Categories
Blog

The Odyssey and Compliance, Part 1 – The Trojan Horse: When Cleverness Becomes a Control Failure

There are few works in Western Literature more read than The Odyssey. While a cadre of passionate specialists prefer The Iliad, it is The Odyssey that is most generally taught in US high schools. Part travelogue, part adventure yarn, part social commentary, and part treatise on Greek morals and morality, it is still a rousing tale well worth the time to read. Now, Christopher Nolan is out with another movie version of The Odyssey. I have not yet seen the movie as of this writing.

I wanted to tackle The Odyssey from the compliance perspective. There are many things we can mine from this story. Over the course of this week, I will discuss five of them. Today, we consider where the story begins: the Trojan Horse as a failure of control. On Tuesday, we look at The Lotus-Eaters: Culture Drift and the Comfort of Forgetting. On Wednesday, Circe’s Island: Third-Party Influence and Culture Capture. On Thursday, we look at The Cattle of Helios: Non-Negotiables and Control Breaches. On Friday, we conclude with Odysseus making his way home to Ithaca and to his wife, Penelope, and their son, Telemachus, in the tale of Peace in Ithaca: Building the Program After the Crisis.

Today, we begin with The Odyssey, which directly follows the end of The Iliad. Here are a few business strategies more celebrated than the Trojan Horse. After ten long years of war, he looked at the walls of Troy and realized brute force had failed. The Greeks could not smash their way in. They could not negotiate their way in. They could not outlast their way in. So Odysseus did what clever leaders often do when conventional methods fail: he found a workaround. Build a great wooden horse. Hide soldiers inside it. Leave it outside the gates as a supposed gift. Sail away, or at least appear to. Let the Trojans make the fatal decision themselves.

While it was brilliant from a strategic perspective, it was an absolute nightmare from a compliance perspective. The Trojan Horse is usually remembered as a triumph of strategy. It should also be remembered as the original “trusted vendor attachment.” It arrived looking valuable, symbolic, and harmless. It came wrapped in a compelling story. It appealed to ego, fatigue, and optimism. And someone, somewhere inside Troy, approved bringing it through the gates.

The Gift That Bypassed Governance

Every organization has gates. Some are literal: firewalls, access controls, locked doors, badge readers, and vendor onboarding systems. Others are procedural: approval matrices, procurement rules, due diligence reviews, cybersecurity assessments, conflict checks, and escalation protocols. The problem is that business opportunities rarely arrive wearing a sign that says, “Hello, I am a control failure.”

They arrive as partnerships. Strategic investments. Technology platforms. Emergency exceptions. Pilot programs. Customer demands. Board-level priorities. Innovation initiatives. “Just this once” requests. Special access for a trusted consultant. A new AI tool that someone found useful. A supplier who can solve the problem quickly. A deal too good to slow down.

In other words, they arrive as gifts. The Trojans did not lose because they lacked walls. They lost because they made a poor risk decision at the gate. The control existed. The wall worked. The problem was judgment, governance, and process. A control environment is not only about having policies. It is about whether people use them when the pressure is on and the opportunity looks attractive.

When Cleverness Becomes the Risk

Odysseus was not a fool. He was a strategist. That is what makes this story so useful for compliance professionals and business leaders. Many compliance failures are not born from stupidity. They are born from intelligence used without discipline. A clever workaround can be useful. A clever workaround can also serve as a bypass of governance. The distinction matters.

Think about the employee who finds a faster way to onboard a vendor by skipping required due diligence. The sales executive who routes a discount through an unusual approval path to close the quarter. The business unit that adopts an unsanctioned software tool because IT is “too slow.” The senior leader who asks for an exception because “this is strategically important.” The team that shares sensitive information with a partner before the agreement is fully papered because “we trust them.”

Each decision may have a business rationale. Each may feel practical. Each may even produce a short-term win. But the compliance question is not simply, “Did it work? “The better question is, “What did it bypass? ”

That is the Trojan Horse problem. The horse worked because it bypassed the normal defenses. In a modern company, that may mean bypassing cyber review, procurement checks, legal review, data protection analysis, sanctions screening, financial controls, conflict review, or code of conduct expectations. When leadership celebrates only the result, the organization learns the wrong lesson. It learns that controls are for ordinary days, not important ones. That is how culture begins to drift.

