Categories
Innovation in Compliance

Innovation in Compliance – AI in Financial Crime and Compliance: A Deep Dive with Oracle’s Jason Somrak

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, host Tom Fox welcomes Jason Somrak, the Chief of Product and Strategy for Financial Crime and Compliance at Oracle.

Jason elaborates on his professional background and his decade-long journey at Oracle. He delves into the transformative role of AI in combating financial crimes, exploring how AI has evolved from predicting false positives to using behavioral models and generative AI to enhance investigation processes. Their discussion touches on AI’s potential to shift from detection to prevention, the impact of real-time AML, and the significance of automating noise in compliance investigations. They also discuss the importance of regulatory relationships and the emerging challenges in risk management. The episode concludes with insights into the future skills needed in compliance roles and the critical role of corporate culture in implementing AI solutions.

Key highlights:

  • AI’s Role in Financial Crime Prevention
  • Proactive vs. Reactive Approaches
  • AI in Investigations and Triage
  • Emerging Challenges in Risk Management
  • Future of AI in Compliance
  • Skills for Next-Gen Compliance Officers

Resources:

Jason Somrak on LinkedIn

Oracle Financial Services

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Popcorn and Compliance

Popcorn and Compliance: Episode 3 – Compliance in the Full Moonlight: Lessons from The Wolf Man

Welcome to a special series of Popcorn and Compliance. In this series, we will be looking at the Classic Universal Monster Movies from the 30s and 40s and mining them for compliance lessons. (Yes, it really is an excuse to rewatch them all.) In this series, we will look at Frankenstein, Dracula, The Wolf Man, The Mummy, and end with The Invisible Man. In this episode, Tom explores critical compliance insights drawn from Lon Chaney Jr.’s portrayal of The Wolf Man.

In this episode, we take a deep dive into my favorite Classic Universal Monster, The Wolf Man, to unpack five critical lessons, including the danger of ignoring warnings, the importance of timely intervention, and the challenges of recognizing risks in ordinary people under extraordinary circumstances. Listeners are encouraged to consider how these timeless themes apply to modern corporate compliance, emphasizing proactive measures to prevent potential catastrophes. Join Tom, along with AI hosts Fiona and Timothy, for a surprisingly relevant exploration of compliance through the eerie lens of Hollywood’s iconic monster movies.

Key highlights:

The Relevance of the Wolf Man to Modern Compliance

  • Lesson 1: Ordinary People Can Become Compliance Risks
  • Lesson 2: Warnings Ignored Become Disasters Realized
  • Lesson 3: The Curse of Silence and Stigma
  • Lesson 4: Risk is Cyclical and Predictable
  • Lesson 5: Tragedy Comes from a Lack of Intervention

Resources:

Compliance Lessons from Lon Chaney Jr.’s The Wolf Man on the FCPA Compliance and Ethics Blog

Regulatory Ramblings

Regulatory Ramblings: Episode 79 – Is the Divide Between Traditional Finance and DeFi / Crypto Over? // Spotlight on: Why Businesses Must Understand Banking Flows for Due Diligence with Stanley Foodman and Viktoria Soltesz

Today’s podcast opens with Viktoria Soltesz (tax, payment, and banking expert, and founder of PSP Angels Group and the Soltesz Institute) discussing payments and banking, and why businesses must understand banking flows to ensure proper due diligence on their clients.

Following that, we chat with Miami-based accountant Stanley Foodman about an article he penned for LinkedIn earlier this summer, in which he states that the barriers between DeFi, or decentralized finance, and traditional finance have now been broken.

Biography:

Viktoria Soltesz has over 20 years of experience, with a focus on complex cases. She runs an accounting and tax consulting firm in Cyprus, supporting complex and global corporate setups, and founded PSP Angels out of frustration with not having the answers to the most basic online payment questions.

She developed the Soltesz Payment Framework, which is used by international companies worldwide. Viktoria also established the Soltesz Institute, the leading independent certification body for the payment and banking industry.

An EU-certified trainer, she formerly lectured at the University of West London and is a well-known speaker at various industry conferences and summits.

Viktoria is also an author, sharing her expertise and advice in the book Moving Money – How Banks Think, which was on the Amazon bestseller list.

She also won the “Business Woman of the Year” award in 2023 and was named “Payment Consultant of the Year” in 2023, 2024, and 2025.

Stanley Foodman is the founder and CEO of Foodman CPAs and Advisers, a Miami-based firm that he established over 50 years ago.

