10 Hot Topics
AI, Future of Compliance Profession, Enforcement Trends, TPRM
10.1 Crisis Management, Business Continuity, and Third Party Risk Mgmt (TPRM)
10.1.1 Objectives and Discussion Questions
Crisis management, business continuity, and third party risk management are related but distinct concepts, all concerned with managing risk in a corporation.
Discussion Questions:
1. Relate one of these concepts to a learning from your chosen scandal. How did the learnings in your scandal relate either to business continuity, crisis management, or TPRM?
2. How is TPRM related to business continuity?
3. If you were CEO of a grocery store, what are your "critical functions" if you are drafting a business continuity plan?
10.1.2. Crisis Management Plan vs Business Continuity Plan
10.1.3. Unpacking the Relationship Between Business Continuity Management and Crisis Management
10.1.4. What is TPRM and how does it fit with risk management? (video search)
10.1.5. 7 Sample Business Continuity Plan Examples to Learn From
10.1.6. COVID and Business Continuity Planning
10.1.7. Sample Plan w/ Policies
10.2 AI Governance
10.2.1 Objectives and Discussion Questions
AI will impact the profession of compliance. It will not only introduce new ways of working; it will also introduce a new risk area for the business that requires controls and governance.
The September 2024 DOJ Guidelines for an effective compliance program added this:
Management of Emerging Risks to Ensure Compliance with Applicable Law – Does the company have a process for identifying and managing emerging internal and external risks that could potentially impact the company’s ability to comply with the law, including risks related to the use of new technologies? How does the company assess the potential impact of new technologies, such as artificial intelligence (AI), on its ability to comply with criminal laws? Is management of risks related to use of AI and other new technologies integrated into broader enterprise risk management (ERM) strategies? What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and in its compliance program? How is the company curbing any potential negative or unintended consequences resulting from the use of technologies, both in its commercial business and in its compliance program? How is the company mitigating the potential for deliberate or reckless misuse of technologies, including by company insiders? To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are controls in place to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law and the company’s code of conduct? Do controls exist to ensure that the technology is used only for its intended purposes? What baseline of human decision-making is used to assess AI? How is accountability over use of AI monitored and enforced? How does the company train its employees on the use of emerging technologies such as AI?
These readings consider some of the risks AI may introduce and then turn to early attempts in the law and in industry to manage these risks.
Discussion Questions:
1. What is the argument against federal or state regulation of AI?
2. How might a seven-element compliance program best apply to the risk of AI?
3. Where do you think AI Governance should best "live" in a corporation?
10.2.2. Agentic Misalignment: How LLMs could be insider threats (Anthropic)
10.2.3. How Medicare Advantage plans use AI to cut off care for seniors
10.2.4. AI in Healthcare
10.2.5. AWS-Responsible-Use-of-AI-Guide-Final
10.2.6. NIST.AI.100-1
10.2.7 Hypo: What could go wrong?
In preparation for class, please read through the ChatGPT-generated hypo below and begin to consider how you would analyze the "learnings" and what you would tackle in what order:
Hypo: “The Aurora Governance Breakdown”
Background
NovaGen Solutions is a global pharmaceutical and medical device company undergoing an “AI-first transformation.” Its central system, Aurora, is a generative AI model licensed from an external vendor and fine-tuned using NovaGen’s proprietary clinical trial data, quality records, and limited patient information.
Aurora is now embedded in multiple operations, including R&D, quality documentation, and sales support. The Board’s Risk Committee receives high-level dashboards referencing “AI initiatives,” but has not reviewed any detailed governance plans, risk controls, or validation reports.
Triggering Events
1. R&D System Failure and Business Interruption
- Aurora generates a draft clinical trial protocol with dosage levels above FDA safety limits.
- The flawed protocol automatically overwrites a validated prior version in NovaGen’s trial-management system.
- The system lacks a manual override. IT cannot immediately reverse the changes.
- R&D loses two weeks of work until the previous protocol is reconstructed manually.
2. Vendor Data Misuse
- Internal audit discovers that the AI vendor used NovaGen’s training data to improve its general model, contrary to contract restrictions.
- NovaGen fears that terminating the contract will halt key R&D functions because Aurora has no backup system.
- Vendor lock-in and lack of contingency planning prevent immediate mitigation.
3. Off-Label Messaging Generated by AI
- A regional sales VP deploys an Aurora-based “physician outreach generator” without approval.
- Aurora produces emails implying off-label benefits of an oncology drug.
- Sales reps are concerned but cannot identify any internal channel for reporting AI misuse.
- Believing the internal hotline is not intended for AI issues, a rep submits a complaint directly to an external consumer watchdog organization.
4. Public Exposure and Rapid Escalation
- The watchdog posts a public report titled “NovaGen’s AI Is Generating Illegal Drug Claims.”
- A tech blogger amplifies the story, and it spreads rapidly.
- NovaGen’s stock drops 9%.
- The FDA requests information about Aurora’s role in clinical protocols and communications.
- Employees express fear that Aurora may be “controlling” systems and refuse to use it.
5. Board-Level Oversight Issues
- The Board is caught off guard by the crisis.
- The Risk Committee relied solely on high-level dashboards and did not request details about AI risks, data governance, or controls.
- The Board never reviewed an AI governance framework, validation process, or risk-appetite statement.
- Several Board members express concern that Aurora was “mission-critical” to regulated operations without adequate controls or monitoring.
Assignment
You are the Chief Integrity and Compliance Officer and are part of a cross-functional team brought in after the crisis breaks. Prepare:
- A root-cause assessment of NovaGen’s failures. Where are the gaps in risk management and controls in this scenario?
- A 90-day and 12-month remediation roadmap to stabilize and govern AI use across NovaGen.