Tag: investigation

Categories
Blog

The Game Is Afoot in Compliance: Why Sherlock Holmes Still Matters to the Modern Compliance Professional

It is with no small amount of pride that I am pleased to announce the publication of my latest book, The Game Is Afoot in Compliance. The book was sponsored by Gan Integrity. There is a reason Sherlock Holmes still resonates with compliance professionals. It is not nostalgia. It is not literary charm. It is not Victorian fog and deerstalker hats. It is a method.

That is what makes The Game Is Afoot in Compliance such a compelling contribution to the compliance profession. The book’s central insight is that Holmes gives us more than a detective story. He gives us a way to think. He gives us a discipline of observation, skepticism, rigor, and moral clarity that aligns remarkably well with the Department of Justice’s expectations for a modern compliance program.

For Chief Compliance Officers, compliance practitioners, boards, internal audit, and legal, that is the real message. Holmes is not a gimmick. Holmes is a framework. In the book, each of the four Holmes novels maps onto a core compliance discipline. Taken together, they form a coherent approach to designing, testing, and leading a best-practices compliance program.

We start with A Study in Scarlet. The lesson here is investigation. Holmes insists on evidence before theory. He refuses to let assumptions drive conclusions. He follows facts, not narratives. That is as close as one can get to the DOJ’s current expectations. Under the 2024 Evaluation of Corporate Compliance Programs, the DOJ is not interested in whether a company can identify a problem. It wants to know whether the company can investigate thoroughly, understand what happened, determine why it happened, and use that knowledge to improve going forward. The FCPA Resource Guide makes the same point differently. A compliance program must work in practice, and a credible investigative function is a large part of proving that.

Holmes would understand that immediately. He would also understand root cause analysis. The novel A Study in Scarlet is not simply about solving a crime. It is about going deeper than the surface event and uncovering the human, structural, and historical causes beneath it. That is precisely what compliance officers must do. Misconduct rarely appears out of nowhere. It is usually the product of pressure, weak controls, cultural tolerance, or a failure to act on warning signs.

Then comes The Sign of Four. Here, the lesson is signals, data, and decision-making. Holmes’ genius was not that he had more information than everyone else. It was that he knew how to distinguish signal from noise. That may be the most important compliance lesson of all in 2026. Every company today is awash in data. The issue is not access. The issue is architecture, judgment, and discipline.

This is where The Game Is Afoot in Compliance becomes particularly timely. Fox connects Holmes to data analytics, pattern recognition, communication, and ongoing monitoring. That is exactly where the compliance profession has moved. The best programs use data to identify anomalies, test controls, and surface risks before they become enforcement matters. But data alone is not enough. Holmes reminds us that human judgment still matters. Someone has to ask the right question. Someone has to notice the odd payment, the missing approval, the relationship that makes no sense, or the policy exception that keeps repeating.

Boards should take note here as well. Board oversight in compliance is not passive. Directors should be asking whether the company has information flows that produce timely, useful, and actionable insights. They should ask whether the compliance function can convert data into decisions. They should ask whether management can explain what it is monitoring, why it is monitoring it, and what it has learned from that work. A dashboard without analysis is decoration. Holmes would have no patience for decorative oversight.

In The Hound of the Baskervilles, I turn to third-party risk and accountability. This may be the most direct compliance analogy in the entire book. The great danger in The Hound is not simply the hound itself. It is the myth surrounding it. People accept the legend. They stop asking hard questions. They allow fear and assumption to take the place of inquiry. How often does that happen in business? “That distributor has been with us forever.” “That agent knows the local market.” “That is how business gets done there.” Those are the modern legends of the Baskerville moor. In compliance, they are red flags wrapped in habit.

The FCPA Resource Guide is crystal clear that risk-based due diligence on third parties is essential. The DOJ has repeatedly emphasized that onboarding due diligence is not enough. Companies must monitor. They must test. They must revisit. Fox makes exactly that point through Holmes: trust without verification is not trust. It is negligence

This is also where independence comes in. Holmes often solved the problem because he was willing to step back from accepted narratives and popular opinion. The compliance function must have that same independence. It must be empowered, adequately resourced, and able to challenge business assumptions. If compliance is too close to the business to question it, then the program is already standing in the Grimpen Mire.

Finally, The Valley of Fear gives us the lessons of a speak-up culture, whistleblower protection, and controls on retaliation. This is perhaps the most urgent message in the book. Fear kills truth. It silences witnesses. It protects wrongdoers. It allows misconduct to metastasize. I use The Valley of Fear to show that a hotline alone is never enough. Regulators now expect proof that employees can raise concerns safely, that those concerns are investigated fairly, and that retaliation is prevented and punished. The ECCP makes this explicit. Companies must demonstrate that their reporting system is trusted and that appropriate controls are in place to prevent retaliation.

This is where leadership and board oversight become inseparable from culture. Tone at the top still matters, but so does conduct in the middle and response at the bottom. Employees watch what happens when someone raises a concern. They watch whether the reporter is protected. They watch whether the issue disappears. Every response is a cultural signal. That is one reason I wanted to write The Game Is Afoot in Compliance, and why I believe it is valuable for the compliance professional. It reminds us that compliance is not only about structure. It is about posture. Holmes teaches posture. He teaches curiosity over complacency. Evidence over assumption. Courage over convenience. Truth over comfort. Those are not literary flourishes. They are operational requirements for an effective compliance program.

