
The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 3: Gonzo as Chief Innovation Officer: Innovation Without Governance Is Just Operational Risk

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. This series uses the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every company eventually hires a Gonzo. Not literally, of course. But every organization eventually encounters someone who believes the limits of the possible are merely suggestions waiting to be ignored. That is Gonzo. He is creative, fearless, experimental, unconventional, and absolutely convinced that launching himself out of a cannon remains a reasonable business strategy despite overwhelming evidence to the contrary. Naturally, he becomes the Chief Innovation Officer.

At first glance, Gonzo appears to represent innovation at its most dangerous. He ignores procedure, embraces uncertainty, and treats risk as entertainment. But beneath the chaos sits a lesson that modern compliance professionals urgently need to understand: innovation itself is not the problem. The problem is innovation without governance.

That distinction matters enormously in today’s corporate environment, where organizations face relentless pressure to adopt the following:

  • artificial intelligence,
  • automation,
  • advanced analytics,
  • digital transformation,
  • agentic AI, and
  • emerging technologies that often evolve faster than governance structures can respond.

In other words, many organizations are currently operating inside a large-scale Gonzo experiment.

Gonzo Represents Innovation Pressure

One overriding instinct drives Gonzo: pushing boundaries. That instinct exists in virtually every modern enterprise. Boards demand innovation. Investors reward disruption. Executives fear being left behind by competitors. Product teams move quickly. Technology leaders promise transformation. Vendors insist their tools are revolutionary. The result is predictable: governance often lags behind implementation.

This is exactly the environment the DOJ’s ECCP increasingly expects organizations to manage. Prosecutors now ask whether compliance programs can identify and respond to evolving risks. They also ask whether organizations adequately understand the technologies they deploy and the risks those technologies create. In practical terms, the government is asking:

“Do you know where your Gonzos are?”

Many organizations do not.

The Problem Is Not Innovation. It Is Uncontrolled Innovation.

Too many compliance discussions frame governance and innovation as opposing forces. That is incorrect. Good governance should enable innovation by allowing organizations to experiment responsibly. The objective is not to stop Gonzo from inventing new things. The objective is preventing Gonzo from accidentally detonating the theater during testing. This distinction becomes critical in AI governance.

Consider what often happens inside organizations:

  • business units adopt generative AI tools without approval,
  • employees upload sensitive data into external systems,
  • procurement bypasses security reviews,
  • automated decision systems are deployed without testing,
  • vendors market “AI-powered” solutions nobody fully understands,
  • and leadership assumes innovation itself justifies the risk.

That is not a transformation. That is unmanaged operational exposure. Gonzo would absolutely deploy experimental AI tools without reading the documentation. He would also enthusiastically demonstrate them during a live performance before anyone completed legal review. Many companies are doing exactly that right now.

Shadow AI Is the Modern Gonzo Problem

One of the most significant emerging governance risks is shadow AI: technology adoption occurring outside formal oversight structures. This happens because innovation pressure rarely waits for policy development. Employees want efficiency. Business units want speed. Executives want results. Vendors promise a competitive advantage. Eventually, someone says:

“We cannot afford to fall behind.”

At that point, governance often becomes reactive rather than proactive. The compliance challenge is not preventing experimentation. It is creating governance structures that enable safe experimentation. This is why mature AI governance programs increasingly rely on:

  • approved use-case inventories,
  • risk-tiering frameworks,
  • data-governance protocols,
  • human oversight requirements,
  • testing standards,
  • escalation procedures,
  • and continuous monitoring.

Or, stated differently:

Someone needs to verify whether Gonzo’s cannon is aimed at the audience.

Innovation Requires Documentation

One of Gonzo’s defining traits is enthusiasm without paperwork. That creates a governance problem. The ECCP repeatedly emphasizes documentation, testing, continuous improvement, and evidence-based compliance. Organizations must demonstrate not merely that policies exist, but that controls operate effectively in practice.

Innovation functions often struggle here because innovation culture tends to prioritize speed over documentation. This creates dangerous blind spots:

  • unclear accountability,
  • undocumented approvals,
  • undefined ownership,
  • missing testing records,
  • inconsistent monitoring,
  • and inadequate escalation procedures.

If the organization cannot explain:

  • why a technology was adopted,
  • who approved it,
  • how risks were assessed,
  • what controls exist,
  • and how effectiveness is monitored,

then the organization does not truly govern the technology. It merely hopes for the best. Hope is not a control.

Gonzo and the Myth of the Brilliant Exception

Another important compliance lesson emerges from Gonzo’s personality itself. Organizations often tolerate elevated risk from highly creative or high-performing individuals because leadership perceives them as uniquely valuable. This is a dangerous governance instinct.

