
The Muppet C-Suite: A Compliance Professional’s Guide to Culture, Controls, and Chaos, Part 4: Animal as Chief Operating Risk Officer: Managing Chaos Before Chaos Manages You

This week we are honoring the return of The Muppets for a 2026 Special Edition. I thought it would be fun to look at business leadership teams through the lens of The Muppets. Every compliance professional has worked with a Kermit, managed a Piggy, worried about a Gonzo, or tried to contain an Animal. Today, we conclude by looking at The Animal problem. This series has used the Muppet executive team as a framework to explore leadership, governance, innovation, operational risk, and corporate compliance through the lens of the DOJ’s Evaluation of Corporate Compliance Programs and modern governance expectations.

Every organization has an Animal. Sometimes it is a person. Sometimes it is a business unit. Sometimes it is a revenue stream so profitable that leadership stops asking difficult questions. But every organization eventually encounters a force that is energetic, productive, volatile, difficult to control, and capable of creating enormous operational damage if left unmanaged. That is Animal.

As Chief Operating Risk Officer, Animal represents a truth many organizations struggle to confront: the greatest operational risks are often tolerated because they generate short-term success. Animal is loud, destructive, impulsive, emotional, and frequently one bad day away from catastrophe. Yet he is also highly effective in the environment for which he was designed. He brings energy, intensity, speed, and momentum.

The problem is not that Animal exists. The problem is when the organization mistakes unmanaged volatility for sustainable performance. That is where compliance, governance, and operational discipline become critical.

Operational Risk Rarely Arrives Quietly

One of the most dangerous assumptions organizations make is that operational failure arrives gradually and predictably. Often, it does not. Operational breakdowns tend to emerge after warning signs have already been normalized:

  • repeated policy exceptions,
  • constant escalation failures,
  • excessive workload pressure,
  • ignored complaints,
  • control fatigue,
  • unmanaged third parties, and
  • high-performing employees who are allowed to operate outside established expectations.

Animal embodies this normalization problem perfectly. Everyone knows he is dangerous. Everyone knows he is unpredictable. Everyone knows he creates operational instability. Yet the organization repeatedly tolerates the behavior because the show benefits from his energy. This is how many operational crises develop in real organizations. The issue is rarely ignorance. The issue is tolerance.

The Compliance Challenge of High-Performing Risk Creators

One of the DOJ’s most important compliance questions is whether organizations apply discipline consistently, regardless of title, status, or revenue generation. That sounds straightforward. In practice, it is extraordinarily difficult. Organizations routinely create informal exceptions for:

  • top producers,
  • senior executives,
  • innovative teams,
  • politically connected employees, and
  • operational leaders who are perceived as indispensable.

Animal represents this exact governance problem. A mature compliance program recognizes that unmanaged high performers create enterprise risk because they gradually teach the organization that controls are optional for the “right” people. Once that message spreads, culture deteriorates quickly. Employees notice:

  • who gets exceptions,
  • whose misconduct is ignored,
  • whose violations are minimized, and
  • whether leadership consistently enforces standards.

That is why operational risk is deeply connected to culture. Operational instability rarely begins with a single process failure. It usually begins with accountability failure.

Animal and the Failure of Escalation

Perhaps the most dangerous thing about Animal is not his volatility. It is that the organization tends to underestimate the seriousness of the risk until after damage occurs. This reflects a common corporate governance problem: escalation fatigue. Over time, organizations become accustomed to recurring dysfunction:

  • “That is just how he operates.”
  • “That team is always difficult.”
  • “They are under pressure.”
  • “The business results justify the headaches.”
  • “We can manage around it.”

Those statements are operational-risk warning signs. A mature compliance program must create escalation structures capable of identifying:

  • repeated near misses,
  • recurring control failures,
  • cultural deterioration,
  • operational shortcuts, and
  • conduct risks before they evolve into crises.

Animal should not require an explosion before leadership intervenes. Unfortunately, many organizations wait for exactly that moment.

Root Cause Analysis Matters

When operational failures occur, organizations often focus immediately on the visible event:

  • the failed transaction,
  • the misconduct,
  • the regulatory inquiry,
  • the system failure, or
  • the public embarrassment.

But effective governance requires deeper analysis. The ECCP specifically emphasizes root cause analysis because sustainable remediation depends on understanding why the failure occurred in the first place. With Animal, the obvious answer might be: “Animal lost control.”

