Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Leveraging Root Cause Analysis for Effective Compliance

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 31 episode, and our final day in this 2026 update to 31 Days to a More Effective Compliance Program, we end with a review of root cause analysis.

Key highlights:

  • Integrating Root Cause Analysis into Solutions
  • Regulatory Expectations and Internal Controls
  • Performing Effective Root Cause Analysis
  • Developing and Implementing Solutions

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.

Categories
Blog

Greek Philosophers Week: Part 1 – Socrates and the Asking Questions

I have long wanted to trace the origins of the modern corporate compliance organization back to the ancient Greek philosophers, drawing lessons for compliance and ethics in 2026 and beyond. Today, I begin a five-part series where I do just that. In this series, we will consider Socrates, Plato, Aristotle, Pythagoras, and Euclid. We start with Socrates.

Socrates left no writings of his own. What he left was a method. He believed wisdom began with recognizing what one did not know and then relentlessly testing assumptions through disciplined questioning. That approach maps directly onto the daily work of the compliance professional. Risk assessments, investigations, root cause analysis, culture reviews, and even board reporting all rise or fall based on the quality of the questions asked.

Every effective compliance program begins with a question. Not a policy. Not a control. Not a dashboard. A question. That insight alone makes Socrates the right place to start any serious discussion about the influence of ancient Greek philosophy on modern corporate compliance and ethics programs.

The Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP) does not use the word “Socratic,” but its expectations are unmistakably aligned with Socratic inquiry. Prosecutors repeatedly ask whether a company understands its risks, tests its assumptions, challenges its controls, and adapts when reality changes. A compliance program that does not ask hard questions is not mature. It is merely quiet. Indeed, Hui Chen, the author of the original ECCP, has said that a key purpose of the ECCP was to get compliance professionals to ‘ask questions’.

Ethical Inquiry as a Compliance Obligation

Socrates believed that unexamined beliefs were dangerous. He challenged Athenian leaders not because he enjoyed disruption, but because false confidence creates harm. In a corporate setting, the same risk exists when executives assume that a policy equals compliance or that training completion equals ethical behavior.

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

These questions are fundamentally Socratic. They demand inquiry into how the business actually operates, where pressure points exist, and how misconduct could realistically occur. A compliance function that accepts management narratives at face value fails this test.

Daily compliance operations depend on this discipline. When reviewing third-party relationships, a Socratic compliance officer does not ask whether due diligence was performed. They ask whether it was sufficient, whether red flags were rationalized, and whether business incentives distorted judgment. That is inquiry, not administration.

Challenging Assumptions Without Becoming the Enemy

Socrates was executed because his questioning made powerful people uncomfortable. Compliance professionals face a less dramatic, but no less real, version of that tension. The role requires challenging assumptions, even when doing so slows deals, complicates reporting lines, or disrupts revenue projections.

The ECCP specifically evaluates whether a corporate compliance function has sufficient staff to audit, document, analyze, and utilize the results of the corporation’s compliance efforts. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it. Does the company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated.”

Those structural questions exist because DOJ understands that inquiry without protection is performative. If compliance professionals cannot safely ask uncomfortable questions, the program is cosmetic.

In daily operations, this plays out in subtle ways. Does compliance have the authority to pause a transaction? Can investigators follow evidence wherever it leads? Are audit findings welcomed or explained away? A Socratic approach demands that compliance leaders test these realities rather than assume the answer.

The Socratic Method in Investigations and Root Cause Analysis

Socrates did not accept the first answer offered. He pushed deeper, often exposing contradictions or incomplete reasoning. That approach is directly applicable to investigations and root cause analysis. The ECCP places significant emphasis on whether companies understand why misconduct occurred and whether remediation addresses underlying causes. Too many investigations stop at identifying who violated a policy. Echoing Jonathan Marks, Socratic investigation asks why the violation made sense to the individual at the time. What pressures existed? What incentives misaligned behavior? What controls failed or were bypassed?

This type of inquiry requires patience and courage. It also involves trust from leadership. Findings may implicate management decisions, cultural signals, or compensation structures. Socrates reminds us that truth-seeking is rarely comfortable, but it is essential to ethical improvement.

Culture Is Revealed by the Questions You Allow

Socrates believed that a society’s health could be measured by its openness to questioning. The same is true for corporate culture. The questions employees feel safe asking reveal more than any values statement. The ECCP now explicitly asks companies to explain how they measure and address culture. The ECCP states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Surveys, hotline data, and exit interviews are tools, but they are meaningless without inquiry. Key questions include: Are employees encouraged to speak up? Are concerns investigated thoroughly? Are outcomes communicated? Is retaliation punished?