Every major corporate failure eventually contains some version of:

  • “We assumed he knew what he was doing.”
  • “Nobody wanted to challenge the innovation team.”
  • “They moved too fast for the controls.”
  • “The business results were too good to slow down.”

In many organizations, innovation teams become culturally insulated from oversight because questioning them appears anti-progress or anti-growth. That is precisely when governance becomes most necessary. The role of compliance is not to suppress innovation. It is to ensure innovation remains accountable to the enterprise.

Gonzo should absolutely continue inventing things. But somebody must still ask:

  • Was the system tested?
  • Is the data reliable?
  • Who owns the risk?
  • What happens if the model fails?
  • Is there human oversight?
  • Can we explain the outcome?

Those questions are not barriers to innovation. They are what keep innovation from becoming litigation.

Continuous Monitoring: The “Day Two” Problem

One of the most overlooked governance failures occurs after deployment. Organizations frequently focus intensely on implementation but pay far less attention to ongoing monitoring. Yet most technology risks emerge over time through:

  • model drift,
  • scope expansion,
  • vendor changes,
  • data degradation,
  • user workarounds,
  • and control fatigue.

Gonzo perfectly represents this problem because he rarely revisits prior experiments. Once the cannon fires, he is already planning the next stunt. Modern compliance programs cannot operate that way. AI governance, digital governance, and innovation oversight require “Day Two” discipline:

  • continuous testing,
  • ongoing review,
  • updated risk assessments,
  • incident reporting,
  • and remediation protocols.

The question is not merely: “Did the innovation work?” The real question is:

“Does the control environment still work six months later?”

That is where mature governance separates itself from performative governance.

The Board’s Role in Innovation Governance

Boards increasingly face direct oversight expectations regarding technology and innovation risk. That means directors should ask:

  • Do we have formal AI governance?
  • Who owns innovation risk?
  • How are emerging technologies reviewed?
  • What testing standards exist?
  • How do we monitor ongoing performance?
  • What happens when innovation conflicts with compliance requirements?
  • How quickly can issues be escalated?

These questions are no longer theoretical. Regulators increasingly expect boards and senior leadership to demonstrate understanding of operational technology risk, especially where AI, automation, or sensitive data are involved. In governance terms, the age of “let the technology team handle it” is over.

5 Key Takeaways for the Compliance Professional

1. Innovation is not the enemy of compliance.

The real risk is innovation that operates outside governance structures, documentation, and accountability.

2. Shadow AI creates significant operational exposure.

Organizations must identify and govern unauthorized or poorly supervised technology adoption.

3. Documentation is a governance control.

If an organization cannot explain how a technology was approved, tested, monitored, and governed, it does not truly control the risk.

4. High-performing innovators still require oversight.

Organizations should not exempt innovation teams from compliance expectations because they generate results or move quickly.

5. Governance continues after deployment.

Continuous monitoring, testing, escalation, and remediation are essential to managing evolving technology and innovation risk.

From Gonzo to Animal

Gonzo teaches compliance professionals that innovation creates risk when governance cannot keep pace with experimentation. But there is another danger waiting behind the pressure to innovate: the normalization of unmanaged operational chaos. That is where Animal enters the story.

Because eventually every organization encounters a moment when high-energy operational risk stops being an exception and starts becoming part of the culture itself. In Part 4, we will examine Animal as Chief Operating Risk Officer and what he teaches compliance professionals about operational volatility, escalation failures, crisis management, and the dangers of unmanaged high performers.

Categories
Innovation in Compliance

Innovation in Compliance: Monica Goyal on Tech-Driven Solutions for Law Firms

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. This month’s sponsor of Innovation in Compliance is Athennian.

In this episode, Tom welcomes Monica Goyal, the Vice President for Legal Innovation and Lawyer at Caravel LLC and Briefly LLC, to explore the transformative potential of technology in the legal industry.

Monica has a non-traditional journey to the legal profession, beginning with her educational background in electrical engineering and firsthand experience in Silicon Valley. From this perspective and after law school and work in the legal field, she observed multiple process inefficiencies. She discusses how advanced technologies like generative AI and data analytics can address these inefficiencies, improving corporate governance, contract management, and the overall delivery of legal services.

Monica highlights the importance of legal innovation officers in law firms and the role of Caravel Law’s unique model in providing backend support to legal professionals, allowing them to escape administrative tasks and focus on core legal work. She also touches on the innovative concept of fractional in-house counsel, which serves businesses needing more support than external counsel without the full expense of a general counsel. Listeners will gain insights into the growing necessity for legal tech skills and the benefits of tools such as Athennian for document automation. Monica underscores the value of emerging technologies and encourages further exploration of resources like Caravel and Briefly for legal professionals.

