Categories
Innovation in Compliance

Innovation in Compliance – Healthcare Compliance: Fraud, Waste & Abuse, Culture, and Data-Driven Risk Management with Evan Sampson

Innovation occurs across many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Evan Sampson, a noted health care compliance attorney.

Sampson traces his path from commercial litigation to representing healthcare practices on HIPAA/privacy and reimbursement matters, then moving in-house at a network of plastic surgery centers, where he managed compliance focused on fraud, waste, and abuse, and on evolving out-of-network billing rules leading into the No Surprises Act. Sampson explains how compliance programs can create business value beyond risk mitigation by uncovering inefficiencies and opportunities, such as identifying downcoding in medical billing and using complaint investigations to spot growth areas. He describes how his litigation background helps him anticipate how issues will unfold over time in investigations and litigation, thereby improving his credibility with business leaders. They discuss building a culture of compliance in fast-growing healthcare organizations, tracking regulatory changes across primary and secondary sources, and leveraging AI and data analytics to detect claim outliers and strengthen compliance.

Key highlights:

  • Healthcare Compliance Shift
  • Fraud, Waste, and Abuse
  • Compliance Creates Value
  • Building Compliance Culture
  • Tracking Regulatory Changes
  • AI in Compliance Analytics

Resources:

Evan Sampson on LinkedIn

Post & Schell

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
All Things Investigations

ATI Podcast: Inhouse Insights – Building and Benefiting from a Culture of Compliance

Welcome to the inaugural episode of the newly rebranded ATI Podcast: Inhouse Insights—formerly known as All Things Investigations.

Presented by the Hughes Hubbard & Reed LLP Anti-Corruption & Internal Investigations Practice Group, this premiere episode sets the tone for a bold new chapter—bringing practical, in-house perspectives to today’s most pressing compliance challenges.

Host Michael DeBernardis welcomes Darryl Cyphers Jr., Senior Director of Legal Compliance at Klaviyo, for a candid and forward-looking conversation on how organizations can build—and sustain—a culture of compliance that actually works.

Together, they explore how compliance leaders can move beyond policies on paper to create real organizational impact—through measurable culture metrics, smarter use of AI to drive policy engagement, authentic tone at the top, and meaningful collaboration with HR and business partners. Darryl also shares practical guidance for navigating compliance gray areas and strengthening trust through continuous employee engagement and feedback.

Highlights include:

  • Defining a modern culture of compliance
  • Metrics and tools for measuring cultural effectiveness
  • Employee engagement and feedback that drive results
  • Building partnerships across HR and business teams
  • Innovative and engaging compliance training approaches
  • Navigating gray areas with confidence and credibility

Resources:

Hughes Hubbard & Reed Website

Klaviyo

Darryl Cyphers Jr. on LinkedIn

Categories
Blog

The Starliner, Culture and Compliance: Leadership Lessons from a NASA Investigation Report

Corporate compliance professionals spend a lot of time talking about controls, training, third parties, and investigations. Yet the hard truth is that the most important control environment sits above all of that: leadership behavior and the culture it creates. That is why this NASA investigation report on the Boeing CST-100 Starliner Crewed Flight Test (CFT) is such a useful case study. It is a technical report, to be sure. But it is also a cultural, leadership, and governance report. NASA’s bottom line is unambiguous: technical excellence and safety require transparent communication and clear roles and responsibilities, not as slogans, but as operating requirements that must be institutionalized so safety is never compromised in pursuit of schedule or cost.

If you are a Chief Compliance Officer, General Counsel, or business leader, you should read this report the way you read an enforcement action. Not to gawk. Not to assign blame. But to harvest lessons for your own organization before you have your own high-visibility close call.

The incident(s) that led to the report

The CFT mission launched June 5, 2024, as a pivotal step toward certifying Starliner to transport astronauts to the International Space Station. It was planned as an 8-to-14-day mission but was extended to 93 days after significant propulsion system anomalies emerged. Ultimately, the Starliner capsule returned uncrewed, while astronauts Barry “Butch” Wilmore and Sunita “Suni” Williams returned aboard SpaceX’s Crew-9 Dragon in March 2025. In February 2025, NASA chartered a Program Investigation Team (PIT) to examine the technical, organizational, and cultural factors contributing to the anomalies.

The report describes four major hardware anomaly areas, including Service Module RCS thruster fail-offs that temporarily caused a loss of 6 Degrees of Freedom control during ISS rendezvous and required in-situ troubleshooting to recover enough capability to dock, a Crew Module thruster failure during descent that reduced fault tolerance, and helium manifold leaks where seven of eight Service Module helium manifolds leaked during the mission. The PIT further determined that the 6DOF loss during rendezvous met criteria for a Type A mishap (or at least a high-visibility close call), underscoring how close the program came to a very different ending.

That is the “what.” For compliance professionals, the “so what” is that NASA did not treat this as a purely engineering problem. It treated it as an integrated system failure, in which culture and leadership either reduce risk or magnify it.

Lesson 1: Decision authority is culture, not paperwork

One of the report’s clearest threads is that fragmented roles and responsibilities delayed decision-making and eroded confidence. In the compliance world, unclear decision rights become the breeding ground for “informal governance”: private conversations, end-runs around committees, and decisions that are never fully documented. Over time, that becomes a shadow-control environment that your policies cannot touch.

Compliance action steps

  • Define decision rights for the riskiest calls (high-risk third parties, market entry, major remediation, critical incidents).
  • Require a short, written record of: facts reviewed, options considered, dissent captured, decision made, and owner accountable.
  • Separate “recommendation authority” from “approval authority” so everyone knows where they sit.

