
Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject matter expertise, they must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.


AI Today in 5: September 22, 2025, The Chaos of Consent Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI, so start your day, sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest related to AI.

Top AI stories include:

  • JFrog advances investment compliance. (Simply Wall St)
  • Using AI to navigate consent. (MarTech)
  • Making risk management a competitive advantage. (KPMG)
  • Using AI for cybersecurity. (IBM)
  • The AI race is like the Space Race. (Bloomberg)

For more information on the use of AI in compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.


Untangling Fraud, Waste, and Abuse: A Primer for the Compliance Professional

In the world of compliance, few phrases are tossed around with as much frequency, and often as little precision, as “fraud, waste, and abuse.” In the government sector, this triad is well-defined. Federal and state agencies spend billions each year tracking, auditing, and enforcing rules to combat it. But in the private sector, the phrase is no less relevant. Whether you are managing a global compliance program, overseeing internal controls, or leading an ethics initiative, fraud, waste, and abuse can quietly erode corporate value, undermine trust, and invite unwanted scrutiny from regulators, auditors, and stakeholders.

Yet too many compliance professionals lump these terms together, failing to appreciate the important differences between them. Fraud, waste, and abuse may sometimes overlap in practice, but they require distinct prevention strategies, tailored controls, and cultural messaging. Today, we begin a multipart blog post series to unpack what each of these terms means for the private sector and to explore how your organization can fight their scourge.

Fraud: The Deliberate Deception

Fraud is the most familiar of the three. It is intentional deception or misrepresentation made with the knowledge that it will result in an unauthorized benefit. In the corporate world, fraud is not limited to elaborate Ponzi schemes or headline-grabbing accounting scandals; it often hides in plain sight.

Examples from the private sector include:

  • Financial statement fraud. Inflating revenue or concealing liabilities to present a healthier picture of the business. Enron, WorldCom, and Wirecard are stark reminders.
  • Procurement fraud. Kickbacks from suppliers, false invoices, or bid-rigging. A procurement officer who colludes with a vendor to inflate prices is not just wasting company money; they are stealing it.
  • Expense reimbursement fraud. Employees submitting falsified receipts or double-billing travel expenses. What starts as “a little padding” quickly snowballs into a systemic problem.

Fraud is deliberate, targeted, and harmful by design. It requires intent to deceive. For this reason, fraud often falls under the purview of regulators and prosecutors, resulting in criminal charges, civil penalties, and severe reputational damage.

Waste: The Silent Erosion of Value

Waste, by contrast, is rarely intentional. It refers to the careless or unnecessary use of resources, leading to inefficiency and loss of value. Waste does not always involve dishonesty; more often, it is a byproduct of poor management, weak oversight, or cultural indifference.

Examples from the private sector include:

  • Operational inefficiencies. A manufacturing line that continues to use outdated machinery, consuming more energy than modern alternatives. Waste also shows up in basic corporate functions, such as neglecting to service vehicles and other large pieces of equipment until they break down.
  • Bloated corporate travel. Business units booking last-minute flights in premium class when lower-cost options were available with better planning.
  • Technology sprawl. Companies paying for redundant software licenses because IT and business units fail to coordinate their procurement.

Waste drains profitability. Unlike fraud, it may not land your employees in court, but over time, it corrodes competitiveness, frustrates shareholders, and damages morale. For the compliance professional, waste is tricky. Because it often lacks intent, it falls into a gray zone between compliance, internal audit, and operations. But leaving waste unchecked is an abdication of governance responsibility. And of course, it can be very costly.

Abuse: The Exploitation of Loopholes

Abuse sits somewhere between fraud and waste. It involves the improper or excessive use of resources or authority, but without a clear intent to defraud. Abuse may not violate the letter of company policy, but it often violates its spirit.

Examples from the private sector include:

  • Excessive executive perks. A senior leader insists on flying private, despite company policy allowing business class.
  • Overtime gaming. Employees schedule themselves in ways that maximize overtime pay, even when workloads do not justify it.
  • Supplier favoritism. A manager repeatedly awards contracts to a personal acquaintance without competitive bidding, even if the price is technically “market.”

Abuse thrives in cultures of entitlement and weak oversight. It often signals to employees that procurement rules are flexible or merely suggestions, undermining trust in leadership. Regulators may not always prosecute abuse, but investors, boards, and employees will notice.

