One of the most constant things about the compliance profession is its dynamism. Compliance programs are not static and the compliance profession is not static. Today’s cutting edge in compliance will be tomorrow’s best practice which will be next month’s standard expectation. While this drives those who focus on the law around compliance batty, properly understanding compliance as a business process makes this continuum clear. However, this means that any Chief Compliance Officer (CCO) or compliance practitioner must not only understand this uncertainty but embrace it to make their compliance programs respond to an ever changing legal and business environment. CCO leadership must be as dynamic as the corporate compliance programs they oversee.

Yesterday I wrote about the shift in corporate focus that brought Starbucks a huge reputational black eye, when a store manager had two African-Americans waiting in store for a colleague arrested for trespassing. Obviously the current economic and political realities for any American business can literally turn on a dime (or even a tweet). I was therefore interested in a recent article in the MIT Sloan Management Review, entitled “The Five Steps All Leaders Must Take in the Age of Uncertainty”, by Martin Reeves, Simon Levin, Johann D. Harnoss, and Daichi Ueda. The authors’ thesis is that “business leaders need a new mental model to better understand the complex interplay between companies, economies and societies.” I can only add this requirement is even more true for the CCO and compliance practitioner to move towards this theory.

The issue is that companies are all parts of much broader “business ecosystems — that are embedded in local and national economies, which in turn are interwoven with societies.” Changes made at one level, for example, the sourcing practices of US retailers, can directly influence higher-level systems, so “the economic value and social status of manufacturing skills” in a way totally unforeseen. The authors believe their system will assist business leaders to understand, adjust to and shape these feedback dynamics. Put another way, it is more fully operationalizing compliance which makes companies run more efficiently and provides a competitive business advantage.

Leaders in compliance need to master the art of fully operationalizing compliance systems, rather than just operating them, which means not merely extending their current game to learn and understand a new set of priorities and capabilities. The authors set out five steps to effectively shape the extended system in which they participate, which I have adapted for the compliance practitioner.

  1. Observe and understand the broader system. Compliance professionals must situate an operationalized compliance program in the context of a wider system that includes consumers, ecosystem partners, media institutions, and policymakers. This means understanding the key players and their interests and mapping out the important relationships and risks between them. Often, opportunities for and risks to the business become visible only by considering the broader system beyond traditional industry boundaries in a more comprehensive risk management program.
  2. Master the art of intervening in the system. Compliance leaders need to learn how to intervene effectively in a complex adaptive system. A common managerial mistake is to limit oneself to direct leverage points. Instead, seemingly softer indirect points can often provide more leverage in complex systems. By finding an indirect but more powerful leverage point a CCO can move compliance forward in a manner that more fully integrates the controls of compliance into the business. Using soft skills is one of the key ways a CCO or compliance practitioner exudes influence and this skill is a must.
  3. Orchestrate collaboration in the system. This point directly relates to the CCO or compliance professional as the orchestra conductor. Not only must the compliance leader work in a manner which requires striking a balance between the often-conflicting needs of companies and the broader system that they constitute but such a person “must foster mutualism and trust among the companies.” This goes beyond simply “modeling the right behaviors by creating value for the overall system but also actively surfacing and resolving tension within the system.” A compliance professional should help all stakeholders to “improve and sharpen their value proposition, whereas unsurfaced tension increases the risk of deeper disruptions down the road.”
  4. Foresee and manage systemwide risks. The authors note that with “the increasing interconnectedness and interdependence of companies, many corporate risks present themselves to the entire system rather than to individual companies. To manage systemwide risks, leaders must be able to detect potential threats to the system’s health and have the courage to preemptively change practices to avert them.” This requires an active “antennae that sense changing political, social, and technological signals; articulate the risks these developments bring; and also act as disruptors to prod other stakeholders in the system to adopt new behaviors, even when the direct benefits to their own companies are not clear or immediate.” Here you can think of the Volkswagen (VW) emissions scandal and its negative impact on not only the German automobile industry but also the German national brand of quality and excellence.
  5. Lead with a new mindset. This is one of the biggest changes CCOs and compliance practitioners must embrace. Most of us are lawyers and these types of skills are sorely missing from law school curricula. Compliance professionals simply cannot rely only on formal authority or a chain of command when working on their system. As Jenny O’Brien and Roy Snell continually remind us, they are purveyors of persuasion. Moreover, they must leverage informal ways of exercising leadership that can transcend organizational boundaries and certainly beyond the hidebound legal dichotomy of us v. them. The authors note, “these actions transform leadership from a position of authority into an activity that can create broader influence. This transformation requires, at its root, a mindset shift from thinking in reductionist models” of performance toward more holistic models of system performance. Compliance professionals who not only embrace this new paradigm but also work towards managing this shift are bound to create an advantage for their company as well as their wider ecosystem.

What compliance leaders must do is have a broader business and social ecosystems vision. The authors call it “nested complex adaptive systems: multilevel, interconnected, dynamic systems hosting local interactions that can give rise to unpredictable global effects and vice versa. Acknowledging the unpredictability, nonlinearity, and circularity of cause-and-effect relationships within these systems is a notable departure from the simpler, linear models that underpin traditional mechanistic management thinking.” Finally, do not fear change but embrace it. Businesses change every day and while a CCO does not have to do so, if you stand still you will surely lose ground.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018

Today begins a week of double themed blog-posts. First, I am back with an homage to Sherlock Holmes. The second theme will be innovation in the compliance department. I will take some recent concepts explored in the most recent issue of the MIT Sloan Management Review and apply them to innovation and development of your compliance function. I hope that you will both enjoy my dual themed week and find it helpful. Today, I consider digital strategies in compliance.

Holmes and Watson were introduced to the world in 1887, in the short story A Study in Scarlet, and I begin with that first novel as an inspiration and introduction today. In it we find the following exchange between Holmes and Dr. Watson:

Watson: When I hear you give your reasons, the thing always appears to me to be so ridiculously simple that I could easily do it myself, though at each successive instance of your reasoning I am baffled until you explain your process. And yet I believe that my eyes are as good as yours. 

Holmes: Quite so. You see, but you do not observe. The distinction is clear. For example, you have frequently seen the steps which lead up from the hall to this room.

This dialogue serves as a by-word for innovation in compliance, which is that the information is always present, but it is not ‘observed’ by the frontline business folks either because even though it is available to them they do not know how to access or even correlate it, or a corporate compliance program has not communicated it to them. Both the solutions today speak to these twin failings.

I want to consider the issue of how a Chief Compliance Officer (CCO) or compliance practitioner can develop a digital strategy to help increase the value proposition for a corporate compliance program. Today’s blog post is based upon the MIT Sloan Management Review article entitled “How to Develop a Great Digital Strategy” by Jeanne W. Ross, Ina M. Sebastian and Cynthia M. Beath.

Interestingly I discovered there are two general ways to consider a digital strategy. One is a Customer Engagement Strategy, recognizing that in the compliance realm, your customer is your internal employee. The second strategy is the Digitized Solutions Strategy. It is not simply operational excellence which drives your strategy, as the authors noted, “increasingly, operational excellence is the minimum requirement for doing business digitally, not the basis for a sustainable competitive advantage.” I found a CCO should consider both strategies as I believe they converge into one in the compliance function.

Customer Engagement Strategy

The bottom line of this strategy is to engender passion around doing business ethically and in compliance. Here you are trying to connect your compliance function to your employees’ experience. Of course, this is what the Department of Justice (DOJ) would call operationalizing your compliance program. They present several ways to do so, which I believe directly translate into the compliance experience. First, offer digital mechanisms to bolster your employees’ interaction with compliance. Second, apply data analytics to identify the most effective approach for employees to engage in doing business ethically and in compliance. This is through the most effective forms of compliance function outreach by putting tools in the hands of employees. Finally, leverage social media to develop communities to create circles of employees to support any compliance function initiative. Here you can think of the example of Louis Sapirman, CCO at Dun & Bradstreet (D&B), who regularly engages in internal company tweet-ups to publicize, engage and communicate about compliance.

Digitized Solutions Strategy

A Digitized Solutions Strategy deals more with marketing, yet this is another area in which the CCO or compliance practitioner must engage. This digital strategy seeks “to integrate diversified products and services into solutions, to enhance products and services with information and expertise that help solve customer problems, and to add value throughout the life cycle of products and services. Over time, digitized solutions can transform a company’s business model by shifting the basis of its revenue stream from transactional sales to sophisticated, value-laden offerings that produce recurring revenue.” This is very dense business-speak for what a compliance function does.

As a CCO you should have a clear digital strategy to develop an integrated portfolio of compliance offerings. Your employees need this clear strategy, so they can implement these compliance initiatives into their sales and marketing strategies. If you want to impact employees, you must give them the compliance tools to assess risks and manage them, all the while using the information to do business more efficiently and, at the end of the day, more profitably. This type of approach was laid out by Ernst & Young (E&Y) partner Vincent M. Walden, in a Fraud Magazine article, entitled “Profit & Loss-of-One”, where he detailed a digitized process he worked with General Electric (GE), through what he called “digital twins”.

The basic difference between the two strategies is that the Customer Engagement Strategy focuses on how a corporate compliance program can better engage with, communicate to and be a more fully engaged partner with the business unit. Through the Digitized Solutions Strategy, a corporate compliance function is working to put the tools in the hands of employees to more fully operationalize compliance in an organization. I see this as a seamless process.

Whichever strategy your organization might choose, there must be an operational backbone of compliance which would include such things as “access to a single authoritative source of information for key data about finances, customers and products; reliable end-to-end global supply chain processes; or back office shared services.” The authors caution that if your organization is too siloed, it will not be able to deliver “reliable operations and thus will not be able to compete digitally.” I would add this is more detrimental to an enterprise compliance initiative.

The authors conclude by stating that to succeed in the digital economy, “companies must offer a unique value proposition that is difficult for both established competitors and startups to replicate. Such a value proposition stems from a digital strategy that is focused on either a set of digitized, integrated offerings or a relationship that engages customers in ways that competitors can’t match. Without that, you might create a flurry of innovations, but you won’t deliver value-added applications of AI, biometrics, drones — or the next important digital technology.” For the compliance practitioner, this means you must have a robust set of written standards around your compliance function, including policies, procedures and internal controls to lay this innovative technology upon.

Tomorrow I will consider how GE, with the assistance of Vince Walden and his Ernst & Young colleagues, was able to bring such a Digitized Solutions Strategy to its employee base and it is truly an innovation in compliance.



© Thomas R. Fox, 2018

In this episode Matt Kelly and I take a deep dive into the issue of non-GAAP metrics and its implications. We were inspired by an article in this quarter’s MIT Sloan Management Review entitled, “The Pitfalls of Non-GAAP Metrics” by H. David Sherman and S. David Young. It is a fascinating review of this topic, which as the authors note “Lurking within the financial statements and communications of public companies is a troubling trend. Alternative metrics, once used sparingly, have become increasingly ubiquitous and more detached from reality.”


How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation”, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that while it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.”

Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to an FCPA enforcement action which involved payment of a $25 million fine for the actions of its Chinese subsidiaries.

Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies – ultimately with an eye toward improving project results and innovation.”

There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation.

Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top down leadership but allowing “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to make changes and provide enhanced compliance risk management, and not overly fear potential failure.

Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.”

The second prong ably demonstrates that a key to making improvisation work is that you have good communication between the compliance function and business unit. This is not a new concept and communication runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are a good first step.

Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. The “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.”

Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets.

Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.”

The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.   

Three Key Takeaways

  1. Whether deliberately or not, compliance must improvise.
  2. Improvisation may seem spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.
  3. Work to have the changes seen as a positive in your organization.



One thing every Chief Compliance Officer (CCO) will face is multiple stakeholders. The more compliance is operationalized the more sensitized this issue will become. Yet the centralized control that many business leaders have is usually not available to a CCO and this is certainly one aspect of the operationalization of compliance. This means one issue a CCO will face is “How to charge up the organization so that we’re maximizing the intellect of all our people?” That question was recently put to Bernard Tyson, the Chief Executive Officer (CEO) of Kaiser Permanente, by Paul Michelman. The resulting answer and much more became a part of the article published in the most recent issue of the MIT Sloan Management Review magazine in an article entitled “The Question Every Executive Should Ask”.

On executive leadership, Tyson called the challenge “multidimensional” by which he meant “Leaders are required to distill the complexities of all the forces, some of which are beyond their control, and then to guide the organization in making sense out of them and delivering on the value proposition, which requires executing on strategies within all this complexity.” His response is not to instruct but “to set the direction and performance expectations, and then to inspire and motivate people.”

Stay Focused on Your Values

Tyson said one of the best pieces of advice he ever received was to “Keep the main thing the main thing.” While for Kaiser Permanente, that mission is healthcare; for the CCO that mission is to do business ethically and in compliance through the prevention, detection and remediation of issues. Tyson said, “Everything we do is through the lens of that mission. The rest is subplot. Yes, there’s going to be a lot of turbulence. The broader conditions change continuously. We don’t control that. But one thing we do control is staying focused on the main thing.”

Interestingly Tyson incorporates the company’s values statement into the hiring process. He said, “That starts with recruitment. Wherever in the organization we are hiring, we need to ask if the employee’s personal mission in life aligns with the mission of the organization. My job is to maintain an environment conducive to attracting people who fit our culture. Making sure we are all clear on the mission is core to that.”

But it’s more than inspiration and motivation. Today’s employees are an integral part of success and can equally be a part of an ethical or compliance failure. Employees are part of the team that not only are doers but also thinkers. This means you should provide the tools to enable employees to come to the right decision, both in compliance training and compliance support. Yet this is the same message as operationalizing compliance. If you put the compliance system into the functional disciplines within an organization, the employees on the front lines should be able to come up with new and innovative ways of getting things done. By decentralizing both power and information you can benefit from the intellect of a wider variety of inputs from employees.

On Middle Managers

Tyson had some interesting thoughts around the role of middle managers. He believes they have one of the most difficult jobs in any organization, squeezed between being required to do the right thing culturally yet while making their numbers. Middle managers have to deal with both dynamics. Moreover, people usually make it to middle management because they were technically proficient and “When the primary job of a manager was to make sure the workforce had what it needed and did what it needed, these technical skills usually transferred pretty well. Now management is evolving away from directing and toward coaching, facilitating, and creating the right environment for people to excel in their space. Middle managers are again caught between two forces. We are asking them to move away from exercising hierarchical authority and still expecting them to deliver results.”

Tyson believes the company has to work more with middle managers as they are the key to the organization’s success. This has led to different ways of training middle managers in the organization and to develop managers with different approaches. This translates into what a CCO should do in terms of overall compliance training for an organization. One of the techniques would be to bring business unit folks into compliance projects so that it expands the relationships of both the compliance function into the business and the business unit folks into compliance.

Freedom of Speech

Probably the most interesting thing which Tyson brought up is what might be termed a speak-up culture but he went far beyond this, calling it a “freedom of speech” culture. These are certainly words you do not hear very often in corporate America. Yet Tyson feels particularly passionate on this point noting, “I believe strongly that we live in a great country and that freedom of speech is, in part, what makes it great. We’re seeing it acted out every day right now in our country, and it’s a beautiful thing. The last thing I want is for individuals who exercise freedom of speech throughout the rest of their lives to feel any different about the freedom to speak inside the organization.”

This concept is about not only the right to tell the truth but also the responsibility to tell the truth. Tyson believes that when “people believe they will be respected for their views, they are more willing to contribute.” By doing so, the organization will benefit from the best thinking of its employees. Tyson puts his money where his mouth is on this issue. He related, “In senior management meetings, when one of my executives feels strongly about an issue and they want to take me on, sometimes they’ll ask, “Freedom of speech?” And I’ll say, “Yes.” And they’ll repeat, “Freedom of speech?” And I’ll say, “Absolutely.” And then they’ll come with it: “I think you’re dead wrong.” They don’t have to sugarcoat it. They just simply put the code out there: “Freedom of speech?””

Each one of the points discussed by Tyson has applicability for the CCO, both in terms of leadership and operationalization of your compliance program. The work which Tyson and Kaiser Permanente do to move decisions, literally around life or death, down to the functional level; the use of middle management as a key component of a best practices compliance program can be a clear way forward for the CCO to use as a guide. Further, the ‘Freedom of Speech’ concept should point towards greater employee participation through engagement. Finally, staying focused on your core values can help move the entire organization forward at one time, even during choppy seas.



© Thomas R. Fox, 2017