Categories
Blog

Security, Extortion, and the New Compliance Mandate in Cartel-Driven Markets

This blog continues our series on the ACI Forum on Cartels, TCOs, and Compliance in Latin America and why it is so timely. What we are seeing across the region is not simply another enforcement trend. It is a structural change in the way compliance officers, boards, legal departments, security teams, and business leaders must assess and manage risk. The issue is where security, extortion, compliance, and enterprise risk management now sit at the same table.

The key point is one that every compliance professional has heard after a failure: “We did not see that coming.” In most cases, that statement does not mean the risk was invisible. It means the organization was not looking in the right way. It had a preconceived view of its threat environment. It relied on familiar dashboards. It accepted old assumptions. It conducted a risk assessment that confirmed management’s beliefs rather than testing them. That is not a security problem alone. That is a compliance failure.

Cartel Risk Is Now an Enterprise Risk

The designation of certain cartels and criminal organizations as Foreign Terrorist Organizations and Specially Designated Global Terrorists has changed the risk conversation. Executive Order 14157 established a process for certain international cartels and other organizations to be designated as FTOs or SDGTs and described international cartels as a national security threat beyond traditional organized crime, including through infiltration of governments across the Western Hemisphere. OFAC also lists an alert on international cartels designated as FTOs and SDGTs as part of its counterterrorism sanctions resources. (OFAC)

For CCOs, this means cartel and TCO exposure cannot be treated as a regional security issue or as a one-time sanctions-screening exercise. It must be integrated into risk assessments, third-party management, contract review, internal controls, HR, community relations, logistics, government affairs, and crisis response.

True threat assessment begins by stepping back, looking at the full operating environment, and then breaking the risk down by function. The Department of Justice has made clear that compliance programs must be robust, well-resourced, and empowered, and that companies are expected to continuously review and update compliance programs to account for emerging risk factors. A static, annual, checklist-driven risk assessment is not fit for a cartel-driven operating environment.

THIRA as a Compliance Tool

One of the most useful concepts in the attached article is the use of Threat and Hazard Identification and Risk Assessment, or THIRA. THIRA began in the public-sector preparedness world, but its discipline translates well into corporate compliance. FEMA describes THIRA as a three-step risk assessment process that helps communities identify the risks of greatest concern and determine the capabilities needed to address them. FEMA also notes that identifying and assessing risk should be a key input into planning and that plans must be risk-informed.

For compliance professionals, that is the point. Do not begin with the control. Begin with the threat. What could happen? Who could exploit the business model? What routes, facilities, vendors, unions, brokers, security providers, customers, or local officials create exposure? What happens if a logistics route becomes unsafe, a vendor is coerced, a local union is compromised, a government permit is delayed unless a payment is made, or a security provider is connected to criminal actors?

THIRA-style analysis forces a company to model realistic scenarios, assess consequences, and then determine whether it can respond. That means authority, communications, escalation, training, legal review, security protocols, financial controls, and board reporting must all be stress-tested before the crisis.

Continuous Monitoring Is Not Optional

In ordinary compliance discussions, “continuous monitoring” can sound like a best practice phrase. In a high-threat environment, it is an operating necessity. The attached article notes that threats can change by the hour, routes can become unsafe, infrastructure can fail, and misinformation can spread intentionally.

The compliance parallel is direct. A company cannot rely only on lagging indicators, annual certifications, or publicly available reports. In cartel-influenced markets, yesterday’s intelligence can create today’s exposure. The risk function must have access to live operational data, hotline reports, security intelligence, payment anomalies, logistics disruptions, vendor changes, law enforcement alerts, and local business intelligence.

This also requires delegated authority. If compliance or security sees a threat but lacks authority to pause activity, reroute shipments, reject a vendor, escalate a payment, or stop a transaction, the program is underpowered. Policies without authority are not controls. They are artifacts.

The Board’s Role: Oversight, Not Assumption

Boards must also recalibrate. Duncan’s point that boards often understand risk exists but do not always understand their lane should resonate with every CCO. The board’s role is not to manage routes, approve security plans, or second-guess local threat intelligence. Its role is to ensure that management has identified the risk, defined risk tolerance, resourced the response, assigned authority, and created reliable reporting.

In cartel-driven markets, the board should ask, “Where are we operating in areas of criminal influence?” Which third parties are essential to those operations? How do we know they are not compromised? What payments, donations, sponsorships, logistics arrangements, or security relationships create exposure? What is our escalation protocol if an employee, vendor, union representative, community leader, or government official signals coercion?

Risk tolerance must be written, debated, approved, and revisited. Silence is not neutrality. It is permission.

Security Is a Compliance Function

The attached article makes another crucial point: security is not just physical. Insider threats, personal vulnerabilities, substance abuse, coercion, espionage, poor training, and cultural dysfunction all create compliance exposure. Employees must understand not only what the rules are but also why the rules matter and how criminal organizations exploit weak points.

In Venezuela, the State Department’s June 27, 2026, advisory tells travelers to reconsider travel because of crime, kidnapping, terrorism, poor health infrastructure, and natural disaster risk, and it identifies Tren de Aragua and Cartel de los Soles as FTOs that started in Venezuela and continue to operate. The same advisory states that the U.S. government has extremely limited capacity to provide emergency services to U.S. citizens, especially outside Caracas.  That is a board-level fact pattern. It affects duty of care, insurance, crisis response, employee travel, third-party security, incident reporting, and operational continuity.

Build the Threat Hub

The most practical recommendation is to create a threat hub. It should be a cross-functional forum where legal, finance, operations, security, compliance, and other functions review threats, vulnerabilities, and operational changes. This is precisely what mature compliance should look like in a high-risk market.

The threat hub should review incidents, routes, payments, vendor changes, customer anomalies, government interactions, community demands, employee reports, and security intelligence. It should have the authority to escalate. It should report to management and the board. It should test crisis plans through realistic exercises.

Practical takeaways

First, refresh the risk assessment now. Second, add THIRA-style scenario planning to cartel and TCO risk. Third, empower compliance and security to act in real time. Fourth, review third parties, major contracts, customers, logistics providers, unions, community intermediaries, and security vendors. Fifth, educate the board on its oversight role and require explicit risk tolerance.

The final lesson is simple. In high-threat markets, static programs fail. Assumptions kill preparedness. Authority matters. Culture is defined by what leaders tolerate. The choice for every company is whether to learn before or after the crisis.

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments. Security has taken on even greater importance in Venezuela as President Trump has announced the US will not provide any security to US companies returning to the country.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness. Authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

The Cartels, TCOs & Compliance in Latin American conference will feature these topics and many more. For information and registration, click here. For the complete agenda, click here. You can receive 10% off the price by using the Discount Code D10-999-CPN26.

ACI is the sponsor of today’s blog.

Categories
FCPA Compliance Report

FCPA Compliance Report: Navigating Security Threats In Venezuela with Marc Duncan – A Comprehensive Approach to Risk Management

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Marc Duncan, Chief Operating Officer at Salus Solutions, joins Tom to discuss security issues that US companies returning to Venezuela need to address upon reentering the country.

They deep dive into understanding and managing security threats across domains such as finance, personnel, corporate structure, and cyber operations. Duncan discusses the importance of viewing problems abstractedly, conducting full-scale threat assessments, and the crucial role of continuous monitoring. He shares insights into working with local communities, ensuring physical and operational security, and developing crisis communication strategies. The conversation also touches on insider threats, technical surveillance countermeasures, and the need for a responsive, flexible security team. Learn how companies, including those operating in high-risk environments such as Venezuela, can effectively prepare for and mitigate risks.

Key highlights:

  • Comprehensive Threat Assessment
  • Corporate Security and Board Involvement
  • Assessing Organizational Risk Culture
  • Insider and External Threats
  • Logistics and Local Partnerships
  • The Importance of Crisis Communication Training
  • Final Thoughts and Recommendations

Resources:

Marc Duncan on LinkedIn

Salus Solutions

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Returning to Venezuela on Amazon.com

Categories
Blog

Returning to Venezuela: Part 4 – From Physical Security to Enterprise Risk

In this five-part series, I have walked through the core compliance risks US energy companies will face as they consider a return to Venezuela. We began with bribery and corruption and the long shadow of PDVSA (Parts 1 & 2), then moved to export controls (Part 3).

Today, we consider the security risks and the broader operational and strategic challenges of working in one of the most complex risk environments in the world. For many compliance professionals, “security” still conjures images of guards, gates, and cameras. It is treated as an operational afterthought or a line item buried somewhere between facilities and travel. The conversation I recently had with Marc Duncan, COO at Salus Solutions, should permanently disabuse compliance officers, boards, and senior executives of that narrow view. As Duncan describes it, security is not a physical function. It is an enterprise risk discipline. It is continuous monitoring at its purest. And it is inseparable from culture, governance, and decision-making authority.

For compliance professionals, especially those operating globally or in volatile environments, this conversation offers a masterclass in how risk really works when theory collides with reality.

The First Compliance Failure: Thinking You Already Know the Risk

One of the most striking observations Duncan makes is also one compliance professionals hear far too often after a failure: “We did not see that coming.” As Duncan notes, that usually means the organization was not looking. They had a preconceived notion of their threats, locked onto a narrow risk model, and failed to challenge their assumptions. This is a classic compliance failure. Risk assessments that confirm management’s beliefs instead of testing them are not risk assessments. They are comfort exercises.

True threat assessment, whether physical, cyber, financial, or reputational, begins with abstraction. You step back, examine the environment holistically, and then break it down across functions. Duncan’s approach mirrors what the DOJ expects from a mature compliance program: financial risk, personnel risk, operational risk, cyber risk, structural risk, and external conditions assessed together, not in silos. Compliance professionals should take note. If your risk assessment is static, annual, and checklist-driven, you are already behind.

An additional framework compliance professionals should consider integrating into this approach is Threat and Hazard Identification and Risk Assessment (THIRA). While THIRA originated in the public sector and homeland security context, its core discipline translates directly to corporate compliance and enterprise risk management. THIRA forces organizations to first identify credible threats and hazards, assess their likelihood and impact, and only then evaluate existing capabilities and gaps. The discipline prevents the most common compliance failure: designing controls around assumed risks rather than actual ones.

A THIRA has three key steps:

  • Identify Threats and Hazards: Identify the threats and hazards that could impact them. These can include natural disasters such as hurricanes and earthquakes, technological hazards such as power outages, and human-caused events such as terrorism.
  • Assess Impacts: Once threats and hazards are identified, assess the potential impacts of these events. This involves understanding how these threats could affect people, property, and the environment.
  • Determine Capabilities: Based on the assessed impacts, determine the capabilities they need to address these threats and hazards. This includes identifying gaps in current capabilities and planning for resource allocation and training.

Used properly, THIRA complements a compliance risk assessment by grounding it in real-world scenarios, stress-testing assumptions, and aligning resources to consequence rather than convenience. In practice, compliance teams can use THIRA-style analysis to model disruptive events, validate whether policies and response plans would function under pressure, and ensure that authority, communications, and escalation protocols actually work in dynamic conditions. Like Duncan’s threat hub, THIRA is most effective when it is iterative, cross-functional, and embedded into daily decision-making rather than treated as a one-time exercise.

Continuous Monitoring Is Not a Buzzword in a Crisis Zone

In compliance circles, we often talk about continuous monitoring and continuous improvement. In high-risk environments, Duncan explains, these are not aspirational concepts. They are daily survival requirements. Threats change by the hour. Routes become unsafe. Infrastructure fails. Information degrades. Misinformation spreads intentionally. As Duncan makes clear, relying on sanitized reports or publicly available data alone is insufficient, particularly in places like Venezuela, where reliable information can be scarce and manipulated.

For compliance professionals, the parallel is obvious. If your organization relies solely on lagging indicators, static dashboards, or once-a-year training, you are operating on yesterday’s intelligence. A mature compliance program must be dynamic, responsive, and empowered to change course quickly.

Authority Matters More Than Policy

One of the most underappreciated insights in the discussion is the emphasis on delegated authority. Duncan is blunt: security teams must be empowered to make changes on the fly. Operations teams often resist this because they have a plan for the day. But rigid plans fail in dynamic environments. Compliance professionals should see themselves clearly in this description. How often does compliance identify a risk, only to be overruled by operational convenience? How often does policy exist without authority to enforce or adapt it?

This is not merely an execution issue. It is a governance failure. If compliance, security, or risk professionals lack real authority, then the program exists in name only.

Boards Are Often the Weakest Link

Perhaps the most candid portion of the conversation is Duncan’s discussion of boards of directors. Boards understand that risk exists, but they often do not understand their lane. Worse, they sometimes overstep based on assumptions rather than expertise, thereby influencing the organization’s security and risk culture to its detriment. This should resonate deeply with compliance professionals. Many compliance failures originate at the policy level. Boards check in periodically, hear a summary, and move on. They rarely engage with the complexity of the operating environment or the second- and third-order consequences of their decisions.

Duncan advocates for an ongoing relationship with boards or policy groups, not episodic briefings. Education is continuous. Risk is dynamic. Governance must keep pace. For compliance officers, this reinforces a critical point: board engagement is not about presentations. It is about sustained dialogue, shared understanding, and clearly articulated risk tolerance.

Culture Is Defined by Accepted Loss

One of the most insightful compliance lessons emerges from Duncan’s discussion of risk acceptance, particularly in the energy sector. Every organization accepts some level of loss. The problem arises when that acceptance is implicit, unexamined, or outdated. Compliance professionals should recognize this immediately. Risk tolerance that is not written down, debated, and revisited becomes invisible policy. It shapes behavior without accountability.

Duncan’s approach is instructive. He pushes organizations to explicitly articulate acceptable loss, document it, and use it as a guideline. When conditions change, that tolerance must be reassessed at the policy level. This is exactly how compliance culture should function. Silence is not neutrality. It is permission.

Security Is Not Just Physical: Insider Threats and Human Risk

If compliance professionals think security stops at the perimeter, Duncan quickly disabuses them of that notion. Insider threats loom large. Alcoholism, substance abuse, personal stressors, and poor life choices can all create vulnerabilities. So can espionage, coercion, and cultural dysfunction.

This is compliance territory. Training that treats employees like mushrooms kept in the dark will fail. Effective programs connect behavior to consequences: personal, professional, financial, and reputational. Duncan’s emphasis on “wholesome” training aligns with modern compliance expectations. Employees must understand not just what is prohibited, but why it matters, how it affects the organization, and how it exposes them personally.

Partnering with Locals: A Lesson in Third-Party Risk

One of the most counterintuitive lessons for many executives is the need to partner with local communities, vendors, and even security forces. Cutting locals out of economic participation breeds sabotage and resentment. Compliance professionals should immediately recognize the parallel to third-party risk management. Isolation does not reduce risk. Engagement does. Oversight, contracts, inspections, and partnerships create shared incentives and stability.

Whether it is food supply, logistics, or perimeter security, Duncan emphasizes layered controls and local investment. This is not unlike building a resilient third-party ecosystem rather than relying on transactional relationships.

The Threat Hub: A Compliance Blueprint

Perhaps the most transferable concept for compliance professionals is the “threat hub.” Duncan describes a cross-functional, daily forum where representatives from legal, finance, operations, security, and other functions review threats, vulnerabilities, and operational changes. This is what an effective compliance program should look like. Not a standalone department issuing policies, but an integrated function embedded across the organization, sharing intelligence, and adapting in real time.

Finally, Duncan issues a challenge that every compliance officer should take seriously: crisis exercises will break you. They expose gaps in policy, logistics, communications, authority, and preparedness that no binder ever reveals. Compliance professionals often assume crisis plans are adequate because they exist. Duncan’s experience says otherwise. Without realistic testing, organizations are unprepared when it matters most.

Final Thoughts

This conversation makes clear that security, compliance, and risk are not separate disciplines. They are different lenses on the same problem: how organizations survive and succeed in uncertain environments.

For compliance professionals, the takeaway is simple but uncomfortable. Static programs fail. Assumptions kill preparedness—authority matters. Culture is shaped by what leaders tolerate. And boards must be educated partners, not distant overseers. In high-threat environments, failure is immediate and unforgiving. In corporate compliance, it is slower, but no less certain.

The choice, as always, is whether to learn before the crisis or after it.

Join us tomorrow for Part 5 as we conclude our series by looking at AML risks associated with returning to Venezuela.

Categories
The Ethics Experts

Episode 013–Shannon Walker


On this episode of The Ethics Experts, we speak with Shannon Walker about whistleblowing, culture, and why speaking up should be more than a talking point…it should be an action.

 Check out more episodes, and don’t forget to subscribe on your favorite podcast platform!

Categories
ComplianceLIVE

Fun-Size Your Password Can’t Be PASSWORD123: Staying Compliant While Working From Home

Amanda zooms with show regular Chris Martin about how to stay compliant while working from home.

Check out more episodes and full episode videos at ComplianceLine.com, and don’t forget to subscribe on your favorite podcast platform!