Compliance Perspectives

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Rodrigo Cunha on Digital Ethics [Podcast] | File Type: audio/mpeg | Duration: 15:53

By Adam Turteltaub Rodrigo Cunha is Global Director, Legal, Ethics Compliance and Data Protection for AB InBev. There he focuses on digital ethics. As he explains in this podcast, when it comes to data, traditional risk management, focused on making sure that what the company is doing is compliant, is only the first step an organization needs to take. They also need to incorporate risk management into the design of the program. In addition they have to focus on reputation and trust. Without a good reputation for protecting data and the trust that comes with it, a company will have an exceedingly difficult time doing business. Digital ethics, he believes, is a business enabler. Organizations need to look beyond the compliance requirements, especially now with requirements increasing and varying so much by jurisdiction. Instead, it is better to think about the expectations of the government, consumers and other stakeholders as a guide. At AB InBev that assessment led to the development of five principles that they stand for wherever they operate:
  • Collect only the data we need
  • Use the data only in a manner that we say we would
  • Protect the data we have
  • Keep only what we need
  • Be accountable
Further thought led to the development of a sixth principle: We use data how people expect we would. Putting these principles into practice involves a deep partnership with the business units. It includes effective training but also modifying the three lines of defense model to make sure the business unit is better able to meet the challenge. That includes the compliance team working closely with them to respond effectively whenever issues arise. Listen in to learn more about how to better embed data ethics into your organization, and hear what Rodrigo sees for the future, including a potentially dramatic shift in consumer behavior.

 Bret Hood on Why Leaders Fail [Podcast] | File Type: audio/mpeg | Duration: 11:53

By Adam Turteltaub Why is it that so often leaders in organizations fail? They seemingly had all the skills, accumulated all the experience, and then something went wrong, sometimes disastrously. It is not just the CEO; it can be leaders at other levels in the organization. Bret Hood (LinkedIn), Co-Founding Partner of 21st Century Learning & Consulting, provides some fascinating answers to that question in this podcast, in which he draws from, amongst other things, his 25 years in the FBI. He explains that as individuals move up the organizational ladder, feelings of empathy may start to deteriorate without the person realizing it. They may grow to become self-centered, taking credit for the success of others and distributing blame for failures, including their own. This can be coupled with what he calls “illusory superiority”: the belief that you are better than everyone else. Most of us suffer from that to a degree. A very disproportionate percentage of people feel that they are smarter than their peers or even a better driver than most. In an exercise he frequently does, rarely do more than 3%-5% believe that they are in the bottom half for leadership skills. Clearly, it’s not possible for 95% to be in the top half. Many leaders (and others as well) also suffer from what he refers to as “sunk cost bias.” A mistake is made, and instead of owning up to it there is a tendency to double down. A small fudge of the numbers in one quarter, when thinking “well, it’s a small one-time dip,” leads to greater fudging the next, and then on and on, rather than an honest accounting. The bottom line is that knowing your capabilities and performing an honest self-assessment is difficult. That’s why he recommends two approaches. First, think about what your gut says, and then ask: what if I made the opposite decision? What would be the consequences? This technique helps you see things from more than one perspective.
The second recommendation is to find people you respect who trust that it is safe for them to ask hard questions and offer opinions that contradict yours. Listen in to learn more about leadership, and also the concept of followership.

 Shemekia Alexander on Compliance Exit Interviews [Podcast] | File Type: audio/mpeg | Duration: 10:49

By Adam Turteltaub Exit interviews can be terrific sources of information for compliance teams, but how do you make the most of them? And do you need to be a part of all of them? That can be a very tough task in a large enterprise. Shemekia Alexander, Director, Corporate Responsibility Officer of Mercy Health, recommends focusing on live interviews with key individuals who are most likely to have insights into potential compliance issues. In her case, that includes compliance and legal personnel, the executive suite, revenue cycle staff and providers. To get people to feel comfortable talking, she reaches out in advance to introduce herself and make the person comfortable with the process. Typically, she sends an email saying who she is, the purpose of the meeting and that it will be confidential. She also recommends that the departing employee, if the conversation will be via Zoom or a phone call, get to a place where they do not have to worry about being overheard. During the interview she begins by explaining what she means by compliance, since some are confused about what exactly compliance encompasses. She then asks several standard questions, including:
  • Are you aware of any compliance concerns that should be addressed?
  • Have you raised any compliance-related issues previously that have not been addressed?
  • Have you seen any associates engage in conduct that may be illegal or unethical?
  • How would you describe the organization’s compliance culture?
  • Is there anything else you would like to discuss?
The last, very broad question can be particularly helpful, opening the door for conversation. As important as what the employee says can be how they are acting in the conversation. She advises paying attention to their behavior: are they hesitant, disgruntled, scared, aggressive? For those who are not interviewed face to face, there are questions in an optional survey that HR provides to departing employees. Any issues raised there are forwarded to compliance.
It’s all a part of a team approach, and cultivating the team’s support is essential for success. Listen in to learn more about how to turn an employee exit into a compliance opportunity.

 Shu Min Ho and Sam Johnson on Third Party ESG Risk [Podcast] | File Type: audio/mpeg | Duration: 16:21

By Adam Turteltaub Third-party risk is the risk that keeps expanding. Data security and anticorruption risk have long been the focus. Now, though, the risks are broadening to include issues such as where materials are sourced and the labor that produces them. Shu Min Ho, Partner in the Singapore office of the law firm Sidley, and Sam Johnson, Senior Managing Associate there, explain in this podcast that with the rapid adoption of ESG programs, the scope of risks is dramatically increasing, especially considering how much ESG encompasses. To be effective, compliance teams need to focus their ESG third-party risk efforts on those areas of the supply chain that are most likely to harm the business beyond the traditional legal framework. That means understanding your business and where the risks are. For example, in the technology hardware business that likely includes labor standards, worker protections and mineral sourcing. Increasingly it also means looking beyond your suppliers to their major suppliers as well. That effort requires tremendous cooperation from the business unit, procurement and, of course, the suppliers themselves. When looking at suppliers, take time to understand their business model to determine how they make money. Then watch out for signs that something may not be right. For example, if a product is suspiciously inexpensive, it may be the result of workers forced to labor long hours or of outsourcing to companies with limited or no safeguards in place. Be aware, too, that expectations are different. An environmental review in the past may have looked at how toxic waste is handled. Now, sustainability is likely much more of a consideration. Finally, be especially sensitive to human trafficking and modern slavery. They are ESG issues increasingly subject to regulatory expectations. In fact, a separate due diligence effort may be necessary in this area. Listen in to learn more about how ESG is calling for a second look at third-party due diligence.

 Bruno Drummond on Ethical Audits [Podcast] | File Type: audio/mpeg | Duration: 12:45

By Adam Turteltaub An ethical audit is one that evaluates compliance with laws and regulations but also assesses a vendor against ethical standards, explains Bruno Drummond, Senior Director, Global Compliance at DHL Supply Chain. These standards could come from an industry or other external organization or from your company’s own code of conduct. They likely would cover issues such as human rights, child labor, forced labor, discrimination, unfair and inhumane employment, working conditions and even your supply chain’s own supply chain. Why should you conduct one? Because these days regulators, enforcement and the public require it. For a company such as DHL, which is heavily committed to ESG, ethical audits are at the top of their list. It’s a part of the company’s commitment to clean operations, being a good place to work and being highly trusted. DHL was first exposed to ethical audits when a customer conducted one. Seeing the value in it, they adopted it themselves. The audits are conducted both remotely and at customer locations. The DHL code of conduct is the benchmark against which the audit is conducted. Included in the process are roundtables with employees, interviews with managers and an office walk-through. Because of the cost, Bruno recommends taking a risk-based approach and looking at a cross-section of your supply chain when conducting these audits. Listen in to learn more about the process and whether it’s time for your organization to embrace ethical audits.

 Chris Davenport on Getting the Helpline to Ring [Podcast] | File Type: audio/mpeg | Duration: 10:43

By Adam Turteltaub Nearly every compliance team would like the helpline to ring more, and Brooks Rehabilitation was no different, explains Compliance Operations Manager Christine Davenport (LinkedIn). To increase call volume they adopted a snappy slogan – “Better call compliance” – and put together a full marketing campaign to support it. The efforts paid off big, doubling the number of calls over four years. It wasn’t the slogan alone that helped. Central to their success was the combination of good internal marketing along with a serious behind-the-scenes effort to ensure that calls were acted on. The team captured data on which line of business the call came from, the type of issue and what response was provided. The data was kept on a shared drive to streamline the process and make it simple to spot a repeated question. This both saved work and decreased the time to respond. Common areas of employee concern included HIPAA and receiving gifts from patients. When responding to calls, the compliance team, wherever possible, included information about the underlying regulatory requirement. This helped provide employees with context and enabled them to better educate themselves. The compliance team also looked beyond the questions and treated the calls as a way to start a conversation and reassure employees that calling didn’t automatically get them or someone else in trouble. Listen in to learn more about their efforts and get some ideas about how to convince your workforce that it had better call compliance.

 Dan Kahn on the Recent Comments by Deputy Attorney General Lisa Monaco [Podcast] | File Type: audio/mpeg | Duration: 28:09

By Adam Turteltaub United States Deputy Attorney General (DAG) Lisa Monaco recently gave a speech in which she outlined both new policies at the Department of Justice (DOJ) as well as enhancements to existing ones that can have a profound effect on compliance and ethics programs. To better understand both what she said and what it all means, we sat down with DOJ veteran Daniel Kahn (LinkedIn), a partner in the Washington, DC office of Davis, Polk & Wardwell, for an in-depth and longer-than-usual podcast. He explains that while the emphasis on individual accountability is not new, there is a significant change. The Department expects that individual prosecutions will take place prior to or at the same time as corporate resolutions. Given the extra time it often takes to prosecute an individual, that will make it harder for organizations to reach a swift conclusion and move forward. There is also one other significant change in terms of how individuals are treated: the Department is now looking to see if the organization is clawing back compensation from employees who committed wrongdoing, at least in those jurisdictions where it is permitted. When it comes to leniency, the Department had previously stated that repeat offenders were not likely to receive a Non-Prosecution Agreement (NPA) or a Deferred Prosecution Agreement (DPA). The DAG’s latest comments reflected a more nuanced approach and reflect the idea that all incidents are not created equal, and that in a large organization it is possible for more than one violation to occur over time without it being a sign of dysfunctionality.
Other notable elements of her comments:
  • The Department expects that when an organization seeking cooperation credit comes across hot new evidence it will share it with Justice immediately
  • For the first time there will be policies on voluntary disclosures across all the various departments within Justice
  • There will be a presumption against a guilty plea if a company voluntarily self-discloses, cooperates and remediates
  • Non-Disparagement Agreement clauses will be looked at unfavorably if they interfere with whistleblowing
One other notable element of her talk, which was, perhaps, lost in most discussions about her comments, is the call for organizations to get a better handle on messaging by employees on their personal devices. Finally, Dan addresses what some perceive as a slowdown in corporate prosecutions over the last few years. He notes that during the Obama and Trump administrations there was an uptick in cases. Any slowdown over the last two years is likely the result of changes in leadership at the DOJ with a new Administration. The bottom line is that now is not the time to assume the DOJ is not active. Listen in to learn more about what you should take away from DAG Monaco’s comments.

 Laura Valdespino on Communicating & Compliance [Podcast] | File Type: audio/mpeg | Duration: 15:30

By Adam Turteltaub Good communication is a two-way street, with both sides sharing their perspectives. Yet, observes Laura Valdespino (LinkedIn), Chief Compliance Officer, Booking Holdings Financial Services USA, too often it is one way, with compliance doing the talking. In this podcast, and in her in-person and virtual session at the 2022 Compliance & Ethics Institute, Laura outlines practices for creating a good dialogue with the workforce. It starts, she explains, by committing to listening. Engage with them, she advises, and look to create opportunities for interaction through Q&A sessions or coffee and donuts. Once you are there with the workforce, be sure to listen with unbiased ears to what people say they want and need from compliance. Be sure to also customize your message to the audience. Salespeople, manufacturing, IT and all the other parts of your organization will have different needs and will be listening for different information. Take the time to understand what motivates them. It helps build trust. How you communicate is also important. Learn what frequency of communication works best for your workforce. Be sure to avoid lecturing, legalese and focusing on what they can’t do. Instead, keep the communication focused on the right way to achieve business goals and what we all need to do. Listen in to learn more, and be sure to attend her session at the live or virtual 2022 Compliance & Ethics Institute.

