ guidance emphasizes learning from misconduct and near misses. Yet many organizations treat incidents as anomalies rather than signals. Lucretius teaches that patterns matter more than isolated events. Compliance teams should analyze trends across regions, functions, and time, even when results are uncomfortable.

Third, programs must adapt to changing risk. Lucretius rejected static explanations of the world. The DOJ similarly asks whether compliance programs evolve as business models, markets, and technologies change. A program designed for yesterday’s risks becomes a liability when conditions shift.

Fourth, monitoring must include culture and behavior, not just transactions. Culture surveys, exit interviews, and speak-up analytics provide insight into employees’ trust in the system. Lucretius would caution against ignoring qualitative data simply because it is harder to measure.

Fifth, continuous improvement must be documented and demonstrable. The DOJ evaluates whether companies close the loop by updating controls, training, and governance in response to findings. Rational compliance requires not only seeing clearly but acting on what is seen.

Finally, compliance leaders must resist narrative-driven assurance. Statements such as “this has never happened before” or “we trust our people” are not evidence. Lucretius reminds us that trust is strengthened, not weakened, by verification.

IV. Key Takeaways for Compliance Professionals

1. Father of CM/CI. Compliance professionals should view Lucretius as the philosophical foundation of monitoring and continuous improvement. Lucretius grounds compliance in disciplined observation rather than comfort or tradition. He reminds compliance professionals that a program cannot improve what it refuses to examine honestly. Monitoring and continuous improvement are not technical exercises but ethical commitments to see the organization as it truly operates.

2. Fact-based. Compliance should privilege evidence over assumption. Assumptions about culture, control effectiveness, or employee behavior create blind spots that persist until a failure forces attention. Lucretius warns that belief without verification is a form of self-deception. An effective compliance program insists on data, testing, and validation rather than reassurance.

3. Measure outcomes, not activity. Compliance should design metrics that measure effectiveness, not activity. Counting trainings delivered or policies acknowledged does not demonstrate that misconduct is being prevented or detected. Lucretius would reject metrics that comfort leadership without revealing reality. Compliance metrics must answer whether controls change behavior and reduce risk, not merely whether processes occurred.

4. Information is data. Compliance should treat incidents and near misses as data, not embarrassment. Organizations often hide or minimize incidents out of fear of reputational harm or internal scrutiny. Lucretius teaches that fear distorts judgment and delays learning. A mature compliance program uses incidents and near misses as signals for improvement rather than reasons for denial.

5. Risks Change. Compliance should evolve as risks, markets, and technologies change. Static compliance programs assume the world remains stable, an assumption Lucretius would view as fundamentally irrational. This is certainly not true in the age of Trump. Business models, geopolitical risks, and technologies shift faster than policy cycles. Continuous adaptation is the only rational response to an environment in constant motion.

6. Embrace Observation. Compliance should embrace rational observation as an ethical obligation. Seeing clearly is not morally neutral; it is a responsibility owed to stakeholders and institutions. Lucretius argued that ignorance sustained by fear causes harm. In compliance, choosing not to look is itself an ethical failure.

7. Evidence-based. Finally, Lucretius teaches that organizations fail not because reality is unknowable, but because they choose not to look. This is the capstone lesson of the compliance lifecycle. Organizations that avoid uncomfortable facts drift into compliance theater and false confidence. Rational, evidence-based compliance treats truth as an asset, even when it reveals weakness.

V. Conclusion: Roman Philosophy and the Compliance Program That Actually Works

Taken together, these five Roman philosophers describe the full lifecycle of a modern compliance program as it exists in the real world, not as it appears in policy manuals. Cicero establishes why compliance must exist at all, grounding the program in duty rather than expediency and reminding organizations that law is only the starting point. Seneca then confronts the reality that ethical commitments are tested under pressure, exposing how fear, ambition, and rationalization undermine even well-designed systems. Epictetus moves the analysis to the individual, insisting that ethical responsibility does not disappear inside hierarchy and that compliance ultimately depends on personal agency. Marcus Aurelius elevates that responsibility to leadership, showing how culture is formed through example and how ethical expectations live or die by the behavior of executives. Finally, Lucretius closes the loop, demanding rational observation, evidence, and continuous improvement so that compliance programs do not drift into assumption, superstition, or complacency.

What makes the Roman philosophers uniquely valuable to compliance professionals is their focus on institutions, power, and human behavior under constraint. The Greeks gave us ethical ideals. The Romans showed us how those ideals survive, or fail, inside complex systems. This mirrors the Department of Justice’s modern approach to compliance, which increasingly evaluates not whether a program exists, but whether it operates, adapts, and functions under real-world conditions.

For the compliance professional, the lesson of this series is both sobering and empowering. No single control, policy, or training module is sufficient. Effective compliance requires ethical foundations, behavioral awareness, individual accountability, principled leadership, and disciplined monitoring working together as an integrated system. Remove any one of these elements, and the program weakens. Align them, and compliance becomes not a defensive function, but a durable governance capability.

In combining these Roman insights with the earlier Greek philosophical foundations, the compliance professional gains more than historical perspective. They gain a framework for building programs that withstand pressure, earn trust, and evolve. In the end, that is the measure of a compliance program that actually works.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. Today, Day 9, we discuss continuous monitoring and continuous improvement.