The Cybersecurity Lesson Inside the Horse

The Trojan Horse is one of the oldest stories in Western literature, but it feels remarkably current in an age of cyber risk and social engineering. A malicious file. A fake vendor invoice. A compromised supplier account. A phishing email that appears to come from a trusted executive. A third-party platform with excessive access. A contractor credential that is never disabled. A software update from a source no one properly vetted. These are modern Trojan Horses.

They do not always break the wall. They persuade someone to open the gate. This is why cybersecurity is not merely an IT function. It is a governance issue. NIST’s Cybersecurity Framework 2.0 places significant emphasis on the Governance function, which addresses how an organization establishes, communicates, and monitors its cybersecurity risk management strategy, expectations, and policies.

That is compliance language as much as cyber language. Who owns the risk? Who approves exceptions? Who monitors access? Who understands the business context? Who has the authority to say no? Who makes sure the organization learns from near misses? If no one can answer those questions clearly, the horse is already inside the gate.

Attractive Risks Test the Control Environment

It is easy to say no to obviously bad ideas. The real test comes when the risk is attached to something the business wants. A lucrative customer. A prestigious partner. A promising technology. A powerful executive sponsor. A deadline. A crisis. A competitor is moving faster. A board presentation next week. That is when the control environment reveals itself.

In a strong control environment, the organization can move quickly without becoming careless. It can evaluate risk without killing innovation. It can escalate concerns without making people feel disloyal. It can approve exceptions, but only with transparency, documentation, and accountability.

In a weak control environment, speed becomes the excuse for opacity. Trust becomes the substitute for diligence. Seniority becomes the overriding control. Documentation comes later, which usually means never. Compliance is invited after the decision has already been made. That is not innovation. That is improvisation with a budget.

The code of conduct should matter most when the business case is compelling. Internal controls should matter most when the pressure is real. Cybersecurity should matter most when the new tool looks exciting. Risk assessment should matter most when everyone is tired of waiting. Troy did not need a better wall. Troy needed a better approval process.

The Insider Threat Dimension

There is another uncomfortable lesson in the Trojan Horse. The Greeks got inside Troy because the Trojans cooperated with the plan. Not intentionally, perhaps. Not corruptly, necessarily. But they cooperated all the same. That is the nature of many insider threats.

The insider is not always a villain. Sometimes the insider is rushed, flattered, distracted, pressured, or insufficiently trained. Sometimes the insider believes they are helping. Sometimes they trust the wrong person. Sometimes they assume someone else has checked. That is why compliance programs cannot rely solely on good intentions.

Good people need good systems. They need clear policies, practical training, escalation paths, and a culture that rewards thoughtful skepticism. They need permission to ask, “Why are we bringing this inside the walls? ”

This is especially important in organizations where questioning a business opportunity is viewed negatively. Compliance should not be the Department of No, but neither should the business become the Department of Please Do Not Ask Too Many Questions. Healthy skepticism is not cynicism. It is stewardship.

What a Better Program Does

A better compliance program does not ban wooden horses. It asks better questions before opening the gate. Who sent it? Why now? What access does it require? What data will it touch? What assumptions are we making? Has the vendor been reviewed? Has the technology been tested? Is there a conflict? Is there a regulatory issue? What is the worst-case scenario? Who approved the exception? How will we monitor it after approval?

The point is not to slow down every decision. The point is to prevent charm, urgency, and executive enthusiasm from replacing governance. A strong program also makes risk ownership visible. If the business wants to accept a risk, that decision should be documented. If a control is bypassed, there should be a reason, an approver, a time limit, and compensating controls. If a new tool, vendor, or relationship is brought inside the organization, someone should be accountable for monitoring it. The Trojan Horse teaches that the most dangerous risks are not always those from outside. Sometimes they are the ones we invite in because they look like success.

The Compliance Takeaway

Odysseus won because he understood human nature. He knew the Trojans would see what they wanted to see: victory, tribute, closure, and a symbol of their own endurance. That is the uncomfortable lesson for corporate compliance. Risk often enters through desire. The desire to win. To move fast. To close the deal. To trust the familiar. To avoid friction. To believe the story makes the opportunity easier to approve.

