Tag: ECCP

Categories
Blog

From Enforcement-Driven to Purpose-Driven Compliance

For more than two decades, corporate compliance programs have been built around one central organizing principle: enforcement. Where regulators go, compliance resources follow. When the Department of Justice prioritizes anticorruption, companies invest in FCPA controls. When regulators turn to privacy, cybersecurity, or AML, compliance budgets pivot accordingly. This enforcement-driven approach has shaped the modern compliance profession.

Yet, as Veronica Root Martinez persuasively argues in her recent working paper, Purpose-Driven Compliance, this dominant model may be fundamentally flawed, certainly in the era of Trump.  Despite unprecedented investments in compliance infrastructure, corporate misconduct persists. Repeat offenders remain common. Penalties grew larger, but behavior did not meaningfully improve. For compliance professionals, this raises an uncomfortable question: are we optimizing for the wrong objective?

Martinez’s answer is both challenging and clarifying. Compliance programs should not be primarily designed to satisfy enforcement authorities or to maximize mitigation credit after failure. Instead, they should be anchored in the organization’s own purpose, business risks, and ethical standards. In short, it is time to move from enforcement-driven compliance to purpose-driven compliance.

The Limits of Enforcement-Driven Compliance

The enforcement-driven model rests on two assumptions. First, that enforcement priorities reflect a company’s most significant risks. Second, that imperfect compliance is inevitable and acceptable so long as the organization can demonstrate good-faith efforts. Martinez brings both under scrutiny.

Regulatory priorities often lag behind real business risks. Enforcement agencies focus on certain categories of misconduct because they are visible, politically salient, or historically entrenched. But the risks that most threaten an organization’s mission may lie elsewhere. Martinez highlights how firms can become over-invested in compliance areas that attract enforcement attention while under-investing in mission-critical risks to their operations.

The second assumption, that some level of misconduct is acceptable, is even more troubling. Behavioral ethics research suggests that tolerating small violations creates conditions for larger ones. When leaders frame misconduct as statistically insignificant or “within expectations,” they risk normalizing behavior that undermines culture, trust, and ultimately performance. Wells Fargo’s infamous “1% problem” illustrates this danger. Senior leadership took comfort in the idea that only a small fraction of employees were engaging in misconduct, failing to appreciate that those numbers reflected only the misconduct that had been detected.

An enforcement-driven mindset encourages this type of thinking. If the organization is sanctioned, then low detection rates look like success. But if the question is whether the organization is living up to its own purpose and values, the same data tell a very different story. This is not the broken windows theory of enforcement, but something else.

The Cost of Treating Compliance as a Cost of Doing Business

Another weakness of enforcement-driven compliance is that it can turn sanctions into a predictable line item. As firms grow larger and penalties are discounted through cooperation credit, fines risk being internalized as a cost of doing business. Empirical work cited by Martinez suggests that large, repeat offenders often pay penalties that are small relative to their assets and revenues. In that environment, enforcement loses much of its deterrent effect.

For compliance professionals, this dynamic creates a structural tension. Programs may be technically “effective” under DOJ guidance while still failing to prevent misconduct that harms customers, employees, and communities. The distinction between standards of review and standards of conduct becomes critical. Meeting the government’s expectations for leniency is not the same as meeting the organization’s ethical obligations to itself and its stakeholders.

What Is Purpose-Driven Compliance?

Purpose-driven compliance begins with a simple but powerful shift in perspective. Instead of asking, “What does the regulator expect?” the organization asks, “What risks threaten our ability to achieve our purpose and what standards of conduct are required to address them?” Martinez defines purpose-driven compliance as programs directed by three elements: the firm’s purpose, the inherent risks associated with pursuing that purpose, and the ethical standards the organization sets for itself. This approach does not reject enforcement frameworks; rather, it treats them as a floor, not a ceiling.

In practical terms, purpose-driven compliance requires leadership to articulate why the organization exists and how misconduct undermines that mission. For a bank, this may mean focusing on customer trust and market integrity. For a pharmaceutical company, it may mean prioritizing patient safety and scientific integrity. For a university, it may mean safeguarding academic freedom and institutional trust. For a summer camp, it means protecting the campers from flash floods and other storms.

Once the purpose is clearly defined, compliance risk assessments become more meaningful. Risks are evaluated not only by enforcement exposure but by their potential to compromise the organization’s core objectives. This reframing helps compliance leaders resist the temptation to chase regulatory trends at the expense of mission-critical risks.

Moving Beyond Mitigation to Aspirational Standards

A key insight in Martinez’s work is that firms often confuse mitigation with excellence. Compliance programs are designed to minimize penalties rather than to maximize ethical performance. Purpose-driven compliance challenges that mindset by encouraging organizations to adopt high, ethical, and aspirational standards of conduct.

This does not mean pursuing perfection through draconian controls or internal criminalization. Martinez rightly warns against overdeterrence and strict liability regimes that incentivize concealment rather than transparency. Instead, purpose-driven compliance emphasizes ethical framing, employee voice, and organizational learning. Compliance should never be Dr. No, sitting in the Department of Business Non-Development.

The examples of Wells Fargo and Novartis are instructive. Both organizations suffered repeated compliance failures under enforcement-driven regimes. Their subsequent reforms went beyond addressing the specific violations that triggered enforcement. They re-examined culture, leadership incentives, and ethical expectations. In Novartis’s case, tying bonuses to ethical performance and co-creating a new code of ethics signaled a shift from box-checking to values anchored in purpose.

Why Purpose-Driven Compliance Matters for the Modern CCO

For today’s chief compliance officer, Martinez believes purpose-driven compliance offers three critical benefits.

