Mike Scher to Donna Boehme: Show us Compliance 2.0

Donna Boehme is widely credited with transforming the compliance profession into what is now known as Compliance 2.0. For that ten-year pioneering struggle and for creating models for global compliance programs, the SCCE’s 10-year anniversary award for dedicated service went to her as the “Lion of Compliance.”

Donna is the founder of Compliance Strategists, a leading consulting firm based in the metropolitan New York area specializing exclusively in compliance, ethics, risk and governance practice. She was previously in private law practice with Fried, Frank, Harris, Shriver & Jacobson in New York. She holds a J.D. from New York University School of Law.

Donna’s first interview on the FCPA Blog is here.

*     *     *

Using your new infographic can you explain for FCPA Blog readers what is Compliance 2.0?

It’s fairly straightforward. The foundational element is true compliance subject matter expertise (SME), which is distinct and different from Legal. SME is demonstrated by a successful track record actually designing and managing an effective compliance program. The rest of the model involves positioning that SME in “architecture” with empowerment, independence, line of sight, seat at the table and resources to do the job well. You can see the architecture in the graphic.

We have created a resource hub that discusses each of these features. (Readers can see the details of the graphic on the resource hub.)

If a CO with SME is in a structure built to succeed, then the CO has the positioning to design and manage a robust, effective program. It will work to find and fix, or to prevent, misconduct and other major problems. The company can fix them before forced by third parties to do so. The new structure supports a culture of ethical leadership, transparency and accountability at all levels of the organization.

You picture C2.0 as a building and use words like “Architecture” and “Structured for Success”. Is Compliance 2.0 a new structure for the old business function of Compliance?

The idea is that compliance needs to be structured with independence (untethered from Legal), empowerment, line of sight, seat at the table and resources to achieve the mission. It is principles-based, since there can’t be a one-size-fits-all roadmap. Staying true to the “architecture” empowers the CCO and COs to have a clear mandate and mission they can accomplish.

In the infographic you put Compliance Officers’ Subject Matter Expertise (SME) at the top of the C2.0 building. Why are COs at the top?

Many of the Compliance 1.0 disasters in the headlines have highlighted the problems that happen when lawyers or other managers without true compliance SME try to “design and manage” compliance. No one with any sense would have triple heart bypass performed by a doctor who has never performed the operation. Why would a Board or C-Suite rely on an executive without compliance SME to design and run a program?

The profession has spent over two decades building expertise, knowledge, best practice and solutions. As I have told many CCOs: “You are the compliance SME here, so remember that no compliance SME comes into this company unless you bring it here!”

It is certainly worth noting that in both VW and GM, the big problems (emissions testing cheating scheme and deadly ignition switch defect) were known for years by insiders who tried to warn management, to no avail. Both of these companies could have benefitted from some true compliance SME.

For C2.0 to actually work, don’t businesses need to reorganize and restructure as well (such as COs reporting to the Board)?

From my experience with the old compliance 1.0, I’ve written: Choices about structure have consequences for success. A bad business structure produces bad results. Led by changes in the healthcare and big bank sectors, the principles of Compliance 2.0 are the New Normal. Surveys have shown that the momentum towards Compliance 2.0 is changing the way companies are structuring Compliance.

Can C2.0 stop scandals, like VW, that burn the house down?

Companies that correctly structure and manage compliance programs empower their COs to achieve their mission. They will be rewarded with programs that can detect and put out those fires BEFORE they burn the house down. The successes won’t be in the headlines. But look for more scandals at companies that don’t change. That’s what the past shows us.

How about changes outside of the compliance community? What about Boards, management, consultants, law firms, investors, prosecutors, media and public opinion?

Compliance 2.0 is all about busting the old myths of Compliance 1.0. The word is getting around. Boards, management, prosecutors and other gatekeepers are aware of the difference between the models. It’s evolving in the right direction. We have come a long way.

Fear of prosecution can’t stop “lawful but awful” conduct. There’s no prosecution for non-criminal, unethical business. But I believe C2.0 can and must stop it. What’s your view?

You raise a good point. When you think about it, every one of the great compliance scandals of our day can be attributed to the narrow, legalistic pursuit of compliance typified by Compliance 1.0. Without true COs with SME, management is in the dark on how the parts of the compliance program interact and support each other. Combined, they foster a culture of integrity, transparency and accountability at all levels.

How quickly we get there will depend on how soon and thoroughly all gatekeepers understand this dynamic and evolving profession. One of the biggest consumers of Compliance 2.0 should be the Board of Directors, who will understand it as a fundamental part of their oversight responsibilities. Two examples of companies that made the leap to Compliance 2.0 are VW and Walmart.

Compliance 2.0 was uncommon before it became the new normal. Why did you persist in making it your personal mission?

It’s been an epic journey. When I first returned to the States after my last CCO job, I had seen firsthand and heard so many “Maritza Munich” stories, that is, COs who lost their careers for doing their job well. It demonstrates Machiavelli’s warning: There is nothing more perilous than to lead in the introduction of a new order of things.

I was sick and tired of seeing Compliance Officers blamed for all the big scandals! But all the while, companies were structuring Compliance programs and functions to fail. I realized Compliance would never achieve success with the old legacy model.

So I gathered together the compliance professionals whom I regarded as the “brain trust” of the profession to discuss the problem. We called the group “Algonquin” after the hotel for our first meeting. For a decade, the resistance to criticizing the old model was intense. The Algonquin team and its growing supporters stepped up to every challenge.

After years of defining the problem and building our networks of influencers, Algonquin decided to reach for the next level, through a partnership I led with RAND, the famous nonprofit research-driven think tank. That partnership’s annual report and white papers on compliance (a symposia series) became a source of thought leadership for the profession and decision making globally.

Do you continue to see yourself as the ‘Lion of Compliance’? What’s next for your mission?

All of the “Lions” in my networks advocating for Compliance 2.0 (there are many) have their work cut out for them. We can never again allow uninformed “experts” to define our profession! We did that once, and the result — Compliance 1.0 — was an expensive and disastrous failure. A good mantra for the profession now is much like Ellaria’s line in Game of Thrones this season, “Weak men shall never rule Dorne again.”

The advocacy that is required now is to ward off the backlash from naysayers while making sure the next generation of Compliance 2.0 is successfully established and thoroughly develops its SME. That’s a great mission for all the Lions of Compliance pulling together in this inspiring, evolving profession.


Michael Scher is a senior editor of the FCPA Blog. He has over three decades of experience as a senior compliance officer and attorney for international transactions. He’ll be a speaker at the FCPA Blog NYC Conference 2016.


  1. Compliance 2.0 is an important step, but not enough to stay here. Industry (as our internal client) is already implementing 4.0. Internet of Things, Cloud, Augmented Reality and Artificial Intelligence will, in the near future (less than ten years), bring interesting new tasks for Compliance.

  2. No matter what Compliance is required to deliver to stay on top of the mandate, it cannot succeed if treated and structured as a mere subset of Legal. The task is formidable, and companies that are serious about compliance and culture won't just take the easy road to Compliance 1.0. GM and VW did that, and their scandals speak for themselves.