But the real questions are:

  • Why was the risk tolerated repeatedly?
  • Why were escalation signals ignored?
  • Why were controls insufficient?
  • Why did leadership normalize the volatility?
  • Why were prior incidents dismissed as isolated?

Those questions move the organization from blame to governance. A mature compliance function should always ask whether operational failure reflects:

  • incentive problems,
  • leadership failures,
  • staffing pressures,
  • inadequate oversight,
  • resource constraints, or
  • cultural normalization of misconduct.

Without root cause analysis, organizations simply reset the stage for the next crisis.

Speak-Up Culture and Operational Risk

Animal also highlights the importance of a culture of speaking up. In many organizations, employees recognize operational risk long before leadership does. The problem is that employees often conclude:

  • raising concerns changes nothing,
  • leadership already knows,
  • retaliation risk is too high,
  • or operational pressure outweighs ethical concerns.

That silence becomes dangerous. The DOJ increasingly expects organizations to maintain effective reporting channels, anti-retaliation protections, and meaningful investigative response mechanisms. But a speak-up culture is not merely a hotline issue. It is a credibility issue. Employees must believe:

  • concerns will be heard,
  • escalation will occur,
  • retaliation will not be tolerated,
  • and leadership is willing to intervene even when operational performance is affected.

In Animal’s world, the organization often appears resigned to the chaos. That resignation is itself a governance failure.

Crisis Management Is a Governance Discipline

Animal is also a reminder that crisis management is not public relations. It is governance under pressure. Operational crises test:

  • leadership credibility,
  • escalation systems,
  • internal communication,
  • decision-making discipline,
  • documentation quality, and
  • organizational resilience.

Strong organizations prepare for operational disruption before it occurs. That means:

  • crisis-management protocols,
  • escalation matrices,
  • tabletop exercises,
  • communication plans,
  • cross-functional coordination, and
  • clear authority structures.

Animal should never be the organization’s first operational surprise.

Yet many companies operate as though volatility itself is unpredictable when, in reality, warning signs existed for months or years. The question is whether leadership chose to recognize them.

Control Fatigue Is Real

One of the most overlooked operational risks is control fatigue. When organizations operate under constant pressure, employees gradually begin bypassing safeguards:

  • approvals become rushed,
  • documentation becomes incomplete,
  • exceptions become routine,
  • monitoring weakens,
  • and oversight becomes reactive instead of preventive.

Animal accelerates this dynamic because his operational style rewards speed and intensity over discipline and sustainability. That creates a dangerous cycle:

  1. pressure increases,
  2. controls weaken,
  3. near misses increase,
  4. normalization expands, and
  5. eventually failure becomes inevitable.

A mature compliance program continuously monitors for this pattern because operational collapse rarely occurs without warning.

5 Key Takeaways for the Compliance Professional

1. Operational risk is often tolerated because it produces results.

Organizations must resist creating informal exceptions for high-performing but destabilizing individuals or business units.

2. Escalation failures are early warning signs.

Repeated policy exceptions, ignored concerns, and normalized dysfunction frequently precede major operational breakdowns.

3. Root cause analysis is essential for sustainable remediation.

Organizations should investigate not only what failed, but why leadership and controls allowed the failure to persist.

4. Speak-up culture directly affects operational resilience.

Employees must trust that concerns will be heard, investigated, and acted upon without retaliation.

5. Crisis management is a governance function.

Effective organizations prepare for operational disruption through planning, escalation structures, monitoring, and cross-functional coordination.

The Final Governance Lesson

Across this series, Kermit, Piggy, Gonzo, and Animal together represent the four forces constantly shaping corporate governance:

  • leadership,
  • reputation,
  • innovation,
  • and operational risk.

The lesson is not that organizations should eliminate strong personalities, ambition, experimentation, or intensity. The lesson is that mature governance recognizes these forces early and builds systems capable of channeling them responsibly.

Kermit provides stability.

Piggy creates visibility.

Gonzo drives innovation.

Animal tests the strength of operational controls.

Every organization contains all four. The real question for compliance professionals is whether the governance structure is strong enough to keep the theater standing when all four are operating at the same time. Because eventually, they will be.

Long Live The Muppets


Betting the Game: Entourages, Interpreters, and the People Around the Star

Betting the Game is a 10-part podcast series exploring how sports gambling reshaped the business, culture, and integrity of athletics across professional and amateur sports. Hosted by Tom Fox and Mike DeBernardis, the series examines the real-world collisions between betting markets, athlete conduct, institutional oversight, and public trust. Each episode examines a different pressure point, from player betting and college sports to prop bets, insider information, and governance failures that can put the credibility of competition at risk. At its core, the series asks a simple but urgent question: as gambling became mainstream in sports, did ethics, compliance, and oversight keep pace?

In episode 4 of Betting the Game, Tom and Mike examine how gambling and integrity risk often enter sports not directly through the athlete, but through the network surrounding the athlete. The episode explores how interpreters, friends, business managers, financial advisors, family members, handlers, and other trusted associates can create exposure through access to information, money, influence, and opportunity. Using the Shohei Ohtani–Ippei Mizuhara matter, the Jontay Porter case through the lens of network risk, and the broader history of athlete exploitation by trusted advisors and handlers, Tom and Mike explain why sports organizations must consider entourages as a third-party risk. At its core, this episode asks a fundamental governance question: when someone close to the athlete has trusted proximity, what controls exist to protect the athlete, the institution, and the integrity of the game?

Key highlights:

  • The athlete is not the whole risk universe.
  • Trusted proximity is a real governance risk.
  • The Ohtani–Mizuhara matter is the flagship case study.
  • Entourage risk is really third-party risk.
  • Better governance should protect the athlete, not police the athlete.

Resources:

Mike DeBernardis on LinkedIn



SBR-Authors Podcast: Risk is the Soundtrack of Life with Jim Massey

Welcome to the SBR-Authors Podcast! In this podcast series, Host Tom Fox visits with authors in the compliance arena and beyond. In this episode, Tom Fox welcomes back Jim Massey to discuss Jim’s latest book, ‘Risk in Action: A Leader’s Guide to Clarity.’

They take a deep dive into how the book builds on the themes outlined in ‘Trust in Action,’ focusing on the comprehensive approach to managing risk, trust, and fear. Jim shares insights on redefining risk not as a binary choice but as a polarity to be managed, offering actionable steps for business and compliance leaders. He also introduces his new AI-driven risk assessment tool, designed to provide real-time, actionable insights. Jim emphasizes the importance of embracing risk as an opportunity for innovation and shares his key leadership lessons for navigating the ever-changing business landscape.

Key highlights:

  • The Genesis of ‘Risk in Action’
  • Understanding Risk and Its Importance
  • The Role of Fear in Risk Management
  • Innovative Risk Management Strategies
  • Leadership and Risk
  • The Future of Risk Assessments

Resources:

Risk in Action on Amazon

Jim Massey Website

Jim Massey on LinkedIn

Eastward.ai Website



Risk in Action: What Jim Massey Teaches Us About Crossing the Gap

Corporate leaders love to talk about innovation, transformation, and building the future. Yet most organizations still get stuck in the same place: standing at the edge of a decision, staring into the unknown, and doing nothing. At that moment, the hesitation between where we are and where we need to go is the space Jim Massey calls the gap. And in Risk in Action, Massey makes a compelling argument that how leaders approach this gap will define not only their relevance but also their ability to lead in today’s fast-moving environment.

For the corporate compliance professional, this book is more than leadership philosophy. It is a practical guide for making disciplined, values-driven choices under uncertainty. It is also a call to rethink how our organizations confront risk, how we enable decision-making, and how we build systems that do more than slow the business down.

Risk as the Distance Between Now and Next

Early in the book, Massey reframes a concept that compliance professionals often treat as static. Risk, he argues, is not a heat map, a mitigation plan, or a quarterly review. Risk is the distance between where you are and where you want to be. Trust is the bridge. Fear is the fog that makes the crossing difficult (see Chapter 2). That deceptively simple framing is powerful. It exposes why so many organizations fall into oscillation: they mistake movement for progress. More meetings. More decks. More analysis. And yet nothing moves.

We tell ourselves we are being prudent, disciplined, or thorough when in reality we are waiting for fear to subside. Massey does not dismiss the importance of analysis. Instead, he asks leaders to confront their own reflexive relationship with risk. Whether the risk is regulatory, strategic, environmental, or reputational, the greater danger is not action; it is inaction. The world moves quickly. Competitors accelerate. Expectations shift. Standing still is its own risk, and often the most significant one.

Face, Frame, Forward: The Anatomy of Real Decision-Making

The central model in the book—Face, Frame, Forward—offers a decision-making cadence that leaders can apply daily. As Massey describes, the greatest failures he has seen in organizations did not come from a bad decision but from delaying a necessary one. His model helps break that paralysis.