First, it creates durability. Enforcement priorities shift with administrations. Indeed, this Administration has signaled a cutback in white-collar enforcement by offering essentially get-out-of-jail-free cards to companies that self-disclose early. This underscores the importance of compliance programs. A compliance program anchored solely in regulatory expectations will always be reactive. Purpose-driven programs are more stable because they are tied to the organization’s identity rather than external politics.

Second, it improves the quality of compliance metrics. Measuring effectiveness against internal standards allows organizations to ask harder questions about culture, decision-making, and root causes. Not every initiative will succeed, but a willingness to acknowledge failure is itself a sign of program maturity.

Third, it enhances credibility with boards and senior leadership. When compliance is framed as a strategic partner in achieving the organization’s mission, rather than as a defensive function, it earns a more meaningful seat at the table.

Conclusion

Compliance has never been more sophisticated, expensive, or visible. Yet sophistication alone does not guarantee effectiveness. Martinez’s Purpose-Driven Compliance challenges compliance professionals to rethink the foundations of their programs. Enforcement-driven compliance has taken us far, but it cannot take us far enough.

The next evolution of compliance requires organizations to define their own standards of conduct, grounded in purpose, risk, and ethics. That shift is not easy. It requires courage from compliance leaders and commitment from boards and executives. But if compliance is truly about preventing harm and sustaining trust, purpose-driven compliance is not optional. It is essential.

Categories
AI Today in 5

AI Today in 5: February 9, 2026, The AI Agents Doing Compliance Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. What to do when AI is forced on compliance. (CW)
  2. Napier AI/AML report is out. (FinTechGlobal)
  3. AI and the accountability gap. (FinTechGlobal)
  4. Where AI is tearing through corporate America. (WSJ)
  5. Goldman is letting AI Agents do compliance. (PYMNTS)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
Blog

From Principle to Proof: Operationalizing AI Governance Through the ECCP and NIST

Artificial intelligence governance has officially crossed the threshold from theory to expectation. The Department of Justice has not issued a standalone “AI rulebook,” but it has provided a framework for compliance professionals to consider the issue: the 2024 Evaluation of Corporate Compliance Programs (ECCP). In this version of the ECCP, the DOJ laid out guidance that any technology capable of creating material business risk must be governed, monitored, and improved like any other compliance risk. That includes artificial intelligence.

Too many organizations still treat AI governance as an ethics exercise, a technical problem, or a future concern. That posture is not defensible. The DOJ does not ask whether your program is fashionable or aspirational. It asks three very old-fashioned questions: Is your compliance program well designed? Is it applied in good faith? Does it work in practice? Those questions apply with full force to AI.

In this post, I want to move the discussion from abstract frameworks to operational reality. I will show how compliance professionals can use the ECCP to structure AI governance, select board-grade KPIs, and demonstrate effectiveness in a way regulators understand. I will also show how the NIST AI Risk Management Framework (NIST Framework) fits neatly underneath this structure as an operating model, not a competing philosophy.

AI Governance Is Already an ECCP Issue

The DOJ has repeatedly emphasized that compliance programs must evolve as business risks evolve. Artificial intelligence is not a future risk. It is already embedded in pricing, hiring, credit decisions, customer interactions, fraud detection, and third-party screening. If an AI model can influence revenue, customer outcomes, or regulatory exposure, it is a compliance risk. Period.

The ECCP does not require companies to eliminate risk. It requires them to identify, assess, manage, and learn from it. AI governance, therefore, belongs squarely inside the compliance program, not off to the side in an innovation lab or technology committee.

The ECCP as an AI Governance Blueprint

The power of the ECCP is its simplicity. Every enforcement action ultimately traces back to the same three questions. Let us apply them directly to AI.

Is the Program Well Designed?

Design begins with risk assessment. If your organization cannot answer a basic question such as “What AI systems do we have, who owns them, and what decisions they influence,” you do not have a program. You have hope. A well-designed AI compliance program starts with an AI asset inventory that identifies models, tools, vendors, and use cases. Each asset must be risk-classified based on business impact, regulatory exposure, and potential harm.

Board-level KPIs here are coverage metrics. How many AI assets have been identified? What percentage has been risk-classified? How many high-impact models have completed an impact assessment before deployment? If your dashboard does not show near-full coverage, the design is incomplete.

Policies and procedures come next. The DOJ does not care how many policies you have. It cares whether they provide clear guidance for real decisions. AI policies should cover the full lifecycle, from design and data sourcing through deployment, monitoring, and retirement. A practical KPI is policy coverage. What percentage of AI assets operate under current, approved procedures? How often are those procedures refreshed? Annual updates are a reasonable baseline in a rapidly changing risk environment.

Is the Program Applied Earnestly and in Good Faith?

Good faith is demonstrated through action, not intent. Training is a central indicator. The DOJ expects role-based training tailored to actual risk. A generic AI awareness course does not meet this standard. Developers, model owners, compliance reviewers, and business leaders all require different training. Completion rates matter, but so does comprehension. Measuring post-training proficiency improvement is one of the clearest signals that training is more than a box-checking exercise.

Third-party risk management is another critical area. Many organizations rely on external models, data providers, or AI-enabled vendors. If you do not understand how those tools are built, governed, and updated, you are importing risk without controls. Strong programs use standardized AI diligence questionnaires, assign assurance scores, and require contractual safeguards for high-risk vendors. A board-ready KPI here is the percentage of high-risk AI vendors subject to enhanced diligence and contractual controls.

Mergers and acquisitions deserve special attention. AI risk does not wait for post-close integration. The DOJ has been explicit that pre-acquisition diligence matters. A defensible KPI is simple and unforgiving. 100% of acquisition targets with material AI usage must undergo AI due diligence before closing. Anything less invites inherited risk.

Does the Program Work in Practice?