Lesson 2: Transparency is a control, and selective data sharing destroys trust

The report explicitly flags that the lack of data access fueled concerns about selective information sharing. Interviewees described frustration that information could be filtered, selectively chosen, or sanitized, which eroded confidence in the process and people. It also notes reports of questions being labeled “too detailed” or “out of scope” without mechanisms to ensure concerns were addressed. That is the compliance danger zone. When teams believe the narrative matters more than the data, they stop escalating early. They start documenting defensively. They seek safety in silence.

Compliance action steps

  • Build “open data” expectations into your incident response and investigative protocols.
  • Create a defined pathway for technical or subject-matter dissent to be logged, reviewed, and dispositioned.
  • Treat meeting notes and decisions as governed records, not optional artifacts.

Lesson 3: Risk acceptance without rigor becomes “unexplained anomaly tolerance”

NASA calls out “anomaly resolution discipline” and warns that repeated acceptance of unexplained anomalies without root cause can lead to recurrence. That single lesson belongs on a poster in every compliance office. In corporate terms, “unexplained anomalies” are recurring control exceptions, repeat hotline themes, repeated third-party red flags, and audit findings that are “managed” rather than fixed. If leadership normalizes that pattern, it teaches the organization that closure is more important than correction.

Compliance action steps

  • Require root cause analysis for repeat issues, not just incident closure.
  • Set escalation thresholds for “repeat with no root cause” findings.
  • Audit remediation quality, not only remediation completion.

Lesson 4: Partnerships fail when “shared accountability” is not operationalized

The report emphasizes that shared accountability in the commercial model was inconsistently understood and applied. It also notes that historical relationships and private conversations outside formal forums created perceptions of blurred boundaries, favoritism, and lack of objectivity, whether or not those perceptions were accurate. Compliance teams have seen this movie. Think distributors, joint ventures, outsourced compliance support, and major technology partners. If accountability is shared in theory but siloed in practice, something will fall through the cracks. Usually, it falls right into your lap when regulators arrive.

Compliance action steps

  • Define “shared accountability” in contracts, governance charters, and escalation protocols.
  • Ensure independence and objectivity are protected by design, not by personality.
  • Create joint forums where data is shared broadly, dissent is recorded, and decisions are made openly.

Lesson 5: Burnout is a risk factor, and meeting chaos is a governance failure

The report’s recommendations recognize the operational reality: high-pressure environments can degrade decision quality. It calls for “pulse checks,” rotation of high-pressure responsibilities, contingency staffing, and time protection for deep work to proactively address burnout and improve decision-making under mission conditions. Compliance professionals should take that to heart. Crisis cadence is sometimes unavoidable. Permanent crisis cadence is a leadership choice. And it carries predictable consequences: shortcuts, missed details, weakened documentation, and poor judgment.

Compliance action steps

  • Build surge staffing plans for investigations and incident response.
  • Rotate incident commander roles when events extend beyond days.
  • Protect time for analysis, not just meetings and status updates.

Lesson 6: Accountability must be visible, not performative

NASA does not bury the human dimension. The report contains leadership recommendations to speak openly with the joint team about leadership accountability, including concurrence with the report and reclassification as a mishap, and to hold a leadership-led stand-down day focused on reflection, accountability concerns, and rebuilding trust. For corporate leaders, this is where trust is won or lost after a crisis. Employees can tolerate a hard outcome. They struggle to tolerate spin. If your organization communicates externally with confidence but internally with vagueness, your culture learns the wrong lesson: optics first, truth second.

Compliance action steps

  • After a major incident, publish an internal accountability and remediation plan with owners and timelines.
  • Provide regular updates on what has been completed, what is delayed, and why.
  • Make it safe for the workforce to ask questions in interactive forums, as NASA recommends.

Lesson 7: Trust repair requires a plan, not a pep talk

One of the most useful artifacts in the report is a sample Organizational Trust Plan. It sets a goal to rebuild trust by establishing clear expectations, open accountability, and shared commitment to safety and mission success. It includes objectives around transparent communication, acknowledging past challenges, reinforcing shared values, and structured engagement. It then lays out action steps: leadership engagement, facilitated sessions, outward expressions of accountability, teamwide rollout, training and coaching, and communication through a written plan and regular updates.

That is exactly the kind of operational discipline compliance leaders should bring to culture work. Culture does not change because someone gives a speech. Culture changes when the organization changes how it makes decisions, treats dissent, and follows through.

Five key takeaways for the compliance professional

  1. Clarify decision rights before the crisis. Ambiguity becomes politics under pressure.
  2. Make transparency non-negotiable. Perceived filtering of data destroys credibility.
  3. Do not normalize unexplained anomalies. Repeat issues without a root cause are future failures.
  4. Operationalize shared accountability with partners. Otherwise, it is a slogan.
  5. Rebuild trust with a written plan and visible accountability. Trust repair is a managed process.

In the end, the Starliner lesson for compliance is simple: controls matter, but culture decides whether controls work when it counts. If leadership cannot run disagreements well, cannot share data broadly, and cannot demonstrate accountability after the fact, the best-written compliance program in the world will fail the moment the pressure rises.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 4 – Marcus Aurelius and Ethical Leadership

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, from both the BCE and AD eras.

We have considered Cicero and the duties, law, and moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; and Varro on corporate governance. Today, we consider Marcus Aurelius on ethical leadership, tone at the top, and culture as a compliance control. Tomorrow, we will conclude with Lucretius to explore rationality, fear, and risk perception.