Key Highlights:

  • Monica Goyal’s Unique Journey into Law
  • Innovations in Corporate Legal Departments
  • Communicating Tech Solutions to Legal Professionals
  • Caravel’s Unique Business Model
  • Management with Athennian
  • Future of Legal Tech and Data Analytics

Resources:

Monica Goyal on LinkedIn

Caravel LLC

Athennian


Categories
Compliance Tip of the Day

Compliance Tip of the Day: Compliance Innovation Through KPIs

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we consider innovation in compliance through Key Performance Indicators (KPIs).

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program: Day 12 – A Seat at the Table

Going into the 2020s and beyond, a corporate compliance function must be integral to your business strategy. One of the key reasons is that the ever-important debate of compliance as a cost center will become more critical in this decade. If compliance programs are ineffective, enforcement actions will continue to be highly costly. Over the last 10 years, there has been an increasing impact on the business where you must have compliance resources focused on remediation and business resources. This has only grown greater with reputational risks amplified by social media.

This is because as significant (and costly) as these regulatory fines and penalties have been, it is the intangible reputational damage that, in the long run, may be even more expensive. Multiple stakeholders who might not desire to play out on the risk curve might be at higher risk, located in higher-risk jurisdictions, or operating in higher-risk industries. Further, there are other consequential impacts if compliance does not have a seat at the table. Suppose compliance has a seat at the table. In that case, there can be some leeway for compliance officers and firms to figure out how best to roll out a compliance program that is commensurate with the organization’s risk and compliant with the regulations. If compliance is relegated to the back of the (corporate) bus, there will be little chance to do so.

Three key takeaways:

  1. It will be even more important for compliance to sit at the table in the future.
  2. Look for synergies with other types of compliance.
  3. Such synergies can be a big cost savings.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 5 – Communication to see Around Corners

The more you can operationalize compliance, the more it works to operationalize culture in your organization. It works for all levels of a company, literally from the Boardroom to the shop floor. The DOJ and SEC recognized this when they noted in their 2020 FCPA Resource Guide, “A compliance program should apply from the board room to the supply room – no one should be beyond its reach.” Yet culture can provide more than simply an ethical foundation, and it is also a part of the business foundation of an entity.

Using such an approach to communications allows a CCO to “see around corners” and can be one of the greatest strengths of a best practices compliance program. The reason is listening. Listening is a key leadership component, and there are certainly many ways to listen. You can sit in your office and wait for a call or report on the hotline, or you can go out into the field and find out what challenges employees are facing. From this, you can work with them to craft a solution that works for the company and holds to the company’s ethical and compliance values.

Using social media tools, a CCO can move towards Thomas’ next key ingredient of a successful corporate culture, which is trust. Thomas said, “I’m obsessive about the culture that we create specifically around trust, and this is an adjustment for some people when they come here. If you join our team, there’s trust by default here. That means you trust in the competence of your teammates. You trust in their intentions and what they’re saying. At some companies, the culture is that trust is earned over time, but that means if everyone in the organization says you have to earn trust, the amount of energy that actually goes into the trust-earning process is a distraction from our mission.”

Three key takeaways:

  1. A company can fail if it does not get its culture right.
  2. Using communications to “see around corners.”
  3. Trust works as a business strategy.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 3 – The Digital Transformation of Compliance

Through restructuring, senior leadership can signal that digital transformation in compliance is critical for the future of the organization. From this point, the compliance function can work with an internal digital product design group. By doing so, the corporate compliance function can work with a team dedicated to supervising the development of the new compliance solution through product design, testing, and analysis, which will include customized generative design and analysis tools. Top management can signal the importance of the compliance digital transformation by using this dedicated team to spearhead the compliance function’s digital transformation development process.

One of the great things about the compliance world is that we are only limited by our own imaginations. If you can imagine a better way for your company to comply fully, it is at your disposal to do so. Yet, rarely do we think about the structure of how compliance activates as a way to operationalize compliance more fully. By identifying and bringing in the skills needed to move forward with compliance innovation, you can help kick-start the compliance operationalization process through a digital transformation of your compliance regime. By doing so, you may make all the difference between success and failure coming out of the Coronavirus health crisis as the world reopens for business.

Three key takeaways:

  1. Have you considered a generational team approach to a digital transformation in compliance?
  2. Have non-compliance professionals aid in compliance program development.
  3. In compliance, you are only limited by your imagination.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 2 – Taming Complexity in Compliance

One of the lessons we have learned from various FCPA enforcement actions over the years is how complexity in business organizations can work to defeat compliance programs. Whether a corrupt employee is working to actively hide a pot of money, which can or will be used to pay a bribe, or an improper payment slips through the cracks, complexity can work to defeat a best practices compliance program. A compliance function needs visibility into a business unit, how it does business, and where its payments are going, or else it may be due to design defects or inadvertent complexity.