With decades of experience in both public and private sectors, Stan specializes in financial crime, risk management, and asset recovery. His background includes serving as an auxiliary special agent with the Florida Department of Law Enforcement and consulting for the U.S. Attorney’s Office in civil RICO money laundering cases. He partners with legal teams, financial institutions, and business leaders to proactively identify risks and protect client interests.

He holds a Master of Science degree in Accounting and Tax from the University of Miami, as well as multiple professional certifications, including CPA, CFE, CAMS, and STEP. A board member of the Financial & International Business Association, he is also a member of the AICPA, FICPA, and the ACFCS.

As for his firm, Foodman CPAs & Advisors is a specialized forensic accounting, tax compliance, and regulatory advisory firm serving C-Suite executives, financial institutions, legal professionals, businesses, and high-net-worth individuals (HNWIs).

He leads a team dedicated to solving complex financial challenges, ranging from cross-border tax compliance and forensic investigations to litigation support and regulatory risk management.

Discussion:

Viktoria begins the conversation by explaining to Regulatory Ramblings host Ajay Shamdasani why businesses need to understand banking flows and operations to perform adequate due diligence on their clients. She also stresses that blockchain and cryptocurrencies are not the solution, but rather, such innovations “mask the problem” because, as she puts it, “the same players are trying to cheat the system.”

She also emphasizes the need for financial education, yet she acknowledges that many institutions of higher learning do not teach their students about payments and banking before they graduate from university.

According to Viktoria, awareness needs to be raised in the general population as to how banks think and manage money; how money moves is key, she says. A corollary to that is that companies need to understand cash flows and banking requirements.

The discussion ends with her sharing her thoughts on what can be done to make the existing payment systems fairer in both the developed and developing world. A common refrain is the lack of access to financial technology (fintech).

Following that, we have a lengthier chat with veteran Miami-based accountant and fraud investigator Stanley Foodman on an article he penned for LinkedIn entitled “Crypto’s Compliance Crossover: Are You Ready for Multi-Framework Reporting?”[1]

In it, he argues: “The line between digital assets and traditional finance no longer exists. With CARF and CRS 3.0 now in effect, cryptocurrency is fully within the regulatory perimeter, and financial institutions across LATAM need to be prepared. This isn’t just a reporting update. It’s a fundamental shift in how compliance must operate across jurisdictions, asset types, and internal systems.”

In his piece, Stan breaks down the most common gaps in crypto compliance today – namely:

  • Incomplete capture of wallet ownership and sender/receiver data
  • Misaligned AML/KYC and tax due diligence processes
  • Gaps in cross-border policy coverage
  • Limited interoperability across compliance tools and departments

Beyond just where institutions are falling behind, the op-ed piece explores how they can get ahead, along with what readiness truly entails under CARF and CRS 3.0.

Looking ahead, he highlights the need for strategic priorities to enhance compliance readiness. “To meet new demands of crypto compliance, institutions must go beyond surface-level solutions. A true response to CARF requires structural alignment across policy, data, staffing, and governance,” he said.

According to Stan, top compliance priorities should include:

  • Integrated Policy Frameworks: Expand your internal policies to treat crypto assets as part of the same risk landscape as traditional holdings. This includes wallet traceability, exposure to decentralized exchanges, and automated risk scoring.
  • Unified Data Architecture: Break down internal silos. Create a centralized compliance data environment where AML, tax, and digital asset reporting teams can access a consolidated view of client behaviors across fiat and blockchain transactions.
  • Enhanced Client Onboarding & Monitoring: Update onboarding processes to capture crypto wallet IDs, source of funds, blockchain transaction history, and risk triggers. Ongoing monitoring must include both on-chain and off-chain behavior.
  • Staff Training & Cross-Functional Collaboration: Equip your teams to understand crypto regulations and compliance risks. Encourage collaboration between compliance officers, IT, legal, and product leads to bridge technical and regulatory knowledge gaps.
  • Cross-Border Regulatory Mapping: Align your reporting framework with FATF, CARF, CRS 3.0, and relevant domestic disclosure regimes. For institutions operating in multiple jurisdictions or serving cross-border clients, a cohesive compliance map is critical.

Stan also shares a little about his background and how his training as an accountant aided him during his career in law enforcement, as well as the dividends such public service has paid him in his private practice. He reflects on what initially drew him to the field of accounting.

