It’s a moment no business owner wants: a federal agent at the door, a subpoena in hand, or a call from in-house counsel announcing an internal audit that could reveal serious problems. Whether it’s the Department of Justice, the SEC, a state attorney general, or simply your own compliance team uncovering red flags, knowing what to do next is critical.

Discovering potential misconduct in your organization is never easy—but knowing what to do next can make all the difference. Whether you’re an executive, compliance officer, or legal counsel, a critical question follows: How—and to whom—should we report compliance violations?

The 2025 National Healthcare Fraud Takedown was a sweeping enforcement action resulting in charges against 324 defendants across across 50 federal districts and 12 State Attorneys General’s Offices, linked to over $14.6 billion in fraudulent billings to Federal healthcare programs. this takedown offers valuable lessons for compliance professionals tasked with protecting their organizations.

Whistleblower complaints can be uncomfortable. They often raise questions about leadership, culture, or internal controls—and can involve sensitive or high-stakes issues like fraud, harassment, discrimination, or regulatory violations. But how your company handles whistleblower complaints says a lot about its values—and has real legal and reputational consequences.

Internal investigations are one of the most powerful tools companies have to detect, address, and remediate potential misconduct. But they also come with legal risks—especially when it comes to protecting privileged communications.

One of the most powerful tools in a company’s compliance and risk management arsenal is the internal investigation. Handled well, an internal investigation can uncover the facts, preserve trust, mitigate liability, and help the organization move forward. Handled poorly—or delayed too long—it can create legal exposure, reputational damage, and regulatory scrutiny.

Regulators, customers, and business partners increasingly expect companies to show that they not only have a compliance program on paper, but that they have a culture of compliance—one where employees understand the rules and feel empowered to apply them in practice. Training is one of your best tools to build that culture. But to be effective, it must go beyond the basics.

The challenge for smaller businesses is: who owns compliance? You may not have the budget or headcount for a full-time Chief Compliance Officer. But regulators, customers, and partners still expect you to have a credible compliance program.

A strong compliance program is designed to protect your company from legal risk, financial penalties, and reputational harm. But even the best-intentioned organizations can develop compliance gaps—places where policies are ignored, controls are weak, or misconduct goes undetected. Here are some of the most common red flags that your company may have compliance gaps—and what you can do about them.

Compliance is more than just a legal buzzword—it’s a practical, essential part of running a modern business.