Categories
Blog

Re-Calibrating Risk Assessments: Uncovering FTO and TCO Exposure in Cartel-Driven Economies

This blog continues our series focusing on the upcoming ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. It is also why compliance officers need to understand that this is not simply another enforcement trend. It is a structural change in how risk must be assessed, governed, and managed. Today, I want to explore why you need to recalibrate your risk assessment in light of the US’s shift in classifying cartels from criminal organizations to Foreign Terrorist Organizations (FTOs).

For years, many companies treated cartel risk as a regional security issue, a physical safety issue, or a narrow sanctions-screening issue. That approach is no longer sufficient. Cartel-driven economies now create enterprise risk across sales, supply chain, procurement, logistics, human resources, community relations, government affairs, security, and internal controls. The CCO must help the organization move from episodic screening to a dynamic, evidence-based risk assessment model that identifies where the business may be exposed to Foreign Terrorist Organization (FTO) and Transnational Criminal Organization (TCO) risks.

The legal and enforcement environment has shifted. Executive Order 14157 established a process for certain international cartels and other organizations to be designated as FTOs or Specially Designated Global Terrorists, and described those organizations as threats to U.S. national security, foreign policy, and the economy. OFAC later issued an alert identifying eight designated organizations and warning that companies with operations in, or exposure to, high-risk jurisdictions where designated cartels are active should assess their sanctions compliance controls. That is the compliance lesson. This is not simply a legal list update. It is a risk assessment reset.

Cartel-Driven Economies Change the Risk Ranking Model

Traditional compliance risk assessments often rank risk by country, business unit, transaction value, government touchpoints, and third-party type. Those variables still matter. But cartel-driven economies require additional factors: territorial control, coercive influence, infiltration of local business networks, labor pressure, logistics-route control, cash intensity, proximity to ports or borders, public security risks, and the likelihood that a legitimate counterparty may be owned, controlled, taxed, extorted, or otherwise influenced by criminal organizations.

The ranking model should distinguish between three types of exposure. First, direct exposure, where a company deals with a designated party or a party it owns or controls. Second, indirect exposure, where a supplier, distributor, customer, logistics provider, labor broker, or security vendor is connected to cartel-linked actors. Third, environmental exposure, where the company operates in a geography or sector where coercion, extortion, or criminal facilitation is a predictable operating condition.

The DOJ’s Evaluation of Corporate Compliance Programs (ECCP) asks whether third-party management is risk-based, integrated into vendor management, supported by business rationale, tied to appropriate contract terms, and subject to ongoing monitoring. Those questions should now be applied not only to anti-bribery risk, but also to FTO and TCO risk.

Create an Internal FTO Working Group

A company cannot manage this risk through sanctions screening alone. The CCO should establish an internal FTO working group with a clear charter, executive sponsorship, and board reporting. The group should include compliance, legal, sanctions, AML, procurement, sales, finance, logistics, security, HR, government affairs, community relations, internal audit, and enterprise risk management.

Its mandate should be practical: identify exposures, refresh risk rankings, define escalation protocols, review high-risk contracts, approve enhanced due diligence standards, monitor emerging typologies, and track remediation efforts. It should also define when the company will suspend a transaction, reject a counterparty, exit a relationship, seek external counsel, notify insurers, or brief the board. This working group should meet frequently at the outset, then move to a risk-based cadence. Its output should not be a memo that sits on a shelf. It should produce a revised heat map, a prioritized counterparty review list, an action tracker, and control enhancements that can be tested by internal audit.

Leverage Existing Risk Assessments

The most efficient approach is not to create a wholly separate FTO risk assessment. The better approach is to integrate FTO/TCO risk into existing assessments. Your FCPA risk assessment already identifies government touchpoints, customs brokers, permitting issues, gifts and entertainment, charitable donations, intermediaries, consultants, and high-risk payments. Those same data points are highly relevant to cartel exposure because criminal networks often exploit local permitting, customs clearance, transportation, public security, and procurement systems.

The business and human rights assessment also provides critical intelligence. The UN Guiding Principles on Business and Human Rights recognize a corporate responsibility to respect human rights through due diligence that avoids infringing on the rights of others and addresses adverse impacts with which the business is involved. In cartel-affected markets, human rights due diligence can reveal forced labor, threats against workers, community intimidation, unsafe security practices, land-access disputes, migrant exploitation, and labor-broker abuse.

Sanctions, AML, trade compliance, cybersecurity, and fraud risk assessments should also be mined. Look for recurring names, addresses, beneficial owners, banks, payment patterns, shell entities, shared directors, unusual routes, unexplained subcontractors, and counterparties that appear across unrelated business units.

Review Major Contracts and Customers for FTO/TCO Risk

Companies often focus due diligence on suppliers and intermediaries, while under-reviewing major customers. That is a mistake. A customer can create sanctions, money-laundering, books-and-records, reputational, and material-support risks. The company should identify major contracts in high-risk geographies and sectors, then re-rank them based on ownership transparency, payment behavior, sector exposure, government interaction, logistics routes, and local operating conditions. High-risk contracts should include enhanced representations, beneficial ownership update obligations, audit rights, sanctions, and FTO/TCO clauses, payment transparency requirements, subcontractor disclosure, termination rights, and controls over cash, commissions, rebates, donations, sponsorships, and community payments.