I. Marcus Aurelius in Context: Power with Restraint

Imagine you are the single most powerful person on earth. Are you going to be an unrepentant narcissist in the manner of Donald Trump, who believes he should govern on his own twisted morality based simply on ‘gut instinct’? Or are you going to take a different approach, set out your reasoned approach to governing in a book, and then govern with the moral authority of thousands of years of philosophy?

Marcus Aurelius is often remembered as the philosopher-king, but that description understates the difficulty of his position. He ruled the Roman Empire during a period of war, plague, economic strain, and political instability. Unlike many philosophers, Marcus Aurelius did not write for an audience. His Meditations were private reflections, written to discipline his own thinking while exercising absolute power.

This matters for compliance professionals. Marcus Aurelius did not theorize about ethical leadership from a distance. He lived inside it. He understood that power magnifies temptation, insulates leaders from feedback, and creates opportunities for self-deception. His philosophy is therefore preoccupied with restraint, humility, consistency, and responsibility.

Marcus repeatedly reminded himself that leadership is not a privilege but a burden. Authority did not entitle him to indulgence; it imposed higher expectations. He believed that leaders set moral boundaries through conduct long before they issue instructions. In modern terms, Marcus Aurelius understood that culture flows downward from leadership behavior rather than upward from policy documents.

II. The Compliance Problem Marcus Aurelius Illuminates: Culture Eats Controls

One of the central lessons of modern compliance enforcement is that formal controls cannot compensate for poor culture. Organizations with detailed policies and sophisticated monitoring still fail when leadership behavior signals that results matter more than integrity. The DOJ Evaluation of Corporate Compliance Programs (ECCP) explicitly asks whether senior leaders demonstrate commitment to compliance through actions, not words. Regulators assess whether ethical behavior is encouraged, whether misconduct is addressed consistently, and whether leaders tolerate or reward problematic conduct.

Marcus Aurelius would recognize this dynamic immediately. He believed that people learn how to behave by observing those in power. When leaders act inconsistently with stated values, cynicism follows. When leaders rationalize misconduct, that rationalization spreads. Compliance programs often falter when leadership treats ethics as a communication exercise rather than a lived expectation. Codes of conduct and training sessions cannot overcome the daily signals sent by executive decisions, incentive structures, and responses to failure.

Marcus teaches that culture is not accidental. It is created continuously by leadership choices, especially under pressure.

III. Modern Corporate Application: Marcus Aurelius, DOJ Expectations, and Leadership Accountability

Applying Marcus Aurelius to modern compliance reveals several concrete expectations that closely align with DOJ guidance.

First, leadership behavior must be consistent. Marcus believed hypocrisy was corrosive to authority. The DOJ similarly evaluates whether leaders follow the same rules they impose on others. Exceptions for senior executives undermine program credibility and weaken deterrence.

Second, leadership must respond to misconduct with moral clarity. Marcus wrote that anger and denial cloud judgment. In compliance terms, this means addressing issues promptly, transparently, and proportionately. Delayed or defensive responses signal tolerance, even when discipline eventually occurs.

Third, middle management matters. Marcus understood that culture is transmitted through layers of authority. DOJ guidance emphasizes the role of middle managers as culture carriers. Compliance programs should equip managers with the tools and incentives to reinforce ethical behavior, not merely deliver targets.

Fourth, incentives must reflect values. Marcus warned against leaders who chase reputation or reward at the expense of principle. Modern compliance programs must ensure compensation structures do not reward outcomes achieved through questionable means. The DOJ has repeatedly cited incentive misalignment as a root cause of misconduct.

Finally, leadership must create psychological safety. Marcus believed leaders should listen more than they speak. In compliance terms, this translates into openness to bad news, encouragement of dissent, and protection for those who raise concerns. A culture that punishes truth-telling cannot sustain compliance.

IV. Key Takeaways for Compliance Professionals

1. The Blueprint. Compliance professionals should view Marcus Aurelius and his writings as the blueprint for culture-based compliance. You can draw a direct line from the Meditations to both your compliance program and the leadership skills a CCO needs. Compliance should evaluate leadership behavior as a primary control, not a soft factor. This means not only reviewing employees who are promoted to management but also taking a deep dive into their backgrounds, along with thorough due diligence on any senior management hires from outside your organization.

2. Higher Standards. Compliance should hold senior leaders to higher standards of consistency and accountability.

3. Institutional Justice. Compliance should focus on how leaders respond to misconduct, not just how they prevent it. This is the CCO’s charge, and it must include an institutional fairness component in your compliance program.

  • Compliance should ensure incentives reinforce ethical behavior at every level. The DOJ has consistently discussed the role of incentives in any compliance program, as far back as the 1st edition of the FCPA Guidance in 2012.
  • Compliance should treat culture as an operational risk area subject to oversight and testing. Culture should be assessed, monitored, and improved. Simply because it is seen as a ‘soft’ part of an organization does not mean it should be treated differently.

4. Walk the Walk. Finally, Marcus Aurelius reminds us that ethical leadership is not performative. It is visible, daily, and decisive. In organizations, culture follows leadership long before it follows policy.

V. Conclusion

Marcus Aurelius brings the compliance lifecycle to its cultural apex. He shows that leadership behavior is not merely influential but determinative, shaping whether ethical expectations are taken seriously or quietly dismissed. Yet even the strongest ethical culture is not self-sustaining. Leaders are human, memory fades, and good intentions erode without reinforcement. This is where culture must be supported by systems that observe, test, and correct.

Marcus Aurelius teaches us how leaders should behave; Lucretius challenges us to examine how organizations think. If Marcus focuses on moral example, Lucretius turns our attention to rational observation, warning against fear, superstition, and self-deception. The transition from Marcus Aurelius to Lucretius mirrors the shift from cultural leadership to continuous improvement, from ethical intent to empirical verification. In compliance terms, it is the move from assuming the program works to proving that it does, using data, monitoring, and clear-eyed analysis rather than hope or habit.