Key highlights:

  • Understanding Changes in Company Risks
  • Continuous Monitoring and Improvement
  • External Information Sources for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Blog

Failure to Prevent Fraud Mastery: Enhancing Due Diligence, Training, and Improvement

We conclude our deep dive into the Economic Crime and Corporate Transparency Act 2023, which has elevated the expectations for senior leadership and boards across large organizations. Our guide in this journey has been the UK government, which has put out a document entitled “Economic Crime and Corporate Transparency Act 2023: Guidance to organisations on the offence of failure to prevent fraud.” (The Guidance) Today, we conclude with the final three sections on Due Diligence, Training, Ongoing Monitoring, and Continuous Improvement.

As compliance professionals prepare diligently for the upcoming implementation of the Failure to Prevent Fraud (FTPF) offense, it becomes imperative to understand and apply comprehensive fraud prevention measures effectively. Central to a robust anti-fraud framework are due diligence, training, monitoring, and review processes. Each of these areas must be executed diligently, proportionately, and tailored specifically to address the unique risks faced by an organization.

Due Diligence: Building Trust Through Vigilance

Due diligence is a cornerstone of an effective fraud prevention strategy. Organizations must apply meticulous and proportionate due diligence procedures to mitigate fraud risks associated with individuals or entities performing services on their behalf.

For organizations facing heightened fraud risks, standard due diligence might not suffice. Comprehensive screening, including the use of technology-driven third-party risk management tools and vetting checks, becomes vital. Contracts should explicitly state compliance obligations and consequences of non-compliance, while mergers and acquisitions must include rigorous assessments of criminal, regulatory, and tax backgrounds.

Moreover, ongoing due diligence is essential; periodic reviews and updates ensure that an organization remains alert to emerging risks or changes in the status of associated persons. Continuous monitoring can detect potential red flags that may arise post-engagement, such as sudden changes in financial stability, reputation issues, or new regulatory concerns. Additionally, organizations should ensure transparency in their due diligence processes, clearly documenting their methods and findings. This not only enhances accountability but also ensures readiness in demonstrating compliance to regulatory bodies or stakeholders during audits or investigations.

Organizations might also consider collaboration with external experts or industry peers to refine their due diligence methodologies, leveraging collective insights to strengthen their anti-fraud defenses. Regular training and awareness sessions about due diligence expectations can further embed vigilance into organizational culture, ensuring that all stakeholders understand and uphold their roles in fraud prevention.

Five Key Takeaways on Due Diligence:

  1. Leverage Technology: Use advanced screening tools and third-party risk management platforms to enhance due diligence effectiveness.
  2. Contract Clarity: Clearly articulate compliance obligations and termination clauses for fraud breaches within contracts.
  3. Monitor Employee Well-being: Regular monitoring to identify stressors or workload issues that might increase susceptibility to fraud.
  4. Mergers and Acquisitions Scrutiny: Conduct thorough fraud prevention assessments during acquisitions, integrating robust prevention measures post-acquisition.
  5. Dynamic Review: Keep due diligence processes proportionate, up-to-date, and responsive to evolving risks.

Training: Empowering Prevention Through Knowledge

Training is critical to embedding an anti-fraud culture within an organization. A clear and regular communication strategy ensures all associated persons fully understand and internalize the organization’s fraud prevention policies and procedures.

Proportionate training tailored to the specific risks of roles within the organization, especially high-risk positions, is essential. Training must detail the nature of the FTPF offense, the particular procedures required, and the clear protocols for whistleblowing. Continuous evaluation and updates ensure training remains practical and relevant, particularly as personnel change. Effective training should also encompass interactive and engaging methods such as workshops, simulations, and scenario-based exercises, which help employees understand the real-world implications of fraud and the critical importance of adhering to procedures.

Incorporating case studies of relevant fraud incidents can significantly enhance learning by illustrating practical examples and reinforcing key lessons. Organizations should also regularly evaluate the impact of training through assessments, quizzes, and feedback surveys, ensuring that employees retain the information and can effectively apply it in their roles. Integrating fraud prevention messages into routine communications, such as team meetings and newsletters, can further reinforce an anti-fraud mindset. Ultimately, a robust training program not only builds awareness but also empowers employees to identify and address potential fraud risks proactively.

Five Key Takeaways on Training:

  1. Risk-Based Training: Deliver bespoke training programs specifically targeted at roles identified as high risk.
  2. Integration with Existing Programs: Leverage and integrate fraud prevention messages into broader financial crime training initiatives.
  3. Effective Communication: Communicate internal policies, the importance of whistleblowing, and the procedures to follow.
  4. Regular Updates: Keep training modules current with evolving fraud risks, regulatory updates, and personnel changes.
  5. Monitoring Effectiveness: Regularly assess and monitor training efficacy through feedback and performance evaluations.

Monitoring and Review: Continuous Improvement and Adaptation

Monitoring and review constitute the continuous feedback loop critical to fraud prevention. Organizations must regularly assess and refine fraud detection systems and response protocols based on real-world performance and evolving risks.

Monitoring involves detecting fraud, conducting robust investigations, and assessing the effectiveness of preventative measures. Organizations should ensure that sophisticated data analytics and AI-driven detection tools are employed effectively. Investigations must be independent, well-resourced, fair, and transparent, with results communicated to stakeholders.

Review processes ensure organizations adapt and improve continuously. Regularly scheduled reviews, supplemented by event-driven assessments in response to incidents or significant changes in risk, underpin an agile and resilient fraud prevention strategy. Utilizing external feedback and industry-wide insights, organizations can benchmark their strategies and implement best practices.