Face

Facing risk begins with naming the truth in front of you. Not the sanitized version. The real version. What is the risk that keeps you up at night? What is the organizational behavior you keep tolerating? What is the emerging external pressure that is already reshaping your strategic environment? (see Chapter 4). Massey’s point is blunt: You cannot frame a risk you refuse to see, and you cannot move forward from a place of ambiguity.

Frame

Framing is about meaning-making. Two companies can experience the same regulatory change, market disruption, or technology shift and respond in completely different ways. Why? Because they frame its significance differently (see Chapter 5). Framing is where compliance officers have enormous influence. We help leaders see regulatory shifts as more than check-the-box obligations. We help boards see cultural issues as more than HR noise. We help executives understand that ESG risks are strategic risks and that reputational risks are governance risks. Impact matters, yes. But meaning drives action.

Forward

Forward is where clarity becomes motion. Not recklessness. Not speed for speed’s sake. But disciplined, intentional, values-aligned action. Massey writes that the fog does not lift before we move. It lifts because we move (Chapter 6). That insight is especially relevant for compliance professionals. We often wait for the perfect policy, perfect data, or perfect operating plan. Yet most risks today evolve faster than our systems can process. The future belongs to organizations that move forward with clarity, not certainty.

Risk, Trust, and Fear: The Three-Dimensional Model of Leadership

What makes Risk in Action uniquely valuable for compliance professionals is Massey’s integration of risk, trust, and fear. These forces, he argues, are always active, competing, overlapping, and shaping our choices (see Chapter 7). Compliance professionals know this intuitively. A team hesitates to escalate a concern—not because they lack information, but because fear is louder than trust. A business unit drags its feet on a remediation plan—not because the fix is complicated, but because the risk feels abstract. A board over-rotates to control, not because of a regulatory requirement, but because fear has dominated the discussion.

Massey identifies three essential questions every leader must answer:

  1. Can we? (capability)
  2. Do we care? (intent and connection)
  3. Will we do it? (commitment)

These three elements—Can, Care, Do—form the building blocks of trust (see Chapter 8). And trust, in turn, is what enables movement across the risk gap.

FearFULL Leadership: Why Pretending to Be Fearless Does Not Work

One of the book’s most compelling contributions is Massey’s challenge to the myth of fearlessness. Leaders spend too much time trying to appear unshakable. In reality, fear shows up silently, through overcontrol, indecision, or relentless perfectionism. Massey argues for something more honest: becoming fearFULL, not devoid of fear, but full of awareness, reflection, and intention (see Chapter 9). FearFULL leaders admit the truth early. They ask the hard questions. They name the tension. And by doing so, they create a sense of psychological safety for others.

For compliance professionals, this matters enormously. Transparency, escalation, and ethical decision-making cannot coexist with unacknowledged fear. Leaders who cannot name their own fear cannot build environments where employees feel safe speaking up.

The Compliance Connection: Why This Book Matters for Our Profession

At its core, Risk in Action is about building systems and cultures where leaders face reality with honesty, interpret risks with clarity, and move with purpose. That is the very heart of compliance work. Massey critiques the old model of compliance as the organizational brake pedal. The modern compliance function must instead help the business navigate uncertainty, not out of fear, but with disciplined confidence (see Chapter 1).

Compliance does not eliminate risk. Compliance enables the organization to move forward intelligently. Risk in Action reinforces several truths compliance professionals have long understood:

  • Controls without comprehension fail.
  • Strategy without alignment stalls.
  • Culture without clarity decays.
  • And risk without action accumulates.

What Massey offers is a leadership model that makes movement possible again.

Five Key Takeaways for the Compliance Professional

  1. Risk is not a barrier. Risk is the path forward. Treating risk purely as something to avoid limits innovation and weakens relevance. Compliance must help leaders see risk as the space where opportunity lives.
  2. Face, Frame, Forward is a practical tool for enabling action. Name the risk clearly, interpret it through values and strategy, and move forward with intention. Avoid the organizational trap of oscillation.
  3. Trust is operational. Fear is real. And both shape risk decisions. Compliance programs must build systems that reinforce capability, connection, and commitment—because without trust, no risk model works.
  4. FearFULL leadership produces better compliance outcomes. Pretending to be fearless creates silence. Acknowledging fear creates honesty. Leaders who name fear make it safer for others to speak up early.
  5. Compliance must evolve from protectors to navigators. The speed of today’s risks demands a forward-looking, strategy-aligned compliance function. Your role is not to slow the business down; your role is to move it wisely.

Perhaps the most interesting overall concept posited by Massey is one I learned from John Lee Dumas from his interview in the award-winning podcast series, Looking Back on 9/11. On 9/11, Dumas was a college senior in ROTC, and that night, he knew he was going to war. As a 21-year-old Lieutenant, he led a 40-man tank crew in the invasion of Iraq. I asked him what he learned from his Army experience. He instantly responded, “Make a Decision.” He added that you never have perfect information, so you have to take what you have, synthesize it, and act on it. Massey makes clear that compliance leadership requires action.


Popcorn and Compliance: Episode 3 – Compliance in the Full Moonlight: Lessons from The Wolf Man

Welcome to a special series of Popcorn and Compliance. In this series, we will be looking at the Classic Universal Monster Movies from the 30s and 40s and mining them for compliance lessons. (Yes, it really is an excuse to rewatch them all.) In this series, we will look at Frankenstein, Dracula, The Wolf Man, The Mummy, and end with The Invisible Man. In this episode, Tom explores critical compliance insights drawn from Lon Chaney Jr.’s portrayal of The Wolf Man.

In this episode, we take a deep dive into my favorite Classic Universal Monster, The Wolf Man, to unpack five critical lessons, including the danger of ignoring warnings, the importance of timely intervention, and the challenges of recognizing risks in ordinary people under extraordinary circumstances. Listeners are encouraged to consider how these timeless themes apply to modern corporate compliance, emphasizing proactive measures to prevent potential catastrophes. Join Tom, along with AI hosts Fiona and Timothy, for a surprisingly relevant exploration of compliance through the eerie lens of Hollywood’s iconic monster movies.

Key highlights:

  • The Relevance of the Wolf Man to Modern Compliance
  • Lesson 1: Ordinary People Can Become Compliance Risks
  • Lesson 2: Warnings Ignored Become Disasters Realized
  • Lesson 3: The Curse of Silence and Stigma
  • Lesson 4: Risk is Cyclical and Predictable
  • Lesson 5: Tragedy Comes from a Lack of Intervention

Resources:

Compliance Lessons from Lon Chaney Jr.’s The Wolf Man on the FCPA Compliance and Ethics Blog



Great Women in Compliance – Navigating Risk, Culture, and Compliance with Teri Cotton Santos

✨ New Episode Alert! ✨

On this special episode of #GWIC, guest host Ellen Hunt talks with the incredible Teri Cotton Santos, Chief Compliance Officer at Phillips 66.

Teri shares her inspiring journey—from serving as General Counsel in Asia at Eli Lilly to leading compliance at HF Sinclair, and now shaping the culture of ethics and compliance at Phillips 66.

🔑 Key takeaways from this conversation:

  • Why trust is the foundation of every effective compliance program
  • How to integrate risk, ethics, and strategy to create impact
  • Lessons in resilience and resourcefulness when leading with limited resources
  • Building compliance programs that are truly fit-for-purpose and built to scale
  • The growing importance of data, technology, and behavioral science in compliance work

Teri also reflects on #leadership, #mentorship, and the power of community in the compliance profession.

🎧 Tune in for an honest, thoughtful, and inspiring discussion about leading with purpose and integrity in today’s evolving regulatory environment.

🔗 Sponsored by Corporate Compliance Insights



Compliance Tip of the Day – How a CFO Views Compliance and Risk

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide you with bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we conclude our multipart look at thinking through the ROI of your compliance program by considering how a CFO might well view compliance.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing Your Compliance Program, 6th edition, which LexisNexis recently released. It is available here.


Compliance Tip of the Day – Crowd Sourcing Risk Intelligence

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider how you can use your data to crowdsource your risk intelligence.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.


Daily Compliance News: April 14, 2025, The Cascade of Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy your morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional. Yesterday, Trump rolled back almost all tariffs he had imposed 48 hours earlier. We look at four stories on that issue from the compliance angle.

Top stories include:

  • Trump’s tariffs will lead to a cascade of corruption. (CNN)
  • What happens when you tell workers they are bad? (FT)
  • Trump creates both chaos and risk. (NYT)
  • China admits role in infrastructure hacks. (WSJ)

Daily Compliance News: April 2, 2025, The All WSJ Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • What is the true cost of corruption-lost lives? (WSJ)
  • Agentic AI and ‘a moment of truth.’ (WSJ)
  • Head of EU Competition heads to US for Liberation Day. (WSJ)
  • The eyes of Dr. T. J. Eckleburg. (WSJ)