Categories
Blog

The Starliner, Culture and Compliance: Leadership Lessons from a NASA Investigation Report

Corporate compliance professionals spend a lot of time talking about controls, training, third parties, and investigations. Yet the hard truth is that the most important control environment sits above all of that: leadership behavior and the culture it creates. That is why this NASA investigation report on the Boeing CST-100 Starliner Crewed Flight Test (CFT) is such a useful case study. It is a technical report, to be sure. But it is also a cultural, leadership, and governance report. NASA’s bottom line is unambiguous: technical excellence and safety require transparent communication and clear roles and responsibilities, not as slogans, but as operating requirements that must be institutionalized so safety is never compromised in pursuit of schedule or cost.

If you are a Chief Compliance Officer, General Counsel, or business leader, you should read this report the way you read an enforcement action. Not to gawk. Not to assign blame. But to harvest lessons for your own organization before you have your own high-visibility close call.

The incident(s) that led to the report

The CFT mission launched June 5, 2024, as a pivotal step toward certifying Starliner to transport astronauts to the International Space Station. It was planned as an 8-to-14-day mission but was extended to 93 days after significant propulsion system anomalies emerged. Ultimately, the Starliner capsule returned uncrewed, while astronauts Barry “Butch” Wilmore and Sunita “Suni” Williams returned aboard SpaceX’s Crew-9 Dragon in March 2025. In February 2025, NASA chartered a Program Investigation Team (PIT) to examine the technical, organizational, and cultural factors contributing to the anomalies.

The report describes four major hardware anomaly areas, including Service Module RCS thruster fail-offs that temporarily caused a loss of 6 Degrees of Freedom control during ISS rendezvous and required in-situ troubleshooting to recover enough capability to dock, a Crew Module thruster failure during descent that reduced fault tolerance, and helium manifold leaks where seven of eight Service Module helium manifolds leaked during the mission. The PIT further determined that the 6DOF loss during rendezvous met criteria for a Type A mishap (or at least a high-visibility close call), underscoring how close the program came to a very different ending.

That is the “what.” For compliance professionals, the “so what” is that NASA did not treat this as a purely engineering problem. It treated it as an integrated system failure, in which culture and leadership either reduce risk or magnify it.

Lesson 1: Decision authority is culture, not paperwork

One of the report’s clearest threads is that fragmented roles and responsibilities delayed decision-making and eroded confidence. In the compliance world, unclear decision rights become the breeding ground for “informal governance”: private conversations, end-runs around committees, and decisions that are never fully documented. Over time, that becomes a shadow-control environment that your policies cannot touch.

Compliance action steps

  • Define decision rights for the riskiest calls (high-risk third parties, market entry, major remediation, critical incidents).
  • Require a short, written record of: facts reviewed, options considered, dissent captured, decision made, and owner accountable.
  • Separate “recommendation authority” from “approval authority” so everyone knows where they sit.

Lesson 2: Transparency is a control, and selective data sharing destroys trust

The report explicitly flags that the lack of data access fueled concerns about selective information sharing. Interviewees described frustration that information could be filtered, selectively chosen, or sanitized, which eroded confidence in the process and people. It also notes reports of questions being labeled “too detailed” or “out of scope” without mechanisms to ensure concerns were addressed. That is the compliance danger zone. When teams believe the narrative matters more than the data, they stop escalating early. They start documenting defensively. They seek safety in silence.

Compliance action steps

  • Build “open data” expectations into your incident response and investigative protocols.
  • Create a defined pathway for technical or subject-matter dissent to be logged, reviewed, and dispositioned.
  • Treat meeting notes and decisions as governed records, not optional artifacts.

Lesson 3: Risk acceptance without rigor becomes “unexplained anomaly tolerance”

NASA calls out “anomaly resolution discipline” and warns that repeated acceptance of unexplained anomalies without root cause can lead to recurrence. That single lesson belongs on a poster in every compliance office. In corporate terms, “unexplained anomalies” are recurring control exceptions, repeat hotline themes, repeated third-party red flags, and audit findings that are “managed” rather than fixed. If leadership normalizes that pattern, it teaches the organization that closure is more important than correction.

Compliance action steps

  • Require root cause analysis for repeat issues, not just incident closure.
  • Set escalation thresholds for “repeat with no root cause” findings.
  • Audit remediation quality, not only remediation completion.

Lesson 4: Partnerships fail when “shared accountability” is not operationalized

The report emphasizes that shared accountability in the commercial model was inconsistently understood and applied. It also notes that historical relationships and private conversations outside formal forums created perceptions of blurred boundaries, favoritism, and lack of objectivity, whether or not those perceptions were accurate. Compliance teams have seen this movie. Think distributors, joint ventures, outsourced compliance support, and major technology partners. If accountability is shared in theory but siloed in practice, something will fall through the cracks. Usually, it falls right into your lap when regulators arrive.

Compliance action steps

  • Define “shared accountability” in contracts, governance charters, and escalation protocols.
  • Ensure independence and objectivity are protected by design, not by personality.
  • Create joint forums where data is shared broadly, dissent is recorded, and decisions are made openly.

Lesson 5: Burnout is a risk factor, and meeting chaos is a governance failure

The report’s recommendations recognize the operational reality: high-pressure environments can degrade decision quality. It calls for “pulse checks,” rotation of high-pressure responsibilities, contingency staffing, and time protection for deep work to proactively address burnout and improve decision-making under mission conditions. Compliance professionals should take that to heart. Crisis cadence is sometimes unavoidable. Permanent crisis cadence is a leadership choice. And it carries predictable consequences: shortcuts, missed details, weakened documentation, and poor judgment.

Compliance action steps

  • Build surge staffing plans for investigations and incident response.
  • Rotate incident commander roles when events extend beyond days.
  • Protect time for analysis, not just meetings and status updates.

Lesson 6: Accountability must be visible, not performative

NASA does not bury the human dimension. The report contains leadership recommendations to speak openly with the joint team about leadership accountability, including concurrence with the report and reclassification as a mishap, and to hold a leadership-led stand-down day focused on reflection, accountability concerns, and rebuilding trust. For corporate leaders, this is where trust is won or lost after a crisis. Employees can tolerate a hard outcome. They struggle to tolerate spin. If your organization communicates externally with confidence but internally with vagueness, your culture learns the wrong lesson: optics first, truth second.

