Tag: COSO

Categories
Blog

Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations. It is that no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role which would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief risk and resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

Who owns each critical business service? What are the maximum tolerable disruptions? What systems, people, facilities, data, and third parties support each service? What severe but plausible scenarios have been tested? What vulnerabilities were identified? Who owns remediation? What evidence shows that remediation worked? What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.

Categories
Blog

From the Tower of Babel to the Boardroom: Part 5 – Workforce Transformation, Third-Party Risk, and Modern Slavery

Artificial intelligence often appears frictionless. A prompt goes in. An answer comes out. A report is summarized. A risk score is generated. A customer interaction is automated. A compliance analyst receives a faster answer. A business process becomes more efficient. Yet there is nothing frictionless about AI.

Behind every AI tool sits a human supply chain. Some workers label data, moderate content, train models, build infrastructure, mine minerals, assemble devices, maintain data centers, write code, manage vendors, and absorb the consequences when automation changes the nature of work. There are third parties, subcontractors, cloud providers, data brokers, model developers, implementation consultants, and business users. There are people whose labor, data, dignity, and livelihoods may be affected long before the board ever sees an AI dashboard. Now we turn to the human supply chain of AI: workforce transformation, third-party risk, and modern slavery.

The Magnifica Humanitas Lesson: AI Is Never Disembodied

Magnifica Humanitas makes a powerful point for compliance professionals: AI is not immaterial or magical. Pope Leo states, “Nothing in the world of AI is immaterial or magical.” That is a moral statement, but it is also a governance statement. The Encyclical explains that AI depends on natural resources, energy infrastructure, digital platforms, and human labor, including data labeling, model training, content moderation, and the extraction of materials needed for devices and microprocessors (Magnifica Humanitas, ¶173).

That is a direct compliance lesson. The risk does not begin when the company deploys an AI tool. The risk begins when the company selects the vendor, approves the use case, provides data, accepts contractual terms, relies on outputs, and fails to ask who and what sits behind the technology. The Encyclical is equally direct that digital systems can amplify hidden forms of exploitation and that supply chains supporting the technology industry should become transparent so competitive advantage is not built on hidden exploitation (Magnifica Humanitas, ¶179).

The document also speaks directly to work. It teaches that work is not simply an instrument, but a setting in which people develop, contribute, cooperate, support their families, and build together (Magnifica Humanitas, ¶148-149). It warns that AI can improve productivity while also de-skilling workers, subjecting them to automated surveillance, forcing them to adapt to the pace of machines, and eroding their agency (Magnifica Humanitas, ¶150). For the CCO, this means AI governance is not only about model risk. It is also about people’s risk.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Pope Leo calls for human-centred technology, social criteria for innovation, verifiable measures to protect employment, retraining, worker participation, and a corporate commitment to include the quality and dignity of work among the indicators of success (Magnifica Humanitas, ¶156). In corporate governance language, that means AI adoption should include workforce impact assessment, role-based training, human review, bias testing, privacy controls, speak-up protections, and board reporting.

The Encyclical also calls for preventive ethical verification, or due diligence, across the digital economy, with priority given to worker protection, the fight against forced labor, and assessment of the social impact of data-driven business models (Magnifica Humanitas, ¶179). For compliance professionals, that is third-party risk management. It means vendor due diligence, subcontractor transparency, audit rights, data provenance, labor standards, modern slavery review, incident reporting, and ongoing monitoring.

This is where the moral language of Magnifica Humanitas becomes the operating language of compliance. Human dignity becomes human rights due diligence. Shared responsibility becomes cross-functional governance. Transparency becomes supply chain visibility. Accountability includes naming owners, documentation, monitoring, testing, challenge, and remediation.

Workforce Transformation Is a Compliance Issue

AI will change work. That is not speculation. It is already changing how employees draft, analyze, monitor, investigate, review, report, and decide. The question is whether companies will manage this transformation with governance, transparency, and care, or allow automation to wash through the workforce as a cost-reduction exercise.

Compliance should not attempt to own a workforce strategy. That belongs with management, HR, legal, finance, and business leadership. But compliance should have a voice because workforce transformation creates culture risk, speak-up risk, retaliation risk, discrimination risk, privacy risk, monitoring risk, and internal controls risk. The Encyclical warns that innovation pursued solely for cost reduction and profit can produce job insecurity, inequality, and social instability (Magnifica Humanitas, ¶151).

A company using AI to evaluate employees, monitor productivity, screen applicants, assess performance, recommend discipline, or allocate opportunities should ask hard questions. What data is being used? Has the tool been tested for bias? Are employees informed? Can individuals challenge errors? Is human review required? Are managers trained not to over-rely on AI outputs? Is the tool increasing fairness, or simply making questionable decisions faster?

AI adoption should also include change management. Employees need training on approved AI use, prohibited data inputs, required human review, and escalation of concerns. They also need assurance that raising concerns about AI will not be punished. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether companies train employees on emerging technologies such as AI and whether companies have controls to monitor AI trustworthiness, reliability, intended use, human decision-making, and accountability. That is not only a technology expectation. It is a cultural expectation.