In daily compliance practice, this means listening as much as enforcing. A Socratic compliance program does not treat employee concerns as noise to be managed. It treats them as data points to be explored. The quality of questions asked in response to a report often determines whether trust is strengthened or destroyed.

5 Key Takeaways for the Compliance Professional

1. Effective compliance begins with inquiry, not documentation.

A compliance program does not become effective simply because policies exist or training is completed. Effectiveness begins when compliance professionals consistently ask how misconduct could realistically occur within their organization. This requires challenging business assumptions, pressure points, and incentive structures. The ECCP repeatedly emphasizes the importance of understanding risk in context, which is impossible without disciplined questioning. A Socratic approach positions inquiry as an operational obligation, not an intellectual exercise, ensuring the program remains dynamic, responsive, and grounded in reality rather than formalism.

2. Risk assessments are living Socratic exercises, not static reports.

Too many organizations treat risk assessments as periodic documentation rather than ongoing inquiry. A Socratic risk assessment tests assumptions continuously as business models, geographies, and incentives evolve. Compliance professionals should revisit risk hypotheses, ask whether controls still function as intended, and challenge comfort-driven conclusions. Under the ECCP, regulators expect risk assessments to inform program design and resource allocation. Socratic inquiry ensures risk assessments remain relevant, credible, and capable of identifying emerging threats before they mature into enforcement issues.

3. Investigations must pursue understanding, not merely attribution.

Identifying who violated a policy is rarely sufficient to prevent recurrence. A Socratic investigation asks why the misconduct occurred, what pressures or incentives influenced behavior, and how organizational systems failed. This aligns directly with the ECCP’s focus on root cause analysis and remediation. When compliance professionals ask deeper questions, investigations become tools for program improvement rather than disciplinary endpoints. This approach strengthens controls, enhances credibility with regulators, and reduces the likelihood of repeat misconduct driven by unresolved systemic weaknesses.

4. Speak-up culture is defined by response quality, not hotline volume.

Organizations often measure speak-up culture by the number of reports received, but Socrates teaches that the real measure lies in how questions are received and addressed. Employees quickly learn whether raising concerns leads to thoughtful inquiry or defensive dismissal. The ECCP evaluates whether companies encourage reporting, protect against retaliation, and communicate outcomes appropriately. A Socratic compliance function listens carefully, asks clarifying questions, and treats concerns as signals worth examining. That discipline builds trust and reinforces ethical accountability across the organization.

5. Socratic questioning requires independence, authority, and protection.

Inquiry without authority is performative. Socrates paid the ultimate price for challenging power, but modern compliance professionals should not. The ECCP explicitly assesses whether compliance functions have sufficient independence, resources, and access to leadership. Without these safeguards, difficult questions go unasked or unanswered. A Socratic compliance program empowers professionals to challenge decisions, pause transactions, and escalate concerns without fear of retaliation. That structural support transforms ethical inquiry from individual courage into institutional practice.

From Socrates to Plato: From Inquiry to Structure

Socrates gives us the starting point. He teaches the compliance professional how to think, question, and resist complacency. But inquiry alone is not enough. Questions must eventually lead to structure, governance, and systems that translate insight into action.

That transition sets the stage for Plato. Where Socrates focuses on method, Plato focuses on design. The movement from Socrates to Plato mirrors the evolution of a compliance program itself, from asking whether risks exist to building governance structures capable of addressing them. In that sense, Socrates is the conscience of the compliance function. He reminds us that effectiveness begins with intellectual honesty and ethical curiosity. Without those traits, even the most sophisticated compliance architecture will rest on shaky ground.

Join us tomorrow for Part 2 and learn about Plato’s role in today’s compliance and ethics programs.

Categories
Innovation in Compliance

Innovation in Compliance – Exploring Sustainable Leadership and Accountability with Gina Cotner

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes back Gina Cotner, the CEO and founder of Athena Executive Services, to delve into crucial leadership topics relevant to the compliance community.

The discussion covers root cause analysis (RCA), the importance of creating a culture of accountability, and effective delegation without abdicating responsibility. Gina emphasizes the significance of asking open-ended, curious questions, continuous coaching, and managing up for sustained organizational success. They also touch on the role of trust, psychological safety, and clear communication in enhancing team performance and leadership practices, making it a must-listen for compliance officers and corporate leaders.