Ultimately, he concludes that the distinction between digital assets and traditional finance is no longer clear. Looking to compliance leadership in the digital future, Stan remarks: “The institutions that will thrive in the new era aren’t just adding crypto checkboxes to their CRS tools. They’re embedding digital assets into their entire compliance DNA, governance, strategy, and infrastructure.”

The Regulatory Ramblings podcast is brought to you by The University of Hong Kong – Reg/Tech Lab, HKU-SCF Fintech Academy, Asia Global Institute, and HKU-edX Professional Certificate in Fintech, with support from the HKU Faculty of Law.

Connect with RR Podcast at:

LinkedIn: https://hk.linkedin.com/company/hkufintech 
Facebook: https://www.facebook.com/hkufintech.fb/
Instagram: https://www.instagram.com/hkufintech/ 
Twitter: https://twitter.com/HKUFinTech 
Threads: https://www.threads.net/@hkufintech
Website: https://www.hkufintech.com/regulatoryramblings 

Connect with the Compliance Podcast Network at:

LinkedIn: https://www.linkedin.com/company/compliance-podcast-network/
Facebook: https://www.facebook.com/compliancepodcastnetwork/
YouTube: https://www.youtube.com/@CompliancePodcastNetwork
Twitter: https://twitter.com/tfoxlaw
Instagram: https://www.instagram.com/voiceofcompliance/
Website: https://compliancepodcastnetwork.net

Blog

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject matter expertise, they must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

AI Today in 5

AI Today in 5: September 22, 2025, The Chaos of Consent Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to AI Today In 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • JFrog advances investment compliance. (Simply Wall St)
  • Using AI to navigate consent. (MarTech)
  • Making risk management a competitive advantage. (KPMG)
  • Using AI for cybersecurity. (IBM)
  • The AI race is like the Space Race. (Bloomberg)

For more information on the use of AI in Compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.

Blog

Untangling Fraud, Waste, and Abuse: A Primer for the Compliance Professional

In the world of compliance, few phrases are tossed around with as much frequency and often as little precision as “fraud, waste, and abuse.” In the government sector, this triad is well-defined. Federal and state agencies spend billions each year tracking, auditing, and enforcing rules to combat it. But in the private sector, the phrase is no less relevant. Whether you are managing a global compliance program, overseeing internal controls, or leading an ethics initiative, fraud, waste, and abuse can quietly erode corporate value, undermine trust, and invite unwanted scrutiny from regulators, auditors, and stakeholders.

Yet too many compliance professionals lump these terms together, failing to appreciate the important differences between them. Fraud, waste, and abuse may sometimes overlap in practice, but they require distinct prevention strategies, tailored controls, and cultural messaging. Today, we begin a multipart blog post series to unpack what each of these terms means for the private sector and explore how your organization can fight against their scourge.

Fraud: The Deliberate Deception

Fraud is the most familiar of the three. It is intentional deception or misrepresentation made with the knowledge that it will result in an unauthorized benefit. In the corporate world, fraud is not limited to elaborate Ponzi schemes or headline-grabbing accounting scandals; it often hides in plain sight.

Examples from the private sector include:

  • Financial statement fraud. Inflating revenue or concealing liabilities to present a healthier picture of the business. Enron, WorldCom, and Wirecard are stark reminders.
  • Procurement fraud. Kickbacks from suppliers, false invoices, or bid-rigging. A procurement officer who colludes with a vendor to inflate prices is not just wasting company money; they are stealing it.
  • Expense reimbursement fraud. Employees submit falsified receipts or double-bill travel expenses. What starts as “a little padding” quickly snowballs into a systemic problem.

Fraud is deliberate, targeted, and harmful by design. It requires intent to deceive. For this reason, fraud often falls under the purview of regulators and prosecutors, resulting in criminal charges, civil penalties, and severe reputational damage.

Waste: The Silent Erosion of Value

Waste, by contrast, is rarely intentional. It refers to the careless or unnecessary use of resources, leading to inefficiency and loss of value. Waste does not usually involve dishonesty; it is more often a byproduct of poor management, weak oversight, or cultural indifference.

Examples from the private sector include:

  • Operational inefficiencies. A manufacturing line that continues to use outdated machinery, consuming more energy than modern alternatives. It can also encompass basic corporate functions, such as failing to service vehicles and other large pieces of equipment on time, until they break down.
  • Bloated corporate travel. Business units book last-minute flights in premium class when lower-cost options would have been available with better planning.
  • Technology sprawl. Companies pay for redundant software licenses because IT and business units fail to coordinate their procurement.

Waste drains profitability. Unlike fraud, it may not land your employees in court, but over time, it corrodes competitiveness, frustrates shareholders, and damages morale. For the compliance professional, waste is tricky. Because it often lacks intent, it falls into a gray zone between compliance, internal audit, and operations. But leaving waste unchecked is an abdication of governance responsibility. And of course, it can be very costly.

Abuse: The Exploitation of Loopholes

Abuse sits somewhere between fraud and waste. It involves the improper or excessive use of resources or authority, but without a clear intent to defraud. Abuse may not violate the letter of company policy, but it often violates its spirit.

Examples from the private sector include:

  • Excessive executive perks. A senior leader insists on flying private, despite company policy allowing business class.
  • Overtime gaming. Employees schedule themselves in ways that maximize overtime pay, even when workloads do not justify it.
  • Supplier favoritism. A manager repeatedly awards contracts to a personal acquaintance without competitive bidding, even if the price is technically “market.”

Abuse thrives in cultures of entitlement and weak oversight. It often signals to employees that procurement rules are flexible or merely suggestions, undermining trust in leadership. Regulators may not always prosecute abuse, but investors, boards, and employees will notice.

Five Key Takeaways for the Compliance Professional

1. Know the Difference

Fraud, waste, and abuse are often lumped together, but they are distinct risks with different causes and remedies. Fraud is intentional deception designed to enrich the perpetrator at the company’s expense. Waste is careless or inefficient use of resources, often unintentional but just as costly. Abuse sits in the middle ground, exploiting loopholes, gray areas, or authority for personal gain. If you treat these three risks as interchangeable, your controls will be blunt instruments. The savvy compliance professional tailors training, monitoring, and cultural messaging to each risk, ensuring prevention efforts are both precise and effective.

2. Fraud Is Not the Only Threat

Compliance programs often emphasize fraud because it creates legal exposure, attracts regulatory scrutiny, and can lead to criminal liability. Yet fraud is not the only drain on corporate value. Waste can hollow out profitability year after year through inefficiency and mismanagement. Abuse corrodes employee trust, culture, and morale, even when it does not cross a legal line. Boards and shareholders increasingly look beyond “check the box” fraud controls. They demand stewardship, efficiency, and accountability across the enterprise. Expanding your program’s scope to tackle waste and abuse demonstrates leadership, adds measurable business value, and positions compliance as a strategic partner.

3. Culture Is the Battleground for Abuse

You can design airtight policies and sophisticated controls to prevent fraud or reduce waste, but abuse is more insidious. It thrives in cultures of entitlement, favoritism, and “wink-and-nod” exceptions to the rules. Abuse may not always break laws or policies, but it violates fairness and damages trust. That is why culture is the key battleground. Compliance leaders must set clear expectations, train managers to model ethical behavior, and empower employees to speak up when necessary. When entitlement and corner-cutting are tolerated, abuse spreads. When accountability, transparency, and stewardship are celebrated, abuse withers. Culture, not checklists, is the ultimate safeguard.

4. Data Is Your Ally

The complexity of modern business means fraud, waste, and abuse can hide in plain sight. Data analytics provides compliance professionals with the tools to detect risks early. Anomalies in travel expenses may uncover not only fraudulent reimbursement but also systemic waste in last-minute bookings or abusive upgrades. Procurement analytics can expose inflated invoices, duplicate payments, or favoritism in the vendor selection process. The key is not just gathering data but integrating it across compliance, audit, and finance systems. With proper dashboards and regular reviews, data becomes a proactive ally, identifying red flags before they metastasize into scandals that damage reputation and value.

5. Build Cross-Functional Coalitions

Fraud, waste, and abuse do not respect organizational silos. They intersect with compliance, audit, HR, procurement, finance, and operations. If each function fights its own battles in isolation, risks will inevitably slip through the cracks. The compliance professional is uniquely positioned to serve as the connector, building coalitions that share data, align incentives, and coordinate responses. For example, a fraud indicator spotted by finance may also highlight waste tracked by operations. HR may uncover abusive practices that compliance can remediate with policy changes. When functions collaborate, blind spots shrink, accountability rises, and the entire organization becomes more resilient.

Stewardship as Compliance

Fraud, waste, and abuse may manifest differently, but together they represent a continuum of risks that can erode profitability, corrode culture, and undermine trust in leadership. For the compliance professional, the way forward lies in anchoring your program on five core pillars.