Five Key Takeaways on Monitoring and Review:

  1. Regular and Responsive Reviews: Schedule regular evaluations, complemented by prompt reviews triggered by specific fraud incidents or risk changes.
  2. Data-Driven Detection: Invest in advanced data analytics and AI tools to proactively detect fraud and fraud attempts.
  3. Independent Investigations: Ensure fraud investigations are conducted independently and transparently, with clearly documented processes and outcomes.
  4. Continuous Adaptation: Maintain flexibility in fraud prevention measures, promptly adapting strategies based on review outcomes and industry developments.
  5. Sectoral Benchmarking: Collaborate and engage with external entities and industry peers to adopt best practices and maintain practical fraud prevention standards.

Concluding Thoughts

As the countdown to the FTPF offense go-live continues, compliance professionals are tasked with a critical responsibility: to ensure their organization’s preparedness through meticulous due diligence, targeted training, and robust monitoring and review practices. Each component is integral to creating an effective, proportionate, and responsive fraud prevention strategy. By embedding these practices into the organizational fabric, compliance professionals not only safeguard their organizations but also reinforce ethical standards, protecting both reputation and long-term sustainability.

Categories
Blog

Creating a Compliance Monitoring Plan

Compliance professionals recognize that robust compliance programs do not simply happen; they require meticulous planning, thoughtful execution, and continual enhancement. Central to any thriving compliance framework is a solid compliance monitoring plan. Even seasoned compliance practitioners occasionally encounter challenges when constructing a monitoring strategy capable of effectively identifying, assessing, and mitigating compliance risks. In this guide explicitly tailored for corporate compliance professionals, we will explore key steps toward creating an effective compliance monitoring plan, drawing on the foundational principles outlined in the Hallmarks of an Effective Compliance Program from the FCPA Resource Guide, 2nd edition.

Compliance monitoring is the ongoing process of assessing and verifying a company’s adherence to applicable laws, regulations, and internal policies. Unlike reactive investigations, compliance monitoring proactively identifies potential issues before they evolve into significant problems or compliance violations.

Step 1: Define Objectives and Scope

Once you have identified your organization’s primary compliance risks through a comprehensive risk assessment, you must define clear and measurable objectives for your compliance monitoring activities. These objectives align directly with your broader compliance strategy, corporate mission, and risk appetite. Begin by establishing what success looks like for your compliance monitoring initiative. Is your primary goal to prevent regulatory breaches, detect internal misconduct promptly, or validate the effectiveness of internal controls? Articulated objectives enable your compliance function to measure progress accurately and demonstrate accountability to stakeholders.

Objectives should be SMART, specific, measurable, achievable, relevant, and time-bound to facilitate clear monitoring and reporting. Next, explicitly outline the scope of your monitoring activities. Determine whether you will monitor all compliance areas equally or strategically prioritize areas of heightened risk, such as international operations, third-party relationships, or high-risk transactions. Defining scope effectively helps allocate your finite compliance resources to the highest impact areas, thus maximizing your monitoring effectiveness. Incorporate feedback from cross-functional teams and relevant business units to ensure your defined scope aligns closely with organizational realities and practical constraints. Regularly revisiting and refining these objectives and scope based on evolving risks and business circumstances keeps your compliance monitoring plan relevant, flexible, and responsive. According to the Hallmarks, clear policies, procedures, and thorough risk assessment underpin a successful compliance program. Thus, ensure your objectives remain tightly integrated with identified risks and documented compliance standards.

Step 2: Develop Monitoring Procedures

With objectives and scope set, the next step is crafting detailed compliance monitoring procedures. Effective procedures must specify the methods, frequency, and tools you’ll use to assess compliance adherence systematically. Procedures should integrate various manual and automated methods to create comprehensive oversight. Regular audits, randomized sampling, targeted employee interviews, and comprehensive documentation reviews form the procedural baseline. It is crucial to identify precisely how each monitoring activity will be executed, who will perform these tasks, and how frequently they will occur. Additionally, incorporating continuous monitoring technologies provides proactive, real-time insights, enhancing the immediacy of your responses to potential compliance breaches.

Documenting these monitoring procedures meticulously ensures consistency, transparency, and accountability, aligning directly with the emphasis on rigorous oversight and robust internal controls. Incorporating clear documentation standards into these procedures provides evidence of compliance activity during internal and external reviews, establishing credibility and trust with stakeholders and regulators. Regularly review and update your monitoring procedures to reflect evolving regulatory requirements, emerging risks, and insights gained from previous monitoring activities. Such periodic reassessments are vital to maintaining effective monitoring practices that meet industry best practices and regulatory expectations, preparing your organization to respond confidently to regulatory scrutiny and internal audits.

Step 3: Assign Roles and Responsibilities

Clearly defining roles and responsibilities within your compliance monitoring plan is fundamental for seamless execution. Compliance team members must understand their duties, expectations, and associated deadlines. Designate who will conduct monitoring activities, evaluate monitoring results, and initiate necessary corrective actions. Assigning these roles based on individual expertise, experience, and authority helps ensure tasks are completed effectively and efficiently. Explicitly document these roles within your compliance governance framework, ensuring clarity and transparency.