Compliance action steps

  • After a major incident, publish an internal accountability and remediation plan with owners and timelines.
  • Provide regular updates on what has been completed, what is delayed, and why.
  • Make it safe for the workforce to ask questions in interactive forums, as NASA recommends.

Lesson 7: Trust repair requires a plan, not a pep talk

One of the most useful artifacts in the report is a sample Organizational Trust Plan. It sets a goal to rebuild trust by establishing clear expectations, open accountability, and shared commitment to safety and mission success. It includes objectives around transparent communication, acknowledging past challenges, reinforcing shared values, and structured engagement. It then lays out action steps: leadership engagement, facilitated sessions, outward expressions of accountability, teamwide rollout, training and coaching, and communication through a written plan and regular updates.

That is exactly the kind of operational discipline compliance leaders should bring to culture work. Culture does not change because someone gives a speech. Culture changes when the organization changes how it makes decisions, treats dissent, and follows through.

Five key takeaways for the compliance professional

  1. Clarify decision rights before the crisis. Ambiguity becomes politics under pressure.
  2. Make transparency non-negotiable. Perceived filtering of data destroys credibility.
  3. Do not normalize unexplained anomalies. Repeat issues without a root cause are future failures.
  4. Operationalize shared accountability with partners. Otherwise, it is a slogan.
  5. Rebuild trust with a written plan and visible accountability. Trust repair is a managed process.

In the end, the Starliner lesson for compliance is simple: controls matter, but culture decides whether controls work when it counts. If leadership cannot run disagreements well, cannot share data broadly, and cannot demonstrate accountability after the fact, the best-written compliance program in the world will fail the moment the pressure rises.

Categories
Great Women in Compliance

Great Women in Compliance: Why Decision Rubrics Matter in the Age of AI with Hemma Lomax and Shalini Rajoo

In this conversation, GWIC host Dr. Hemma R. Lomax and Shalini Rajoo explore the critical role of decision rubrics in governance, accountability, and trust, especially in the context of AI. Shalini shares her journey from law to compliance, emphasizing the importance of understanding systems and the impact of leadership on decision-making processes. They discuss how transparency and clarity in decision-making can build trust within organizations and the necessity of responsible AI governance. Practical tips for improving decision quality are also provided, highlighting the importance of self-awareness and critical thinking in leadership.

Takeaways:

  • The biggest risk in governance is unclear decisions.
  • AI amplifies existing clarity or confusion in decision-making.
  • Systems and rules reflect the identities of their architects.
  • Everyone has an impact on those around them every day.
  • Leadership is about improving the people around you.
  • It’s not just about rules; it’s about how people behave.
  • Decision rubrics provide consistency and predictability in outcomes.
  • Transparency in decision-making processes builds trust.
  • Slowing down to ask questions can lead to better decision-making.
  • Writing down the reasons for decisions brings clarity and accountability.

Sound bites:

“Systems and rules are not inherently neutral.”

“Transparency in decision making builds trust.”

“Slow is smooth, and smooth is fast.”

Chapters:

00:00 Introduction to Decision Rubrics and Governance

02:55 Shalini’s Journey: From Law to Governance

06:09 The Impact of Systems on Leadership and Accountability

09:09 Transitioning to Compliance and Ethics

11:49 Understanding Decision Rubrics in Compliance

15:06 The Role of Leadership in Decision Making

18:03 Designing Conditions for Effective Decision Making

20:47 The Importance of Transparency in Decision Processes

24:09 Decision Rubrics: Building Trust in Organizations

26:49 AI and Governance: Leadership Infrastructure Failures

29:47 Responsible AI: The Role of Ethics and Compliance

32:55 Practical Tips for Improving Decision Quality

36:00 Conclusion: The Future of Decision Making in AI

Guest Biography:

Shalini Rajoo is the Founder and Principal Consultant of Shalini Rajoo Advisory, LLC, where she partners with organizations to design governance, compliance, and decision-making systems that are resilient, trustworthy, and aligned to real operational pressures. Across more than two decades in law, compliance, HR, and organizational leadership, Shalini has helped companies and leaders move beyond check-the-box frameworks to build structures that embed accountability, clarity, and performance into everyday decisions.

She began her career in South Africa, first as a public prosecutor and then leading regulatory work with the Department of Trade and Industry, collaborating with legislative and executive stakeholders on corporate, competition, and consumer law. After relocating to the U.S., Shalini practiced commercial litigation. She later served as Director of Global Business Conduct for a Fortune 500 company, where she redesigned ethics and compliance systems, led global risk assessments, and championed psychological safety and integrity-based practices.

Today, Shalini’s work centers on helping leaders clarify decision rights, governance architectures, and accountability pathways — especially as organizations adopt AI and automation. She recently spoke at the Opal Group’s Corporate Governance & Ethics in the Age of AI conference, where she reframed AI governance as a leadership-infrastructure challenge rather than a purely technical or compliance one.

Categories
Daily Compliance News

Daily Compliance News: February 10, 2026, The Athletes, Injuries and Ethics Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • Prediction markets v. casinos at war over gambling. (NYT)
  • Banks want ‘pound of flesh’ in RTO. (FT)
  • Who gets to decide when athletes should not compete? (Reuters)
  • Google staff call for the company to cut ties with ICE. (BBC)

Categories
Blog

Roman Philosophers and the Foundations of a Modern Compliance Program: Part 1 Cicero on Duty and Ethics

I recently wrote a series on the direct link between ancient Greek Philosophers and modern corporate compliance programs and compliance professionals. It was so much fun and so well-received that I decided to follow up with a similar series on notable Roman Philosophers. This week, we will continue our exploration of the philosophical underpinnings of modern corporate compliance programs and compliance professionals by looking at five philosophers from Rome, from both the BCE and AD eras.

We will consider Cicero and duty, law, and the moral limits of business; Seneca and power, pressure, and ethical decision-making under stress; Marcus Aurelius and ethical leadership and tone at the top; Epictetus and accountability, control, and ethical agency; and we will conclude with Lucretius to explore rationality, fear, and risk perception. Today, we begin with Cicero and the ethical foundations of the compliance program.

