Today begins a week of double themed blog-posts. First, I am back with an homage to Sherlock Holmes. The second theme will be innovation in the compliance department. I will take some recent concepts explored in the most recent issue of the MIT Sloan Management Review and apply them to innovation and development of your compliance function. I hope that you will both enjoy my dual themed week and find it helpful. Today, I consider digital strategies in compliance.

Holmes and Watson were introduced to the world in 1887, in the short story A Study in Scarlet, and I begin with that first novel as an inspiration and introduction today. In it we find the following exchange between Holmes and Dr. Watson:

Watson: When I hear you give your reasons, the thing always appears to me to be so ridiculously simple that I could easily do it myself, though at each successive instance of your reasoning I am baffled until you explain your process. And yet I believe that my eyes are as good as yours. 

Holmes: Quite so. You see, but you do not observe. The distinction is clear. For example, you have frequently seen the steps which lead up from the hall to this room.

This dialogue serves as a by-word for innovation in compliance: the information is always present, but it is not ‘observed’ by the frontline business folks, either because they do not know how to access or correlate it even though it is available to them, or because the corporate compliance program has not communicated it to them. Both of today’s solutions speak to these twin failings.

I want to consider the issue of how a Chief Compliance Officer (CCO) or compliance practitioner can develop a digital strategy to help increase the value proposition for a corporate compliance program. Today’s blog post is based upon the MIT Sloan Management Review article entitled “How to Develop a Great Digital Strategy” by Jeanne W. Ross, Ina M. Sebastian and Cynthia M. Beath.

Interestingly I discovered there are two general ways to consider a digital strategy. One is a Customer Engagement Strategy, recognizing that in the compliance realm, your customer is your internal employee. The second strategy is the Digitized Solutions Strategy. It is not simply operational excellence which drives your strategy, as the authors noted, “increasingly, operational excellence is the minimum requirement for doing business digitally, not the basis for a sustainable competitive advantage.” I found a CCO should consider both strategies as I believe they converge into one in the compliance function.

Customer Engagement Strategy

The bottom line of this strategy is to engender passion around doing business ethically and in compliance. Here you are trying to connect your compliance function to your employees’ experience. Of course, this is what the Department of Justice (DOJ) would call operationalizing your compliance program. The authors present several ways to do so, which I believe directly translate into the compliance experience. First, offer digital mechanisms to bolster your employees’ interaction with compliance. Second, apply data analytics to identify the most effective approach for employees to engage in doing business ethically and in compliance. This comes through the most effective forms of compliance function outreach, by putting tools in the hands of employees. Finally, leverage social media to develop communities and create circles of employees to support any compliance function initiative. Here you can think of the example of Louis Sapirman, CCO at Dun & Bradstreet (D&B), who regularly engages in internal company tweet-ups to publicize, engage and communicate about compliance.

Digitized Solutions Strategy

A Digitized Solutions Strategy deals more with marketing, yet this is another area in which the CCO or compliance practitioner must engage. This digital strategy seeks “to integrate diversified products and services into solutions, to enhance products and services with information and expertise that help solve customer problems, and to add value throughout the life cycle of products and services. Over time, digitized solutions can transform a company’s business model by shifting the basis of its revenue stream from transactional sales to sophisticated, value-laden offerings that produce recurring revenue.” This is very dense business-speak for what a compliance function does.

As a CCO you should have a clear digital strategy to develop an integrated portfolio of compliance offerings. Your employees need this clear strategy, so they can implement these compliance initiatives into their sales and marketing strategies. If you want to impact employees, you must give them the compliance tools to assess risks and manage them, all the while using the information to do business more efficiently and, at the end of the day, more profitably. This type of approach was laid out by Ernst & Young (E&Y) partner Vincent M. Walden, in a Fraud Magazine article, entitled “Profit & Loss-of-One”, where he detailed a digitized process he worked with General Electric (GE), through what he called “digital twins”.