The FCPA Resource Guide underscores the importance of adequate autonomy, authority, and resources allocated to compliance functions. Ensuring compliance personnel have delineated responsibilities enhances accountability, promotes clear communication, and supports rapid decision-making. Regular training and communication sessions reinforce these responsibilities, helping compliance team members remain informed and prepared to execute their roles effectively. Furthermore, clearly defined roles and responsibilities empower compliance personnel to act decisively, enhancing responsiveness and ensuring effective intervention when issues arise. Continually reassess and refine these roles as your compliance program evolves, ensuring they remain relevant, efficient, and aligned with organizational goals and regulatory requirements.

Step 4: Implement Continuous Monitoring and Reporting

Effective compliance monitoring must be continuous rather than episodic. Continuous monitoring provides regular, real-time insights into compliance performance, significantly improving your ability to identify and address issues promptly. Implementing technological tools such as data analytics software, automated alerts, and compliance dashboards can greatly enhance continuous monitoring efforts. These technologies provide real-time data, facilitating immediate recognition of compliance deviations and swift corrective action. Establish clear, comprehensive reporting frameworks to communicate monitoring results effectively across all organizational levels, from operational managers to senior executives and board members.

Reporting frameworks must include clearly defined frequency, format, and content, ensuring consistent and relevant information distribution. Transparent reporting aligns directly with the FCPA Resource Guide’s emphasis on adequate internal controls, fostering organizational transparency and accountability. Effective reporting frameworks facilitate informed decision-making, enable quick interventions, and promote organizational trust. Regularly revising reporting protocols based on feedback and evolving compliance needs ensures ongoing effectiveness and relevance.

Step 5: Follow-Up and Remediation

The final crucial step in your compliance monitoring plan involves structured processes for follow-up and remediation. When non-compliance is identified through monitoring efforts, promptly implement a clearly defined process for addressing such issues. The first action is to perform a thorough root cause analysis to comprehend the underlying factors contributing to the compliance violation fully. This analytical step is vital because addressing only superficial symptoms may allow systemic issues to persist, increasing the likelihood of recurrence. After identifying the root cause, develop targeted remediation plans to rectify these foundational weaknesses. These plans should detail precise actions, timelines, responsible parties, and required resources. Communicate these remediation actions throughout the organization, ensuring transparency and clarity among all stakeholders.

Verification processes must be robust and systematic, designed to rigorously assess the effectiveness of implemented remedial actions. Monitoring the outcomes of remediation activities is essential in demonstrating that the organization takes compliance failures seriously and is committed to continuous improvement. Regularly scheduled follow-up evaluations should be conducted, and the results communicated to compliance and senior management. Transparency during this phase is critical, as it builds credibility with regulators and stakeholders by clearly demonstrating that the organization learns from its mistakes and proactively takes corrective action.

Additionally, documenting every step of the follow-up and remediation process provides valuable evidence during external audits and reviews, showcasing organizational accountability. Adopting a disciplined approach to follow-up and remediation aligns directly with the FCPA Resource Guide’s emphasis on ensuring effective responses to compliance risks and issues. This structured approach mitigates risks and cultivates a culture of integrity, accountability, and continuous improvement within your organization, significantly enhancing the resilience and credibility of your compliance program.

Lessons for Compliance Professionals

If all of this sounds like a continuous improvement loop, there is a reason. Developing a comprehensive compliance monitoring plan is foundational in cultivating and sustaining an effective compliance program. Compliance professionals must ensure monitoring is proactive, continuous, and aligned with broader organizational objectives and compliance strategies. Documented procedures, defined roles, continuous monitoring technology, transparent reporting, and rigorous follow-up constitute essential pillars supporting ongoing compliance effectiveness. Aligning these strategies with the Hallmarks of an Effective Compliance Program from the FCPA Resource Guide further solidifies your compliance initiatives, positioning your organization for long-term success, resilience, and integrity.

Categories
Blog

Kaizen 2.0: Leveraging AI for Continuous Improvement in Compliance

In the late 1940s, engineer Taiichi Ohno introduced the world to the Toyota Production System, an operational approach rooted in the Japanese principle of Kaizen or, as we call it today, continuous improvement. By prioritizing incremental enhancements and engaging employees at all levels, Toyota transformed manufacturing with concepts like worker empowerment, just-in-time manufacturing, root-cause analysis, and total quality management. The result? Toyota became the largest automaker in the world and a gold standard for process excellence. All this and much more was found in a recent Harvard Business Review article, The Secret to Successful AI-Driven Process Redesign, by H. James Wilson and Paul R. Daugherty.

I use their article as a starting point to explore where Kaizen meets the transformative power of artificial intelligence (AI) in the compliance realm. Kaizen 2.0 empowers employees with AI tools to make data-driven decisions, streamline processes, and elevate organizational performance in this new era. For compliance professionals, the principles behind this transformation offer a powerful roadmap for managing risk, embedding compliance into your business processes, and creating resilient risk management structures.

From Kaizen to Kaizen 2.0: The Role of AI in Compliance 

At its core, Kaizen is about empowering employees to improve processes continuously. Kaizen 2.0 amplifies this with AI, making advanced tools accessible to non-technical employees and enabling them to synthesize complex data for actionable insights. For compliance teams, this means using AI not to replace human judgment but to enhance it, whether by automating routine tasks, detecting risks, or uncovering inefficiencies.

Mercedes-Benz provides an interesting example. The company’s MO360 Data Platform democratizes data access across its global production network, enabling employees at every level to make data-driven decisions. A frontline worker can query AI about assembly-line bottlenecks or supply chain delays and receive actionable real-time recommendations. Imagine a compliance professional leveraging similar tools to identify patterns in third-party transactions or track policy adherence across business units.

This democratization of information underscores a key lesson for compliance professionals. AI tools are most effective when they empower teams rather than replace them. By augmenting human expertise, compliance programs can scale their impact while fostering a culture of accountability and engagement.

AI-Driven Tools: Unlocking New Compliance Opportunities 

Incorporating AI into compliance frameworks opens the door to new possibilities. Consider the following applications for the compliance function.

  • Root-Cause Analysis

Root-cause analysis can become more powerful with AI. Generative AI tools can analyze vast amounts of data to pinpoint the underlying root causes of compliance failures. For example, training AI on high-quality data can reduce false positives in transaction monitoring, allowing teams to focus on genuine risks. Using AI in the root-cause process could allow a compliance professional to determine the root cause of every compliance failure, whether simply a hiccup or a major system failure.

  • Just-in-Time Compliance

Borrowing from Toyota’s just-in-time manufacturing, compliance teams can use AI to implement “just-in-time compliance.” AI tools can monitor real-time transactions, communications, or activities, flagging issues as they occur rather than after the fact. This proactive approach aligns with regulators’ increasing focus on continuous monitoring. Also, consider how you could send a personalized compliance message to an employee who is about to travel to a high-risk country or engage in a high-risk activity.

  • Employee Empowerment

AI-enabled compliance platforms can empower employees across the organization to identify and address risks. This offers a great opportunity to move a compliance tool directly to the first line of defense. A generative AI tool could help employees draft accurate disclosures, navigate complex policies, or report concerns anonymously and securely. By embedding compliance tools into day-to-day workflows, organizations can create a proactive compliance culture and make the process more efficient.

Reshaping Risk Management: Lessons from Kaizen 2.0 

One of the most transformative aspects of Kaizen 2.0 is how it redefines risk management. Merck uses generative AI to improve quality control in drug inspection processes in the pharmaceutical industry. By creating synthetic defect-image data, AI reduces false rejects by over 50%, cutting waste and enhancing efficiency.

Compliance professionals can take inspiration from this approach by leveraging AI to address data quality issues. For instance, AI-powered tools can identify inconsistencies in due diligence data, streamline third-party risk assessments, and ensure consistent policy application across global operations.

Similarly, companies like Colgate-Palmolive and Nestlé are using AI to drive innovation in product development. For compliance teams, these advancements signal the potential for AI to transform regulatory reporting, training, and monitoring by making these processes more adaptive and aligned with business goals.

Overcoming Challenges: Ensuring Human-Centric AI Adoption 

While AI offers immense potential, successful adoption requires careful planning and execution. Compliance professionals must address the following challenges:

  1. Employee Training and Engagement. Like Mercedes-Benz’s Turn2Learn initiative, compliance teams should invest in training employees in AI in compliance programs. Educating staff on using AI tools effectively ensures they can take part in compliance initiatives and take ownership of risk management.
  2. Data Quality and Integration. High-quality data is the foundation of effective AI tools. Compliance leaders must champion data governance initiatives to eliminate silos, standardize data formats, and ensure accuracy. This has been on the Department of Justice’s (DOJ) mind since 2020 and was reiterated in the 2024 Evaluation of Corporate Compliance Programs.
  3. Ethical AI Usage. Compliance teams must lead efforts to ensure AI tools are used ethically and transparently. This includes validating AI outputs, addressing biases, and maintaining accountability for decisions informed by AI.

The Future of Kaizen 2.0 in Compliance

The convergence of AI, digital twins, and autonomous agents will redefine process management in compliance. Autonomous agents powered by generative AI can independently execute tasks, adapt strategies, and continuously improve their performance. This means a shift from routine oversight to strategic leadership for compliance professionals.

Walmart uses autonomous agents for inventory management. Compliance teams could deploy similar agents to monitor real-time regulatory changes, update policies, and notify stakeholders of critical updates.

Looking ahead, digital twins, which are virtual models of real-world systems, could revolutionize compliance training and testing. A digital twin of an organization’s compliance framework could simulate the impact of regulatory changes, test the effectiveness of controls, and identify vulnerabilities before they become liabilities.

A Call to Action for Compliance Professionals

The principles of Kaizen 2.0 offer a roadmap for transforming compliance programs. By embracing AI and empowering employees, compliance leaders can foster a culture of continuous improvement that meets DOJ requirements and drives business success. Three key steps help the compliance professional begin.

The first is to identify opportunities for AI integration in both your compliance program and overall compliance function. You should begin by mapping compliance processes and identifying areas where AI can add value, such as risk monitoring, policy management, or training. Next is engagement with employees by fostering a culture of collaboration by involving employees in AI-driven compliance initiatives. Provide training and resources to help them contribute to continuous improvement.  The final step is to monitor and continuously improve. Establish clear metrics for compliance performance and use AI to monitor progress. Review and refine processes to ensure they remain effective and aligned with business goals. Update, refine, and improve as the data becomes available to you.

Compliance professionals have a unique opportunity to lead our organizations into the future. By leveraging Kaizen 2.0 principles and AI tools, we can create compliance programs that are effective, resilient, adaptive, and aligned with organizational values. Let’s make continuous improvement the cornerstone of a fully operationalized compliance program and demonstrate to your organization that effective compliance leads to more efficient processes, which leads to greater ROI and profitability.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days of the series in January 2025, Tom Fox will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, and will include three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will join us each day in January for this exploration of best practices in compliance.

Continuous monitoring and improvement are essential in developing effective compliance programs, serving as a dynamic approach to addressing and adapting to evolving risks. This underscores the critical nature of these concepts, particularly highlighted in the 2023 update to evaluating corporate compliance programs, and emphasizes the necessity for organizations to integrate real-time data and maintain comprehensive documentation in their decision-making processes. This approach ensures compliance and fosters agility and resilience in navigating the complexities of modern business landscapes.

Key highlights:

  • Understanding Changes in Company Risks
  • Continuous Monitoring and Improvement
  • External Information Sources for Compliance

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.

Categories
Blog

2024 ECCP – Embracing Continuous Improvement

In her recent speech at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute, Principal Deputy Assistant Attorney General Nicole M. Argentieri discussed the Evaluation of Corporate Compliance Programs (2024 ECCP). (A copy of her remarks can be found here.) Today, I want to consider her remarks and the 2024 ECCP on continuous improvement.

Continuous Improvement: A Foundational Pillar

The ability to adapt and evolve is at the heart of any successful compliance program. Deputy Attorney General Lanny Breuer said that in 2009, which is still true today. Continuous improvement ensures compliance programs remain agile and responsive to internal and external pressures. The DOJ’s 2024 ECCP clarified that there is no one-size-fits-all approach to compliance. Instead, companies must tailor their programs to reflect their specific risk profiles, industries, and operational footprints. The three key questions the DOJ asks when evaluating a company’s compliance program are pivotal:

  1. Is the program well-designed?
  2. Is it applied in good faith and adequately resourced?
  3. Does it work in practice?

The answers to these questions must evolve as the company grows, its risk environment changes and new technologies or regulatory frameworks emerge. In other words, continuous improvement should be ingrained in the DNA of the compliance function.

Focus on Emerging Risks and Technology

A critical aspect of the 2024 ECCP update is its emphasis on emerging risks, particularly those related to artificial intelligence (AI) and other disruptive technologies. The DOJ has clarified that prosecutors will closely examine how companies assess and mitigate risks associated with AI and technology-enabled schemes. In an age where AI is increasingly used in business operations, compliance professionals must ensure that their companies are leveraging these technologies ethically and implementing robust controls to monitor for potential misuse.

For instance, as AI systems are deployed in decision-making processes—such as approving financial transactions or conducting due diligence—companies must have mechanisms to validate AI-generated data’s accuracy and reliability. This includes periodic testing, ongoing monitoring, and ensuring that human oversight remains an integral part of the compliance process.

Moreover, continuous improvement in this area involves staying ahead of technological trends. Compliance professionals must regularly update risk assessments for new technological developments, ensuring their controls and policies remain relevant. The ability to proactively manage these emerging risks is a hallmark of a forward-thinking compliance program.

Encouraging a Speak-Up Culture

Another critical update to the ECCP addresses the importance of fostering a “speak-up” culture within organizations. The DOJ’s increased scrutiny of whistleblower protections underscores the need for companies to encourage internal reporting of misconduct without fear of retaliation. Compliance programs must be designed to detect wrongdoing and provide employees with the tools and confidence to report issues when they arise.

Continuous improvement in this area means regularly testing and refining internal reporting mechanisms. Companies should ask themselves: Are our employees aware of how to report misconduct? Do they trust the process? Are we doing enough to protect whistleblowers? The ECCP now explicitly evaluates whether companies have anti-retaliation policies and whether they promote a culture encouraging employees to come forward.

It is also worth noting that companies can earn significant benefits by prioritizing internal reporting. Under the DOJ’s whistleblower pilot program, companies that receive an internal report and then self-disclose misconduct to the DOJ within 120 days can qualify for a presumption of a declination of prosecution. This sends a powerful message that promoting a speak-up culture is the right thing to do and strategically advantageous.

Leveraging Data for Compliance Effectiveness

The 2024 ECCP also strongly emphasizes the role of data in compliance programs. Companies are expected to use data to identify misconduct and assess the effectiveness of their compliance programs. Compliance professionals must ensure adequate access to relevant data sources and the resources to analyze that data effectively.

Continuous improvement in data management involves regularly auditing the sources and quality of data used in the compliance program. Are compliance personnel receiving timely and relevant data? Are there gaps in data collection that could hinder the detection of misconduct? By addressing these questions and implementing the necessary improvements, companies can ensure that their compliance programs function efficiently.

The Power of Adaptation

One of the most insightful aspects of the 2024 ECCP is its focus on learning from past mistakes—whether those mistakes occurred within the company or elsewhere in the industry. The DOJ encourages companies to conduct thorough root cause analyses after incidents of misconduct, using those insights to inform and improve compliance policies and procedures

Incorporating lessons learned into a compliance program is key to continuous improvement. Companies should routinely review their own experiences and external enforcement actions to identify weaknesses and strengthen their controls. For example, a company that uncovers a gap in its third-party due diligence process should take immediate action to address it and prevent similar issues.

Compensation and Clawbacks: A Shift Toward Accountability

Finally, the DOJ’s Compensation Incentives and Clawbacks Pilot Program is another area where continuous improvement can drive compliance excellence. By aligning compensation structures with ethical behavior, companies can incentivize employees to prioritize compliance. The DOJ now requires that compensation systems include criteria for promoting compliance and deterring misconduct, and early indications suggest that this positively impacts corporate behavior.

Continuous improvement in this area means regularly assessing whether the metrics used to evaluate employee performance are aligned with compliance objectives. Companies should also ensure that their compensation structures provide clear consequences for misconduct, such as clawing back bonuses or withholding future compensation from culpable employees.

In 2024 and as we move to 2025, continuous improvement is not a luxury but a necessity. Compliance professionals must remain vigilant, regularly evaluating and updating their programs to address new risks, leverage emerging technologies, and promote a strong culture of ethics. The DOJ’s 2024 ECCP provides a roadmap for how companies can achieve these goals, but the responsibility ultimately falls on compliance professionals to ensure that their programs are well-designed and effective in practice.

As we progress, the key to success lies in our ability to embrace continuous improvement. We must make the necessary investments in compliance to prevent, detect, and remediate misconduct. By doing so, we protect our organizations from legal and financial risk and foster a corporate culture that values integrity and ethical leadership.

Categories
Compliance Tip of the Day

Compliance tip of the Day: Embracing Continuous Improvement in Compliance Programs

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we explore why the DOJ’s emphasis on continuous improvement in compliance programs is a call to action for all of us.

Categories
Blog

Lessons on Ongoing Monitoring and Continuous Improvement from Star Trek: Spectre of the Gun

Last month, I wrote a blog post on the tone at the top, exemplified in Star Trek’s Original Series episode, Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance program set out in the FCPA Resources Guide, 2nd edition. Today, I will continue my two-week series by looking at the following Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition. Today, we look at lessons learned about ongoing monitoring and continuous improvement from the episode Spectre of the Gun, which provides a compelling narrative to explore the compliance concepts of ongoing monitoring and continuous improvement within a best practices compliance program.

In “Spectre of the Gun,” Captain Kirk and his crew are sent to make contact with the Melkotians, a reclusive alien species. Despite a warning buoy advising them to leave, the crew presses forward, and as a result, the Melkotians transport them into a surreal, incomplete version of the American Wild West. The crew finds themselves in a reenactment of the infamous Gunfight at the O.K. Corral, with Kirk, Spock, McCoy, Scotty, and Chekov cast as the doomed Clanton gang. The situation forces the crew to adapt rapidly, relying on their ingenuity and continuous assessment of their circumstances to survive. This scenario provides valuable lessons for compliance professionals on monitoring and constant improvement.

Lesson 1. Ongoing Monitoring and Continuous Assessment

In the Melkotian scenario, the Enterprise crew must continuously assess their environment to understand its limitations and potential dangers. The partial nature of the setting indicates that their perceptions can influence outcomes, requiring constant vigilance and situational awareness.

Continuous assessment is crucial for effective compliance programs. Organizations must be keenly aware of their regulatory environment and internal operations to identify potential risks and changes affecting compliance. This involves regular audits, risk assessments, and monitoring of key performance indicators to detect issues early. By maintaining situational awareness, compliance teams can proactively address emerging risks and ensure adherence to policies and regulations.

Lesson 2. Adapting Strategies Based on Feedback

Throughout the episode, the crew receives feedback from their interactions within the environment, leading them to adjust their strategies. Spock’s logical deductions and Kirk’s leadership guide the crew in adapting their actions to overcome the perceived threat.

Adaptability and flexibility are essential components of continuous improvement in compliance programs. Organizations should encourage a culture where feedback is sought and used to refine compliance strategies and controls. Implementing regular reviews and updates to compliance policies based on feedback and lessons learned ensures that the program remains effective and responsive to changes. Continuous improvement processes, such as after-action reviews and root cause analyses, enable organizations to refine their approaches and enhance compliance outcomes.

Lesson 3. Leveraging Expertise and Collaboration

The crew relies on Spock’s logical analysis and each member’s unique skills to navigate the challenges of the scenario. Their ability to collaborate and leverage individual strengths is key to their survival.

Effective compliance programs rely on the expertise and collaboration of diverse teams. Organizations should foster cross-functional collaboration, bringing together individuals from different departments to address compliance challenges comprehensively. Leveraging expertise from legal, risk management, operations, and other areas enhances the organization’s ability to monitor compliance effectively and implement improvements. Encouraging open communication and teamwork ensures that diverse perspectives contribute to developing robust compliance solutions.

Lesson 4. Proactive Problem-Solving and Innovation

The crew’s success in the scenario depends on their ability to innovate and develop creative solutions to their challenges. Spock realizes that the bullets are not real, and the crew’s collective belief in this fact allows them to avoid harm.

Proactive problem-solving and innovation are critical for continuous improvement in compliance programs. Organizations should encourage employees to think creatively and explore innovative solutions to compliance challenges. This involves fostering a culture that supports experimentation and learning from successes and failures. By empowering employees to propose and test new approaches, organizations can continuously enhance their compliance programs and remain agile in the face of change.

Lesson 5. Staying Vigilant

In the episode, the Enterprise crew is transported to an alternate reality where they must participate in a deadly reenactment of the O.K. Corral shootout. The crew must constantly adapt their strategies and tactics as the scenario changes. Similarly, compliance professionals need to remain vigilant and be prepared to adjust their compliance programs to address evolving risks, regulations, and business environments. Compliance professionals should take a comprehensive approach, conducting holistic risk assessments that consider obvious and obscure compliance risks across the organization.

As the crew faces new challenges in the alternate reality, they must quickly learn from their experiences and refine their strategies. Compliance professionals should similarly adopt an iterative approach to improving their programs, constantly evaluating their effectiveness and making adjustments as needed. By drawing these parallels between the lessons from “The Spectre of the Gun” and the practices of effective compliance management, compliance professionals can strengthen their programs and foster a culture of continuous improvement within their organizations.

Spectre of the Gun provides valuable insights into ongoing monitoring and continuous improvement compliance concepts. The episode highlights the importance of constant assessment, adaptability, collaboration, and proactive problem-solving in navigating complex and dynamic challenges. For compliance professionals, the key takeaway is the need to establish robust monitoring systems, encourage adaptability and innovation, and foster a culture of collaboration and continuous improvement. By applying these principles, organizations can enhance compliance programs, effectively manage risks, and achieve sustainable success in an ever-evolving regulatory landscape. Just as the Enterprise crew adapted to and overcame the challenges presented by the Melkotians, compliance professionals must remain vigilant and proactive in navigating the complexities of modern compliance environments.

Join us tomorrow as we consider the lessons on mergers and acquisitions from the Star Trek episode The Ultimate Computer.

Categories
Blog

Transforming Culture: Part 5 – Ongoing Monitoring and Continuous Improvement of Culture

Boeing is not the first company to find itself amid a massive scandal. You can think of Siemens’ bribery and corruption scandal, the VW emissions-testing scandal, the Wells Fargo fraudulent accounts scandal, or any other myriad of corporate scandals where culture failed and created a toxic culture. The question for any organization in such a situation is how to transform its culture. Currently running on the Culture Crafters podcast on the Compliance Podcast Network is a 5–part of podcast series with myself and Sam Silverstein, the most trusted voice in America on accountability. (The Culture Audit™ is the sponsor of this blog post series.)

In this companion, 5-part blog post series, we have looked at how a company in the depths of such a toxic culture can begin to make a comeback by planning and taking concrete steps to turn around and rebuild its culture. In this concluding Part 5, we show why you must not simply stop after implementation but must monitor your culture continuously and work to improve it continuously. It is an ongoing work in progress, and you can always continue working on your corporate culture.

Ongoing monitoring is not something compliance professionals are unaware of or have never heard about. This concept must be used in your culture management strategy as well. You must assess how your culture management strategy is doing continuously. This is one of the power outcomes of The Culture Audit™ (the sponsor of this blog post series). Not only have you created a baseline of where your culture is at any point in time, but through ongoing use of the Culture Audit, you can measure your specific indices of culture on a go-forward or ongoing basis. You can then continually work to update as appropriate. If your organization needs greater trust, you can put further work into this through your speak-up culture.

Creating an organization’s speak-up culture is essential for fostering open communication, transparency, and employee trust. Such a culture encourages individuals to raise concerns, flag potential issues, and contribute to a safer and more accountable work environment. By prioritizing a speak-up culture, companies can proactively address challenges, prevent safety risks, and promote a culture of continuous improvement.

The significance of a speak-up culture must be balanced as a critical factor in ensuring organizational success and psychological safety. Silverstein emphasized the need for employees to feel safe, valued, and empowered to voice their opinions without fear of reprisal. He highlighted the role of trust and psychological safety in enabling individuals to speak up, noting that a culture that supports open communication leads to better decision-making processes and overall performance. The insights shared underscored the pivotal role of a speak-up culture in shaping a positive and proactive organizational environment.

Accountability in leadership is fundamental in setting the tone for organizational culture and fostering a sense of responsibility and integrity among team members. Leaders who demonstrate accountability model desired behaviors and create a culture where individuals take ownership of their actions and outcomes. By holding themselves and others accountable for their commitments and decisions, leaders cultivate a culture of trust, respect, and ethical conduct.

Leadership will always have a transformative impact on organizational dynamics. Emphasizing that accountability is a way of life rather than a mere task demonstrates leaders’ profound influence in shaping the values and norms within their teams. There must be consistency and fairness in holding individuals accountable. Leaders play a pivotal role in setting expectations and driving cultural change. The discussion underscores the critical role of leadership accountability in fostering a culture of integrity and excellence within organizations.

Changing organizational culture is a complex and multifaceted endeavor that requires a deliberate and strategic approach. Organizations seeking to shift their culture must assess the existing norms, values, and behaviors that shape their environment. By identifying areas for improvement and aligning cultural practices with desired outcomes, companies can embark on a journey of cultural transformation that enhances employee engagement, performance, and overall organizational success.

Companies can initiate meaningful change by defining and measuring the current culture, investing in training and education, and holding individuals accountable for upholding cultural values. You must align cultural initiatives with business objectives and ensure that cultural transformation efforts are embedded in every aspect of the organization. Organizations face challenges and opportunities when navigating cultural change, highlighting the critical role of leadership in driving lasting transformation.

The crucial role of leadership in shaping organizational culture provided valuable insights into the steps leaders can take to create a positive and thriving workplace environment. By prioritizing values, fostering open discussions about culture, and making data-driven decisions, organizations can pave the way for long-term success and employee well-being.