When Leaders Get Permission to Be Worse: Why Compliance Must Stop Fear-Based Leadership from Becoming Culture

Brené Brown’s blunt warning about toxic leadership is really a compliance warning: when fear, cruelty, and intimidation become normalized management tools, misconduct risk rises, speak-up culture collapses, and the compliance function must move from observer to guardian of organizational integrity.

There are moments when an outside voice captures a problem with more clarity than a stack of internal reports ever could. Brené Brown did exactly that when she warned that some leaders now feel a “sense of relief and permission from the current political climate to be the assholes that they are and have always been”. She paired that with an equally important observation: truly courageous leaders do not need permission from the political climate to be good people. For compliance professionals, that is not simply a leadership critique. It is a flashing red warning light.

Whenever a political or social environment legitimizes bullying, anti-empathy, macho posturing, humiliation, or domination, some corporate leaders will inevitably import that behavior into the workplace. They will call it toughness. They will call it candor. They will call it performance culture. They will call it accountability. But often it is something much simpler and much uglier. It is abuse wrapped in executive language. Compliance needs to say so clearly.

The central challenge is not that every hard-driving executive is a bully. Some leaders are demanding, exacting, and high-performing without being abusive. They set clear expectations. They make hard calls. They hold people accountable. But they do not create fear as a management system. They do not humiliate subordinates. They do not retaliate against dissent. They do not turn uncertainty into control theater. That is the line compliance must help an organization define.

Brown also offers a useful lens for understanding how toxic leadership takes root. She notes that when people feel vulnerable or afraid, they “put on armor,” and for her, that armor often looks like “micromanagement” and “perfectionism”. That is a profound compliance insight. Toxic leadership is often not random. It is fear operationalized. It is insecurity translated into control. It is anxiety turned outward as cruelty. And once that fear-based conduct gets normalized, the compliance consequences follow quickly.

Employees stop raising concerns. Managers shade facts upward. Internal reporting channels become performative. Investigations lose witnesses because no one wants to be the next target. Small control failures become larger ethical failures because people learn that silence is safer than truth. In that kind of environment, the company does not merely have a culture problem; it has a systemic problem. It has a misconduct incubation problem.

This is where the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) becomes highly relevant. The ECCP asks whether compliance is empowered, whether misconduct is investigated, whether reporting mechanisms are trusted, whether middle managers reinforce the right values, and whether the company’s culture actually supports ethical behavior. Those questions are not abstractions. They are designed to uncover exactly this sort of rot. If leadership behavior teaches employees that power matters more than principle, your code of conduct is not your culture. Your leaders are.

Prevention

That is why the compliance function must own this issue as a core mandate for prevention, detection, and response. Compliance should work with HR, internal audit, legal, and business leadership to define abusive leadership conduct in operational terms. Not vague values language. Not posters. Not generic civility commitments. Real examples. Public humiliation. Retaliation against dissent. Weaponized performance reviews. Threat-based management. Selective enforcement. Meetings where people are punished for raising risks. Impossible deadlines designed to force corner-cutting. Leaders who demand loyalty over truth.

Just as importantly, compliance should distinguish this from legitimate performance management. Strong leaders can push hard. They can demand rigor. They can insist on deadlines and quality. But they do so transparently, consistently, and without degrading people. That distinction matters because toxic leaders love to hide behind the claim that others are too soft. Compliance must not allow that defense to go unchallenged.

Training is part of the answer, but only if it is targeted. Senior leader and middle manager training should include fear-based leadership scenarios, anti-retaliation obligations, how abusive conduct suppresses reporting, and how a breakdown in culture creates legal and regulatory exposure. This is not “soft skills” programming. Brown herself makes the point that leaders must know themselves, regulate their emotions, and think strategically, rejecting the dismissive label of ‘soft skills’ while linking that work directly to performance and growth. Compliance should embrace that insight. Emotional self-regulation is not cosmetic. It is a control.

Promotion and compensation systems must also be brought into the conversation. Companies create exactly what they reward. If a leader hits numbers while leaving a trail of fear, attrition, broken teams, retaliation complaints, and suppressed escalation, that person is not a high performer. That person is a risk event with a bonus target. So compensation committees, HR, and compliance should align on consequences and incentives. Promotion criteria should include team health, substantiated conduct findings, speak-up metrics, turnover patterns, and responsiveness to internal controls. A toxic rainmaker is still toxic.