This is where many programs fail. Paper controls do not impress regulators. Outcomes do. Incident reporting is a critical signal. A low number of reported AI issues may indicate fear, confusion, or a lack of safety rather than safety concerns. What matters is whether issues are identified, investigated, and resolved promptly. Mean time to investigate is a powerful metric. If AI-related concerns take months to resolve, the program is not working. Clear escalation paths, defined investigation playbooks, and documented root cause analysis are essential.

Continuous monitoring is equally important. High-risk AI systems must be monitored for performance drift, data changes, and unintended outcomes. The DOJ expects companies to use data analytics to test whether controls are functioning. KPIs here include validation pass rates before deployment, drift-detection coverage for critical models, and corrective action closure rates. These are not technical vanity metrics. They are evidence of effectiveness.

Where NIST Fits and Why It Matters

The NIST AI Risk Management Framework does not compete with the ECCP. It operationalizes it. The ECCP tells you what regulators expect. NIST helps you implement those expectations across governance, mapping, measurement, and management. For example, ECCP risk assessment aligns with NIST’s mapping function. ECCP’s continuous improvement aligns with NIST’s measurement and management functions. Using NIST terminology creates a shared language across compliance, legal, security, and data science teams. That shared language is governance in action.

Reporting AI Risk to the Board

Boards do not want technical detail. They want assurance. The most effective AI governance dashboards focus on a small set of indicators that answer the DOJ’s three questions: coverage, quality, responsiveness, and learning. Examples include the percentage of AI assets risk-classified, validation pass rates, investigation cycle times, and corrective action closure rates. When these metrics move in the right direction, they tell a credible story of control. More importantly, they show that compliance is not reacting to AI. It is governing it.

Five Key Takeaways for Compliance Professionals

  1. AI as Risk. Artificial intelligence is already within the scope of the ECCP. If AI can influence business outcomes, it must be governed like any other compliance risk.
  2. Risk Management Program. A well-designed AI compliance program begins with complete asset identification and risk classification. Coverage metrics are the first signal regulators will examine.
  3. Implementation. Good faith implementation is demonstrated through role-based training, disciplined third-party oversight, and pre-acquisition AI diligence. Intent without execution does not count.
  4. Outcomes, not Inputs. Effectiveness is proven through outcomes. Investigation speed, monitoring coverage, and corrective action closure rates matter more than policy volume.
  5. Complementary. The NIST Framework complements the ECCP by providing an operating model that compliance, legal, and technical teams can share. Together, they turn principles into proof.

Final Thoughts

AI governance is not about predicting the future. It is about demonstrating discipline in the present. The DOJ is not asking compliance professionals to become data scientists. It is asking us to do what they have always done well: identify risk, establish controls, test effectiveness, and improve continuously. The ECCP already gives you the framework. The only question is applying it.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 5 – Lucretius, Rationality, and Continuous Improvement in Compliance

Welcome to our concluding blog post on notable Roman Philosophers and the philosophical underpinnings of modern corporate compliance programs and compliance professionals, focusing on five philosophers from Rome spanning the end of the Roman Republic to the Roman Empire.

We have considered Cicero and the duty, law, and the moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; Varro on corporate governance; and Marcus Aurelius on ethical leadership and tone at the top. Today, we conclude with Lucretius to explore rationality, fear, and risk perception.

I. Lucretius in Context: Seeing the World Clearly

Titus Lucretius Carus is the outlier in the Roman philosophical tradition, and that is precisely why he matters to compliance professionals. In De Rerum Natura (On the Nature of Things), Lucretius set out to explain the world as it actually is, stripped of superstition, fear, and comforting illusions. He believed that human suffering and bad decision-making were driven less by malice than by misunderstanding.

Lucretius lived in a Roman world gripped by fear of divine punishment, fate, and unseen forces. He argued that when people attribute events to superstition or rumor rather than observation and evidence, they lose the ability to respond rationally. Fear, in his view, was the enemy of clear judgment. Only through disciplined observation and reason could individuals and institutions act wisely.

For modern compliance professionals, Lucretius offers a final and essential lesson. Even the best-designed compliance program, staffed by accountable individuals and supported by ethical leadership, will fail if it cannot see itself clearly. Programs that rely on assumptions, anecdotes, or reputation rather than evidence inevitably drift. Lucretius teaches that rational observation is not merely a scientific virtue. It is an ethical one.

II. The Compliance Problem Lucretius Illuminates: Blind Spots and Compliance Theater

Many compliance programs operate on belief rather than proof. Leaders believe the culture is strong. Boards believe controls are effective. Compliance teams believe training is working. Yet enforcement actions routinely reveal blind spots that persisted for years, unnoticed or unchallenged. This gap between belief and reality is what Lucretius would have called superstition. In compliance, it takes the form of compliance theater: dashboards that look reassuring, certifications that go unquestioned, and metrics that measure activity rather than effectiveness.

The DOJ Evaluation of Corporate Compliance Programs (ECCP) repeatedly asks whether companies test, monitor, and improve their programs. Prosecutors are explicit that assumptions are insufficient. They want evidence that the program detects misconduct, adapts to change, and evolves based on lessons learned. Fear plays a central role here. Organizations fear discovering problems. They fear bad news reaching the board. They fear regulatory scrutiny. Lucretius warned that fear distorts perception. In compliance terms, fear leads to underreporting, superficial audits, and avoidance of uncomfortable data.

A compliance program that cannot tolerate evidence of weakness cannot improve. Lucretius insists that rational systems must prefer truth over comfort.

III. Modern Corporate Application: Lucretius, DOJ Expectations, and Evidence-Based Compliance

Applying Lucretius to modern compliance highlights the central role of monitoring, testing, and continuous improvement.

First, compliance monitoring must focus on effectiveness, not volume. Counting training completions or hotline calls says little about whether the program works. Lucretius would insist on asking harder questions. Are issues detected early? Are repeat risks declining? Are controls changing behavior?

Second, data must be interpreted without fear. DOJ guidance emphasizes learning from misconduct and near misses. Yet many organizations treat incidents as anomalies rather than signals. Lucretius teaches that patterns matter more than isolated events. Compliance teams should analyze trends across regions, functions, and time, even when results are uncomfortable.

Third, programs must adapt to changing risk. Lucretius rejected static explanations of the world. The DOJ similarly asks whether compliance programs evolve as business models, markets, and technologies change. A program designed for yesterday’s risks becomes a liability when conditions shift.

Fourth, monitoring must include culture and behavior, not just transactions. Culture surveys, exit interviews, and speak-up analytics provide insight into employees’ trust in the system. Lucretius would caution against ignoring qualitative data simply because it is harder to measure.

Fifth, continuous improvement must be documented and demonstrable. The DOJ evaluates whether companies close the loop by updating controls, training, and governance in response to findings. Rational compliance requires not only seeing clearly but acting on what is seen.

Finally, compliance leaders must resist narrative-driven assurance. Statements such as “this has never happened before” or “we trust our people” are not evidence. Lucretius reminds us that trust is strengthened, not weakened, by verification.

IV. Key Takeaways for Compliance Professionals

1. Father of CM/CI. Compliance professionals should view Lucretius as the philosophical foundation of monitoring and continuous improvement. Lucretius grounds compliance in disciplined observation rather than comfort or tradition. He reminds compliance professionals that a program cannot improve what it refuses to examine honestly. Monitoring and continuous improvement are not technical exercises but ethical commitments to see the organization as it truly operates.

2. Fact-based. Compliance should privilege evidence over assumption. Assumptions about culture, control effectiveness, or employee behavior create blind spots that persist until a failure forces attention. Lucretius warns that belief without verification is a form of self-deception. An effective compliance program insists on data, testing, and validation rather than reassurance.

3. Measure outcomes, not activity. Compliance should design metrics that measure effectiveness, not activity. Counting trainings delivered or policies acknowledged does not demonstrate that misconduct is being prevented or detected. Lucretius would reject metrics that comfort leadership without revealing reality. Compliance metrics must answer whether controls change behavior and reduce risk, not merely whether processes occurred.

4. Information is data. Compliance should treat incidents and near misses as data, not embarrassment. Organizations often hide or minimize incidents out of fear of reputational harm or internal scrutiny. Lucretius teaches that fear distorts judgment and delays learning. A mature compliance program uses incidents and near misses as signals for improvement rather than reasons for denial.

5. Risks Change. Compliance should evolve as risks, markets, and technologies change. Static compliance programs assume the world remains stable, an assumption Lucretius would view as fundamentally irrational. This is certainly not true in the age of Trump. Business models, geopolitical risks, and technologies shift faster than policy cycles. Continuous adaptation is the only rational response to an environment in constant motion.

6. Embrace Observation. Compliance should embrace rational observation as an ethical obligation. Seeing clearly is not morally neutral; it is a responsibility owed to stakeholders and institutions. Lucretius argued that ignorance sustained by fear causes harm. In compliance, choosing not to look is itself an ethical failure.

7. Evidence-based. Finally, Lucretius teaches that organizations fail not because reality is unknowable, but because they choose not to look. This is the capstone lesson of the compliance lifecycle. Organizations that avoid uncomfortable facts drift into compliance theater and false confidence. Rational, evidence-based compliance treats truth as an asset, even when it reveals weakness.

V. Conclusion: Roman Philosophy and the Compliance Program That Actually Works

Taken together, these five Roman philosophers describe the full lifecycle of a modern compliance program as it exists in the real world, not as it appears in policy manuals. Cicero establishes why compliance must exist at all, grounding the program in duty rather than expediency and reminding organizations that law is only the starting point. Seneca then confronts the reality that ethical commitments are tested under pressure, exposing how fear, ambition, and rationalization undermine even well-designed systems. Epictetus moves the analysis to the individual, insisting that ethical responsibility does not disappear inside hierarchy and that compliance ultimately depends on personal agency. Marcus Aurelius elevates that responsibility to leadership, showing how culture is formed through example and how ethical expectations live or die by the behavior of executives. Finally, Lucretius closes the loop, demanding rational observation, evidence, and continuous improvement so that compliance programs do not drift into assumption, superstition, or complacency.

What makes the Roman philosophers uniquely valuable to compliance professionals is their focus on institutions, power, and human behavior under constraint. The Greeks gave us ethical ideals. The Romans showed us how those ideals survive, or fail, inside complex systems. This mirrors the Department of Justice’s modern approach to compliance, which increasingly evaluates not whether a program exists, but whether it operates, adapts, and functions under real-world conditions.

For the compliance professional, the lesson of this series is both sobering and empowering. No single control, policy, or training module is sufficient. Effective compliance requires ethical foundations, behavioral awareness, individual accountability, principled leadership, and disciplined monitoring working together as an integrated system. Remove any one of these elements, and the program weakens. Align them, and compliance becomes not a defensive function, but a durable governance capability.

In combining these Roman insights with the earlier Greek philosophical foundations, the compliance professional gains more than historical perspective. They gain a framework for building programs that withstand pressure, earn trust, and evolve. In the end, that is the measure of a compliance program that actually works.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 4 – Marcus Aurelius and Ethical Leadership

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the BCE and AD eras.

We have considered Cicero and the duties, law, and moral limits of business; Seneca on power, pressure, and ethical decision-making under stress; and Varro on corporate governance. Today, we consider Marcus Aurelius and ethical leadership and tone at the top. Tomorrow, we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we continue with Marcus Aurelius, Ethical Leadership, and Culture as a Compliance Control

I. Marcus Aurelius in Context: Power with Restraint

Imagine you are the single most powerful person on earth. Are you going to be an unrepentant narcissist in the manner of Donald Trump, who believes he should govern on his own twisted morality based simply on ‘gut instinct’? Or are you going to take a different approach, set out your reasoned approach to governing in a book, and then govern with the moral authority of thousands of years of philosophy?

Marcus Aurelius is often remembered as the philosopher-king, but that description understates the difficulty of his position. He ruled the Roman Empire during a period of war, plague, economic strain, and political instability. Unlike many philosophers, Marcus Aurelius did not write for an audience. His Meditations were private reflections, written to discipline his own thinking while exercising absolute power.

This matters for compliance professionals. Marcus Aurelius did not theorize about ethical leadership from a distance. He lived inside it. He understood that power magnifies temptation, insulates leaders from feedback, and creates opportunities for self-deception. His philosophy is therefore preoccupied with restraint, humility, consistency, and responsibility.

Marcus repeatedly reminded himself that leadership is not a privilege but a burden. Authority did not entitle him to indulgence; it imposed higher expectations. He believed that leaders set moral boundaries through conduct long before they issue instructions. In modern terms, Marcus Aurelius understood that culture flows downward from leadership behavior rather than upward from policy documents.

II. The Compliance Problem Marcus Aurelius Illuminates: Culture Eats Controls

One of the central lessons of modern compliance enforcement is that formal controls cannot compensate for poor culture. Organizations with detailed policies and sophisticated monitoring still fail when leadership behavior signals that results matter more than integrity. The DOJ Evaluation of Corporate Compliance Programs (ECCP) explicitly asks whether senior leaders demonstrate commitment to compliance through actions, not words. Regulators assess whether ethical behavior is encouraged, whether misconduct is addressed consistently, and whether leaders tolerate or reward problematic conduct.

Marcus Aurelius would recognize this dynamic immediately. He believed that people learn how to behave by observing those in power. When leaders act inconsistently with stated values, cynicism follows. When leaders rationalize misconduct, that rationalization spreads. Compliance programs often falter when leadership treats ethics as a communication exercise rather than a lived expectation. Codes of conduct and training sessions cannot overcome the daily signals sent by executive decisions, incentive structures, and responses to failure.

Marcus teaches that culture is not accidental. It is created continuously by leadership choices, especially under pressure.

III. Modern Corporate Application: Marcus Aurelius, DOJ Expectations, and Leadership Accountability

Applying Marcus Aurelius to modern compliance reveals several concrete expectations that closely align with DOJ guidance.

First, leadership behavior must be consistent. Marcus believed hypocrisy was corrosive to authority. The DOJ similarly evaluates whether leaders follow the same rules they impose on others. Exceptions for senior executives undermine program credibility and weaken deterrence.

Second, leadership must respond to misconduct with moral clarity. Marcus wrote that anger and denial cloud judgment. In compliance terms, this means addressing issues promptly, transparently, and proportionately. Delayed or defensive responses signal tolerance, even when discipline eventually occurs.

Third, middle management matters. Marcus understood that culture is transmitted through layers of authority. DOJ guidance emphasizes the role of middle managers as culture carriers. Compliance programs should equip managers with the tools and incentives to reinforce ethical behavior, not merely deliver targets.

Fourth, incentives must reflect values. Marcus warned against leaders who chase reputation or reward at the expense of principle. Modern compliance programs must ensure compensation structures do not reward outcomes achieved through questionable means. The DOJ has repeatedly cited incentive misalignment as a root cause of misconduct.

Finally, leadership must create psychological safety. Marcus believed leaders should listen more than they speak. In compliance terms, this translates into openness to bad news, encouragement of dissent, and protection for those who raise concerns. A culture that punishes truth-telling cannot sustain compliance.

IV. Key Takeaways for Compliance Professionals

1. The Blueprint. Compliance professionals should view Marcus Aurelius and his writings as the blueprint for culture-based compliance. You can draw a direct line from the Meditations to both your compliance program and the leadership skills a CCO needs. Compliance should evaluate leadership behavior as a primary control, not a soft factor. This means not only reviewing employees who are promoted to management, but also a deep dive into their backgrounds. Also, thorough due diligence for any senior management hires from outside your organization.

2. Higher Standards. Compliance should hold senior leaders to higher standards of consistency and accountability.

3. Institutional Justice. Compliance should focus on how leaders respond to misconduct, not just how they prevent it. This is the CCO’s charge, and it must include an institutional fairness component in your compliance program.

  1. Compliance should ensure incentives reinforce ethical behavior at every level. The DOJ has consistently discussed the role of incentives in any compliance program, as far back as the 1st edition of the FCPA Guidance in 2012.
  2. Compliance should treat culture as an operational risk area subject to oversight and testing. Culture should be assessed, monitored, and improved. Simply because it is seen as a ‘soft’ part of an organization does not mean it should be treated differently.

4. Walk the Walk. Finally, Marcus Aurelius reminds us that ethical leadership is not performative. It is visible, daily, and decisive. In organizations, culture follows leadership long before it follows policy.

V. Conclusion

Marcus Aurelius brings the compliance lifecycle to its cultural apex. He shows that leadership behavior is not merely influential but determinative, shaping whether ethical expectations are taken seriously or quietly dismissed. Yet even the strongest ethical culture is not self-sustaining. Leaders are human, memory fades, and good intentions erode without reinforcement. This is where culture must be supported by systems that observe, test, and correct.