A contract should move into enhanced review when the business cannot explain the counterparty’s commercial rationale, when pricing is uneconomic, when payment comes from unrelated parties, when revenue spikes in cartel-affected regions, when the counterparty refuses beneficial ownership disclosure, or when local employees report pressure to use a particular vendor, union, broker, transporter, or security provider.

Detect Commingling of Legitimate and Illegal Activity

The core challenge is commingling. Cartels do not always operate through obviously illicit entities. They use logistics companies, fuel businesses, casinos, real estate, import-export companies, labor brokers, charities, community organizations, and professional service providers.

Recent enforcement actions show the point. Recently, the US Department of the Treasury announced multiple CJNG-linked fuel schemes involving cross-border smuggling, falsified customs documents, and shell companies. OFAC also described cartel-linked casino activity used to launder proceeds and integrate illicit funds into the legitimate financial system. For compliance professionals, these examples reinforce a familiar truth: a company’s legal form is not the same as its risk profile.

Detection requires data and local intelligence. Compare invoices to actual services. Review customs documentation against logistics activity. Test whether vendors have employees, assets, facilities, and capacity. Analyze payment flows for round-dollar amounts, rapid pass-through activity, third-party payments, and mismatches between business size and transaction volume. Monitor hotline reports for references to threats, forced vendors, security payments, labor pressure, and community demands.

Functions That Must Be in Scope

Supply chain must map critical suppliers, second-tier exposure, logistics corridors, warehousing, border crossings, ports, and emergency sourcing decisions. HR must assess labor brokers, recruitment channels, employee intimidation, workplace violence, the risk of retaliation, and escalation pathways for threatened employees. Community relations must review donations, sponsorships, local foundations, land-access payments, and community intermediaries. Union relations must assess whether labor organizations or labor contractors are being used as pressure points. Government affairs must evaluate permitting, customs, inspections, police interaction, and local political exposure. Security must review private security providers, public security coordination, incident response, travel protocols, and extortion procedures. The board should ask one question above all others: where could the company be doing legitimate business through a channel that criminal actors influence, control, or monetize?

Practical Takeaways

CCOs should refresh the risk assessment now, not after a transaction is called into question. Build the FTO working group, integrate existing FCPA and human rights intelligence, re-rank major contracts and customers, and test controls for commingling. The objective is not perfection. The objective is a documented, risk-based, board-visible process that shows the company understands its exposure, updates its controls, and acts when the risk profile changes.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For a complete list of the agenda, click here. You can receive a 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
FCPA Compliance Report

FCPA Compliance Report: Managing Compliance and National Security Risks When Doing Business in the DRC, Part 1

In this episode, Tom Fox welcomes David Simon, Partner at Foley & Lardner; Jack Korba, Of Counsel at Foley & Lardner; and Olivier Bustin, a Partner at Pinsent Masons, to talk about doing business in and with the Democratic Republic of the Congo (DRC). This is the first part of a two-part series on this topic. The guests present a detailed approach to evaluating and managing travel into a high-risk country or region.

The three argue that while governance and logistics risks remain, improved infrastructure and heightened strategic importance of the DRC’s critical minerals (including cobalt, coltan, lithium, manganese, and rare earths) make risks more manageable and the market more relevant, with noted U.S. government continuity across administrations. They discuss opportunities beyond mining, including power, logistics, banking/insurance, tech, entertainment, and education, while emphasizing infrastructure and bankability constraints. Korba outlines national security, sanctions/export controls, and supply chain “adjacency” risks, as well as the need for sector-specific analysis. The panel highlights “choke points” stemming from concentrated power and weak institutions, and Bustin explains why local content/ownership rules and patronage dynamics require diligence that goes beyond nominal ownership. They conclude by applying a risk-based compliance approach, devoting enhanced resources to higher-risk projects and counterparties.

Key highlights:

  • Why DRC Now
  • Beyond Mining Opportunities
  • National Security Risks
  • Choke Points Explained
  • Local Ownership Diligence
  • Risk-Based Compliance

Resources:

David Simon

Jack Korba

Olivier Bustin

Foley & Lardner

Pinsent Masons

The Democratic Republic of the Congo as a Near-Term Strategic Opportunity for U.S. Companies Part 1

Part 2

Part 3

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out my latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
AI Today in 5

AI Today in 5: June 3, 2026, The From No Control to Total Control Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. AI compliance needs risk management from day one. (FinTech Global)
  2. Driving AI-powered AML. (Finovate)
  3. Traditional KYC is no longer effective. (FinTech Global)
  4. Deskilling in healthcare. (Healthcare Dive)
  5. Trump wants AI companies to get government approval. (NYT)

For more information on the use of AI in compliance programs, Tom Fox’s new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

To learn about the intersection of Sherlock Holmes and the modern compliance professional, check out Tom’s latest book, The Game is Afoot-What Sherlock Holmes Teaches About Risk, Ethics and Investigations on Amazon.com.

