Tag: University of Michigan

Categories
Blog

Michigan Man, Part 4 – Lessons Learned: What This Crisis Teaches Compliance Professionals

Every major compliance failure eventually reaches the same destination: a moment when leadership says, “How did we not see this coming? ” The answer is almost always the same. The warning signs were visible. They were rationalized, minimized, or overridden in the name of performance, continuity, or institutional pride.

The Sherrone Moore crisis at the University of Michigan is not a college football anomaly. It is a case study in how compliance programs fail when they are structurally subordinated, culturally discounted, or selectively enforced. For compliance professionals, the value of this case lies not in outrage but in extraction: extracting lessons that can be operationalized before the next crisis unfolds.

Lesson 1: Compliance Authority Must Be Structural, Not Aspirational

Michigan’s experience demonstrates that access to leadership is meaningless without authority. The compliance function may have been consulted, investigations commissioned, and policies in place. None of that mattered when the athletic department retained de facto control over outcomes. For compliance professionals, the lesson is clear. Compliance must have defined escalation rights and veto authority over high-risk decisions, including promotions, discipline, and crisis response. If a business unit can override compliance based on performance or legacy, compliance is not independent. It is decorative.

The Department of Justice has repeatedly emphasized that effective compliance programs require empowered compliance functions. That empowerment must be written into governance documents, reinforced by boards, and tested in practice.

Lesson 2: Past Dishonesty Is a Permanent Risk Factor

One of the most glaring failures in this case was the organization’s willingness to treat Moore’s prior dishonesty during the sign-stealing investigation as a closed chapter. It was not. It was predictive. Compliance professionals must internalize a hard truth: once credibility is damaged, it does not reset. Individuals who have lied to investigators, deleted records, or misrepresented facts should never again be treated as presumptively reliable. Enhanced monitoring, corroboration, and scrutiny are not punitive. They are risk management.

Organizations that ignore this lesson inevitably relearn it at a higher cost.

Lesson 3: Promotions Are Compliance Decisions

The elevation of Moore to head coach was framed as a football decision. In reality, it was one of the most consequential compliance decisions the university made.

Any promotion into a role with significant authority, visibility, and discretion is a compliance event. Risk-based due diligence should include:

  • Review of prior investigations and disciplinary history
  • Assessment of truthfulness and cooperation during past inquiries
  • Evaluation of behavioral and reputational risk, not just technical violations

In corporate terms, Michigan promoted an executive with unresolved compliance issues and a clear lack of an ethical grounding into a CEO-equivalent role. That decision alone dramatically increased institutional risk. But the consequences will reverberate for a long time to come.

Lesson 4: Investigations Involving Power Imbalances Require Heightened Standards

The initial investigation into Moore’s relationship with a staffer failed predictably. When both parties denied the relationship and the evidence was limited, the inquiry stalled. That outcome reflects a misunderstanding of power dynamics. Compliance professionals know that power imbalance distorts disclosure. Subordinates may deny relationships out of fear, loyalty, or uncertainty. Senior leaders may deny wrongdoing out of self-preservation. Effective investigations account for this reality by expanding evidence collection, conducting pattern analysis, and implementing interim safeguards.

Neutrality is not passivity. When allegations involve senior leadership, the standard of diligence must rise, not fall.

Lesson 5: Star Performers Are the Highest-Risk Population

One of the most enduring myths in organizational life is that high performers deserve flexibility. In reality, they deserve even greater scrutiny. Star performers operate with autonomy, influence culture, and often shape informal norms. Moore’s trajectory illustrates how repeated exceptions create a sense of entitlement. Each time misconduct is reframed as survivable, the individual learns that boundaries are negotiable. Compliance professionals must relentlessly resist this dynamic.

Rules applied selectively are not rules. They are invitations.

Lesson 6: Pattern Risk Demands Pattern Response

Perhaps the most damning aspect of the Michigan case is that it unfolded amid repeated scandals within the athletic department. When misconduct clusters, the correct response is not incremental fixes. It is a structural intervention. Compliance professionals must recognize pattern risk early and escalate it aggressively. That escalation should include:

  • Enterprise-wide risk assessments
  • Cultural diagnostics
  • Leadership accountability reviews
  • Board-level engagement

Waiting for the next incident is not caution. It is abdication.

Lesson 7: Culture Is Set by What Leadership Tolerates

Michigan’s long-standing deference to athletic success and legacy culture created an environment where misconduct was rationalized rather than confronted. This is not unique to sports. It appears in sales-driven organizations, founder-led companies, and high-growth environments. Culture is not what leadership says. It is what leadership allows. From the Board of Regents to the UM President on down, compliance professionals must evaluate actions, not rhetoric, when assessing culture risk.

Lesson 8: Human Impact Is the Ultimate Compliance Metric

It is easy, especially for lawyers and compliance officers, to focus on policy breaches and enforcement exposure. The Moore crisis is a reminder that compliance failures produce human harm. Families are destabilized. Employees feel unsafe. Stakeholders lose trust. Effective compliance programs exist not only to prevent fines but also to prevent damage. When that purpose is forgotten, compliance becomes performative.

Final Thought: Compliance Is Tested at the Top

The Sherrone Moore crisis did not originate with a junior employee. It originated at the top of a powerful institution. That is where compliance programs are always tested. For compliance professionals, the final lesson is this: if your program cannot stop, slow, or surface misconduct by your most powerful leaders, it will eventually fail when it matters most.

The University of Michigan now faces years of rebuilding trust, governance, and credibility. Compliance professionals elsewhere should treat this case as a warning, not a curiosity. The cost of ignoring these lessons is never hypothetical. It is only deferred. This takeaway is stark but actionable. Compliance failures are rarely a surprise. They are choices made over time. The question for every compliance professional is whether those choices will be challenged early or explained later.

As always, prevention is less visible than a crisis. It is also far less costly.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking—Austin Meek and Sam Jane writing in The Athletic.

Fire Everybody—Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Blog

Michigan Man, Part 3 – When Compliance Is Overruled: Institutional Failure at the University of Michigan

In Part 3, I examined Sherrone Moore’s individual compliance and ethics violations. That analysis was necessary, but it is not sufficient. No serious compliance professional believes that repeated misconduct by senior leaders occurs in a vacuum. Individual failure almost always reflects institutional weakness.

The University of Michigan did not cause Sherrone Moore’s behavior. But the university, and specifically its athletic department, bears responsibility for the systems, decisions, and omissions that allowed risk to accumulate unchecked. This is where the story becomes most relevant to corporate compliance professionals, because it illustrates how even sophisticated institutions can fail when compliance is subordinated to performance, loyalty, or brand protection.

The First Failure: Allowing Athletics to Override Compliance

The most fundamental breakdown at Michigan is structural. Over multiple years, the athletic department functioned as a semi-autonomous power center, capable of managing crises internally while insulating leadership from meaningful accountability.

This dynamic is visible in how the university handled the Connor Stalions sign-stealing scandal. Despite significant NCAA exposure, the program’s response emphasized competitive harm rather than integrity. Moore’s deletion of text messages and subsequent explanations resulted in suspensions, but not in disqualification from advancement. The compliance function did not appear to have veto power over promotion decisions, even when integrity concerns were documented. For compliance professionals, this is a familiar and dangerous pattern. When business units, or in this case, athletics, are allowed to treat compliance as advisory rather than authoritative, the message is clear: results matter more than rules.

The Second Failure: Deference to Legacy and Power

Michigan Athletics operates under a powerful legacy culture. As multiple commentators have noted, the program has long wrapped itself in mythology around the “Michigan Man,” a tradition that stretches back through Bo Schembechler and is reinforced under Jim Harbaugh. That culture prizes loyalty, continuity, and internal succession.

Sherrone Moore was the embodiment of that narrative. He was Harbaugh’s lieutenant, publicly emotional, and deeply embraced by fans and players. That status created what compliance professionals recognize as halo risk. Decision-makers become reluctant to ask hard questions of leaders who symbolize institutional identity.

This deference matters. When leaders are treated as extensions of the institution itself, compliance red flags are reframed as nuisances rather than warnings. That cultural bias undermines independent oversight and discourages escalation.

The Third Failure: A Flawed Internal Investigation Process

The university did commission an outside law firm, Jenner & Block, to investigate the alleged inappropriate relationship between Moore and a staffer. On paper, that decision reflects best practice. In execution, however, significant weaknesses are evident. According to reporting, the investigation initially stalled because both Moore and the staffer denied the relationship, and investigators lacked corroborating evidence. At that point, the inquiry has paused rather than intensifying scrutiny or implementing interim risk controls.

This is a classic compliance failure. When allegations involve senior leadership and power imbalances, the absence of evidence should prompt heightened diligence, not closure. Effective investigations recognize that fear, loyalty, or dependency may suppress disclosure. Failing to account for those dynamics is not neutrality. It is naïveté.

The Fourth Failure: Continued Reliance on False Statements

Perhaps the most troubling institutional failure is the university’s repeated reliance on Moore’s representations, despite a documented history of dishonesty during investigations. Moore had already deleted records and provided questionable explanations in the NCAA matter. That history should have triggered enhanced skepticism. Instead, the institution accepted his denials at face value until external corroboration forced action. Compliance professionals know that credibility is cumulative. Once an individual has compromised their credibility, future statements must be independently verified.

By failing to apply that standard, Michigan allowed risk to persist until it exploded into a crisis involving law enforcement.

The Fifth Failure: Inadequate Background and Risk Due Diligence

Moore’s elevation to head coach in 2024 represents a textbook failure of due diligence in risk-based promotion. Promotion decisions, especially into roles of extraordinary authority, must include a holistic review of ethics, compliance history, and behavioral risk.

Moore’s record at the time of promotion included:

  • NCAA violations tied to record deletion;
  • Active involvement in a major compliance scandal; and
  • Prior suspensions that were not yet fully served.

Any one of these is enough to disqualify him from coaching at a major university. Taken together, they should have triggered a serious debate in both the UM Athletic Department and the university as a whole about tone at the top and reputational risk.

In the corporate world, promoting an executive with unresolved compliance issues into a CEO role would be viewed as reckless. Michigan did precisely that, likely prioritizing continuity and optics over risk management.

The Sixth Failure: Crisis Management Without Safeguards

One of the most alarming details reported is that Moore was terminated alone, reportedly without HR representation or security present, despite prior knowledge that he was experiencing mental health distress. From a compliance and HR standpoint, this is indefensible. Terminations involving senior leaders, allegations of misconduct, and emotional instability require structured protocols. These protocols exist to protect all parties, including the organization.

The fact that Moore was later taken into custody following an alleged incident underscores how poor crisis execution can escalate harm rather than contain it.

The Seventh Failure: A Pattern Ignored

The Moore matter does not stand alone. As ESPN and Slate documented, Michigan athletics has faced multiple scandals in recent years, including federal indictments of staff, repeated NCAA violations, and internal HR complaints across sports.

Compliance professionals recognize this as a pattern risk. When misconduct appears across functions and time, the issue is no longer individual actors. It is governance. The university’s decision to launch a broad inquiry into the athletic department acknowledges this reality. However, recognition after the fact does not mitigate prior harm.

Compliance Takeaways

For compliance professionals, the Michigan Man case offers sobering lessons about institutional vulnerability:

  • Compliance functions must have authority, not just access
  • Legacy culture can blind organizations to risk
  • Investigations involving power imbalance require heightened rigor
  • Prior dishonesty must permanently alter credibility assessments
  • Promotion decisions are compliance decisions
  • Crisis response must be governed by protocol, not expediency

Most importantly, organizations must resist the temptation to treat success as a substitute for integrity. Winning programs, like high-performing business units, often receive the least scrutiny and pose the greatest risk.

I hope you will join me for my concluding Part 4, where I will translate these posts into concrete lessons for compliance professionals across industries. These lessons are not abstract. They are operational, structural, and urgent.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking—Austin Meek and Sam Jane writing in The Athletic.

Fire Everybody—Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Blog

The Michigan Man, Part 1 – From Winning Program to Institutional Crisis

There are moments when an organization confronts a crisis so severe that it overwhelms every narrative it once controlled. The University of Michigan now finds itself in precisely that moment. What began as a continuation of compliance issues stemming from the sign-stealing scandal has rapidly escalated into something far more serious, far more painful, and far more destabilizing. This is no longer a story about NCAA rules or institutional embarrassment. It is a story about human failure, organizational breakdown, and the real-world consequences of ignoring warning signs.

As compliance professionals, our instinct is to move quickly to frameworks, root causes, and lessons learned. That work will come later in this series. But first, it is essential to set out the facts as they are currently known and to acknowledge the human cost embedded in every paragraph of this story. This story is far beyond compliance and ethics, but it is a true human tragedy. But it will also show how such a human tragedy could have been prevented if the basic tenets of organizational compliance and ethics had been followed.

All resources cited in this four-part series are listed at the end of this blog post. Finally, this writing is personal, as I am a UM graduate.

The Rise of Sherrone Moore

Sherrone Moore’s ascent within the University of Michigan football program appeared, at least on the surface, to be a model of internal succession. Moore joined Jim Harbaugh’s staff in 2018 and rose steadily through the ranks, ultimately serving as offensive coordinator during Michigan’s 2023 national championship season. When Harbaugh departed for the NFL, Moore was promoted to head coach, a decision widely praised as ensuring continuity and stability.

Moore was not simply a coach. He was a symbol. His emotional post-game interview after a victory over Penn State, while Harbaugh was suspended, became an iconic moment for Michigan fans. He embodied loyalty, perseverance, and what many referred to as the “Michigan Man” ethos. ESPN

Yet even at the time of his promotion, Moore’s record was not unblemished. He had already been implicated in the Connor Stalions sign-stealing investigation and had received NCAA suspensions for deleting text messages during that inquiry. Those issues were treated by the university and much of the fan base as technical compliance matters rather than as indicators of deeper governance or integrity risks. Slate

That framing now appears deeply flawed.

The Inappropriate Relationship Investigation

According to reporting by The AthleticESPNSlate, and The Wall Street Journal, the University of Michigan received an anonymous tip earlier in 2025 alleging an inappropriate relationship between Moore and a female football staffer. The university retained Jenner & Block, an outside counsel, to conduct an investigation. Initially, both Moore and the staffer denied any relationship, and investigators reported that insufficient evidence existed to substantiate the claim.

That changed dramatically in December 2025. Prosecutors allege that the staffer disclosed corroborating evidence confirming a multi-year intimate relationship after she ended it earlier that week. At that point, the university determined that Moore had violated institutional policy and terminated him for cause, avoiding a reported $14 million buyout. The Athletic

This was not merely an employment decision. It was the spark that ignited a cascading crisis.

The Criminal Charges

Within hours of his dismissal, Moore’s personal situation escalated into a criminal matter. Prosecutors allege that Moore went to the staffer’s residence without permission, entered through an unlocked door, and engaged in a confrontation during which he picked up scissors and butter knives and threatened to harm himself. According to court statements, Moore allegedly made repeated statements such as “I am going to kill myself” and “My blood is on your hands. The Athletic

Moore was subsequently charged with felony third-degree home invasion and misdemeanor charges of stalking and breaking. He was taken into custody, evaluated at a hospital, and later released on bond with GPS monitoring and a requirement that he continue mental health treatment. A probable cause hearing is scheduled for January 2026.

At this point, it bears stating plainly: these are allegations, and Moore has pleaded not guilty. The legal process will determine criminal responsibility. However, from an organizational perspective, the damage has already been done.

The Expanding Institutional Investigation

What began as an inquiry into Moore’s conduct has now broadened into a comprehensive review of the University of Michigan athletic department. University leadership has confirmed that Jenner & Block’s mandate has expanded to examine how the athletic department handled the Moore matter and other recent scandals, including the sign-stealing investigation and prior misconduct by football staffers. ESPN

Interim President Domenico Grasso has publicly called for anyone with relevant information to come forward, emphasizing that “all of the facts here must be known.” Athletic Director Warde Manuel remains in his position for now, but multiple reports note that his leadership and oversight are under intense scrutiny.

This expansion matters. It signals that the university itself recognizes that Moore’s actions cannot be isolated from the environment in which they occurred.

Beyond Compliance: The Human Tragedy

It would be a profound mistake to reduce this story to a checklist of policy violations.

At the center of this crisis are people whose lives have been irreversibly altered. Moore is a married father of three whose career has collapsed in public view. His family faces humiliation, uncertainty, and emotional trauma that will not disappear with headlines. Prosecutors describe the staffer at the center of the allegations as someone who felt terrorized and unsafe, a position no employee should ever occupy. University of Michigan players have lost their head coach midseason, forcing them to process personal loyalty, public scandal, and institutional chaos simultaneously. There is also the culture of an entire university athletic department, which not only allowed such behavior but also tolerated and even celebrated it by promoting Moore to Head Coach.

The broader Michigan community, alumni, students, and fans are also stakeholders in this tragedy. For an institution that has long traded on its image of integrity and moral leadership, the reputational damage cuts deeply. Being a ‘Michigan Man’ was meant to stand for something—something positive, that you did things in the right way, and you personally held yourself to a higher standard. As The Wall Street Journal observed, this is no longer a college football story. It is “agony in Ann Arbor. I certainly echo that feeling personally.

A Pattern, Not an Anomaly

The most troubling aspect of the facts as currently known is how familiar they feel. The Moore scandal follows a series of incidents involving Michigan athletics over recent years, including the Stalions’ sign-stealing operation, multiple staff arrests, internal HR complaints, and even a federal indictment of a former assistant coach for accessing student-athletes’ private data. WSJ

The issue may not be any single actor but rather an entrenched culture that has historically insulated powerful figures from accountability. Slate: When organizations repeatedly frame misconduct as isolated events, they fail to confront systemic risk.

Why This Matters for Compliance Professionals

For compliance professionals, this case is already instructive even before we reach lessons learned. It demonstrates how compliance failures often emerge not as sudden collapses but as accumulations of ignored signals. It shows how reputational capital built over decades can evaporate in a matter of days. Most importantly, it reminds us that behind every policy failure are human beings who bear the consequences.

While there will be others who say ‘I told you so’ or want to bring the vaunted Michigan Man down a peg or two, the lessons from this scandal and human tragedy are no less important for your team, your school, and your university.

In the next installment of this series, I will turn directly to Sherrone Moore’s individual compliance and ethics violations, including his conduct during the sign-stealing investigation and his alleged misrepresentations to investigators. That analysis is necessary. But it should never obscure the reality that this story is about far more than rules. Compliance exists to protect people, institutions, and trust. When it fails, the cost is measured not only in fines or sanctions but also in lives disrupted and communities shaken.

Resources:

The Terrible Mess at Michigan Football, by Jason Gay, writing in the Wall Street Journal.

Ex-Michigan coach Sherrone Moore charged with home invasion, stalking, breaking—Austin Meek and Sam Jane writing in The Athletic.

Fire Everybody—Alex Kirshner, writing in Slate.

Source: Michigan begins a review of the athletic department, by Dan Wetzel and Pete Thamel, writing for ESPN.

Categories
Daily Compliance News

Daily Compliance News: December 12, 2025, The All New York Times Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day, we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Top stories include:

  • ABC protests topple the Bulgarian government. (NYT)
  • French tennis player suspended for 20 years over corruption. (NYT)
  • UM coach fired over affair with staffer. (NYT)
  • Trump puts the DOJ in a no-win position over Warner Bros.(NYT)

The Daily Compliance News has been honored as the No. 2 in Best Regulatory Compliance Podcasts category.

Categories
Blog

UM Cheating Scandal, Part 5: Compliance Lessons Learned

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1, we examined the background facts, the elaborate scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we discussed the deeper issue of culture, where the football program viewed compliance as an adversary. In Part 3, we analyzed the violations and penalties, focusing on the sanctions imposed on Michigan and its staff. Finally, in Part 4, we considered what happens when an enforcement agency is stripped of its ability to enforce by asking whether the NCAA itself has become a toothless enforcement agency after declining to vacate wins or strip Michigan of its 2023 national championship.

Together, these four posts tell a story that is both uniquely collegiate and universally corporate: a tale of rules violated, compliance sidelined, culture corrupted, penalties imposed, and a regulator under fire. For corporate compliance professionals, the lessons are clear.

The Background: What Happened at Michigan

At the heart of the Michigan case was Connor Stalions, a staffer who orchestrated an elaborate sign-stealing operation. Using a network of interns, acquaintances, and even student-athletes, Stalions purchased tickets, filmed opponents’ sidelines, and created a “Master Chart” of signals. Over the course of three seasons, there were 56 instances of impermissible in-person scouting across 52 games.

The violations went beyond scouting. Coaches and staff provided improper inducements, including meals, gear, and even attempts at social media “blue check” verification. Nearly 100 impermissible text messages were sent to a recruit before the allowable date.

Head coach Jim Harbaugh was charged with head coach responsibility violations, having failed to promote compliance or monitor his staff. To make matters worse, multiple individuals failed to cooperate once the investigation began; devices were destroyed, evidence was deleted, and investigators were misled.

This was Michigan’s second infractions case in as many years, making it a repeat violator.

The Cultural Breakdown

But the facts alone do not explain how this misconduct flourished. The real story was cultural.

Michigan football had a contentious relationship with compliance. Coaches dismissed the compliance staff as “roadblocks” and even “true scum of the earth.” The Chief Compliance Officer, a respected industry leader, testified that she was seen as “a thorn in [Harbaugh’s] side.”

This hostility created an environment of willful blindness. Staff admitted they “went out of their way not to know” what Stalions was doing, so long as results were delivered. Red flags raised by interns or opponents were ignored or brushed aside.

Compliance education was lacking, especially for interns, many of whom played key roles in the scheme but received no targeted training. The compliance office could not even get into the room unless it forced its way in.

Ultimately, the NCAA concluded that “Michigan failed to create a culture of compliance in the football program.” For compliance professionals, this is a cautionary tale: no matter how effective your compliance office is, culture will ultimately prevail if leadership undermines it.

The Penalties: What Was Possible, What Was Imposed

The violations — Level I for the most serious. They were for scouting, head coach responsibility, and failures to cooperate, and Level II for recruiting and monitoring, which carried potentially devastating penalties. As a repeat violator, Michigan could have faced multi-year postseason bans, scholarship reductions, and the vacating of wins.

Instead, the NCAA opted for a different approach:

  • For Michigan: Four more years of probation, multi-million-dollar fines, loss of postseason revenue, recruiting restrictions, and public posting of the infractions’ decision.
  • For Individuals: Career-altering show-cause orders and doling out 10 years for Harbaugh, 8 years for Stalions, 3 years for Robinson, and 2 years for Moore. Negotiated resolutions added show-cause penalties for Clinkscale and Minter.

But the NCAA declined to impose a postseason ban or vacate Michigan’s 2023 national championship. Instead, it substituted financial penalties, citing fairness to current athletes who were not involved in the violations.

The NCAA’s Credibility Crisis

This decision has sparked a broader debate: Is the NCAA now a toothless enforcement agency? By choosing not to vacate wins, not to impose a postseason ban, and not to strip the national championship, the NCAA sent a message: even the most serious Level I–Aggravated violations can be survived without meaningful on-field consequences.

The NCAA justified its choice by citing the need for fairness to current athletes. But the effect was to undercut deterrence. If Michigan can commit widespread violations, win a championship during the scheme, and keep both the wins and the trophy, what message does that send? For compliance professionals, this is equivalent to a regulator declining to debar a repeat corporate offender or refusing to impose a monitor after repeated bribery scandals have occurred. Enforcement without teeth creates cynicism, undermines culture, and emboldens violators.

Five Lessons for Corporate Compliance Professionals

From the four perspectives we have explored — facts, culture, penalties, and the regulator’s credibility — come five key lessons for corporate compliance officers.

1. Culture Will Always Trump Policy

Michigan had a compliance office, policies, and training. Yet the football program treated compliance as the enemy. Harbaugh’s tone at the top set a culture where results mattered more than rules. Compliance professionals must remember that culture is the real driver of behavior. Policies without culture are paper tigers.

2. Repeat Offenders Face Escalating Consequences

Michigan’s repeat violator status magnified its penalties. In the corporate world, companies with prior FCPA or sanctions violations are judged far more harshly when caught again. Building credibility requires not just resolving past cases but sustaining reform over time.

3. Individual Accountability is Here to Stay

The NCAA’s most severe sanctions fell on individuals, Harbaugh and Stalions in particular. This mirrors the DOJ’s emphasis on individual liability. Compliance officers must ensure executives understand that they will personally bear responsibility for compliance failures.

4. Cooperation is Non-Negotiable

The obstruction made this case far worse. Destroying evidence and refusing to cooperate turned a bad situation into a career-ending one for multiple individuals. In corporate enforcement, cooperation credit can significantly reduce penalties; obstruction can magnify them.

5. Regulators Must Enforce Meaningfully — or Risk Irrelevance

The most sobering lesson is about the NCAA itself. By declining to vacate wins or strip championships, the NCAA undermined its own credibility. For compliance officers, this underscores the importance of strong, consistent enforcement. If your regulator is weak, it makes your job harder because the business will treat compliance as optional.

The Broader Meaning

The Michigan case is about more than football. It is about how organizations treat compliance, how regulators enforce rules, and how culture drives outcomes. For compliance professionals, it offers a sobering parable. When leadership undermines compliance, culture tolerates misconduct, violations are repeated, and regulators fail to enforce penalties meaningfully, the result is inevitable: misconduct flourishes, penalties escalate, and credibility erodes.

The job of the compliance professional is to resist that cycle: to build cultures that embrace compliance, to insist on accountability, to promote cooperation, and to hold leadership accountable for setting the tone at the top. And when regulators fail to act, compliance officers must redouble their efforts internally because rules without enforcement may be just suggestions, but culture without compliance is a guaranteed recipe for disaster.

Categories
Blog

UM Cheating Scandal: The NCAA – What Happens When Enforcement Is Toothless?

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1 of this series, we examined the factual record of the University of Michigan football infractions case, including the impermissible scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we examined the culture that enabled these violations —a football program that viewed compliance as an enemy and leadership that turned a blind eye. In Part 3, we examined enforcement, or the lack thereof.

Today, when considering the penalties and the enforcement agency, the NCAA. When the dust settled, Michigan walked away without the kind of penalties most observers expected. No games were vacated. No national championship trophies were stripped. No postseason ban was imposed. Instead, Michigan received financial penalties, recruiting restrictions, and an additional four years of probation, in addition to its existing sanctions.

For many, the outcome raises an uncomfortable question: has the NCAA become a toothless enforcement agency? For compliance professionals in the corporate world, this is more than a sports story. It presents an opportunity to reflect on the broader role of enforcement bodies. What happens when regulators fail to enforce meaningfully? How does weak enforcement shape culture? And what can companies learn about their own compliance posture from the NCAA’s example?

The NCAA’s Enforcement Challenge

The NCAA has long touted its role as the guardian of fair play in college sports. Yet over the last decade, its enforcement credibility has eroded. From the Penn State scandal, where authority was challenged in court, to the University of North Carolina’s academic fraud case, where the NCAA claimed it lacked jurisdiction, the association has repeatedly faced criticism that its sanctions are inconsistent, politically influenced, or ineffective.

The Michigan case is the latest data point. Despite describing the scouting scheme as “one of one” in scope and seriousness, the Committee on Infractions declined to impose the stiffest penalties available:

  • No vacating of wins from the 2021–2023 seasons.
  • No forfeiture of the 2023 National Championship, which Michigan won while the scheme was ongoing.
  • No postseason ban, even though the guidelines make such bans mandatory in Level I–Aggravated cases without exemplary cooperation.

Instead, the NCAA substituted financial penalties, citing fairness to current student-athletes who were not involved in the allegations. While this rationale has merit, it leaves the impression that Michigan “got away with it” and that the NCAA is unwilling to enforce its own rules when high-profile programs are involved.

What Weak Enforcement Signals

For compliance officers, this is familiar territory. Regulators who talk tough but avoid meaningful enforcement send a dangerous signal. They tell organizations:

• The risk of being caught is survivable. If the worst that can happen is a fine or probation, misconduct can be rationalized as a business risk.

• The rules are negotiable. If guidelines call for certain penalties but regulators bend them for expedience, the rules lose their deterrent effect.

• Culture follows enforcement. If leaders see that regulators will not impose significant penalties, they are less likely to instill a culture of compliance.

The DOJ has been explicit on this point in its 2023 and 2024 guidance updates: enforcement must be consistent, transparent, and meaningful. Otherwise, companies see compliance as optional.

Parallels to Corporate Enforcement

Consider the parallels between the NCAA’s enforcement dilemma and corporate regulation:

  • Financial Institutions and Money Laundering: If a bank is repeatedly fined for AML violations but never loses its charter or key licenses, the cost of compliance failure becomes just another line item on the balance sheet.
  • FCPA Cases Without Monitors: When companies resolve foreign bribery matters with fines but no independent monitor, questions arise about whether compliance programs will really change.
  • Tech Sector Antitrust: When major technology firms pay record fines but retain their market dominance, critics argue that regulators are unwilling to disrupt the status quo.

The NCAA’s approach in the Michigan case echoes these patterns: big headlines, some financial pain, but no penalties that fundamentally change behavior.

Why the NCAA Chose This Path

The NCAA faced a difficult choice. Punishing current athletes for past staff misconduct raises questions of fairness. Vacating championships is largely symbolic; fans remember who won on the field. And the legal and political environment has shifted: with NIL, the transfer portal, and litigation like House v. NCAA, the NCAA’s authority is weaker than ever.

However, from an enforcement perspective, these explanations do not eliminate the central issue. When rules are broken at the highest level and the sanctions do not match the severity of the violations, the credibility of the regulator erodes.

Lessons for Compliance Professionals

What should compliance officers take away from the NCAA’s Michigan decision?

1. Enforcement Must Be Meaningful

If sanctions do not create real pain, misconduct will be rationalized as a cost of doing business. Compliance programs must be backed by meaningful consequences, whether in sports, banking, or healthcare.

2. Consistency Matters

Regulators that treat marquee institutions differently from smaller ones risk undermining the integrity of the system. In the corporate world, DOJ has emphasized consistency across industries. Selective enforcement creates cynicism.

3. Symbolic Sanctions Still Matter

Yes, vacating wins may be symbolic, but symbols shape culture. Stripping a national championship would have sent a message: no program is above the rules. In the corporate world, this is akin to requiring public admissions of wrongdoing, symbols that reinforce accountability.

4. Enforcement Without Teeth Undermines Compliance Officers

Michigan’s Chief Compliance Officer fought to enforce the rules but was rebuffed by the football staff. The NCAA’s weak enforcement now validates that resistance. Similarly, in corporations, when regulators fail to take action, compliance officers lose internal leverage.

5. The Importance of Independent Oversight

The NCAA is fundamentally a membership organization, as the member schools police themselves. This structural conflict mirrors corporate boards that allow management too much sway over investigations. Independence matters. Without it, enforcement credibility is always in doubt. Even worse is the clear implication that the NCAA is now entirely irrelevant for enforcement.

The Broader Question: Can the NCAA Still Govern

The Michigan case may be remembered less for the violations than for what it revealed about the NCAA’s limits. With the rise of NIL collectives, super conferences, and legal challenges, the NCAA’s role as enforcer is shrinking.

Some argue that conferences, such as the SEC and Big Ten, or even external regulators, such as Congress or state legislatures, may need to step into the breach. Others believe that the market itself, including fans, media, and sponsors, will impose reputational sanctions when the NCAA fails to do so.

For compliance officers, this debate is instructive. When a regulator loses credibility, industry participants look elsewhere for governance. The same could happen in corporate sectors if regulators falter: private monitors, investor activism, or even international bodies may step in to enforce standards.

The Cost of Toothless Enforcement

The NCAA’s decision in the Michigan case underscores a hard truth: rules without meaningful enforcement are not rules at all but merely suggestions.

For compliance professionals, this case should prompt reflection. What happens when your regulator is unwilling to enforce? What happens when penalties are softened to avoid controversy? And how do you, as a compliance officer, maintain credibility in a culture that sees enforcement as toothless?

The answers are sobering. Regulators must be consistent, meaningful, and unafraid to impose real consequences. Otherwise, they risk becoming like the NCAA: long on rules, short on enforcement, and increasingly irrelevant.

Categories
Blog

UM Cheating Scandal Part 3: Violations, Penalties, and Compliance Lessons

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1 of this series, we examined the factual record of the University of Michigan football infractions case, including the impermissible scouting scheme, recruiting inducements, and failures to cooperate. In Part 2, we examined the culture that enabled these violations —a football program that viewed compliance as an enemy and leadership that turned a blind eye. Today in Part 3, we turn to the enforcement phase. What violations did the NCAA find? What penalties did the rules call for? And most importantly, what lessons can compliance professionals take from the outcome?

The Violations

The NCAA catalogued a long list of violations. They fell into five main categories, each with parallels to corporate enforcement.

1. Impermissible Off-Campus Scouting (Level I)

    • Connor Stalions directed a network of interns, staff, and acquaintances to attend opponents’ games, film sidelines, and provide footage to Michigan coaches.
    • In all, there were 56 instances across 52 contests over three seasons.
    • This was deemed a Level I violation, the most serious category, as it undermined integrity and provided an unfair advantage.

2. Recruiting Inducements and Communications (Level II)

      • Staff provided meals, gear, and even attempted to secure Instagram “blue check” verification for recruits.
      • Nearly 100 impermissible text messages were exchanged with a prospect before the allowable contact date.
      • These were classified as Level II violations, significant breaches, but less than systemic corruption.

3. Head Coach Responsibility (Level I)

    • Jim Harbaugh was charged with failure to promote an atmosphere of compliance and monitor his staff.
    • After January 2023, under new rules, head coaches are automatically responsible for staff violations.

4. Failure to Cooperate (Level I and II)

    • Stalions destroyed his phone and hard drives, instructed others to delete evidence, and misled investigators.
    • Harbaugh refused to provide records or sit for interviews after leaving the University of Michigan.
    • Denard Robinson provided false information.
    • Sherrone Moore deleted text messages but ultimately cooperated; his failure was deemed Level II.

5. Failure to Monitor (Level II)

    • Michigan, as an institution, failed to monitor its football program, was unable to educate interns, and allowed a culture hostile to compliance to persist.

Possible Penalties

NCAA bylaws, much like DOJ sentencing guidelines, provide ranges of penalties depending on the level of violation and the presence of aggravating or mitigating factors.

For Level I–Aggravated cases (the category Michigan, Harbaugh, Stalions, and Robinson were placed in), possible penalties include:

  • Multi-year postseason bans.
  • Scholarship reductions or equivalent financial penalties.
  • Multi-year probation.
  • Show-cause orders for individuals (restricting employment opportunities).
  • Suspensions.
  • Financial fines, including forfeiture of postseason revenue.

For Level II cases, penalties typically include:

  • Probation.
  • Recruiting restrictions.
  • Shorter show-cause orders.
  • Limited suspensions.

Given Michigan’s status as a repeat violator, from its 2024 infractions case, the panel could have imposed harsher penalties, including a multi-year postseason ban.

The Actual Penalties

The Committee on Infractions ultimately issued a wide-ranging set of penalties but also made notable adjustments.

For the Institution

  • Probation: Four years, consecutive to the 2024 probation. Michigan is now under probation through 2031.
  • Financial Penalties:
    • $50,000 plus 10% of the football budget.
    • Forfeiture of postseason revenue sharing for the 2025–26 and 2026–27 seasons.
    • An additional fine equal to 10% of football scholarships (converted to a financial penalty rather than scholarship reductions).
  • Recruiting Restrictions:
    • 25% reduction in official visits.
    • 14 weeks of no recruiting communications during probation (three self-imposed, 11 added by the panel).
  • Public Censure: Posting of infractions decision on the athletic department’s website and disclosure to all recruits.

Notably, no postseason ban and no scholarship reductions were imposed—instead, financial penalties substituted for those traditional sanctions. The panel explained that banning postseason play would unfairly punish current athletes who were not involved in the misconduct.

For Individuals

  • Connor Stalions: 8-year show-cause order, 100% suspension of first season if employed.
  • Jim Harbaugh: 10-year show-cause order, 100% suspension if employed. This runs consecutively to his 4-year show-cause from the 2024 case, extending sanctions through 2038.
  • Denard Robinson: 3-year show-cause order, 100% suspension if employed.
  • Sherrone Moore: 2-year show-cause order, additional one-game suspension on top of Michigan’s self-imposed two-game suspension.
  • Jesse Minter (via negotiated resolution): One-year show-cause order.
  • Steve Clinkscale (via negotiated resolution): Two-year show-cause order plus 50% suspension of first season if employed.

Analyzing the Penalties

How should compliance professionals view the gap between possible and actual penalties?

1. Postseason Ban Avoided

    • The NCAA rules require a postseason ban in Level I — Aggravated cases, absent exemplary cooperation. Michigan, as a repeat violator, did not meet that standard.
    • Yet the panel deviated, imposing financial penalties instead. The rationale: punishing current student-athletes for past staff misconduct would be inequitable.
    • In corporate terms, this is akin to regulators substituting financial penalties for draconian sanctions that would harm innocent employees or shareholders. For example, instead of barring a company from government contracting (a “corporate death penalty”), DOJ sometimes imposes fines or monitorships.

2. Scholarship Reductions Replaced with Fines

    • Traditionally, scholarship cuts penalize future competitiveness. However, with the NCAA shifting to roster limits, the panel converted this to a financial penalty equivalent to 10% of the scholarships.
    • This reflects a broader compliance trend: sanctions are evolving to fit new realities. Just as regulators now focus on clawbacks, certifications, or ESG commitments, the NCAA tailored penalties to the modern college sports landscape.

3. Severe Individual Penalties

    • The most striking sanctions were against individuals: 8 years for Stalions, 10 years for Harbaugh.
    • These are career-altering penalties. They mirror corporate enforcement where executives are increasingly held personally liable, facing debarment, fines, or even prison.
    • Regulators have made clear: individuals cannot hide behind institutions. The NCAA sent the same message here.

4. Repeat Violator Consequences

    • Michigan’s repeat violator status magnified penalties. The institution argued that violations occurred before the prior case closed. The panel rejected this, emphasizing that timing games cannot avoid repeat status.
    • Corporate regulators apply the same principle. A company that resolves one FCPA case and then stumbles again will face far harsher sanctions, regardless of technical timing arguments.

5. Failure to Cooperate as a Penalty for Drivers

    • The panel noted that Stalions’ obstruction was “one of the more significant and serious failures the COI has seen.” Harbaugh’s refusal to cooperate also elevated his penalties.
    • For corporations, this is a reminder: obstruction is worse than the underlying violation. The DOJ has repeatedly stated that cooperation credit can substantially reduce penalties. Michigan shows the reverse, that obstruction inflates them.

Compliance Lessons

What does all this mean for compliance officers outside of college athletics? Several clear lessons emerge.

1. Culture Drives Outcomes

The penalties Michigan received were not just about violations; they were about culture. The NCAA emphasized how the football program treated compliance with disdain. Regulators in the corporate world do the same; they look beyond technical violations to ask whether the company fostered a culture of compliance.

2. Repeat Offenders Lose Credibility

Michigan’s back-to-back cases destroyed any claim of mitigation. Similarly, corporations with repeat offenses face escalating sanctions. Building credibility with regulators requires not only remediating violations but sustaining reform over time.

3. Individual Accountability is Here to Stay

The lengthy show-cause orders against Harbaugh and Stalions reveal a trend of targeting individuals. In corporate enforcement, the DOJ’s Yates Memo and subsequent policies have prioritized individual accountability. Compliance officers must ensure that executives understand they are personally accountable for their actions.

4. Cooperation Matters More Than Ever

The panel’s harshest language was reserved for those who failed to cooperate. In the private business world, DOJ guidance is clear: full cooperation, timely disclosure, and preservation of evidence are prerequisites for leniency. Michigan’s case proves the inverse: obstruct, and you will pay dearly.

5. Penalties Are Evolving

Just as the NCAA substituted fines for postseason bans, regulators are adapting penalties to modern realities. Companies must be prepared not only for fines but also for innovative sanctions, such as monitorships, clawbacks, mandated compliance certifications, or public disclosure requirements.

A Cautionary Tale

The University of Michigan football case is more than a sports scandal. It is a compliance parable. A program that treated compliance as an enemy, ignored red flags, and repeatedly committed violations ultimately faced some of the harshest individual penalties ever handed down in NCAA history.

For compliance professionals, the lessons are timeless. Culture matters more than policy. Repeat violations destroy credibility. Individuals are accountable. Cooperation is non-negotiable. And penalties evolve with the times.

As the DOJ, SEC, and other regulators continue to refine enforcement expectations, companies would do well to heed Michigan’s example. When compliance is marginalized, when leadership fails to set the tone, and when violations become patterns, the penalties—financial, reputational, and personal—will follow.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Unpacking the University of Michigan Football Scandal: Compliance and Consequences

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Seeking insightful perspectives on compliance? Look no further than Compliance into the Weeds! In this episode, Tom Fox and Matt Kelly discuss the recent University of Michigan football scandal.

They draw parallels to the infamous 2017 Houston Astros sign-stealing incident and examine the numerous compliance failures within Michigan’s football program. Highlighted issues include impermissible scouting, leadership failures by Jim Harbaugh, marginalization of the compliance function, and the NCAA’s ineffective enforcement. The conversation highlights crucial lessons for corporate compliance, emphasizing the importance of documentation, intern training, cooperation in investigations, and maintaining robust enforcement actions.

Key highlights:

  • Michigan Football Scandal Overview
  • Impermissible Scouting and Violations
  • Leadership Failures and Compliance Issues
  • NCAA’s Toothless Enforcement
  • Comparisons to Corporate Compliance
  • Lessons for Compliance Officers

Ed. Note: Tom Fox has written a 5-part blog post series on the UM Cheating Scandal. It will be posted each day this week. You can view the full series on his blog, the FCPA Compliance and Ethics Blog.

Resources :

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

A multi-award-winning podcast, Compliance into the Weeds was most recently honored as one of the Top 25 Regulatory Compliance Podcasts, a Top 10 Business Law Podcast, and a Top 12 Risk Management Podcast.

Categories
Blog

UM Cheating Scandal Part 2: A Culture at War With Compliance

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

In Part 1 of this series, we looked at the factual background of the University of Michigan football program’s NCAA infractions case: the impermissible scouting scheme, recruiting inducements, failures to cooperate, and the repeat violator status that ultimately sealed the program’s fate. But if the facts explain what happened, they do not explain why it happened. So today, in Part 2, we consider the lack of a culture of compliance inside Michigan football.

The “why” lies in culture. And here, the NCAA’s decision is crystal clear: Michigan’s football program did not have a culture of compliance. The compliance office existed, it was well-resourced, and a respected Chief Compliance Officer staffed it. Yet the football program treated compliance as a nuisance, an adversary, even an enemy. For compliance professionals, this is where the story gets interesting. Because in sports, as in business, culture eats policy for breakfast.

The Adversarial Relationship with Compliance

The NCAA decision describes a “contentious relationship” between Michigan football and the university’s compliance office. Staff members regularly dismissed or mocked compliance staff. One recruiting staffer went so far as to describe them in a text message as “true scum of the earth.” Others referred to compliance as “roadblocks” or even “shitty at their jobs.” Indeed, UM’s Chief Compliance Officer herself acknowledged that she was “perceived as a thorn in [Harbaugh’s] side.” Even the athletic director noted the “tension” he observed between the two offices.

For any corporate compliance officer, this picture may sound all too familiar. You have a respected compliance function, staffed by experienced professionals, but the business unit sees them as the enemy. Compliance is viewed not as a partner but as an obstacle. When that perception takes hold, it is only a matter of time before rules are ignored, controls are bypassed, and misconduct proliferates.

Willful Blindness and “Not Wanting to Know”

The culture in Michigan football was not simply adversarial; it was deliberately blind. Regarding Connor Stalions’ elaborate signal-stealing scheme, multiple staffers admitted that “no one really cared how you got it done as long as you got it done.” A student-athlete noted that the staff “went out of their way not to know” what Stalions was up to.

Even when red flags were raised, they were dismissed. One intern reported that Stalions asked him to rent a car under false pretenses. When he brought this up to an Assistant Coach, including concerns about “signal stealing,” he was told the coach “did not want to hear any more about that.” Another coach, confronted by an opponent who accused Michigan of improper sign stealing, relayed the concern internally, only to be met with a shrug and denial.

This is the corporate equivalent of sales teams ignoring whistleblowers who raise concerns about improper payments, or executives waving away red flags because they don’t want to know. It is the textbook definition of willful blindness, a concept the DOJ and SEC regularly cite in enforcement actions.

Excluding Compliance from the Room

The Chief Compliance Officer testified that she and her team were rarely, if ever, invited into football operations by the football staff. Instead, they had to push their way in: “I can’t think of a time when we scheduled a meeting at football’s request. It was pretty much always us saying, hey, we’ve got to get in there, we’ve got to do some education”.

Obviously, this matters, even if only for optics. Compliance cannot be effective if it is excluded from the business. When compliance officers are locked out of meetings, ignored in decision-making, or treated as outsiders, they cannot monitor risks or detect misconduct. In corporate settings, we often see this when compliance is not given a seat at the table in M&A due diligence, sales strategy, or third-party onboarding. The result is predictable: compliance is left to clean up violations after the fact, rather than preventing them in real time.

Interns, Education, and the Forgotten Workforce

One of the most revealing details in the NCAA’s decision involves the interns. Stalions used interns heavily in his scouting scheme. They were instructed to attend games, film sidelines, and even help analyze signals. Some were unsure whether their actions were permissible. The Chief Compliance Officer admitted that Michigan had no targeted compliance education for interns. Here, you can recall HP and its FCPA enforcement action, where a contract employee was unsure how to raise compliance concerns. Interns came and went frequently, making them difficult to track. Compliance training was focused on full-time staff, not on lower-level interns.

Sound familiar? In corporate compliance, we often see companies that train executives but neglect contractors, temporary workers, or third-party agents. Yet these “lower-level” actors usually pose the greatest risks, precisely because they are less trained, less supervised, and more vulnerable to pressure.

The lesson here is straightforward: compliance education cannot stop with senior leaders. It must cascade down to every level of the organization, including temporary staff, contractors, and anyone acting on behalf of the enterprise.

Harbaugh’s Leadership and the Tone at the Top

At the center of all of this was head coach Jim Harbaugh. The NCAA made it clear: “Harbaugh did not embrace responsibility. He and his program had a contentious relationship with compliance, leading coaches and staff members to act, at times, with disregard for the rules”.

This is the compliance officer’s nightmare. When the leader of the organization treats compliance as an adversary, that tone cascades down. Staff pick up on it. Interns internalize it. Even student-athletes understood the message: compliance was not to be welcomed.

Tone at the top is more than a catchphrase; it is the single greatest driver of compliance culture. Regulators from the DOJ to the FCA in the UK emphasize it again and again. Harbaugh’s indifference or worse, hostility, set a tone that made noncompliance not just possible but inevitable.

The Cost of Compliance as “The Enemy”

The Michigan case is a powerful example of the dangers of treating compliance as the enemy. When business units (or in this case, football staff) see compliance as an obstacle, several consequences follow:

  1. Red flags are ignored — because staff fear raising them or believe no one cares.
  2. Compliance staff are marginalized, making it harder to educate or monitor.
  3. Misconduct festers in the shadows — as employees learn that leadership values results over rules.
  4. Investigations are obstructed — because a culture that disrespects compliance has no incentive to cooperate with regulators.

For corporations, the consequences are clear: higher penalties, damaged reputations, and, in some cases, existential crises.

Corporate Parallels: Uber, Wells Fargo, and Beyond

Michigan football’s cultural breakdown is hardly unique. We’ve seen the same dynamic play out in corporate scandals:

  • At Uber, a “growth at any cost” culture led to systemic misconduct and regulatory run-ins.
  • At Wells Fargo, sales culture so dominated compliance that millions of fake accounts were created, even as compliance officers raised alarms.
  • At Odebrecht, a construction giant, compliance existed on paper but was ignored in practice, allowing a global bribery scheme to flourish.

In each case, the lesson was the same: when culture treats compliance as an obstacle, violations become not just likely but inevitable.

The Compliance Officer’s Dilemma

One striking aspect of the NCAA decision is how much it sympathized with Michigan’s Chief Compliance Officer. The panel noted that she was “a well-respected leader in the industry” and that she “did everything she could to promote compliance.” Yet her efforts “were not welcomed. Instead, they were rebuked, dismissed, and disregarded”.

This raises an important question for compliance professionals: what happens when the business refuses to engage? What happens when leadership is openly hostile to compliance?

The DOJ has been clear on this point. It is not enough to have compliance programs that look good on paper. Regulators will ask whether compliance has sufficient stature, resources, and access to management. If compliance is marginalized, companies cannot expect leniency.

Lessons for Corporate Compliance Officers

What should compliance professionals take from Michigan’s cultural breakdown?

  1. Measure culture, not just policies. Policies are necessary, but culture drives behavior. Tools like employee surveys, exit interviews, and hotline trends can help assess whether compliance is trusted or distrusted.
  2. Fight for access. Compliance must be in the room where business decisions are made. If your team is always chasing after the business, you are already behind.
  3. Train the forgotten workforce. Interns, contractors, and agents often do the risky work. Make sure they are trained, monitored, and held accountable.
  4. Escalate leadership failures. If tone at the top is toxic, escalate to the board. Regulators are increasingly holding boards accountable for failing to address cultural risks.
  5. Document resistance. If business leaders are hostile to compliance, document it. This may protect you later and show regulators that the compliance function was not complicit.

Culture Wins Every Time

The Michigan football infractions case demonstrates what happens when compliance is marginalized. The Chief Compliance Officer could not overcome a culture that treated compliance as an enemy. Harbaugh’s tone at the top, combined with willful blindness, ensured that misconduct flourished.

For corporate compliance officers, the lesson is sobering: no matter how good your compliance systems are, culture will win. If leadership sets the wrong tone, compliance will fail.

Join us tomorrow, as we continue this series with Part 3, where we will examine the penalties Michigan received, including fines, suspensions, and probation, and draw lessons on how repeat violations, obstruction, and cultural failure influence sanctioning decisions.

Categories
Blog

UM Cheating Scandal Part 1: The Background Facts Underlying the NCAA Violations

In August 2025, the NCAA released its long-awaited Report on infractions committed by and for the University of Michigan football program. For compliance professionals, this case should be viewed not merely as a college sports story but as a case study in organizational misconduct, leadership failure, and cultural breakdown. Just as an FCPA enforcement action lays bare how companies slip into non-compliance, this NCAA decision reveals how one of the country’s premier football programs allowed systemic misconduct to flourish.

This week, in a five-part series, I will explore the case in detail. Today, in Part 1, we will review the background facts: what happened, who was involved, and how the NCAA investigation unfolded. In Part 2, we will move beyond the facts to examine the lack of a culture of compliance inside Michigan football. In Part 3, we’ll discuss the violations, penalties, and key lessons for compliance professionals. In Part 4, we will explore the consequences when regulators, such as the NCAA, become ineffective. In Part 5, we will explore lessons learned for the corporate compliance professional.

The Scheme’s Architect: Connor Stalions

Every corruption case has its “architect,” and here that title belongs to Connor Stalions. A former U.S. Naval Academy graduate and Marine, Stalions became obsessed with signal decoding, the football equivalent of corporate espionage. What began as a volunteer role with Michigan evolved into a full-time staff position, with his primary job being not recruiting, as his title suggested, but intelligence gathering.

Between 2021 and 2023, Stalions organized an extensive off-campus, in-person scouting operation. Using a network of acquaintances, interns, and even players’ friends, he orchestrated the purchase of tickets to opponents’ games, positioned people in prime seats to film sidelines, and then used that footage to decipher signals.

The scale was stunning. Across three seasons, there were 56 instances of scouting across 52 contests involving 13 opponents. Stalions even disguised himself on the sideline of a Central Michigan game in full coaching gear. He spent upwards of $35,000 on tickets in a single year, often buying burner phones and paying for travel for his “KGB” network of helpers.

He maintained elaborate records, including a “Master Chart” of games, a Google calendar of assignments, and “game day sheets” cataloging thousands of opponent signals. This was not a one-off corner-cutting; it was a fully designed intelligence apparatus.

For compliance officers, this resonates with what we see in corporate scandals: low-level staffers who are empowered and even celebrated for gaming the system, building shadow operations, and producing results that leadership quietly benefits until the scheme explodes into public view.

Beyond Scouting: Recruiting Inducements and Communications

The NCAA’s investigation did not stop at the scouting scheme. It also uncovered impermissible recruiting inducements and contacts. Assistant Coach Steve Clinkscale drove a recruit and his parents to dinner and paid for their meals, provided gear, and even tried to secure “blue check” Instagram verification for another recruit. Denard Robinson, a Michigan football legend turned staffer, also handed out bags of gear. Other inducements included charitable donations to the family of a recruit.

In another violation, Assistant Coaches Jesse Minter and Chris Partridge exchanged nearly 100 impermissible text messages with a prospect before the allowable date. The rules here are clear: no electronic communication until a prospect’s junior year. Yet the coaches went forward anyway, later excusing themselves as “confused about the player’s age”.

Again, this will sound familiar to compliance officers. How many corporate bribery cases involve “hospitality” that turns into improper meals or “business development” that is, in fact, disguised inducement? How many sales managers try to explain away improper payments by claiming they misunderstood the rules?

Leadership Failures: Jim Harbaugh’s Responsibility

The NCAA placed significant responsibility on then-Head Coach (and now San Diego Charger Head Coach) Jim Harbaugh. Under NCAA rules, the head coach is presumed responsible for creating a culture of compliance and monitoring staff. Harbaugh failed in both respects. The decision was blunt: “Harbaugh did not embrace that responsibility. Harbaugh and his program had a contentious relationship with Michigan’s compliance office, leading coaches and staff members to act, at times, with disregard for the rules”.

In practice, this meant Harbaugh either knew and ignored, or intentionally avoided knowing, what his staff was doing. As the record showed, staff referred to compliance as “true scum of the earth,” while Harbaugh awarded Stalions a game ball for his signal-stealing efforts. Whether or not he knew the full scope, the culture was one of indifference, if not hostility, to rules.

For corporate leaders, this is a textbook “tone at the top” failure. Regulators have made clear that leaders are responsible not only for their own conduct but for the culture they set. Harbaugh’s failure mirrors what the DOJ calls “failure to promote a culture of compliance.”

Failures to Cooperate and Obstruction

The misconduct did not stop when the NCAA came knocking. In fact, some of the most damning behavior occurred after the investigation began.

  • Connor Stalions destroyed his phone and hard drives, bragging they were at the bottom of a pond. He instructed interns to delete texts, and even urged a student-athlete to “lie your ass off” to investigators.
  • Jim Harbaugh refused to turn over phone records or sit for interviews once he left for the NFL.
  • Sherrone Moore, then an assistant, deleted 52 text messages with Stalions the day the news broke. He later admitted it was an “emotional reaction”.
  • Denard Robinson gave false or misleading answers about whether he handed out gear.

The NCAA viewed these failures to cooperate as Level I violations, some of the most serious possible. For compliance officers, the parallel is unmistakable. In corporate investigations, obstruction , destroying documents, deleting emails, misleading investigators,  is often what turns a bad case into a catastrophic one.

Repeat Violator Status

Perhaps the most damning aspect of this case was Michigan’s history. The 2025 case overlapped with a 2024 infractions decision, also involving the football program, where violations occurred during the COVID dead period. That case resulted in probation, recruiting restrictions, and suspensions. Now, less than a year later, Michigan was back before the Committee on Infractions. As a result, both the university and Harbaugh were deemed repeat violators (recidivists in the compliance world), triggering higher penalties.

For compliance professionals, this is the equivalent of a company that resolves an FCPA matter, pledges reform, and then shows up again within five years. Regulators view such behavior harshly. Once you’ve been given a chance to reform, repeated violations suggest systemic problems and leadership indifference.

The NCAA’s Case Summary

To summarize the background facts:

  • Impermissible scouting: 56 instances of in-person, off-campus scouting across three seasons.
  • Recruiting inducements: meals, gear, transportation, and social media favors for prospects.
  • Improper communications resulted in nearly 100 premature text messages.
  • Leadership failures: Harbaugh’s lack of responsibility and tone at the top.
  • Failures to cooperate: destruction of evidence, deletions, and false statements.
  • Repeat violator status: back-to-back major infractions cases within two years.

As with an SEC or DOJ enforcement action, the facts reveal a program where non-compliance was not incidental but systemic, and where leadership did little to prevent or even detect misconduct.

Why Compliance Professionals Should Care

At first glance, one might dismiss this as a sports story. But for compliance officers, this case is highly instructive. It demonstrates:

  • How schemes are often run by ambitious “low-level” staff but tolerated at higher levels.
  • How small inducements such as meals, gear, favors can constitute serious violations.
  • How leadership failures define culture.
  • How obstruction magnifies penalties.
  • How repeat violations eliminate credibility with regulators.

These are not just lessons for athletics; they are lessons for corporate compliance across industries. The University of Michigan football infractions case offers a rich factual record, but facts alone do not explain why violations occurred. For that, we must examine the culture.

In Part 2 of this series, I will explore how the Michigan football program created an environment where compliance was unwelcome, resisted, and actively undermined. As the NCAA decision made clear, the Chief Compliance Officer did everything she could — but the culture of football won the day. For compliance professionals, that is the heart of the story: the facts expose the violations, but the culture explains them.

Ed. Note: As most of my readers know, I am a UM Law graduate. Now we have UM winning a National Championship, the same year they were cheating in college football games. Did its cheating help win games? About as much as the Houston Astros’ trash can beating, sign-stealing did to help them win the AL Pennant back in 2017. I went to the University of Texas for my undergraduate degree, and now all I need for UT to become embroiled in a cheating scandal the first year they will win the National Championship since Vince Young and the win over USC in 2006, and I will have the trifecta of my teams cheating to win ‘the Big One’. (I am also a huge Dallas Cowboys fan, but there is no chance the Cowboys will ever win a championship as long as Jerry Jones runs the club, so no worries, Cowboy cheating and about moving to a Quad.)