📢 EU CBAM is Now Fully Operational: What You Need to Know

On January 1, the EU’s Carbon Border Adjustment Mechanism (CBAM) came into full effect. Here are the key things sustainability, finance, and strategy teams should understand:

🔹 An overview
CBAM is the first fully operational border carbon pricing system designed to prevent carbon leakage, the shifting of emissions-intensive production outside the EU, while protecting EU firms subject to internal carbon costs.

🔹 What has changed?
Unlike prior pilots, the 2026 implementation bases costs on the actual emissions intensity of imports. The EU has “externalized” carbon pricing beyond its borders, which has implications for supply chains and global trade flows, especially for goods like steel, aluminum, cement, electricity, fertilizers, and certain chemicals.

🔹 What do companies need to do?
Importers and their non-EU suppliers will need to:
- Map supply chains and embedded emissions
- Coordinate with suppliers on verified emissions data
- Assess carbon cost exposure and potential downstream price impacts

📈 The big picture
CBAM goes beyond a compliance issue for firms and has real implications for supply chains and operating costs. Investors and businesses are beginning to factor carbon pricing and supply-chain decarbonization into their financial decisions.

We’ve been helping firms manage these shifts and respond strategically. Send me a message if you’d like to learn more.

Visual courtesy of Carbonwise

#CBAM #EURegulations #CarbonPricing #ClimatePolicy #SustainableTrade #ClimateRisk #SupplyChainEmissions #NetZero #ESG #ClimateFinance #Decarbonization
Strategic Compliance Management
“We are ISO 27001 certified, are we DORA compliant?”

Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there.

Let’s break it down:

1. Regulatory vs. Voluntary Framework
↳ ISO 27001 – A voluntary international standard for information security management.
↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus
↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

🔸 Incident Reporting
↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

🔸 Security Testing
↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

🔸 Third-Party Risk Management
↳ ISO 27001 – Covers supplier risk but with general security controls.
↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?
✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.

👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.

♻️ Repost to help someone.
🔔 Follow Amine El Gzouli for more.
Promising companies have died this way. You could join them if you’re not careful.

Here are 5 ways to avoid that:

1. Facility Compliance Should Be Default
Design your layout such that:
- Cleanliness is prioritized
- Contamination risk is minimized

2. Quality Management from Day 1
- It has to be robust
- It has to have strong documentation
- Audits and quality checks are frequent

3. Qualified Supplier Networks
- Be rigorous
- Ensure the quality of consumables
- Make sure all suppliers meet GMP

4. Stay Ahead of the Regulatory Curve
- Don’t be caught by surprise
- Company policies should reflect where the ball is going - not where it is right now

5. Data Integrity is King
- You need impeccable records
- Traceability should be second nature
- It’ll take a lot of stress out of regulatory inspections

So remember…
Company success depends on getting GMP right. Strong, innovative companies have crashed and burned because they ignored this. Learn from their mistakes. Succeed where they failed.

Any thoughts on this? Drop them in the comments.

#biotechnology #gmp #cellandgenetherapy #regulatory
In the last 24 months we identified 300+ new pieces of legislation related to climate change, and over 10% of them have elements assessing green claims. But what are the steps for a business to comply with the upcoming legislation in the EU?

To comply with the EU's greenwashing regulations and avoid misleading consumers, companies should take the following steps:

1. Review and audit all marketing materials and environmental claims: Businesses should conduct a thorough review of their marketing materials and environmental claims to ensure they align with the regulations. This may involve consulting with legal and sustainability experts to identify potential areas of concern.

2. Substantiate environmental claims: Companies must provide evidence to support their environmental claims, using credible and verifiable sources. This may include scientific studies, third-party certifications, or government data. Companies should be prepared to disclose this information if required by the regulations.

3. Rigorous carbon accounting: To prove one’s environmental impact, you will have to back it up with data. Companies must diverge from industry averages when calculating the footprint of a product or service. It is important to leverage primary activity data with already existing proof; for example, your scope 1 and 2 emissions can be easily tracked through energy invoices, bills and such. The golden share is still represented by scope 3 emissions, but it is important for companies to start backing up their claims with proof and data.