Detection

Most companies already have more data on toxic leadership than they think. Hotline reports. Ombuds trends. HR complaints. Exit interviews. Internal mobility data. Regrettable attrition. Pulse surveys. Investigation outcomes. Audit interviews. Skip-level feedback. Even the language patterns that recur in misconduct reports. The failure is rarely a lack of information. The failure is the refusal to connect the dots when the accused is powerful.

Compliance should build a dashboard to monitor toxic leadership. Not for public circulation, but for disciplined internal review. Which functions have repeated retaliation allegations? Which leaders generate unusual turnover after promotion? Where do substantiated complaints cluster? Which business units show low reporting and high pressure simultaneously? Low hotline volume is not always a sign of health. Sometimes it is a sign that employees have already learned the rules of silence.

Here, the political and social climate matters. Brown describes the current atmosphere as “anti-empathy” and “sinister”. Whether one agrees with every aspect of that characterization is almost beside the point. Compliance professionals should understand that external discourse does seep into internal culture. When public life celebrates cruelty, belittles inclusion, mocks empathy, and treats domination as authenticity, some executives will feel culturally validated in bringing those behaviors to work. The company cannot control the external environment, but it can harden its internal norms to counter it. That means reinforcing that empathy is not weakness, accountability is not abuse, and candor is not humiliation.

Remediation

When a toxic leader crosses the line, the organization has to act in ways employees can see and believe, even if they do not see every fact. This is where many compliance programs fail. They investigate the conduct, document the issues, perhaps quietly coach the leader, and then move on. Employees notice. They conclude that there are two systems: one for everyone else and one for top performers.

The ECCP is skeptical of exactly that sort of inconsistency. Regulators want to know whether discipline is applied fairly across the organization and whether managers are held accountable for misconduct and for supervisory failures. A company that protects abusive executives because they deliver revenue is sending a very loud message about what it truly values.

The response toolkit should include substantiated findings, documented remediation plans, compensation impact, leadership coaching where appropriate, enhanced oversight, demotion when necessary, and termination when warranted. Not every toxic leader needs to be fired. But every confirmed pattern of abusive conduct needs a real consequence. Otherwise, the company is not remediating. It is subsidizing misconduct.

There is another subtle but important point in Brown’s remarks. She warns that emotionally resonant language can be weaponized and that vulnerability does not mean oversharing or abandoning responsibility. Compliance should take that seriously as well. Culture language can be gamed. Toxic leaders are often very good at learning the vocabulary of belonging, authenticity, or purpose without changing their behavior. So the compliance function should evaluate culture not by slogans, but by lived experience. Are people willing to raise concerns? Are bad facts welcome? Can managers be challenged without retaliation? That is the test.

In the end, the compliance function cannot prevent every executive from being a jerk. But it can and must prevent jerk behavior from becoming the unofficial operating system of the company.

That is the real issue. Not bad manners. Not personality conflicts. Not style differences. The real issue is whether fear becomes normalized as a management tool and whether the company, through inaction, grants silent permission for it to continue. When that happens, misconduct is never far behind.

Conclusion

In the final analysis, the compliance function has a duty far beyond policing policies or checking boxes. It must help set the boundaries of acceptable power inside an organization. When leaders use fear, intimidation, humiliation, or retaliation as management tools, they do more than damage morale. They corrode trust, silence speak-up culture, and create the precise conditions in which misconduct can flourish. That is why compliance professionals must be willing to call toxic leadership what it is: a cultural risk, a governance failure, and a business threat.

The larger lesson is straightforward. Culture is not shaped by what an organization says in its values statement. It is shaped by the behavior leaders model, the conduct that gets rewarded, and the misconduct that gets tolerated. If compliance leaders want to prevent corporate executives from turning into bullies with titles, they must insist on accountability before fear becomes normalized. In today’s environment, that is not optional. It is one of the clearest tests of whether a company truly has an effective compliance program.

Innovation in Compliance: Jim Massey on Risk in Action

Innovation spans many areas, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom visits with Jim Massey about his latest book, Risk in Action: The Leader’s Guide to Act with Clarity.

Jim Massey is a distinguished figure in risk management, known for translating complex ideas into practical strategies that empower business leaders. With a wealth of experience from boardrooms to executive sessions, he is a highly sought-after keynote speaker who enlightens audiences on how to navigate risks in high-pressure situations. Through his books, including his prior work, Trust in Action, Jim champions prioritizing and understanding risks, focusing on critical gaps and opportunities rather than attempting to address all risks equally. He is a proponent of using AI to streamline and revolutionize risk assessment processes, advocating a proactive approach in which leaders view risk as a potential driver of innovation and growth rather than merely a hurdle to overcome.

 

Key highlights:

  • Transforming Compliance Professionals into Risk Advisors
  • Adaptive Decision-Making in Uncertain Environments
  • Real-time AI Risk Cards for Executives
  • Embracing Risk as Catalyst for Innovation in Business
  • Embracing Risk as an Innovation Catalyst

Resources:

Jim Massey on LinkedIn

Jim Massey Website

Risk in Action: The Leader’s Guide to Act with Clarity

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Daily Compliance News: February 26, 2026, The Why So Few Women CEOs Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What happens when companies demand that employees use AI? (WSJ)
  • Why so few women CEOs? (FT)
  • eBay finally settles Steiner harassment suit. (Reuters)
  • Alfred Sloan and objective organizations. (Bloomberg)

Great Women in Compliance: Proof, Patterns & Power: The Real Art of Workplace Investigations

In this roundtable episode, Sarah Hadden and Ellen M. Hunt explore the real art of workplace investigations with guests Lloydette Bai-Marrow and Onyinye Asala-Olojola through these three lenses:

  • Proof: What evidence do you need to support your finding that not only holds up in a court of law but also withstands scrutiny
  • Patterns: How to connect the dots so that the investigation tells a meaningful story that leads to action
  • Power: How to manage leaders so that the best resolution for the organization is the path forward

 

If you are looking for expert advice on how to increase the value of workplace investigations to your organization, tune in on your favorite podcast platform, on Corporate Compliance Insights, and the Compliance Podcast Network

#WorkplaceInvestigations #RootCause #CorrectiveMeasures #Retaliation #EthicalLeadership

The Starliner, Culture and Compliance: Leadership Lessons from a NASA Investigation Report

Corporate compliance professionals spend a lot of time talking about controls, training, third parties, and investigations. Yet the hard truth is that the most important control environment sits above all of that: leadership behavior and the culture it creates. That is why this NASA investigation report on the Boeing CST-100 Starliner Crewed Flight Test (CFT) is such a useful case study. It is a technical report, to be sure. But it is also a cultural, leadership, and governance report. NASA’s bottom line is unambiguous: technical excellence and safety require transparent communication and clear roles and responsibilities, not as slogans, but as operating requirements that must be institutionalized so safety is never compromised in pursuit of schedule or cost.

If you are a Chief Compliance Officer, General Counsel, or business leader, you should read this report the way you read an enforcement action. Not to gawk. Not to assign blame. But to harvest lessons for your own organization before you have your own high-visibility close call.

The incident(s) that led to the report

The CFT mission launched June 5, 2024, as a pivotal step toward certifying Starliner to transport astronauts to the International Space Station. It was planned as an 8-to-14-day mission but was extended to 93 days after significant propulsion system anomalies emerged. Ultimately, the Starliner capsule returned uncrewed, while astronauts Barry “Butch” Wilmore and Sunita “Suni” Williams returned aboard SpaceX’s Crew-9 Dragon in March 2025. In February 2025, NASA chartered a Program Investigation Team (PIT) to examine the technical, organizational, and cultural factors contributing to the anomalies.

The report describes four major hardware anomaly areas, including Service Module RCS thruster fail-offs that temporarily caused a loss of 6 Degrees of Freedom control during ISS rendezvous and required in-situ troubleshooting to recover enough capability to dock, a Crew Module thruster failure during descent that reduced fault tolerance, and helium manifold leaks where seven of eight Service Module helium manifolds leaked during the mission. The PIT further determined that the 6DOF loss during rendezvous met criteria for a Type A mishap (or at least a high-visibility close call), underscoring how close the program came to a very different ending.

That is the “what.” For compliance professionals, the “so what” is that NASA did not treat this as a purely engineering problem. It treated it as an integrated system failure, in which culture and leadership either reduce risk or magnify it.

Lesson 1: Decision authority is culture, not paperwork

One of the report’s clearest threads is that fragmented roles and responsibilities delayed decision-making and eroded confidence. In the compliance world, unclear decision rights become the breeding ground for “informal governance”: private conversations, end-runs around committees, and decisions that are never fully documented. Over time, that becomes a shadow-control environment that your policies cannot touch.

Compliance action steps

  • Define decision rights for the riskiest calls (high-risk third parties, market entry, major remediation, critical incidents).
  • Require a short, written record of: facts reviewed, options considered, dissent captured, decision made, and owner accountable.
  • Separate “recommendation authority” from “approval authority” so everyone knows where they sit.

Lesson 2: Transparency is a control, and selective data sharing destroys trust

The report explicitly flags that the lack of data access fueled concerns about selective information sharing. Interviewees described frustration that information could be filtered, selectively chosen, or sanitized, which eroded confidence in the process and people. It also notes reports of questions being labeled “too detailed” or “out of scope” without mechanisms to ensure concerns were addressed. That is the compliance danger zone. When teams believe the narrative matters more than the data, they stop escalating early. They start documenting defensively. They seek safety in silence.

Compliance action steps

  • Build “open data” expectations into your incident response and investigative protocols.
  • Create a defined pathway for technical or subject-matter dissent to be logged, reviewed, and dispositioned.
  • Treat meeting notes and decisions as governed records, not optional artifacts.

Lesson 3: Risk acceptance without rigor becomes “unexplained anomaly tolerance”

NASA calls out “anomaly resolution discipline” and warns that repeated acceptance of unexplained anomalies without root cause can lead to recurrence. That single lesson belongs on a poster in every compliance office. In corporate terms, “unexplained anomalies” are recurring control exceptions, repeat hotline themes, repeated third-party red flags, and audit findings that are “managed” rather than fixed. If leadership normalizes that pattern, it teaches the organization that closure is more important than correction.

Compliance action steps

  • Require root cause analysis for repeat issues, not just incident closure.
  • Set escalation thresholds for “repeat with no root cause” findings.
  • Audit remediation quality, not only remediation completion.

Lesson 4: Partnerships fail when “shared accountability” is not operationalized

The report emphasizes that shared accountability in the commercial model was inconsistently understood and applied. It also notes that historical relationships and private conversations outside formal forums created perceptions of blurred boundaries, favoritism, and lack of objectivity, whether or not those perceptions were accurate. Compliance teams have seen this movie. Think distributors, joint ventures, outsourced compliance support, and major technology partners. If accountability is shared in theory but siloed in practice, something will fall through the cracks. Usually, it falls right into your lap when regulators arrive.

Compliance action steps

  • Define “shared accountability” in contracts, governance charters, and escalation protocols.
  • Ensure independence and objectivity are protected by design, not by personality.
  • Create joint forums where data is shared broadly, dissent is recorded, and decisions are made openly.

Lesson 5: Burnout is a risk factor, and meeting chaos is a governance failure

The report’s recommendations recognize the operational reality: high-pressure environments can degrade decision quality. It calls for “pulse checks,” rotation of high-pressure responsibilities, contingency staffing, and time protection for deep work to proactively address burnout and improve decision-making under mission conditions. Compliance professionals should take that to heart. Crisis cadence is sometimes unavoidable. Permanent crisis cadence is a leadership choice. And it carries predictable consequences: shortcuts, missed details, weakened documentation, and poor judgment.

Compliance action steps

  • Build surge staffing plans for investigations and incident response.
  • Rotate incident commander roles when events extend beyond days.
  • Protect time for analysis, not just meetings and status updates.

Lesson 6: Accountability must be visible, not performative

NASA does not bury the human dimension. The report contains leadership recommendations to speak openly with the joint team about leadership accountability, including concurrence with the report and reclassification as a mishap, and to hold a leadership-led stand-down day focused on reflection, accountability concerns, and rebuilding trust. For corporate leaders, this is where trust is won or lost after a crisis. Employees can tolerate a hard outcome. They struggle to tolerate spin. If your organization communicates externally with confidence but internally with vagueness, your culture learns the wrong lesson: optics first, truth second.

Compliance action steps

  • After a major incident, publish an internal accountability and remediation plan with owners and timelines.
  • Provide regular updates on what has been completed, what is delayed, and why.
  • Make it safe for the workforce to ask questions in interactive forums, as NASA recommends.

Lesson 7: Trust repair requires a plan, not a pep talk

One of the most useful artifacts in the report is a sample Organizational Trust Plan. It sets a goal to rebuild trust by establishing clear expectations, open accountability, and shared commitment to safety and mission success. It includes objectives around transparent communication, acknowledging past challenges, reinforcing shared values, and structured engagement. It then lays out action steps: leadership engagement, facilitated sessions, outward expressions of accountability, teamwide rollout, training and coaching, and communication through a written plan and regular updates.

That is exactly the kind of operational discipline compliance leaders should bring to culture work. Culture does not change because someone gives a speech. Culture changes when the organization changes how it makes decisions, treats dissent, and follows through.

Five key takeaways for the compliance professional

  1. Clarify decision rights before the crisis. Ambiguity becomes politics under pressure.
  2. Make transparency non-negotiable. Perceived filtering of data destroys credibility.
  3. Do not normalize unexplained anomalies. Repeat issues without a root cause are future failures.
  4. Operationalize shared accountability with partners. Otherwise, it is a slogan.
  5. Rebuild trust with a written plan and visible accountability. Trust repair is a managed process.

In the end, the Starliner lesson for compliance is simple: controls matter, but culture decides whether controls work when it counts. If leadership cannot run disagreements well, cannot share data broadly, and cannot demonstrate accountability after the fact, the best-written compliance program in the world will fail the moment the pressure rises.

Great Women in Compliance: Why Decision Rubrics Matter in the Age of AI with Hemma Lomax and Shalini Rajoo

In this conversation, GWIC host Dr. Hemma R. Lomax and Shalini Rajoo explore the critical role of decision rubrics in governance, accountability, and trust, especially in the context of AI. Shalini shares her journey from law to compliance, emphasizing the importance of understanding systems and the impact of leadership on decision-making processes. They discuss how transparency and clarity in decision-making can build trust within organizations and the necessity of responsible AI governance. Practical tips for improving decision quality are also provided, highlighting the importance of self-awareness and critical thinking in leadership.

Takeaways:

  • The biggest risk in governance is unclear decisions.
  • AI amplifies existing clarity or confusion in decision-making.
  • Systems and rules reflect the identities of their architects.
  • Everyone has an impact on those around them every day.
  • Leadership is about improving the people around you.
  • It’s not just about rules; it’s about how people behave.
  • Decision rubrics provide consistency and predictability in outcomes.
  • Transparency in decision-making processes builds trust.
  • Slowing down to ask questions can lead to better decision-making.
  • Writing down the reasons for decisions brings clarity and accountability.

Sound bites:

“Systems and rules are not inherently neutral.”

“Transparency in decision making builds trust.”

“Slow is smooth, and smooth is fast.”

Chapters:

00:00 Introduction to Decision Rubrics and Governance

02:55 Shalini’s Journey: From Law to Governance

06:09 The Impact of Systems on Leadership and Accountability

09:09 Transitioning to Compliance and Ethics

11:49 Understanding Decision Rubrics in Compliance

15:06 The Role of Leadership in Decision Making

18:03 Designing Conditions for Effective Decision Making

20:47 The Importance of Transparency in Decision Processes

24:09 Decision Rubrics: Building Trust in Organizations

26:49 AI and Governance: Leadership Infrastructure Failures

29:47 Responsible AI: The Role of Ethics and Compliance

32:55 Practical Tips for Improving Decision Quality

36:00 Conclusion: The Future of Decision Making in AI

Guest Biography:

Shalini Rajoo is the Founder and Principal Consultant of Shalini Rajoo Advisory, LLC, where she partners with organizations to design governance, compliance, and decision-making systems that are resilient, trustworthy, and aligned to real operational pressures. Across more than two decades in law, compliance, HR, and organizational leadership, Shalini has helped companies and leaders move beyond check-the-box frameworks to build structures that embed accountability, clarity, and performance into everyday decisions.

She began her career in South Africa, first as a public prosecutor and then leading regulatory work with the Department of Trade and Industry, collaborating with legislative and executive stakeholders on corporate, competition, and consumer law. After relocating to the U.S., Shalini practiced commercial litigation. She later served as Director of Global Business Conduct for a Fortune 500 company, where she redesigned ethics and compliance systems, led global risk assessments, and championed psychological safety and integrity-based practices.

Today, Shalini’s work centers on helping leaders clarify decision rights, governance architectures, and accountability pathways — especially as organizations adopt AI and automation. She recently spoke at the Opal Group’s Corporate Governance & Ethics in the Age of AI conference, where she reframed AI governance as a leadership-infrastructure challenge rather than a purely technical or compliance one.

Compliance into the Weeds: The Essence of Leadership and Why Donald Trump Is Not a Role Model

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly look at the leadership failures from Donald Trump and his administration after the killing of Alex Pretti last weekend. This episode has significant editorial commentary.

Matt and Tom critically examine the behavior and leadership failings of Donald Trump and his Administration in the wake of the shooting of Alex Pretti and argue that his approach is far from exemplary for CEOs or business leaders. The discussion highlights the essence of effective leadership as the ability to instill trust and direction, contrasting this with Trump’s history of questionable business acumen and the allegations of his disastrous lying to the American people. The takeaway is that true leadership involves integrity, trustworthiness, and the ability to inspire and guide employees toward a common goal, traits that Trump is argued to lack. 

Key highlights:

  • Comparing CEOs to Donald Trump
  • Crisis of hyper-transparency
  • Corporate responses. Were they enough or a first step?
  • Leadership and Trust

Resources:

Matt in Radical Compliance


A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Innovation in Compliance – The Strategic Evolution of Compliance: Insights from Angie McPhail

Innovation comes in many forms, and compliance professionals need not only to be ready for it but also to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Angie McPhail to discuss the transformation of compliance from a regulatory function to a strategic business imperative.

Angie shares her professional background, having led the Integrity and Compliance group for the Americas at Juniper Networks before its acquisition by HPE. Key discussions include the evolving role of compliance as a strategic influencer within organizations, the intersection of ethics and integrity with ESG, and the importance of trust in building effective compliance programs. Angie emphasizes the need for compliance professionals to understand business strategy, leverage technology, and build trust to drive sustainable growth. The talk also covers the future outlook for compliance leaders and provides advice on preparing the next generation of compliance professionals.

Key highlights:

  • Compliance as a Strategic Business Function
  • Influence and Trust in Compliance
  • Compliance as a Driver of Business Success
  • Managing Reputational Risk
  • Future of Compliance Leadership

Resources:

Angie McPhail on LinkedIn

Innovation in Compliance was recently ranked 4th among Risk Management podcasts by 1,000,000 Podcasts.


31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Role in Shaping Corporate Culture and Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s episode, Day 10, we dive into the critical role of senior management in fostering a strong corporate culture of compliance.

Key highlights:

  • The Importance of Corporate Culture
  • DOJ’s Expectations for Senior Management
  • Five Factors for Effective Leadership

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.


Michigan Man, Part 4 – Lessons Learned: What This Crisis Teaches Compliance Professionals

Every major compliance failure eventually reaches the same destination: a moment when leadership says, “How did we not see this coming?” The answer is almost always the same. The warning signs were visible. They were rationalized, minimized, or overridden in the name of performance, continuity, or institutional pride.

The Sherrone Moore crisis at the University of Michigan is not a college football anomaly. It is a case study in how compliance programs fail when they are structurally subordinated, culturally discounted, or selectively enforced. For compliance professionals, the value of this case lies not in outrage but in extraction: extracting lessons that can be operationalized before the next crisis unfolds.

Lesson 1: Compliance Authority Must Be Structural, Not Aspirational

Michigan’s experience demonstrates that access to leadership is meaningless without authority. The compliance function may have been consulted, investigations commissioned, and policies in place. None of that mattered when the athletic department retained de facto control over outcomes. For compliance professionals, the lesson is clear. Compliance must have defined escalation rights and veto authority over high-risk decisions, including promotions, discipline, and crisis response. If a business unit can override compliance based on performance or legacy, compliance is not independent. It is decorative.

The Department of Justice has repeatedly emphasized that effective compliance programs require empowered compliance functions. That empowerment must be written into governance documents, reinforced by boards, and tested in practice.

Lesson 2: Past Dishonesty Is a Permanent Risk Factor

One of the most glaring failures in this case was the organization’s willingness to treat Moore’s prior dishonesty during the sign-stealing investigation as a closed chapter. It was not. It was predictive. Compliance professionals must internalize a hard truth: once credibility is damaged, it does not reset. Individuals who have lied to investigators, deleted records, or misrepresented facts should never again be treated as presumptively reliable. Enhanced monitoring, corroboration, and scrutiny are not punitive. They are risk management.

Organizations that ignore this lesson inevitably relearn it at a higher cost.

Lesson 3: Promotions Are Compliance Decisions

The elevation of Moore to head coach was framed as a football decision. In reality, it was one of the most consequential compliance decisions the university made.

Any promotion into a role with significant authority, visibility, and discretion is a compliance event. Risk-based due diligence should include:

  • Review of prior investigations and disciplinary history
  • Assessment of truthfulness and cooperation during past inquiries
  • Evaluation of behavioral and reputational risk, not just technical violations

In corporate terms, Michigan promoted an executive with unresolved compliance issues and a clear lack of ethical grounding into a CEO-equivalent role. That decision alone dramatically increased institutional risk, and the consequences will reverberate for a long time to come.

Lesson 4: Investigations Involving Power Imbalances Require Heightened Standards

The initial investigation into Moore’s relationship with a staffer failed predictably. When both parties denied the relationship and the evidence was limited, the inquiry stalled. That outcome reflects a misunderstanding of power dynamics. Compliance professionals know that power imbalance distorts disclosure. Subordinates may deny relationships out of fear, loyalty, or uncertainty. Senior leaders may deny wrongdoing out of self-preservation. Effective investigations account for this reality by expanding evidence collection, conducting pattern analysis, and implementing interim safeguards.

Neutrality is not passivity. When allegations involve senior leadership, the standard of diligence must rise, not fall.

Lesson 5: Star Performers Are the Highest-Risk Population

One of the most enduring myths in organizational life is that high performers deserve flexibility. In reality, they deserve even greater scrutiny. Star performers operate with autonomy, influence culture, and often shape informal norms. Moore’s trajectory illustrates how repeated exceptions create a sense of entitlement. Each time misconduct is reframed as survivable, the individual learns that boundaries are negotiable. Compliance professionals must relentlessly resist this dynamic.

Rules applied selectively are not rules. They are invitations.

Lesson 6: Pattern Risk Demands Pattern Response

Perhaps the most damning aspect of the Michigan case is that it unfolded amid repeated scandals within the athletic department. When misconduct clusters, the correct response is not incremental fixes. It is a structural intervention. Compliance professionals must recognize pattern risk early and escalate it aggressively. That escalation should include:

  • Enterprise-wide risk assessments
  • Cultural diagnostics
  • Leadership accountability reviews
  • Board-level engagement

Waiting for the next incident is not caution. It is abdication.

Lesson 7: Culture Is Set by What Leadership Tolerates

Michigan’s long-standing deference to athletic success and legacy culture created an environment where misconduct was rationalized rather than confronted. This is not unique to sports. It appears in sales-driven organizations, founder-led companies, and high-growth environments. Culture is not what leadership says. It is what leadership allows. From the Board of Regents to the UM President on down, compliance professionals must evaluate actions, not rhetoric, when assessing culture risk.

Lesson 8: Human Impact Is the Ultimate Compliance Metric

It is easy, especially for lawyers and compliance officers, to focus on policy breaches and enforcement exposure. The Moore crisis is a reminder that compliance failures produce human harm. Families are destabilized. Employees feel unsafe. Stakeholders lose trust. Effective compliance programs exist not only to prevent fines but also to prevent damage. When that purpose is forgotten, compliance becomes performative.

Final Thought: Compliance Is Tested at the Top

The Sherrone Moore crisis did not originate with a junior employee. It originated at the top of a powerful institution. That is where compliance programs are always tested. For compliance professionals, the final lesson is this: if your program cannot stop, slow, or surface misconduct by your most powerful leaders, it will eventually fail when it matters most.

The University of Michigan now faces years of rebuilding trust, governance, and credibility. Compliance professionals elsewhere should treat this case as a warning, not a curiosity. The cost of ignoring these lessons is never hypothetical. It is only deferred. This takeaway is stark but actionable. Compliance failures are rarely a surprise. They are choices made over time. The question for every compliance professional is whether those choices will be challenged early or explained later.

As always, prevention is less visible than a crisis. It is also far less costly.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking, by Austin Meek and Sam Jane, writing in The Athletic.

Fire Everybody, by Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.