Five Key Takeaways for the Compliance Professional

1. Know the Difference

Fraud, waste, and abuse are often lumped together, but they are distinct risks with different causes and remedies. Fraud is intentional deception designed to enrich the perpetrator at the company’s expense. Waste is careless or inefficient use of resources, often unintentional but just as costly. Abuse sits in the middle ground, exploiting loopholes, gray areas, or authority for personal gain. If you treat these three risks as interchangeable, your controls will be blunt instruments. The savvy compliance professional tailors training, monitoring, and cultural messaging to each risk, ensuring prevention efforts are both precise and effective.

2. Fraud Is Not the Only Threat

Compliance programs often emphasize fraud because it creates legal exposure, attracts regulatory scrutiny, and can lead to criminal liability. Yet fraud is not the only drain on corporate value. Waste can hollow out profitability year after year through inefficiency and mismanagement. Abuse corrodes employee trust, culture, and morale, even when it does not cross a legal line. Boards and shareholders increasingly look beyond “check the box” fraud controls. They demand stewardship, efficiency, and accountability across the enterprise. Expanding your program’s scope to tackle waste and abuse demonstrates leadership, adds measurable business value, and positions compliance as a strategic partner.

3. Culture Is the Battleground for Abuse

You can design airtight policies and sophisticated controls to prevent fraud or reduce waste, but abuse is more insidious. It thrives in cultures of entitlement, favoritism, and “wink-and-nod” exceptions to the rules. Abuse may not always break laws or policies, but it violates fairness and damages trust. That is why culture is the key battleground. Compliance leaders must set clear expectations, train managers to model ethical behavior, and empower employees to speak up when necessary. When entitlement and corner-cutting are tolerated, abuse spreads. When accountability, transparency, and stewardship are celebrated, abuse withers. Culture, not checklists, is the ultimate safeguard.

4. Data Is Your Ally

The complexity of modern business means fraud, waste, and abuse can hide in plain sight. Data analytics provides compliance professionals with the tools to detect risks early. Anomalies in travel expenses may uncover not only fraudulent reimbursement but also systemic waste in last-minute bookings or abusive upgrades. Procurement analytics can expose inflated invoices, duplicate payments, or favoritism in the vendor selection process. The key is not just gathering data but integrating it across compliance, audit, and finance systems. With proper dashboards and regular reviews, data becomes a proactive ally, identifying red flags before they metastasize into scandals that damage reputation and value.

5. Build Cross-Functional Coalitions

Fraud, waste, and abuse do not respect organizational silos. They intersect with compliance, audit, HR, procurement, finance, and operations. If each function fights its own battles in isolation, risks will inevitably slip through the cracks. The compliance professional is uniquely positioned to serve as the connector, building coalitions that share data, align incentives, and coordinate responses. For example, a fraud indicator spotted by finance may also highlight waste tracked by operations. HR may uncover abusive practices that compliance can remediate with policy changes. When functions collaborate, blind spots shrink, accountability rises, and the entire organization becomes more resilient.

Stewardship as Compliance

Fraud, waste, and abuse may manifest differently, but together they represent a continuum of risks that can erode profitability, corrode culture, and undermine trust in leadership. For the compliance professional, the way forward lies in anchoring your program on five core pillars.

First, you need to understand the difference. Fraud, waste, and abuse require distinct approaches, and treating them as interchangeable dulls your controls. Second, remember that fraud is not the only threat. Waste and abuse, while less visible, can be just as damaging to shareholders and boards who care about stewardship as much as compliance. Third, recognize that culture is the battleground for abuse. Without accountability and transparency embedded in daily operations, policies and controls are powerless against entitlement and favoritism. Fourth, leverage the fact that data is your ally. Analytics reveal patterns across all three categories, allowing you to act before small issues metastasize. Finally, build cross-functional coalitions. Fraud, waste, and abuse cut across silos, and only through collaboration can you close the gaps.

Taken together, these five strategies form more than a compliance toolkit; they create a holistic framework for corporate stewardship. By clearly distinguishing risks, broadening your scope, reinforcing your culture, embracing data, and building coalitions, you elevate compliance from a defensive shield to a proactive value driver.

The organizations that thrive in today’s demanding environment will be those that go beyond chasing fraud and instead build resilient, data-driven, and culture-anchored programs to fight fraud, waste, and abuse in all their forms. That is the mandate for the modern compliance professional.

Join us tomorrow as we explore how your anti-corruption compliance program can help your company combat fraud, waste, and abuse.