 Kathleen Grilli on 30 Years of the US Federal Sentencing Guidelines [Podcast] | File Type: audio/mpeg | Duration: 14:17

By Adam Turteltaub The Organizational Sentencing Guidelines have turned thirty, and what began as an experiment is now an established framework for compliance programs in the US and around the globe. To commemorate the milestone, the United States Sentencing Commission has published The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence, which takes a look at the impact of the guidelines and what we have learned about their effect on organizational behavior. In this podcast, the Commission’s General Counsel Kathleen Grilli identifies the three largest innovations of the Guidelines:
  • Incentivizing self-policing by organizations
  • Providing guidance on effective ethics and compliance programs
  • Holding organizations accountable based on specific culpability factors when they commit offenses
The approach has worked more successfully than had been imagined. As she notes, it has expanded beyond the criminal environment to encompass civil settlements with government agencies as well. In addition, the approach to compliance in the Guidelines has been embraced globally, with their outlines clearly visible in the laws of many nations. Within the US, she shares, a strong difference has emerged between organizations with and without compliance programs. The overwhelming majority of organizations convicted had no compliance program at all. In fact, only 11 out of approximately 5,000 organizations had a program that a court found to be effective. This points out that there is still room for improvement, particularly among smaller organizations that lack awareness of the need for and benefits of compliance programs. Listen in to learn more about the remarkable effectiveness of the Organizational Sentencing Guidelines.

 Marla Berkow on Behavioral Health and Restorative Justice [Podcast] | File Type: audio/mpeg | Duration: 11:25

By Adam Turteltaub Usually, a Compliance Perspectives podcast focuses on just one topic, but in this one Marla Berkow, Corporate Compliance Officer at Gateway Foundation, tackles two: behavioral health and restorative justice. In the first part of the conversation, we focus on the unique challenges of behavioral healthcare. They include maintaining both patient and organizational privacy. Physical and emotional safety of the staff is also important, along with a strong culture of reporting. With many patients a part of pre- or post-trial diversions, unique challenges are created, especially in the privacy arena. In the latter half of the conversation Marla focuses on a restorative justice approach, which, she explains, is designed to differentiate between an intentional and an inadvertent mistake, with discipline meted out appropriately. With that comes a focus on ensuring the problem is not repeated. Listen in to learn more about the challenges of behavioral health and the potential benefits of a restorative justice approach to compliance.

 Jan Elezian on Privacy Walk-Throughs [Podcast] | File Type: audio/mpeg | Duration: 7:22

By Adam Turteltaub Having all the privacy policies and procedures in place is one thing. Having them practiced is another, and that’s where a privacy walk-through comes into play. Jan Elezian (LinkedIn), Director Healthcare Provider Practice, Revenue Cycle Compliance, Regulatory Compliance at SunHawk Consulting, explains that the walk-through is a test of a facility’s privacy and security environment. It includes a tour of high-risk areas – registration, patient intake, wherever else PHI is accessed – to see what employees are actually doing. It can be used to identify how your administrative and technical safeguards are working in the real world and determine where they need to be strengthened. Before beginning the walk-through, she recommends putting together a checklist of what you will be looking for. Leave room for taking notes, and hold onto it. That way, when you return for a subsequent walk-through you can easily see how things have changed for the better and for the worse. What should you be looking for? A variety of things, including:
  • Is staff wearing badges?
  • Are visitors escorted?
  • Are security reminders posted?
  • Are printers improperly secured?
  • Have papers piled up on the printer?
  • Are privacy practices posted for patients?
Two other things to check for: fire extinguishers and smoke detectors. HIPAA requires safeguards on PHI, she points out, and that includes safeguards against fire. After you have done your visit she recommends developing a post-assessment remediation plan. There inevitably will be corrective actions needed. Be sure to include follow-up steps and dates when the work will be completed. All this effort will help create a more secure data environment, and give management, the compliance committee and the board greater confidence in your program.