Third-Party AI Risk Is Not Ordinary Vendor Risk

AI vendors are not ordinary vendors when they touch sensitive data, influence consequential decisions, support compliance processes, provide core infrastructure, or rely on opaque subcontracting chains. A company may believe it is buying software. In reality, it may be acquiring a new decision system, a new data processor, a new compliance dependency, and a new supply chain exposure.

Magnifica Humanitas warns that major economic and technological actors can exercise de facto power over data, expertise, access, visibility, and opportunity. It calls for transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable data access, and avenues for recourse (Magnifica Humanitas, ¶71-72). For the CCO, that is a vendor governance mandate.

The ECCP already provides the compliance architecture. A well-designed compliance program should apply risk-based due diligence to third-party relationships, understand the business rationale, assess the risks posed, include appropriate contract terms, monitor third parties through updated due diligence, training, audits, and certifications, and use data to evaluate vendor risk during the relationship. Apply that directly to AI vendors.

The company should know what the AI tool does, what data it uses, whether company data will train or improve the model, where data is stored, who has access, what subcontractors are involved, whether outputs are explainable, what human review is required, how incidents are reported, and whether the vendor can support audit rights. The company should also ask whether the vendor uses third parties for data labeling, content moderation, model evaluation, or technical support, and what labor standards apply to those providers.

An AI vendor questionnaire should not stop at cybersecurity and privacy. It should cover human rights, labor standards, modern slavery risk, data provenance, subcontractor transparency, model governance, incident reporting, auditability, and exit rights.

Modern Slavery Risk in the AI Supply Chain

The risk of modern slavery may seem far removed from enterprise AI adoption. It is not. Magnifica Humanitas challenges that assumption by reminding us that the digital economy depends on physical infrastructure, extracted resources, hidden labor, and vulnerable workers. It specifically identifies data labeling, model training, content moderation, resource extraction, and trafficking-enabled misuse of digital platforms as part of the moral challenge of AI (Magnifica Humanitas, ¶173).

For compliance professionals, the lesson is straightforward. AI supply chain risk should be folded into third-party risk management and human rights due diligence. The company should not assume that because an AI provider has a sophisticated interface, the underlying chain is clean. Procurement and compliance should ask who performs outsourced labeling, testing, moderation, data enrichment, and support work. They should assess whether workers are paid fairly, protected from exposure to harmful content, free from coercion, and supported by appropriate safeguards.

This is especially important where vendors rely on lower-cost labor markets, opaque subcontracting, high-volume content review, or resource extraction. The issue is not whether every AI vendor is high risk. The issue is whether the company has a defensible process to identify which vendors, services, geographies, and labor practices require enhanced review.

The Encyclical makes this corporate obligation unusually concrete: supply chains underpinning the technology industry and digital economy should become more transparent; companies and investors should adopt clear due diligence criteria; and digital platforms should cooperate to prevent communication, payment, and profiling tools from becoming channels for recruitment and control of victims (Magnifica Humanitas, ¶179). A modern AI third-party program should therefore include labor and human rights due diligence at onboarding, contractual commitments, audit rights, subcontractor approval rights, certifications, incident reporting, and ongoing monitoring.

Frameworks for Governing the Human Supply Chain

NIST and ISO/IEC provide a practical structure for this work. NIST’s Generative AI Profile calls for acceptable use policies that address proprietary and open-source AI technologies, data, contractors, consultants, and other third-party personnel. It also identifies the need to document generative AI value-chain risks, plan for failures or incidents involving third-party data or systems, and continuously monitor third-party AI systems in deployment.

ISO/IEC 42001 provides a management-system approach for organizations that develop, provide, or use AI-based products or services. It supplies the governance discipline compliance professionals understand: policy, roles, risk assessment, controls, monitoring, performance evaluation, corrective action, and continual improvement.

COSO adds the internal controls discipline. COSO’s GenAI guidance emphasizes that generative AI is moving into operations and boardrooms faster than traditional governance models anticipated, and that risks such as cyber exposure, prompt manipulation, opaque reasoning, model drift, and configuration changes can jeopardize operations, reporting, and compliance if not addressed through robust internal controls.

Together, these frameworks point to the same conclusion. AI supply chain governance must be documented, controlled, monitored, tested, and improved.

Board Oversight: The Human Cost Must Be Visible

Boards do not need to manage AI vendors. They do need to oversee the systems management used to identify, assess, monitor, and remediate material AI risks. Under Caremark principles, directors must make a good-faith effort to oversee company operations. The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability and due diligence mandate.

For AI, the board should ask whether management has visibility into the human supply chain. Which AI vendors are critical? Which tools affect employees, customers, suppliers, or compliance decisions? Which vendors use subcontractors? Which AI tools rely on sensitive data? What labor and human rights risks have been identified? What workforce impacts are expected? What retraining is planned? What AI-related incidents have occurred? What open remediation items remain?