I. Cicero in Context: Duty in an Age of Power and Commerce

Marcus Tullius Cicero lived at the intersection of law, politics, and commerce during the final decades of the Roman Republic. Rome was wealthy, expansive, and deeply corrupt. Provincial governors enriched themselves through bribery and extortion. Political power was routinely monetized. Legal technicalities were used to justify conduct that plainly violated any reasonable notion of fairness or justice.

It was in this environment that Cicero wrote De Officiis (On Duties), a work addressed not to philosophers, but to those who held power and responsibility. Cicero was not interested in abstract virtue. He was interested in how people entrusted with authority should behave when tempted by profit, pressure, or expediency.

For Cicero, duty was not optional. It arose from one’s role and the trust placed in that role. Public office, commercial activity, and leadership all carried moral obligations that custom, convenience, or legal loopholes could not waive. Most importantly, Cicero rejected the idea that what was profitable could excuse what was unethical. Where profit and moral duty conflicted, duty had to prevail.

This framing makes Cicero uniquely relevant to modern corporate compliance. Large organizations, like the Roman Republic, operate through delegated authority, complex incentives, and diffuse accountability. Cicero understood that without an ethical foundation grounded in duty, institutions eventually hollow out, even if they remain technically lawful.

II. The Compliance Problem Cicero Illuminates: When Law Becomes the Ceiling

One of the most persistent failures in corporate compliance programs is treating legal compliance as the ultimate objective rather than the minimum requirement. Organizations ask, “Is it legal?” far more often than they ask, “Is it right?” or “Is this consistent with our obligations as stewards of trust?” Cicero would have recognized this failure immediately. In De Officiis, he warned against the misuse of legal form to justify immoral conduct. He argued that clever interpretations of the law, when divorced from justice, ultimately destroy trust in institutions. This is not merely a moral observation. It is an operational one.

Modern enforcement actions repeatedly demonstrate that misconduct often occurs in plain sight, enabled by policies, approvals, and structures that technically comply with written rules. The Department of Justice has been explicit that a compliance program that exists only on paper, or that focuses solely on technical adherence, will not be viewed as effective. The DOJ Evaluation of Corporate Compliance Programs (ECCP) asks whether a company’s program is “well designed,” “applied in good faith,” and “actually works in practice.” These questions implicitly echo Cicero’s concern. A program that treats legality as the ceiling rather than the floor may satisfy internal counsel, but it fails as an ethical governance system.

Cicero teaches that compliance programs must be grounded in duty: to customers, markets, employees, shareholders, and society. Without that grounding, rules become tools for avoidance rather than instruments of integrity.

III. Modern Corporate Application: Cicero, DOJ Expectations, and Real-World Failures

The ECCP places increased emphasis on culture, leadership accountability, and the role of the board. These expectations align closely with Cicero’s insistence that those in power bear heightened ethical responsibility.

Consider enforcement actions involving bribery, corruption, or fraud in which senior leaders claimed ignorance while benefiting from the outcomes. In multiple Foreign Corrupt Practices Act resolutions, the DOJ has rejected arguments that misconduct occurred despite policies, rather than because governance systems tolerated or incentivized it. In cases such as Airbus and Goldman Sachs, regulators highlighted failures in oversight, escalation, and ethical decision-making at senior levels. From a Cicero-inspired perspective, these are failures of duty. Leaders accepted the benefits of authority without fully embracing its obligations. Compliance programs existed, but they were not anchored in a shared understanding that ethical duty limits what is acceptable in profit-seeking behavior.

Applying Cicero to modern compliance design suggests several concrete actions:

First, the code of conduct should be framed as a statement of duties rather than merely a list of prohibitions. Employees should understand not only what is forbidden, but why certain conduct violates the organization’s obligations to stakeholders.

Second, senior leadership accountability must be explicit. Cicero believed that authority magnifies moral responsibility. The DOJ now expects boards and executives to actively oversee compliance, not passively receive reports. A compliance program that cannot demonstrate meaningful leadership engagement will struggle under scrutiny.

Third, incentives matter. Cicero warned that when institutions reward success without regard to means, they invite corruption. Modern compliance programs must align compensation, promotion, and recognition with ethical behavior, not merely financial outcomes. The DOJ has repeatedly emphasized incentives and discipline as indicators of program effectiveness.

Finally, compliance should be positioned as a governance function, not a technical one. Cicero understood law as a moral instrument, not a procedural shield. Compliance professionals should frame their role as guardians of institutional duty, helping the organization navigate gray areas where legal guidance alone is insufficient.

Key Takeaways for Compliance Professionals

1. Ethical Foundation. Compliance professionals should view Cicero as the ethical foundation of a modern compliance program. Cicero establishes that compliance must be grounded in duty rather than fear of enforcement. He frames ethical behavior as an obligation arising from trust and authority, not as a discretionary choice. A compliance program without this foundation risks becoming a technical exercise divorced from purpose.

2. Law as a Floor. Compliance should treat law as the minimum standard, not the ultimate objective. Cicero warned against using legal formality to justify conduct that violates justice and fairness. Modern compliance failures often arise when organizations ask only whether conduct is legal rather than whether it is right. Effective compliance programs must push beyond legality to reinforce ethical judgment.

3. Governance and Stewardship. Compliance should be positioned as a core governance function. Cicero believed that those entrusted with authority act as stewards, not owners, of institutional power. Compliance should therefore be integrated into governance structures rather than treated as a peripheral control function. This positioning reinforces accountability to stakeholders and long-term institutional integrity.

4. Leadership Duty. Compliance should impose heightened ethical obligations on those with power. Cicero argued that authority magnifies moral responsibility rather than diminishing it. Senior leaders and boards must therefore be held to higher compliance expectations, not exempted for performance or status. Ethical leadership is essential to a program’s legitimacy.

Compliance should align incentives with integrity, not just results. Cicero warned that rewarding success without regard to means invites corruption. Modern compliance programs fail when compensation and promotion structures undermine stated values. Incentive alignment is a critical control, not a human resources afterthought.