First, you need to understand the difference. Fraud, waste, and abuse require distinct approaches, and treating them as interchangeable dulls your controls. Second, remember that fraud is not the only threat. Waste and abuse, while less visible, can be just as damaging in the eyes of shareholders and boards who care about stewardship as much as compliance. Third, recognize that culture is the battleground for abuse. Without accountability and transparency embedded in daily operations, policies and controls are powerless against entitlement and favoritism. Fourth, leverage the fact that data is your ally. Analytics reveal patterns across all three categories, allowing you to act before small issues metastasize. Finally, build cross-functional coalitions. Fraud, waste, and abuse cut across silos, and only through collaboration can you close the gaps.

Taken together, these five strategies form more than a compliance toolkit; they create a holistic framework for corporate stewardship. By clearly distinguishing risks, broadening your scope, reinforcing your culture, embracing data, and building coalitions, you elevate compliance from a defensive shield to a proactive value driver.

The organizations that thrive in today’s demanding environment will be those that go beyond chasing fraud and instead build resilient, data-driven, and culture-anchored programs to fight fraud, waste, and abuse in all their forms. That is the mandate for the modern compliance professional.

Join us tomorrow as we explore how your anti-corruption compliance program can help your company combat fraud, waste, and abuse.

Blog

Speed as a Compliance Decision: Lessons from Amazon’s Andy Jassy

When Andy Jassy succeeded Jeff Bezos as CEO of Amazon in 2021, many questioned whether the company could maintain its legendary momentum. Four years later, Jassy has not only sustained but also accelerated growth, adding more than $230 billion in revenue, expanding AI initiatives, and reinventing the management culture of one of the world’s most complex enterprises. That is why I was intrigued by an article in the Harvard Business Review (HBR) entitled “Speed Is a Leadership Decision,” in which reporter Adi Ignatius interviewed Andy Jassy.

For compliance professionals, Jassy’s insights about speed, risk, culture, and innovation offer timely lessons. Too often, compliance leaders fall back on the excuse that “we’re too big, too regulated, too constrained to move quickly.” Jassy flips that script: speed, he insists, is a leadership decision. And the same is true for compliance.

Today, we look at five key lessons compliance professionals can draw from Jassy’s leadership playbook.

1. Speed Is a Leadership Decision

Jassy bluntly states that “speed disproportionately matters in every business at every time”. He challenges leaders to stop accepting bureaucracy and regulation as excuses. Instead, leaders must actively identify and remove barriers, empowering teams to act with urgency.

For compliance professionals, the lesson is clear: do not let the weight of regulations, policies, or oversight structures become a drag on effectiveness. Yes, compliance requires controls, documentation, and approvals, but speed is also important. Think of third-party due diligence reviews, hotline triage, or incident investigations. When compliance moves slowly, it signals indifference or ineffectiveness, and risks fester.

The decision to prioritize speed, backed by streamlined processes, real-time monitoring, and empowered teams, can transform compliance from a bureaucratic bottleneck into a proactive partner to the business.

2. Risk-Taking and Failure Are Essential to Innovation

Jassy observes that as companies grow, they tend to become risk-averse. Achievement-oriented professionals “play not to lose” rather than take chances. He emphasizes that the only way to build something truly unique is to take risks, make mistakes, and learn from them. Compliance teams face this challenge daily. The instinct is to avoid risk entirely, to say “no” rather than take a chance. But compliance innovation, whether adopting AI for monitoring, piloting new training formats, or embedding compliance into business processes, requires taking calculated risks. This means that risk management strategies must be implemented, monitored, and updated as necessary.

Failure in compliance is not about missing a regulatory requirement. It is about learning that a new process does not resonate with employees, or a monitoring tool generates too many false positives. Leaders should create safe zones for experimentation. If you never fail, you are not pushing hard enough. Compliance innovation must be iterative, and tolerance for small, recoverable failures is the price of true progress.

3. Flattening Bureaucracy Fuels Accountability

Jassy highlights Amazon’s initiative to flatten its organization and empower individual contributors. By increasing the ratio of builders to managers, reducing layers of decision-making, and encouraging employees to own “two-way-door decisions” (choices that can easily be reversed), Amazon streamlined processes and accelerated innovation.

Compliance functions are often drowning in pre-meetings and approval chains. A compliance officer identifies a risk, drafts a recommendation, and waits while three levels of committees review it. Meanwhile, the risk festers. The compliance profession should adopt Jassy’s model: empower frontline employees to make two-way decisions in real-time. For example, a compliance manager in Brazil should have the authority to pause a suspicious vendor engagement without waiting for headquarters. Flattening decision-making structures creates accountability, agility, and credibility. Compliance must be a builder’s mindset: see the problem, fix the problem, move forward.

