
Compliance into the Weeds: The DOJ Trainwreck and the Rising Risk Calculus for Compliance and Self-Disclosure

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom Fox and Matt Kelly discuss how internal dysfunction at the U.S. Department of Justice is creating uncertainty for corporate compliance teams and for corporations more generally.

They focus on a reported turf battle between the long-standing Fraud Section in the Criminal Division, established in 1955 and central to FCPA enforcement and compliance guidance, and a newly created national Fraud Division, which was initially framed as targeting government benefits fraud. They argue the reorganization could drain expertise, reduce future DOJ guidance, and distort enforcement into politically selective actions, citing IBM’s $17 million settlement, an EEOC case involving The New York Times, and Smartmatic’s experience. They also highlight DOJ staffing losses, with a net 20% fewer lawyers, the loss of experienced attorneys, and reliance on inexperienced hires and bonuses, and warn that the volatility may chill voluntary self-disclosure despite DOJ messaging encouraging it.

Key Highlights

  • DOJ Train Wreck Overview
  • Fraud Section vs Fraud Division
  • Political Enforcement Reality
  • Self-Disclosure Gets Riskier
  • What Companies Should Do Now


Resources

Matt on Radical Compliance

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as a Top 25 Regulatory Compliance Podcast, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator, and a w3 Award, all for podcast excellence.


The Culture Builder’s Trilogy: Part 2 – The Art of Implementation: Where Compliance Culture Lives or Dies

Ed. Note: we are in the midst of a three-part blog post series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

If The Art of Ideation is about imagining better compliance, The Art of Implementation is about making it real. Hemma Lomax and Ashley Dubriwny write that implementation is where culture lives or dies. That single sentence could serve as a mission statement for every Chief Compliance Officer.

Compliance professionals know this problem well. A program can have a good Code, a strong policy inventory, a well-designed training calendar, a hotline, third-party procedures, and investigation protocols. Yet the DOJ does not ask whether a company has merely created compliance artifacts. It asks whether the program works in practice. That question goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP), which continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. That is why The Art of Implementation matters. It moves from aspiration to action. It asks how values become systems, how ideas become habits, and how culture becomes durable.

Lesson One: Mindset Before Method

The book begins with a critical insight: implementation begins with how you think. Lomax and Dubriwny identify four commitments of the culture builder’s mindset: empathy before enforcement, curiosity over control, influence rather than insistence, and legacy as a lens. For compliance professionals, this is not a rejection of enforcement. It is a recognition that enforcement without trust creates fear, not culture. A CCO must enforce standards, discipline misconduct, and protect the company. But a CCO must also understand why employees resist, where controls create friction, and how people make decisions under pressure.

This is the difference between a compliance function that says “no” and one that helps the business get to “yes, with controls.” The former may be respected in moments of crisis. The latter is trusted before the crisis arrives.

Lesson Two: Think, Build, Ship, Adopt, Tweak

One of the strongest frameworks in the book is the five forces of implementation: think, build, ship, see it adopted, and tweak. The model is practical, and it is deeply consistent with the ECCP. Think means design the change with empathy. Build means operationalize the intention. Ship means start before every detail is perfect. Adoption means embed the practice into culture. Tweak means learn, adjust, and improve.

This is what compliance program effectiveness should look like. A CCO should not wait three years to discover that annual training did not change behavior. A third-party control should not remain unchanged after repeated red flags. An AI acceptable use policy should not sit static while employees quietly adopt new tools. A speak-up program should not wait for a scandal before testing whether employees trust it. The compliance application is straightforward. Build compliance like a product. Test. Measure. Listen. Improve.

Lesson Three: Alignment Accelerates Implementation

The book’s discussion of alignment is essential for compliance. Lomax and Dubriwny use Ocean’s Eleven as a cultural reference point. The plan works not because one person is brilliant, but because purpose, people, and process are aligned. Implementation fails when a good idea lacks the right coalition, the right operational fit, or the right timing.

This is a core challenge for the CCO. Compliance cannot implement an effective third-party program without procurement, finance, legal, sales, audit, and business leadership. Compliance cannot govern AI without IT, data science, privacy, cybersecurity, HR, legal, and business users. Compliance cannot build a speak-up culture without managers. Stakeholder mapping is therefore not an administrative exercise. It is a governance control. It identifies who can accelerate the initiative, who can block it, who must own it, and who must maintain it after launch.

Lesson Four: Find Failure First

The pre-mortem section of The Art of Implementation is one of the most useful tools for compliance professionals. The authors ask teams to imagine that an initiative has failed and then work backward to identify why. This is precisely how CCOs should approach major program changes. Before launching a new hotline platform, ask why employees might still avoid reporting. Before deploying AI-assisted monitoring, ask what privacy, bias, transparency, and explainability concerns could arise. Before rolling out a third-party due diligence platform, ask why business teams might work around it. Before redesigning incentives, ask what unintended behaviors the new metrics could create.

Pre-mortems are internal controls in action. They force the organization to identify failure modes before the market, regulator, whistleblower, or plaintiff does. They can be, and are, a powerful tool at your disposal as a CCO or compliance professional.

Lesson Five: Movements Beat Mandates

A particularly powerful theme in the book is the distinction between mandates and movements. Mandates may produce obedience. Movements produce ownership. For compliance professionals, this is a critical distinction.

The Wells Fargo fake sales scandal remains a cautionary tale about mandates, metrics, and fear-based performance pressure. Employees may comply with the apparent demand for results while violating the deeper values of the organization. That is why incentives matter. The DOJ has emphasized that companies should use both incentives and consequences to promote compliance. Its compensation and clawback pilot report states that affirmative metrics and benchmarks can reward compliance-promoting behavior, and that financial penalties can deter risky behavior.

This is where compliance culture becomes real. Employees need to see that ethical leadership, control discipline, speaking up, and responsible business performance are recognized, promoted, and rewarded. They also need to see that misconduct, retaliation, and willful blindness have consequences.

Compliance Application

The CCO’s implementation challenge is to convert program design into operational evidence. That evidence includes adoption data, control testing, investigation metrics, remediation tracking, third-party monitoring, AI use inventories, exception reporting, and incentive alignment. Implementation also requires courage. A CCO must be willing to ship pilots, gather feedback, and make changes. The compliance function must stop treating launch as success. Launch is the beginning. Adoption, evidence, and improvement are the proof.

CCO Questions

Which compliance initiatives have launched but not been adopted?

Do we have stakeholder maps for our most important compliance priorities?

Are we running pre-mortems before major program changes, including AI governance, third-party risk, speak-up enhancements, and incentive redesign?

Do our incentives reward ethical behavior, control ownership, and transparency?

What compliance practices would continue if the current CCO left tomorrow?

Practical Takeaways

  1. Identify one compliance initiative that stalled and run a pre-mortem on why it failed.
  2. Build a stakeholder map for AI governance or third-party risk.
  3. Convert one compliance aspiration into a measurable operating practice.
  4. Review incentives and promotion criteria for compliance signals.
  5. Treat implementation as the evidence layer of the compliance program. Regulators do not reward intentions. They evaluate what works.

Implementation is where compliance culture is tested. It is where the organization discovers whether its ideas can survive business pressure, competing priorities, operational friction, and human resistance. Yet even the best implemented program must still be sustained. Controls must be reinforced. Speak-up must be protected. Ethical behavior must be recognized. Employees must see that integrity, not simply performance, is honored by the organization. That is the work of the third book in the trilogy, The Art of Celebration.

Join us tomorrow for Part 3, where we will turn to celebration as a compliance discipline and explore how recognition, incentives, rituals, morale metrics, and cultural memory shape what employees believe the company truly values.


The Culture Builder’s Trilogy: Part 1 – The Art of Ideation: Compliance Begins with Better Questions

Ed. Note: over the next three blog posts, I will be running a short series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

Hemma Lomax and Ashley Dubriwny’s The Art of Ideation is, on one level, a practical guide for culture builders. On another level, it is a challenge to compliance professionals: stop treating compliance as a function that merely publishes rules, delivers training, and waits for reports. Start treating compliance as a discipline of curiosity, engagement, design, and shared intelligence.

The book begins with a simple but powerful premise. Culture builders need ideas, but more importantly, they need the skill to generate better ideas through peer ideation, storytelling, and crowdsourcing intelligence. Lomax and Dubriwny describe the spark that came from compliance professionals exchanging creative approaches at a conference table and then ask why that energy should be limited to a once-a-year event. Their answer is to make ideation intentional, repeatable, and community-based.

For compliance professionals, this is not a soft concept. It goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. The compliance lesson from The Art of Ideation is clear: a program that does not ask better questions will not get better answers.

Lesson One: Know Your Audience Before You Design the Control

One of the book’s strongest lessons comes from the São Paulo story. Hemma arrives in Brazil to speak to more than 200 sales executives. Rather than deliver a generic compliance presentation, she uses images and experiences from the city itself to connect with the local audience. The lesson is not simply that visuals work. The deeper lesson is that compliance must demonstrate cultural awareness before it asks for behavioral change.

Too many compliance programs are still designed from the top down. Policies are written in legal language. Training is translated late, if at all. Hotline posters are posted in areas where employees do not work. Codes of Conduct speak to an imagined employee rather than the actual workforce.

The ECCP lens is unforgiving here. A risk-based program must be tailored to the company’s risk profile, business model, workforce, geography, and operations. If field employees, sales teams, or third-party-facing personnel cannot access guidance in the moment of need, the control may exist on paper but fail in practice.

Lesson Two: Storytelling Is a Control Enhancement

Dubriwny’s discussion of training emphasizes that facts alone rarely change behavior. Stories create context, emotion, and recall. In compliance, that matters because most misconduct does not arise from someone misunderstanding a policy title. It arises in moments of pressure, ambiguity, fear, loyalty, or perceived business necessity. A good compliance story can show what a conflict of interest feels like. It can show why a facilitation payment creates risk. It can show how retaliation begins quietly. It can show a manager what it means to receive a concern well.

This is especially important for a culture of speaking up. Employees do not speak up because a poster says they can. They speak up because they believe the organization will listen, protect them, and act. The Art of Ideation repeatedly returns to the need to meet people where they are, involve them, and design engagement pathways that feel safe. That maps directly onto the ECCP’s focus on confidential reporting, anti-retaliation, and investigation processes, as well as employees’ trust in those systems.

Lesson Three: The Code of Conduct Should Be Designed to Work

The book’s chapter on Codes of Conduct is especially useful for CCOs. It asks whether the Code is an external artifact, a regulatory box-checking document, or a decision-making tool for employees. The answer should be all the above, but the priority must be the employee user. That is a powerful compliance point. A code should not merely state values. It should operationalize them. It should be accessible, visually clear, mobile-friendly, translated appropriately, and supported by examples that reflect real roles, geographies, and pressures. The authors argue that a Code should be co-created, tested, and designed so people can see themselves in it.

This has implications for internal controls. A policy no one reads is not a meaningful control. A code no one uses is not a cultural anchor. A decision tree that helps an employee escalate a third-party red flag is more valuable than a beautifully written paragraph no one remembers.

Lesson Four: Crowdsourcing Risk Intelligence Is Compliance Modernization

Perhaps the most compliance-relevant section of the book is the discussion of crowdsourcing intelligence. Lomax and Dubriwny argue that leadership does not have a monopoly on the perspectives needed to identify risk. Employees across functions, geographies, and levels see vulnerabilities long before they appear in formal reporting channels. This is exactly where modern compliance must go. Annual risk assessments remain useful, but they are not enough on their own. A CCO needs real-time, near-real-time, and frontline input. This includes surveys, focus groups, collaboration tools, investigation themes, hotline trends, third-party feedback, and data analytics.

AI governance fits here as well. The book encourages responsible experimentation with AI, including using AI to make policies more accessible, generate first drafts, synthesize information, and provide decision-useful guidance. In compliance terms, AI should not be a gimmick. It should be governed, risk-assessed, monitored, and used to improve the employee experience.

Compliance Application

For the compliance professional, ideation is not brainstorming for its own sake. It is how the CCO identifies gaps, improves controls, tests training, strengthens speak-up systems, modernizes the Code, and uses AI responsibly. It is how compliance moves from headquarters’ assumptions to operational intelligence.

The lesson is also relevant to investigations. The book’s discussion of investigations emphasizes empathy, transparency, gratitude toward participants, and learning from the process. That is an important reminder that investigations are not simply fact-finding exercises. They are moments when employees decide whether the compliance function is credible.

CCO Questions

  • Does our compliance function know how employees actually experience our Code, training, reporting channels, investigation process, and third-party controls?
  • Are we using peer ideation, frontline feedback, and cross-functional input to improve the program?
  • Where are we still relying on headquarters assumptions rather than operational evidence?
  • How are we using AI to improve accessibility, consistency, risk sensing, and employee guidance without weakening confidentiality, privacy, or human judgment?

Practical Takeaways

  1. Redesign one compliance communication from the user’s perspective. Make it shorter, clearer, more accessible, and easier to act on.
  2. Create an ideation circle around one major compliance risk, such as third-party due diligence, gifts and entertainment, speaking up, or AI use.
  3. Test your Code of Conduct with employees from different geographies and functions before the next refresh.
  4. Add crowdsourced risk intelligence to your risk assessment process.
  5. Treat ideation as a compliance control. Better questions produce better evidence, and better evidence produces a more effective program.

Ideation is where the compliance professional begins to see what is possible. It gives the CCO better questions, stronger engagement, richer risk intelligence, and a more human understanding of how employees experience the program. But ideas alone do not create culture. A redesigned code, a better speak-up message, a sharper AI policy, or a new third-party risk insight only matters if it moves from concept to practice. That is where the second book in the trilogy, The Art of Implementation, takes us next.

Join us tomorrow in Part 2, where we will examine how compliance professionals turn good ideas into operating discipline through alignment, stakeholder ownership, pre-mortems, adoption, incentives, and the hard work of making values real inside the business.


Compliance Week 2026: AI Governance Highlights

The 21st Annual Compliance Week Conference made one point unmistakably clear: AI is no longer a technology issue sitting outside the compliance function. It is now a governance, risk, controls, culture, and accountability issue. Across the conference, AI appeared in nearly every discussion, from practical tools for compliance teams to regulatory uncertainty, shadow AI, third-party risk, and board oversight. The central message for compliance professionals was clear: AI must be governed with the same discipline, documentation, monitoring, and continuous improvement as any other enterprise risk.

That should not surprise any Chief Compliance Officer. The DOJ’s Evaluation of Corporate Compliance Programs (2024 ECCP) has long asked whether a compliance program is well-designed, adequately resourced, empowered to function effectively, and working in practice. Those same questions now apply to AI. The issue is not whether an organization is using AI. It almost certainly is. The issue is whether the company knows where AI is being used, who approved it, the risks it creates, the controls that apply, and whether those controls are being monitored.

AI Is Now a Compliance Governance Issue

The first major theme from Compliance Week 2026 was governance. AI may be exciting, efficient, and creative, but without governance, it can quickly become a source of unmanaged enterprise risk. That governance challenge begins with oversight. Who owns AI risk? Who approves AI use cases? Who determines whether a tool is appropriate for use with company data? Who has the authority to stop an AI project that is not meeting its stated purpose? These are not theoretical questions. They are the basic operating questions of an effective compliance program.

A company should not treat AI as a series of disconnected experiments. It should treat AI as part of the enterprise control environment. That means clear governance structures, documented approvals, defined risk owners, escalation protocols, monitoring, testing, and board reporting. The board does not need to become a group of AI engineers. But directors do need to understand whether management has created a defensible AI governance framework. They should ask how AI risks are identified, how high-risk use cases are reviewed, how third-party AI vendors are assessed, and how the company detects unauthorized AI use.

Shadow AI Is the Risk Hiding in Plain Sight

One of the strongest compliance lessons from the conference was the danger of shadow AI. Employees are already using AI tools, often because they are efficient, accessible, and easy to deploy. The problem is that ease of use can defeat governance. If employees are using ChatGPT, Claude, Gemini, Copilot, or other tools without authorization, training, or data restrictions, the company has a control gap. Confidential business information, financial data, personal information, customer information, or regulated data can move into systems the company does not control. That creates legal, privacy, cybersecurity, contractual, and reputational risk.

The answer is not simply to prohibit AI. That approach is unlikely to work. The better answer is to identify the tools being used, classify them by risk, authorize appropriate use cases, train employees, monitor usage, and make clear what data can and cannot be entered into an AI system. A strong AI governance program should include an AI use register. It should identify approved tools, owners, business purposes, data categories, risk ratings, controls, monitoring obligations, and renewal or reassessment dates. Without that inventory, a company cannot credibly claim to govern AI risk.

The Compliance Risk Management Model Already Works

One of the most important insights from the conference was that compliance professionals already have the right risk management framework. AI risk does not require abandoning the compliance discipline. It requires applying it.

The framework is familiar. Identify the risk. Develop a risk management strategy. Train employees. Implement the strategy. Monitor performance. Use data to improve your strategy continuously. That is the compliance operating model. It is also the right model for AI governance.

The 2024 ECCP emphasized risk-based compliance, data access, continuous improvement, and the effectiveness of controls in practice. Those expectations fit naturally into AI governance. A company should ask whether its AI controls are designed around actual risks, whether compliance has access to AI-related data, whether employees understand acceptable use, and whether the company can prove that its controls operate effectively. The lesson is straightforward. Do not build AI governance as a technology policy alone. Build it as a compliance program.

AI Risk Has Three Core Dimensions

The conference also highlighted the need to separate AI risk into practical categories. For compliance officers, three risk areas deserve immediate attention.

First, internal risk. This includes employee use of AI, shadow AI, unauthorized tools, misuse of confidential information, lack of training, and gaps in approval processes.

Second, external risk. This involves AI systems that affect customers, patients, consumers, investors, or other external stakeholders. These tools may raise issues involving fairness, privacy, transparency, discrimination, consumer protection, and regulatory obligations.

Third, third-party risk. Vendors, consultants, service providers, and sales agents may introduce AI into the company’s operations. A third-party vendor using AI in screening, analytics, customer service, data processing, or decision support can pose a risk to the company, even when the company did not build the tool.

This is where compliance must bring discipline. Third-party AI risk should be part of due diligence, contracting, audit rights, monitoring, and renewal. Companies should ask vendors what AI tools they use, what data those tools process, whether subcontractors are involved, how outputs are validated, and whether the company has audit rights over AI-related controls.

ROI Must Begin With the Business Purpose

AI projects should begin with a simple question: what problem are we trying to solve? Too many AI initiatives begin with pressure to “use AI” rather than a clear business case. That is not governance. That is technology enthusiasm without control or discipline. A compliance-minded AI review should ask whether the proposed tool has a defined use case, measurable business value, appropriate controls, and a clear owner. It should also ask whether the project is drifting from its original purpose. Mission creep is a real AI risk. A tool approved for one purpose can quickly be used for another. That creates new risks and may invalidate the original approval.

The more regulated the use case, the more important this analysis becomes. AI used in healthcare, employment, finance, consumer decisions, investigations, sanctions screening, or third-party risk management demands heightened scrutiny. ROI may not always appear as a direct financial return. Sometimes the business value is avoiding regulatory exposure, improving consistency, strengthening documentation, or reducing unmanaged risk.

Training Is No Longer Optional

AI training must move beyond general awareness. Employees need practical, role-based instruction. They need to know which tools are approved. They need to know what data is prohibited. They need to understand when human review is required. They need to know how to report AI concerns, errors, bias, hallucinations, or misuse. They also need to understand that AI output is not a substitute for professional judgment.

For compliance teams, training should include investigators, auditors, third-party managers, procurement, legal, finance, HR, IT, and business leaders. The message should be clear: AI can support the work, but it does not remove accountability.

Build AI In, Do Not Bolt It On

One of the most practical insights from the conference was that AI should be built into business processes, not bolted on afterward. That distinction matters. Bolted-on AI becomes a tool without governance. Built-in AI becomes part of the control environment.

For example, in third-party risk management, AI can help analyze due diligence responses, identify red flags, monitor adverse media, track contract obligations, and support ongoing risk scoring. But it must be embedded into a process with human oversight, escalation protocols, audit trails, and testing. The same applies to investigations, hotline analytics, policy management, training, and monitoring. AI should strengthen compliance processes, not bypass them.

The CCO Must Have a Seat at the AI Table

The compliance function should not wait to be invited into AI governance. It should claim its role. The CCO brings the language of risk, controls, accountability, documentation, monitoring, and culture. Those are precisely the disciplines AI governance requires. Compliance should help design AI approval workflows, risk assessments, training, third-party reviews, monitoring plans, and board reporting.

This does not mean compliance owns every AI decision. It means compliance must be part of the governance architecture. AI governance should be cross-functional, with legal, compliance, IT, privacy, cybersecurity, internal audit, procurement, HR, and the business working together. But compliance must ensure that the program is not simply innovative. It must be defensible.

Practical Takeaways for Compliance Professionals

  1. Create an AI inventory. Know what tools are being used, by whom, for what purpose, and with what data.
  2. Establish an AI governance committee. Include compliance, legal, IT, privacy, cybersecurity, internal audit, procurement, and business leadership.
  3. Build a risk-based approval process. High-risk AI use cases should require enhanced review, documentation, testing, and escalation.
  4. Address shadow AI directly. Do not assume employees are waiting for policy guidance. Identify actual use and bring it into governance.
  5. Train by role and risk. General AI awareness is not enough. Employees need practical rules for approved tools, prohibited data, human review, and reporting.
  6. Extend third-party risk management to AI. Vendor diligence, contracts, audit rights, monitoring, and renewal reviews should include AI-specific questions.
  7. Monitor and improve. AI governance is not a one-time policy exercise. It requires testing, metrics, incident review, and continuous improvement.

Board Questions

  1. Do we have an inventory of AI tools currently used across the enterprise?
  2. Who approves AI use cases, and how are high-risk uses escalated?
  3. How do we detect and manage shadow AI?
  4. What data is prohibited from being entered into AI tools?
  5. How are third-party AI vendors reviewed, contracted, monitored, and audited?
  6. What AI metrics does management provide to the board?
  7. Who has the authority to pause or terminate an AI project that creates unacceptable risk?

CCO Questions

  1. Is compliance involved before AI tools are deployed?
  2. Do our policies distinguish between approved, restricted, and prohibited uses of AI?
  3. Can we prove employees have been trained on AI risks?
  4. Do we have a documented AI risk assessment process?
  5. Are AI controls tested by internal audit or another independent function?
  6. Are AI incidents, errors, and misuse captured through speak-up and escalation systems?
  7. Can we show regulators that our AI governance works in practice?

Conclusion

Compliance Week 2026 confirmed that AI has crossed the threshold from emerging technology to core compliance risk. The companies that succeed will not be those that chase every new tool. They will be the companies that govern AI with discipline. For the modern CCO, this is the moment to step forward. AI governance belongs squarely within the compliance conversation because it involves risk, accountability, culture, controls, third parties, monitoring, and board oversight. Those are the foundations of effective compliance.

AI may change the tools. It does not change the obligation. Governance still matters. Controls still matter. Culture still matters. Accountability still matters. And compliance must help lead the way.


The Compliance Handbook, 7th Edition

As the Compliance Evangelist, I am pleased to announce the release of The Compliance Handbook, Seventh Edition. I believe it is the best single-author handbook for compliance professionals and about compliance professionals. It is beautifully packaged, edited, and published by the country’s top legal and compliance publisher, LexisNexis.

This edition is an update of the Compliance Handbook, 7th edition. The handbook is a must-read for all ethics and compliance professionals. The Seventh Edition provides practical, helpful solutions to important ethics and compliance issues. It is comprehensive, accessible, and a must-have for every ethics and compliance professional.

As noted, I have teamed up with the country’s top legal and compliance publisher, LexisNexis Legal & Professional, to add to its winning series of compliance offerings. The Compliance Handbook, 7th edition, provides seasoned compliance professionals and those new to the profession with practical, actionable guidance and tools to design, implement, and continually enhance a best-practices compliance program. Why the need for this update?

Noted compliance maven Karen Moore said in the book’s foreword:

There is an increasing awareness that compliance and ethics stand at a unique crossroads—the intersection of human behavior and decision-making and of corporate identity, purpose, and mission. We operate at all levels of the organization: we satisfy the board, seek to understand strategy in the C-suite, engage middle managers, and stay relevant to the factory floor and frontline workers. We reconcile the need to defend the enterprise with the need to believe in its individuals. All that, within an increasingly complex landscape of shifting regulations, emerging risk areas, and geopolitical instability.

The Compliance Handbook, 7th edition, provides an in-depth look at the latest thinking and trends for the full range of critical compliance topics, including:

  • Compliance and business ventures;
  • Third-party risk management;
  • The Board’s role in compliance;
  • Continuous improvement;
  • Compliance innovation; and
  • Much more.

The Compliance Handbook, 7th edition, also takes a close look at the roles of all professionals with compliance responsibility, from Compliance Officers and Boards of Directors to Human Resources, Internal Audit and Internal Controls, and Communications and Training professionals. Understanding compliance responsibilities across the organization remains a key theme for both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). In this 6th edition, I expand on the concepts articulated in previous editions for operationalizing your compliance program.

What’s new for the 7th edition?

  • Key compliance enforcement actions, DOJ pronouncements, and all things compliance from 2025;
  • The revised section on the use of AI in a best practices compliance program;
  • The significant revisions to the chapter on data analytics; and
  • Looking forward to compliance in 2030 and beyond.

The Compliance Handbook, 7th edition, incorporates the most current government pronouncements governing best practices compliance programs, including the 2024 Evaluation of Corporate Compliance Programs; the new DOJ whistleblower initiative; ideas on innovation in compliance training, data, and its use in improving and maintaining corporate culture; the continued evolution of AI in compliance; and much more.

The Compliance Handbook, 7th edition, is available in both print and eBook editions. Visit the LexisNexis® Store at https://lexisnexis.com/fox20.

To save 20% on The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, please use the promotion code FOX20.

Offer expires December 31, 2026. The offer applies to new orders only, before shipping and taxes are calculated, and shipped to a U.S. address. Discount will be applied to each applicable product after code FOX20 is entered.

Categories
Great Women in Compliance

Great Women in Compliance: DOJ’s New Fraud Division: Practical Insights for Compliance Professionals

In this episode, Lisa and Ellen speak with Leigha Simonton and Jennifer Beidel, former prosecutors and now partners at Dykema Gossett. They discuss the changes in the U.S. Department of Justice, focusing on the National Fraud Enforcement Division and shifts in enforcement priorities.

They discuss the spotlight on fraud involving federal funds, especially in healthcare, PPP loans, and other government programs. They discuss the new structure of the criminal fraud division and how that may change the government’s approach to prosecuting cases. At the same time, they also note that many experienced prosecutors and agents have left the DOJ, creating a gap between stated priorities and capacity and expertise.

Leigha and Jennifer also provide practical guidance for ethics and compliance professionals. They confirm that a risk assessment is critical and that any company that received federal funds, such as PPP loans, should remain vigilant for possible exposure under the current enforcement trends.

Even with these changes, they reiterate that effective, well-tested compliance programs do matter if the U.S. government is considering (or engaging in) prosecution. A proactive program—not the tick-the-box type—demonstrates implementation and remediation, increasing the likelihood of a declination.

This is a great episode for those of us trying to understand the US DOJ’s current enforcement landscape amid uncertainty.

Categories
Daily Compliance News

Daily Compliance News: May 4, 2026, The May The 4th Be With You Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • DOJ loses 25% of all lawyers. (FT)
  • The Trump Administration is to push forward with tariffs based on forced labor. (NYT)
  • Baer told the rehire about AML sanctions and the whistleblower. (Bloomberg)
  • Senior lawyers must pay for junior lawyers’ misuse of AI. (Reuters)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Daily Compliance News

Daily Compliance News: May 1, 2026, The May Day Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Insiders winning on polymarkets? (FT)
  • KNDS investigates bribery allegations ahead of IPO. (FT)
  • OpenAI is sued over the Canada massacre. (WSJ)
  • DOJ wins access to KKR and its lawyers’ emails. (Bloomberg)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Blog

Isaac Newton and the Hidden Forces Behind Misconduct

Today, we conclude our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this concluding post, we consider Isaac Newton’s theorem that misconduct is rarely random.

If Francis Bacon taught us that a compliance program must be grounded in evidence, René Descartes taught us that evidence must be examined with rigor, John Locke taught us that the system must be legitimate, and Thomas Hobbes taught us that institutions need order, Isaac Newton brings this series to its final and perhaps most powerful insight: misconduct is rarely random. Forces drive it. Pressures. Incentives. Structural weaknesses. Repeated patterns. Hidden relationships. The most mature compliance programs understand that reality and act on it.

Newton is remembered as the great scientist of motion, force, and causation. He gave the world a way to understand that observable events are often the result of underlying principles that can be identified, studied, and predicted. His work was not simply about describing what happened. It was about explaining why it happened and how the same forces might operate again. For the compliance professional, that is a profoundly useful way to think. A hotline complaint, a bribery incident, a books-and-records failure, a retaliation claim, or a control breakdown should never be seen as a one-off event. The real question is Newtonian: what forces produced this result? In a best practices compliance program, that question is the bridge from reaction to prevention.

Why Newton Matters to Compliance

Newton helps compliance professionals move beyond event-based thinking. Too often, organizations respond to misconduct by focusing only on the visible incident. Someone violated policy. Someone approved a bad payment. Someone ignored a red flag. Someone retaliated against a whistleblower. Those facts matter, of course, but they are usually only the surface expression of deeper conditions. Newton would urge us to ask what was acting beneath the surface.

Was the employee under intense sales pressure? Were performance incentives designed in a way that rewarded output but ignored process? Was a business unit growing so quickly that controls were bypassed in the name of speed? Did management tolerate workarounds because the local market was too important to slow down? Was the company relying on outdated monitoring tools in a rapidly changing business model? Were risk signals present but scattered across functions with no one connecting them?

That is Newton’s great gift to compliance. He reminds us that forces shape behavior, and if you want to reduce misconduct, you must understand and address the forces that make misconduct more likely.

The DOJ Expects Companies to Understand Causes, Not Just Outcomes

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Newtonian logic with remarkable consistency. The ECCP asks whether a company performs root cause analysis, adapts its program based on lessons learned, uses data to identify patterns, aligns incentives with ethical conduct, and can demonstrate that controls are responsive to emerging risks. These are not narrow enforcement questions. They are questions about causation.

The ECCP is not satisfied when a company says it found the bad actor and imposed discipline. Regulators want to know what the company learned. Why did the misconduct happen? Were there prior warning signs? Was the conduct enabled by poor oversight, flawed incentives, weak middle management, insufficient resources, or ineffective controls? Did the company identify those drivers and change the system? That is exactly the sort of inquiry Newton would have appreciated.

Root Cause Analysis Is Newton in Practice

If there is one place where Newton’s influence should be front and center, it is root cause analysis. In compliance, root cause analysis is the discipline of looking beyond the immediate violation to identify the pressures, structures, incentives, and system weaknesses that created the conditions for failure. This is where many companies still fall short.

A company uncovers improper payments and concludes that an employee acted dishonestly. Perhaps that is true. But Newton would ask what else was in motion. Was there a compensation model that encouraged aggressive behavior without corresponding control discipline? Were finance and compliance understaffed relative to expansion? Did business leadership send signals that revenue mattered more than process? Had similar concerns surfaced in audit findings or prior investigations? Was a third-party oversight process designed for a smaller and less risky operating model? A true root cause analysis keeps asking until the organization understands the forces at work.

Incentives Are Among the Strongest Forces in Any Organization

Newton’s framework is especially valuable when thinking about incentives. Every organization generates motion through what it rewards, measures, and celebrates. If those incentives are poorly designed, they can push employees and managers toward decisions that undermine the compliance program even when the formal policy language is sound. This is one of the most underappreciated truths in compliance.

A company may say all the right things about integrity, but if promotions, bonuses, and recognition go disproportionately to people who hit aggressive numbers regardless of how they achieved them, employees receive a different message. If managers are evaluated on speed and volume but not on control discipline, they will often treat process as friction. If local market leaders are given extraordinary flexibility without matching oversight, the organization may create precisely the pressures and blind spots that breed misconduct.

The ECCP has increasingly focused on compensation structures, clawbacks, and incentive alignment for precisely this reason. Regulators understand that culture is shaped not only by leadership’s words, but also by tangible rewards that guide daily conduct. Newton helps compliance professionals explain why this matters. Incentives are not background conditions. They are active forces inside the corporate system.

Analytics Help the Company See What the Eye Misses

A Newtonian compliance program also leverages analytics more effectively. Newton’s work showed that patterns in motion could be identified through disciplined observation and analysis. Modern compliance can do something similar. Data analytics, trend reviews, and integrated monitoring allow a company to detect patterns that an isolated human review might miss. That does not mean technology replaces judgment. It means technology can help reveal the forces and relationships that judgment must then interpret.

Consider a multinational company reviewing third-party spend, travel, and entertainment data, hotline trends, and investigation outcomes. Each data set alone may show only limited information. But when viewed together, patterns may emerge. A particular region may show above-average use of high-risk intermediaries, greater discounting, delayed documentation, and increased employee complaints about management pressure. No single data point proves misconduct. But together they may reveal a system under strain.

This is where Newton connects back to Bacon. Bacon tells us to gather evidence. Newton tells us to study how patterns and causes operate across the system. Together, they produce a compliance function that is empirical, analytical, and forward-looking.

Misconduct Is Often a Systems Failure, Not Merely an Individual Failure

One of the most valuable lessons Newton offers the compliance profession is that misconduct is frequently systemic. This does not excuse individual wrongdoing. Personal accountability remains essential. But if a company stops with personal accountability, it may miss the broader organizational truth.

An employee may make an improper payment, but the surrounding system may have made that outcome easier, more predictable, or more likely. A senior manager may retaliate against a reporter, but the broader culture may have conditioned leaders to treat bad news as disloyalty. A financial control breakdown may involve one approving official, but the deeper problem may be a long-standing tolerance for informal overrides. In each case, the misconduct event should prompt a systems review.

This is particularly important in fast-changing environments. Growth, acquisitions, digital transformation, remote work, AI deployment, and market stress all alter the forces acting on the organization. Controls designed for one operating model may not be sufficient for the next. A Newtonian compliance officer understands that governance must evolve as the system changes. The question is never just whether the policy still exists. The question is whether the underlying forces have shifted in ways the compliance program has not yet caught up to.

Newton and the Future of Compliance

Newton is particularly relevant today because the modern compliance landscape is increasingly defined by complexity. Third-party ecosystems are larger. Data flows are faster. Business models shift more quickly. AI and automated decision-making create new risks that can change over time through drift, scale, and changing use cases. In that world, static compliance is not enough. A company needs to understand how moving systems work.

This is where frameworks like NIST and ISO/IEC 42001 become useful companions to Newtonian thinking. They emphasize lifecycle governance, ongoing monitoring, documented accountability, testing, and adaptation. In the AI context, especially, the lesson is clear: a control that works on day one may not be enough on day two. Risks evolve—inputs change. Vendors change. User behavior changes. Governance must therefore be dynamic, evidence-based, and attentive to emerging forces.

The same is true across compliance more broadly. Companies cannot assume that yesterday’s control environment will manage tomorrow’s pressures. Newton teaches that motion continues unless acted upon, and in the corporate setting, that means risk patterns will continue to develop unless governance actively intervenes.

The Compliance Officer as Interpreter of Organizational Forces

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, Locke as a steward of legitimacy, and Hobbes as an architect of order, Newton casts the compliance officer as an interpreter of organizational forces. That is a sophisticated and necessary role.

The compliance officer must ask what is really driving conduct across the enterprise. Which incentives are shaping decisions? Which processes are creating blind spots? Which managers are transmitting pressure? Which data trends suggest a deeper problem? Which repeated “isolated incidents” are no longer isolated at all? Which changes in the business model have altered the risk environment without corresponding updates to governance?

Those are not merely compliance questions. They are strategic governance questions. That is why Newton is such a fitting conclusion to this series. He pulls together all that came before. Evidence matters. Rigor matters. Legitimacy matters. Order matters. But ultimately, the mature compliance program does something more. It understands how these elements interact inside a living system. It recognizes that misconduct does not fall from the sky. It emerges from forces that can be studied, anticipated, and changed. Isaac Newton would have understood that a well-governed institution learns to read its own motion.

Five Lessons Learned for the Modern Compliance Professional

First, misconduct is rarely random. It is usually the product of identifiable pressures, incentives, weaknesses, and structural conditions.

Second, root cause analysis must go beyond the visible event. The goal is to understand the forces that made the event more likely.

Third, incentives are among the strongest drivers of conduct. A company must align compensation, promotion, and recognition systems with ethical and compliant behavior.

Fourth, analytics and trend analysis are essential tools for seeing patterns across the system. They help the company detect pressure points before they become crises.

Fifth, the most mature compliance programs are systemic and preventive. They do not simply respond to incidents. They study the organization well enough to reduce the conditions that produce misconduct.

Closing It Out

This five-part journey through Bacon, Descartes, Locke, Hobbes, and Newton shows that the architecture of a modern compliance program is not merely legal or procedural. It is intellectual. Bacon teaches us to demand evidence. Descartes teaches us to examine it with discipline. Locke teaches us that the system must be legitimate. Hobbes teaches us that institutions require order. Newton teaches us to understand the forces that shape outcomes.

Together, they offer a powerful framework for the compliance professional, the board, internal audit, legal, and business leadership. A best practices compliance program is not simply a collection of policies. It is a way to see the organization clearly, govern it credibly, and continuously improve it. That is true now, just as it would have been revolutionary in their own time.


Categories
Blog

Thomas Hobbes and Why Every Compliance Program Needs Order

We continue our exploration of Enlightenment Thinkers to see their influence on modern compliance programs. This week’s category is broader than philosophers, as many of these men excelled in numerous fields, including science, mathematics, calculus, and medicine. However, each contributed a key component that relates directly to our modern compliance regimes. In this post, we consider how Thomas Hobbes makes clear in his writings that no institution can function without order.

If Francis Bacon teaches that compliance must be grounded in evidence, René Descartes teaches that evidence must be examined rigorously, and John Locke teaches that a compliance system must be legitimate, Thomas Hobbes takes us to a different but equally important truth about structure: no institution can function without order. That is where Hobbes becomes surprisingly relevant to the modern corporate compliance program.

That point can sound severe to modern ears, but compliance professionals understand it instinctively. Good intentions are not enough. Strong values are not enough. Even a trusted culture is not enough. A company also needs structure, clear rules, defined authority, escalation channels, and credible enforcement. Without them, pressure, ambiguity, and self-interest will fill the vacuum.

Hobbes is often remembered for his stark view of human nature and his argument that, in the absence of a strong governing authority, disorder follows. In his political philosophy, institutions exist in part to prevent chaos, conflict, and the breakdown of shared rules. While corporations are not states and employees are not citizens in the political sense, the organizational lesson is powerful. In any complex enterprise, when roles are unclear, rules are weak, exceptions become routine, and accountability is diffuse, people will default to local incentives, personal judgment, and short-term advantage. That is a dangerous environment for compliance.

Why Hobbes Matters to Compliance

Hobbes helps us understand something that compliance officers see every day: misconduct often flourishes not simply because individuals have bad intent, but because the system around them lacks structure. When approval processes are vague, when no one knows who owns a risk, when policies are written but not operationalized, when escalation lines are uncertain, or when managers believe standards are optional if performance is strong, disorder sets in. It may not look dramatic at first. It may look like improvisation, local flexibility, or entrepreneurial speed. But over time, that disorder becomes fertile ground for misconduct. Hobbes would not have been surprised.

His philosophy begins with the recognition that interests, fears, ambitions, and competing claims drive human beings. In the absence of a framework that organizes conduct, conflict and opportunism follow. Translate that into corporate life, and the message becomes clear. Sales teams under pressure will rationalize shortcuts. Business sponsors will push third parties through onboarding if they believe control functions are merely advisory. Local managers will create informal workarounds if policies lack clear accountability. A company does not become more ethical by leaving such matters to improvisation. It becomes less governable. That is why compliance needs structure. Structure is what turns values into operations.

The DOJ Looks for Structure, Not Slogans

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) reflects this Hobbesian insight throughout. Prosecutors do not simply ask whether a company talks about ethics. They ask whether the compliance function has authority, stature, autonomy, and resources. They ask who owns specific risks, how decisions are made, whether controls are implemented consistently, whether investigations are escalated properly, and whether disciplinary systems are enforced. Those are all questions about institutional order.

This is important because many organizations still overestimate the power of tone. Tone at the top matters. Culture matters. Legitimacy matters. But none of those can substitute for structure. A CEO can deliver a compelling speech about integrity. However, if the company’s third-party onboarding process is fragmented, if financial approvals can be bypassed informally, or if no one knows when a matter must be escalated to legal or compliance, then the organization has created a system in which disorder is likely.

Hobbes helps compliance professionals make this point without apology. Rules are not a sign of distrust. Controls are not bureaucratic excess. Escalation pathways are not obstacles to business. They are the architecture that prevents pressure and self-interest from overwhelming principle. The COSO Internal Controls Framework makes much the same point in a different vocabulary. The control environment, control activities, information and communication, and monitoring all depend on defined roles, clear expectations, and operational discipline. The Federal Sentencing Guidelines likewise assume that compliance requires standards, oversight, training, auditing, reporting, and consistent response. Hobbes would recognize all of that as institutional design for preventing disorder.

Policies Must Be Operational, Not Aspirational

One of the most common failures in corporate compliance is the belief that policy issuance is itself control. It is not. A policy can express a standard, but unless the company translates that standard into decision rights, workflows, approvals, and accountability, the policy remains aspirational. This is where Hobbes is especially useful. He reminds us that order is created not by declarations, but by mechanisms.

Take a gifts, travel, and entertainment policy. On paper, the policy may clearly prohibit excessive or improperly documented expenses. But the real compliance question is whether the operating system around the policy supports that standard. Who approves the expense? Is there a threshold that triggers additional review? Are government-facing interactions flagged? Is supporting documentation required before reimbursement? Are there analytics to identify unusual patterns? Are exceptions tracked? Can someone ask a friendly manager to sign off without scrutiny? If the answers are weak, the policy is weak, no matter how polished its language.

Internal Controls Are the Language of Order

If one wanted to translate Hobbes into modern corporate practice, one would end up talking about internal controls. Controls are how an organization embeds order into decision-making. They define who can do what, under what conditions, with what approvals, and with what oversight. They reduce discretion where discretion creates unacceptable risk. They separate duties so that no single actor can move money, approve vendors, or override procedures without a second set of eyes. They create documentation so that actions can be reviewed later. They make authority visible.

For compliance professionals, this is a critical point. Compliance is not merely about training people to do the right thing. It is also about designing systems that make the right thing more likely and the wrong thing harder to do. When misconduct does occur, Hobbes would say that the institution failed to create sufficient order to contain foreseeable human behavior.

Escalation Is a Form of Governance

Another Hobbesian lesson for compliance is the importance of escalation. In poorly governed companies, people often know something is wrong but do not know where the issue should go, who owns the decision, or what threshold requires higher review. That uncertainty is one of the most dangerous forms of disorder because it allows time, politics, and convenience to shape the response. A mature compliance program should therefore have clear escalation pathways.

When does a third-party red flag require a compliance sign-off? When must legal be brought into an internal investigation? At what point does a matter involving senior leadership move to the audit committee or board? Who can approve an exception to policy, and what documentation must support it? Who decides whether a substantiated misconduct issue triggers broader control remediation? These are not administrative details. They are the channels through which institutional order is maintained.

The ECCP pays close attention to this issue because escalation is one of the clearest indicators of whether compliance has real authority. If important matters can be contained, softened, or rerouted informally by management, then the program is fragile. Hobbes would have recognized the danger immediately. Where the lines of authority are unclear, competing interests will rush in.

Enforcement Gives Standards Their Weight

No discussion of order would be complete without enforcement. Hobbes understood that rules without consequences are invitations to defection. The same is true in corporate compliance. A company may have excellent policies, robust training, and well-designed procedures, but if employees believe violations will be ignored, minimized, or treated selectively, the system loses force. This is where consistent discipline matters so much. John Locke helped us see discipline as a question of legitimacy and fairness. Hobbes adds a different point. Discipline is also what gives the rule structure its operational credibility. It signals that standards are real, that no one is exempt, and that the organization is willing to defend the order it has established.

This does not mean punitive excess. It means predictability and seriousness. A company should be able to explain how disciplinary outcomes are determined, how similar cases are handled, and how managers are held accountable not only for their own conduct but for the environments they create. High performers cannot be given private exemptions. Senior executives cannot be allowed to negotiate around standards. Informal workarounds cannot become tolerated customs. Hobbes would have called that a dangerous condition.

The Compliance Officer as Architect of Order

If Bacon casts the compliance officer as an institutional scientist, Descartes as a guardian of clear thinking, and Locke as a steward of legitimacy, Hobbes casts the compliance officer as an architect of order. The compliance officer helps turn principle into process. The compliance officer asks where authority sits, where decisions are made, where controls can be bypassed, where exceptions accumulate, where roles are unclear, and where escalation can fail. That work is not separate from ethics. It is one of the main ways ethics becomes operational inside a large organization.

This is especially important during periods of growth, restructuring, acquisitions, digital transformation, or market stress. Disorder often enters through change. New business lines are launched before roles are clarified. AI tools are deployed before governance is assigned. Third parties are engaged before diligence and monitoring are fully operational. Incentives are revised without understanding how they affect conduct. Hobbes reminds us that institutional order is not self-sustaining. It must be built, maintained, and defended.

Thomas Hobbes may seem like an austere companion for the modern compliance professional, but his lesson is both practical and urgent. Institutions do not drift into integrity. They require order.

Five Lessons from Thomas Hobbes for the Modern Compliance Professional

First, culture and values are essential, but they cannot substitute for structure. A company needs clear rules, defined roles, and operating discipline.

Second, policies are not controls unless they are translated into workflows, approvals, documentation, and accountability.

Third, internal controls are the mechanisms by which institutional order is embedded in business operations. They make the right behavior more likely and the wrong behavior harder to execute.

Fourth, escalation pathways are critical. Employees and managers must know when and how risk moves upward for review and decision.

Fifth, enforcement gives standards their weight. Rules without consistent consequences will eventually be overtaken by convenience and local incentives.

Coming Next: Isaac Newton and the Hidden Forces Behind Misconduct

If Thomas Hobbes teaches us why every compliance program needs order, Isaac Newton will help us understand something even deeper: misconduct is rarely random. It is produced by forces, incentives, pressures, and patterns that can be studied and addressed. In Part 5, I will explore how Newton’s systems-based way of thinking offers a powerful framework for root cause analysis, incentive review, compliance analytics, and proactive prevention. A mature compliance program does not simply respond to failure. It learns to understand the forces that make failure more likely.