Magnifica Humanitas closes this portion of its analysis with a shared responsibility principle: innovation must be guided by institutions, businesses, intermediary organizations, educational communities, and citizens so that it serves integral human development rather than becoming a source of exclusion and dominance (Magnifica Humanitas, ¶180-181). The board failure will not be that the directors did not understand every model parameter. The failure would be failing to ask whether management has a reasonable system to govern AI’s human, third-party, and supply chain impacts.

5 Lessons for the CCO
  1. Map the human supply chain. The company should know the vendors, subcontractors, data sources, infrastructure providers, and outsourced labor that support material AI tools.
  2. Treat high-impact AI vendors as high-risk third parties. AI vendors that touch sensitive data, support consequential decisions, or affect compliance processes require enhanced due diligence, contractual protections, and ongoing monitoring.
  3. Build human rights and modern slavery risk into AI due diligence. Vendor reviews should address labor practices, subcontractors, content moderation, data labeling, resource extraction, worker protections, and geographic risk.
  4. Govern workforce transformation. AI adoption should include training, retraining, human review, transparency, privacy protections, bias testing, and speak-up channels for employee concerns.
  5. Report evidence to the board. Boards need visibility into AI vendor risk, workforce impact, supply chain exposure, incidents, remediation, and control testing.
Conclusion: From Babel to Responsible Reconstruction

The AI age will reward companies that innovate. But it will also test whether those companies can govern innovation with discipline, transparency, responsibility, and human primacy. The lesson of Magnifica Humanitas is that AI must remain at the service of the human person. That includes the employee whose job is changing, the worker hidden in the supply chain, the community affected by resource extraction, the customer subject to an automated decision, and the board charged with oversight.

This five-part series began with the Tower of Babel and the boardroom. Babel was power without humility. Nehemiah was rebuilding with responsibility. For the modern compliance professional, that is the AI governance choice. Pope Leo frames the alternative as progress that serves people or progress that subjects them to the mentality of power (Magnifica Humanitas, ¶129). We can allow AI to grow through hidden use, opaque vendors, weak controls, synthetic trust, and invisible human cost. Or we can build an AI governance program grounded in risk assessment, controls, accountability, transparency, human review, third-party diligence, workforce care, and board reporting.

The next step is to convert these five lessons into a practical board-ready AI governance checklist. That checklist should give directors, CCOs, general counsel, audit leaders, risk leaders, and CEOs a structured way to ask the right questions, demand the right evidence, and govern AI before AI governs the enterprise.

Categories
Blog

Thomas Hobbes and Why Every Compliance Program Needs Order

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider how Thomas Hobbes makes clear in his writings that no institution can function without order.

If Francis Bacon teaches that compliance must be grounded in evidence, René Descartes teaches that evidence must be examined rigorously, and John Locke teaches that a compliance system must be legitimate, Thomas Hobbes takes us to a different but equally important truth about structure.  That is where Hobbes becomes surprisingly relevant to the modern corporate compliance program.

That point can sound severe to modern ears, but compliance professionals understand it instinctively. Good intentions are not enough. Strong values are not enough. Even a trusted culture is not enough. A company also needs structure, clear rules, defined authority, escalation channels, and credible enforcement. Without them, pressure, ambiguity, and self-interest will fill the vacuum.

Hobbes is often remembered for his stark view of human nature and his argument that, in the absence of a strong governing authority, disorder follows. In his political philosophy, institutions exist in part to prevent chaos, conflict, and the breakdown of shared rules. While corporations are not states and employees are not citizens in the political sense, the organizational lesson is powerful. In any complex enterprise, when roles are unclear, rules are weak, exceptions become routine, and accountability is diffuse, people will default to local incentives, personal judgment, and short-term advantage. That is a dangerous environment for compliance.

Why Hobbes Matters to Compliance

Hobbes helps us understand something that compliance officers see every day: misconduct often flourishes not simply because individuals have bad intent, but because the system around them lacks structure. When approval processes are vague, when no one knows who owns a risk, when policies are written but not operationalized, when escalation lines are uncertain, or when managers believe standards are optional if performance is strong, disorder sets in. It may not look dramatic at first. It may look like improvisation, local flexibility, or entrepreneurial speed. But over time, that disorder becomes fertile ground for misconduct. Hobbes would not have been surprised.

His philosophy begins with the recognition that interests, fears, ambitions, and competing claims drive human beings. In the absence of a framework that organizes conduct, conflict, and opportunism follow. Translate that into corporate life, and the message becomes clear. Sales teams under pressure will rationalize shortcuts. Business sponsors will push third parties through onboarding if they believe control functions are merely advisory. Local managers will create informal workarounds if policies lack clear accountability. A company does not become more ethical by leaving such matters to improvisation. It becomes less governable. That is why compliance needs structure. Structure is what turns values into operations.

The DOJ Looks for Structure, Not Slogans

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Hobbesian insight throughout. Prosecutors do not simply ask whether a company talks about ethics. They ask whether the compliance function has authority, stature, autonomy, and resources. They ask who owns specific risks, how decisions are made, whether controls are implemented consistently, whether investigations are escalated properly, and whether disciplinary systems are enforced. Those are all questions about institutional order.