Join us tomorrow for our concluding article on Lucretius and Rationality in Monitoring and Continuous Improvement. We will consider where culture gives way to systems, data, and the discipline of seeing risk clearly rather than through fear or superstition.

Categories
Blog

Greek Philosophers Week: Part 1 – Socrates and Asking Questions

I have long wanted to trace the origins of the modern corporate compliance organization back to the ancient Greek philosophers, drawing lessons for compliance and ethics in 2026 and beyond. Today, I begin a five-part series where I do just that. In this series, we will consider Socrates, Plato, Aristotle, Pythagoras, and Euclid. We start with Socrates.

Socrates left no writings of his own. What he left was a method. He believed wisdom began with recognizing what one did not know and then relentlessly testing assumptions through disciplined questioning. That approach maps directly onto the daily work of the compliance professional. Risk assessments, investigations, root cause analysis, culture reviews, and even board reporting all rise or fall based on the quality of the questions asked.

Every effective compliance program begins with a question. Not a policy. Not a control. Not a dashboard. A question. That insight alone makes Socrates the right place to start any serious discussion about the influence of ancient Greek philosophy on modern corporate compliance and ethics programs.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use the word “Socratic,” but its expectations are unmistakably aligned with Socratic inquiry. Prosecutors repeatedly ask whether a company understands its risks, tests its assumptions, challenges its controls, and adapts when reality changes. A compliance program that does not ask hard questions is not mature. It is merely quiet. Indeed, Hui Chen, the author of the original ECCP, has said that a key purpose of the ECCP was to get compliance professionals to ‘ask questions’.

Ethical Inquiry as a Compliance Obligation

Socrates believed that unexamined beliefs were dangerous. He challenged Athenian leaders not because he enjoyed disruption, but because false confidence creates harm. In a corporate setting, the same risk exists when executives assume that a policy equals compliance or that training completion equals ethical behavior. The ECCP frames its entire evaluation around three fundamental questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

These questions are fundamentally Socratic. Each demands inquiry into how the business actually operates, where pressure points exist, and how misconduct could realistically occur. A compliance function that accepts management narratives at face value fails this test.

Daily compliance operations depend on this discipline. When reviewing third-party relationships, a Socratic compliance officer does not ask whether due diligence was performed. They ask whether it was sufficient, whether red flags were rationalized, and whether business incentives distorted judgment. That is inquiry, not administration.

Challenging Assumptions Without Becoming the Enemy

Socrates was executed because his questioning made powerful people uncomfortable. Compliance professionals face a less dramatic, but no less real, version of that tension. The role requires challenging assumptions, even when doing so slows deals, complicates reporting lines, or disrupts revenue projections.

The ECCP specifically evaluates whether a corporate compliance function has sufficient staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. Does the company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

Those structural questions exist because DOJ understands that inquiry without protection is performative. If compliance professionals cannot safely ask uncomfortable questions, the program is cosmetic.

In daily operations, this plays out in subtle ways. Does compliance have the authority to pause a transaction? Can investigators follow evidence wherever it leads? Are audit findings welcomed or explained away? A Socratic approach demands that compliance leaders test these realities rather than assume the answer.

The Socratic Method in Investigations and Root Cause Analysis

Socrates did not accept the first answer offered. He pushed deeper, often exposing contradictions or incomplete reasoning. That approach is directly applicable to investigations and root cause analysis. The ECCP places significant emphasis on whether companies understand why misconduct occurred and whether remediation addresses underlying causes. Too many investigations stop at identifying who violated a policy. Echoing Jonathan Marks, Socratic investigation asks why the violation made sense to the individual at the time. What pressures existed? What incentives misaligned behavior? What controls failed or were bypassed?

This type of inquiry requires patience and courage. It also involves trust from leadership. Findings may implicate management decisions, cultural signals, or compensation structures. Socrates reminds us that truth-seeking is rarely comfortable, but it is essential to ethical improvement.

Culture Is Revealed by the Questions You Allow

Socrates believed that a society’s health could be measured by its openness to questioning. The same is true for corporate culture. The questions employees feel safe asking reveal more than any values statement. The ECCP now explicitly asks companies to explain how they measure and address culture. The ECCP states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Surveys, hotline data, and exit interviews are tools, but they are meaningless without inquiry. Key questions include: Are employees encouraged to speak up? Are concerns investigated thoroughly? Are outcomes communicated? Is retaliation punished?

In daily compliance practice, this means listening as much as enforcing. A Socratic compliance program does not treat employee concerns as noise to be managed. It treats them as data points to be explored. The quality of questions asked in response to a report often determines whether trust is strengthened or destroyed.

5 Key Takeaways for the Compliance Professional

1. Effective compliance begins with inquiry, not documentation.

A compliance program does not become effective simply because policies exist or training is completed. Effectiveness begins when compliance professionals consistently ask how misconduct could realistically occur within their organization. This requires challenging business assumptions, pressure points, and incentive structures. The ECCP repeatedly emphasizes the importance of understanding risk in context, which is impossible without disciplined questioning. A Socratic approach positions inquiry as an operational obligation, not an intellectual exercise, ensuring the program remains dynamic, responsive, and grounded in reality rather than formalism.