Marcus Aurelius teaches us how leaders should behave; Lucretius challenges us to examine how organizations think. If Marcus focuses on moral example, Lucretius turns our attention to rational observation, warning against fear, superstition, and self-deception. The transition from Marcus Aurelius to Lucretius mirrors the shift from cultural leadership to continuous improvement, from ethical intent to empirical verification. In compliance terms, it is the move from assuming the program works to proving that it does, using data, monitoring, and clear-eyed analysis rather than hope or habit.

Join us tomorrow for our concluding article on Lucretius and Rationality in Monitoring and Continuous Improvement. We will consider where culture gives way to systems, data, and the discipline of seeing risk clearly rather than through fear or superstition.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 2 Seneca on Pressure and Compliance

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the Roman Republic and the Roman Empire.

Yesterday, we considered Cicero and the duty, law, and the moral limits of business; today, we will look at Seneca and power, pressure, and ethical decision-making under stress; upcoming blog posts include Marcus Aurelius and ethical leadership and tone at the top; Varro and corporate governance; and Lucretius to explore rationality, fear, and risk perception. Today, we continue with Seneca on pressure and when compliance matters the most.

I. Seneca in Context: Ethics from Inside Power

Lucius Annaeus Seneca did not write philosophy from a safe distance. He lived at the center of Roman power, wealth, and danger. As tutor and later advisor to Emperor Nero, Seneca understood how quickly ethical intentions could be compromised by fear, ambition, loyalty, and survival. He also understood how people justify those compromises to themselves.

Seneca’s writings, particularly Letters from a Stoic and On Anger, are not abstract moral treatises. They are practical examinations of how human beings behave when placed under stress. He was deeply concerned with emotional excess, not because emotions were immoral, but because unchecked emotion distorts judgment. Anger, fear, greed, and the desire for approval all lead otherwise rational people to make decisions they later defend as necessary.

For Seneca, ethical failure was rarely sudden. It was incremental. People crossed lines not because they intended to be corrupt, but because they convinced themselves that circumstances demanded flexibility. This insight makes Seneca indispensable to the modern compliance professional, whose greatest challenge is not policy design, but behavior under pressure.

II. The Compliance Problem Seneca Illuminates: Rationalization Under Stress

Most compliance programs are designed around rules, controls, and reporting structures. Far fewer are designed with human psychology in mind. Seneca would argue that this is a critical oversight. Modern compliance failures often occur in high-pressure environments: aggressive sales targets, looming deadlines, competitive markets, political instability, or financial distress. In these moments, individuals do not typically reject ethical norms outright. Instead, they rationalize deviations as temporary, necessary, or harmless.

Common rationalizations include:

  • “This is how business is done here.”
  • “We will fix it later.”
  • “No one is really harmed.”
  • “Leadership expects results.”
  • (and my personal favorite) “We’ve always done it this way.”

Seneca warned that these internal narratives are more dangerous than ignorance. Once people justify unethical conduct to themselves, external controls become less effective. A policy cannot compete with a story someone tells themselves to preserve status, income, or safety. The DOJ, particularly in its various iterations of the Evaluation of Corporate Compliance Programs (ECCP), has increasingly focused on this dynamic. In recent enforcement actions, regulators have emphasized root-cause analysis, asking not only what rule was broken but also why individuals felt compelled to break it. Pressure, incentives, and cultural signals consistently appear as contributing factors.

Seneca teaches that compliance programs must anticipate rationalization. It is not enough to say “do not do this.” Organizations must understand when and why people will convince themselves that doing it is acceptable.

III. Modern Corporate Application: Seneca, DOJ Expectations and Behavioral Compliance

The ECCP explicitly asks whether a company’s risk assessment and controls account for “the types of misconduct most likely to occur” and whether the company has “addressed the root causes of misconduct.” These questions align directly with Seneca’s insights. Consider major enforcement actions involving systemic bribery, fraud, or manipulation of controls. In cases such as the Wells Fargo fraudulent accounts scandal or the Volkswagen emissions testing scandal, both of which involved employees operating under intense performance pressure. While not all wrongdoing can be excused by culture, regulators repeatedly noted environments where employees felt trapped between expectations and ethics.

A Seneca-informed compliance program would focus on several practical measures.

First, risk assessments should explicitly identify pressure points. Compliance should map where incentives, deadlines, or market conditions increase the likelihood of rationalization. This includes sales functions, third-party relationships, emerging markets, and crises.

Second, training should move beyond rules into scenario-based discussions. Seneca believed self-awareness was an ethical discipline. Modern compliance training should confront common rationalizations directly, helping employees recognize them before they take hold. DOJ guidance increasingly favors practical, tailored training over generic training.

Third, escalation pathways must be realistic under stress. A hotline that exists only on paper will not be used when fear of retaliation or failure dominates. Seneca understood that fear silences conscience. Effective compliance programs must demonstrate that speaking up under pressure is protected, valued, and acted upon.

Fourth, leadership messaging matters most during crises. Seneca warned that leaders set moral boundaries through behavior, not speeches. The DOJ has emphasized that how management responds to misconduct is a key indicator of program effectiveness. When leaders excuse results achieved through questionable means, rationalization spreads quickly.

Finally, compliance must be present before the crisis, not introduced afterward. Seneca would view reactive compliance as inherently weak. Ethical resilience must be built in advance, when judgment is clear, and stakes are lower.

Key Takeaways for Compliance Professionals

1. Behavioral Risk. Compliance professionals should view Seneca as a guide to behavioral risk, not philosophical pessimism. Seneca focuses on how real people behave under pressure rather than on abstract ethical ideals. He recognizes that stress, fear, ambition, and loyalty distort judgment long before formal rules are broken. For compliance professionals, Seneca provides a framework for understanding why misconduct occurs even in organizations with well-designed programs.