This is important because many organizations still overestimate the power of tone. Tone at the top matters. Culture matters. Legitimacy matters. But none of those can substitute for structure. A CEO can deliver a compelling speech about integrity. However, if the company’s third-party onboarding process is fragmented, if financial approvals can be bypassed informally, or if no one knows when a matter must be escalated to legal or compliance, then the organization has created a system in which disorder is likely.

Hobbes helps compliance professionals make this point without apology. Rules are not a sign of distrust. Controls are not bureaucratic excess. Escalation pathways are not obstacles to business. They are the architecture that prevents pressure and self-interest from overwhelming principle. The COSO Internal Controls Framework makes much the same point in a different vocabulary. The control environment, control activities, information and communication, and monitoring all depend on defined roles, clear expectations, and operational discipline. The Federal Sentencing Guidelines likewise assume that compliance requires standards, oversight, training, auditing, reporting, and consistent response. Hobbes would recognize all of that as institutional design for preventing disorder.

Policies Must Be Operational, Not Aspirational

One of the most common failures in corporate compliance is the belief that policy issuance is itself control. It is not. A policy can express a standard, but unless the company translates that standard into decision rights, workflows, approvals, and accountability, the policy remains aspirational. This is where Hobbes is especially useful. He reminds us that order is created not by declarations, but by mechanisms.

Take a gifts, travel, and entertainment policy. On paper, the policy may clearly prohibit excessive or improperly documented expenses. But the real compliance question is whether the operating system around the policy supports that standard. Who approves the expense? Is there a threshold that triggers additional review? Are government-facing interactions flagged? Is supporting documentation required before reimbursement? Are there analytics to identify unusual patterns? Are exceptions tracked? Can someone ask a friendly manager to sign off without scrutiny? If the answers are weak, the policy is weak, no matter how polished its language.

Internal Controls Are the Language of Order

If one wanted to translate Hobbes into modern corporate practice, one would end up talking about internal controls. Controls are how an organization embeds order into decision-making. They define who can do what, under what conditions, with what approvals, and with what oversight. They reduce discretion where discretion creates unacceptable risk. They separate duties so that no single actor can move money, approve vendors, or override procedures without a second set of eyes. They create documentation so that actions can be reviewed later. They make authority visible.

For compliance professionals, this is a critical point. Compliance is not merely about training people to do the right thing. It is also about designing systems that make the right thing more likely and the wrong thing harder to do. Hobbes would say that the institution failed to create sufficient order to contain foreseeable human behavior.

Escalation Is a Form of Governance

Another Hobbesian lesson for compliance is the importance of escalation. In poorly governed companies, people often know something is wrong but do not know where the issue should go, who owns the decision, or what threshold requires higher review. That uncertainty is one of the most dangerous forms of disorder because it allows time, politics, and convenience to shape the response. A mature compliance program should therefore have clear escalation pathways.

When does a third-party red flag require a compliance sign-off? When must legal be brought into an internal investigation? At what point does a matter involving senior leadership move to the audit committee or board? Who can approve an exception to policy, and what documentation must support it? Who decides whether a substantiated misconduct issue triggers broader control remediation? These are not administrative details. They are the channels through which institutional order is maintained.

The ECCP pays close attention to this issue because escalation is one of the clearest indicators of whether compliance has real authority. If important matters can be contained, softened, or rerouted informally by management, then the program is fragile. Hobbes would have recognized the danger immediately. Where the lines of authority are unclear, competing interests will rush in.

Enforcement Gives Standards Their Weight

No discussion of order would be complete without enforcement. Hobbes understood that rules without consequences are invitations to defection. The same is true in corporate compliance. A company may have excellent policies, robust training, and well-designed procedures, but if employees believe violations will be ignored, minimized, or treated selectively, the system loses force. This is where consistent discipline matters so much. John Locke helped us see discipline as a question of legitimacy and fairness. Hobbes adds a different point. Discipline is also what gives the rule structure its operational credibility. It signals that standards are real, that no one is exempt, and that the organization is willing to defend the order it has established.

This does not mean punitive excess. It means predictability and seriousness. A company should be able to explain how disciplinary outcomes are determined, how similar cases are handled, and how managers are held accountable not only for their own conduct but for the environments they create. High performers cannot be given private exemptions. Senior executives cannot be allowed to negotiate around standards. Informal workarounds cannot become tolerated customs. Hobbes would have called that a dangerous condition.

The Compliance Officer as Architect of Order

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, and Locke as a steward of legitimacy, Hobbes casts the compliance officer as an architect of order. The compliance officer helps turn principle into process. The compliance officer asks where authority sits, where decisions are made, where controls can be bypassed, where exceptions accumulate, where roles are unclear, and where escalation can fail. That work is not separate from ethics. It is one of the main ways ethics becomes operational inside a large organization.

This is especially important during periods of growth, restructuring, acquisitions, digital transformation, or market stress. Disorder often enters through change. New business lines are launched before roles are clarified. AI tools are deployed before governance is assigned. Third parties are engaged before diligence and monitoring are fully operational. Incentives are revised without understanding how they affect conduct. Hobbes reminds us that institutional order is not self-sustaining. It must be built, maintained, and defended.

