
Greek Philosophers Week: Part 1 – Socrates and Asking Questions

I have long wanted to trace the origins of the modern corporate compliance organization back to the ancient Greek philosophers, drawing lessons for compliance and ethics in 2026 and beyond. Today, I begin a five-part series where I do just that. In this series, we will consider Socrates, Plato, Aristotle, Pythagoras, and Euclid. We start with Socrates.

Socrates left no writings of his own. What he left was a method. He believed wisdom began with recognizing what one did not know and then relentlessly testing assumptions through disciplined questioning. That approach maps directly onto the daily work of the compliance professional. Risk assessments, investigations, root cause analysis, culture reviews, and even board reporting all rise or fall based on the quality of the questions asked.

Every effective compliance program begins with a question. Not a policy. Not a control. Not a dashboard. A question. That insight alone makes Socrates the right place to start any serious discussion about the influence of ancient Greek philosophy on modern corporate compliance and ethics programs.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use the word “Socratic,” but its expectations are unmistakably aligned with Socratic inquiry. Prosecutors repeatedly ask whether a company understands its risks, tests its assumptions, challenges its controls, and adapts when reality changes. A compliance program that does not ask hard questions is not mature. It is merely quiet. Indeed, Hui Chen, the author of the original ECCP, has said that a key purpose of the ECCP was to get compliance professionals to ‘ask questions’.

Ethical Inquiry as a Compliance Obligation

Socrates believed that unexamined beliefs were dangerous. He challenged Athenian leaders not because he enjoyed disruption, but because false confidence creates harm. In a corporate setting, the same risk exists when executives assume that a policy equals compliance or that training completion equals ethical behavior. The ECCP frames its evaluation around three fundamental questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

These questions are fundamentally Socratic. They demand inquiry into how the business actually operates, where pressure points exist, and how misconduct could realistically occur. A compliance function that accepts management narratives at face value fails this test.

Daily compliance operations depend on this discipline. When reviewing third-party relationships, a Socratic compliance officer does not ask whether due diligence was performed. They ask whether it was sufficient, whether red flags were rationalized, and whether business incentives distorted judgment. That is inquiry, not administration.

Challenging Assumptions Without Becoming the Enemy

Socrates was executed because his questioning made powerful people uncomfortable. Compliance professionals face a less dramatic, but no less real, version of that tension. The role requires challenging assumptions, even when doing so slows deals, complicates reporting lines, or disrupts revenue projections.

The ECCP specifically evaluates whether a corporate compliance function has sufficient staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. Does the company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

Those structural questions exist because DOJ understands that inquiry without protection is performative. If compliance professionals cannot safely ask uncomfortable questions, the program is cosmetic.

In daily operations, this plays out in subtle ways. Does compliance have the authority to pause a transaction? Can investigators follow evidence wherever it leads? Are audit findings welcomed or explained away? A Socratic approach demands that compliance leaders test these realities rather than assume the answer.

The Socratic Method in Investigations and Root Cause Analysis

Socrates did not accept the first answer offered. He pushed deeper, often exposing contradictions or incomplete reasoning. That approach is directly applicable to investigations and root cause analysis. The ECCP places significant emphasis on whether companies understand why misconduct occurred and whether remediation addresses underlying causes. Too many investigations stop at identifying who violated a policy. Echoing Jonathan Marks, Socratic investigation asks why the violation made sense to the individual at the time. What pressures existed? What incentives misaligned behavior? What controls failed or were bypassed?

This type of inquiry requires patience and courage. It also involves trust from leadership. Findings may implicate management decisions, cultural signals, or compensation structures. Socrates reminds us that truth-seeking is rarely comfortable, but it is essential to ethical improvement.

Culture Is Revealed by the Questions You Allow

Socrates believed that a society’s health could be measured by its openness to questioning. The same is true for corporate culture. The questions employees feel safe asking reveal more than any values statement. The ECCP now explicitly asks companies to explain how they measure and address culture. The ECCP states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Surveys, hotline data, and exit interviews are tools, but they are meaningless without inquiry. Key questions include: Are employees encouraged to speak up? Are concerns investigated thoroughly? Are outcomes communicated? Is retaliation punished?

In daily compliance practice, this means listening as much as enforcing. A Socratic compliance program does not treat employee concerns as noise to be managed. It treats them as data points to be explored. The quality of questions asked in response to a report often determines whether trust is strengthened or destroyed.

5 Key Takeaways for the Compliance Professional

1. Effective compliance begins with inquiry, not documentation.

A compliance program does not become effective simply because policies exist or training is completed. Effectiveness begins when compliance professionals consistently ask how misconduct could realistically occur within their organization. This requires challenging business assumptions, pressure points, and incentive structures. The ECCP repeatedly emphasizes the importance of understanding risk in context, which is impossible without disciplined questioning. A Socratic approach positions inquiry as an operational obligation, not an intellectual exercise, ensuring the program remains dynamic, responsive, and grounded in reality rather than formalism.

2. Risk assessments are living Socratic exercises, not static reports.

Too many organizations treat risk assessments as periodic documentation rather than ongoing inquiry. A Socratic risk assessment tests assumptions continuously as business models, geographies, and incentives evolve. Compliance professionals should revisit risk hypotheses, ask whether controls still function as intended, and challenge comfort-driven conclusions. Under the ECCP, regulators expect risk assessments to inform program design and resource allocation. Socratic inquiry ensures risk assessments remain relevant, credible, and capable of identifying emerging threats before they mature into enforcement issues.

3. Investigations must pursue understanding, not merely attribution.

Identifying who violated a policy is rarely sufficient to prevent recurrence. A Socratic investigation asks why the misconduct occurred, what pressures or incentives influenced behavior, and how organizational systems failed. This aligns directly with the ECCP’s focus on root cause analysis and remediation. When compliance professionals ask deeper questions, investigations become tools for program improvement rather than disciplinary endpoints. This approach strengthens controls, enhances credibility with regulators, and reduces the likelihood of repeat misconduct driven by unresolved systemic weaknesses.

4. Speak-up culture is defined by response quality, not hotline volume.

Organizations often measure speak-up culture by the number of reports received, but Socrates teaches that the real measure lies in how questions are received and addressed. Employees quickly learn whether raising concerns leads to thoughtful inquiry or defensive dismissal. The ECCP evaluates whether companies encourage reporting, protect against retaliation, and communicate outcomes appropriately. A Socratic compliance function listens carefully, asks clarifying questions, and treats concerns as signals worth examining. That discipline builds trust and reinforces ethical accountability across the organization.

5. Socratic questioning requires independence, authority, and protection.

Inquiry without authority is performative. Socrates paid the ultimate price for challenging power, but modern compliance professionals should not. The ECCP explicitly assesses whether compliance functions have sufficient independence, resources, and access to leadership. Without these safeguards, difficult questions go unasked or unanswered. A Socratic compliance program empowers professionals to challenge decisions, pause transactions, and escalate concerns without fear of retaliation. That structural support transforms ethical inquiry from individual courage into institutional practice.

From Socrates to Plato: From Inquiry to Structure

Socrates gives us the starting point. He teaches the compliance professional how to think, question, and resist complacency. But inquiry alone is not enough. Questions must eventually lead to structure, governance, and systems that translate insight into action.

That transition sets the stage for Plato. Where Socrates focuses on method, Plato focuses on design. The movement from Socrates to Plato mirrors the evolution of a compliance program itself, from asking whether risks exist to building governance structures capable of addressing them. In that sense, Socrates is the conscience of the compliance function. He reminds us that effectiveness begins with intellectual honesty and ethical curiosity. Without those traits, even the most sophisticated compliance architecture will rest on shaky ground.

Join us tomorrow for Part 2 and learn about Plato’s role in today’s compliance and ethics programs.


Compliance and AI: Navigating the Challenges and Opportunities of Agentic AI in Compliance

What is the intersection of AI and compliance? What about Machine Learning? Are you using ChatGPT? These questions are just three of the many we will explore in this cutting-edge podcast series, Compliance and AI, hosted by Tom Fox, the award-winning Voice of Compliance. Today, the Everything Compliance gang, led by Dr. Hemma Lomax, is considering how to navigate the challenges and opportunities of agentic AI in compliance.

In this episode, we explore the rapidly evolving landscape of Agentic AI and its implications for compliance professionals. Agentic AI, defined as AI that acts autonomously rather than just responding to prompts, presents both significant opportunities and challenges. The technology can optimize risk management and compliance workflows, but it also introduces complexities around accountability, transparency, and oversight. We discuss recent real-world examples of Agentic AI in use, such as in banks and tax agencies, and highlight potential risks, including autonomous collusion and AI agents making unethical decisions. The episode emphasizes the need for compliance teams to shift from monitoring human activities to overseeing intelligent systems, ensuring the establishment of proper guardrails. We also delve into new roles emerging in this landscape, such as AI ethics coaches and agent supervisors, and the importance of human intervention to verify AI decisions. Join the discussion to understand how to navigate this transformative technology responsibly and effectively.

Key highlights:

  • Defining Agent AI
  • Implications for Compliance and Ethics
  • Challenges and Risks of Agent AI
  • Real-Time Compliance and Risk Management
  • Human Oversight and AI Governance



Great Women in Compliance – GWIC Joins Everything Compliance

Today, we have a special joint episode of GWIC and Everything Compliance. Lisa Fine and Hemma Lomax recently joined Matt Kelly and Jonathan Marks for an episode of Everything Compliance (Episode 162—the Numbers Numbers Numbers edition), which will post on Thursday, December 4. We are cross-posting the episode here on Great Women in Compliance.

Lisa Fine, Hemma Lomax, Matt Kelly, and Jonathan Marks each bring a unique perspective to the discussion of corporate corruption and the intersection with drug cartels, as exemplified by the Millicom Cellular case. Lisa highlights the need to understand the risks associated with smaller markets and the complexities of joint ventures, advocating for enhanced compliance education and vigilance to mitigate cartel-related corruption. Hemma underscores the importance of integrating proactive compliance measures and automation, promoting “everyday integrity as a service” to preempt issues like bribery and data leakage. Meanwhile, Matt and Jonathan focus on the structural vulnerabilities in governance and the critical need for transparency and robust monitoring systems to prevent the entanglement of corporate operations with cartel activities, cautioning against underestimating the risks in seemingly low-revenue markets.

Highlights include:

  • Millicom Cellular: Corporate Corruption and Cartel Connections
  • Enhancing Compliance through Systematic Involvement Strategies
  • AI-Driven Real-Time Risk Detection in Compliance
  • Enhancing Governance to Prevent Sports Betting Scandals
  • Regulatory Changes in the Global Compliance Environment
  • AI-Enhanced Policy Clarity and Management Techniques
  • Raves and Rants

Compliance Risk Assessment vs. Fraud Risk Assessment: Why the Distinction Matters

One of the most common points of confusion I see in the compliance space is the conflation of a compliance risk assessment and a fraud risk assessment. At first glance, they may look similar as both touch on governance, controls, and organizational exposure. Yet, as Jonathan Marks emphasized in a recent episode of the Data-Driven Compliance podcast, they are not the same. They serve different purposes, employ different methodologies, and generate different impacts. And if you blur the two, you may be leaving the corporate back door wide open.

In this post, I aim to explore the distinctions, explain why they matter, and demonstrate how both assessments complement one another in building a stronger, more resilient compliance program.

Compliance Risk Assessment: Coloring Inside the Lines

A compliance risk assessment is the backbone of the compliance function. It answers the question: Are we following the laws, regulations, and internal policies to which we are required to adhere?

The methodology is structured around:

  • Identifying obligations — What laws, regulations, and internal codes apply to our business?
  • Assessing exposure — Where are we most likely to be out of compliance?
  • Evaluating controls — What policies, procedures, and safeguards exist to manage those obligations?
  • Prioritizing remediation — Which gaps carry the greatest legal, financial, or reputational risk?

The Department of Justice (DOJ) has long framed this as a “three-question test”: Is your program well designed? Is it implemented in good faith? Does it work in practice? A compliance risk assessment is the diagnostic tool that helps answer these questions.

Consider this: a compliance risk assessment ensures that the organization operates within the bounds of the law. It helps the business avoid the unintentional missteps that could land it in hot water with regulators.

Fraud Risk Assessment: Thinking Like a Fraudster

By contrast, a fraud risk assessment is not about whether you are following the rules; it is about whether someone could deliberately break them, deceive the organization, and benefit at its expense. Marks put it succinctly: compliance without fraud detection is like locking the front door while leaving the back door wide open.

A fraud risk assessment is built around three key elements:

  1. The Act – The fraud scheme itself. Examples include false vendor setups, revenue inflation, insider collusion, or misuse of restricted funds.
  2. The Concealment – How the scheme is hidden. Fraud is rarely obvious. It may involve falsifying documents, manipulating data, overriding controls, or exploiting process weaknesses.
  3. The Conversion – How the perpetrator benefits. Whether through cash, bonuses, promotions, or reputational gain, there is always a payoff.

This approach is fundamentally about mindset. A compliance risk assessment looks at processes. A fraud risk assessment forces you to think like the fraudster, the “mind behind the crime.”

Methodological Differences

Marks emphasized that while compliance risk assessments and fraud risk assessments may overlap, their methodologies diverge in several important ways:

  • Focus on Intent vs. Process
    • Compliance asks: Are we following the rules?
    • Fraud asks: Could someone intentionally subvert the rules, and would we detect it in time?
  • Scope of Risk
    • Compliance focuses on legal and regulatory exposure.
    • Fraud encompasses a broader range of threats, including financial, operational, and reputational risks—whether driven by insiders or outsiders.
  • Tools and Techniques
    • Compliance assessments often rely on surveys, documentation review, and structured interviews.
    • Fraud assessments utilize forensic tools, including analytics, behavioral red flags, and targeted scenario testing, to identify potential risks.
  • Outcomes
    • Compliance assessments typically produce policies, certifications, and gap analyses.
    • Fraud assessments deliver actionable detection and deterrence strategies.

Red Flags: The Early Warning System

One of the most practical contributions of a fraud risk assessment is its focus on red flags, the early warning signs that something is not right. Marks categorized them into four groups:

  1. Data Red Flags – Unusual transaction timing, frequency, or amounts.
  2. Document Red Flags – Missing or altered records, incomplete approvals.
  3. Control Red Flags – Inadequate segregation of duties, override of established processes.
  4. Behavioral Red Flags – Employees living beyond their means or facing personal stressors.

The key is not simply to identify these red flags, but to connect them back to your control environment. Are your controls designed to catch intentional deception or only unintentional error? Too often, organizations rely on compliance-oriented controls that were never built to stop someone determined to cheat the system.

Skills and Experience Matter

Another critical difference lies in who conducts the assessment. Compliance risk assessments often require individuals with expertise in law or regulation. Fraud risk assessments, however, require a different skill set: professionals who understand fraud schemes, internal controls, and forensic techniques.

As Marks bluntly put it: certifications are nice, but experience is essential. Those leading fraud risk assessments need to have “skinned their knees” in real-world situations to understand the difference between a red flag and a false signal. Without that expertise, organizations risk a paper exercise that fails to capture the real threats.

Complementary, Not Substitutes

It is tempting for organizations to assume that a compliance risk assessment also covers fraud risk. That is a dangerous misconception. While the two assessments intersect, they are not substitutes. A compliance risk assessment confirms the rules are being followed—a fraud risk assessment tests whether someone could and would intentionally break those rules for personal gain.

Together, they create a multidimensional view of risk:

  • Compliance risk assessments keep the organization lawful.
  • Fraud risk assessments keep the organization safe.

When aligned, they reinforce one another. For example, fraud red flags can be embedded into compliance training, transforming static learning into practical, scenario-based awareness. Compliance findings can inform fraud detection by highlighting areas where processes are weakest.

Beyond Reports: Building Organizational Resilience

The ultimate value of both types of assessments lies not in the reports they generate but in the resilience they build. Marks is right to stress that neither should be treated as a “set it and forget it” project. Both are living, breathing processes that evolve in tandem with your business model, regulatory landscape, and risk environment.

A well-executed fraud risk assessment provides a strategic roadmap for preventing, deterring, and detecting fraud early. A well-executed compliance risk assessment ensures that your program is not only designed and implemented but also functioning effectively in practice. Together, they enhance oversight, foster continuous improvement, and promote a culture of integrity.

Final Thoughts

The compliance community is rightly focused on regulatory risk, ensuring that policies, procedures, and obligations are met. But stopping there creates a blind spot. Fraud is intentional, adaptive, and motivated by gain. It exploits weaknesses not only in processes but in culture.

The lesson for compliance professionals is clear:

  • Do not assume that your compliance risk assessment covers fraud risk.
  • Invest in both assessments, recognizing their differences and complementary strengths.
  • Ensure the right people, with the right experience, are conducting each.
  • Embed fraud red flags into your training and compliance processes.

At the end of the day, compliance keeps you lawful. Fraud risk management keeps you safe. Organizations that appreciate the distinction and act accordingly will be better prepared to withstand the unexpected, protect their stakeholders, and build lasting trust.


Data Driven Compliance – Fraud vs. Compliance Risk Assessments: Understanding Key Differences and Best Practices

Welcome to Season 2 of the award-winning Data Driven Compliance. In this new season, we will look at the new Failure to Prevent Fraud offense. Join host Tom Fox as we explore this new law and how to comply with it through the lens of data-driven compliance. KonaAI sponsors this podcast and is joined by Jonathan Marks from BDO.

Today, we look at the distinctions between fraud risk assessments and compliance risk assessments. Despite initial similarities in risk control and governance, the two are fundamentally different in purpose, methodology, and impact. We also explore how compliance risk assessments ensure organizations follow laws, regulations, and policies, while fraud risk assessments focus on identifying, assessing, and prioritizing potential fraudulent activities. Key elements, including fraud schemes, concealment techniques, conversion motivations, and red flags, are discussed. Additionally, we emphasize the need for specialized skills and experience in conducting these assessments and highlight the role of continuous improvement in strengthening organizational resilience against both compliance and fraud risks.

Key highlights:

  • Understanding Fraud Risk Assessments
  • Key Elements of Fraud Schemes
  • Identifying and Evaluating Red Flags
  • Connecting Red Flags to Controls
  • Compliance Risk Assessments Explained
  • Differences Between Compliance and Fraud Risk Assessments

Resources:

BDO

Jonathan Marks on LinkedIn

konaAI, a Covasant company

Click here for konaAI White Paper Rethinking Compliance: Practical Steps for Adapting to the UK’s New Fraud Legislation

Connect with Tom Fox on LinkedIn


Compliance Tip of the Day – The Integrity Audit

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we have a 5-part series on audits adjacent to compliance, and today, we explore Part 4 and consider the Integrity Audit.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.


Compliance Tip of the Day – What are Internal Controls?

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we look at several definitions of internal controls.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Trekking Through Compliance – Episode 36 – Risk Management Lessons from Catspaw

In this episode of Trekking Through Compliance, we consider the episode Catspaw, which aired on October 27, 1967, and occurred on Star Date 3018.2.

Strange things happen to a landing party consisting of Jackson, Sulu, and Scotty when they beam down to planet Pyrus 7. When Kirk, Spock, and McCoy beam down to investigate, leaving DeSalle in command and Chekov as his sidekick, they are enveloped in fog. They also detect multiple life readings, even though the Enterprise’s sensors only detect the landing party. They are all captured by Korob and Sylvia.

Meanwhile, the Enterprise is breaking free through DeSalle’s efforts. Korob sets Kirk and Spock free and tells them to leave immediately because he can no longer control Sylvia. Kirk grabs Korob’s scepter, and after fending off attacks from McCoy, Scott, and Sulu, Kirk tells Sylvia that he has the scepter. Kirk breaks the scepter in front of Sylvia. The castle vanishes, and Sylvia and Korob appear as the bizarre blue and yellow puppet-like alien beings they are. Unable to survive in this galaxy without the transmuter, they shrivel up and melt away, and Sulu and Scott are returned to normal.

Commentary

The story follows a landing party encountering strange, supernatural events on planet Pyrus 7, leading to valuable compliance lessons. Key takeaways include maintaining situational awareness, establishing effective incident response, identifying and mitigating supply chain vulnerabilities, fostering a culture of skepticism, prioritizing resilience, and empowering cross-functional collaboration. The episode uniquely ties the plot’s elements to practical compliance and risk management learning.

Key Highlights

  • Story Synopsis
  • Fun Facts and Production Notes
  • Narcissism in Cat’s Paw
  • Risk Management Lessons

Resources

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


AI in Compliance Week: Part 3 – Embracing AI-Powered Internal Controls

Integrating artificial intelligence (AI) into internal controls is pivotal in the ever-evolving corporate governance landscape. We have closely followed the discussion around this emerging trend and the insights from industry experts like Jonathan Marks. In Part 3 of my five-part blog post series, I will explore the key considerations and best practices for leveraging AI to enhance an organization’s internal control framework.

Let’s start with the basics: ‘What are internal controls?’ The best answer I have ever heard is still provided by Jonathan Marks, who says, “Internal controls are the mechanisms, rules, and procedures implemented by an organization to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. They encompass the entire control environment, including the attitude, awareness, and actions of management and others concerning the internal control system and its importance to the entity.”

Consider that the foundation of any successful AI application lies in the quality and accessibility of data. Organizations must ensure that the data feeding into their AI systems is accurate, comprehensive, and the definitive “source of truth.” Failure to address data quality issues can lead to incorrect outputs that undermine the effectiveness of specific control mechanisms. Establishing robust data management practices, including data governance and integration, is crucial for unlocking the full potential of AI-powered internal controls. The same discipline applies to the internal controls themselves.

Effective implementation of AI-driven internal controls requires a skilled workforce. Companies must invest in developing internal capabilities to handle these advanced tools and accurately analyze the results. This may involve training existing employees, hiring specialized talent, and fostering a culture of continuous learning. Understanding the nuances of machine learning, natural language processing, and other AI techniques is essential for internal teams to leverage these technologies successfully. For the compliance professional, it may mean adding expertise or partnering with internal audit or your internal controls team to garner the talent needed to move to AI-powered internal controls.

The integration of AI into internal controls raises important ethical considerations. Acknowledging and addressing the inherent biases that can exist within specific AI algorithms is imperative. By creating AI systems that are open, fair, and responsible, organizations can preserve stakeholder trust and uphold their ethical norms. Incorporating ethical principles and bias mitigation strategies into designing and deploying AI-powered internal controls is critical.

Successful implementation of AI-driven internal controls often requires close collaboration with technology providers. Companies and compliance professionals should seek out respected partners who can offer customized solutions that align with their specific internal requirements. These collaborations can provide continuous assistance as the intelligence and capabilities of the AI systems evolve. By fostering a collaborative environment, companies can ensure that the integration of AI into their internal control framework is seamless and practical.

Key Considerations for AI-Powered Internal Controls

There are a few key considerations for organizations to ensure the ethical deployment of AI-powered internal controls:

  1. Transparency and Explainability: The AI system’s decision-making process should be as transparent and explainable as possible. Organizations should be able to explain how the system arrives at its decisions and recommendations and provide clear documentation on the data, algorithms, and assumptions used.
  2. Fairness and Non-Discrimination: The AI system should be carefully audited to ensure it does not exhibit biases or discriminate against protected groups. Organizations should implement testing and monitoring processes to detect and mitigate unfair or discriminatory outcomes.
  3. Human Oversight and Accountability: Clear human oversight and accountability measures should be implemented. Employees should be able to understand, challenge, and override the AI system’s decisions when appropriate. There should also be defined processes for addressing errors or unintended consequences.
  4. Data Privacy and Security: The data used to train and operate the AI system must be adequately secured and protected to respect employee privacy. Organizations should have robust data governance policies and procedures in place.
  5. Ongoing Monitoring and Adjustment: The ethical performance of the AI system should be continuously monitored, and organizations should be prepared to adjust or refine as issues are identified. This may require establishing an AI ethics review board or similar governance structure.
  6. Alignment with Organizational Values: The deployment of the AI system should be aligned with the organization’s ethical principles and values. There should be a clear understanding of how the system supports the organization’s mission and commitment to employee wellbeing.
  7. Employee Engagement and Education: Employees should be informed about using AI-powered internal controls and receive training on interacting with the system. This can help build trust and ensure the system is used appropriately.

By addressing these key areas, organizations can work towards the ethical deployment of AI-powered internal controls and build trust with their employees. Collaboration with ethicists, legal experts, and other stakeholders can help refine best practices in this rapidly evolving landscape. However, this remains an evolving and complex area that requires ongoing vigilance and adaptation.

Ethical AI Deployment

There are some examples of organizations that have successfully navigated the challenges of ethical AI deployment.

Microsoft has faced the challenge of ensuring fairness and mitigating bias in AI systems. To meet it, the company developed a comprehensive Responsible AI Standard outlining principles and practices for ethical AI development.

IBM was challenged to achieve transparency and explainability in AI-powered decision-making. To meet this challenge, IBM has invested in explainable AI (XAI) technologies, such as its AI Explainability 360 toolkit. This enables developers to understand and interpret the inner workings of their AI models.

Google faced privacy and security concerns when using employee data for AI development. Google has established a Responsible AI Principles framework emphasizing data privacy and security, including differential privacy and secure multi-party computation techniques.

Salesforce needed to ensure alignment between AI-powered tools and the organization’s ethical values. To this end, it developed guidance through its AI Ethics & Humanism Council on the responsible development and use of AI across the company, including aligning AI systems with Salesforce’s core values.

Anthem needed to gain employee trust and acceptance in using AI-powered internal controls. To do so, Anthem implemented an “AI Ambassadors” program, in which select employees are trained to help their colleagues understand and navigate the company’s AI-powered systems, fostering greater acceptance and trust.

These examples demonstrate how leading organizations have proactively addressed the ethical challenges of AI deployment through a combination of technical, policy, and organizational approaches. By prioritizing principles like fairness, transparency, privacy, and alignment with corporate values, these companies have made progress in ensuring the responsible and trustworthy use of AI within their organizations, particularly around AI-powered internal controls.

Both compliance and internal audit professionals must recognize the pivotal role that AI can play in enhancing the effectiveness of internal controls. By proactively exploring the incorporation of AI into their control mechanisms, organizations can gain a significant advantage in managing the complexities of modern enterprises and the ever-increasing data landscape. The deliberate integration of AI into internal controls will be a crucial factor in determining the success and resilience of an organization’s overall governance framework.

Integrating artificial intelligence into internal controls represents an opportunity for organizations to strengthen their control environment and make more informed decisions. Compliance professionals can help AI-powered internal controls become a cornerstone of effective corporate governance by addressing data quality, skill development, ethical considerations, and collaboration. I am excited to see how this technology continues to evolve and reshape the way we approach internal control systems and compliance programs.

Join us tomorrow as we examine the role of compliance in keeping AI decisions fair and unbiased.


What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark entitled “Investigation, Analysis, and Remediation of Misconduct,” which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations” Hallmark, which stated that “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.” Now, beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation, or even a suspicion, comes to the attention of compliance, it must be properly triaged; your investigation protocol should then kick in with a detailed and effective investigation that is completed in a reasonable time, and the company must respond to the investigative findings. Moreover, the investigation is not the end point; it should be followed by a robust root cause analysis. This expectation builds upon several sources.

The 2023 ECCP also raises the following questions under “Root Cause Analysis”: “What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well-known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as a “research-based approach to identifying the bottom-line reason of a problem or an issue; with the root cause, not the proximate cause, the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment, which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no single formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process:

Step 1: Identify possible causal factors. Use the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. This includes asking questions such as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify compliance challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about the other root causes with the business leaders or functions that may be able to address them.

Step 4: Prioritize compliance challenges. If the root cause analysis identifies more than one root cause, decide which to address first. Rank the root causes in order, starting with the most significant. To determine rank, consider:

• The potential impact of addressing the root cause. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the employees or third parties associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Whys. As he explained, “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com describe the approach this way: “By repeatedly asking the question ‘Why’ (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called ‘Five Whys,’ you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which helps you formulate the issue precisely. Then ask why the compliance failure occurred and write the answer down below the problem. If that first response does not identify the root cause of the problem you wrote down, ask “Why?” again and write that answer down. Keep repeating this step until the team agrees that the problem’s root cause has been identified. Again, this may take fewer or more than five whys.
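As an added illustration of Step 2 (the root cause tree built by repeatedly asking “Why?”), Step 4 (ranking a root cause higher when it is the source of multiple causal factors), and the Five Whys count just described, here is a small Python example. It is not code from the original post, from Health COMPass, or from iSixSigma.com; the compliance failure, causal factors, and “why” answers in it are constructed for illustration only.

```python
from collections import defaultdict

# Constructed data for this example (not from the post or from Health COMPass).
# Step 1 output: the compliance failure and the causal factors the team found.
PROBLEM = "Undisclosed payments to a foreign official routed through a distributor"
CAUSAL_FACTORS = [
    "Distributor was paid an above-market commission",
    "Distributor was onboarded without due diligence",
    "Sales manager overrode a red flag",
]

# Step 2 input: each entry is the team's answer to "Why?" for the factor on
# the left. A factor that appears only as an answer, never as a key, has no
# further "why" behind it and is therefore a root cause.
WHY = {
    "Distributor was paid an above-market commission": "Commission rates were never benchmarked",
    "Commission rates were never benchmarked": "No approval threshold exists for commissions",
    "No approval threshold exists for commissions": "Finance controls were designed without compliance input",
    "Distributor was onboarded without due diligence": "Onboarding has no due-diligence gate",
    "Onboarding has no due-diligence gate": "Finance controls were designed without compliance input",
    "Sales manager overrode a red flag": "Red-flag escalation is optional rather than required",
    "Red-flag escalation is optional rather than required": "Sales incentives reward closing regardless of compliance",
}


def why_chain(factor, why=WHY):
    """Follow "Why?" from a causal factor until no further answer exists.

    Returns the full chain, starting with the factor and ending at the root
    cause. Raises ValueError if the answers loop back on themselves, which
    means the team has written circular reasoning rather than a cause.
    """
    chain = [factor]
    seen = {factor}
    while chain[-1] in why:
        answer = why[chain[-1]]
        if answer in seen:
            raise ValueError(f"circular why-chain at {answer!r}")
        chain.append(answer)
        seen.add(answer)
    return chain


def root_cause(factor, why=WHY):
    """The last answer in the chain is the root cause for this factor."""
    return why_chain(factor, why)[-1]


def whys_asked(factor, why=WHY):
    """How many times "Why?" was asked to reach the root (the Five Whys count)."""
    return len(why_chain(factor, why)) - 1


def rank_root_causes(causal_factors=CAUSAL_FACTORS, why=WHY):
    """Step 4 ranking: roots that underlie more causal factors come first.

    Returns a list of (root_cause, [causal factors it underlies]) sorted by
    descending count, then alphabetically so the order is stable.
    """
    underlies = defaultdict(list)
    for factor in causal_factors:
        underlies[root_cause(factor, why)].append(factor)
    return sorted(underlies.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    print(f"Problem: {PROBLEM}")
    for factor in CAUSAL_FACTORS:
        print(f"  {' -> '.join(why_chain(factor))}  ({whys_asked(factor)} whys)")
    print("Ranked root causes:")
    for root, factors in rank_root_causes():
        print(f"  {len(factors)} causal factor(s): {root}")
```

In this constructed tree, two of the three causal factors trace back to the same root (finance controls designed without compliance input), so it ranks first under the Step 4 criterion, while the chains reach their roots after two or three whys rather than exactly five, which is the point iSixSigma.com makes about the number being a rule of thumb. The cycle check matters in practice: a team that answers “Why?” with an earlier answer has produced circular reasoning, not a root cause.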

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need an operational understanding of how the business operates and how it has developed its customer base. Overlay on that an understanding of what makes an effective compliance program, together with the skepticism an auditor should bring, so that you do not simply accept an answer provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”