Key highlights:

  • The Importance of Root Cause Analysis
  • Creating a Culture of Accountability
  • Effective Delegation Strategies
  • Trust, Psychological Safety, and Communication
  • Applying Strategies in Different Contexts
  • Sustainable Leadership Practices

Resources:

Gina Cotner on LinkedIn

Athena Executive Services

Check out my latest book, Upping Your Game-How Compliance and Risk Management Move to 2023 and Beyond, available from Amazon.com.

Innovation in Compliance was recently honored as the number 4 podcast in Risk Management by 1,000,000 Podcasts.

Categories
AI Today in 5

AI Today in 5: September 12, 2025, The AI for RCA Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories:

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Categories
Trekking Through Compliance

Trekking Through Compliance: Episode 35 – Root Cause Lessons from Star Trek’s “The Doomsday Machine”

Compliance professionals are forever tasked with pinpointing the root causes behind organizational failures, missteps, or breaches. This deep dive is critical, not only for remediating issues but also for ensuring they don’t recur. In this compliance exploration, let’s boldly go where few compliance bloggers have gone before, into the riveting episode “The Doomsday Machine.”

Here are five lessons, each anchored directly in the narrative of this classic Star Trek episode, emphasizing how thorough root cause analyses can strengthen your compliance function and safeguard your organization.

Lesson 1: Identify the Problem to Solve the Correct Issue

Illustrated By: Commodore Decker incorrectly identifies the root cause. He believes the Doomsday Machine is a conventional threat rather than an unfeeling, mechanical entity beyond traditional warfare.

Compliance Lesson. In compliance terms, this parallels the imperative first step in any root cause analysis: defining the correct problem. Misidentifying the fundamental issue can lead to misguided corrective actions that fail to prevent recurrence.

Lesson 2: Gather Complete Data Before Making Decisions

Illustrated By: Commodore Decker’s hasty decisions are predicated upon incomplete and inadequate data.

Compliance Lesson. Drawing premature conclusions from incomplete data gathering can lead to inadequate analyses, resulting in ineffective solutions and the recurrence of issues.

Lesson 3: Recognize and Address Human Factors

Illustrated By: The human element, including stress, fatigue, and emotional response, significantly impacts decision-making.

Compliance Lesson. In your root cause analyses, it is essential to consider human factors rigorously.

Lesson 4: Establish and Follow Clear Protocols

Illustrated By: Captain Kirk, once back in command, establishes a disciplined approach to address the crisis.

Compliance Lesson. Root cause analyses similarly benefit immensely from disciplined adherence to clearly established investigative protocols.

Lesson 5: Develop Sustainable Preventive Solutions, Not Temporary Fixes

Illustrated By: The Enterprise crew devises an effective solution by leveraging detailed knowledge of the Doomsday Machine’s design and vulnerabilities.

Compliance Lesson. In compliance, root cause analyses aim to create permanent, preventive solutions. Short-term patches that treat symptoms rather than underlying causes merely set organizations up for future compliance breakdowns.

Final ComplianceLog Reflections

As corporate compliance professionals, our role parallels that of Starfleet officers, tasked with safeguarding our organizations against compliance risks that can threaten their very existence. The Star Trek episode “The Doomsday Machine” highlights the crucial importance of effective root cause analysis, which involves accurately identifying issues, collecting comprehensive data, understanding human factors, adhering to disciplined investigative procedures, and implementing sustainable solutions.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

Root Cause Analysis at Warp Speed: Lessons from Star Trek’s “The Doomsday Machine”

Compliance professionals are forever tasked with pinpointing the root causes behind organizational failures, missteps, or breaches. This deep dive is critical, not only for remediating issues but also for ensuring they do not recur. In this compliance exploration, let’s boldly go where few compliance bloggers have gone before, into the riveting episode “The Doomsday Machine.”

As a refresher, in “The Doomsday Machine,” the crew of the USS Enterprise encounters a planet-killing automated weapon of mass destruction from another galaxy. This relentless machine obliterates entire worlds to fuel itself. The Enterprise finds Commodore Matt Decker, captain of the now-destroyed USS Constellation, driven to obsession and near madness by his failure to protect his ship and crew from the Doomsday Machine. Commodore Decker’s flawed decisions and the ultimate resolution led by Captain Kirk provide rich material to glean essential lessons in root cause analysis for today’s compliance professionals.