2. Risk assessments are living Socratic exercises, not static reports.

Too many organizations treat risk assessments as periodic documentation rather than ongoing inquiry. A Socratic risk assessment tests assumptions continuously as business models, geographies, and incentives evolve. Compliance professionals should revisit risk hypotheses, ask whether controls still function as intended, and challenge comfort-driven conclusions. Under the ECCP, regulators expect risk assessments to inform program design and resource allocation. Socratic inquiry ensures risk assessments remain relevant, credible, and capable of identifying emerging threats before they mature into enforcement issues.

3. Investigations must pursue understanding, not merely attribution.

Identifying who violated a policy is rarely sufficient to prevent recurrence. A Socratic investigation asks why the misconduct occurred, what pressures or incentives influenced behavior, and how organizational systems failed. This aligns directly with the ECCP’s focus on root cause analysis and remediation. When compliance professionals ask deeper questions, investigations become tools for program improvement rather than disciplinary endpoints. This approach strengthens controls, enhances credibility with regulators, and reduces the likelihood of repeat misconduct driven by unresolved systemic weaknesses.

4. Speak-up culture is defined by response quality, not hotline volume.

Organizations often measure speak-up culture by the number of reports received, but Socrates teaches that the real measure lies in how questions are received and addressed. Employees quickly learn whether raising concerns leads to thoughtful inquiry or defensive dismissal. The ECCP evaluates whether companies encourage reporting, protect against retaliation, and communicate outcomes appropriately. A Socratic compliance function listens carefully, asks clarifying questions, and treats concerns as signals worth examining. That discipline builds trust and reinforces ethical accountability across the organization.

5. Socratic questioning requires independence, authority, and protection.

Inquiry without authority is performative. Socrates paid the ultimate price for challenging power, but modern compliance professionals should not. The ECCP explicitly assesses whether compliance functions have sufficient independence, resources, and access to leadership. Without these safeguards, difficult questions go unasked or unanswered. A Socratic compliance program empowers professionals to challenge decisions, pause transactions, and escalate concerns without fear of retaliation. That structural support transforms ethical inquiry from individual courage into institutional practice.

From Socrates to Plato: From Inquiry to Structure

Socrates gives us the starting point. He teaches the compliance professional how to think, question, and resist complacency. But inquiry alone is not enough. Questions must eventually lead to structure, governance, and systems that translate insight into action.

That transition sets the stage for Plato. Where Socrates focuses on method, Plato focuses on design. The movement from Socrates to Plato mirrors the evolution of a compliance program itself, from asking whether risks exist to building governance structures capable of addressing them. In that sense, Socrates is the conscience of the compliance function. He reminds us that effectiveness begins with intellectual honesty and ethical curiosity. Without those traits, even the most sophisticated compliance architecture will rest on shaky ground.

Join us tomorrow for Part 2 and learn about Plato’s role in today’s compliance and ethics programs.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Role in Shaping Corporate Culture and Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s episode, Day 10, we dive into the critical role of senior management in fostering a strong corporate culture of compliance.

Key highlights:

  • The Importance of Corporate Culture
  • DOJ’s Expectations for Senior Management
  • Five Factors for Effective Leadership

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 67 – Our Favorite Stories Edition

What happens when two top compliance commentators get together? They talk compliance, of course. In this episode, Kristy Grant-Hart and Tom Fox delve into their top ten most compelling compliance stories from 2025. The discussion includes controversial presidential pardons, the impact of the Trump administration on the American justice system, and shifts in the EU’s regulatory landscape. They also explore the complexities of managing a multigenerational workforce, the implications of AI as a potential whistleblower, and reflections on the importance of maintaining trust in safety protocols at organizations like NASA. The episode wraps up with an amusingly bizarre ‘Florida Man’ story. Tune in for a blend of compliance insights and entertaining anecdotes.

Our Favorite Stories:

  • Top Story: Presidential Pardons and Their Impact
  • Geopolitical Turmoil and Business Risks
  • Trump as CEO: Implications for US Corporations
  • Shifts in EU Legislation and Regulation
  • Generational Differences in the Workplace
  • AI in Compliance: Risks and Ethical Considerations
  • Engagement Surveys and Corporate Culture
  • NASA Safety Concerns and Compliance
  • Florida Man: The Best Story of 2025

Resources:

Kristy Grant-Hart on LinkedIn

Prove Your Worth

Tom Fox on Instagram, Facebook, YouTube, Twitter, and LinkedIn

Categories
Blog

Michigan Man, Part 4 – Lessons Learned: What This Crisis Teaches Compliance Professionals

Every major compliance failure eventually reaches the same destination: a moment when leadership says, “How did we not see this coming?” The answer is almost always the same. The warning signs were visible. They were rationalized, minimized, or overridden in the name of performance, continuity, or institutional pride.

The Sherrone Moore crisis at the University of Michigan is not a college football anomaly. It is a case study in how compliance programs fail when they are structurally subordinated, culturally discounted, or selectively enforced. For compliance professionals, the value of this case lies not in outrage but in extraction: extracting lessons that can be operationalized before the next crisis unfolds.

Lesson 1: Compliance Authority Must Be Structural, Not Aspirational

Michigan’s experience demonstrates that access to leadership is meaningless without authority. The compliance function may have been consulted, investigations commissioned, and policies in place. None of that mattered when the athletic department retained de facto control over outcomes. For compliance professionals, the lesson is clear. Compliance must have defined escalation rights and veto authority over high-risk decisions, including promotions, discipline, and crisis response. If a business unit can override compliance based on performance or legacy, compliance is not independent. It is decorative.

The Department of Justice has repeatedly emphasized that effective compliance programs require empowered compliance functions. That empowerment must be written into governance documents, reinforced by boards, and tested in practice.

Lesson 2: Past Dishonesty Is a Permanent Risk Factor

One of the most glaring failures in this case was the organization’s willingness to treat Moore’s prior dishonesty during the sign-stealing investigation as a closed chapter. It was not. It was predictive. Compliance professionals must internalize a hard truth: once credibility is damaged, it does not reset. Individuals who have lied to investigators, deleted records, or misrepresented facts should never again be treated as presumptively reliable. Enhanced monitoring, corroboration, and scrutiny are not punitive. They are risk management.

Organizations that ignore this lesson inevitably relearn it at a higher cost.

Lesson 3: Promotions Are Compliance Decisions

The elevation of Moore to head coach was framed as a football decision. In reality, it was one of the most consequential compliance decisions the university made.

Any promotion into a role with significant authority, visibility, and discretion is a compliance event. Risk-based due diligence should include:

  • Review of prior investigations and disciplinary history
  • Assessment of truthfulness and cooperation during past inquiries
  • Evaluation of behavioral and reputational risk, not just technical violations

In corporate terms, Michigan promoted an executive with unresolved compliance issues and a clear lack of ethical grounding into a CEO-equivalent role. That decision alone dramatically increased institutional risk, and the consequences will reverberate for a long time to come.

Lesson 4: Investigations Involving Power Imbalances Require Heightened Standards

The initial investigation into Moore’s relationship with a staffer failed predictably. When both parties denied the relationship and the evidence was limited, the inquiry stalled. That outcome reflects a misunderstanding of power dynamics. Compliance professionals know that power imbalance distorts disclosure. Subordinates may deny relationships out of fear, loyalty, or uncertainty. Senior leaders may deny wrongdoing out of self-preservation. Effective investigations account for this reality by expanding evidence collection, conducting pattern analysis, and implementing interim safeguards.

Neutrality is not passivity. When allegations involve senior leadership, the standard of diligence must rise, not fall.

Lesson 5: Star Performers Are the Highest-Risk Population

One of the most enduring myths in organizational life is that high performers deserve flexibility. In reality, they deserve even greater scrutiny. Star performers operate with autonomy, influence culture, and often shape informal norms. Moore’s trajectory illustrates how repeated exceptions create a sense of entitlement. Each time misconduct is reframed as survivable, the individual learns that boundaries are negotiable. Compliance professionals must relentlessly resist this dynamic.

Rules applied selectively are not rules. They are invitations.

Lesson 6: Pattern Risk Demands Pattern Response

Perhaps the most damning aspect of the Michigan case is that it unfolded amid repeated scandals within the athletic department. When misconduct clusters, the correct response is not incremental fixes. It is a structural intervention. Compliance professionals must recognize pattern risk early and escalate it aggressively. That escalation should include:

  • Enterprise-wide risk assessments
  • Cultural diagnostics
  • Leadership accountability reviews
  • Board-level engagement

Waiting for the next incident is not caution. It is abdication.

Lesson 7: Culture Is Set by What Leadership Tolerates

Michigan’s long-standing deference to athletic success and legacy culture created an environment where misconduct was rationalized rather than confronted. This is not unique to sports. It appears in sales-driven organizations, founder-led companies, and high-growth environments. Culture is not what leadership says. It is what leadership allows. When assessing culture risk, compliance professionals must evaluate actions, not rhetoric, from the Board of Regents to the UM President on down.

Lesson 8: Human Impact Is the Ultimate Compliance Metric

It is easy, especially for lawyers and compliance officers, to focus on policy breaches and enforcement exposure. The Moore crisis is a reminder that compliance failures produce human harm. Families are destabilized. Employees feel unsafe. Stakeholders lose trust. Effective compliance programs exist not only to prevent fines but also to prevent damage. When that purpose is forgotten, compliance becomes performative.

Final Thought: Compliance Is Tested at the Top

The Sherrone Moore crisis did not originate with a junior employee. It originated at the top of a powerful institution. That is where compliance programs are always tested. For compliance professionals, the final lesson is this: if your program cannot stop, slow, or surface misconduct by your most powerful leaders, it will eventually fail when it matters most.

The University of Michigan now faces years of rebuilding trust, governance, and credibility. Compliance professionals elsewhere should treat this case as a warning, not a curiosity. The cost of ignoring these lessons is never hypothetical. It is only deferred. This takeaway is stark but actionable. Compliance failures are rarely a surprise. They are choices made over time. The question for every compliance professional is whether those choices will be challenged early or explained later.

As always, prevention is less visible than a crisis. It is also far less costly.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking—Austin Meek and Sam Jane writing in The Athletic.

Fire Everybody—Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Blog

Netflix Acquisition of Warner Brothers: Part 2, Culture Clash and Culture Opportunity

When Netflix announced its acquisition of Warner Brothers, some industry observers immediately reached for superlatives. It is rare to witness the merging of two companies that so powerfully define the past and future of entertainment. Netflix represents the digital era’s relentless velocity. Warner Brothers represents a century-long tradition of filmmaking, artistry, and institutional memory. Many analysts have framed this transaction as a battle between new and old Hollywood. For compliance professionals, the more important reality is that culture will determine whether the combined enterprise thrives or falters.

Every acquisition carries cultural implications, but few present such a stark contrast. Netflix’s culture has long been described as radical transparency, high accountability, and a willingness to experiment without fear of failure. Warner Brothers has its own culture, marked by legacy practices, powerful creative guilds, long-standing production hierarchies, and a deep reverence for the studio system. When two creative ecosystems operating on fundamentally different rhythms are forced together, cultural friction is inevitable. The question is not whether tensions will emerge. The question is whether compliance, ethics, and governance leaders recognize the early signals and guide the organization through them.

Today, in Part 2, we explore whether the acquisition will be a clash of cultures or a cultural opportunity. Culture is not a soft concept. It is a compliance risk vector. Culture shapes decision-making, reporting behavior, ethical judgment, and employees’ willingness to raise concerns. Culture determines whether a problem surfaces early or metastasizes quietly. A transaction of this magnitude requires compliance professionals to approach culture not as a slogan to harmonize, but as an operational system that requires disciplined stewardship.

Why Culture Drives Compliance Outcomes in Creative Enterprises

Entertainment companies operate differently from many corporate environments. The creative process is inherently subjective. Decision-making is distributed across talent, producers, executives, and technical teams. Informal norms often guide behavior more powerfully than written policies. In this context, culture determines not only how work gets done but also how risks are managed.

Netflix has built a culture that embraces candid feedback, open decision frameworks, and data-driven experimentation. This environment reduces the risk that ethical concerns remain unspoken because communication channels are normalized around transparency. Warner Brothers, in contrast, operates in a world where relationships, tradition, and lineage carry weight. Legacy contracts, industry customs, and the tacit expectations between studios and talent can influence decisions.

Both cultures have strengths. Both cultures have vulnerabilities. Compliance professionals must understand that the goal of integration is not to erase one culture and impose another. The goal is to create a culture aligned with the company’s values that supports ethical decision-making and enables employees to speak up without hesitation. This is particularly important during a merger, when uncertainty heightens risk.

Two Different Operating Systems

Culture is an operating system. Netflix’s operating system prizes agility and real-time feedback loops. Warner Brothers’ operating system prizes craft, tradition, and continuity. When these systems converge, the risk is not that one replaces the other. The risk is that both weaken simultaneously without strong governance.

Netflix’s rapid decision cycles may clash with Warner Brothers’ structured production processes, where approvals, guild rules, and contractual obligations often slow the pace by design. If Netflix attempts to accelerate processes without a deep understanding of these obligations, compliance risks can emerge quickly, including breached talent contracts, overlooked union requirements, or misaligned production timelines.

Conversely, if Warner Brothers imposes its legacy processes without adapting to the digital and data-driven environment in which Netflix operates, it may undermine the transparent decision-making practices that help identify ethical and operational risks early.

Compliance leaders must act as interpreters between these operating systems. They must help leadership understand where flexibility is an asset and where structure is indispensable. Compliance must also ensure that employees across both organizations understand not only what the combined culture aspires to be, but also why certain controls exist and how they protect both the enterprise and the creative process.

Ethical Decision Frameworks Across Two Creative Ecosystems

Another challenge in cultural integration is aligning ethical decision frameworks. Netflix’s culture is rooted in accountability to metrics and performance outcomes. Warner Brothers’ culture is rooted in long-term relationships with talent, creative guilds, and industry stakeholders. This means the two companies differ in how they make decisions, escalate concerns, and evaluate the risks associated with innovative choices.

Compliance professionals must provide an ethical framework that is consistent, intuitive, and accessible across the enterprise. Employees should know how to evaluate potential conflicts of interest, report concerns, document decisions, and align risk-taking with corporate values.

When a company operates across multiple jurisdictions, creative functions, and regulatory environments, ethical consistency becomes essential. The compliance function must clearly articulate expectations repeatedly, using training, leadership engagement, and storytelling to reinforce behaviors that support integrity.

Early Indicators of Cultural Strain

Cultural tension is predictable in a transaction of this scale. The key is not to prevent tension but to identify it early. Compliance professionals should monitor indicators such as:

  • Decreased willingness to speak up;
  • Increased turnover in specific departments;
  • Divergent interpretations of policies between legacy teams;
  • Informal decision-making that bypasses established controls; and
  • Escalation patterns that shift without explanation.

These signals are rarely obvious to senior leadership unless compliance highlights them. Regular cultural risk assessments, pulse surveys, and qualitative interviews help the compliance function stay ahead of emerging conflict zones. Culture is dynamic, and risk velocity increases when expectations are unclear.

Building a Unified Culture Through Transparency and Accountability

Culture integration must be intentional. It cannot be delegated to internal communications or left to evolve without direction. Compliance leaders should work alongside HR, legal, and integration management to define the key elements of a unified culture.

This may include:

  • A consolidated code of conduct that reflects both creativity and accountability;
  • Standardized reporting channels that work across all business units;
  • Leadership models that bring together Netflix’s transparency and Warner Brothers’ collaborative ethos;
  • Clear explanations of why controls exist and how they support the creative process; and
  • Renewed emphasis on ethics as a competitive advantage.

Transparent communication is essential. Employees need to know why the organization is making certain cultural choices, what is expected of them, and how they can raise questions without fear.

The Compliance Lesson

The Netflix acquisition of Warner Brothers reveals a timeless truth: culture determines compliance outcomes. When two creative powerhouses join forces, the opportunity is immense, but the risk is equally significant. Compliance professionals must approach cultural integration with the same rigor they apply to regulatory integration or third-party risk management. Culture is not ornamental. It is operational. It is the foundation upon which speak-up behavior, ethical judgment, and internal trust are built.

If governance is the anchor of a merger, culture is the current that either carries the organization forward or pulls it off course. For compliance leaders, this is the moment to step forward, shape expectations, and ensure that the convergence of two storytelling giants becomes a model of ethical integration rather than a cautionary tale.

Join us tomorrow in Part 3, where we will consider the intellectual property risk, which could well be the hidden compliance battlefield going forward.