4. Implement standardised environmental labels: The EU Commission promotes using standardised environmental labels, such as the EU Ecolabel, to provide consumers with reliable information about a product's environmental performance. Companies should consider adopting these labels where applicable to demonstrate compliance with the regulations.

5. Train employees on greenwashing and regulations: Companies should provide training to their employees on greenwashing to ensure that all relevant personnel understand the implications of these regulations and can identify potential compliance issues.

6. Continuously monitor and update marketing materials: Businesses should regularly review and update their marketing materials and environmental claims to ensure ongoing compliance with regulations. This may involve keeping abreast of new developments in sustainability research, as well as changes to the regulatory environment.

To understand further how the EU greenwashing regulations will impact your business, have a read here: https://lnkd.in/egrfuk6h
To understand green-related terms, have a read here: https://lnkd.in/eznWaTZ5

#greenwashing #sustainability #co2 #eu #esg #compliance
🔐 DPDP Act Is Creating a New Compliance Economy in India

With TCS preparing to apply for a “Consent Manager” permit under India’s DPDP Act—and players like Jio Platforms already in the race—it’s clear that data privacy is evolving into a full-fledged platform opportunity, not just a legal requirement.

What’s emerging is a new compliance-as-a-service ecosystem, spanning:
▪️ Consent management platforms
▪️ Data discovery & enterprise data mapping
▪️ Privacy automation & audit trails
▪️ Breach notification & incident orchestration
▪️ Third-party risk & data sharing governance

Estimates suggest this could become a ₹10,000+ crore market over the next few years as enterprises operationalize privacy at scale.

The takeaway for companies is simple:
👉 DPDP compliance isn’t just a cost center.
👉 It’s an opportunity to build trust infrastructure and recurring revenue platforms.

Those who move early will help define how privacy is managed across India’s digital economy.

#DPDP #DataPrivacy #ConsentManagement #Compliance #Fintech #DataGovernance #DigitalTrust
When a product is refused or seized at the border, most people jump straight to asking, “What was wrong with the goods?”

But the better question is: what broke down in your process before that shipment even left the supplier’s facility?

Compliance is not only about “what's in the box” or what is printed on the label. It is also about who you are doing business with, how well you know them, who has had access to the box, and whether you can trust that the paperwork matches reality.

Sometimes, it is not the product that triggers a seizure. It is the involvement of a flagged party or a questionable transaction.

To reduce the chances of costly delays or seizures, companies need to focus on full compliance at every step. That includes having accurate labels, correct country of origin markings, valid certificates, knowing your supply chain, and making sure the product is not violating the rules of any federal agency.

Customs enforces more than just customs law. If your product violates FDA, EPA, DEA, CPSC, USDA, “ABCD” requirements, it is at risk. Many companies miss this entirely.

Want to see what this actually looks like in practice? I explain it all here: https://lnkd.in/ekAZPMkZ

#FDACompliance #CustomsSeizures #ImportLaw #ProductLabeling #CBP #RegulatoryStrategy
Climate Transition Planning 🌍

Climate transition planning is no longer a nice-to-have—it’s becoming a business necessity. With mounting regulatory requirements and investor expectations, companies must move beyond setting climate targets and demonstrate how they will achieve them through structured Climate Transition Plans (CTPs).

CTPs are increasingly embedded in global regulations. The UK, Switzerland, Australia, Hong Kong, and Japan have mandated transition plan disclosures, and other regions are moving in the same direction. In the US, the SEC climate disclosure rule, although currently on hold, also includes transition planning for companies that have one.

Many existing sustainability frameworks already incorporate CTP elements. The Task Force on Climate-related Financial Disclosures (TCFD) remains the foundational reference, influencing ISSB’s IFRS S2 standards, SEC climate disclosures, and country-specific regulations. The overlap between frameworks allows businesses to integrate CTPs into existing sustainability reports rather than treating them as standalone requirements. The UK’s Transition Plan Taskforce (TPT) and GFANZ provide structured guidance, while SBTi, CDP, and Climate Action 100+ offer tools to assess credibility and track progress.

Beyond compliance, transition planning is a strategic advantage. Investors and financial institutions are embedding transition risk assessments into decision-making, and companies with robust, science-based transition plans are better positioned to access capital and strengthen partnerships.