Thomas Hobbes may seem like an austere companion for the modern compliance professional, but his lesson is both practical and urgent. Institutions do not drift into integrity. They require order.

Five Lessons from Thomas Hobbes for the Modern Compliance Professional

First, culture and values are essential, but they cannot substitute for structure. A company needs clear rules, defined roles, and operating discipline.

Second, policies are not controls unless they are translated into workflows, approvals, documentation, and accountability.

Third, internal controls are the mechanisms by which institutional order is embedded in business operations. They make the right behavior more likely and the wrong behavior harder to execute.

Fourth, escalation pathways are critical. Employees and managers must know when and how risk moves upward for review and decision.

Fifth, enforcement gives standards their weight. Rules without consistent consequences will eventually be overtaken by convenience and local incentives.

Coming Next: Isaac Newton and the Hidden Forces Behind Misconduct

If Thomas Hobbes teaches us why every compliance program needs order, Isaac Newton will help us understand something even deeper: misconduct is rarely random. It is produced by forces, incentives, pressures, and patterns that can be studied and addressed. In Part 5, I will explore how Newton’s systems-based way of thinking offers a powerful framework for root cause analysis, incentive review, compliance analytics, and proactive prevention. A mature compliance program does not simply respond to failure. It learns to understand the forces that make failure more likely.

Categories
Blog

Enlightenment Philosophers Week: Part 1 – Francis Bacon and the Compliance Program That Works in Practice

I have explored the work of ancient Greek and Roman philosophers to understand the underpinnings of the modern corporate compliance program. This week, I want to move to Enlightenment Thinkers. Our category is broader than that of philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes.

The five we will explore are Francis Bacon, René Descartes, John Locke, Thomas Hobbes, and Issac Newton. Today, we begin with Francis Bacon and the design of a compliance program that works not simply in theory but in practice.

There is a reason Francis Bacon is the right place to begin a series on what Enlightenment thinkers can teach us about modern corporate compliance. Bacon did not simply advance a philosophical idea. He changed the way serious people were supposed to think. He pushed inquiry away from inherited assumptions and abstract theorizing and toward observation, testing, evidence, and disciplined learning from experience. In many ways, that is the same journey corporate compliance has had to take.

For too long, compliance programs were judged by what they had on paper. Did the company have a code of conduct? Did it conduct annual training? Did it maintain a hotline? Did it have policies and procedures? Those questions still matter, of course, but they are no longer enough. The Department of Justice has made that point repeatedly through its Evaluation of Corporate Compliance Programs. The DOJ does not simply ask whether a company has a program. It asks whether the program is well designed, whether it is being applied earnestly and in good faith, and whether it works in practice. That final phrase could have been written by Bacon himself.

Why Bacon Matters to Compliance

Francis Bacon is most closely associated with empiricism, the idea that knowledge should be grounded in observation and experience rather than assumption or pure deduction. He believed that if you want to understand the world, you do not begin with what you hope is true. You begin with facts. You gather information. You test propositions. You challenge your own biases. Then you refine your conclusions based on the evidence. That mindset is at the heart of every effective compliance program.

A Chief Compliance Officer cannot assume that a policy is effective because it was well-drafted. A board cannot assume that a training program changes behavior because employees clicked through an online module. A legal department cannot assume that third-party due diligence is functioning because questionnaires are being completed. In each case, the real question is Baconian: what evidence do you have that the control is working as intended?

This is where philosophy becomes practice. Bacon gives compliance professionals a method. He reminds us that the difference between performative compliance and effective compliance is proof.

The DOJ Standard Is a Baconian Standard

The modern DOJ approach is deeply consistent with Bacon’s philosophy. The ECCP has moved the compliance conversation away from formalism and toward effectiveness. Prosecutors are instructed to consider whether a company has access to relevant data, whether it uses that data to monitor performance, whether it investigates red flags, whether it adapts the program based on lessons learned, and whether it performs root-cause analysis after misconduct occurs. That is not a paper exercise. That is evidence-based governance.

The DOJ is effectively saying that compliance must be a living system of observation, testing, response, and continuous improvement. In Bacon’s world, knowledge advances by disciplined interaction with reality. In the DOJ’s world, compliance credibility advances the same way. A company earns trust not because it announces a program, but because it can demonstrate through data, testing, and response that the program actually functions.

From Risk Assessment to Real Measurement

A Bacon-inspired compliance program begins with risk assessment, but it does not end there. Too many organizations treat the risk assessment as an annual exercise that produces a polished heat map and then disappears into a slide deck. Bacon would reject that approach. A risk assessment should be a working hypothesis about where misconduct and control failure are most likely to occur. That hypothesis must then be tested through monitoring, internal reporting, auditing, and data review.

Consider a company that identifies third-party risk as a top concern. A paper-based approach might stop with enhanced due diligence procedures and contract clauses. A Baconian approach goes further. It asks whether third parties are actually being onboarded according to policy, whether approvals are properly documented, whether high-risk distributors are subject to enhanced monitoring, whether payments match contractual terms, whether red flags are closed or merely noted, and whether the company can identify trends across geographies, business units, or product lines. That is where compliance becomes operational.

Monitoring Is How a Program Proves Itself

One of the clearest lessons Bacon offers is that observation must be ongoing. In compliance terms, that means monitoring is not an optional add-on. It is how the program proves itself. COSO has long emphasized monitoring as a core element of an effective internal control framework. The same logic applies to compliance more broadly. Monitoring tells a company whether its controls are operating consistently, whether local business practices are drifting from policy expectations, and whether emerging risks are being detected early enough to matter.

Hotline data is a good example. Many organizations report the number of calls received, but that is only the beginning. A Baconian compliance officer looks beneath the surface. Are certain allegations rising in a specific region? Are retaliation claims increasing after a business reorganization? Are reports being substantiated at a lower rate because employees do not understand what should be reported? Are investigation closure times lengthening in a way that undermines confidence in the process? Those are not just operational questions. There are questions about whether the compliance system is learning.

Root Cause Analysis Is Bacon in Action

If there is one area where Bacon’s influence should be explicit, it is root cause analysis. When misconduct happens, the least useful response is to identify the wrongdoer, discipline the individual, and move on. That may satisfy a desire for closure, but it does not satisfy the demands of an effective compliance program.

Bacon would ask a different set of questions. What conditions allowed this to happen? What signals were missed? Were incentives misaligned? Was a manager pressuring a sales team in ways that made policy noncompliance more likely? Did the control exist on paper but fail in operation? Was a prior warning sign identified but not escalated?

Those questions matter because substantive compliance violations are never random. It is often the product of pressure, weak controls, poor communication, bad assumptions, or failures to learn from earlier warning signs. Root cause analysis is the process by which a company examines the conditions that led to a failure and turns that failure into institutional knowledge.

Culture Needs Evidence Too

Compliance professionals often speak about culture, and they should. But here, too, Bacon has a warning for us. Culture cannot be measured only by slogans or tone-at-the-top statements. A company that wants to claim a strong ethical culture should be able to point to supporting evidence.

Do employees raise concerns without fear of retaliation? Are managers evaluated in part on ethical leadership? Do exit interviews reveal pressure points that formal reporting channels miss? Are discipline outcomes consistent across levels of seniority? Does the organization respond to bad news constructively or defensively? These are empirical questions. They require information, not aspiration.

This is where compliance, internal audit, legal, and HR can work together in a mature governance model. Surveys, hotline trends, investigation data, audit findings, and employee feedback all become part of the evidence base. Culture, in this framework, is not soft. It is observable. It can be tested, assessed, and strengthened.

The Compliance Officer as Institutional Scientist

Perhaps Bacon’s greatest gift to the compliance profession is this: he offers a model for what the compliance officer should be. Not merely a policy custodian. Not merely a trainer. Not merely an investigator. The modern compliance leader is, in part, an institutional scientist.

That phrase may sound grand, but it captures something important. The CCO studies how the organization really works. Which incentives shape conduct? Which controls hold under pressure? Where are the blind spots? What do the data show? What must change? In that sense, the compliance function is not external to the business. It is one of the primary ways the business learns about itself.

That is why evidence matters so much. It is the basis for credibility with the board, with regulators, and with employees. It is how a program shows that it is more than a collection of good intentions. Francis Bacon would have understood that immediately.

Five Lessons Learned for the Modern Compliance Professional

First, a compliance program must be judged by evidence, not by appearance. Policies and training matter, but proof of effectiveness matters more.

Second, risk assessments should be treated as working hypotheses that must be tested through monitoring, auditing, and ongoing review.

Third, data is central to the credibility of compliance. Hotline trends, investigation outcomes, audit findings, and control testing demonstrate that a company’s program works in practice.

Fourth, root cause analysis is essential. Misconduct should trigger institutional learning, not merely individual discipline.

Fifth, culture itself must be supported by evidence. Speak-up, non-retaliation, consistency in discipline, and employee trust are all observable markers of program health.

Coming Next: René Descartes and the Discipline of Internal Investigation

If Francis Bacon teaches us how to gather evidence, René Descartes teaches us what to do with it. In Part 2, I will examine how Descartes’ method of disciplined doubt provides a blueprint for internal investigations, allegation triage, and rigorous compliance inquiry. In a world of management narratives, incomplete facts, and pressure to reach quick conclusions, Descartes reminds us that the compliance professional’s first duty is not comfort. It is clear thinking.

Categories
Blog

COSO Meets GenAI: The Internal Controls Playbook for Compliance

If you are a compliance professional looking at your company’s GenAI rollout and wondering when the grown-ups will finally arrive, I have good news. They just did.

COSO has now stepped directly into the GenAI conversation with its new paper, Achieving Effective Internal Control Over Generative AI, and that matters a great deal. For those of us in compliance, internal audit, risk, and governance, COSO is not a shiny new acronym trying to catch the latest tech train. COSO is the train schedule. It is the framework that boards, auditors, controllers, and compliance professionals already understand. And with this publication, COSO has done something very important: it has translated GenAI risk into the language of internal control. That is exactly what the market needed.