Not every gift is a threat. Not every workaround is misconduct. Not every clever idea is a control failure. But every organization needs the discipline to ask whether cleverness is serving governance or bypassing it. The horse may be beautiful. The story may be compelling. The business sponsor may be persuasive. Open the gate only after the controls have done their work.

Join us tomorrow, where we consider The Lotus-Eaters: Culture Drift and the Comfort of Forgetting.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Atlanta Hawks Scandal: Lessons in Financial Misconduct

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss the basics of fraud prevention with headlines torn from the NBA and a FinServ enforcement action.

The embezzlement scandal at the Atlanta Hawks has drawn attention to critical weaknesses in corporate governance and internal control systems, serving as a cautionary tale for organizations everywhere. They view the scandal as a glaring example of the consequences of neglecting internal controls and the segregation of duties, where an executive, Leslie Jones, exploited their finance role to embezzle funds for personal indulgences. His experience underscores the value of routine audits, which, despite their perceived monotony, are essential for uncovering fraud. Meanwhile, Matt is equally concerned, focusing on the need for robust internal controls and the principle of least privilege, warning against granting excessive access to employees to prevent misuse of power and safeguard organizational integrity.

Key Highlights

  • Lessons from Atlanta Hawks Fraud Case
  • Least Privilege Access for Preventing Financial Fraud
  • Financial Data Examination for Fraud Detection
  • Executives’ Lavish Misconduct: Lessons in Ethics

Resources

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award winning podcast, Compliance into the Weeds was most recently honored as one of a Top 25 Regulatory Compliance Podcast and a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, Communicator and w3 Award, all for podcast excellence.

Categories
Blog

From Controls to Culture: Building Anti-Corruption Programs that Address Fraud, Waste, and Abuse

Fraud, waste, and abuse are not just buzzwords in the government sector. They represent a real continuum of risk that every private sector company must confront. In fact, when designing or refreshing an anti-corruption compliance program, these three categories should not be seen as separate from bribery and corruption risks; they are integral to them. Bribery schemes thrive in environments where fraud is unchecked, where waste is tolerated, and where abuse of authority is normalized.

A truly effective anti-corruption compliance program, therefore, must address fraud, waste, and abuse head-on. Each requires different tools, but all rest on the same foundation: clear expectations, adequate controls, data-driven monitoring, and a culture of accountability. Yesterday, we took a deep dive into the three concepts behind fraud, waste, and abuse. Today, we continue our primer on fraud, waste, and abuse for the compliance professional by exploring how compliance professionals can operationalize their ABC framework to help fight these corporate scourges.

1. Fraud Prevention: Strengthening the Control Environment

Fraud sits at the heart of most corruption schemes. Bribery rarely occurs without the use of falsified invoices, fraudulent expense reports, or deceptive third-party contracts. That’s why fraud prevention measures must be embedded directly into your anti-corruption compliance program.

Practical steps include:

  • Segregation of duties. No single employee should have the authority to control both vendor approval and invoice payment. Splitting responsibilities closes off avenues for concealment.
  • Mandatory rotations or vacations. Employees in high-risk positions, such as procurement or finance, should be required to take periodic breaks. This not only reduces burnout but also increases the chance of uncovering irregularities.
  • Third-party due diligence. Vendors, distributors, and consultants are often used as conduits for corrupt payments. Screening them for red flags of fraud and corruption is essential.
  • Hotlines and reporting mechanisms. Anonymous channels encourage employees to report fraudulent or corrupt activity before it escalates.

Finally, modern fraud prevention is inseparable from data analytics. Reviewing transactions for anomalies in billing, procurement, or travel can help compliance officers identify both fraudulent activity and corruption red flags early.

2. Waste Reduction: Linking Efficiency to Integrity

Waste may not sound like a corruption risk at first, but it often creates the environment in which corrupt practices thrive. When organizations tolerate careless spending or redundant processes, they signal that accountability is optional. Waste becomes the fertile soil in which corruption can take root.

Practical steps include:

  • Cross-functional accountability. Compliance should collaborate with finance, procurement, and operations to ensure efficient allocation of resources.
  • Tracking key waste indicators. Duplicate software licenses, unnecessary travel expenses, or high energy consumption may not be fraudulent, but they represent vulnerabilities that can be exploited. Left unchecked, they normalize sloppy practices that corrupt employees can exploit.
  • Integrating waste metrics into compliance dashboards. If a business unit consistently demonstrates waste, it may also be vulnerable to bribery risks, particularly in operations that are heavily reliant on procurement.