One of the biggest challenges remains financial planning. Only 5% of companies reporting to CDP in 2023 provided sufficient details on how they will fund their transition. Aligning sustainability strategies with CapEx, OpEx, and R&D budgets is essential to turn plans into real action.

Businesses that act now will be ahead of regulatory shifts and well-positioned to mitigate transition risks. A strong climate transition plan isn’t just about reducing emissions—it’s about ensuring long-term resilience and competitiveness in a rapidly changing landscape. With regulations evolving across Europe, North America, and Asia-Pacific, the question isn’t whether companies should have a CTP, but rather how well-prepared they are to disclose and implement it.

Source: @BSR

#sustainability #sustainable #business #esg #climatechange #CTP #risks
⚖️ Joining a Board? Read This Before You Say Yes.

A board seat boosts your profile - but it can also put your house, savings, and reputation on the line. The risk isn’t theory:
🔴 BHS - directors faced £133m in claims even after taking advice.
🔴 Carillion - directors endured years of regulatory pursuit before claims dropped.
🔴 In the US, France, Germany and Australia, enforcement is even tougher.

Here are 10 checks that Eireann and I think every smart director should make before joining:

1️⃣ Understand your duties
Companies Act duties are personal and non-delegable: care, skill, solvency, conflicts. Advice helps - but judgment stays with you.

2️⃣ Be financially literate
Directors must read and question financials. Courts apply an objective/subjective test: a finance director will be judged to a higher bar than, say, a CMO (Dorchester Finance v Stebbing).

3️⃣ Test governance and information flow
Are board packs timely and complete? Are conflicts disclosed and minuted? Do the articles and shareholder agreements support oversight? Late or inadequate packs are a red flag.

4️⃣ Check disputes and compliance
Ask about litigation, regulator inquiries, and whistleblowers. Verify compliance with FCA, CQC, Ofsted, HSE, ICO. Past issues often repeat.

5️⃣ Assess people and board dynamics
Liability is joint and several. Who are your co-directors? Any unexplained departures? A dysfunctional board magnifies exposure.

6️⃣ Health & Safety, environmental, ESG
HSE prosecutions are the most common director claims in the UK. Individuals can face criminal charges and even prison. Fines can hit millions.

7️⃣ Scrutinise indemnities and D&O
Do indemnities advance defence costs and survive resignation? Read the D&O yourself and have a broker walk you through it: limits, Side A cover, inquiry-stage protection, exclusions. Secure 6 years’ prepaid run-off.

8️⃣ Check wider insurance
Beyond D&O: PI, cyber, product liability, public liability, business interruption. Limits must fit the risk profile.

9️⃣ Probe tax, employment, pensions issues
HMRC can issue Personal Liability Notices for PAYE/VAT arrears. Tribunal and whistleblowing claims can name directors personally. Pension deficits trigger enforcement. IR35/TUPE errors are costly.

🔟 Consider the international dimension
If it’s a non-UK company, your duties follow local law. Germany (late insolvency filings), Australia (insolvent trading), and the US (derivative suits) all raise the stakes.

🚩 Red Flags
- Late/incomplete board packs
- Reluctance to share accounts or regulator correspondence
- Unexplained resignations
- Aggressive accounting or auditor churn
- Thin insurance or requests for personal guarantees
- Signs of trading while insolvent

👥 Executives vs NEDs
Duties are identical in law. Executives carry more operational exposure, but NEDs are not “light touch” - courts expect active challenge.

👉 DM me to join my next directors' duties bootcamp.
👇 DM Eireann Kenny of #Aon to talk D&O cover.
🇬🇧 Worth checking out the updated #RESIST framework designed by the UK government in order to embrace information threats more fully.

🔹 A pragmatic approach focused on perceptions and a full-blown model for any institution developing its own strategic communications methodology.

👉🏼 RESIST Counter‑Disinformation Toolkit: a structured framework for government communicators to identify, assess and respond to disinformation.
👉🏼 The toolkit frames disinformation as a risk not only to communications per se, but to policy outcomes, national security, international reputation, and democratic legitimacy.

🔹 It provides checklists, matrices (e.g. for prioritisation: does a message harm the ability to deliver services? does it affect vulnerable audiences? etc.) and guidance on measurement.