Categories
Blog

The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos Part 4: Animal as Chief Operating Risk Officer: Managing Chaos Before Chaos Manages You

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. Today, we conclude by looking at The Animal problem. This series has used the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every organization has an Animal. Sometimes it is a person. Sometimes it is a business unit. Sometimes it is a revenue stream so profitable that leadership stops asking difficult questions. But every organization eventually encounters a force that is energetic, productive, volatile, difficult to control, and capable of creating enormous operational damage if left unmanaged. That is Animal.

As Chief Operating Risk Officer, Animal represents a truth many organizations struggle to confront: the greatest operational risks are often tolerated because they generate short-term success. An animal is loud, destructive, impulsive, emotional, and frequently one bad day away from catastrophe. Yet he is also highly effective in the environment for which he was designed. He brings energy, intensity, speed, and momentum.

The problem is not that Animal exists. The problem is when the organization mistakes unmanaged volatility for sustainable performance. That is where compliance, governance, and operational discipline become critical.

Operational Risk Rarely Arrives Quietly

One of the most dangerous assumptions organizations make is that operational failure arrives gradually and predictably. Often, it does not. Operational breakdowns tend to emerge after warning signs have already been normalized:

  • repeated policy exceptions,
  • constant escalation failures,
  • excessive workload pressure,
  • ignored complaints,
  • control fatigue,
  • unmanaged third parties, and
  • and high-performing employees who are allowed to operate outside established expectations.

Animal embodies this normalization problem perfectly. Everyone knows he is dangerous. Everyone knows he is unpredictable. Everyone knows he creates operational instability. Yet the organization repeatedly tolerates the behavior because the show benefits from his energy. This is how many operational crises develop in real organizations. The issue is rarely ignorance. The issue is tolerance.

The Compliance Challenge of High-Performing Risk Creators

One of the DOJ’s most important compliance questions is whether organizations apply discipline consistently, regardless of title, status, or revenue generation. That sounds straightforward. In practice, it is extraordinarily difficult. Organizations routinely create informal exceptions for:

  • top producers,
  • senior executives,
  • innovative teams,
  • politically connected employees, and
  • and operational leaders are perceived as indispensable.

An animal represents this exact governance problem. A mature compliance program recognizes that unmanaged high performers create enterprise risk because they gradually teach the organization that controls are optional for the “right” people. Once that message spreads, culture deteriorates quickly. Employees notice:

  • who gets exceptions,
  • whose misconduct is ignored,
  • whose violations are minimized, and
  • and whether leadership consistently enforces standards.

That is why operational risk is deeply connected to culture. Operational instability rarely begins with a single process failure. It usually begins with accountability failure.

Animal and the Failure of Escalation

Perhaps the most dangerous thing about Animal is not his volatility. The organization tends to underestimate the seriousness of the risk until after damage occurs. This reflects a common corporate governance problem: escalation fatigue. Over time, organizations become accustomed to recurring dysfunction:

  • “That is just how he operates.”
  • “That team is always difficult.”
  • “They are under pressure.”
  • “The business results justify the headaches.”
  • “We can manage around it.”

Those statements are operational-risk warning signs. A mature compliance program must create escalation structures capable of identifying:

  • repeated near misses,
  • recurring control failures,
  • cultural deterioration,
  • operational shortcuts, and
  • and conduct risks before they evolve into crises.

An animal should not require an explosion before leadership intervenes. Unfortunately, many organizations wait for exactly that moment.

Root Cause Analysis Matters

When operational failures occur, organizations often focus immediately on the visible event:

  • the failed transaction,
  • the misconduct,
  • the regulatory inquiry,
  • the system failure, and
  • or the public embarrassment.

But effective governance requires deeper analysis. The ECCP specifically emphasizes root cause analysis because sustainable remediation depends on understanding why the failure occurred in the first place. With Animal, the obvious answer might be: “Animal lost control.”

But the real questions are:

  • Why was the risk tolerated repeatedly?
  • Why were escalation signals ignored?
  • Why were controls insufficient?
  • Why did leadership normalize the volatility?
  • Why were prior incidents dismissed as isolated?

Those questions move the organization from blame to governance. A mature compliance function should always ask whether operational failure reflects:

  • incentive problems,
  • leadership failures,
  • staffing pressures,
  • inadequate oversight,
  • resource constraints, and
  • or cultural normalization of misconduct.

Without root cause analysis, organizations simply reset the stage for the next crisis.

Speak-Up Culture and Operational Risk

Animal also highlights the importance of a culture of speaking up. In many organizations, employees recognize operational risk long before leadership does. The problem is that employees often conclude:

  • raising concerns changes nothing,
  • leadership already knows,
  • retaliation risk is too high,
  • or operational pressure outweighs ethical concerns.

That silence becomes dangerous. The DOJ increasingly expects organizations to maintain effective reporting channels, anti-retaliation protections, and meaningful investigative response mechanisms. But a speak-up culture is not merely a hotline issue. It is a credibility issue. Employees must believe:

  • concerns will be heard,
  • escalation will occur,
  • retaliation will not be tolerated,
  • and leadership is willing to intervene even when operational performance is affected.

In Animal’s world, the organization often appears resigned to the chaos. That resignation is itself a governance failure.