4. Culture Must Be Reinvented Continuously

“Culture is not our birthright,” Jassy warns. As companies scale, their culture stretches and must be deliberately reinforced. At Amazon, this means reasserting ownership, accountability, and a customer-centric approach, even as new layers of management emerge. For compliance professionals, this is a powerful reminder: culture is not static. A “speak-up” culture may flourish in year one and decay by year five if it isn’t nurtured. New geographies, acquisitions, and technologies stretch corporate culture in unpredictable ways.

The compliance function must continuously assess cultural health: are employees still raising concerns? Do managers still model ethical behavior? Are incentive structures still aligned with compliance values? A strong compliance culture requires constant reinvention, with new training, new channels, and new metrics, so that employees see it as living and evolving, not stale or perfunctory.

5. AI, Innovation, and Responsibility Must Go Hand in Hand

Jassy views AI as the biggest transformation since the internet, with the power to reinvent every customer experience. He emphasizes that progress is inevitable, so leaders must focus on using AI responsibly and productively.

Compliance professionals face the same dual imperative. On the one hand, AI tools, such as automated transaction monitoring, predictive analytics, and natural language chatbots, can make compliance faster, smarter, and more effective. On the other hand, AI introduces new risks, including bias, opacity, privacy breaches, and increased regulatory scrutiny.

The compliance leader’s role is not to resist AI but to guide its responsible adoption. Establish AI governance frameworks. Ensure transparency and explainability. Audit data inputs and outputs. Partner with business units to embed compliance guardrails into AI development. If compliance can keep pace with AI’s speed while safeguarding ethics, it will become indispensable to the business.

Compliance at the Speed of Leadership

Andy Jassy’s mantra, “speed is a leadership decision,” rings true far beyond Amazon. For compliance professionals, it reframes the mission. Compliance does not require slow responses, being bureaucratic, or being risk-averse. (Always remember, you do not have brakes on a car to drive slowly; instead, you have brakes on a car to drive fast.) Leaders can choose speed by empowering their teams, flattening the decision-making process, fostering a culture of ownership, tolerating smart failures, and embracing technology responsibly.

The stakes are high. Compliance must move at the same speed as the business, not the other way around. Regulators expect swift detection and remediation. Employees expect rapid answers to ethics and compliance questions. Boards expect real-time risk visibility. Compliance that lags will be seen as irrelevant or ineffective.

The lesson from Amazon’s Jassy is that compliance speed is not about cutting corners. It is about clarity of leadership, empowerment of people, and continuous cultural reinvention. In an era of accelerating technology and mounting risk, compliance professionals must embrace speed as a core leadership choice.

Categories
Innovation in Compliance

Innovation in Compliance – Gaurav Kapoor on Risk Management and the Role of AI in GRC

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Gaurav Kapoor, Vice Chairman, Co-Founder and Board Member of MetricStream, discussing his extensive professional background, from co-founding MetricStream to his current focus on customer intimacy amid AI market disruptions.

Kapoor delves into the evolving landscape of risk management, emphasizing the importance of midyear reviews and integration of various risk themes like operational risk, audit compliance, and cybersecurity. He elaborates on the role of AI in GRC, stating how generative and agent AI can streamline compliance processes and enhance risk management strategies. The conversation also touches on the increasing significance of cybersecurity, geopolitical instability, and climate impact on risk assessment. Kapoor highlights the shift from compliance to a more resilient and risk-aware culture within organizations.

Key highlights:

  • The Importance of July in Risk Management
  • AI’s Role in GRC
  • Emerging Risks and AI Applications
  • Counseling Boards on Risk Management
  • Top Concerns for the Second Half of 2025
  • Evolving Role of Compliance and Risk Officers

Resources:

MetricStream Website and on LinkedIn

Gaurav Kapoor on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Trekking Through Compliance

Trekking Through Compliance: Episode 77 – Through the Atavachron: Risk Management Insights from All Our Yesterdays

When you think of Star Trek: The Original Series, certain episodes stand out for their moral clarity, exploration of ethics, and leadership lessons. Others, like All Our Yesterdays, are more subtle but no less rich in compliance and risk management insights.

As the story unfolds, the episode reveals more than just a sci-fi adventure; it presents a compelling case study in the importance of preparation, situational awareness, adaptability, and decision-making under pressure. For the compliance professional, All Our Yesterdays offers five key risk management lessons that are as relevant in the boardroom as they are in a time-portal crisis.