Speed as a Compliance Decision: Lessons from Amazon’s Andy Jassy

When Andy Jassy succeeded Jeff Bezos as CEO of Amazon in 2021, many questioned whether the company could maintain its legendary momentum. Four years later, Jassy has not only sustained but also accelerated growth, adding more than $230 billion in revenue, expanding AI initiatives, and reinventing the management culture of one of the world’s most complex enterprises. That is why I was intrigued by an article in the Harvard Business Review (HBR) entitled “Speed Is a Leadership Decision,” in which reporter Adi Ignatius interviewed Andy Jassy.

For compliance professionals, Jassy’s insights about speed, risk, culture, and innovation offer timely lessons. Too often, compliance leaders fall back on the excuse that “we’re too big, too regulated, too constrained to move quickly.” Jassy flips that script: speed, he insists, is a leadership decision. And the same is true for compliance.

Today, we look at five key lessons compliance professionals can draw from Jassy’s leadership playbook.

1. Speed Is a Leadership Decision

Jassy bluntly states that “speed disproportionately matters in every business at every time”. He challenges leaders to stop accepting bureaucracy and regulation as excuses. Instead, leaders must actively identify and remove barriers, empowering teams to act with urgency.

For compliance professionals, the lesson is clear: do not let the weight of regulations, policies, or oversight structures become a drag on effectiveness. Yes, compliance requires controls, documentation, and approvals, but speed is also important. Think of third-party due diligence reviews, hotline triage, or incident investigations. When compliance moves slowly, it signals indifference or ineffectiveness, and risks fester.

The decision to prioritize speed, backed by streamlined processes, real-time monitoring, and empowered teams, can transform compliance from a bureaucratic bottleneck into a proactive partner to the business.

2. Risk-Taking and Failure Are Essential to Innovation

Jassy observes that as companies grow, they tend to become risk-averse. Achievement-oriented professionals “play not to lose” rather than take chances. He emphasizes that the only way to build something truly unique is to take risks, make mistakes, and learn from them. Compliance teams face this challenge daily. The instinct is to avoid risk entirely, to say “no” rather than take a chance. But compliance innovation, whether adopting AI for monitoring, piloting new training formats, or embedding compliance into business processes, requires taking calculated risks. This means that risk management strategies must be implemented, monitored, and updated as necessary.

Failure in compliance is not about missing a regulatory requirement. It is about learning that a new process does not resonate with employees, or a monitoring tool generates too many false positives. Leaders should create safe zones for experimentation. If you never fail, you are not pushing hard enough. Compliance innovation must be iterative, and tolerance for small, recoverable failures is the price of true progress.

3. Flattening Bureaucracy Fuels Accountability

Jassy highlights Amazon’s initiative to flatten its organization and empower individual contributors. By increasing the ratio of builders to managers, reducing layers of decision-making, and encouraging employees to own “two-way-door decisions” (choices that can easily be reversed), Amazon streamlined processes and accelerated innovation.

Compliance functions are often drowning in pre-meetings and approval chains. A compliance officer identifies a risk, drafts a recommendation, and waits while three levels of committees review it. Meanwhile, the risk festers. The compliance profession should adopt Jassy’s model: empower frontline employees to make two-way-door decisions in real time. For example, a compliance manager in Brazil should have the authority to pause a suspicious vendor engagement without waiting for headquarters. Flattening decision-making structures creates accountability, agility, and credibility. Compliance must adopt a builder’s mindset: see the problem, fix the problem, move forward.

4. Culture Must Be Reinvented Continuously

“Culture is not our birthright,” Jassy warns. As companies scale, their culture stretches and must be deliberately reinforced. At Amazon, this means reasserting ownership, accountability, and a customer-centric approach, even as new layers of management emerge. For compliance professionals, this is a powerful reminder: culture is not static. A “speak-up” culture may flourish in year one and decay by year five if it isn’t nurtured. New geographies, acquisitions, and technologies stretch corporate culture in unpredictable ways.

The compliance function must continuously assess cultural health: are employees still raising concerns? Do managers still model ethical behavior? Are incentive structures still aligned with compliance values? A strong compliance culture requires constant reinvention (new training, new channels, new metrics) so that employees see it as living and evolving, not stale or perfunctory.

5. AI, Innovation, and Responsibility Must Go Hand in Hand

Jassy views AI as the biggest transformation since the internet, with the power to reinvent every customer experience. He emphasizes that progress is inevitable, so leaders must focus on using AI responsibly and productively.

Compliance professionals face the same dual imperative. On the one hand, AI tools, such as automated transaction monitoring, predictive analytics, and natural language chatbots, can make compliance faster, smarter, and more effective. On the other hand, AI introduces new risks, including bias, opacity, privacy breaches, and increased regulatory scrutiny.

The compliance leader’s role is not to resist AI but to guide its responsible adoption. Establish AI governance frameworks. Ensure transparency and explainability. Audit data inputs and outputs. Partner with business units to embed compliance guardrails into AI development. If compliance can keep pace with AI’s speed while safeguarding ethics, it will become indispensable to the business.

Compliance at the Speed of Leadership

Andy Jassy’s mantra, “speed is a leadership decision,” rings true far beyond Amazon. For compliance professionals, it reframes the mission. Compliance does not require slow responses, being bureaucratic, or being risk-averse. (Always remember, you do not have brakes on a car to drive slowly; instead, you have brakes on a car to drive fast.) Leaders can choose speed by empowering their teams, flattening the decision-making process, fostering a culture of ownership, tolerating smart failures, and embracing technology responsibly.

The stakes are high. Compliance must move at the same speed as the business, not the other way around. Regulators expect swift detection and remediation. Employees expect rapid answers to ethics and compliance questions. Boards expect real-time risk visibility. Compliance that lags will be seen as irrelevant or ineffective.

The lesson from Amazon’s Jassy is that compliance speed is not about cutting corners. It is about clarity of leadership, empowerment of people, and continuous cultural reinvention. In an era of accelerating technology and mounting risk, compliance professionals must embrace speed as a core leadership choice.


Innovation in Compliance – Gaurav Kapoor on Risk Management and the Role of AI in GRC

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Gaurav Kapoor, Vice Chairman, Co-Founder and Board Member of MetricStream, discussing his extensive professional background, from co-founding MetricStream to his current focus on customer intimacy amid AI market disruptions.

Kapoor delves into the evolving landscape of risk management, emphasizing the importance of midyear reviews and integration of various risk themes like operational risk, audit compliance, and cybersecurity. He elaborates on the role of AI in GRC, stating how generative and agent AI can streamline compliance processes and enhance risk management strategies. The conversation also touches on the increasing significance of cybersecurity, geopolitical instability, and climate impact on risk assessment. Kapoor highlights the shift from compliance to a more resilient and risk-aware culture within organizations.

Key highlights:

  • The Importance of July in Risk Management
  • AI’s Role in GRC
  • Emerging Risks and AI Applications
  • Counseling Boards on Risk Management
  • Top Concerns for the Second Half of 2025
  • Evolving Role of Compliance and Risk Officers

Resources:

MetricStream Website and on LinkedIn

Gaurav Kapoor on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn


Trekking Through Compliance: Episode 77 – Through the Atavachron: Risk Management Insights from All Our Yesterdays

When you think of Star Trek: The Original Series, certain episodes stand out for their moral clarity, exploration of ethics, and leadership lessons. Others, like All Our Yesterdays, are more subtle but no less rich in compliance and risk management insights.

As the story unfolds, the episode reveals more than just a sci-fi adventure; it presents a compelling case study in the importance of preparation, situational awareness, adaptability, and decision-making under pressure. For the compliance professional, All Our Yesterdays offers five key risk management lessons that are as relevant in the boardroom as they are in a time-portal crisis.

Lesson 1: Understand the Operating Environment Before You Act

Illustrated by: Kirk, Spock, and McCoy don’t fully grasp that the Atavachron sends people into different periods, permanently altering them to survive there, until after they have stepped through the portals.

Compliance Lesson. One of the most preventable compliance failures happens when leaders act without fully understanding the operational landscape.

Lesson 2: Know the Long-Term Consequences of Your Decisions

Illustrated by: Atoz explains that once a traveler passes through the Atavachron, they undergo physiological changes to survive in the chosen period. Returning without those adaptations can be fatal.

Compliance Lesson. Compliance decisions, especially around risk tolerance, often have long-term and sometimes irreversible consequences. For example, approving a high-risk third party because “we need them for this deal” can embed systemic vulnerabilities that are difficult to unwind later.

Lesson 3: Adapt Your Strategy to Changing Conditions

Illustrated by: Spock, under the influence of the prehistoric era, begins to revert to the more emotional mindset of ancient Vulcans, displaying anger, impatience, and even affection for Zarabeth, a woman trapped in that time.

Compliance Lesson. Risk environments are dynamic. Market conditions shift, laws change, counterparties evolve, and cultural contexts can reshape behavior, sometimes subtly, sometimes dramatically.

Lesson 4: Factor in Human Behavior When Assessing Risk

Illustrated by: Zarabeth tells Spock and McCoy they can never return to their own time, a claim that at first appears to be based on Atoz’s rules but is also shaped by her emotional motives.

Compliance Lesson. Risk management isn’t just about numbers, metrics, or legal frameworks—it’s about people, their incentives, and their biases.

Lesson 5: Time Is a Critical Risk Variable

Illustrated by: The central urgency in All Our Yesterdays comes from the imminent nova of Sarpeidon’s sun. For Kirk, Spock, and McCoy, the clock is ticking.

Compliance Lesson. In compliance risk management, timing is often the difference between proactive control and reactive crisis.

Final Compliance Reflections

All Our Yesterdays may be set in a science fiction universe, but its lessons are firmly grounded in the reality of corporate compliance. Every compliance officer will, at some point, face the equivalent of a ticking sun about to go nova, a high-stakes situation where incomplete information, shifting conditions, human bias, and the relentless march of time intersect.

Remember, you may not have an Atavachron in your compliance toolkit, but you do have the power to choose which “yesterday” you’ll prepare for today. The right risk management approach ensures that, when the heat is on, your organization is not scrambling for the exit portal, as it’s already where it needs to be.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


All Our Yesterdays: Risk Management Lessons for the Compliance Professional

When you think of Star Trek: The Original Series, certain episodes stand out for their moral clarity, exploration of ethics, and leadership lessons. Others, like All Our Yesterdays, are more subtle but no less rich in compliance and risk management insights.

In this episode, Captain Kirk, Mr. Spock, and Dr. McCoy beam down to the planet Sarpeidon just before its sun is about to go nova. They find the planet seemingly deserted except for a mysterious librarian named Mr. Atoz. He explains that the people have escaped into the planet’s past using a time travel device called the Atavachron. Unfortunately, in true Star Trek fashion, the landing party becomes separated: Kirk lands in a duel-filled era resembling the late Middle Ages, and Spock and McCoy in a frozen prehistoric wilderness.

As the story unfolds, the episode reveals more than just a sci-fi adventure; it presents a compelling case study in the importance of preparation, situational awareness, adaptability, and decision-making under pressure. For the compliance professional, All Our Yesterdays offers five key risk management lessons that are as relevant in the boardroom as they are in a time-portal crisis.

Lesson 1: Understand the Operating Environment Before You Act

Illustrated by: When Kirk, Spock, and McCoy first arrive, they assume the library is a static place in the present day. They don’t fully grasp that the Atavachron sends people into different periods, permanently altering them to survive there, until after they have stepped through the portals.

Compliance Lesson. One of the most preventable compliance failures happens when leaders act without fully understanding the operational landscape. Just as Kirk should have gathered more intelligence before stepping through the portal, compliance officers must conduct thorough due diligence before making high-impact decisions, especially in new markets or with new business models.

Jumping into a jurisdiction with unfamiliar regulatory structures or cultural norms without advance research can leave your compliance program operating with blind spots. A robust risk assessment, stakeholder mapping, and regulatory scan are your “Atavachron briefing”; without them, you’re walking through the wrong portal unprepared.

Lesson 2: Know the Long-Term Consequences of Your Decisions

Illustrated by: Atoz explains that once a traveler passes through the Atavachron, they undergo physiological changes to survive in the chosen period. Returning without those adaptations can be fatal. This means each journey into the past is not just a visit—it’s a permanent commitment.

Compliance Lesson. Compliance decisions, especially around risk tolerance, often have long-term and sometimes irreversible consequences. For example, approving a high-risk third party because “we need them for this deal” can embed systemic vulnerabilities that are difficult to unwind later.

Spock and McCoy’s plight in the ice age is a reminder that once certain paths are chosen, backing out may be impossible or costly. Before green-lighting any strategy or business partner, ask: What will be the long-term compliance footprint? Are we setting ourselves up for future exposure? Risk management is not just about the next quarter; it’s about the next decade.

Lesson 3: Adapt Your Strategy to Changing Conditions

Illustrated by: Spock, under the influence of the prehistoric era, begins to revert to the more emotional mindset of ancient Vulcans, displaying anger, impatience, and even affection for Zarabeth, a woman trapped in that time. McCoy, ill from the cold, must rely on Spock’s shifting judgment to survive.

Compliance Lesson. Risk environments are dynamic. Market conditions shift, laws change, counterparties evolve, and cultural contexts can reshape behavior, sometimes subtly, sometimes dramatically. The compliance officer must be alert to these shifts and recalibrate strategies accordingly.

Like Spock, even seasoned professionals can find themselves influenced by their environment in ways they don’t immediately recognize. Compliance teams need to build monitoring systems that not only track external risk factors but also assess how those factors may be affecting decision-makers internally. Adaptation is not a sign of weakness—it’s a core competency in sustainable risk management.

Lesson 4: Factor in Human Behavior When Assessing Risk

Illustrated by: Zarabeth tells Spock and McCoy they can never return to their own time, a claim that at first appears to be based on Atoz’s rules but is also shaped by her emotional motives. Her loneliness influences how she frames the “facts.”

Compliance Lesson. Risk management isn’t just about numbers, metrics, or legal frameworks—it’s about people, their incentives, and their biases. Vendors may hide problems to protect their contracts. Employees may omit details in self-reporting to avoid blame. Executives may downplay risk to push through a deal.

Zarabeth’s well-intentioned but self-serving misinformation underscores the need for independent verification of claims. Compliance programs should be designed to collect and validate facts from multiple sources, reducing the risk of being swayed by the partial truths of a single stakeholder.

Lesson 5: Time Is a Critical Risk Variable

Illustrated by: The central urgency in All Our Yesterdays comes from the imminent nova of Sarpeidon’s sun. The people had to evacuate into the past before the moment of destruction; anyone left behind would perish. For Kirk, Spock, and McCoy, the clock is ticking.

Compliance Lesson. In compliance risk management, timing is often the difference between proactive control and reactive crisis. Delaying a decision, such as suspending a suspicious transaction, escalating a whistleblower report, or halting engagement with a questionable vendor, can mean the difference between a manageable incident and a reputational disaster.

The episode reinforces the importance of early detection and swift action. Compliance teams should have rapid-response protocols, much like an evacuation plan, that can be activated the moment credible risk signals appear. The longer you wait, the narrower your options become.

Final Compliance Reflections

All Our Yesterdays may be set in a science fiction universe, but its lessons are firmly grounded in the reality of corporate compliance. Every compliance officer will, at some point, face the equivalent of a ticking sun about to go nova, a high-stakes situation where incomplete information, shifting conditions, human bias, and the relentless march of time intersect.

The episode reminds us that effective risk management is not simply about having a well-written policy. It’s about equipping yourself and your team to:

  • Anticipate the terrain.
  • Weigh long-term consequences before stepping through the “portal.”
  • Stay agile under environmental pressures.
  • Test assumptions and verify information.
  • Act decisively when the moment demands it.

In All Our Yesterdays, Kirk, Spock, and McCoy return to the present just in time, thanks to quick thinking, adaptability, and the ability to work within and around constraints. In the corporate compliance world, those same skills can mean the difference between a controlled risk event and a full-blown regulatory disaster.

Remember, you may not have an Atavachron in your compliance toolkit, but you do have the power to choose which “yesterday” you’ll prepare for today. The right risk management approach ensures that, when the heat is on, your organization is not scrambling for the exit portal, as it’s already where it needs to be.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


AI Today in 5: August 13, 2025, The Beware the EU AI Act Episode

Welcome to AI Today in 5, the newest addition to the Compliance Podcast Network. Each day, Tom Fox will bring you 5 stories about AI to start your day. Sit back, enjoy a cup of morning coffee, and listen in to AI Today in 5, all from the Compliance Podcast Network. Each day, we consider four stories about AI drawn from the business world, compliance, ethics, risk management, leadership, or general interest.

For more information on the use of AI in compliance programs, see Tom Fox’s new book, Upping Your Game. You can purchase a copy of the book on Amazon.com.


Trekking Through Compliance: Episode 71 – Surviving the Unknown: Risk Management Lessons from “That Which Survives”

In compliance, risk management is more than a checklist. It is the ongoing discipline of identifying threats, assessing their potential impact, and implementing measures to mitigate or neutralize them before they cause harm.

Few Star Trek episodes illustrate the escalating consequences of underestimated risks as effectively as That Which Survives. In it, the Enterprise crew encounters a seemingly lifeless planet guarded by Losira, an alien projection who can kill with a single touch. Her purpose is to protect the planet’s secrets, but her method is indiscriminate, deadly, and poorly aligned to the situation at hand.

For compliance professionals, this episode offers five important lessons on anticipating, assessing, and responding to risks, both known and unknown, within an organization.

Lesson 1: Identify Risks Before Engaging in New Ventures

Illustrated By: The Enterprise arrives at an uncharted planet. Within moments, a mysterious woman materializes and kills a crew member simply by touching him.

Compliance Lesson. Too often, companies rush into new markets, partnerships, or projects without conducting a thorough risk assessment. This can expose the organization to sanctions violations, corruption risks, cybersecurity vulnerabilities, or operational failures.

Lesson 2: Understand That Some Risks Are Intelligent and Adaptive

Illustrated By: Losira targets specific individuals and adapts her approach to their vulnerabilities.

Compliance Lesson. Not all risks are static. Fraudsters change tactics, cyber threats evolve, and corrupt third parties find new ways to conceal misconduct. A compliance program must anticipate that some risks will actively seek to bypass controls.

Lesson 3: Don’t Dismiss Low-Probability, High-Impact Threats

Illustrated By: At first, the crew assumes Losira’s appearances are isolated incidents, but they quickly realize she poses an existential threat.

Compliance Lesson. Rare events, such as a single high-value bribery transaction, a lone rogue employee, or a targeted cyberattack, can have catastrophic consequences. Organizations sometimes underprepare for these scenarios because they seem unlikely.

Lesson 4: Risk Mitigation Requires Cross-Functional Coordination

Illustrated By: The landing party on the planet and the Enterprise crew in orbit are each facing threats from Losira, but their survival depends on sharing information and coordinating responses. Without clear communication, both groups would be doomed.

Compliance Lesson. Compliance cannot manage risk in isolation. It must work with legal, internal audit, operations, IT, and HR to identify threats and implement controls.

Lesson 5: Address the Root Cause, Not Just the Symptoms

Illustrated By: The crew eventually discovers that Losira is an automated defense mechanism left behind by an extinct race. Once the crew understands her origin and purpose, they can neutralize the threat.

Compliance Lesson. In risk management, addressing surface-level problems without finding the underlying cause only delays future incidents. Compliance should integrate root cause analysis into all investigations.

Final ComplianceLog Reflections

That Which Survives is more than a suspense episode; it is a cautionary tale about the dangers of underestimating risk. Losira was not inherently evil; she was a misunderstood, unexamined part of an environment the crew did not fully assess before engagement.

The compliance officer’s mandate is to ensure the company doesn’t make the same mistake: to scan for threats before beaming in, to adapt to risks that evolve, to prepare for unlikely but devastating events, to coordinate across the enterprise, and to address the root cause when problems arise. Risk management is not just about surviving; it is about ensuring that your organization thrives in any environment, whether it’s an unexplored planet or a rapidly changing market.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha


Risk Management in Compliance: Five Lessons from Star Trek’s That Which Survives

In compliance, risk management is more than a checklist. It is the ongoing discipline of identifying threats, assessing their potential impact, and implementing measures to mitigate or neutralize them before they cause harm.

Few Star Trek episodes illustrate the escalating consequences of underestimated risks as effectively as That Which Survives. In it, the Enterprise crew encounters a seemingly lifeless planet guarded by Losira, an alien projection who can kill with a single touch. Her purpose is to protect the planet’s secrets, but her method is indiscriminate, deadly, and poorly aligned to the situation at hand.

For compliance professionals, this episode offers five important lessons on anticipating, assessing, and responding to risks, both known and unknown, within an organization.

Lesson 1: Identify Risks Before Engaging in New Ventures

Illustrated By: The Enterprise arrives at an uncharted planet, scans it briefly, and beams down a landing party. Within moments, a mysterious woman materializes and kills a crew member simply by touching him.

Compliance Lesson. Too often, companies rush into new markets, partnerships, or projects without conducting a thorough risk assessment. This can expose the organization to sanctions violations, corruption risks, cybersecurity vulnerabilities, or operational failures. Compliance should lead or be deeply involved in pre-engagement risk assessments. Before “beaming down” into a new business environment, map potential threats—regulatory, operational, reputational—and identify safeguards. Skipping this step can lead to preventable harm and costly remediation.