5. Cultural Legitimacy. Compliance should reinforce trust as an institutional asset. Cicero understood that institutions survive only so long as they retain public and internal trust. A compliance program grounded in duty strengthens credibility with employees, regulators, and stakeholders alike. Trust is not a soft concept; it is the currency of effective governance.

6. Duty Over Expediency. Finally, Cicero teaches that ethical systems collapse when expediency displaces duty. A compliance program that exists only to manage risk or avoid penalties will eventually lose legitimacy. Compliance grounded in duty, by contrast, becomes a stabilizing force for the institution itself.

Conclusion

Cicero provides the compliance professional with the ethical foundation for a program: duty, legitimacy, and moral purpose. But he largely assumes that once duty is understood, it will be followed. Experience tells us otherwise. Modern compliance failures rarely occur because people do not know the rules or the obligations. They occur because pressure, fear, ambition, and rationalization overwhelm judgment at precisely the moments when duty matters most. That is where Cicero necessarily gives way to Seneca.

If Cicero explains why a compliance program must exist and what it must stand for, Seneca confronts the harder question of how ethical commitments erode under stress. The transition from Cicero to Seneca mirrors the transition from program design to real-world operation, when incentives tighten, stakes rise, and ethical clarity is tested. This is where compliance programs are no longer theoretical and where many begin to fail.

Join us tomorrow as we explore Seneca and compliance under pressure, using Cicero’s foundation as the explicit point of departure.

Categories
Great Women in Compliance

Great Women in Compliance: A Next-Gen Video of Ethics and Compliance

In this episode of the Great Women in Compliance Podcast, Lisa Fine and Sarah Hadden (Gen X) are joined by Rebecca Anker and Emily Frank for an engaging conversation on what the next generation needs from ethics and compliance. Rebecca, Gen-Z, and Emily, a millennial, share candid insights shaped by their experiences as part of the emerging workforce.

The discussion explores the real-life impact of generational influences—from questioning hierarchy and outdated practices to prioritizing transparency, usability, and minimizing the traditional reliance on hierarchy. Rebecca and Emily discuss how the rising stars in the profession are taking the evolution to a collaborative, service-oriented function that partners with the business and clearly explains the why behind policies and decisions to new levels.

They also discuss current topics, including creative, shorter training approaches, balancing regulatory requirements with innovation, responsible AI use, and rethinking speak-up programs. They discuss why language matters, why “whistleblower” may no longer resonate, and how normalizing the act of raising concerns can strengthen speak-up culture across generations.

The episode wraps with practical advice from Rebecca and Emily for more “seasoned” compliance professionals to stay curious and engage with new voices and ideas. It is exciting to see where they and their peers will take the profession. 

Categories
Blog

Greek Philosophers Week: Part 3 – Aristotle and the Daily Practice of Ethics & Compliance

In Part 3, we continue our exploration of the origins of the modern corporate compliance organization, tracing them back to the ancient Greek philosophers, including Aristotle. Plato teaches compliance professionals how to design ethical governance systems. But anyone who has ever operated a compliance program knows that structure alone does not guarantee ethical behavior. Policies exist. Committees meet. Reporting lines are drawn. And yet misconduct still occurs. That is where Aristotle becomes essential to the modern compliance conversation.

Aristotle was not interested in ideal societies. He was interested in how people actually behave. His philosophy focuses on habit, judgment, incentives, and purpose, all of which are central to daily compliance operations. The DOJ Evaluation of Corporate Compliance Programs (ECCP) reflects this Aristotelian realism. It asks not only whether a program is well designed, but also whether it is implemented in practice and works in reality.

If Plato is the architect of compliance, Aristotle is its operator.

Virtue as Habit, Not Aspiration

Aristotle rejected the idea that ethics is a matter of knowing the right thing. He argued that virtue is formed through repeated action. People become ethical by practicing ethical behavior until it becomes a habit. This insight aligns directly with the ECCP’s focus on implementation and effectiveness. Prosecutors do not evaluate what a company claims to value. They assess how employees actually behave under pressure. Training, policies, and controls matter only to the extent they shape habits.

In daily compliance work, this means moving beyond episodic interventions. Annual training does not create virtue. Consistent reinforcement does. Indeed, the DOJ specifically called out companies that “have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

Managers who model ethical decision-making, align incentives with values, and apply consequences fairly all shape behavior over time. Aristotle reminds us that culture is built one decision at a time.

Practical Wisdom and Gray-Area Decision Making

Aristotle distinguished between technical knowledge and phronesis, or practical wisdom. Rules cannot anticipate every situation. Judgment fills the gap. The ECCP implicitly recognizes this by emphasizing risk-based decision-making. A compliance program that relies solely on rigid rules will fail in complex environments. Investigations, third-party reviews, and transaction approvals all require judgment informed by experience and context.

For compliance professionals, this means embracing their role as ethical decision-makers rather than just rule enforcers. It also means documenting judgment. Regulators understand discretion, but they expect it to be principled, consistent, and explainable. Aristotle teaches that wisdom is demonstrated through action guided by reason.

The Golden Mean and Proportional Compliance

One of Aristotle’s most enduring ideas is the Golden Mean. Virtue lies between extremes. Courage sits between recklessness and cowardice. The same principle applies to compliance design and operations. The ECCP expects programs to be appropriately tailored to risk. Over-engineered compliance systems create fatigue, false positives, and cynicism. Under-resourced programs invite misconduct. Both extremes are failures.

Daily compliance operations must strike a balance. Monitoring should be robust but targeted. Controls should be strong but workable. Reporting requirements should capture risk without overwhelming employees. Aristotle reminds us that effectiveness lives in proportion, not excess.

Incentives Reveal Character

Aristotle believed character is revealed by what people pursue and what they are rewarded for achieving. This lesson is painfully relevant to compliance failures. This is also the basis for modern due diligence. The ECCP repeatedly asks how companies incentivize compliance and discipline amid misconduct. The ECCP states, “Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Compensation structures that reward results regardless of method undermine every policy on the books. Employees respond to what is rewarded, not what is written.