Here are five lessons, each anchored directly in the narrative of this classic Star Trek episode, emphasizing how thorough root cause analyses can strengthen your compliance function and safeguard your organization.

Lesson 1: Identify the Problem to Solve the Correct Issue

Illustrated By: Commodore Decker incorrectly identifies the primary issue—he treats the Doomsday Machine as a conventional threat rather than an unfeeling, mechanical entity beyond traditional warfare. Driven by guilt and obsession, he assumes the machine can be fought head-on without thoroughly analyzing its origins or functions.

Compliance Lesson. In compliance terms, this parallels the imperative first step in any root cause analysis: defining the correct problem. Misidentifying the fundamental issue can lead to misguided corrective actions that fail to prevent recurrence. Compliance teams must focus clearly and objectively, free from bias, emotion, or hurried assumptions, on identifying the core compliance problem before proposing solutions.

Lesson 2: Gather Complete Data Before Making Decisions

Illustrated By: Commodore Decker’s hasty decisions are predicated upon incomplete and inadequate data. Driven by trauma from losing his crew, he commandeers the Enterprise in a futile, direct assault without fully understanding the nature of his adversary. His rushed judgment puts the entire Enterprise crew at risk.

Compliance Lesson. Compliance professionals must always gather comprehensive, factual, and relevant data before making decisions in a root cause analysis. Premature conclusions without thorough data gathering can lead to incomplete analyses, resulting in ineffective solutions and the recurrence of issues. Data completeness and accuracy must guide your investigative processes to ensure the development of appropriate and practical action plans.

Lesson 3: Recognize and Address Human Factors

Illustrated By: The human element, including stress, fatigue, and emotional response, significantly impacts decision-making. The psychological trauma of his losses compromises Decker’s mental state. Yet, no one initially intervenes to assess his emotional fitness for command. This omission exacerbates the crisis.

Compliance Lesson. In your root cause analyses, it is essential to consider human factors rigorously. Compliance issues rarely occur in a vacuum of policies and systems; they usually involve human decision-making under various pressures and emotions. Addressing these human factors explicitly helps in devising better support, more transparent communication, and strengthened leadership accountability.

Lesson 4: Establish and Follow Clear Protocols

Illustrated By: Captain Kirk, once back in command, establishes a disciplined approach to address the crisis. Kirk carefully follows clearly defined Starfleet procedures to formulate a rational, effective response to neutralize the Doomsday Machine. He remains calm, clear-headed, and systematic.

Compliance Lesson. Root cause analyses similarly benefit immensely from disciplined adherence to clearly established investigative protocols. Proper frameworks, such as the “Five Whys” and Ishikawa Fishbone Diagrams or other standardized methods, help teams structure their analyses logically, ensuring a thorough exploration of contributing factors and root causes. Such discipline and rigor prevent shortcuts and superficial solutions.

Lesson 5: Develop Sustainable Preventive Solutions, Not Temporary Fixes

Illustrated By: The Enterprise crew devises an effective solution by leveraging detailed knowledge of the Doomsday Machine’s design and vulnerabilities, destroying it by detonating the crippled USS Constellation from within. Their method isn’t simply a reprieve but a durable solution to eliminate the threat permanently.

Compliance Lesson. In compliance, root cause analyses aim to create permanent, preventive solutions. Short-term patches that treat symptoms rather than underlying causes merely set organizations up for future compliance breakdowns. Invest your efforts in sustainable solutions that incorporate procedural changes, enhanced training, strengthened oversight, or technological adjustments to prevent recurrence effectively.

Final ComplianceLog Reflections

As corporate compliance professionals, our role parallels that of Starfleet officers tasked with safeguarding our organizations against compliance risks that can threaten their very existence. The Star Trek episode “The Doomsday Machine” highlights the crucial importance of practical root cause analysis, which involves proper issue identification, comprehensive data collection, understanding human factors, adhering to disciplined investigative procedures, and implementing sustainable solutions.

By absorbing these vital lessons, compliance leaders can ensure they are fully equipped to navigate their organizations safely through even the most daunting compliance challenges. Indeed, conducting effective root cause analyses is more than just solving problems; it is essential to preserving integrity, sustainability, and corporate resilience.