Because up until now, too much of the GenAI discussion has lived in one of two places. Either it sat in the innovation lab with people talking breathlessly about transformation, or it sat in the legal department where everyone worried, quite correctly, about hallucinations, privacy, and bias. What has often been missing is the operational bridge between aspiration and assurance. COSO gives us that bridge. It says, in effect, GenAI is not outside your control environment. It is now part of it. And if it is part of it, then it must be governed, tested, monitored, and documented like any other significant business capability.

GenAI Does Not Change the Need for Control. It Changes the Terrain

One of the most important points in the COSO paper is that GenAI does not upend the COSO Internal Control-Integrated Framework. Rather, it changes the environment in which those controls operate. The five familiar COSO components remain the same: control environment, risk assessment, control activities, information and communication, and monitoring activities. What changes is the nature of the underlying risk. GenAI introduces probabilistic outputs, model drift, prompt injection, opaque reasoning, rapid configuration changes, and the adoption of shadow AI outside normal approval channels. That is a very useful framing for compliance officers.

It means we should stop treating AI governance as some exotic side project. If GenAI is used in operations, legal, finance, HR, procurement, investigations, or reporting, it belongs within your existing governance architecture. You do not need to invent a new religion. You need to apply the old disciplines to a new set of facts.

This is where compliance can and should lead. We understand what it means to build controls around fast-moving risk. We understand escalation, role clarity, training, monitoring, and accountability. COSO is effectively telling compliance professionals, “You already know more about governing GenAI than you think. Now apply that muscle memory with precision.”

A Capability-First Approach Is a Game Changer

The most practically useful innovation in the COSO guidance is its capability-first taxonomy. Rather than organizing AI controls by vendor, product name, or technical buzzwords, COSO focuses on what the GenAI system actually does. It identifies eight capability types: data extraction and ingestion; data transformation and integration; automated transaction processing and reconciliation; workflow orchestration; judgment, forecasting, and insight generation; AI-powered monitoring and continuous review; knowledge retrieval and summarization; and human-AI collaboration. That is enormously helpful because it is how compliance people actually work.

We do not manage risk by admiring the label on the software box. We manage risk by understanding what a tool does in a process, what can go wrong, how fast it can go wrong, and how the error propagates downstream. A GenAI tool that summarizes policies creates one set of risks. A GenAI agent that routes approvals, posts transactions, or helps shape regulatory disclosures creates another. COSO provides organizations with a common language for distinguishing among use cases and calibrating controls accordingly. That is not just elegant. It is actionable.

The Five Foundational Truths Every CCO Should Memorize

COSO also offers five foundational characteristics for GenAI internal control, and each should be printed and posted on the wall of every compliance office.

First, GenAI is probabilistic, not deterministic. In plain English, it can sound authoritative and still be wrong. Therefore, outputs must be treated as claims requiring validation, not facts to be accepted by default. Second, GenAI is dynamic. Models, prompts, and retrieval data evolve quickly, so controls and monitoring must keep pace. Third, GenAI is easily scalable, meaning it can scale both productivity and error rates. Fourth, it has a low barrier to entry, which is why shadow AI is such a real problem. Fifth, and perhaps most interestingly, GenAI can help govern GenAI through pattern detection, validation, and monitoring.

There is a lot packed into those five points. For compliance, the biggest takeaway is this: static governance will fail in a dynamic AI environment. Annual reviews will not cut it. A once-a-year policy refresh will not cut it. A single training session on acceptable use will not cut it. GenAI governance has to be living governance.

What COSO Says About the Control Environment

COSO starts where it should: tone, structure, and accountability. The paper says organizations need a GenAI acceptable use policy, clear ethical boundaries, oversight and accountability responsibilities, named owners for each AI tool or platform, role-based training, and accountability mechanisms tied not only to adoption but also to safety, compliance, and performance. Boards and cross-functional oversight groups need visibility into adoption, incidents, changes, and risk indicators.

That is a direct message to compliance leaders. If nobody owns the prompts, the retrieval connectors, the model configurations, the escalation path, or the approval structure, then nobody owns the risk. And in a regulatory environment moving steadily toward AI accountability, “nobody owned it” is not a defense. It is an indictment.

I particularly liked COSO’s emphasis that prompts, system prompts, and retrieval connectors should be treated as governed configurations. That is exactly right. Too many companies still treat prompting like an informal user habit rather than a control-relevant configuration choice. In a high-impact context, the prompt is not casual. It is part of the system.

Risk Assessment Must Get More Dynamic

COSO’s discussion of risk assessment is equally strong. It calls for use cases to have clearly defined objectives, acceptable and unacceptable boundaries, and success criteria. It also warns that organizations must first ask whether GenAI is even the right tool for the task. In some cases, traditional automation or deterministic systems may be safer and more reliable. The risk assessment should account for hallucinations, drift, provenance gaps, prompt injection, bias, third-party dependencies, and significant changes such as vendor updates, connector changes, or evolving regulations.