In practice, compliance professionals must engage with compensation, promotion, and performance management. Ethics cannot be siloed. When high performers are excused from consequences, the organization sends the message that virtue is optional. Aristotle would argue that such systems inevitably produce unethical outcomes, regardless of stated values.

Purpose and the Role of Compliance

Aristotle believed everything has a telos, an ultimate purpose. Understanding purpose guides action and gives coherence to effort. Compliance programs often struggle when their purpose is framed narrowly as avoiding fines or enforcement. The ECCP encourages companies to adopt a broader perspective, emphasizing risk management, trust, and sustainable operations.

In daily work, purpose shapes priorities. Is compliance positioned as a business partner or a policing function? Is it involved early in decision-making or consulted after damage is done? Aristotle teaches that clarity of purpose aligns behavior. When compliance understands and articulates its role as protecting the organization’s long-term health, its influence grows.

5 Key Takeaways for the Compliance Professional

1. Ethical behavior is formed through habit, not intention.

Aristotle teaches that virtue develops through repeated action. Compliance programs must therefore consistently reinforce ethical behavior, not just episodically. The ECCP emphasizes implementation because policies alone do not shape conduct. Daily reinforcement through leadership behavior, aligned incentives, and consistent consequences builds habits that endure. Compliance professionals should evaluate whether their programs influence how employees actually act under pressure, not just what they acknowledge in training.

2. Judgment is a core compliance competency.

Rules cannot anticipate every scenario. Aristotle’s concept of practical wisdom aligns with the ECCP’s expectation of risk-based decision-making. Compliance professionals must exercise and document judgment in investigations, approvals, and remediation. This requires experience, training, and independence. Ethical compliance is not mechanical. It is reasoned, contextual, and defensible when challenged by regulators or boards.

3. Proportion matters in compliance design.

The Golden Mean teaches that extremes undermine effectiveness. Overly burdensome controls create fatigue and workarounds. Weak controls invite abuse. The ECCP expects tailoring based on risk, geography, and business model. Compliance leaders must design right-sized programs that employees can follow and that management can support. Balance is not compromise. It is effective.

4. Incentives define culture more than policies.

Aristotle understood that character is shaped by what is rewarded. Compliance failures often stem from misaligned incentives. The ECCP scrutinizes compensation and discipline for this reason. Daily compliance operations must engage with HR and leadership to ensure ethics are embedded in performance evaluations, promotions, and bonuses. Culture follows incentives, not slogans.

5. Compliance must have a clear purpose.

Aristotle’s concept of telos reminds us that purpose guides action. Compliance programs framed solely as legal defense lose credibility. The ECCP encourages a broader view of compliance as a risk-management and trust-building approach. When compliance professionals articulate their purpose clearly, they gain influence, resources, and early involvement in decisions that matter.

From Aristotle to Pythagoras: From Judgment to Measurement

Aristotle grounds compliance in habit, judgment, and proportion. But judgment alone is not enough in modern organizations operating at scale. As programs mature, leaders ask how to measure effectiveness, detect patterns, and anticipate risk.

That transition leads naturally to Pythagoras. Where Aristotle focuses on ethical action, Pythagoras focuses on number, proportion, and harmony. In compliance terms, this is the shift toward data analytics, metrics, and AI. If Aristotle teaches us how people should behave within ethical systems, Pythagoras teaches us how to observe, measure, and test whether they actually do.

Aristotle teaches us how ethical compliance is lived day to day. Pythagoras will push the conversation further, asking how data, analytics, and AI can measure, test, and strengthen those ethical systems without losing proportion or judgment. Join us tomorrow in Part 4 to find out how.

 

Categories
Blog

Greek Philosophers Week: Part 2 – Plato and Building Ethical Governance Systems

In Part 2, we continue our exploration of the origins of the modern corporate compliance organization, tracing them back to the ancient Greek philosophers, including Plato. Socrates teaches the compliance professional how to ask the right questions. But questions alone do not protect an organization. They must be translated into governance, structure, and systems that endure. That is where Plato becomes indispensable to the modern compliance conversation.

Plato’s great concern was not whether people could articulate values, but whether societies could be structured to sustain them. His work, particularly The Republic, focuses on justice, leadership, and the design of institutions that align individual behavior with the collective good. For corporate compliance professionals, this is familiar terrain. The DOJ Evaluation of Corporate Compliance Programs (ECCP) is fundamentally a governance document. It asks whether companies have built systems that make ethical behavior the default rather than the exception.

If Socrates is the conscience of the compliance function, Plato is its architect. Think Joe Murphy and his weekly compliance newsletter, Compliance & Ethics: Ideas and Answers.

From Ethical Inquiry to Institutional Design

Plato understood a core truth: that good intentions fail without structure. In the Allegory of the Cave, Plato describes people mistaking shadows for reality because the system around them reinforces illusion. In corporate compliance, the same dynamic occurs when incentives, reporting lines, and performance metrics reward behavior that quietly contradicts stated values.

The ECCP repeatedly asks whether a company’s compliance program is “well designed.” That phrase is not accidental. Prosecutors examine reporting structures, escalation pathways, authority, and resources because ethics without governance is aspirational theater. Plato would recognize this immediately. Justice, in his view, emerges when each part of a system performs its proper role in harmony with the whole.

Daily compliance operations live or die by this design. A hotline without investigation authority, training without consequence management, or policies without ownership all create shadows on the wall. Plato teaches that governance must align form and function.

Justice as Consistency, Not Sentiment

Plato’s conception of justice is not emotional. It is structural. Justice exists when rules are applied consistently and roles are respected. That lesson maps directly onto compliance enforcement and discipline. The ECCP places heavy emphasis on consistent discipline across the organization, including senior management, and asks the following questions: Have disciplinary actions and incentives been fairly and consistently applied across the organization? Does the compliance function monitor its investigations and resulting discipline to ensure consistency? Are there similar instances of misconduct that were treated disparately, and if so, why? What metrics does the company apply to ensure consistency of disciplinary measures across all geographies, operating units, and levels of the organization?

This is Organizational Justice. Regulators know that selective enforcement erodes credibility faster than almost any policy failure. Employees watch how decisions are made. They see who is protected and who is expendable. In daily operations, this requires compliance professionals to insist on fairness even when outcomes are uncomfortable. Investigations must follow evidence, not hierarchy. Remediation must address systemic failures, not just individual misconduct. Plato reminds us that justice perceived as arbitrary is, by another name, injustice.

Governance Structures Are Ethical Decisions

Plato believed that leadership structure determined ethical outcomes. His concept of philosopher-kings was not an elitist fantasy. It was an argument that power should rest with those who possess both knowledge and virtue. Modern compliance programs face a parallel challenge. Who owns compliance? To whom does it report? Does compliance have direct access to the board? Can it act independently of revenue pressure? These are not administrative questions. They are ethical ones.

The ECCP explicitly evaluates whether compliance has sufficient autonomy, stature, and authority. Does a corporate compliance function have (1) sufficient qualifications, seniority, and stature (both actual and perceived) within the organization; (2) sufficient resources, namely, staff to undertake the requisite auditing, documentation, and analysis effectively; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee?

A compliance program buried several layers below decision-makers may exist on paper, but it cannot function effectively. Plato would argue that such a structure inevitably leads to injustice, regardless of intent. In practice, this means compliance leaders must engage in governance conversations, not just operational tasks. Reporting lines, committee charters, and escalation protocols shape behavior long before a policy is breached.

Education, Culture, and Ethical Formation

Plato placed enormous emphasis on education as the foundation of a just society. He understood that laws and punishments alone do not produce ethical citizens. Formation matters. The ECCP reflects this insight by focusing on training effectiveness, communication, and culture. The key is effectiveness. In training, the DOJ asks the following questions: Has the training been offered in a format and language appropriate for the audience? Are the company’s training and communications tailored to the particular needs, interests, and values of relevant employees? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? This means prosecutors will ask whether training is tailored, interactive, and aligned with real-world risk. Checkbox training produces compliance in name only.

Daily compliance work must therefore treat education as formation rather than instruction. Training should reinforce ethical reasoning, not just rules. Communications should explain why standards exist, not merely what they prohibit. Plato teaches that culture is cultivated deliberately, not imposed.

The Cave and Ethical Blindness in Organizations

Perhaps Plato’s most powerful contribution to compliance thinking is the Allegory of the Cave. It explains how intelligent people can remain blind to obvious risk when systems reinforce false narratives.

In corporate settings, ethical blindness often arises from success. When revenue grows and deals close, warning signs are rationalized. Compliance concerns become shadows, dismissed as theoretical or pessimistic. The ECCP’s focus on continuous improvement and periodic testing is a direct response to this risk. Compliance professionals must act as those who have seen the light and returned to the cave, even when their message is unwelcome. Plato warns that truth-tellers are rarely celebrated. Yet without them, organizations mistake comfort for compliance.

5 Key Takeaways for the Compliance Professional

1. Ethical inquiry must be translated into governance.

Asking the right questions is essential, but compliance programs fail when inquiry does not result in structural change. Plato teaches that ethics must be embedded in systems, reporting lines, and decision-making authority. The ECCP reinforces this by evaluating program design, autonomy, and oversight. Compliance professionals must ensure that insights from risk assessments and investigations lead to governance adjustments. Without that translation, ethical awareness fades, and misconduct reemerges under familiar pressures.

2. Justice in compliance is consistency, not discretion.

Plato’s concept of justice demands consistent application of rules regardless of status or performance. The ECCP mirrors this expectation by scrutinizing discipline across seniority levels. Daily compliance operations must reinforce fairness through objective investigations, documented decisions, and transparent remediation. Selective enforcement undermines trust, weakens culture, and signals that ethics are negotiable. Justice must be structural, not situational.

3. Reporting lines and authority are ethical decisions.

Where compliance sits in the organization determines whether it can function effectively. Plato understood that leadership structure shapes outcomes. The ECCP evaluates compliance independence because authority enables ethical action. Compliance professionals must engage in governance discussions to ensure direct access to decision-makers and the board. Without structural authority, even well-intentioned programs become symbolic.

4. Training is ethical formation, not information delivery.

Plato emphasized education as the foundation of justice. Compliance training should shape ethical reasoning, not merely convey rules. The ECCP expects tailored, risk-based training connected to real-world scenarios. Daily operations should reinforce values through ongoing communication and leadership modeling. Culture forms through repetition and example, not annual courses.

5. Ethical blindness thrives in poorly designed systems.

The Allegory of the Cave explains how organizations normalize risk when systems reward illusion. Compliance professionals must challenge comfortable narratives and continuously test assumptions. The ECCP’s focus on monitoring and improvement reflects this need. Plato reminds us that ethical failure often begins with structural blindness, not bad intent.

From Plato to Aristotle: From Structure to Execution

Plato gives compliance professionals the blueprint. He shows how governance structures, justice systems, and educational frameworks translate ethical ideals into organizational reality. But even the best-designed systems fail if they are not used daily.

That is where Aristotle enters the conversation. Aristotle shifts the focus from ideal structures to practical execution, from governance to habit, judgment, and decision-making at the operational level. If Plato teaches us how to design ethical systems, Aristotle teaches us how people actually behave within them. That transition mirrors the next stage in compliance maturity, where structure meets reality and ethics become a matter of daily choice.

Join us tomorrow in Part 3 to find out how.

Categories
FCPA Compliance Report

FCPA Compliance Report: Navigating Corporate Ethics and Compliance Trends in 2026 with Mike Volkov

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this inaugural episode of 2026, Tom Fox welcomes back his good friend and colleague, Mike Volkov, to reflect on the tumultuous year of 2025 and discuss the new trends for the upcoming year. This is Part 1 of a two-part series.

Highlighting the resilience of corporate ethics amid the suspension of the FCPA, the conversation underscores the necessity for businesses to uphold ethical values, despite regulatory changes. Discussions delve into the importance of demonstrating ethical behavior as a fundamental business value and the growing significance of organizational justice and trust within corporations. Moreover, they address evolving enforcement in areas such as export controls, trade sanctions, and tariff regulations, suggesting a shift toward rigorous compliance in national security matters. This episode provides a comprehensive outlook on the compliance challenges and opportunities for 2026.