♻️ A 6️⃣-step approach:

1️⃣ Recognise: identify possible instances of mis/dis/malinformation, check the techniques (fabrication, disguised identity, rhetoric, symbolism etc.) (FIRST indicators).
2️⃣ Early Warning: monitor the information space for signals of emerging threats, vulnerabilities, target audiences, relevant narratives.
3️⃣ Situational Insight: turn monitoring data into actionable insights: what’s happening, who is vulnerable, what narratives are evolving, what the context is.
4️⃣ Impact Analysis: assess the potential damage: what are the objectives of the threat actor, the reach, the likelihood, how does it affect your priorities/responsibilities. Use structured analysis rather than just “gut feeling”.
5️⃣ Strategic Communication: decide whether and how to respond. Not all incidents merit a public response — some may self-correct. If you respond: ensure the truth is well told, choose appropriate channels/audiences, embed resilience building, engage partnerships.
6️⃣ Tracking Effectiveness: measure output vs outcome; track metrics (reach, behaviour change, attitude change) and learn from each response.

Underlying principles
🔹 A government communications function must support resilience: of institutions, public trust, policy delivery.
🔹 Communications is a proactive posture: pre-bunking and shaping narratives are as important as the reactive posture (debunking).
🔹 Partnership matters because information threats do not respect organisational boundaries: across government departments, with civil society, academia, media, international partners.
🔹 Focus on audiences & vulnerabilities: recognising that some audiences are more exposed (due to digital skills, language, socio-economic factors) and that those vulnerabilities shape how to tailor prevention/response.

How this could apply to other nations
🔹 A structured framework to impart discipline & consistency in detecting and responding to threats.
🔹 Helps build institutional capacity.
🔹 Supports the shift from reactive (respond when scandal/hit) to proactive risk management.
💸 Money laundering techniques 💸
➡️ Rosewood trade-based money laundering 🪵

🌳 The illegal rosewood trade is not just an environmental crime. It’s also a major enabler of money laundering and even terrorist financing. This multi-billion dollar industry thrives on corruption, tax evasion, and financial secrecy. Criminal networks exploit weak regulations to integrate illegal logging profits into the formal economy, using shell companies, offshore accounts, and TBML.

⚙️ How the scheme works:

1️⃣ Rosewood operators, often backed by criminal enterprises, illegally harvest protected timber. They evade forestry regulations and cut down vast amounts of rosewood, primarily in Africa and Southeast Asia.
2️⃣ To ensure smooth operations, they bribe regional government officials, paying fines to secure transport permits.
3️⃣ The harvested rosewood is then sold in bulk to Chinese importers, who often make cash purchases to avoid banking scrutiny. This cash is then funneled back into the criminal network.
4️⃣ The illicit proceeds from rosewood sales are then laundered through multiple channels:
➡️ Some of the money is sent to overseas bank accounts, where it is integrated into other businesses or used to fund additional illegal activities.
➡️ A portion is funneled into other industries, disguising the origins of the funds through legitimate business transactions.
➡️ Some funds flow to central government institutions under the guise of taxes, lending an air of legitimacy to the transactions while reinforcing corruption within official structures.
5️⃣ The central government, while collecting revenues from these activities, is also susceptible to corruption. Bribes and campaign contributions ensure that policies remain favorable to illicit logging operations.
6️⃣ Meanwhile, international organizations like the World Bank and U.N. provide aid to stop illegal logging. However, due to systemic corruption, portions of this aid are misappropriated or fail to make a significant impact.

⚠️ Red flags in rosewood trade-based money laundering can be:
📌 Large cash transactions in timber supply chains
📌 Use of shell companies to obscure ownership of logging businesses
📌 Discrepancies between declared and actual timber exports
📌 Payments to PEPs in high-risk countries
📌 Frequent fund transfers to offshore bank accounts linked to logging companies

🛡 Best practices to combat this scheme are:
➡️ Enhanced due diligence on high-risk sectors like timber and logging
➡️ Strengthening trade monitoring systems to detect invoice fraud
➡️ Increased transparency in beneficial ownership of logging companies
➡️ Cross-border cooperation to trace illicit financial flows linked to environmental crimes

Are you passionate about an AML-related topic? 🤔 Would you like to write about it and reach over 23k compliance professionals? 🔥 If so, just send me a message to work out the details! 🙂

#compliance #financialcrime #moneylaundering #aml