Crisis Management Is a Governance Discipline

Animal is also a reminder that crisis management is not public relations. It is governance under pressure. Operational crises test:

  • leadership credibility,
  • escalation systems,
  • internal communication,
  • decision-making discipline,
  • documentation quality, and
  • and organizational resilience.

Strong organizations prepare for operational disruption before it occurs. That means:

  • crisis-management protocols,
  • escalation matrices,
  • tabletop exercises,
  • communication plans,
  • cross-functional coordination, and
  • and clear authority structures.

Animal should never be the organization’s first operational surprise.

Yet many companies operate as though volatility itself is unpredictable when, in reality, warning signs existed for months or years. The question is whether leadership chose to recognize them.

Control Fatigue Is Real

One of the most overlooked operational risks is control fatigue. When organizations operate under constant pressure, employees gradually begin bypassing safeguards:

  • approvals become rushed,
  • documentation becomes incomplete,
  • exceptions become routine,
  • monitoring weakens,
  • and oversight becomes reactive instead of preventive.

Animal accelerates this dynamic because his operational style rewards speed and intensity over discipline and sustainability. That creates a dangerous cycle:

  1. pressure increases,
  2. controls weaken,
  3. near misses increase,
  4. normalization expands, and
  5. and eventually failure becomes inevitable.

A mature compliance program continuously monitors for this pattern because operational collapse rarely occurs without warning.

5 Key Takeaways for the Compliance Professional

1. Operational risk is often tolerated because it produces results.

Organizations must resist creating informal exceptions for high-performing but destabilizing individuals or business units.

2. Escalation failures are early warning signs.

Repeated policy exceptions, ignored concerns, and normalized dysfunction frequently precede major operational breakdowns.

3. Root cause analysis is essential for sustainable remediation.

Organizations should investigate not only what failed, but why leadership and controls allowed the failure to persist.

4. Speak-up culture directly affects operational resilience.

Employees must trust that concerns will be heard, investigated, and acted upon without retaliation.

5. Crisis management is a governance function.

Effective organizations prepare for operational disruption through planning, escalation structures, monitoring, and cross-functional coordination.

The Final Governance Lesson

Across this series, Kermit, Piggy, Gonzo, and Animal together represent the four forces constantly shaping corporate governance:

  • leadership,
  • reputation,
  • innovation,
  • and operational risk.

The lesson is not that organizations should eliminate strong personalities, ambition, experimentation, or intensity. The lesson is that mature governance recognizes these forces early and builds systems capable of channeling them responsibly.

Kermit provides stability.

Piggy creates visibility.

Gonzo drives innovation.

Animal tests the strength of operational controls.

Every organization contains all four. The real question for compliance professionals is whether the governance structure is strong enough to keep the theater standing when all four are operating at the same time. Because eventually, they will be.

Long Live The Muppets

Categories
Compliance Into the Weeds

Compliance into the Weeds: Banking Regulators Cut Model Risk Guidance: Implications for Compliance, Audit, and AML Oversight

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore it more fully, and looking for some hard-hitting insights on compliance. Look no further than Compliance into the Weeds! In this episode of Compliance into the Weeds, Tom Fox and Matt Kelly discuss new Federal Reserve, FDIC, and OCC model risk management guidance issued late Friday, arguing it replaces detailed, bright-line expectations with thin, principles-based language.

They contrast the prior OCC guidance (109 pages) with the new 12-page document, saying it describes model risk governance abstractly but offers little direction on what banks should do, leaving decisions about materiality and oversight to management. They highlight practical consequences for bank compliance and internal audit, including reduced leverage to insist on prudent governance, potential weakening of AML model oversight under the strict-liability Bank Secrecy Act, and the risk of more arbitrary enforcement amid reduced regulatory staffing. They also note that the guidance excludes AI models, with future AI guidance promised only through a later comment process.

Key highlights:

  • From 109 pages to 12
  • Principles vs specifics debate
  • Internal audit sidelined
  • Regulators and capacity cuts
  • AI models left out 

Resources:

Matt on Radical Compliance

 Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast. Compliance into the Weeds has been conferred a Davey, a Communicator Award, and a W3 Award, all for podcast excellence.

Categories
Blog

AI Risk Appetite: The Conversation Boards Are Not Having

There is a quiet but serious problem developing in boardrooms around AI. Directors are hearing about innovation. They are hearing about productivity gains. They are hearing about competitive pressure, transformation, and speed. What they are not hearing enough about is risk appetite. That is the missing conversation.

Most companies are already using AI in one form or another. Some are deploying enterprise tools. Some are approving vendor solutions with embedded AI. Some are allowing business units to experiment in a controlled fashion. Some, of course, are doing all of the above and pretending it is a strategy. Yet for all the discussion about adoption, there has been far less focus on a basic governance question: what level of AI-driven decision risk is acceptable for this company? That is not a technical question. It is a board question.

The Risk Appetite Gap in AI Governance

AI is not simply another software purchase. It can influence recommendations, rankings, forecasts, summaries, classifications, and decisions. It can operate upstream from business judgments or directly within them. It can affect customer communications, hiring decisions, compliance monitoring, internal investigations, financial analysis, and reporting workflows. So the central governance challenge is not whether AI exists in the enterprise. It is how much authority the company is willing to give it, in what contexts, with what controls, and with what margin for error. If you do not define that, you do not have AI governance. You have AI optimism.