Key highlights:

  • Welcome to 2026: A New Beginning
  • The Importance of Ethics in Business
  • Organizational Justice and Trust
  • Generational Perspectives on Ethics
  • Emerging Trends in Trade and Compliance

Resources:

Mike Volkov on LinkedIn

Volkov Law Group


Categories
Blog

Michigan Man, Part 4 – Lessons Learned: What This Crisis Teaches Compliance Professionals

Every major compliance failure eventually reaches the same destination: a moment when leadership says, “How did we not see this coming?” The answer is almost always the same. The warning signs were visible. They were rationalized, minimized, or overridden in the name of performance, continuity, or institutional pride.

The Sherrone Moore crisis at the University of Michigan is not a college football anomaly. It is a case study in how compliance programs fail when they are structurally subordinated, culturally discounted, or selectively enforced. For compliance professionals, the value of this case lies not in outrage but in extraction: extracting lessons that can be operationalized before the next crisis unfolds.

Lesson 1: Compliance Authority Must Be Structural, Not Aspirational

Michigan’s experience demonstrates that access to leadership is meaningless without authority. The compliance function may have been consulted, investigations commissioned, and policies in place. None of that mattered when the athletic department retained de facto control over outcomes. For compliance professionals, the lesson is clear. Compliance must have defined escalation rights and veto authority over high-risk decisions, including promotions, discipline, and crisis response. If a business unit can override compliance based on performance or legacy, compliance is not independent. It is decorative.

The Department of Justice has repeatedly emphasized that effective compliance programs require empowered compliance functions. That empowerment must be written into governance documents, reinforced by boards, and tested in practice.

Lesson 2: Past Dishonesty Is a Permanent Risk Factor

One of the most glaring failures in this case was the organization’s willingness to treat Moore’s prior dishonesty during the sign-stealing investigation as a closed chapter. It was not. It was predictive. Compliance professionals must internalize a hard truth: once credibility is damaged, it does not reset. Individuals who have lied to investigators, deleted records, or misrepresented facts should never again be treated as presumptively reliable. Enhanced monitoring, corroboration, and scrutiny are not punitive. They are risk management.

Organizations that ignore this lesson inevitably relearn it at a higher cost.

Lesson 3: Promotions Are Compliance Decisions

The elevation of Moore to head coach was framed as a football decision. In reality, it was one of the most consequential compliance decisions the university made.

Any promotion into a role with significant authority, visibility, and discretion is a compliance event. Risk-based due diligence should include:

  • Review of prior investigations and disciplinary history
  • Assessment of truthfulness and cooperation during past inquiries
  • Evaluation of behavioral and reputational risk, not just technical violations

In corporate terms, Michigan promoted an executive with unresolved compliance issues and a clear lack of ethical grounding into a CEO-equivalent role. That decision alone dramatically increased institutional risk, and the consequences will reverberate for a long time to come.

Lesson 4: Investigations Involving Power Imbalances Require Heightened Standards

The initial investigation into Moore’s relationship with a staffer failed predictably. When both parties denied the relationship and the evidence was limited, the inquiry stalled. That outcome reflects a misunderstanding of power dynamics. Compliance professionals know that power imbalance distorts disclosure. Subordinates may deny relationships out of fear, loyalty, or uncertainty. Senior leaders may deny wrongdoing out of self-preservation. Effective investigations account for this reality by expanding evidence collection, conducting pattern analysis, and implementing interim safeguards.

Neutrality is not passivity. When allegations involve senior leadership, the standard of diligence must rise, not fall.

Lesson 5: Star Performers Are the Highest-Risk Population

One of the most enduring myths in organizational life is that high performers deserve flexibility. In reality, they deserve even greater scrutiny. Star performers operate with autonomy, influence culture, and often shape informal norms. Moore’s trajectory illustrates how repeated exceptions create a sense of entitlement. Each time misconduct is reframed as survivable, the individual learns that boundaries are negotiable. Compliance professionals must relentlessly resist this dynamic.

Rules applied selectively are not rules. They are invitations.

Lesson 6: Pattern Risk Demands Pattern Response

Perhaps the most damning aspect of the Michigan case is that it unfolded amid repeated scandals within the athletic department. When misconduct clusters, the correct response is not incremental fixes. It is a structural intervention. Compliance professionals must recognize pattern risk early and escalate it aggressively. That escalation should include:

  • Enterprise-wide risk assessments
  • Cultural diagnostics
  • Leadership accountability reviews
  • Board-level engagement

Waiting for the next incident is not caution. It is abdication.

Lesson 7: Culture Is Set by What Leadership Tolerates

Michigan’s long-standing deference to athletic success and legacy culture created an environment where misconduct was rationalized rather than confronted. This is not unique to sports. It appears in sales-driven organizations, founder-led companies, and high-growth environments. Culture is not what leadership says. It is what leadership allows. From the Board of Regents to the UM President on down, compliance professionals must evaluate actions, not rhetoric, when assessing culture risk.

Lesson 8: Human Impact Is the Ultimate Compliance Metric

It is easy, especially for lawyers and compliance officers, to focus on policy breaches and enforcement exposure. The Moore crisis is a reminder that compliance failures produce human harm. Families are destabilized. Employees feel unsafe. Stakeholders lose trust. Effective compliance programs exist not only to prevent fines but also to prevent damage. When that purpose is forgotten, compliance becomes performative.

Final Thought: Compliance Is Tested at the Top

The Sherrone Moore crisis did not originate with a junior employee. It originated at the top of a powerful institution. That is where compliance programs are always tested. For compliance professionals, the final lesson is this: if your program cannot stop, slow, or surface misconduct by your most powerful leaders, it will eventually fail when it matters most.

The University of Michigan now faces years of rebuilding trust, governance, and credibility. Compliance professionals elsewhere should treat this case as a warning, not a curiosity. The cost of ignoring these lessons is never hypothetical. It is only deferred. This takeaway is stark but actionable. Compliance failures are rarely a surprise. They are choices made over time. The question for every compliance professional is whether those choices will be challenged early or explained later.

As always, prevention is less visible than a crisis. It is also far less costly.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking, by Austin Meek and Sam Jane, writing in The Athletic.

Fire Everybody, by Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Blog

Michigan Man, Part 3 – When Compliance Is Overruled: Institutional Failure at the University of Michigan

In Part 3, I examined Sherrone Moore’s individual compliance and ethics violations. That analysis was necessary, but it is not sufficient. No serious compliance professional believes that repeated misconduct by senior leaders occurs in a vacuum. Individual failure almost always reflects institutional weakness.

The University of Michigan did not cause Sherrone Moore’s behavior. But the university, and specifically its athletic department, bears responsibility for the systems, decisions, and omissions that allowed risk to accumulate unchecked. This is where the story becomes most relevant to corporate compliance professionals, because it illustrates how even sophisticated institutions can fail when compliance is subordinated to performance, loyalty, or brand protection.

The First Failure: Allowing Athletics to Override Compliance

The most fundamental breakdown at Michigan is structural. Over multiple years, the athletic department functioned as a semi-autonomous power center, capable of managing crises internally while insulating leadership from meaningful accountability.

This dynamic is visible in how the university handled the Connor Stalions sign-stealing scandal. Despite significant NCAA exposure, the program’s response emphasized competitive harm rather than integrity. Moore’s deletion of text messages and subsequent explanations resulted in suspensions, but not in disqualification from advancement. The compliance function did not appear to have veto power over promotion decisions, even when integrity concerns were documented. For compliance professionals, this is a familiar and dangerous pattern. When business units, or in this case, athletics, are allowed to treat compliance as advisory rather than authoritative, the message is clear: results matter more than rules.

The Second Failure: Deference to Legacy and Power

Michigan Athletics operates under a powerful legacy culture. As multiple commentators have noted, the program has long wrapped itself in mythology around the “Michigan Man,” a tradition that stretches back through Bo Schembechler and is reinforced under Jim Harbaugh. That culture prizes loyalty, continuity, and internal succession.

Sherrone Moore was the embodiment of that narrative. He was Harbaugh’s lieutenant, publicly emotional, and deeply embraced by fans and players. That status created what compliance professionals recognize as halo risk. Decision-makers become reluctant to ask hard questions of leaders who symbolize institutional identity.

This deference matters. When leaders are treated as extensions of the institution itself, compliance red flags are reframed as nuisances rather than warnings. That cultural bias undermines independent oversight and discourages escalation.

The Third Failure: A Flawed Internal Investigation Process

The university did commission an outside law firm, Jenner & Block, to investigate the alleged inappropriate relationship between Moore and a staffer. On paper, that decision reflects best practice. In execution, however, significant weaknesses are evident. According to reporting, the investigation initially stalled because both Moore and the staffer denied the relationship, and investigators lacked corroborating evidence. At that point, the inquiry paused rather than intensifying scrutiny or implementing interim risk controls.

This is a classic compliance failure. When allegations involve senior leadership and power imbalances, the absence of evidence should prompt heightened diligence, not closure. Effective investigations recognize that fear, loyalty, or dependency may suppress disclosure. Failing to account for those dynamics is not neutrality. It is naïveté.

The Fourth Failure: Continued Reliance on False Statements

Perhaps the most troubling institutional failure is the university’s repeated reliance on Moore’s representations, despite a documented history of dishonesty during investigations. Moore had already deleted records and provided questionable explanations in the NCAA matter. That history should have triggered enhanced skepticism. Instead, the institution accepted his denials at face value until external corroboration forced action. Compliance professionals know that credibility is cumulative. Once an individual has compromised their credibility, future statements must be independently verified.

By failing to apply that standard, Michigan allowed risk to persist until it exploded into a crisis involving law enforcement.

The Fifth Failure: Inadequate Background and Risk Due Diligence

Moore’s elevation to head coach in 2024 represents a textbook failure of due diligence in risk-based promotion. Promotion decisions, especially into roles of extraordinary authority, must include a holistic review of ethics, compliance history, and behavioral risk.

Moore’s record at the time of promotion included:

  • NCAA violations tied to record deletion;
  • Active involvement in a major compliance scandal; and
  • Prior suspensions that were not yet fully served.

Any one of these is enough to disqualify him from coaching at a major university. Taken together, they should have triggered a serious debate in both the UM Athletic Department and the university as a whole about tone at the top and reputational risk.

In the corporate world, promoting an executive with unresolved compliance issues into a CEO role would be viewed as reckless. Michigan did precisely that, likely prioritizing continuity and optics over risk management.

The Sixth Failure: Crisis Management Without Safeguards

One of the most alarming details reported is that Moore was terminated alone, reportedly without HR representation or security present, despite prior knowledge that he was experiencing mental health distress. From a compliance and HR standpoint, this is indefensible. Terminations involving senior leaders, allegations of misconduct, and emotional instability require structured protocols. These protocols exist to protect all parties, including the organization.

The fact that Moore was later taken into custody following an alleged incident underscores how poor crisis execution can escalate harm rather than contain it.

The Seventh Failure: A Pattern Ignored

The Moore matter does not stand alone. As ESPN and Slate documented, Michigan athletics has faced multiple scandals in recent years, including federal indictments of staff, repeated NCAA violations, and internal HR complaints across sports.

Compliance professionals recognize this as a pattern risk. When misconduct appears across functions and time, the issue is no longer individual actors. It is governance. The university’s decision to launch a broad inquiry into the athletic department acknowledges this reality. However, recognition after the fact does not mitigate prior harm.

Compliance Takeaways

For compliance professionals, the Michigan Man case offers sobering lessons about institutional vulnerability:

  • Compliance functions must have authority, not just access
  • Legacy culture can blind organizations to risk
  • Investigations involving power imbalance require heightened rigor
  • Prior dishonesty must permanently alter credibility assessments
  • Promotion decisions are compliance decisions
  • Crisis response must be governed by protocol, not expediency

Most importantly, organizations must resist the temptation to treat success as a substitute for integrity. Winning programs, like high-performing business units, often receive the least scrutiny and pose the greatest risk.

I hope you will join me for my concluding Part 4, where I will translate these posts into concrete lessons for compliance professionals across industries. These lessons are not abstract. They are operational, structural, and urgent.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking, by Austin Meek and Sam Jane, writing in The Athletic.

Fire Everybody, by Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.