The basic difference between the two strategies is that the Customer Engagement Strategy focuses on how a corporate compliance program can better engage with, communicate to and be a more fully engaged partner with the business unit. Through the Digitized Solutions Strategy, a corporate compliance function is working to put the tools in the hands of employees to more fully operationalize compliance in an organization. I see this as a seamless process.

Whichever strategy your organization might choose, there must be an operational backbone of compliance which would include such things as “access to a single authoritative source of information for key data about finances, customers and products; reliable end-to-end global supply chain processes; or back office shared services.” The authors caution that if your organization is too siloed, it will not be able to deliver “reliable operations and thus will not be able to compete digitally.” I would add this is more detrimental to an enterprise compliance initiative.

The authors conclude by stating that to succeed in the digital economy, “companies must offer a unique value proposition that is difficult for both established competitors and startups to replicate. Such a value proposition stems from a digital strategy that is focused on either a set of digitized, integrated offerings or a relationship that engages customers in ways that competitors can’t match. Without that, you might create a flurry of innovations, but you won’t deliver value-added applications of AI, biometrics, drones — or the next important digital technology.” For the compliance practitioner, this means you must have a robust set of written standards around your compliance function, including policies, procedures and internal controls, to lay this innovative technology upon.

Tomorrow I will consider how GE, with the assistance of Vince Walden and his Ernst & Young colleagues, was able to bring such a Digitized Solutions Strategy to its employee base and it is truly an innovation in compliance.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018

In this episode Matt Kelly and I take a deep dive into the issue of non-GAAP metrics and its implications. We were inspired by an article in this quarter’s MIT Sloan Management Review entitled, “The Pitfalls of Non-GAAP Metrics” by H. David Sherman and S. David Young. It is a fascinating review of this topic, which as the authors note, “Lurking within the financial statements and communications of public companies is a troubling trend. Alternative metrics, once used sparingly, have become increasingly ubiquitous and more detached from reality.”


How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation”, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.”

Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to an FCPA enforcement action which involved payment of a $25 million fine for the actions of its Chinese subsidiaries.

Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies – ultimately with an eye toward improving project results and innovation.”

There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation.

Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top-down leadership but from allowing a “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to make changes and provide enhanced compliance risk management, and not overly fear potential failure.

Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.”

The second prong ably demonstrates that a key to making improvisation work is good communication between the compliance function and the business unit. This is not a new concept, and communication runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information, so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are a good first step.

Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. They found “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.”

Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets.

Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.”

The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.   

Three Key Takeaways

  1. Whether deliberately or not, compliance must improvise.
  2. Improvisation may seem spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.
  3. Work to have the changes seen as a positive in your organization.


This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to

One thing every Chief Compliance Officer (CCO) will face is multiple stakeholders. The more compliance is operationalized the more sensitized this issue will become. Yet the centralized control that many business leaders have is usually not available to a CCO and this is certainly one aspect of the operationalization of compliance. This means one issue a CCO will face is “How to charge up the organization so that we’re maximizing the intellect of all our people?” That question was recently put to Bernard Tyson, the Chief Executive Officer (CEO) of Kaiser Permanente, by Paul Michelman. The resulting answer and much more became a part of the article published in the most recent issue of the MIT Sloan Management Review magazine in an article entitled “The Question Every Executive Should Ask”.

On executive leadership, Tyson called the challenge “multidimensional” by which he meant “Leaders are required to distill the complexities of all the forces, some of which are beyond their control, and then to guide the organization in making sense out of them and delivering on the value proposition, which requires executing on strategies within all this complexity.” His response is not to instruct but “to set the direction and performance expectations, and then to inspire and motivate people.”

Stay Focused on Your Values

Tyson said one of the best pieces of advice he ever received was to “Keep the main thing the main thing.” While for Kaiser Permanente, that mission is healthcare; for the CCO that mission is to do business ethically and in compliance through the prevention, detection and remediation of issues. Tyson said, “Everything we do is through the lens of that mission. The rest is subplot. Yes, there’s going to be a lot of turbulence. The broader conditions change continuously. We don’t control that. But one thing we do control is staying focused on the main thing.”

Interestingly Tyson incorporates the company’s values statement into the hiring process. He said, “That starts with recruitment. Wherever in the organization we are hiring, we need to ask if the employee’s personal mission in life aligns with the mission of the organization. My job is to maintain an environment conducive to attracting people who fit our culture. Making sure we are all clear on the mission is core to that.”

But it’s more than inspiration and motivation. Today’s employees are an integral part of success and can equally be a part of an ethical or compliance failure. Employees are members of the team who are not only doers but also thinkers. This means you should provide the tools to enable employees to come to the right decision, both in compliance training and compliance support. Yet this is the same message as operationalizing compliance. If you put the compliance system into the functional disciplines within an organization, the employees on the front lines should be able to come up with new and innovative ways of getting things done. By decentralizing both power and information you can benefit from the intellect of a wider variety of inputs from employees.

On Middle Managers

Tyson had some interesting thoughts around the role of middle managers. He believes they have one of the most difficult jobs in any organization, squeezed between being required to do the right thing culturally while still making their numbers. Middle managers have to deal with both dynamics. Moreover, people usually make it to middle management because they were technically proficient and “When the primary job of a manager was to make sure the workforce had what it needed and did what it needed, these technical skills usually transferred pretty well. Now management is evolving away from directing and toward coaching, facilitating, and creating the right environment for people to excel in their space. Middle managers are again caught between two forces. We are asking them to move away from exercising hierarchical authority and still expecting them to deliver results.”

Tyson believes the company has to work more with middle managers as they are the key to the organization’s success. This has led to different ways of training middle managers in the organization and to developing managers with different approaches. This translates into what a CCO should do in terms of overall compliance training for an organization. One of the techniques would be to bring business unit folks into compliance projects so that it expands the relationships of both the compliance function into the business and the business unit folks into compliance.

Freedom of Speech

Probably the most interesting thing which Tyson brought up is what might be termed a speak-up culture but he went far beyond this, calling it a “freedom of speech” culture. These are certainly words you do not hear very often in corporate America. Yet Tyson feels particularly passionate on this point noting, “I believe strongly that we live in a great country and that freedom of speech is, in part, what makes it great. We’re seeing it acted out every day right now in our country, and it’s a beautiful thing. The last thing I want is for individuals who exercise freedom of speech throughout the rest of their lives to feel any different about the freedom to speak inside the organization.”

This concept is about not only the right to tell the truth but also the responsibility to tell the truth. Tyson believes that when “people believe they will be respected for their views, they are more willing to contribute.” By doing so, the organization will benefit from the best thinking of its employees. Tyson puts his money where his mouth is on this issue. He related, “In senior management meetings, when one of my executives feels strongly about an issue and they want to take me on, sometimes they’ll ask, “Freedom of speech?” And I’ll say, “Yes.” And they’ll repeat, “Freedom of speech?” And I’ll say, “Absolutely.” And then they’ll come with it: “I think you’re dead wrong.” They don’t have to sugarcoat it. They just simply put the code out there: “Freedom of speech?””

Each one of the points discussed by Tyson has applicability for the CCO, both in terms of leadership and operationalization of your compliance program. The work which Tyson and Kaiser Permanente do to move decisions, literally around life or death, down to the functional level, and the use of middle management as a key component of a best practices compliance program, can be a clear way forward for the CCO to use as a guide. Further, the ‘Freedom of Speech’ concept should point towards greater employee participation through engagement. Finally, staying focused on your core values can help move the entire organization forward at one time, even during choppy seas.



© Thomas R. Fox, 2017

As you might suppose, I read quite a bit. One of the pleasures I receive each month is when the copy of the MIT Sloan Management Review arrives. I also find the articles highly topical, and they present ways to consider new compliance strategies and technologies, together with insights on leadership. The 2017 Summer edition arrived on Friday, so I am going to dedicate this week to considering an article from the issue, each day this week, as it relates to the Chief Compliance Officer (CCO), compliance practitioner, compliance profession or a corporate compliance practice. Today I consider an article by Renée Richardson Gosline, Jeffery Lee and Glenn Urban, entitled “The Power of Consumer Stories in Digital Marketing”.