In a universe fraught with unknown risks, it’s reassuring to know that diligent compliance practices and structured root-cause analyses can turn a potential disaster into confident, controlled responses. Star Trek may have brought us entertainment, but it also offers enduring, pragmatic lessons in compliance. So, compliance professionals, let us boldly analyze areas that have not been examined before, leveraging these lessons to fortify our organizations against whatever “doomsday machines” might arise next.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Leveraging Root Cause Analysis for Effective Compliance

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days of the series in January 2025, Tom Fox will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6–8 minutes, and will include three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will join us each day in January for this exploration of best practices in compliance.

In this final episode of our 31-day series, we dive into the importance of using root cause analysis for remediation in compliance programs. Emphasized by the ECCP and DOJ, an effective compliance program includes thorough root cause analysis to address misconduct and implement corrective actions. The process involves understanding who should perform the remediation, emphasizing independence and objectivity, integrating the information into solutions, and addressing deficiencies in internal controls. Key takeaways include using objective root cause analysis, effectively utilizing the information gathered, and implementing data-driven, repeatable solutions to prevent future issues. This episode provides valuable insights for compliance officers aiming to enhance their programs by focusing on root causes rather than just symptoms.

Key highlights:

  • Integrating Root Cause Analysis into Solutions
  • Regulatory Expectations and Internal Controls
  • Performing Effective Root Cause Analysis
  • Developing and Implementing Solutions

Resources:

Click here to receive a 20% discount on The Compliance Handbook, 5th edition, for listeners to this podcast.

Categories
Blog

Unseen Threats and Deduction: Compliance Lessons from The Adventure of the Lion’s Mane

Sherlock Holmes, the master of deduction, seldom worked without Dr. Watson. Yet in The Adventure of the Lion’s Mane, Holmes takes center stage in a quiet coastal town, solving a case that presents no apparent suspects, no human culprit, and a mystery rooted in the natural world. For corporate compliance professionals, this unusual story offers rich lessons about vigilance, adaptability, and the importance of robust investigative techniques. The story is unusual for several reasons, including Holmes’s first-person narrative. Also, the case involves an antagonist from the natural world instead of the human world.

Equally interesting are the lessons the story can teach the 21st-century compliance professional. Today, I will examine five key compliance lessons from Holmes’s encounter with the lion’s mane jellyfish. For additional information on the story and commentary, check out the podcast Compliance Lessons from The Lion’s Mane on the Compliance Podcast Network.

Unraveling Unseen Threats: The Importance of Root Cause Analysis

In this story, the victim collapses after screaming the cryptic words “The lion’s mane!” while bearing strange, whip-like marks on his body. At first, suspicion falls on human suspects, but Holmes’s methodical approach reveals the true cause: a Cyanea capillata jellyfish, an elusive and deadly natural threat. The case highlights a critical point for compliance professionals: risks may not always appear obvious, and solutions often require digging beneath the surface.

In the compliance world, it is often tempting to stop at the first explanation for misconduct, such as blaming individual employees or focusing on the visible symptoms of an issue. However, failing to identify the root cause leaves your organization vulnerable to repeated compliance failures. Whether you are dealing with third-party bribery risks, internal fraud, or systemic policy gaps, the Department of Justice has made clear in the 2024 Update to the Evaluation of Corporate Compliance Programs that a root cause analysis is a cornerstone of effective compliance programs, re-emphasizing the need both to perform a root cause analysis and, equally importantly, to use it to remediate your compliance program. It stated, “A hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It also pointed to what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and implementing measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

Adaptability in Unfamiliar Environments

Holmes’s seaside investigation takes him far from his usual London setting. Without the bustle of Baker Street or Watson’s steady presence, Holmes must rely entirely on his deductive skills and adaptability. This scenario mirrors the modern compliance officer’s challenge of addressing new and unfamiliar risks.

For example, your organization may expand into a new market or pivot its business model, exposing it to unfamiliar regulatory requirements or operational risks. In these situations, compliance professionals must act as business partners, guiding the organization through uncharted waters while ensuring compliance remains a priority.

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team that was part of the root cause analysis? Jonathan Marks believes the key is both “independence and objectivity.” An investigator or investigative team may be a subject matter expert and “therefore more qualified to get that particular recourse.” Yet, to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Accounting for External Risks

The lion’s mane jellyfish, a force of nature, represents the kind of external risk that organizations often overlook. External risks, whether from geopolitical shifts, third-party misconduct, or environmental factors, can devastate even the most robust compliance programs if not properly managed.

Consider the recent focus on supply chain risks. An organization may have strong internal controls, but a third-party supplier engaging in unethical practices can still expose it to liability. Therefore, due diligence and ongoing monitoring are essential to an effective compliance program. Some of the key actions you can take include the following:

  • Conduct comprehensive third-party due diligence before onboarding suppliers, agents, or contractors.
  • Regularly review external risks as part of your enterprise risk management (ERM) program.
  • Implement tools and technologies to monitor external developments in real-time, such as sanctions lists or geopolitical instability.

The Power of Patience and Observation 

Holmes’s resolution hinges on his meticulous observation of minor details: marks on the victim’s body, the jellyfish’s natural habitat, and the timeline of events. He doesn’t rush to conclusions or allow others’ assumptions to sway him. Instead, he systematically gathers evidence and applies his knowledge to reach the correct conclusion. This approach underscores the importance of methodical, data-driven investigations for compliance professionals. Whether handling an internal whistleblower complaint or responding to a regulatory inquiry, rushing the process can lead to missed details or flawed conclusions.

You may also have deficiencies in internal controls. Failing to remediate gaps in internal controls “allows additional errors or misconduct to occur and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2024 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

Communication as a Compliance Superpower

One of Holmes’s strengths lies in his ability to explain complex phenomena in a way others can understand. In this story, he demystifies the jellyfish’s deadly nature for the local community, helping them grasp their danger and take appropriate precautions. Communication is equally critical. Whether presenting findings to the board, conducting employee training, or preparing reports for regulators, you must convey complex information clearly and compellingly. The best compliance programs are not just comprehensive; they are understood and embraced by everyone in the organization.

For compliance professionals, there are several actions you can take. First, tailor your communication style to your audience, whether it’s frontline employees, senior leadership, or regulators. Next, use data visualization, case studies, and real-world examples to make your message relatable and memorable. Finally, foster a culture of transparency, ensuring employees feel empowered to ask questions and report concerns without fear of retaliation.

Final Thoughts 

The Adventure of the Lion’s Mane is a tale of hidden threats, careful investigation, and the power of critical thinking—qualities that resonate deeply with the compliance profession. Holmes’s success lies in adapting to unfamiliar circumstances, uncovering an unseen danger, and effectively communicating his findings. Compliance officers need these skills to navigate the complex and ever-changing corporate risk landscape.

As you reflect on Holmes’s seaside investigation, consider how his methods can inspire your compliance practices. Are you conducting root-cause analyses with the same rigor? Have you adapted your program to account for external risks? And most importantly, are you equipping your organization with the tools and knowledge to prevent compliance failures before they occur?

By channeling Sherlock Holmes’s spirit of deduction and vigilance, you can strengthen your compliance program and ensure it is prepared to face even the most unexpected challenges. When the next hidden risk emerges, you will be ready to solve the mystery with precision and confidence, just like Sherlock Holmes.

Categories
Everything Compliance

Everything Compliance: Episode 143, The North to South Episode

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we have the quartet of Matt Kelly, Jonathan Marks, and Karen Moore, with host Tom Fox wearing a double hat as a commentator as well. We take up Root Cause Analysis, DEI questions in the Boeing monitorship, failures at TD Bank, and a possible Caremark claim.

1. Matt Kelly takes a look into the commercial strategies that led to the compliance failures at TD Bank. He rants about the (now deleted) advertising campaign from Boston’s National Women’s Soccer League team announcing the new team with the tagline ‘too many balls’.

2. Jonathan Marks explains the differences between a Root Cause Analysis and investigations. He shouts out the WNBA and the person who solved the Golden Owl puzzle.

3. Karen Moore takes a deep dive into the district court’s request for more information on the impact of DEI on the Boeing monitorship. She rants about incivility in America’s supermarket parking lots.

4. Tom Fox takes a look at the potential Caremark claim against TD Bank for both Directors’ and Officers’ failures in their duties. He shouts out to the GOP-dominated Texas Legislature for subpoenaing Robert Roberson for an appearance before the House one day before his scheduled execution, and to the Texas Supreme Court for staying his execution until he could appear.

The members of Everything Compliance are:

The host, producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

Additional Resources:

1. Jonathan Marks on Root Cause Analysis on LinkedIn.

2. Matt Kelly on TD Bank’s Enforcement Action on Radical Compliance.

3. Tom Fox on the potential Caremark claims in the TD Bank case on the Compliance Podcast Network blog.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Lessons on Root Cause Analysis from John Deere

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Not only does the DOJ expect companies to perform a Root Cause Analysis during any investigation, but an RCA also helps to identify systemic issues for remediation.