Lesson 1: Understand the Operating Environment Before You Act

Illustrated by: Kirk, Spock, and McCoy don’t fully grasp that the Atavachron sends people into different periods, permanently altering them to survive there, until after they have stepped through the portals.

Compliance Lesson. One of the most preventable compliance failures happens when leaders act without fully understanding the operational landscape.

Lesson 2: Know the Long-Term Consequences of Your Decisions

Illustrated by: Atoz explains that once a traveler passes through the Atavachron, they undergo physiological changes to survive in the chosen period. Returning without those adaptations can be fatal.

Compliance Lesson. Compliance decisions, especially around risk tolerance, often have long-term and sometimes irreversible consequences. For example, approving a high-risk third party because “we need them for this deal” can embed systemic vulnerabilities that are difficult to unwind later.

Lesson 3: Adapt Your Strategy to Changing Conditions

Illustrated by: Spock, under the influence of the prehistoric era, begins to revert to the more emotional mindset of ancient Vulcans, displaying anger, impatience, and even affection for Zarabeth, a woman trapped in that time.

Compliance Lesson. Risk environments are dynamic. Market conditions shift, laws change, counterparties evolve, and cultural contexts can reshape behavior, sometimes subtly, sometimes dramatically.

Lesson 4: Factor in Human Behavior When Assessing Risk

Illustrated by: Zarabeth tells Spock and McCoy they can never return to their own time, a claim that at first appears to be based on Atoz’s rules but is also shaped by her emotional motives.

Compliance Lesson. Risk management isn’t just about numbers, metrics, or legal frameworks—it’s about people, their incentives, and their biases.

Lesson 5: Time Is a Critical Risk Variable

Illustrated by: The central urgency in All Our Yesterdays comes from the imminent nova of Sarpeidon’s sun. For Kirk, Spock, and McCoy, the clock is ticking.

Compliance Lesson. In compliance risk management, timing is often the difference between proactive control and reactive crisis.

Final Compliance Reflections

All Our Yesterdays may be set in a science fiction universe, but its lessons are firmly grounded in the reality of corporate compliance. Every compliance officer will, at some point, face the equivalent of a ticking sun about to go nova, a high-stakes situation where incomplete information, shifting conditions, human bias, and the relentless march of time intersect.

Remember, you may not have an Atavachron in your compliance toolkit, but you do have the power to choose which “yesterday” you’ll prepare for today. The right risk management approach ensures that, when the heat is on, your organization is not scrambling for the exit portal, as it’s already where it needs to be.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

All Our Yesterdays: Risk Management Lessons for the Compliance Professional

When you think of Star Trek: The Original Series, certain episodes stand out for their moral clarity, exploration of ethics, and leadership lessons. Others, like All Our Yesterdays, are more subtle but no less rich in compliance and risk management insights.

In this episode, Captain Kirk, Mr. Spock, and Dr. McCoy beam down to the planet Sarpeidon just before its sun is about to go nova. They find the planet seemingly deserted except for a mysterious librarian named Mr. Atoz. He explains that the people have escaped into the planet’s past using a time travel device called the Atavachron. Unfortunately, in true Star Trek fashion, the landing party becomes separated; Kirk into a duel-filled era resembling the late Middle Ages, and Spock and McCoy into a frozen prehistoric wilderness.

As the story unfolds, the episode reveals more than just a sci-fi adventure; it presents a compelling case study in the importance of preparation, situational awareness, adaptability, and decision-making under pressure. For the compliance professional, All Our Yesterdays offers five key risk management lessons that are as relevant in the boardroom as they are in a time-portal crisis.

Lesson 1: Understand the Operating Environment Before You Act

Illustrated by: When Kirk, Spock, and McCoy first arrive, they assume the library is a static place in the present day. They don’t fully grasp that the Atavachron sends people into different periods, permanently altering them to survive there, until after they have stepped through the portals.

Compliance Lesson. One of the most preventable compliance failures happens when leaders act without fully understanding the operational landscape. Just as Kirk should have gathered more intelligence before stepping through the portal, compliance officers must conduct thorough due diligence before making high-impact decisions, especially in new markets or with new business models.

Jumping into a jurisdiction with unfamiliar regulatory structures or cultural norms without advance research can leave your compliance program operating with blind spots. A robust risk assessment, stakeholder mapping, and regulatory scan are your “Atavachron briefing”; without them, you’re walking through the wrong portal unprepared.