As I often note, the customer for a CCO, compliance practitioner, or a corporate compliance practice is your employee. So why not use them to help you market the message of compliance? I can point to one current successful example of using the employee base and that is Louis Sapirman at Dun & Bradstreet, Inc. (D&B), who regularly connects with employees through in-company tweet-ups and other innovative techniques to tell stories around compliance identified using the internal hashtag #DoTheRightThing.

The authors consider a broader use and begin with the basic premise that “When consumers prepare to make purchase decisions, stories can deliver important information and shape the decision and the overall brand experience. With the advent of consumer-to-consumer social media platforms such as Facebook and Twitter, stories can be powerful tools for shaping cognitive processing, recall, brand image, and choice.” The authors found a statistically significant increase of product purchases, “when consumer-based storytelling was employed.” So why not use those same techniques around internal marketing of your compliance function and training on your compliance program?

From the research which led to the article, the authors found that customers responded to a story about a brand when certain factors were present. These included trust in the brand; that consumers saw themselves in the stories; and that there was a “self-connection” to the brand. Every corporate compliance program should have the employees’ trust, and they should feel connected to the notion of doing business ethically and in compliance. If not, the compliance function should fold up the tent and go home. The power of telling stories that resonate with the experiences of employees in the real world is also a well-known and used standard in compliance training. Here you can think of the RESIST training scenarios.

The authors proposed four steps which they advised a company to engage in to implement such a strategy. I found them quite useful for the CCO or compliance practitioner to think through when considering this approach. I have adapted the authors’ consumer approach for the compliance practitioner and their employee base.

1. Work with consumers to generate believable and compelling stories. The authors found that by examining “comments on Facebook, Twitter, YouTube, and other social media sites, you should be able to find leads to consumer stories about your brand that you can follow up on. It’s a little like curating an art show: You need to find the best examples and work with storytellers to deliver the right message.”

For the CCO or compliance professional, you should mine your data sources to find stories. Even if you are not as tech savvy as the compliance team at D&B, there should be a wealth of other compliance information and data available to you. You can consider hotline reports, remembering that not all hotline reports are of illegal, unethical or fraudulent conduct. It may only be the perception of unfairness or favoritism. Dispelling such faulty perceptions can go a long way towards directly improving employee morale. This can be a powerful story and useful when marketing your hotline.

2. Convert stories into high-quality presentations. A great example here is a video CenterPoint Energy released in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, that managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

3. Embed stories in your social media mix. The authors related, “Posting videos of customer stories on your brand website means they will be perceived as coauthored by the consumer and the brand. Use true consumer stories and present them through your branded social media channels to maximize impact.” Another way to consider this concept is that short videos are good videos. You can have a series of short videos communicating different aspects of your compliance program. It can range from short messages from your CEO, to videos of your CCO, to videos of employees. Employees always tune in when senior management speaks to them internally through a video. Employees want to hear from the President, and a message of commitment to the cultural values of doing business ethically and in compliance is always a message that will resonate with employees. Finally, employees want to hear stories from and about their co-workers who faced compliance challenges and #DoTheRightThing.

4. Integrate paid media strategies with voluntary sharing of stories on social media. Here the authors focus on the overlap and intersection of professional media strategies with “story-based consumer content generated for social media.” For the compliance practitioner, this translates into an opportunity around training. You can use traditional methods of compliance training, interspersed with videos and other social media uses of your employee base with real world examples of how compliance not only helped them do business ethically and in compliance but also how it made your organization more efficient together with being more profitable.

The authors conclude by noting, “Throughout history, storytelling has been an integral way to convey attitudes and values, and it will remain a key source of information and influence in the digital world. As new technologies such as virtual reality evolve and improve, brands can expect to continue to have new opportunities to use consumer storytelling in their communication strategy.” You should incorporate these concepts and employee-told stories into your compliance message as well.



© Thomas R. Fox, 2017