What Is AI Risk Appetite?

At its core, AI risk appetite is the level and type of AI-related risk an organization is willing to accept in pursuit of business value. That includes a series of questions boards ought to be asking. How much error is acceptable in AI-generated output before a human must intervene? Which uses are low-risk productivity enhancements, and which are sensitive, consequential, or reputation-threatening? In what contexts can AI make recommendations only, and in what contexts can it influence or automate action? How much dependence on opaque third-party models is acceptable? What degree of explainability does the company require for different use cases? When does speed stop being a benefit and start becoming exposure?

Many boards are currently discussing AI deployment without ever discussing AI tolerance. That is like approving a global third-party strategy without deciding what level of distributor risk, sanctions exposure, or bribery risk the company is prepared to accept. No compliance professional would recommend that. Yet in AI, organizations do versions of it every day.

Why Boards Avoid the Conversation

There are several reasons boards have been slow to engage on AI risk appetite.

First, the technology moves fast, and the terminology can become a fog machine. Directors do not want to look uninformed, so discussions often stay broad and strategic. Second, management may not yet have the internal inventory or classification framework needed to make a risk-appetite conversation concrete. Third, many companies are still in an experimentation phase, which creates the illusion that formal governance can come later. Fourth, there is a natural tendency to believe AI risk belongs to IT, legal, or security, rather than to enterprise oversight.

AI risk appetite cannot be delegated away because it intersects with business judgment, ethics, records, privacy, data governance, resilience, and culture. It cuts across functions. It also cuts across reputational boundaries. If a company uses AI in a way that produces unfair results, faulty decisions, poor disclosures, or customer harm, nobody is going to say, “Well, that was a technical issue, so the board need not have been involved.” Boards do not get a hall pass when the governance system is missing.

The Conversations Boards Need to Be Having

Risk Map. The first conversation is about where AI sits on the company’s risk map. Is AI a productivity tool, a strategic platform, a decision-support capability, or some combination of all three? The answer matters because it affects the level of oversight. A company using AI for internal drafting support faces one type of exposure. A company using AI in customer-facing interactions, underwriting, hiring, fraud detection, or compliance monitoring faces another challenge.

Decision Significance. Boards need to ask where AI is being used in decisions that affect legal rights, financial outcomes, customer treatment, employment status, compliance judgments, or public disclosures. Not all uses are equal. A board that treats AI use in marketing copy the same as AI use in employee discipline is not governing. It is lumping.

Acceptable Error and Human Review. Boards should ask: what level of inaccuracy can the company tolerate in a given use case, and who is accountable for checking the output before action is taken? Human oversight has become one of those phrases everybody likes, and few define. Directors need something more disciplined. When is review mandatory? What does a meaningful review look like? What evidence shows that the reviewer is not simply rubber-stamping machine output?

Data and Model |Dependency. What data is being used? Who owns it? Who has the right to it? How current is it? Are third-party vendors changing capabilities under existing contracts? Is the company becoming dependent on systems it does not fully understand or cannot easily audit? Boards should not need to know how the engine works, but they absolutely need to know whether the company is driving a car with uncertain brakes.

Incident Tolerance and Escalation. What types of AI failures must be reported to senior leadership or the board? A hallucinated internal memo may be embarrassing. A flawed AI-assisted hiring screen or customer communication may be far more serious. The board should ensure management has defined materiality thresholds before an incident occurs, not after the headlines begin.

The CCO’s Role in Shaping the Conversation

This is where compliance officers can be enormously helpful.

The CCO is often the person in the enterprise most experienced at turning abstract risk into operating discipline. Compliance knows how to frame risk-based governance. It knows how to create escalation structures, policy frameworks, investigations protocols, and oversight dashboards. It knows that culture and control design matter just as much as rules. Here are four ways to do so.

  1. A CCO can help management develop a tiered inventory of AI use cases. This is essential. Boards cannot discuss appetite in the abstract. They need to see the map. Which uses are low risk? Which are medium? Which are high? Which are prohibited absent specific approval?
  2. Compliance can help translate legal, ethical, and operational concerns into board-level language. Directors do not need a seminar on neural networks. They need clear framing around consequences, control points, accountabilities, and thresholds.
  3. A CCO can help build governance around human review, documentation, and escalation. If the company says a human is responsible, compliance can help test whether that responsibility is real, documented, and operational.
  4. Compliance can keep the conversation grounded in how people actually behave. Employees will choose convenience. Business teams will move quickly. Vendors will market aggressively. Managers may trust the generated output more than they should. A good compliance officer knows that policy must be built for actual human behavior, not ideal behavior.

Compliance as Risk Mitigation and Business Enablement

One of the enduring frustrations in compliance is that governance is often viewed as a speed bump until something goes wrong. AI gives us another chance to make the larger point. Governance does not slow innovation. Bad governance slows innovation by causing rework, distrust, remediation, and public embarrassment.