Categories
Blog

Why AI Demands a New Breed of Leaders: A Compliance Perspective

Artificial intelligence is no longer a distant future state for compliance teams. It is here, operating inside financial crime platforms, powering third-party due diligence tools, driving monitoring engines, and influencing the everyday judgments that regulators scrutinize. Yet too many companies still approach AI as if it were simply another IT project. In a recent Sloan Management Review article, “Why AI Demands a New Breed of Leader,” the authors, Faisal Hoque, Thomas H. Davenport, and Erik Nelson, argue that successful AI transformation is far more about people, culture, and leadership than about code.

For compliance professionals, that should sound familiar. Every major enforcement action of the last decade has shown that failure rarely begins with a faulty system. Failure begins with leadership that misunderstands risk, a culture that resists change, and governance frameworks that cannot keep pace with new technologies.

The authors argue that modern organizations require a new category of leader to guide AI adoption, a role that blends technical capability with cultural stewardship, ethical understanding, and organizational change management. They call this the Chief Innovation and Transformation Officer (CITO) or an equivalent title. Whether companies formally adopt the title or not, the message is unmistakable: AI changes the leadership equation, and compliance has a front-row seat.

Why Traditional Technology Leadership Is No Longer Enough

While CIOs are increasingly viewed as changemakers, they often lack the time and mandate to address the organizational disruption AI brings. Compliance officers understand this problem intuitively. You can have the most sophisticated tools in the world, but if the culture is not ready for them, the result will be chaos or even misconduct. The authors cite survey data showing that 91 percent of large-company data leaders believe cultural issues, not technical ones, are blocking progress. That finding mirrors what compliance sees in every DOJ corporate enforcement action. Misconduct thrives not because technology fails, but because people and processes fail.

The article also includes examples of organizations that stumbled by treating AI as a purely technical deployment: the collapse of Zillow’s pricing model, the swift employee backlash at California State University, and the Air Canada chatbot that mishandled bereavement fare guidance. Each case reveals the same lesson: AI without governance becomes a liability. For compliance professionals evaluating AI adoption, these examples should resonate. AI raises questions about transparency, fairness, documentation, accountability, and the human impact of automation. Those are governance issues, not engineering puzzles.

The New Leadership Model AI Demands

The authors describe several competencies required for effective AI leadership, all of which map directly into compliance priorities:

Navigating ethical considerations.

AI introduces bias, harm, and fairness risks, all of which are central concerns for regulators. Leaders must weigh efficiency gains against ethical boundaries.

Driving cultural transformation.

AI adoption changes workflows, reporting lines, incentives, and human-machine collaboration. Leadership must prepare the workforce for new models of decision-making.

Managing human-AI partnerships.

The near-future compliance program will rely on co-decision systems that combine algorithmic outputs with human judgment. Leaders must understand how to balance the two.

Breaking down silos.

AI implementation touches HR, legal, IT, operations, procurement, and compliance. Leadership must connect these functions rather than allow fragmented approaches.

Overseeing citizen development.

Employees across the business can now build AI models without IT involvement. That democratization requires governance and guardrails.

These competencies go far beyond traditional CIO responsibilities. They lean toward behavior, judgment, and organizational change, the same strengths compliance brings to the table.

Emerging Executive Roles Around AI

The article documents the rapid rise of AI-focused executive roles such as Chief Innovation Officer, Chief AI Officer, and Chief Transformation Officer. Compensation is rising, hiring is accelerating, and responsibilities increasingly blend technology, ethics, culture, and strategy.

The authors highlight examples:

  • PepsiCo’s Chief Strategy and Transformation Officer, who is overseeing enterprise-wide digitization.
  • Standard Chartered’s Chief Transformation, Technology, and Operations Officer.
  • JPMorgan Chase’s governance model for IndexGPT and AI-driven investment analysis.

These roles share a common trait: they embed ethics, cultural change, and strategic alignment directly into AI governance. This direction should reassure compliance officers. Regulators have signaled that they expect AI oversight to be integrated, accountable, and verifiable. A dedicated AI leadership role can help unify these obligations.

AI Persona Management: The Next Frontier of Governance

One of the most intriguing sections of the article describes “AI persona management,” the oversight of digital agents with defined personalities, roles, and decision-making authority. As AI becomes more autonomous, these personas may behave like digital employees. That raises profound governance questions.

Compliance professionals should begin considering:

  • What decision rights will AI personas have?
  • How will we document their logic?
  • How will we audit their behavior?
  • How will we ensure ethical consistency across different personas?

The authors note that Salesforce already uses AI personas internally to guide product decisions. That should serve as a signal: AI agents are not a theoretical concept; they are entering the enterprise now. A compliance professional will need to treat AI personas with the same seriousness as human employees, subject to monitoring, training, policies, escalation channels, and accountability structures.

What This Means for Corporate Compliance Leaders

The article argues that companies must rethink how they manage technology change. AI’s impact is too broad to remain confined to the IT organization. Talent, culture, ethics, governance, and risk management all intersect. The authors present the CITO role as the logical solution for a leader who integrates technical fluency with organizational psychology and ethical judgment.

From a compliance standpoint, this represents both an opportunity and a responsibility. The opportunity is clear: compliance brings exactly the kind of cross-functional, ethics-driven perspective AI leadership requires. The compliance function knows how to document decisions, manage cultural change, develop defensible processes, and build controls around complex risks.

The responsibility is equally clear: AI will soon permeate every corner of the enterprise. If compliance does not assert its role in governance, the organization will drift toward risk. This article provides a roadmap for what strong governance must look like. It tells companies that AI success demands a leader capable of bridging technical, ethical, and cultural domains, the very domains compliance has long mastered.

Now is the moment for compliance to claim its seat at the AI leadership table, helping shape the systems that will define operational and ethical performance for years to come.