The larger point is this: Holmes gives compliance professionals a mindset that fits modern enforcement expectations. The DOJ wants programs that work in practice. The FCPA Resource Guide calls for risk-based, dynamic, and grounded programs. Boards are increasingly expected to oversee not merely whether a program exists, but whether it is effective. In that environment, The Game Is Afoot in Compliance lands at exactly the right time.

It is a book launch with a larger purpose. It does not simply promote Sherlock Holmes as an entertaining analogy. It positions Holmes as a serious guide for the modern compliance professional. Fox gets that exactly right. Because at the end of the day, the best compliance officers are detectives of culture, analysts of systems, skeptics of easy answers, and guardians of institutional integrity. In other words, they are Holmesian.

And that is why this book matters.

5 Key Takeaways

  1. The Game Is Afoot in Compliance shows that Holmes provides a practical framework for modern compliance, not just a literary metaphor.
  2. A Study in Scarlet teaches the value of evidence before theory, rigorous investigation, and root cause analysis.
  3. The Sign of Four demonstrates that data only becomes useful when it is translated into disciplined monitoring, sound judgment, and defensible decisions.
  4. The Hound of the Baskervilles is a powerful lesson in third-party risk, independence, and the danger of letting myth or business custom replace due diligence.
  5. The Valley of Fear reminds us that fear and retaliation destroy speak-up culture, and that regulators now expect companies to prove their systems protect those who raise concerns.

You can purchase a copy of The Game Is Afoot in Compliance from Amazon.com. The book is sponsored by Gan Integrity and features a foreword by Karen Moore. Gan Integrity is sponsoring a road show, The Integrity Road, highlighting the book and each novel as a launching point for a larger discussion of compliance in 2026. The schedule is

Tuesday, April 21, in NYC, where we will discuss A Study in Scarlet and Investigations.

Tuesday, April 28, in San Francisco, where we will discuss the Sign of Four and AI in Compliance.

Tuesday, May 19, in London, where we will discuss The Hound of the Baskervilles and 3rd Party Risk.

You can register and find out more information here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Board Investigation Protocols

Many companies have an investigation protocol in place when a potential compliance violation or other legal issue arises. However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board does handle an investigation right, the consequences to the company, its reputation and value can be quite severe. The SEC considers a variety of factors around corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company?

Dan Chapman has said this is the time for a very frank conversation with your Board about what such an investigation will entail. Costs must be adequately discussed to set proper expectations. These include both direct costs and, what Chapman believes may be even more important, a discussion of indirect costs to the company. He noted, “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time to the investigation, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

Finally, Jonathan Marks has noted after notification of serious allegations, Boards should take the following steps:

• Consider creating a Special Committee to conduct the investigation;

• Establish a committee charter;

• Preserve the electronic and hardcopy documentation environment;

• Communicate with external auditors; and

• Plan potential communication with the SEC, DOJ, and the relevant stock exchange.

Marks also notes that while a special committee might be necessary in certain rare circumstances, the Board should try to avoid forming a special investigative committee to oversee the investigation if the Audit Committee is composed of independent and disinterested directors that are suited for the task. A special committee must be disbanded at some point (usually once the investigation is completed and before the restatement process begins), and the disbanding could become a complicated news item. Conversely, if the Audit Committee oversees the investigation, then, once the investigation is complete, they can pivot back to their normal role, which would include overseeing the actual restatement process. Investigations overseen by the Audit Committee also benefit from the positive relationship that the committee chair usually has with the audit partner of the company’s external auditor.

 Three key takeaways:

1. The Board should have a written protocol for investigations prepared in advance.

2. Any Board led investigation must be both credible and objective.

3. The investigation must be thorough but the Board can be cost effective.

Categories
31 Days to More Effective Compliance Programs

One Month to Better Reporting and Investigations – Preparing for the Investigation

Under Part 1, Section D. Confidential Reporting Structure and Investigation Process stated in part, Properly Scoped Investigation by Qualified Personnel –What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct research, and who makes that determination? These questions were presaged by the DOJ’s 2015 Yates Memo and the 2016 FCPA Pilot Program. The pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, right is even greater now.
Jonathan Marks began by cautioning that when considering any well-run internal investigation, a CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and does the CCO, compliance practitioner, or legal team have the skills and capabilities to handle the matter which has arisen. Obviously, if there are esoteric accounting issues or significant internal control workarounds and overrides, a CCO may not have the skills to really understand all the issues. Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.”

Three key takeaways:

  1. Always remember your ultimate audience may be the government.
  2. You must understand both the business environment and extended business enterprise.
  3. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Introduction

The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond. This chapter will provide you with the steps you will need to consider going forward.
This chapter will detail the two parts; internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline, or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

Three key takeaways:

  1. A robust internal reporting system will be one of the key indicia the DOJ considers.
  2. Hotline reporting can bring a visibility to problems.
  3. Hotline reports must be treated fairly and justly.
Categories
ComplianceLIVE

Episode 20: Compliance Investigations in the Time of Coronavirus

Amanda welcomes ComplianceLine’s Director of Compliance Jenelle Stone Case to the studio to discuss tips on how to conduct compliance investigations remotely.

Check out more episodes and full episode videos at ComplianceLine.com, and don’t forget to subscribe on your favorite podcast platform!