2. Pressure Points. Compliance should identify and manage pressure points where rationalization thrives. High-performance targets, crises, and competitive markets create environments where ethical shortcuts are easily justified. Seneca teaches that rationalization flourishes when people feel trapped between expectations and consequences. Compliance programs must proactively map and mitigate these pressure points rather than react after misconduct occurs.

3. Training Design. Compliance should design training that addresses how people actually make decisions under stress. Traditional rule-based training assumes calm, rational decision-making, which rarely occurs in real-world situations. Seneca reminds us that ethical failure often occurs in moments of emotional intensity rather than in deliberation. Effective compliance training should use scenarios and realistic dilemmas that reflect pressure, ambiguity, and competing incentives.

Compliance should ensure escalation mechanisms work when fear and incentives collide. A hotline or reporting channel is ineffective if employees do not trust it during high-risk moments. Seneca understood that fear silences conscience and discourages disclosure. Compliance programs must test whether escalation pathways function when the personal cost of speaking up feels high.

4. Leadership Engagement. Compliance should engage leadership on how their responses to pressure shape ethical behavior. Leaders signal ethical boundaries most clearly when responding to setbacks, failures, or missed targets. Seneca warned that inconsistent or emotionally driven leadership responses accelerate ethical decay. Compliance professionals must ensure leaders understand that their reactions under pressure become cultural instruction.

  • Compliance should focus on prevention through awareness, not punishment after failure. Seneca emphasized self-awareness as the first defense against moral error. Compliance messaging that only appears after misconduct reinforces fear rather than learning. Ongoing communication about pressure, rationalization, and ethical expectations strengthens resilience before problems arise.
  • Finally, Seneca instructs us that ethical systems fail not because people abandon values, but because they convince themselves that those values can wait. A compliance program that ignores pressure is a program designed to fail when it matters most. Rationalization is the quiet mechanism through which ethical erosion occurs. Seneca shows that delay, exception-making, and “temporary” compromises accumulate into systemic failure. Compliance programs that do not confront rationalization directly leave themselves exposed at their most vulnerable moments.

Conclusion

Seneca exposes the internal dynamics that cause compliance programs to fail under pressure. He shows us how fear, ambition, and rationalization erode ethical judgment, even when rules are clear and controls are in place. But Seneca largely examines the problem from the inside out, focusing on how individuals respond to external forces. That analysis leads directly to the next question in the compliance lifecycle: what responsibility does the individual retain when pressure is real, and authority is unequal? This is where Seneca gives way to Epictetus.

Join us tomorrow as we explore Varro and corporate governance for your compliance regime.

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 1 Cicero on Duty and Ethics

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, both from the BCE and AD eras.

We will consider Cicero and the duty, law, and the moral limits of business;  Seneca and power, pressure, and ethical decision-making under stress; Marcus Aurelius and ethical leadership and tone at the top; Epictetus and accountability, control, and ethical agency; and we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we begin with Cicero and the ethical foundations of the compliance program.

I. Cicero in Context: Duty in an Age of Power and Commerce

Marcus Tullius Cicero lived at the intersection of law, politics, and commerce during the final decades of the Roman Republic. Rome was wealthy, expansive, and deeply corrupt. Provincial governors enriched themselves through bribery and extortion. Political power was routinely monetized. Legal technicalities were used to justify conduct that plainly violated any reasonable notion of fairness or justice.

It was in this environment that Cicero wrote De Officiis (On Duties), a work addressed not to philosophers, but to those who held power and responsibility. Cicero was not interested in abstract virtue. He was interested in how people entrusted with authority should behave when tempted by profit, pressure, or expediency.

For Cicero, duty was not optional. It arose from one’s role and the trust placed in that role. Public office, commercial activity, and leadership all carried moral obligations that custom, convenience, or legal loopholes could not waive. Most importantly, Cicero rejected the idea that what was profitable could excuse what was unethical. Where profit and moral duty conflicted, duty had to prevail.

This framing makes Cicero uniquely relevant to modern corporate compliance. Large organizations, like the Roman Republic, operate through delegated authority, complex incentives, and diffuse accountability. Cicero understood that without an ethical foundation grounded in duty, institutions eventually hollow out, even if they remain technically lawful.

II. The Compliance Problem Cicero Illuminates: When Law Becomes the Ceiling

One of the most persistent failures in corporate compliance programs is treating legal compliance as the ultimate objective rather than the minimum requirement. Organizations ask, “Is it legal?” far more often than they ask, “Is it right?” or “Is this consistent with our obligations as stewards of trust?” Cicero would have recognized this failure immediately. In De Officiis, he warned against the misuse of legal form to justify immoral conduct. He argued that clever interpretations of the law, when divorced from justice, ultimately destroy trust in institutions. This is not merely a moral observation. It is an operational one.

Modern enforcement actions repeatedly demonstrate that misconduct often occurs in plain sight, enabled by policies, approvals, and structures that technically comply with written rules. The Department of Justice has been explicit that a compliance program that exists only on paper, or that focuses solely on technical adherence, will not be viewed as effective. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a company’s program is “well designed,” “applied in good faith,” and “actually works in practice.” These questions implicitly echo Cicero’s concern. A program that treats legality as the ceiling rather than the floor may satisfy internal counsel, but it fails as an ethical governance system.

Cicero teaches that compliance programs must be grounded in duty: to customers, markets, employees, shareholders, and society. Without that grounding, rules become tools for avoidance rather than instruments of integrity.

III. Modern Corporate Application: Cicero, DOJ Expectations, and Real-World Failures

The ECCP places increased emphasis on culture, leadership accountability, and the role of the board. These expectations align closely with Cicero’s insistence that those in power bear heightened ethical responsibility.