By spotlighting waste, compliance leaders not only save the company money but also reinforce a culture of stewardship and integrity, two qualities that reduce the likelihood of corruption.

3. Abuse Control: Guarding Against the Gray Areas

Abuse often serves as the gateway to corruption. It thrives in gray zones, where managers stretch policies, exploit loopholes, or turn a blind eye to questionable behavior. Abuse may not always cross a legal line, but it corrodes culture and opens the door to bribery and unethical decision-making.

Practical steps include:

  • Tone from the top and middle. Executives and line managers alike must model integrity. If leaders exploit perks or bend rules, employees will assume similar behavior is acceptable in dealing with third parties.
  • Policy clarity. Abusive practices often hide in vague policies. For example, a travel policy that allows “reasonable upgrades” without definition invites abuse. Aligning policies with anti-corruption standards closes these loopholes.
  • Incentive structures. Embedding transparency and fairness into performance reviews and rewards ensures managers do not cut ethical corners to hit financial targets.

By shrinking the space in which abuse can thrive, companies make it more difficult for corrupt practices to become normalized.

4. Leverage Data Analytics: Uncovering Patterns Across Risk Categories

Corruption schemes are rarely isolated. They often weave together fraud, waste, and abuse. That’s why analytics should not be siloed. A robust anti-corruption program integrates monitoring across multiple risk vectors.

Practical applications include:

  • Travel and entertainment analytics. Reviewing expense reports can uncover fraudulent receipts, wasteful spending, or abusive upgrades. These same reports may also reveal bribery risks if entertainment involves government officials or high-risk clients.
  • Procurement analytics. Comparing vendor pricing across regions may reveal fraudulent invoicing, excessive costs (resulting in wasteful spending), or favoritism (abuse of power). It can also reveal third parties that may be used as conduits for corruption.
  • Cross-data integration. Linking procurement, HR, and finance data highlights unusual patterns. For example, a sudden spike in overtime in a high-risk market may flag both payroll abuse and potential red flags for corruption.

Data analytics transforms compliance from a reactive to a proactive discipline, catching issues before they metastasize into a full-blown corruption scandal.

5. Whistleblower Empowerment: The Human Early Warning System

Even the most advanced controls and analytics cannot replace human intelligence. Employees are the first to notice when fraud, waste, or abuse is occurring. But unless they feel safe speaking up, those observations remain hidden.

Practical steps include:

  • Robust reporting channels. Multiple options, including hotlines, digital portals, or direct reporting to compliance, all make it easier for employees to raise concerns.
  • Protection against retaliation. Employees must trust that speaking up won’t cost them their careers. Policies must be clear, and enforcement consistent.
  • Timely follow-up. When employees report fraud, waste, or abuse, prompt investigation and feedback demonstrate that the company takes reports seriously.

In the context of anti-corruption compliance, whistleblowers are invaluable. They can flag bribery schemes before external regulators or auditors uncover them.

Building Resilience by Tackling All Three

An anti-corruption compliance program that focuses only on bribery risks but ignores fraud, waste, and abuse is incomplete. Fraud fuels corruption, waste fosters the conditions where it flourishes, and abuse normalizes the behavior that enables it.

By embedding fraud prevention, waste reduction, abuse control, data analytics, and whistleblower empowerment into your anti-corruption framework, you create a resilient program that goes beyond compliance checklists. You demonstrate stewardship to shareholders, accountability to employees, and integrity to regulators.

The fight against corruption is not won by policing bribery alone. It is won by creating a culture where fraud, waste, and abuse cannot survive and where transparency, efficiency, and fairness are the norm. That is the true mandate for today’s compliance professional.

Categories
Compliance Into the Weeds

Compliance Lessons from Uvalde

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In perhaps our most somber podcast ever, Matt and Tom take a deep dive into some of the failures which led to the tragedy in Uvalde, TX, and lessons for the compliance professional. Highlights include:

  • Why have controls?
  • How can a control over-ride impact safety?
  • How can you prepare for emergencies?
  • Thought-out lines of communication were created before the emergency.
  • When leadership is tested.
  • What is the difference between ethical values and ethical priorities?

Resources

Matt in Radical Compliance