A well-defined AI risk appetite does the opposite. It gives the business clarity. It tells innovation teams where they can move quickly and where they must slow down. It helps procurement negotiate the right terms. It helps managers know when to escalate. It helps employees understand when they may rely on AI and when they must verify it. Most importantly, it gives the board a strategic rather than reactive basis for oversight.

That is compliance at its best. Not Dr. No, from the Land of “no,” but the function that makes responsible growth possible.

Final Thoughts

Boards need not fear AI. But they do need to govern it. And governance begins with clarity about appetite. If your board has discussed an AI opportunity but not AI tolerance, it has only had half the conversation. If your company has adopted tools but has not defined acceptable levels of error, autonomy, dependency, and oversight, it is operating on hope. Hope, as every compliance professional knows, is not a strategy and certainly not a control.

Here are the questions I would leave you with. Has your board defined what level of AI-driven decision risk it is willing to accept? Can management explain how that appetite changes across low-risk and high-risk use cases? And can your compliance function show, with evidence, whether the company is operating inside those lines? If the answer is no, then the conversation boards may be the most important AI conversation of all.

Categories
AI Today in 5

AI Today in 5: March 25, 2026, The AI Risk Handbook Edition

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the AI Today In 5. All, from the Compliance Podcast Network. Each day, we consider five stories from the business world, compliance, ethics, risk management, leadership, or general interest about AI.

Top AI stories include:

  1. Why your AI factory will fail without compliance and security. (Forbes)
  2. Amazon introduces agentic AI for healthcare. (AHA)
  3. Cisco announces security tools for AI agents. (Yahoo! Finance)
  4. New regulatory mandates for finance risk assessments. (FinTechGlobal)
  5. AI risk handbook for finance. (FinTechGlobal)

For more information on the use of AI in Compliance programs, my new book, Upping Your Game, is available. You can purchase a copy of the book on Amazon.com.

Categories
All Things Investigations

ATI In-House Insights: Challenges and Tips for Navigating a Changing Risk Landscape with Sarah Iles

In this episode of the ATI: InHouse Insights Podcast, Mike DeBernardis speaks with seasoned in-house compliance leader Sarah Isles about navigating an ever-changing risk landscape shaped by political, geopolitical, regulatory, and technological shifts. 

Sarah shares her background across manufacturing sectors and discusses how multinational compliance risks evolve as jurisdictional priorities shift, including sanctions, export controls, tariffs, sustainability, labor rights, data protection, and AI. They identify internal challenges, including a lack of infrastructure to address new risks, siloed ownership, and weak change management, and emphasize clear governance and accountability. Sarah advises “back to basics,” using DOJ’s Evaluation of Corporate Compliance Programs, focusing on real risk mitigation over form-heavy questionnaires, keeping communication channels open through formal committees and informal connections, scaling risk assessments appropriately, targeting communications to relevant audiences, escalating thoughtfully, and building resilient programs by expecting and embracing constant change.

Key highlights:

  • Geopolitics Drives Risk
  • Internal Adaptation Hurdles
  • Silos and Ownership
  • Culture and Change
  • Proactive Compliance Basics
  • Partnering With Business
  • Right-Sized Risk Assessments
  • Communicating Emerging Risks

Resources:

Sarah Iles LinkedIn

Mike DeBernardis LinkedIn

ATI: In-House Insights Podcast

Hughes Hubbard & Reed Website

Categories
Blog

Returning to Venezuela: Part 2 – Bribery, Corruption and the Risks You Must Confront Before You Enter

We continue our review of bribery and corruption issues (ABC) that you must address before you travel to Venezuela.  There is another set of problems that every compliance professional will face if their company decides to go into Venezuela. It is systemic corruption. Not episodic corruption. Not bad actors at the margins. Systemic, embedded, institutionalized corruption that touches government agencies, state-owned enterprises, procurement systems, and the judiciary. This is not a theoretical risk. It is the operating environment.

The Department of Justice (DOJ) has made clear in the Evaluation of Corporate Compliance Programs (ECCP) that high-risk jurisdictions require tailored, well-resourced, and empowered compliance programs. Venezuela is the textbook example of why. Over the next several blog posts, we will explore some of the key issues every company and every CCO will face when considering whether to enter (or re-enter) Venezuela. In Part 2, I will consider the second half of the 10 ABC risks a compliance professional will face. Later in this series, we will then consider AML risk, export control and trade sanctions, security risks, and end with operational risks.

In Part 1, we described the corruption environment. In Part 2, we consider what happens when companies actually try to operate inside it. This is where theory meets pressure. We begin our numbers with 6, picking up where we left off yesterday.

6. Extortion Is Not a Defense

In Venezuela, companies are often told, “You have no choice.” Payments are demanded to release cargo, protect personnel, or continue operations, sometimes thinly veiled as “fees” for expedited treatment. Venezuelan law itself recognizes extortion as a corruption offense, in which a public official abuses their position to demand an undue benefit. Under Venezuelan anti-corruption law, extortion (called concussion) carries criminal penalties and fines.

At the same time, U.S. enforcement views participation in extortion as a compliance red flag. While coercion can be a mitigating factor in narrow circumstances under the Foreign Corrupt Practices Act (FCPA) or the Foreign Extortion Prevention Act (FEPA), repeated payments, disguised invoices, or third-party routing create evidence of complicity. Deciding to pay from the field without escalation essentially decides for the company, and compliance will struggle to justify it under an ECCP review. Compliance professionals must define escalation paths, refusal protocols, and clear exit points before any signs of extortion arise. Waiting to decide “in the moment” is too late.

Compliance Response

1. Assessment Controls

  • Identify operational choke points where officials or intermediaries can halt operations, including ports, customs, checkpoints, utilities, and inspections.
  • Assess historical incidents involving detentions, delays, threats, or asset seizure tied to payment demands.
  • Map scenarios where employee safety or operational continuity could be leveraged for improper payments.

2. Management Controls

  • Establish a zero-tolerance policy for extortion payments, with narrowly defined emergency exceptions tied to imminent health or safety threats.
  • Implement pre-approved emergency response protocols for detentions, threats, or seizures.
  • Prohibit third-party routing, recharacterization, or retroactive approval of payments in the context of extortion scenarios.
  • Require contemporaneous documentation of all extortion-related incidents and decisions.

3. Monitoring

  • Track frequency, location, and duration of detentions or operational stoppages.
  • Review off-cycle, urgent, or cash payment requests for patterns.
  • Audit expense categories are commonly used to disguise extortion payments.

4. Board Oversight

  • Where are we most exposed to extortion pressure?
  • How often are emergency exceptions invoked, and are they increasing?
  • At what point do we pause or exit operations rather than continue under pressure?

7. Third Parties as the Primary Corruption Vector

In Venezuela, third parties are the everyday vectors through which corruption pressure crystallizes. Agents, customs brokers, logistics providers, security vendors, and even local fixers frequently serve as the conduit for improper value transfers. These intermediaries claim to navigate Venezuela’s opaque systems, but they also create liability if their actions result in bribery or improper advantage.

Pressure points are endemic and include:

  • Customs clearance: Goods may be held pending unofficial “service fees” or clearance bribes.
  • Port operations: Terminal operators or officials may demand payments for priority access.
  • Transportation: Toleration at checkpoints is often predicated on unofficial payments.
  • Security arrangements: Local guards or militia may demand fees for access or protection.
  • Licensing follow-up: Expediency “services” are offered at a premium.

Third parties promise solutions. They also create liability when their conduct crosses legal lines. Under the ECCP, regulators will ask whether the company understands and monitors how these third parties operate in practice, not just whether it has a diligence checklist. Paper diligence alone is insufficient where pressure is constant, and corruption vectors hide in plain sight.

Compliance Response

1. Assessment Controls

  • Classify third parties by function (customs, logistics, security, licensing), not by spend alone.
  • Identify third parties that interact directly with government officials.
  • Assess compensation structures for success fees, urgency premiums, or discretionary payments.

2. Management Controls

  • Apply enhanced due diligence to high-pressure third-party functions.
  • Require detailed, verifiable scopes of work tied to legitimate services.
  • Mandate compliance approval before onboarding or paying high-risk third parties.
  • Prohibit subcontracting or pass-through arrangements without prior written approval.

3. Monitoring

  • Conduct invoice analytics to identify duplications, rounding issues, urgency issues, or vague descriptions.
  • Monitor third-party performance against contractual scope and deliverables.
  • Review third parties involved in repeated government interactions or escalations.

4. Board Oversight

  • Which third-party functions create the greatest corruption pressure?
  • How do we verify what third parties do in practice?
  • When do we terminate a third-party relationship rather than attempt remediation?

8. Organized Crime and the Blurred Line of “Business”

In Venezuela, organized crime intersects with commerce, logistics, and even parts of the formal economy. Corruption and criminal networks often coalesce in sectors like mining, fuel distribution, and transport infrastructure, where armed groups and informal power structures exercise influence. Some of these networks are intertwined with state actors, and corruption and illicit activity can reinforce one another.

For compliance professionals, this means recognizing when business relationships drift into criminal entanglement. That drift is not always obvious at contract signing. Contracts negotiated under duress or through intermediaries with opaque ownership may conceal criminal activity. Continuous monitoring matters precisely because initial signals are subtle. The line between a vendor and a syndicate can be ecosystem-specific and may manifest in patterns of behavior, unexplained payments, or associations with known corrupt actors.

This is also where AML risk begins to dominate. When organized crime is part of the value network, it is present through smuggling rings, illicit fuel markets, or bribery conduits.  The controls for bribery, AML, sanctions, and export compliance must interlock to detect and escalate suspicious patterns.

1. Assessment Controls

  • Screen vendors and partners for criminal exposure, unusual affiliations, and opaque ownership.
  • Assess whether services operate in sectors known for illicit activity, including fuel distribution, logistics, or private security.
  • Review beneficial ownership structures and local power dynamics.

2. Management Controls

  • Integrate anti-bribery, AML, and sanctions screening for high-risk vendors.
  • Require certifications regarding lawful sourcing, operations, and subcontractors.
  • Prohibit informal arrangements, undocumented services, or side agreements.

3. Monitoring

  • Monitor for cash-intensive activity without commercial justification.
  • Track changes in ownership, management, or operational behavior.
  • Escalate associations with known illicit markets, actors, or criminal networks.

4. Board Oversight

  • How do we detect drift from legitimate commerce into criminal entanglement?
  • What triggers an immediate suspension or exit?
  • Are our controls sufficient to identify concealed criminal exposure?

9. Currency, Pricing, and Manipulation Pressure

Venezuela’s economic distortions, including exchange controls, multiple currency rates, and the scarcity of hard currency, create fertile ground for corruption. Access to U.S. dollars through official channels is tightly controlled, which historically has led companies and intermediaries to engage in schemes to secure foreign exchange at preferential rates. A notable U.S. enforcement action involved a major telecommunications subsidiary that allegedly bribed officials to gain access to a currency auction and disguised corrupt commissions through inflated equipment purchases.

These distortions become more than operational headaches. They create incentives for side payments and off-book arrangements on pricing and contracts. These practices are not just bribery issues. They implicate accounting integrity, financial reporting, AML vigilance, and sanctions exposure. Once money flows lose transparency, whether through inflated vendor invoices, opaque currency conversions, or third-party routing, compliance loses line-of-sight and control. This intersection reinforces why a compliance program must integrate transactional monitoring and financial controls alongside anti-bribery controls to detect anomalies that traditional gift/entertainment policies won’t reveal.

Compliance Response

1. Assessment Controls

  • Identify exposure to foreign exchange approvals, currency scarcity, and pricing discretion.
  • Review historical pricing anomalies or currency-related workarounds.
  • Map payment flows involving third-country or non-standard accounts.

2. Management Controls

  • Enforce strict controls over pricing adjustments and currency conversions.
  • Require joint Finance–Compliance approval for non-standard payment terms.
  • Prohibit side agreements, rebates, or off-book arrangements.

3. Monitoring

  • Monitor invoices for inconsistencies with market pricing.
  • Flag requests for alternative currencies or complex payment routing.
  • Conduct periodic reviews of foreign exchange transactions and pricing deviations.

4. Board Oversight

  • Where do currency controls create the strongest corruption incentives?
  • How do we maintain transparency in pricing and payments?
  • When does financial complexity cross into unacceptable risk?

10. Weak Rule of Law Raises the Stakes

Venezuela’s judiciary and law enforcement institutions are widely seen as politicized, under-resourced, and inconsistent in enforcing anti-corruption laws. Although the Venezuelan legal framework criminalizes extortion, passive and active bribery, and related offenses, enforcement is weak and selective. In practice, companies cannot rely on local remedies to resolve disputes or push back against corrupt demands.

This elevates the importance of internal compliance controls and pre-defined exit strategies. When there is no neutral referee, no reliable government adjudicator, and prevention becomes the only viable protection. It also means that compliance must internalize enforcement risk rather than outsource it to local authorities. A robust compliance program must include strict refusal protocols, incident documentation, real-time monitoring, and clear decision-making boundaries. Without these, companies are exposed to both local corruption risk and U.S. enforcement risk under the FCPA and allied statutes.

Compliance Response

1. Assessment Controls

  • Assume limited availability of neutral local legal remedies.
  • Identify areas where officials exercise unchecked discretion.
  • Assess reliance on informal dispute resolution mechanisms.

2. Management Controls

  • Strengthen internal documentation, approval, and escalation requirements.
  • Define clear walk-away criteria when disputes cannot be resolved lawfully.
  • Require Legal and Compliance review of all high-risk disputes and resolutions.

3. Monitoring

  • Track disputes resolved outside formal legal or contractual processes.
  • Review patterns of repeated “local solutions” or informal settlements.
  • Assess escalation timelines and resolution outcomes.

4. Board Oversight

  • Where are we relying on influence rather than process?
  • How quickly do disputes escalate to senior leadership?
  • When do we exit rather than attempt resolution?

Parts 1 and 2 of this series make clear that bribery and corruption are not peripheral risks in Venezuela. They are the entry conditions. From systemic corruption and PDVSA exposure to extortion, third-party involvement, currency manipulation, and a weak rule of law, each risk compounds the next. For compliance professionals, the lesson is not that Venezuela is impossible, but that it is unforgiving of informal controls, delayed escalation, and weak governance. Elevated risk can be managed only through disciplined assessment, operational controls, continuous monitoring, and engaged board oversight. When corruption becomes operational, however, another risk inevitably follows.

Next in Part 3 of this series, we turn to anti-money laundering, where improper value moves, hides, and metastasizes beyond corruption alone. Bribery is how improper value enters the system. Money laundering is how it moves and hides. Once corruption becomes operational, AML risk becomes unavoidable. Join us tomorrow for Part 3 in our series.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 19 – Evaluating the Risk Management Process

Welcome to 31 Days to a More Effective Compliance Program. Over this 31-day series in January 2026, Tom Fox will post a key component of a best-practice compliance program each day. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways that you can implement at little or no cost to help update your compliance program. I hope you will join each day in January for this exploration of best practices in compliance. In today’s Day 19 episode, we review the critical process of evaluating and translating risk assessments into actionable risk profiles.

Key highlights:

  • Understanding Risk Profiles
  • Evaluating Risk Management Processes
  • Risk Matrix and Heat Maps

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 6th edition, by clicking here.