Compliance is now in an era of brisk innovation and evolution. It is prone to technological change and rapid obsolescence of the lawyer-driven, spreadsheet-based, and Word document-based compliance programs. As we advance, the compliance professional needs to understand that a “package of resilience, adaptability, coordination, and inimitability becomes more attractive than the package of efficiency, understandability, manageability, and predictability.” The key is to learn how to harness complexity on a sustainable basis.

Three key takeaways:

  1. Not all complexity is bad.
  2. If you cannot figure out how a foreigner does business, you have a problem.
  3. Compliance is now properly seen as a business process.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 1 – Originating a Compliance Ecosystem

The compliance profession is at an inflection point, moving away from the lawyer-driven written policies and procedures to a more operationalized regime where compliance is a part of the overall ecosystem embedded directly in the business process-focused discipline. Seen in this manner, compliance will be seen not as a cost center but as a value creation center, helping the company to make business processes more efficient and then more profitable. To be the orchestrator and prime mover of a compliance ecosystem, you need a superior compliance service that is hard to replicate. This means some combination of compliance, an extensive network of internal users, and strong branding.

Compliance is undergoing a paradigm shift as a result of technological and digital innovation. CCOs who cannot interpret the data from their systems will likely find themselves consigned to the dustbin of corporate luddites. Compliance will be moving into a new era of collaboration and connection to more fully operationalize compliance to make all business stakeholders more efficient and more profitable.

Three Key Takeaways:

  1. Compliance is undergoing a paradigm shift as a result of technological and digital innovation.
  2. To be the orchestrator and prime mover of a compliance ecosystem, you need a superior service that is hard to replicate.
  3. Compliance should help other corporate functions.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program in Training and Communications – Sharing to 360-Degrees of Communication

Why do people share information? The answer to that question has important implications for every compliance practitioner and compliance program. Sharing is a primary method to communicate and connect. This is always a challenge in any far-flung international corporation, particularly for disciplines that can be viewed as home office overhead at best and the Land of No at worst. Work to hone your message through social media. Part of this is based on experimenting with what message to send and how to send it. Another aspect was based upon the Wave (of all things), its development, and coming to fruition in the early 1980s. It took some time for it to become popular, but once it was communicated to enough disparate communications, it took off. “It’s the same thing with social media. On social media, we think something will go viral because the art is beautiful or the science is full of deep analytics, but it takes time to build the community.”

This means that you will need to work to hone your message and continue to plug away to send that message out. The Morgan Stanley declination will always be instructional as one of the reasons the DOJ did not prosecute the company, as they sent out 35 compliance reminders to its workforce over seven years. Social media can be used in the same cost-effective way to get the message of compliance out and to receive information and communications back from your customer base, the company employees.

Three key takeaways:

  1. What makes your employees want to share information?
  2. Facilitate mechanisms that allow sharing with the compliance function.
  3. The Morgan Stanley declination still resonates.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program in Training and Communications – Using Social Media to Innovate in Compliance

I am a huge fan of using social media in your compliance function. But how can you get your arms around how to structure such a program for your company? After acknowledging that social media focuses on the social aspects of communication, the most important thing to remember is that communication in social media is two-way, both inbound and outbound. It helps to bring your employee base together in an efficient manner to create an environment conducive to compliance for your organization. It also has the benefit of continued engagement. It is more than putting on training or even a set of initiatives; you can continue the conversation and enthusiasm about compliance going forward throughout the year. The authors break this down further into three parts that emphasize 1) the need to listen to and learn from user-generated content, 2) the need to engage and facilitate dialogue with employee innovators, and 3) to find an audience of early adopters to create excitement and collect feedback.

If your goal in the compliance function is to create awareness and publicize your compliance program and initiatives, social media can be a powerful tool. This is so paramount that it should become a core activity of your compliance function. Using social media tools, your compliance function can tell the story of compliance, communicate expectations, and even train. Yet again, it is simply more than a one-way tool. Just as employees are more apt to tell you about a concern immediately or soon after being trained on that issue, they may well communicate directly with you after receiving social media communication on subjects such as managing third-party relationships.

CCOs and compliance practitioners must develop a dedicated compliance strategy around social media in the context of their corporate objectives. It allows you a 360-degree view of compliance, through which you can take input from your employee base and create a compliance experience that your employees will embrace.

Three key takeaways:

  • Never forget that social media is a two-way communication.
  • Company employees are the customers of the compliance department.
  • As with all compliance issues, assess what works for your company and appropriately tailor your social media approach.

For more information, check out The Compliance Handbook, 4th edition here.