Lesson 2: Understand That Some Risks Are Intelligent and Adaptive

Illustrated By: Losira’s ability to appear anywhere, both on the planet and aboard the Enterprise, shows she is not a passive hazard. She targets specific individuals and adapts her approach to their vulnerabilities.

Compliance Lesson. Not all risks are static. Fraudsters change tactics, cyber threats evolve, and corrupt third parties find new ways to conceal misconduct. A compliance program must anticipate that some risks will actively seek to bypass controls. Build adaptive monitoring into your compliance systems. Use continuous transaction monitoring, real-time alerts, and data analytics to detect changes in patterns. A one-time risk assessment is not enough—ongoing vigilance is essential.

Lesson 3: Don’t Dismiss Low-Probability, High-Impact Threats

Illustrated By: At first, the crew assumes Losira’s appearances are isolated incidents, but they quickly realize she poses an existential threat. Even though she is only one individual, her capabilities could destroy the Enterprise if not addressed.

Compliance Lesson. Rare events, such as a single high-value bribery transaction, a lone rogue employee, or a targeted cyberattack, can have catastrophic consequences. Organizations sometimes underprepare for these scenarios because they seem unlikely. Compliance departments should incorporate low-probability, high-impact risks into the risk register. Conduct tabletop exercises to simulate rare but potentially devastating events, ensuring the organization has both prevention and response plans in place.

Lesson 4: Risk Mitigation Requires Cross-Functional Coordination

Illustrated By: The landing party on the planet and the Enterprise crew in orbit are each facing threats from Losira, but their survival depends on sharing information and coordinating responses. Without clear communication, both groups would be doomed.

Compliance Lesson. Compliance cannot manage risk in isolation. It must work with legal, internal audit, operations, IT, and HR to identify threats and implement controls. Silos breed blind spots, and blind spots breed crises. Establish cross-functional risk committees or working groups. Ensure that incident reporting and escalation procedures are well understood across departments. Make compliance the hub of a collaborative risk network, not a separate spoke.

Lesson 5: Address the Root Cause, Not Just the Symptoms

Illustrated By: The crew eventually discovers that Losira is an automated defense mechanism left behind by an extinct race. She’s not malicious—she’s simply executing a program without context or adaptability. Once the crew understands her origin and purpose, they can neutralize the threat.

Compliance Lesson. In risk management, addressing surface-level problems without finding the underlying cause only delays future incidents. For example, punishing an employee for violating a policy without examining why the policy was ignored leaves the organization vulnerable to repeat violations. Compliance should integrate root cause analysis into all investigations. Whether it’s a process flaw, cultural issue, or oversight gap, solving the real problem is the only way to reduce recurrence.

The Enterprise as a Risk Management Model

Captain Kirk and his crew succeed not because they are lucky, but because they adapt quickly, share intelligence, and dig deeper to understand the nature of the threat. These are precisely the attributes a corporate compliance department needs to lead risk management:

  • Proactive assessment before engagement.
  • Adaptive controls that respond to evolving risks.
  • Preparation for rare but high-impact events.
  • Collaboration across organizational functions.
  • Root cause remediation for lasting solutions.

Practical Compliance Takeaways

From That Which Survives, compliance professionals can draw these operational insights:

  1. Integrate Compliance Early—Risk management starts before contracts are signed or operations begin, not after.
  2. Invest in Technology—Data analytics, AI monitoring, and continuous auditing tools make adaptive risk management possible.
  3. Conduct Scenario Planning—Practice responding to “Losira-like” threats: targeted, intelligent, and hard to predict.
  4. Build Risk Alliances—Partner with all departments to create a unified threat picture.
  5. Close the Loop—Use each incident to strengthen your program against future threats.

Final ComplianceLog Reflections

That Which Survives is more than a suspense episode; it is a cautionary tale about the dangers of underestimating risk. Losira was not inherently evil; she was a misunderstood, unexamined part of an environment the crew did not fully assess before engagement.

The compliance officer’s mandate is to ensure the company doesn’t make the same mistake: to scan for threats before beaming in, to adapt to risks that evolve, to prepare for unlikely but devastating events, to coordinate across the enterprise, and to address the root cause when problems arise.

In other words, risk management is not just about surviving; it is about ensuring that your organization thrives in any environment, whether it’s an unexplored planet or a rapidly changing market.

Resources:

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha