What Interruptions Reveal About Corporate Culture

Every Chief Compliance Officer talks about culture. Every company claims to value ethics, integrity, respect, inclusion, and speak-up behavior. Those words appear in codes of conduct, CEO messages, training decks, town halls, leadership offsites, and annual ethics campaigns. Yet culture is not built into the code of conduct. It is revealed in the meeting.

That is the central lesson of Research: What Interruptions Reveal About Company Culture by William Degbey, Benjamin Laker, Baniyelme Zoogah, Sanjay Kumar Singh, and Ghulam Murtaza. The authors argue that workplace culture is shaped less by formal statements and engagement programs than by everyday interaction patterns, especially interruptions in meetings. Their research found that interruptions, redirections, and moments where employees were spoken over were not merely interpersonal annoyances. They were signals of whose voice carried weight in the room.

For the CCO, that finding should land with force. A company can have a beautifully written value of “speak up.” Still, if employees learn in ordinary meetings that certain people are cut off, ignored, or not credited for their ideas, the real culture is not to speak up. It is speak-only-if-you-have-power. That is a compliance issue.

Culture Is What Happens Before the Hotline

Compliance professionals often think about speak-up culture in terms of hotline reports, investigation data, employee surveys, and anti-retaliation policies. Those are important. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether a company has a trusted reporting mechanism, whether employees feel comfortable using it, whether reporting is encouraged or chilled, and whether employees can raise concerns without fear of retaliation.

But by the time an employee reaches the hotline, the culture has already taught that person a great deal. It has taught them whether management listens. It has taught them whether disagreement is welcome. It has taught them whether bad news is punished. It has taught them whether junior employees can challenge senior leaders. It has taught them whether women, employees from underrepresented groups, remote employees, finance staff, compliance staff, or local market employees are taken seriously.

The authors’ most important compliance lesson is that interruptions are cultural data. They are small, repeated, observable signals that show whether the company’s stated values are protected in daily business interactions or suspended when authority, speed, revenue, or hierarchy enters the room.

Why This Matters to Ethics and Integrity

Ethics and integrity depend on voice. Employees must be willing to raise concerns, ask questions, challenge assumptions, and slow down decisions when something does not look right. If the organization’s meeting culture teaches employees that unfinished concerns can be interrupted, redirected, or appropriated, then the company is training people not to speak.

The authors found that many senior leaders interpreted interruptions as signs of efficiency and engagement. They saw energetic cross-talk as evidence of a productive culture. Yet the follow-up study found that others experienced the same conduct as exclusionary and predictable. Interruptions were disproportionately directed at women and employees from underrepresented racial and ethnic groups. In the follow-up study, 19 of 27 interviewees described women being interrupted more frequently than men; all seven Black women interviewed described early-stage interruptions, and five said others later resurfaced their ideas without attribution.

For compliance, that is not simply an inclusion issue, though it certainly is. It is also a risk-detection issue. If certain voices are routinely cut off, then certain risks will be underreported. If certain employees must speak faster, more defensively, or only when explicitly invited, the company loses early warning signals. If some ideas are accepted only when repeated by someone with greater status, then the company is not evaluating risk on its merits. It is evaluating risk through hierarchy. That is how ethical blind spots form.

The Silent Cost of Being Interrupted

One of the most powerful findings in the article is that interruptions changed employee behavior. Twenty-one of the 27 participants in the follow-up study said they changed how they contributed to meetings. Some spoke faster or more defensively. Some pre-structured arguments to avoid being cut off. Some waited for explicit permission to speak. Others stopped contributing unless necessary. That is exactly what a CCO should worry about.

A healthy compliance culture does not require employees to perform perfectly polished courage. It gives employees room to raise half-formed concerns, ask awkward questions, and test whether something feels wrong before they have built a legal brief around it. Many compliance issues begin as fragments: “Something about this consultant does not feel right.” “The customer is asking for unusual documentation.” “The timing of this payment seems odd.” “Why are we routing this through that entity?” “I am not sure the data use matches what we told customers.” Those are early-stage compliance signals. They need space.

If the meeting culture rewards only fast, polished, confident speech, then employees who need time to frame a concern may never get the chance. The authors note that faster and more confident-sounding speech was often treated as more authoritative, while slower or less forceful speech was treated as incomplete and therefore easier to interrupt. For a CCO, the lesson is clear: do not build a compliance program that only works for the loudest person in the room.

From Tone at the Top to Conduct in the Room

Compliance professionals have long emphasized “tone at the top.” That remains important. But this article reminds us that tone at the top is incomplete unless it becomes conduct in the room.

The DOJ expects companies to demonstrate that compliance policies and procedures are integrated into operations and that a culture of compliance is embedded in day-to-day activities. That is precisely where meeting behavior matters. Meetings are where risk appetite becomes real. They are where employees learn whether the company actually values integrity when there is a deal to close, a target to hit, or a senior executive to satisfy.

A CCO should, therefore, ask:

What happens when ethics enters the meeting?

Does the room slow down?

Does the leader protect the person raising the concern?

Does someone capture the issue and assign a follow-up?

Does the business discuss controls and alternatives?

Or does the concern get interrupted, minimized, joked away, or pushed offline?

The answers will tell you more about culture than a slogan.

Reading Interruptions as Compliance Data

The authors recommend that leaders stop treating interruptions as isolated incidents and begin reading them as data. They suggest observing who gets interrupted, when the interruption occurs, and what happens to the idea afterward. Is the idea acknowledged? Is it dropped? Is it later picked up without credit? That framework can be directly adapted into a compliance culture assessment.

A CCO can ask compliance, internal audit, HR, or an outside facilitator to observe selected meetings where risk decisions are made. These might include third-party approval committees, deal review meetings, product governance meetings, investigations triage meetings, M&A diligence sessions, safety committees, privacy reviews, or regional leadership calls.

The observer should not simply count who speaks. This is not about policing manners. It is about understanding whether the company’s ethical culture allows risk information to travel upward and across the organization.

Slow the Meeting to Surface the Risk

The article warns that speed and forced momentum can amplify inequality. Faster conversations often favor those who already feel entitled to the floor. Those who anticipate interruption compress their thinking, hesitate, or wait for a clear opening. The authors recommend slowing the interaction: let people finish, pause before responding, reinforce the norm when someone is cut off, and rotate facilitation. This is deeply relevant to compliance.

Many corporate failures occur not because no one saw the risk, but because the organization moved past it too quickly. The payment had to go out. The distributor had to be approved. The quarter had to close. The launch date had to be met. The customer had to be retained. In that environment, “speed” can become a cultural value that overwhelms integrity. A CCO should help leaders build an “integrity pause” into decision-making.

Protect the Contribution, Not the Ego

The article also makes an important distinction. Calling out interrupters or turning every interruption into a lesson on etiquette often does not work. It can escalate the moment and personalize the issue. The better approach is to protect the contribution directly. The authors suggest short interventions such as “Let them finish,” “I want to hear the rest of that point,” and “Let’s come back to the idea that was just interrupted.” This is practical guidance for CCOs and compliance professionals.

When someone raises a compliance concern and is interrupted, the compliance professional does not need to accuse anyone of bad intent. They can simply protect the contribution and bring the room back to the unfinished point. Interventions of that kind help create psychological safety around risk information. They tell the room that compliance concerns are not interruptions to business. They are part of doing business properly.

The CCO as Culture Observer

A CCO cannot improve culture solely by issuing policies. Policies matter, but culture is reinforced through repeated behavior. The DOJ guidance recognizes that policies and procedures must give effect to ethical norms and be integrated into day-to-day operations. That means the CCO must look beyond policy architecture and ask how people actually behave when decisions are being made.

Not every interruption is retaliation. Not every fast-paced meeting is unethical. Not every dominant speaker is a compliance risk. But patterns matter. Repeated interruption of certain people, functions, geographies, or types of concerns is cultural data. A CCO should treat it as such.

Turning the Article into a Compliance Playbook

A practical CCO response could include five steps.

  1. Add meeting behavior to the culture assessment. Ask employees whether they can finish raising concerns in meetings, whether leaders invite dissent, whether objections to risk are credited, and whether certain voices are routinely ignored.
  2. Observe high-risk meetings. Select a sample of decision-making forums and map interruptions, credit, follow-up, and closure. The goal is not surveillance. The goal is to understand whether the company’s values show up when risk is discussed.
  3. Train leaders on protecting concerns. Leadership training should include simple phrases for preserving unfinished risk points. A manager does not need to become a compliance expert to say, “Let’s hear the rest of that concern.”
  4. Build structured dissent into key decisions. For high-risk approvals, require a final risk round before the decision. Ask compliance, finance, legal, HR, internal audit, cybersecurity, or local-market leaders whether they see an unresolved issue.
  5. Report cultural signals to the board. Boards should hear more than hotline statistics. They should understand whether the organization’s meeting culture supports candor, dissent, and ethical escalation.

Improving Corporate Culture Around Ethics and Integrity

The broader message for compliance professionals is that ethics and integrity must become observable behaviors. Employees should see integrity in how meetings are run, how concerns are handled, how dissent is credited, how leaders respond to uncertainty, and how the company treats people who slow down a decision for the right reason.

The bottom line is straightforward. The words on the wall do not prove a culture of ethics and integrity. It is proven by who gets to speak, who gets heard, and what happens when someone raises a concern that slows the room down. For the CCO, the lesson from this article is powerful: look at the meetings. That is where the culture is already speaking.

The False Alignment Trap in Compliance Transformation

A major compliance initiative rarely fails because the Chief Compliance Officer (CCO) did not work hard enough. It usually fails because the organization never reached a true agreement on what the initiative was supposed to accomplish.

That is the core lesson from The False Alignment Trap by Julia Dhar, Kristy R. Ellmer, and Philip Jameson. The authors argue that many change efforts fail because senior leaders believe they agree on the “why,” “what,” and “how” of change when, in fact, they do not. A stitched-together flower is an apt metaphor for corporate change: from a distance, the initiative may look whole; up close, it may be held together by fragile threads.

For the CCO instituting a major compliance initiative, this insight is critical. Whether the project is a global third-party risk overhaul, a new sanctions screening program, an AI governance framework, a speak-up culture campaign, or a full redesign of the compliance operating model, the CCO cannot settle for polite nods around the executive table. The CCO must secure true agreement.

The authors frame the three questions every change program must answer: why are we changing, what are we changing, and how will the change occur? The article also makes an important distinction between “alignment” and “agreement.” Alignment may mean only that executives are not actively blocking one another. Agreement means leaders have made a detailed and explicit compact that allows them to move together and hold one another accountable. That distinction should be posted on every CCO’s wall.

Why This Matters to Compliance

A major compliance initiative always changes more than the compliance department. It changes how a sales function approves intermediaries. It changes how procurement selects vendors. It changes how finance reviews payments. It changes how HR handles discipline and incentives. It changes how legal, internal audit, cybersecurity, operations, and the business share data. It may change who can approve a deal, how quickly a transaction can move, and what documentation must be in place before revenue is booked. That means compliance transformation is not simply a compliance project. It is an enterprise change project.

The Department of Justice’s 2024 Evaluation of Corporate Compliance Programs (ECCP) asks three fundamental questions: whether the program is well designed, whether it is applied earnestly and in good faith through adequate resources and empowerment, and whether it works in practice. DOJ also asks whether senior management has articulated standards clearly, disseminated them in unambiguous terms, and demonstrated adherence by example. Those expectations cannot be met if the C-suite is only “conceptually aligned” on compliance.

A CCO may believe the company has agreed to strengthen compliance. The CEO may believe the initiative is about satisfying the board. The CFO may believe it is about reducing investigation costs. The head of sales may believe it is about avoiding bad distributors but not slowing growth. The general counsel may believe it is about reducing enforcement exposure. Operations may believe it is another documentation exercise. HR may believe it is about training completion rates. Everyone says yes. Everyone means something different. That is the false alignment trap.

The First Lesson: Never Launch on Slogans Alone

Compliance leaders love phrases such as “culture of compliance,” “tone at the top,” “risk-based approach,” “speak-up culture,” and “doing business the right way.” These phrases are useful, but they are not implementation plans. The authors warn that executives often think they agree because their conversations are insufficiently specific. Leaders may agree on a broad goal, but disagree sharply on the levers, trade-offs, timeline, funding, and operational consequences.

For a CCO, this means “we need a stronger third-party program” is not enough. The leadership team must agree on what that means in practice. Does it mean fewer third parties? More due diligence? More audits? Centralized onboarding? Automated screening? New contractual rights? Mandatory business justification? Enhanced payment controls? A right to terminate non-responsive intermediaries? A slower sales cycle in high-risk markets? Until those questions are answered, the CCO does not have agreement. The CCO has a slogan.

The Second Lesson: Silence Is Not Commitment

One of the most dangerous moments in compliance transformation is the executive meeting where everyone nods. The authors describe the “false consensus effect,” where leaders overestimate the extent to which others share their beliefs. They also describe the tendency of executives to pretend to agree rather than surface disagreement. In one example, executives used vague phrases such as “I am aligned,” “partly aligned,” and “conceptually aligned,” even though real disagreement remained unresolved.

Compliance professionals see this all the time. A regional president says, “We fully support the new due diligence process.” What she may mean is, “We support it unless it slows down strategic distributors.” A sales leader says, “We support compliance training.” What he may mean is, “We support it as long as it does not take people out of the field during the quarter.” A procurement leader says, “We support vendor controls.” What he may mean is, “We support them for new vendors, but not for legacy vendors.”

The CCO’s job is to make those reservations visible before launch. That does not mean creating conflict for conflict’s sake. It means creating a process where disagreement becomes a source of better design.

The Third Lesson: Invite Dissent Early

The authors recommend provoking an early exchange. Leaders should write down what they agree with, what they disagree with, and what they are unsure about. The authors specifically note that written reactions can reduce groupthink. They also recommend asking questions that invite contrary views, such as “What could go wrong with this approach?”

This is directly applicable to compliance. Before launching a major compliance initiative, the CCO should ask each executive to answer, in writing:

What risk are we trying to reduce?

What business process will this initiative change?

What are you worried this initiative will disrupt?

What resources will your function need?

What decisions are you willing to give up or share?

What part of this proposal do you not support?

Where do you believe compliance is underestimating the operational impact?

These questions are uncomfortable. That is the point. A compliance initiative that cannot survive executive-level dissent in a planning meeting will not survive business-level resistance during implementation.

The Fourth Lesson: Deferred Agreement Becomes Compliance Debt

The authors warn against the idea that leaders can “sort out the details later.” That may work for small experiments, but the authors argue that it is dangerous for transformative organizational change because vague or contradictory premises create confusion, delay, and employee frustration. They describe deferred agreement as a debt that leaders expect to repay quickly but often never repay at all. For compliance, deferred agreement is especially costly.

When the CCO launches without a clear executive agreement, the business will find the gaps. If sales and compliance disagree on third-party approval standards, the business will escalate every hard case. If finance and compliance disagree on payment controls, exceptions will multiply. If HR and legal disagree on discipline standards, investigations will produce inconsistent outcomes. If IT and compliance disagree on data ownership, monitoring dashboards will never mature. The result is not simply inefficiency. It is a control failure.

A CCO should treat unresolved executive disagreement as a known risk. It should be tracked, assigned, escalated, and resolved before the initiative moves from design to deployment.

The Fifth Lesson: Watch for the Three Failure Modes

The authors identify three consequences of false alignment: paralysis, hyperactivity, and tunnel vision. These are also classic symptoms of a failing compliance initiative.

Paralysis occurs when teams are stuck between competing executive priorities. In compliance, this looks like endless working groups, repeated risk assessments, draft policies that never finalize, and technology projects that remain in “requirements gathering” for months.

Hyperactivity occurs when teams launch too many initiatives to please too many stakeholders. In compliance, this looks like a dozen training campaigns, multiple dashboards, overlapping third-party reviews, new certifications, new attestations, and new committees, but no meaningful risk reduction.

Tunnel vision occurs when teams make progress on the wrong thing. In compliance, this may mean achieving 100% training completion while employees still do not know how to raise concerns. It may mean onboarding vendors faster while missing beneficial ownership risk. It may mean closing investigations more quickly while weakening root cause analysis.

The CCO should use these three symptoms as early warning indicators. If the initiative is stuck, too busy, or moving in the wrong direction, the problem may not be execution. It may be false alignment at the top.

Lessons in Building True Agreement for a Compliance Initiative

The authors offer a five-step path to true agreement: set clear parameters, provoke an early exchange, have a substantive debate, reach a formal verdict, and send a unified message. That framework can be translated directly into a CCO playbook.

  1. Set clear parameters. The CCO should define the decision rights before the project begins. Who decides the risk appetite? Who approves the budget? Who owns business process changes? What decisions require CEO approval? What issues go to the board? What happens if a regional business leader disagrees?
  2. Provoke an early exchange. The CCO should require written input from the CEO, CFO, general counsel, CHRO, CIO, internal audit, procurement, and key business leaders. This is where hidden objections should surface.
  3. Have a quality debate. The CCO should hold one-on-one conversations with executives before the group decision meeting. The point is not to lobby for superficial support. The point is to understand red lines, trade-offs, and operational realities.
  4. Come to a formal verdict. The authors recommend asking for each individual’s agreement, documenting the decision, and creating a formal record of the agreed terms. For a compliance initiative, this should become a written executive charter. It should specify scope, budget, timeline, metrics, decision rights, business obligations, and escalation paths.
  5. Send a unified message. The authors warn against each executive’s team receiving its own version of events. Instead, the decision should be broadcast simultaneously in a single format to everyone who needs to know. For compliance, this is essential. Employees should hear one message: this is why we are changing; this is what will change; this is what will not change; this is who owns what; and this is how success will be measured.

The bottom line is clear. A major compliance initiative is not successful because the CCO announces it, the board approves it, or the executive team says it is “aligned.” It is successful when the company reaches true agreement on the risk, the change, the trade-offs, the ownership, and the evidence of effectiveness.

For the compliance professional, The False Alignment Trap provides a powerful reminder: do not launch a transformation on implied consent. Build the compact first. Then execute.

Can Compliance Own Enterprise Resilience?

It has been some time since I checked in with the Harvard Business Review for some blog posts. To remedy this deficiency, I will write this week’s blog posts based on recent HBR articles that caught my interest. Today, we begin with The Case for Hiring a Chief Resilience Officer, which argues that there is a major governance gap inside most organizations: no single executive is accountable for coordinating enterprise-wide resilience and recovery when failures cascade across functions. The article looks at a chief resilience officer (CResO) role that would be responsible for aligning continuity planning, recovery objectives, crisis response, and organizational learning across an enterprise.

The authors begin by noting that the July 2024 CrowdStrike outage will be remembered as more than a technology failure. It was a governance lesson. A routine software update caused cascading operational disruption across airlines, hospitals, logistics systems, and other critical services. The technical root cause mattered, but it was not the only lesson. The larger issue was how quickly a single failure could ripple across functions, third parties, customer obligations, regulatory expectations, and business operations. The article articulated this as the case for a CResO, because many organizations have no single executive accountable for coordinating enterprise-wide resilience and recovery when disruption crosses organizational boundaries.

For the corporate compliance function, that argument should sound familiar. Compliance professionals have spent years explaining that risk does not respect departmental boundaries. Bribery risk can arise from sales incentives, third-party relationships, financial controls, gifts and hospitality, and management pressure. Data risk can sit in technology, privacy, procurement, HR, and customer operations. AI risk can sit in product development, vendor management, legal, cybersecurity, records retention, and board oversight.

Operational resilience is the same kind of problem. It is not only an IT issue. It is not only a business continuity issue. It is not only a risk management issue. It is a governance issue, a controls issue, a documentation issue, a third-party issue, and a board oversight issue. That makes it a compliance issue as well.