Consider enforcement actions involving bribery, corruption, or fraud in which senior leaders claimed ignorance while benefiting from the outcomes. In multiple Foreign Corrupt Practices Act resolutions, the DOJ has rejected arguments that misconduct occurred despite policies, rather than because governance systems tolerated or incentivized it. In cases such as Airbus and Goldman Sachs, regulators highlighted failures in oversight, escalation, and ethical decision-making at senior levels. From a Cicero-inspired perspective, these are failures of duty. Leaders accepted the benefits of authority without fully embracing its obligations. Compliance programs existed, but they were not anchored in a shared understanding that ethical duty limits what is acceptable in profit-seeking behavior.

Applying Cicero to modern compliance design suggests several concrete actions:

First, the code of conduct should be framed as a statement of duties rather than merely a list of prohibitions. Employees should understand not only what is forbidden, but why certain conduct violates the organization’s obligations to stakeholders.

Second, senior leadership accountability must be explicit. Cicero believed that authority magnifies moral responsibility. The DOJ now expects boards and executives to actively oversee compliance, not passively receive reports. A compliance program that cannot demonstrate meaningful leadership engagement will struggle under scrutiny.

Third, incentives matter. Cicero warned that when institutions reward success without regard to means, they invite corruption. Modern compliance programs must align compensation, promotion, and recognition with ethical behavior, not merely financial outcomes. The DOJ has repeatedly emphasized incentives and discipline as indicators of program effectiveness.

Finally, compliance should be positioned as a governance function, not a technical one. Cicero understood law as a moral instrument, not a procedural shield. Compliance professionals should frame their role as guardians of institutional duty, helping the organization navigate gray areas where legal guidance alone is insufficient.

Key Takeaways for Compliance Professionals

1. Ethical Foundation. Compliance professionals should view Cicero as the ethical foundation of a modern compliance program. Cicero establishes that compliance must be grounded in duty rather than fear of enforcement. He frames ethical behavior as an obligation arising from trust and authority, not as a discretionary choice. A compliance program without this foundation risks becoming a technical exercise divorced from purpose.

2. Law as a Floor. Compliance should treat law as the minimum standard, not the ultimate objective. Cicero warned against using legal formality to justify conduct that violates justice and fairness. Modern compliance failures often arise when organizations ask only whether conduct is legal rather than whether it is right. Effective compliance programs must push beyond legality to reinforce ethical judgment.

3. Governance and Stewardship. Compliance should be positioned as a core governance function. Cicero believed that those entrusted with authority act as stewards, not owners, of institutional power. Compliance should therefore be integrated into governance structures rather than treated as a peripheral control function. This positioning reinforces accountability to stakeholders and long-term institutional integrity.

4. Leadership Duty. Compliance should impose heightened ethical obligations on those with power. Cicero argued that authority magnifies moral responsibility rather than diminishing it. Senior leaders and boards must therefore be held to higher compliance expectations, not exempted for performance or status. Ethical leadership is essential to a program’s legitimacy.

  • Compliance should align incentives with integrity, not just results.
  • Cicero warned that rewarding success without regard to means invites corruption. Modern compliance programs fail when compensation and promotion structures undermine stated values. Incentive alignment is a critical control, not a human resources afterthought.

5. Cultural Legitimacy. Compliance should reinforce trust as an institutional asset.

Cicero understood that institutions survive only so long as they retain public and internal trust. A compliance program grounded in duty strengthens credibility with employees, regulators, and stakeholders alike. Trust is not a soft concept; it is the currency of effective governance.

6. Duty Over Expediency. Finally, Cicero teaches that ethical systems collapse when expediency displaces duty. A compliance program that exists only to manage risk or avoid penalties will eventually lose legitimacy. Compliance grounded in duty, by contrast, becomes a stabilizing force for the institution itself.

Conclusion

Cicero provides the compliance professional with the ethical foundation for a program: duty, legitimacy, and moral purpose. But he largely assumes that once duty is understood, it will be followed. Experience tells us otherwise. Modern compliance failures rarely occur because people do not know the rules or the obligations. They occur because pressure, fear, ambition, and rationalization overwhelm judgment at precisely the moments when duty matters most. That is where Cicero necessarily gives way to Seneca.

If Cicero explains why a compliance program must exist and what it must stand for, Seneca confronts the harder question of how ethical commitments erode under stress. The transition from Cicero to Seneca mirrors the transition from program design to real-world operation, when incentives tighten, stakes rise, and ethical clarity is tested. This is where compliance programs are no longer theoretical and where many begin to fail.

Join us tomorrow as we explore Seneca and compliance under pressure, using Cicero’s foundation as the explicit point of departure.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Leveraging Root Cause Analysis for Effective Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 31 episode, and our final day in this 2026 update to 31 Days to a More Effective Compliance Program, we end with a review of root cause analysis.

Key highlights:

  • Integrating Root Cause Analysis into Solutions
  • Regulatory Expectations and Internal Controls
  • Performing Effective Root Cause Analysis
  • Developing and Implementing Solutions

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 27 – The Compliance Function in an Organization

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 27 episode, we explore the growing importance and responsibilities of the compliance function within corporations, emphasizing the need for adequate staffing, resources, and independence.

Key highlights:

  • DOJ’s Expectations for Compliance Programs
  • Funding and Resources for Compliance
  • Compliance Program Structure and Authority

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 26 – Elevating the Role and Independence of the Chief Compliance Officer

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 26 episode, we ponder the evolving stature and authority of the CCO within organizations, as highlighted by recent guidelines and regulations.

Key highlights:

  • Key Inquiries Around the CCO and Compliance Function
  • Importance of CCO Certification and Court Decisions
  • Critical Takeaways for Compliance Professionals

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.