This is where compliance earns its keep. We are the ones who should be asking: What if the model changes quietly? What if the source data becomes stale? What if the retrieval layer excludes a critical policy update? What if the system routes something to the wrong approver? What if the tool is used in a context where a simpler and safer solution would do the job better?

COSO is right to emphasize scenario analysis and living risk registers. In the GenAI era, risk registers that only update annually are museum pieces.

Human-in-the-Loop Is Not Optional

When COSO turns to control activities, it gets very practical. It says GenAI outputs should be subject to human corroboration proportionate to risk, and in high-impact business, legal, or regulatory contexts, AI assistance should be segregated from authoritative decision-making. The paper also calls for version control, audit trails, access restrictions, change management, source citation requirements, segregation of duties, confidence thresholds, and documented approvals for configuration changes. That is the heart of responsible AI governance.

I was also struck by COSO’s discussion of reliance in an ICFR setting. The paper draws an important distinction between situations in which management relies on AI output as evidence of control effectiveness and situations in which a human independently re-performs the work. When true reliance exists, the evidentiary expectations rise: documented prompts, model versions, sampling rationale, exception resolution, and retained evidence.

Even beyond financial reporting, that concept is vital for compliance. The moment your team starts relying on GenAI output for sanctions reviews, due diligence summaries, monitoring alerts, investigative chronology, or policy interpretation, you have to ask a simple question: What is our evidence that this output was reliable enough to trust?

Monitoring Is Where the Real Work Begins

COSO’s final major lesson is that monitoring GenAI is not a one-and-done exercise. Organizations need continuous metrics and periodic deep reviews. They need to track precision, recall, exception volumes, latency, fairness, drift, and outcome quality. They need retraining triggers, rollback protocols, remediation logs, and playbooks for common AI control failures. COSO also makes the excellent point that in probabilistic systems, control failure may no longer be a simple pass-fail matter. Organizations may need multi-metric tolerance ranges across dimensions such as accuracy, bias, leakage, explainability, and change velocity.

That is a sophisticated and realistic view. Compliance teams should take it seriously because it reflects the world we are moving into. AI control effectiveness will not be judged solely by whether a control exists on paper. It will be judged by whether the organization can show that it monitors performance, investigates deviations, remediates failures, and adapts as the technology changes.

The Bottom Line

The real genius of the COSO GenAI framework is that it takes AI out of the abstract and puts it where it belongs: inside the machinery of governance. It turns the conversation from “Do we have an AI policy?” to “Do we have effective internal control over AI use?” That is a far better question.

For compliance officers, the action items are clear. Inventory your GenAI use cases. Classify them by capability. Identify owners. Assess risk dynamically. Put human review where the stakes justify it. Govern prompts and configurations, such as controlled assets. Monitor continuously. And do not let your AI strategy outrun your control environment.

Because in the end, the organizations that benefit most from GenAI will not be the ones that moved fastest with the fewest guardrails. They will be the ones who figured out how to innovate with discipline. That is not bureaucracy. That is a competitive advantage.

Categories
10 For 10

10 For 10: Top Compliance Stories For the Week Ending July 19, 2025

Welcome to 10 For 10, the podcast that brings you the week’s top 10 compliance stories in one episode each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  • SEC sanctions CCO who altered documents. (SEC Order)
  • The SEC grants $5 million in whistleblower awards. (Law360)
  • Meta settles shareholder claims on data privacy violations. (WSJ)
  • A Wells Fargo employee was denied departure from China. (WSJ)
  • ABC heads to the BVI to find out why it is dragging its feet. (The Guardian)
  • COSO pulls its Corporate Governance Framework (Radical Compliance)
  • Corruption comes to the Cannes Film Festival. (Ad Age)
  • SEC drops case against former Cognizant execs. (SEC Press Release)
  • FCA to take on workplace bullying. (FT)
  • Ramaphosa opens corruption investigation. (NYT)

You can donate to flood relief for victims of the Kerr County flooding by going to the Hill Country Flood Relief here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Daily Compliance News

Daily Compliance News: July 17, 2025, The COSO Yanked Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, including compliance, ethics, risk management, leadership, or general interest, relevant to the compliance professional.

Top compliance stories:

  • DOJ fires Maxwell prosecutor. (WSJ)
  • ABC heads to the BVI to find out why it is dragging its feet. (The Guardian)
  • COSO pulls its Corporate Governance Framework (Radical Compliance)
  • Samsung boss cleared of fraud charges. (BBC)

You can donate to flood relief for victims of the Kerr County flooding by going to the Hill Country Flood Relief here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Assessing Internal Controls

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we look at how to assess your internal controls under COSO.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – COSO Objective 5 – Monitoring Activities

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with concise, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we conclude our look at the 5 COSO Objectives: Number V—Monitoring Activities.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here: https://bit.ly/433bKre

Categories
Compliance Tip of the Day

Compliance Tip of the Day – COSO Objective 4 – Control Information and Communication

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we continue our look at the 5 COSO Objectives. Today, Number IV—Control Information and Communication.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.