Lesson 2: Know the Long-Term Consequences of Your Decisions

Illustrated by: Atoz explains that once a traveler passes through the Atavachron, they undergo physiological changes to survive in the chosen period. Returning without those adaptations can be fatal. This means each journey into the past is not just a visit—it’s a permanent commitment.

Compliance Lesson. Compliance decisions, especially around risk tolerance, often have long-term and sometimes irreversible consequences. For example, approving a high-risk third party because “we need them for this deal” can embed systemic vulnerabilities that are difficult to unwind later.

Spock and McCoy’s plight in the ice age is a reminder that once certain paths are chosen, backing out may be impossible or costly. Before green-lighting any strategy or business partner, ask: What will be the long-term compliance footprint? Are we setting ourselves up for future exposure? Risk management is not just about the next quarter; it’s about the next decade.

Lesson 3: Adapt Your Strategy to Changing Conditions

Illustrated by: Spock, under the influence of the prehistoric era, begins to revert to the more emotional mindset of ancient Vulcans, displaying anger, impatience, and even affection for Zarabeth, a woman trapped in that time. McCoy, ill from the cold, must rely on Spock’s shifting judgment to survive.

Compliance Lesson. Risk environments are dynamic. Market conditions shift, laws change, counterparties evolve, and cultural contexts can reshape behavior, sometimes subtly, sometimes dramatically. The compliance officer must be alert to these shifts and recalibrate strategies accordingly.

Like Spock, even seasoned professionals can find themselves influenced by their environment in ways they don’t immediately recognize. Compliance teams need to build monitoring systems that not only track external risk factors but also assess how those factors may be affecting decision-makers internally. Adaptation is not a sign of weakness—it’s a core competency in sustainable risk management.

Lesson 4: Factor in Human Behavior When Assessing Risk

Illustrated by: Zarabeth tells Spock and McCoy they can never return to their own time, a claim that at first appears to be based on Atoz’s rules but is also shaped by her emotional motives. Her loneliness influences how she frames the “facts.”

Compliance Lesson. Risk management isn’t just about numbers, metrics, or legal frameworks—it’s about people, their incentives, and their biases. Vendors may hide problems to protect their contracts. Employees may omit details in self-reporting to avoid blame. Executives may downplay risk to push through a deal.

Zarabeth’s well-intentioned but self-serving misinformation underscores the need for independent verification of claims. Compliance programs should be designed to collect and validate facts from multiple sources, reducing the risk of being swayed by the partial truths of a single stakeholder.

Lesson 5: Time Is a Critical Risk Variable

Illustrated by: The central urgency in All Our Yesterdays comes from the imminent nova of Sarpeidon’s sun. The people had to evacuate into the past before the moment of destruction; anyone left behind would perish. For Kirk, Spock, and McCoy, the clock is ticking.

Compliance Lesson. In compliance risk management, timing is often the difference between proactive control and reactive crisis. Delaying a decision, such as suspending a suspicious transaction, escalating a whistleblower report, or halting engagement with a questionable vendor, can mean the difference between a manageable incident and a reputational disaster.

The episode reinforces the importance of early detection and swift action. Compliance teams should have rapid-response protocols, much like an evacuation plan, that can be activated the moment credible risk signals appear. The longer you wait, the narrower your options become.

Final Compliance Reflections

All Our Yesterdays may be set in a science fiction universe, but its lessons are firmly grounded in the reality of corporate compliance. Every compliance officer will, at some point, face the equivalent of a ticking sun about to go nova, a high-stakes situation where incomplete information, shifting conditions, human bias, and the relentless march of time intersect.

The episode reminds us that effective risk management is not simply about having a well-written policy. It’s about equipping yourself and your team to:

  • Anticipate the terrain.
  • Weigh long-term consequences before stepping through the “portal.”
  • Stay agile under environmental pressures.
  • Test assumptions and verify information.
  • Act decisively when the moment demands it.

In All Our Yesterdays, Kirk, Spock, and McCoy return to the present just in time, thanks to quick thinking, adaptability, and the ability to work within and around constraints. In the corporate compliance world, those same skills can mean the difference between a controlled risk event and a full-blown regulatory disaster.

Remember, you may not have an Atavachron in your compliance toolkit, but you do have the power to choose which “yesterday” you’ll prepare for today. The right risk management approach ensures that, when the heat is on, your organization is not scrambling for the exit portal as it’s already where it needs to be.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha