There are few works in Western Literature more read than The Odyssey. While a cadre of passionate specialists prefer The Iliad, it is The Odyssey which is most generally taught in US high schools. Part travelogue, part adventure yarn, part social commentary and part treatise on Greek morals and morality; it is still a rising tale well worth the time to read. Now Christopher Nolan is out with another movie version of The Odyssey. I have not yet seen the movie as of the writing of this blog post series.
I wanted to tackle The Odyssey from the compliance perspective. There are many things we can mine from this story. Over this week, I will discuss five of them. Today we consider where the story begins, The Trojan Horse as a control failure. On Tuesday, we look at The Lotus-Eaters: Culture Drift and the Comfort of Forgetting. On Wednesday, Circe’s Island: Third-Party Influence and Culture Capture. On Thursday we look at The Cattle of Helios: Non-Negotiables and Control Breaches. On Friday we conclude as Odysseus makes his way home to Ithaca and his wife Penelope and their son Telemachus in the tale of Peace in Ithaca: Building the Program After the Crisis.
Today we begin at the start of The Odyssey which directly follows the end of The Iliad. here are few business strategies more celebrated than the Trojan Horse. After ten long years of war, looked at the walls of Troy and realized brute force had failed. The Greeks could not smash their way in. They could not negotiate their way in. They could not outlast their way in. So Odysseus did what clever leaders often do when conventional methods fail: he found a workaround. Build a great wooden horse. Hide soldiers inside it. Leave it outside the gates as a supposed gift. Sail away, or at least appear to. Let the Trojans make the fatal decision themselves.
While from a strategic perspective, it was brilliant from a compliance perspective, an absolute nightmare. The Trojan Horse is usually remembered as a triumph of strategy. It should also be remembered as the original “trusted vendor attachment.” It arrived looking valuable, symbolic, and harmless. It came wrapped in a compelling story. It appealed to ego, fatigue, and optimism. And someone, somewhere inside Troy, approved bringing it through the gates.
The Gift That Bypassed Governance
Every organization has gates. Some are literal: firewalls, access controls, locked doors, badge readers, vendor onboarding systems. Others are procedural: approval matrices, procurement rules, due diligence reviews, cybersecurity assessments, conflict checks, and escalation protocols. The problem is that business opportunities rarely arrive wearing a sign that says, “Hello, I am a control failure.”
They arrive as partnerships. Strategic investments. Technology platforms. Emergency exceptions. Pilot programs. Customer demands. Board-level priorities. Innovation initiatives. “Just this once” requests. Special access for a trusted consultant. A new AI tool someone found useful. A supplier who can solve the problem quickly. A deal too good to slow down.
In other words, they arrive as gifts. The Trojans did not lose because they lacked walls. They lost because they made a poor risk decision at the gate. The control existed. The wall worked. The problem was judgment, governance, and process. A control environment is not only about having policies. It is about whether people use them when the pressure is on and the opportunity looks attractive.
When Cleverness Becomes the Risk
Odysseus was not a fool. He was a strategist. That is what makes this story so useful for compliance professionals and business leaders. Many compliance failures are not born from stupidity. They are born from intelligence used without discipline. A clever workaround can be useful. A clever workaround can also become a bypass around governance. The distinction matters.
Think about the employee who finds a faster way to onboard a vendor by skipping required due diligence. The sales executive who routes a discount through an unusual approval path to close the quarter. The business unit that adopts an unsanctioned software tool because IT is “too slow.” The senior leader who asks for an exception because “this is strategically important.” The team that shares sensitive information with a partner before the agreement is fully papered because “we trust them.”
Each decision may have a business rationale. Each may feel practical. Each may even produce a short-term win. But the compliance question is not simply, “Did it work?” The better question is, “What did it bypass?”
That is the Trojan Horse problem. The horse worked because it bypassed the normal defenses. In a modern company, that may mean bypassing cyber review, procurement checks, legal review, data protection analysis, sanctions screening, financial controls, conflict review, or code-of-conduct expectations. When leadership celebrates only the result, the organization learns the wrong lesson. It learns that controls are for ordinary days, not important ones. That is how culture begins to drift.
The Cybersecurity Lesson Inside the Horse
The Trojan Horse is one of the oldest stories in Western literature, but it feels remarkably current in an age of cyber risk and social engineering. A malicious file. A fake vendor invoice. A compromised supplier account. A phishing email that appears to come from a trusted executive. A third-party platform with excessive access. A contractor credential that is never disabled. A software update from a source no one properly vetted. These are modern Trojan Horses.
They do not always break the wall. They persuade someone to open the gate. This is why cybersecurity is not merely an IT function. It is a governance issue. NIST’s Cybersecurity Framework 2.0 places significant emphasis on the Govern function, which addresses how an organization establishes, communicates, and monitors its cybersecurity risk management strategy, expectations, and policy.
That is compliance language as much as cyber language. Who owns the risk? Who approves exceptions? Who monitors access? Who understands the business context? Who has authority to say no? Who makes sure the organization learns from near misses? If no one can answer those questions clearly, the horse is already inside the gate.
The Control Environment Is Tested by Attractive Risks
It is easy to say no to obviously bad ideas. The real test comes when the risk is attached to something the business wants. A lucrative customer. A prestigious partner. A promising technology. A powerful executive sponsor. A deadline. A crisis. A competitor moving faster. A board presentation next week. That is when the control environment reveals itself.
In a strong control environment, the organization can move quickly without becoming careless. It can evaluate risk without killing innovation. It can escalate concerns without making people feel disloyal. It can approve exceptions, but only with transparency, documentation, and accountability.
In a weak control environment, speed becomes the excuse for opacity. Trust becomes the substitute for diligence. Seniority becomes the override control. Documentation comes later, which usually means never. Compliance is invited after the decision has already been made. That is not innovation. That is improvisation with a budget.
The code of conduct should matter most when the business case is compelling. Internal controls should matter most when the pressure is real. Cybersecurity should matter most when the new tool looks exciting. Risk assessment should matter most when everyone is tired of waiting. Troy did not need a better wall. Troy needed a better approval process.
The Insider Threat Dimension
There is another uncomfortable lesson in the Trojan Horse. The Greeks got inside Troy because the Trojans cooperated with the plan. Not intentionally, perhaps. Not corruptly, necessarily. But they cooperated all the same. That is the nature of many insider threats.
The insider is not always a villain. Sometimes the insider is rushed, flattered, distracted, pressured, or insufficiently trained. Sometimes the insider believes they are helping. Sometimes they trust the wrong person. Sometimes they assume someone else has checked. That is why compliance programs cannot rely solely on good intentions.
Good people need good systems. They need clear policies, practical training, escalation paths, and a culture that rewards thoughtful skepticism. They need permission to ask: “Why are we bringing this inside the walls?”
This is especially important in organizations where questioning a business opportunity is seen as negativity. Compliance should not be the Department of No, but neither should the business become the Department of Please Do Not Ask Too Many Questions. Healthy skepticism is not cynicism. It is stewardship.
What a Better Program Does
A better compliance program does not ban wooden horses. It asks better questions before opening the gate. Who sent it? Why now? What access does it require? What data will it touch? What assumptions are we making? Has the vendor been reviewed? Has the technology been tested? Is there a conflict? Is there a regulatory issue? What is the worst-case scenario? Who approved the exception? How will we monitor it after approval?
The point is not to slow every decision. The point is to prevent charm, urgency, and executive enthusiasm from replacing governance. A strong program also makes risk ownership visible. If the business wants to accept a risk, that decision should be documented. If a control is bypassed, there should be a reason, an approver, a time limit, and compensating controls. If a new tool, vendor, or relationship is brought inside the organization, someone should be accountable for monitoring it. The Trojan Horse teaches that the most dangerous risks are not always the ones attacking from outside. Sometimes they are the ones we invite in because they look like success.
The Compliance Takeaway
Odysseus won because he understood human nature. He knew the Trojans would see what they wanted to see: victory, tribute, closure, and a symbol of their own endurance. That is the uncomfortable lesson for corporate compliance. Risk often enters through desire. The desire to win. To move fast. To close the deal. To trust the familiar. To avoid friction. To believe the story that makes the opportunity easier to approve.
Not every gift is a threat. Not every workaround is misconduct. Not every clever idea is a control failure. But every organization needs the discipline to ask whether cleverness is serving governance or bypassing it. The horse may be beautiful. The story may be compelling. The business sponsor may be persuasive. Open the gate only after the controls have done their work.
Join us tomorrow where we consider The Lotus-Eaters: Culture Drift and the Comfort of Forgetting.