The Compliance Significance of Resilience

The central insight behind the CResO role is that most organizations already have pieces of resilience, but they do not always have resilience governance. Risk teams assess exposure. Cybersecurity teams protect systems. Operations teams manage delivery. Business continuity teams write plans and run exercises. Procurement manages vendors. Legal evaluates obligations. Communications handles stakeholders. Compliance monitors controls, policies, reporting, and escalation. Each function may be doing its job. The problem appears when no one owns the integrated answer.

That is why operational resilience has become a regulatory and governance priority. The Basel Committee defines operational resilience as the ability to deliver critical operations through disruption and emphasizes governance, mapping interdependencies, third-party dependency management, business continuity testing, and incident management. The FCA in the UK similarly focuses on important business services, impact tolerances, mapping, testing, vulnerability remediation, lessons learned, and communications planning. In the EU, the Digital Operational Resilience Act (DORA) has elevated digital operational resilience, technology and information third-party risk, incident reporting, and resilience testing into a formal financial sector regulatory framework.

For compliance professionals, the message is clear. Resilience is moving from planning to evidence. Regulators, boards, and senior management will increasingly ask not simply whether the company had a plan, but whether the company knew its critical services, mapped its dependencies, tested severe but plausible scenarios, documented vulnerabilities, assigned accountability, and remediated weaknesses.

That is familiar territory for compliance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a compliance program is well designed, adequately resourced and empowered, and works in practice. It also asks whether improvements to compliance and internal controls have been tested to show they would prevent or detect similar misconduct in the future. Those questions are not limited to bribery, fraud, or sanctions. They reflect a broader governance discipline: design, authority, resources, testing, remediation, and proof.

Can Compliance Absorb the CResO Role?

The answer is yes, but only under the right conditions. A compliance function can absorb the resilience governance role if it has the mandate, authority, resources, data access, and board visibility to do the job. It cannot absorb the role if the organization merely adds resilience to the CCO’s already crowded list of responsibilities without giving compliance the ability to coordinate across technology, operations, procurement, cybersecurity, finance, legal, human resources, communications, and business leadership. This distinction matters.

Compliance can own the governance framework for resilience. It can help define standards, require documentation, monitor remediation, test controls, escalate gaps, and report to the board. It can ensure that resilience obligations are embedded into policies, third-party oversight, incident response, investigations, root cause analysis, training, and internal controls.

Compliance should not become the operator of every resilience process. The first line must still own business services. Technology must still own systems. Cybersecurity must still own cyber defense. Procurement must still own vendor contracting and supplier performance. Operations must still own delivery. Legal must still advise on obligations. Communications must still manage stakeholder messaging. The CCO can serve as the enterprise resilience governance leader, but not as a substitute for operational ownership. That is the practical dividing line.

When Compliance Is the Right Home

Compliance is a strong candidate to absorb the CResO function when resilience is framed as an enterprise governance and controls discipline. This is especially true in organizations where the compliance function already has mature capabilities in risk assessment, policy governance, third-party risk management, investigations, remediation tracking, board reporting, training, monitoring, and documentation. In that model, compliance can bring several advantages.

First, compliance understands cross-functional risk. A well-designed compliance program already reaches into the business, finance, procurement, HR, legal, internal audit, IT, and senior leadership. That horizontal view is essential for resilience.

Second, compliance understands evidence. Resilience cannot be built on verbal assurance. It requires inventories, dependency maps, testing records, incident reports, remediation plans, escalation logs, board materials, and lessons learned. Compliance professionals know how to create a record that demonstrates program effectiveness.

Third, compliance understands accountability. A resilience program without accountable owners will become a collection of meetings. Compliance can help define who owns each critical service, each dependency, each recovery objective, and who must act when testing identifies a vulnerability.

Fourth, compliance understands third-party risk. Many resilience failures begin outside the company’s walls. A critical software provider, cloud provider, logistics partner, manufacturer, payroll vendor, or data processor can disrupt the company’s ability to deliver. Compliance can help connect due diligence, contracting, ongoing monitoring, audit rights, incident notification, and exit planning into a resilience framework.

Finally, compliance understands board reporting. Resilience is a board-level issue because disruption can affect customers, investors, regulators, employees, and the company’s license to operate. The FCA has emphasized that boards need enough information to understand the firm’s resilience approach, who is responsible for it, and the organization’s ability to recover important business services within impact tolerances. Those are governance questions. Compliance is built to translate them into a management system.

When Compliance Should Not Absorb the Role

Compliance should not assume the CResO role if the function lacks operational authority, technical depth, crisis-management access, or senior-level support. A CCO who is asked to “own resilience” without the resources to do so has not been empowered. That CCO has been handed accountability without control. There are several warning signs.

If compliance does not have direct access to the CEO, executive committee, and board, it cannot coordinate enterprise resilience. If compliance cannot require action from technology, operations, procurement, and business units, it cannot close resilience gaps. If compliance lacks data on critical services, vendor concentration, system dependencies, recovery times, incident history, and testing results, it cannot evaluate resilience in practice. If compliance is already under-resourced, resilience will become another paper responsibility.

That would be a mistake. The worst outcome would be to move resilience into compliance as a label while leaving the real decision-making elsewhere. That creates the appearance of governance without its substance.

A Better Model: Compliance as Resilience Governor

For many companies, the right answer is not a binary choice between a standalone CResO and a compliance-owned resilience function. The better model may be compliance as a resilience governor. Under this approach, the company appoints a senior resilience owner, either as a CResO (chief risk and resilience officer) or as a named executive with enterprise authority. Compliance then provides the governance architecture: standards, controls, testing expectations, third-party requirements, escalation procedures, documentation rules, remediation tracking, and board reporting.

This model preserves first-line ownership while giving the organization a consistent second-line framework. It also allows compliance to ask the questions that matter:

Who owns each critical business service? What are the maximum tolerable disruptions? What systems, people, facilities, data, and third parties support each service? What severe but plausible scenarios have been tested? What vulnerabilities were identified? Who owns remediation? What evidence shows that remediation worked? What has been reported to the board?

These are not theoretical questions. They are the difference between a plan and a program.

Five Lessons for Compliance Professionals

  1. Resilience is now a compliance program issue. It involves governance, controls, accountability, documentation, testing, remediation, and board oversight.
  2. Compliance can absorb the resilience governance role, but not the operational role. The CCO can govern the framework. The business must still own delivery.
  3. Authority matters. A compliance-led resilience function must have CEO support, board visibility, cross-functional access, and the ability to require remediation.
  4. Evidence is essential. Dependency maps, scenario tests, incident reports, remediation records, and board materials are what turn resilience from aspiration into proof.
  5. The board should focus on accountability before structure. Whether the company appoints a CResO, places resilience under risk, or builds a compliance-led governance model, the core question remains the same: who owns the enterprise response when disruption crosses every boundary?

The practical compliance lesson is straightforward. Resilience cannot remain a collection of disconnected plans. It must become an operating discipline. For some companies, that discipline will require a dedicated Chief Resilience Officer. For others, a mature, properly empowered compliance function can assume the governance role. But no company should leave resilience to assumption, informal coordination, or after-the-fact improvisation.

In today’s risk environment, the ability to recover is not only an operational strength. It is evidence of effective governance.


From the Tower of Babel to the Boardroom: Part 5 – Workforce Transformation, Third-Party Risk, and Modern Slavery

Artificial intelligence often appears frictionless. A prompt goes in. An answer comes out. A report is summarized. A risk score is generated. A customer interaction is automated. A compliance analyst receives a faster answer. A business process becomes more efficient. Yet there is nothing frictionless about AI.

Behind every AI tool sits a human supply chain. Some workers label data, moderate content, train models, build infrastructure, mine minerals, assemble devices, maintain data centers, write code, manage vendors, and absorb the consequences when automation changes the nature of work. There are third parties, subcontractors, cloud providers, data brokers, model developers, implementation consultants, and business users. There are people whose labor, data, dignity, and livelihoods may be affected long before the board ever sees an AI dashboard. Now we turn to the human supply chain of AI: workforce transformation, third-party risk, and modern slavery.

The Magnifica Humanitas Lesson: AI Is Never Disembodied

Magnifica Humanitas makes a powerful point for compliance professionals: AI is not immaterial or magical. Pope Leo states, “Nothing in the world of AI is immaterial or magical.” That is a moral statement, but it is also a governance statement. The Encyclical explains that AI depends on natural resources, energy infrastructure, digital platforms, and human labor, including data labeling, model training, content moderation, and the extraction of materials needed for devices and microprocessors (Magnifica Humanitas, ¶173).

That is a direct compliance lesson. The risk does not begin when the company deploys an AI tool. The risk begins when the company selects the vendor, approves the use case, provides data, accepts contractual terms, relies on outputs, and fails to ask who and what sits behind the technology. The Encyclical is equally direct that digital systems can amplify hidden forms of exploitation and that supply chains supporting the technology industry should become transparent so competitive advantage is not built on hidden exploitation (Magnifica Humanitas, ¶179).

The document also speaks directly to work. It teaches that work is not simply an instrument, but a setting in which people develop, contribute, cooperate, support their families, and build together (Magnifica Humanitas, ¶148-149). It warns that AI can improve productivity while also de-skilling workers, subjecting them to automated surveillance, forcing them to adapt to the pace of machines, and eroding their agency (Magnifica Humanitas, ¶150). For the CCO, this means AI governance is not only about model risk. It is also about risk to people.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Pope Leo calls for human-centred technology, social criteria for innovation, verifiable measures to protect employment, retraining, worker participation, and a corporate commitment to include the quality and dignity of work among the indicators of success (Magnifica Humanitas, ¶156). In corporate governance language, that means AI adoption should include workforce impact assessment, role-based training, human review, bias testing, privacy controls, speak-up protections, and board reporting.

The Encyclical also calls for preventive ethical verification, or due diligence, across the digital economy, with priority given to worker protection, the fight against forced labor, and assessment of the social impact of data-driven business models (Magnifica Humanitas, ¶179). For compliance professionals, that is third-party risk management. It means vendor due diligence, subcontractor transparency, audit rights, data provenance, labor standards, modern slavery review, incident reporting, and ongoing monitoring.

This is where the moral language of Magnifica Humanitas becomes the operating language of compliance. Human dignity becomes human rights due diligence. Shared responsibility becomes cross-functional governance. Transparency becomes supply chain visibility. Accountability becomes named owners, documentation, monitoring, testing, challenge, and remediation.

Workforce Transformation Is a Compliance Issue

AI will change work. That is not speculation. It is already changing how employees draft, analyze, monitor, investigate, review, report, and decide. The question is whether companies will manage this transformation with governance, transparency, and care, or allow automation to wash through the workforce as a cost-reduction exercise.

Compliance should not attempt to own a workforce strategy. That belongs with management, HR, legal, finance, and business leadership. But compliance should have a voice because workforce transformation creates culture risk, speak-up risk, retaliation risk, discrimination risk, privacy risk, monitoring risk, and internal controls risk. The Encyclical warns that innovation pursued solely for cost reduction and profit can produce job insecurity, inequality, and social instability (Magnifica Humanitas, ¶151).

A company using AI to evaluate employees, monitor productivity, screen applicants, assess performance, recommend discipline, or allocate opportunities should ask hard questions. What data is being used? Has the tool been tested for bias? Are employees informed? Can individuals challenge errors? Is human review required? Are managers trained not to over-rely on AI outputs? Is the tool increasing fairness, or simply making questionable decisions faster?

AI adoption should also include change management. Employees need training on approved AI use, prohibited data inputs, required human review, and escalation of concerns. They also need assurance that raising concerns about AI will not be punished. The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether companies train employees on emerging technologies such as AI and whether companies have controls to monitor AI trustworthiness, reliability, intended use, human decision-making, and accountability. That is not only a technology expectation. It is a cultural expectation.

Third-Party AI Risk Is Not Ordinary Vendor Risk

AI vendors are not ordinary vendors when they touch sensitive data, influence consequential decisions, support compliance processes, provide core infrastructure, or rely on opaque subcontracting chains. A company may believe it is buying software. In reality, it may be acquiring a new decision system, a new data processor, a new compliance dependency, and a new supply chain exposure.

Magnifica Humanitas warns that major economic and technological actors can exercise de facto power over data, expertise, access, visibility, and opportunity. It calls for transparency, accountability, meaningful participation, independent checks, algorithmic transparency, equitable data access, and avenues for recourse (Magnifica Humanitas, ¶71-72). For the CCO, that is a vendor governance mandate.

The ECCP already provides the compliance architecture. A well-designed compliance program should apply risk-based due diligence to third-party relationships, understand the business rationale, assess the risks posed, include appropriate contract terms, monitor third parties through updated due diligence, training, audits, and certifications, and use data to evaluate vendor risk during the relationship. Apply that directly to AI vendors.

The company should know what the AI tool does, what data it uses, whether company data will train or improve the model, where data is stored, who has access, what subcontractors are involved, whether outputs are explainable, what human review is required, how incidents are reported, and whether the vendor can support audit rights. The company should also ask whether the vendor uses third parties for data labeling, content moderation, model evaluation, or technical support, and what labor standards apply to those providers.

An AI vendor questionnaire should not stop at cybersecurity and privacy. It should cover human rights, labor standards, modern slavery risk, data provenance, subcontractor transparency, model governance, incident reporting, auditability, and exit rights.

Modern Slavery Risk in the AI Supply Chain

The risk of modern slavery may seem far removed from enterprise AI adoption. It is not. Magnifica Humanitas challenges that assumption by reminding us that the digital economy depends on physical infrastructure, extracted resources, hidden labor, and vulnerable workers. It specifically identifies data labeling, model training, content moderation, resource extraction, and trafficking-enabled misuse of digital platforms as part of the moral challenge of AI (Magnifica Humanitas, ¶173).

For compliance professionals, the lesson is straightforward. AI supply chain risk should be folded into third-party risk management and human rights due diligence. The company should not assume that because an AI provider has a sophisticated interface, the underlying chain is clean. Procurement and compliance should ask who performs outsourced labeling, testing, moderation, data enrichment, and support work. They should assess whether workers are paid fairly, protected from exposure to harmful content, free from coercion, and supported by appropriate safeguards.

This is especially important where vendors rely on lower-cost labor markets, opaque subcontracting, high-volume content review, or resource extraction. The issue is not whether every AI vendor is high risk. The issue is whether the company has a defensible process to identify which vendors, services, geographies, and labor practices require enhanced review.

The Encyclical makes this corporate obligation unusually concrete: supply chains underpinning the technology industry and digital economy should become more transparent; companies and investors should adopt clear due diligence criteria; and digital platforms should cooperate to prevent communication, payment, and profiling tools from becoming channels for recruitment and control of victims (Magnifica Humanitas, ¶179). A modern AI third-party program should therefore include labor and human rights due diligence at onboarding, contractual commitments, audit rights, subcontractor approval rights, certifications, incident reporting, and ongoing monitoring.

Frameworks for Governing the Human Supply Chain

NIST and ISO/IEC provide a practical structure for this work. NIST’s Generative AI Profile calls for acceptable use policies that address proprietary and open-source AI technologies, data, contractors, consultants, and other third-party personnel. It also identifies the need to document generative AI value-chain risks, plan for failures or incidents involving third-party data or systems, and continuously monitor third-party AI systems in deployment.

ISO/IEC 42001 provides a management-system approach for organizations that develop, provide, or use AI-based products or services. It supplies the governance discipline compliance professionals understand: policy, roles, risk assessment, controls, monitoring, performance evaluation, corrective action, and continual improvement.

COSO adds the internal controls discipline. COSO’s GenAI guidance emphasizes that generative AI is moving into operations and boardrooms faster than traditional governance models anticipated, and that risks such as cyber exposure, prompt manipulation, opaque reasoning, model drift, and configuration changes can jeopardize operations, reporting, and compliance if not addressed through robust internal controls.

Together, these frameworks point to the same conclusion. AI supply chain governance must be documented, controlled, monitored, tested, and improved.

Board Oversight: The Human Cost Must Be Visible

Boards do not need to manage AI vendors. They do need to oversee the systems management uses to identify, assess, monitor, and remediate material AI risks. Under Caremark principles, directors must make a good-faith effort to oversee company operations. The board’s obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability and due diligence mandate.

For AI, the board should ask whether management has visibility into the human supply chain. Which AI vendors are critical? Which tools affect employees, customers, suppliers, or compliance decisions? Which vendors use subcontractors? Which AI tools rely on sensitive data? What labor and human rights risks have been identified? What workforce impacts are expected? What retraining is planned? What AI-related incidents have occurred? What open remediation items remain?

Magnifica Humanitas closes this portion of its analysis with a shared responsibility principle: innovation must be guided by institutions, businesses, intermediary organizations, educational communities, and citizens so that it serves integral human development rather than becoming a source of exclusion and dominance (Magnifica Humanitas, ¶180-181). The board failure will not be that the directors did not understand every model parameter. The failure will be that they did not ask whether management has a reasonable system to govern AI’s human, third-party, and supply chain impacts.

5 Lessons for the CCO

  1. Map the human supply chain. The company should know the vendors, subcontractors, data sources, infrastructure providers, and outsourced labor that support material AI tools.
  2. Treat high-impact AI vendors as high-risk third parties. AI vendors that touch sensitive data, support consequential decisions, or affect compliance processes require enhanced due diligence, contractual protections, and ongoing monitoring.
  3. Build human rights and modern slavery risk into AI due diligence. Vendor reviews should address labor practices, subcontractors, content moderation, data labeling, resource extraction, worker protections, and geographic risk.
  4. Govern workforce transformation. AI adoption should include training, retraining, human review, transparency, privacy protections, bias testing, and speak-up channels for employee concerns.
  5. Report evidence to the board. Boards need visibility into AI vendor risk, workforce impact, supply chain exposure, incidents, remediation, and control testing.

Conclusion: From Babel to Responsible Reconstruction

The AI age will reward companies that innovate. But it will also test whether those companies can govern innovation with discipline, transparency, responsibility, and human primacy. The lesson of Magnifica Humanitas is that AI must remain at the service of the human person. That includes the employee whose job is changing, the worker hidden in the supply chain, the community affected by resource extraction, the customer subject to an automated decision, and the board charged with oversight.

This five-part series began with the Tower of Babel and the boardroom. Babel was power without humility. Nehemiah was rebuilding with responsibility. For the modern compliance professional, that is the AI governance choice. Pope Leo frames the alternative as progress that serves people or progress that subjects them to the mentality of power (Magnifica Humanitas, ¶129). We can allow AI to grow through hidden use, opaque vendors, weak controls, synthetic trust, and invisible human cost. Or we can build an AI governance program grounded in risk assessment, controls, accountability, transparency, human review, third-party diligence, workforce care, and board reporting.

The next step is to convert these five lessons into a practical board-ready AI governance checklist. That checklist should give directors, CCOs, general counsel, audit leaders, risk leaders, and CEOs a structured way to ask the right questions, demand the right evidence, and govern AI before AI governs the enterprise.


From the Tower of Babel to the Boardroom: Part 1 – Governing AI

Artificial intelligence is no longer a future issue for boards, CEOs, general counsel, chief compliance officers, audit leaders, or risk professionals. It is already inside the enterprise. It is in employee workflows, vendor platforms, data analytics, customer engagement, monitoring tools, investigations support, training design, due diligence, and decision-making processes. The compliance question is no longer whether the company will use AI. The real question is whether the company will govern AI before AI becomes embedded into the business without accountability, transparency, controls, or human judgment.

That is the danger of the modern Tower of Babel. Babel was not a failure of engineering. It was a failure of purpose, humility, and governance. It was a project built on power without accountability and ambition without restraint. For modern corporations, ungoverned AI can become a similar project. It may promise efficiency, scale, speed, and competitive advantage. Yet without proper governance, it can also produce bias, opacity, data misuse, weakened accountability, employee overreliance, vendor risk, and board blind spots.

What Is Magnifica Humanitas?

Magnifica Humanitas is an Encyclical Letter issued by Pope Leo XIV on May 15, 2026, titled “On Safeguarding the Human Person in the Time of Artificial Intelligence” (Magnifica Humanitas herein). The document places AI within the long tradition of Catholic social teaching and asks how humanity should respond to the “new things” of the digital age. Pope Leo frames AI not as a narrow technology issue but as a profound question about human dignity, work, truth, freedom, power, data, social justice, and the common good. The letter opens with two biblical images, the Tower of Babel and the rebuilding of Jerusalem under Nehemiah, to present the central choice of the AI age: will we construct systems of domination, or will we build communities of shared responsibility? (Magnifica Humanitas, paras. 1, 7-10).

The significance of Pope Leo issuing Magnifica Humanitas is that he places AI in the same broad moral and social category as prior industrial and economic disruptions. He expressly connects the document to the legacy of Pope Leo XIII and Rerum Novarum, the 1891 encyclical that responded to the labor, capital, and social disruptions of the industrial age. Pope Leo writes that digitalization, AI, and robotics are rapidly transforming the world, shaping decision-making and affecting both human dignity and the common good (Magnifica Humanitas, paras. 3-4). For this five-part series, we will use Magnifica Humanitas as the foundation for translating its core concepts into practical lessons for the modern compliance professional, the board, and the executive leadership team. This will not be a theological series. It will be a governance series. We will apply the moral force of the Encyclical Letter to compliance program design, board oversight, internal controls, data governance, third-party risk, workforce transformation, and corporate trust.

The Compliance Lesson of Babel

The Tower of Babel is a powerful compliance metaphor because it shows what happens when a project has capability but lacks discipline. Pope Leo describes Babel as an impressive feat with “a single language, a single technology, a single direction,” yet one that sacrificed human dignity for efficiency and sought power through self-sufficiency (Magnifica Humanitas, para. 7). In corporate language, Babel is the business transformation project that mistakes technical capability for good governance.

Pope Leo’s warning is direct: technology is never neutral because it takes on the characteristics of those who design, finance, regulate, and use it (Magnifica Humanitas, para. 9). That sentence should sit in every boardroom AI discussion. AI is not neutral in the compliance sense either. It reflects data, design, deployment, vendor, incentive, and governance choices. The first board question is therefore simple: What are we building?

Nehemiah as the Governance Model

If Babel is the warning, Nehemiah is the governance model. In Magnifica Humanitas, Pope Leo contrasts Babel with the rebuilding of Jerusalem. Nehemiah listens, inspects the damage, assigns responsibility, coordinates work, addresses opposition, and rebuilds section by section. The city is reborn through shared responsibility, not through the initiative of a single person (Magnifica Humanitas, para. 8).

That is the model compliance professionals should bring to AI governance. The CCO does not need to become a data scientist. The board does not need to manage model architecture. But the organization needs a disciplined governance structure that brings together compliance, legal, privacy, cybersecurity, IT, HR, internal audit, procurement, finance, and the business. AI governance cannot sit in a silo. It must be cross-functional because AI risk is cross-functional.

For compliance, that means asking practical questions. Where is AI being used? What problem is it solving? What data does it access? Who approved it? What risks were identified? What controls were designed? What human review is required? What could go wrong? How would we know? Who is accountable if the AI produces a harmful or unlawful result? Those are not anti-innovation questions. They are business discipline questions.

From Encyclical Principle to Corporate Governance Requirement

The bridge from Magnifica Humanitas to corporate governance is straightforward. Human dignity becomes a human impact assessment. The common good becomes enterprise risk governance and stakeholder impact. Subsidiarity becomes cross-functional governance, meaningful participation, and decision-making as close as possible to the affected process. Transparency becomes documentation, explainability, board reporting, and auditability. Accountability includes named owners, escalation rights, challenge mechanisms, and remediation.

Pope Leo makes this bridge explicit when he calls for responsible planning, human and social impact assessment, inclusion of the vulnerable, digital literacy, and guiding research and industry toward justice and peace (Magnifica Humanitas, para. 14). He also warns that control over platforms, infrastructure, data, and computing power can become opaque and evade oversight, producing dependency, exclusion, manipulation, and inequality (Magnifica Humanitas, para. 95). For the CCO and the board, that is the language of AI inventory, data governance, vendor management, access controls, model oversight, incident response, and internal audit testing. That is not only a moral framework. It is a corporate governance requirement.

AI Governance and the DOJ ECCP

The Department of Justice has already made AI a compliance program issue. The logic now runs together. Pope Leo provides the mandate for moral governance. The DOJ Evaluation of Corporate Compliance Programs (ECCP) supplies the compliance program test. The ECCP asks whether companies have a process for identifying and managing emerging risks, including risks related to new technologies such as AI; whether AI risk is integrated into enterprise risk management; how AI is governed in the business and in the compliance program; whether controls monitor trustworthiness and reliability; whether AI is limited to intended uses; what human decision-making baseline exists; how accountability is enforced; and how employees are trained.

That is a roadmap for the CCO. AI governance should be part of the compliance risk assessment. It should be reflected in policies and procedures. It should include training and communications. It should be monitored, audited, and improved. It should generate evidence. The company should be able to show not only that it has an AI policy but also that the policy has an operational effect. In other words, AI governance must move from aspiration to controls.

Board Oversight and Caremark

For boards, AI governance also raises Caremark oversight considerations. Directors are not expected to run the company’s AI systems. They are expected to make a good-faith effort to ensure that reasonable reporting and monitoring systems are in place for central compliance risks. In Marchand v. Barnhill (Blue Bell Ice Cream), the Delaware Supreme Court emphasized that boards must make a good-faith effort to put in place a reasonable board-level system of monitoring and reporting around central compliance risks.

The board obligation is not technical mastery. It is a reporting and monitoring system that shows management has responded to the Encyclical’s accountability mandate. If Pope Leo requires that responsibility be defined, decisions be justified, systems be monitored, harms be challenged, and errors be remedied (Magnifica Humanitas, para. 105), then the board must ask whether management has built a governance system capable of producing that evidence. The board does not need technical comfort. It needs governance confidence.

Human Primacy as a Control

One of the most important lessons from Magnifica Humanitas is that AI is a tool, not a moral actor. Pope Leo explains that AI systems may imitate language, analysis, behavior, and even empathy, but they do not possess lived experience, conscience, wisdom, moral responsibility, or the capacity to understand what they produce (Magnifica Humanitas, para. 99). That matters deeply when AI affects employment, reputation, access, rights, opportunities, or treatment.

For compliance professionals, human primacy must be designed into AI governance. Human review is not a bureaucratic obstacle. It is a control. Pope Leo warns that sensitive decisions concerning employment, credit, access to services, and reputational risk are being delegated to automated systems that lack compassion, mercy, forgiveness, or the hope that people can change (Magnifica Humanitas, para. 102). The company should decide which AI outputs can be used automatically, which require review, which require escalation, and which uses should be prohibited altogether. The more consequential the decision, the stronger the human oversight must be.

5 Lessons for the CCO

  1. Treat AI as a human dignity and compliance risk. AI should be included in the compliance risk assessment, enterprise risk management process, and board reporting because it can affect rights, opportunities, status, freedom, privacy, and trust.
  2. Build an AI inventory because governance begins with visibility. The company cannot govern what it cannot see. The inventory should include business tools, vendor tools, embedded AI, compliance tools, and employee use of public AI.
  3. Require controls before scale because technology is never neutral. AI policies must be supported by approval processes, data controls, access controls, monitoring, testing, escalation, and remediation.
  4. Preserve human judgment because accountability cannot be outsourced. Human review should be required for high-risk and consequential decisions. Accountability must remain with people, not systems.
  5. Give the board evidence because governance requires reporting, monitoring, and remediation. Boards need dashboards, metrics, incident reporting, audit findings, risk rankings, and documentation that AI governance is working.

Conclusion: From Babel to Compliance Program Design

The lesson of Babel is not that building is wrong. The lesson is that building without humility, accountability, and purpose leads to fracture. AI is here to stay, and compliance professionals should embrace its promise. AI can improve monitoring, strengthen risk analysis, support investigations, enhance training, and identify patterns that humans might miss. But it must be governed with vigilance, responsibility, transparency, and human primacy.

Magnifica Humanitas gives us the mandate for moral governance. The ECCP gives us the compliance program questions. Caremark gives boards the oversight framework. Together, they point to the same conclusion: AI governance must be built before AI risk becomes unmanageable.

In the next post, we will move from principle to program design. We will examine why AI governance is a compliance program issue, how the CCO should help structure AI oversight, and how compliance can use AI responsibly while governing the risks AI creates.

Categories
Blog

The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 4: Animal as Chief Operating Risk Officer: Managing Chaos Before Chaos Manages You

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. Today, we conclude by looking at the Animal problem. This series has used the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance, measured against the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every organization has an Animal. Sometimes it is a person. Sometimes it is a business unit. Sometimes it is a revenue stream so profitable that leadership stops asking difficult questions. But every organization eventually encounters a force that is energetic, productive, volatile, difficult to control, and capable of creating enormous operational damage if left unmanaged. That is Animal.

As Chief Operating Risk Officer, Animal represents a truth many organizations struggle to confront: the greatest operational risks are often tolerated because they generate short-term success. Animal is loud, destructive, impulsive, emotional, and frequently one bad day away from catastrophe. Yet he is also highly effective in the environment for which he was designed. He brings energy, intensity, speed, and momentum.

The problem is not that Animal exists. The problem is when the organization mistakes unmanaged volatility for sustainable performance. That is where compliance, governance, and operational discipline become critical.

Operational Risk Rarely Arrives Quietly

One of the most dangerous assumptions organizations make is that operational failure arrives gradually and predictably. Often, it does not. Operational breakdowns tend to emerge after warning signs have already been normalized:

  • repeated policy exceptions,
  • constant escalation failures,
  • excessive workload pressure,
  • ignored complaints,
  • control fatigue,
  • unmanaged third parties, and
  • high-performing employees who are allowed to operate outside established expectations.

Animal embodies this normalization problem perfectly. Everyone knows he is dangerous. Everyone knows he is unpredictable. Everyone knows he creates operational instability. Yet the organization repeatedly tolerates the behavior because the show benefits from his energy. This is how many operational crises develop in real organizations. The issue is rarely ignorance. The issue is tolerance.

The Compliance Challenge of High-Performing Risk Creators

One of the DOJ’s most important compliance questions is whether organizations apply discipline consistently, regardless of title, status, or revenue generation. That sounds straightforward. In practice, it is extraordinarily difficult. Organizations routinely create informal exceptions for:

  • top producers,
  • senior executives,
  • innovative teams,
  • politically connected employees, and
  • operational leaders who are perceived as indispensable.

Animal represents this exact governance problem. A mature compliance program recognizes that unmanaged high performers create enterprise risk because they gradually teach the organization that controls are optional for the “right” people. Once that message spreads, culture deteriorates quickly. Employees notice:

  • who gets exceptions,
  • whose misconduct is ignored,
  • whose violations are minimized, and
  • whether leadership consistently enforces standards.

That is why operational risk is deeply connected to culture. Operational instability rarely begins with a single process failure. It usually begins with accountability failure.

Animal and the Failure of Escalation

Perhaps the most dangerous thing about Animal is not his volatility. It is that the organization tends to underestimate the seriousness of the risk until after damage occurs. This reflects a common corporate governance problem: escalation fatigue. Over time, organizations become accustomed to recurring dysfunction:

  • “That is just how he operates.”
  • “That team is always difficult.”
  • “They are under pressure.”
  • “The business results justify the headaches.”
  • “We can manage around it.”

Those statements are operational-risk warning signs. A mature compliance program must create escalation structures capable of identifying:

  • repeated near misses,
  • recurring control failures,
  • cultural deterioration,
  • operational shortcuts, and
  • conduct risks before they evolve into crises.

Animal should not require an explosion before leadership intervenes. Unfortunately, many organizations wait for exactly that moment.

Root Cause Analysis Matters

When operational failures occur, organizations often focus immediately on the visible event:

  • the failed transaction,
  • the misconduct,
  • the regulatory inquiry,
  • the system failure, or
  • the public embarrassment.

But effective governance requires deeper analysis. The ECCP specifically emphasizes root cause analysis because sustainable remediation depends on understanding why the failure occurred in the first place. With Animal, the obvious answer might be: “Animal lost control.”

But the real questions are:

  • Why was the risk tolerated repeatedly?
  • Why were escalation signals ignored?
  • Why were controls insufficient?
  • Why did leadership normalize the volatility?
  • Why were prior incidents dismissed as isolated?

Those questions move the organization from blame to governance. A mature compliance function should always ask whether operational failure reflects:

  • incentive problems,
  • leadership failures,
  • staffing pressures,
  • inadequate oversight,
  • resource constraints, or
  • cultural normalization of misconduct.

Without root cause analysis, organizations simply reset the stage for the next crisis.

Speak-Up Culture and Operational Risk

Animal also highlights the importance of a culture of speaking up. In many organizations, employees recognize operational risk long before leadership does. The problem is that employees often conclude:

  • raising concerns changes nothing,
  • leadership already knows,
  • retaliation risk is too high,
  • or operational pressure outweighs ethical concerns.

That silence becomes dangerous. The DOJ increasingly expects organizations to maintain effective reporting channels, anti-retaliation protections, and meaningful investigative response mechanisms. But a speak-up culture is not merely a hotline issue. It is a credibility issue. Employees must believe:

  • concerns will be heard,
  • escalation will occur,
  • retaliation will not be tolerated,
  • and leadership is willing to intervene even when operational performance is affected.

In Animal’s world, the organization often appears resigned to the chaos. That resignation is itself a governance failure.

Crisis Management Is a Governance Discipline

Animal is also a reminder that crisis management is not public relations. It is governance under pressure. Operational crises test:

  • leadership credibility,
  • escalation systems,
  • internal communication,
  • decision-making discipline,
  • documentation quality, and
  • organizational resilience.

Strong organizations prepare for operational disruption before it occurs. That means:

  • crisis-management protocols,
  • escalation matrices,
  • tabletop exercises,
  • communication plans,
  • cross-functional coordination, and
  • clear authority structures.

Animal should never be the organization’s first operational surprise.

Yet many companies operate as though volatility itself is unpredictable when, in reality, warning signs existed for months or years. The question is whether leadership chose to recognize them.

Control Fatigue Is Real

One of the most overlooked operational risks is control fatigue. When organizations operate under constant pressure, employees gradually begin bypassing safeguards:

  • approvals become rushed,
  • documentation becomes incomplete,
  • exceptions become routine,
  • monitoring weakens,
  • and oversight becomes reactive instead of preventive.

Animal accelerates this dynamic because his operational style rewards speed and intensity over discipline and sustainability. That creates a dangerous cycle:

  1. pressure increases,
  2. controls weaken,
  3. near misses increase,
  4. normalization expands, and
  5. eventually failure becomes inevitable.

A mature compliance program continuously monitors for this pattern because operational collapse rarely occurs without warning.

5 Key Takeaways for the Compliance Professional

1. Operational risk is often tolerated because it produces results.

Organizations must resist creating informal exceptions for high-performing but destabilizing individuals or business units.

2. Escalation failures are early warning signs.

Repeated policy exceptions, ignored concerns, and normalized dysfunction frequently precede major operational breakdowns.

3. Root cause analysis is essential for sustainable remediation.

Organizations should investigate not only what failed, but why leadership and controls allowed the failure to persist.

4. Speak-up culture directly affects operational resilience.

Employees must trust that concerns will be heard, investigated, and acted upon without retaliation.

5. Crisis management is a governance function.

Effective organizations prepare for operational disruption through planning, escalation structures, monitoring, and cross-functional coordination.

The Final Governance Lesson

Across this series, Kermit, Piggy, Gonzo, and Animal together represent the four forces constantly shaping corporate governance:

  • leadership,
  • reputation,
  • innovation,
  • and operational risk.

The lesson is not that organizations should eliminate strong personalities, ambition, experimentation, or intensity. The lesson is that mature governance recognizes these forces early and builds systems capable of channeling them responsibly.

Kermit provides stability.

Piggy creates visibility.

Gonzo drives innovation.

Animal tests the strength of operational controls.

Every organization contains all four. The real question for compliance professionals is whether the governance structure is strong enough to keep the theater standing when all four are operating at the same time. Because eventually, they will be.

Long Live The Muppets

Categories
Blog

The Culture Builder’s Trilogy: Part 3 – The Art of Celebration: What Compliance Chooses to Honor Becomes Culture

Ed. Note: We conclude our three-part blog post series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

The final book in Hemma Lomax and Ashley Dubriwny’s trilogy, The Art of Celebration, completes the arc. Ideation imagines what is possible. Implementation gives that possibility form. Celebration sustains the culture by recognizing what matters, reinforcing what works, and creating the memory that carries the organization forward.

For compliance professionals, celebration may sound like the least obvious compliance discipline. That would be a mistake. The authors make clear that celebration is not decorative. It is strategic. It is a feedback system. It teaches people what the culture values. It turns behaviors into norms and norms into identity. The compliance lesson is profound: what the organization celebrates, it multiplies.

Lesson One: Recognition Is a Control Signal

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) focuses on incentives and consequences, providing compliance professionals with a regulatory rationale to take compliance seriously. The DOJ’s compensation and clawback Pilot Report states that prosecutors consider whether companies use positive incentives for ethical behavior and compliance leadership, whether compensation systems include compliance criteria, and whether companies penalize breaches of the compliance program.

That means recognition is not merely an HR activity. It is part of the control environment. When a company celebrates only sales growth, deal speed, cost reduction, or heroic problem-solving after avoidable chaos, employees learn what really matters. When a company celebrates employees who pause a transaction over a red flag, escalate a concern, improve a control, cooperate in an investigation, or protect a colleague from retaliation, employees learn a different lesson. The question for the CCO is not whether the company celebrates. Every company celebrates something. The question is whether those celebrations are aligned with the Code, controls, risk appetite, and ethical commitments.

Lesson Two: Celebration Can Strengthen Speak-Up Culture

The Art of Celebration explains that appreciation and recognition can foster conditions of trust, belonging, openness, and moral reasoning. The book ties celebration to the willingness to speak up, take healthy risks, protect colleagues, and choose integrity. This has direct compliance relevance. Employees do not report concerns simply because the hotline exists. They report when they believe the organization values truth over comfort. They report when managers respond with care. They report when prior reporters were not punished, isolated, or ignored.

Celebration can reinforce this. A company should not publicly identify confidential reporters, but it can celebrate the behavior of raising concerns, asking hard questions, and improving systems. It can share anonymized stories showing that reports led to meaningful improvements. It can recognize managers who receive concerns well. It can reward teams that identify and remediate control gaps before they become enforcement problems.

Lesson Three: Celebration Must Be Aligned, or It Becomes Dangerous

The authors are careful to address the shadow side of celebration. Misaligned recognition can distort culture. They cite examples where companies celebrated the wrong behaviors, including aggressive sales targets, engineering brilliance without ethical oversight, deal-making over transparency, speed over safety, and ambition over rigor.

This is where compliance professionals should pay close attention. Wells Fargo did not fail because it lacked stated values. It failed because its operating incentives and recognition systems pushed employees to open accounts at any cost. Boeing’s 737 MAX crisis offers another cautionary tale about what can happen when cost, schedule, and production pressure overwhelm engineering judgment and safety culture. Volkswagen shows the risk of celebrating technical performance while ethical guardrails lag. Celebration is therefore not harmless. It is a governance tool. If the company celebrates the wrong thing, it creates evidence of cultural misalignment. If it celebrates the right thing, it demonstrates culture in practice.

Lesson Four: Metrics of Morale Must Be Ethical

One of the most forward-looking sections of The Art of Celebration addresses the “metrics of morale.” The authors explore how organizations can use communications data, sentiment analysis, wearables, AI-assisted pattern recognition, and cultural dashboards to better understand trust, stress, belonging, and burnout. They also warn that these tools must be used as coaching systems, not surveillance systems. Participation should be voluntary, data should be aggregated, and insights should improve systems rather than punish individuals.

That is a critical lesson in AI governance. AI can help compliance detect cultural signals, emerging risks, retaliation patterns, training gaps, and control friction. But AI can also chill speech, invade privacy, amplify bias, or turn culture monitoring into employee surveillance. For CCOs, the right framework is clear. Use AI to improve governance, risk sensing, and employee support. Anchor it in transparency, purpose limitation, access controls, human review, and documented risk assessment. Align the work with NIST AI Risk Management Framework, ISO/IEC 42001, privacy principles, and the company’s own AI governance program.

Lesson Five: Rituals Preserve Culture Under Pressure

The book’s discussion of rituals is especially important for compliance. Rituals are repeated practices that teach a community what to remember. In compliance, rituals can include investigation debriefs, quarterly risk reviews, third-party red-flag meetings, manager speak-up moments, annual code refresh discussions, control-owner certifications, AI use reviews, and post-remediation lessons learned.

A ritual is stronger than a reminder. A reminder tells people to do something. A ritual teaches people who they are. This matters under pressure. When a quarter-end target is at risk, when a sales team faces a red flag, or when a senior leader wants to move quickly, the organization will not live up to the words in its code. It will fall to the level of its practiced rituals. If those rituals include escalation, challenge, documentation, and accountability, the culture has muscle memory.

Compliance Application

Celebration belongs in the compliance program because it helps answer one of the DOJ’s most important practical questions: Does the company incentivize compliance and ethical behavior in a meaningful way? The Criminal Division’s compensation pilot report states that companies that proactively design compensation systems to incentivize ethical behavior and that adopt company policies are better positioned to prevent misconduct, generate reports, address incidents before they escalate, and build a company-wide culture of compliance.

A mature compliance program should therefore examine recognition, promotion, compensation, awards, leadership messaging, and performance management as part of the control environment. The CCO should ask not only what misconduct is punished but also what integrity is honored.

CCO Questions

  • What behaviors does the company currently celebrate, formally and informally?
  • Do performance reviews, promotions, bonuses, and awards reflect ethical leadership and control ownership?
  • Are speak-up, cooperation, remediation, and control improvements recognized as business contributions?
  • Do we use cultural data and AI responsibly, or are we creating surveillance risk?
  • What rituals reinforce the compliance program under pressure?

Practical Takeaways

  1. Inventory what the company celebrates in awards, town halls, performance reviews, and leadership communications.
  2. Align recognition with the Code, internal controls, speak-up expectations, and risk management priorities.
  3. Create anonymized speak-up success stories that show reporting leads to improvement.
  4. Review incentive structures for misconduct risk and compliance-positive behaviors.
  5. Build compliance rituals that preserve culture: pre-mortems, post-investigation lessons learned, recognition of control owners, third-party red-flag reviews, and AI governance check-ins.

Conclusion: The Compliance Culture Builder’s Discipline

Taken together, Hemma Lomax and Ashley Dubriwny’s trilogy offers compliance professionals something more than a culture-building framework. It offers a practical operating model for program effectiveness. The Art of Ideation reminds us that compliance begins with better questions, deeper listening, and the courage to design around employees’ lived experiences. The Art of Implementation shows that even the best ideas fail unless they are operationalized through alignment, ownership, testing, adoption, and iteration. The Art of Celebration completes the cycle by showing that culture is sustained by what the organization chooses to recognize, repeat, and remember. This is the full arc of a mature compliance program: imagine wisely, execute consistently, and reinforce intentionally.

For the CCO, the message is clear. Culture is not an abstraction, and it is not a slogan. It is built through the systems employees use, the controls they trust, the concerns they feel safe raising, the incentives they see rewarded, the investigations they experience as fair, and the stories leaders choose to elevate. The DOJ’s ECCP asks whether a compliance program is well designed, adequately resourced, empowered to function, and working in practice. This trilogy gives compliance professionals a human-centered way to answer those questions with evidence. Ideation creates the insight. Implementation creates the operating discipline. Celebration creates the cultural memory.

The larger lesson is that compliance professionals are not simply policy owners, trainers, investigators, or risk managers. They are culture builders. They help organizations decide what matters, operationalize those commitments, and ensure they endure under pressure. In an era of AI governance, third-party complexity, speak-up expectations, incentive scrutiny, and board oversight, this work is more important than ever. The compliance programs that will matter most are not the ones with the most polished documents. They are the ones where employees know how to act, leaders know what to reinforce, controls work in practice, and the organization honors integrity as a business discipline.

That is the power of the trilogy. It takes us from possibility to practice to permanence. It reminds us that compliance effectiveness is not created in a single policy rollout, annual training event, or investigation report. It is created over time through disciplined attention to what people need, how work happens, and what the organization chooses to celebrate. For the modern compliance professional, this is both the challenge and the opportunity: to build a culture where ethics is not episodic, controls are not ornamental, and integrity is not merely stated. It is lived, reinforced, and carried forward.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The DOJ Trainwreck and the Rising Risk Calculus for Compliance and Self-Disclosure

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss how internal dysfunction at the U.S. Department of Justice is creating uncertainty for corporate compliance teams and corporations more generally.

They focus on a reported turf battle between the long-standing Fraud Section in the Criminal Division, established in 1955 and central to FCPA enforcement and compliance guidance, and a newly created national Fraud Division, which was initially framed as targeting government benefits fraud. They argue the reorganization could drain expertise, reduce future DOJ guidance, and distort enforcement into politically selective actions, citing IBM’s $17 million settlement and an EEOC case involving The New York Times and Smartmatic’s experience. They also highlight DOJ staffing losses, with a net 20% fewer lawyers, loss of experienced attorneys, and reliance on inexperienced hires and bonuses, and warn that the volatility may chill voluntary self-disclosure despite DOJ messaging encouraging it.

Key highlights:

  • DOJ Train Wreck Overview
  • Fraud Section vs Fraud Division
  • Political Enforcement Reality
  • Self-Disclosure Gets Riskier
  • What Companies Should Do Now

Resources:

  • Matt on Radical Compliance
  • Tom on Instagram, Facebook, YouTube, Twitter, and LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

The Culture Builder’s Trilogy: Part 2 – The Art of Implementation: Where Compliance Culture Lives or Dies

Ed. Note: We are in the midst of a three-part blog post series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

If The Art of Ideation is about imagining better compliance, The Art of Implementation is about making it real. Hemma Lomax and Ashley Dubriwny write that implementation is where culture lives or dies. That single sentence could serve as a mission statement for every Chief Compliance Officer.

Compliance professionals know this problem well. A program can include a strong code of conduct, a comprehensive policy inventory, a well-designed training calendar, a hotline, third-party procedures, and investigation protocols. Yet the DOJ does not ask whether a company has merely created compliance artifacts. It asks whether the program works in practice. It goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. That is why The Art of Implementation matters. It moves from aspiration to action. It asks how values become systems, how ideas become habits, and how culture becomes durable.

Lesson One: Mindset Before Method

The book begins with a critical insight: implementation begins with how you think. Lomax and Dubriwny identify four commitments of the culture builder’s mindset: empathy before enforcement, curiosity over control, influence rather than insistence, and legacy as a lens. For compliance professionals, this is not a rejection of enforcement. It is a recognition that enforcement without trust creates fear, not culture. A CCO must enforce standards, discipline misconduct, and protect the company. But a CCO must also understand why employees resist, where controls create friction, and how people make decisions under pressure.

This is the difference between a compliance function that says “no” and one that helps the business get to “yes, with controls.” The former may be respected in moments of crisis. The latter is trusted before the crisis arrives.

Lesson Two: Think, Build, Ship, Adopt, Tweak

One of the strongest frameworks in the book is the five forces of implementation: think, build, ship, see it adopted, and tweak. The model is practical and deeply consistent with the ECCP. “Think” means design the change with empathy. “Build” means operationalize the intention. “Ship” means start before every detail is perfect. “See it adopted” means embed the practice into the culture. “Tweak” means learn, adjust, and improve.

This is what compliance program effectiveness should look like. A CCO should not wait three years to discover that annual training did not change behavior. A third-party control should not remain unchanged after repeated red flags. An AI acceptable use policy should not sit static while employees quietly adopt new tools. A speak-up program should not wait for a scandal before testing whether employees trust it. The compliance application is straightforward. Build compliance like a product. Test. Measure. Listen. Improve.

Lesson Three: Alignment Accelerates Implementation

The book’s discussion of alignment is essential for compliance. Lomax and Dubriwny use Ocean’s Eleven as a cultural reference point. The plan works not because one person is brilliant, but because purpose, people, and process are aligned. Implementation fails when a good idea lacks the right coalition, operational fit, or timing.

This is a core challenge for the CCO. Compliance cannot implement an effective third-party program without the support of procurement, finance, legal, sales, audit, and business leadership. Compliance cannot govern AI without IT, data science, privacy, cybersecurity, HR, legal, and business users. Compliance cannot build a speak-up culture without managers. Stakeholder mapping is therefore not an administrative exercise. It is a governance control. It identifies who can accelerate the initiative, who can block it, who must own it, and who must maintain it after launch.

Lesson Four: Find Failure First

The pre-mortem section of The Art of Implementation is one of the most useful tools for compliance professionals. The authors ask teams to imagine that an initiative has failed and then work backward to identify why. This is precisely how CCOs should approach major program changes. Before launching a new hotline platform, ask why employees might still avoid reporting. Before deploying AI-assisted monitoring, ask about potential privacy, bias, transparency, and explainability concerns. Before rolling out a third-party due diligence platform, ask why business teams might work around it. Before redesigning incentives, ask what unintended behaviors the new metrics could create.

Pre-mortems are internal controls in action. They force the organization to identify failure modes before the market, the regulator, the whistleblower, or the plaintiff does. They can be and are a powerful tool at your disposal as a CCO or compliance professional.

Lesson Five: Movements Beat Mandates

A particularly powerful theme in the book is the distinction between mandates and movements. Mandates may produce obedience. Movements produce ownership. For compliance professionals, this is a critical distinction.

The Wells Fargo fake sales scandal remains a cautionary tale about mandates, metrics, and fear-based performance pressure. Employees may comply with the apparent demand for results while violating the organization’s deeper values. That is why incentives matter. The DOJ has emphasized that companies should use both incentives and consequences to promote compliance. Its compensation and clawback pilot report states that affirmative metrics and benchmarks can reward compliance-promoting behavior and that financial penalties can deter risky behavior.

This is where compliance culture becomes real. Employees need to see that ethical leadership, controlled discipline, speaking up, and responsible business performance are recognized, promoted, and rewarded. They also need to see that misconduct, retaliation, and willful blindness have consequences.

Compliance Application

The CCO’s implementation challenge is to convert program design into operational evidence. That evidence includes adoption data, control testing, investigation metrics, remediation tracking, third-party monitoring, AI use inventories, exception reporting, and incentive alignment. Implementation also requires courage. A CCO must be willing to ship pilots, gather feedback, and make changes. The compliance function must stop equating launch with success. Launch is the beginning. Adoption, evidence, and improvement are the proof.

CCO Questions

  • Which compliance initiatives have been launched but not adopted?
  • Do we have stakeholder maps for our most important compliance priorities?
  • Are we running pre-mortems before major program changes, including AI governance, third-party risk, speak-up enhancements, and incentive redesign?
  • Do our incentives reward ethical behavior, control ownership, and transparency?
  • What compliance practices would continue if the current CCO left tomorrow?

Practical Takeaways

  1. Identify one compliance initiative that stalled and run a pre-mortem on why it failed.
  2. Build a stakeholder map for AI governance or third-party risk.
  3. Convert one compliance aspiration into a measurable operating practice.
  4. Review incentives and promotion criteria for compliance signals.
  5. Treat implementation as the evidence layer of the compliance program. Regulators do not reward intentions. They evaluate what works.

Implementation is where compliance culture is tested. It is where the organization discovers whether its ideas can survive business pressure, competing priorities, operational friction, and human resistance. Yet even the best-implemented program must still be sustained. Controls must be reinforced. Speak-ups must be protected. Ethical behavior must be recognized. Employees should see that integrity, not just performance, is valued by the organization. That is the work of the third book in the trilogy, The Art of Celebration.

Join us tomorrow for Part 3, where we will turn to celebration as a compliance discipline and explore how recognition, incentives, rituals, morale metrics, and cultural memory shape what employees believe the company truly values.


The Culture Builder’s Trilogy: Part 1 – The Art of Ideation: Compliance Begins with Better Questions

Ed. Note: over the next three blog posts, I will be running a short series on three recent books by Hemma Lomax and Ashley Dubriwny. They are The Art of Ideation, The Art of Celebration, and The Art of Implementation.

Hemma Lomax and Ashley Dubriwny’s The Art of Ideation is, on one level, a practical guide for culture builders. On another level, it is a challenge to compliance professionals: stop treating compliance as a function that merely publishes rules, delivers training, and waits for reports. Start treating compliance as a discipline of curiosity, engagement, design, and shared intelligence.

The book begins with a simple but powerful premise. Culture builders need ideas, but more importantly, they need the skill to generate better ideas through peer ideation, storytelling, and crowdsourcing intelligence. Lomax and Dubriwny describe the spark that came from compliance professionals exchanging creative approaches at a conference table and then ask why that energy should be limited to a once-a-year event. Their answer is to make ideation intentional, repeatable, and community-based.

For compliance professionals, this is not a soft concept. It goes directly to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). The ECCP continues to ask whether a program is well-designed, adequately resourced, empowered to function effectively, and working in practice. The compliance lesson from The Art of Ideation is clear: a program that does not ask better questions will not get better answers.

Lesson One: Know Your Audience Before You Design the Control

One of the book’s strongest lessons comes from the São Paulo story. Hemma arrives in Brazil to speak to more than 200 sales executives. Rather than deliver a generic compliance presentation, she uses images and experiences from the city itself to connect with the local audience. The lesson is not simply that visuals work. The deeper lesson is that compliance must demonstrate cultural awareness before it asks for behavioral change.

Too many compliance programs are still designed from the top down. Policies are written in legal language. Training is translated late, if at all. Hotline posters are displayed in areas where employees do not work. Codes of Conduct speak to an imagined employee rather than the actual workforce.

The ECCP lens is unforgiving here. A risk-based program must be tailored to the company’s risk profile, business model, workforce, geography, and operations. If field employees, sales teams, or third-party-facing personnel cannot access guidance in the moment of need, the control may exist on paper but fail in practice.

Lesson Two: Storytelling Is a Control Enhancement

Dubriwny’s discussion of training emphasizes that facts alone rarely change behavior. Stories create context, emotion, and recall. In compliance, that matters because most misconduct does not arise from someone misunderstanding a policy title. It arises in moments of pressure, ambiguity, fear, loyalty, or perceived business necessity. A good compliance story can show what a conflict of interest feels like. It can show why a facilitation payment creates risk. It can show how retaliation begins quietly. It can show a manager what it means to receive a concern well.

This is especially important for a culture of speaking up. Employees do not speak up because a poster says they can. They speak up because they believe the organization will listen, protect them, and act. The Art of Ideation repeatedly returns to the need to meet people where they are, involve them, and design engagement pathways that feel safe. That maps directly onto the ECCP’s focus on confidential reporting, anti-retaliation, and investigation processes, as well as employees’ trust in those systems.

Lesson Three: The Code of Conduct Should Be Designed to Work

The book’s chapter on Codes of Conduct is especially useful for CCOs. It asks whether the Code is an external artifact, a regulatory box-checking document, or a decision-making tool for employees. The answer should be all of the above, but the priority must be the employee user. That is a powerful compliance point. A code should not merely state values. It should operationalize them. It should be accessible, visually clear, mobile-friendly, translated appropriately, and supported by examples that reflect real roles, geographies, and pressures. The authors argue that a Code should be co-created, tested, and designed so people can see themselves in it.

This has implications for internal controls. A policy no one reads is not a meaningful control. A code no one uses is not a cultural anchor. A decision tree that helps an employee escalate a third-party red flag is more valuable than a beautifully written paragraph no one remembers.

Lesson Four: Crowdsourcing Risk Intelligence Is Compliance Modernization

Perhaps the most compliance-relevant section of the book is the discussion of crowdsourcing intelligence. Lomax and Dubriwny argue that leadership does not have a monopoly on the perspectives needed to identify risk. Employees across functions, geographies, and levels see vulnerabilities long before they appear in formal reporting channels. This is exactly where modern compliance must go. Annual risk assessments remain useful, but they are not enough on their own. A CCO needs real-time, near-real-time, and frontline input. This includes surveys, focus groups, collaboration tools, investigation themes, hotline trends, third-party feedback, and data analytics.

AI governance fits here as well. The book encourages responsible experimentation with AI, including using AI to make policies more accessible, generate first drafts, synthesize information, and provide decision-useful guidance. In compliance terms, AI should not be a gimmick. It should be governed, risk-assessed, monitored, and used to improve the employee experience.

Compliance Application

For the compliance professional, ideation is not brainstorming for its own sake. It is how the CCO identifies gaps, improves controls, tests training, strengthens speak-up systems, modernizes the Code, and uses AI responsibly. It is how compliance moves from headquarters’ assumptions to operational intelligence.

The lesson is also relevant to investigations. The book’s discussion of investigations emphasizes empathy, transparency, gratitude toward participants, and learning from the process. That is an important reminder that investigations are not simply fact-finding exercises. They are moments when employees decide whether the compliance function is credible.

CCO Questions

  • Does our compliance function know how employees actually experience our Code, training, reporting channels, investigation process, and third-party controls?
  • Are we using peer ideation, frontline feedback, and cross-functional input to improve the program?
  • Where are we still relying on headquarters assumptions rather than operational evidence?
  • How are we using AI to improve accessibility, consistency, risk sensing, and employee guidance without weakening confidentiality, privacy, or human judgment?

Practical Takeaways

  1. Redesign one compliance communication from the user’s perspective. Make it shorter, clearer, more accessible, and easier to act on.
  2. Create an ideation circle around one major compliance risk, such as third-party due diligence, gifts and entertainment, speaking up, or AI use.
  3. Test your Code of Conduct with employees from different geographies and functions before the next refresh.
  4. Add crowdsourced risk intelligence to your risk assessment process.
  5. Treat ideation as a compliance control. Better questions produce better evidence, and better evidence produces a more effective program.

Ideation is where the compliance professional begins to see what is possible. It gives the CCO better questions, stronger engagement, richer risk intelligence, and a more human understanding of how employees experience the program. But ideas alone do not create culture. A redesigned code, a better speak-up message, a sharper AI policy, or a new third-party risk insight only matters if it moves from concept to practice. That is where the second book in the trilogy, The Art of Implementation, takes us next.

Join us tomorrow in Part 2, where we will examine how compliance professionals turn good ideas into operating discipline through alignment, stakeholder ownership, pre-mortems, adoption, incentives, and the hard work of making values real inside the business.