 Jason Meyer on Not Boring the Board [Podcast] | File Type: audio/mpeg | Duration: 15:12

By Adam Turteltaub Time with the board tends to be short, valuable and critical to the success of the compliance program. Getting and keeping their attention is essential. To do so effectively, Jason Meyer (LinkedIn), President of LeadGood Education, recommends keeping in mind that board members share one thing in common with the rest of us: they want to know if what you’re telling them is truly relevant to them or a waste of their time. To communicate effectively he recommends an audience-centric approach. That means avoiding compliance jargon and focusing on terms that they care about such as “fiduciary duty”, “Caremark decision”, “oversight” and “DOJ Guidelines”. And, of course, where appropriate, “stock exchange rules”. Remember, too, that they are focused on existential risks to the organization, not the routine, everyday ones. Stay laser focused on what is in it for them and combine hard information – what their duty or a risk area is – with scenario-based examples. Think, too, like a marketer: repetition matters. Stress and keep stressing what’s important, but put some sizzle behind it. Avoid the pitfalls of simply echoing what management is saying and being just one more presentation. Have a message of your own to demonstrate independence and underscore the importance of a direct compliance-board relationship. Also, don’t forget the education part of the equation. Opportunities for them to be better educated are rare, and showing you have information they could use may be the best way to get their attention. Listen in to learn more about how to get the most out of your time with the board.

 Meiran Galis on Data Security, SOC 2 and ISO 27001 [Podcast] | File Type: audio/mpeg | Duration: 14:09

By Adam Turteltaub Improving data security at your organization doesn’t just protect you, it can also increase your business, explains Meiran Galis, Chief Executive Officer of Scytale. Customers increasingly want to know that their business partners’ systems are secure and that critical data will not get stolen or held hostage in a ransomware attack. To ensure that they are meeting data security standards and can provide their customers the assurance that they seek, many organizations pursue SOC 2 or ISO 27001 certification. As Meiran explains, there are key differences between the two.
  • SOC 2, he reports, has become the new gold standard for SaaS applications. It is generally considered of greater value in the US and is not technically a certification. An attestation report is made and independently certified.
  • ISO 27001 is a traditional certification and is focused on information security management. It is more popular outside the US, especially in Europe.
So, should your organization pursue SOC 2 or ISO 27001? That depends on where your current and potential customers are and what they require. Ask sales if prospects and customers are already wanting a certification from your organization. Once you decide which certification to pursue, or if both make sense, don’t expect it to be a fast process. For small organizations it may take 250 hours of work. For larger companies, it may take 1000 hours or more. Once you earn the certifications, have a plan in place to continuously monitor and periodically audit your efforts. Listen in to learn more about whether SOC 2, ISO 27001 or both are necessary to protect and grow your organization.

 Ty Francis and Eric Morehead on Assessing Your Compliance Program [Podcast] | File Type: audio/mpeg | Duration: 15:11

By Adam Turteltaub The writing on the wall is pretty clear: regulators expect compliance programs to be custom designed for the organization and kept up to date. That means compliance teams need to stop periodically and reassess their program to ensure it is effective in practice and not just on paper. In this podcast, LRN’s Ty Francis MBE, Chief Advisory Officer and Eric Morehead, Director, Advisory Solutions explain that regulators want to know if organizations are targeting their compliance resources to the risks that they are facing. To allocate efforts successfully, it is essential to look at the data to see if your program is effective. Yet, they point out, it’s not just a numbers game in which more spending leads to more results. If, for example, there is an issue with employees not speaking up and living in fear of retaliation, paying for more training is not going to be enough. Instead, compliance teams need to look holistically at the situation and address the underlying cultural issues. That includes demonstrating to employees that a manager who retaliates will face discipline. So how do you conduct an effective assessment? First, they recommend budgeting enough time. The process tends to take longer than people think given the number of people you will need to interview and the time at the front end to gain support from leadership. Next, make the effort to talk to people from the top of the organization to the bottom. Do so in person, or via surveys if necessary. As you do, be sure to learn how they feel about the compliance programs, the culture of the organization, violations they may be seeing and the ability to speak up without fear. Finally, they advise looking outward. Benchmark your efforts against your peers. This can provide context and expose you to ideas and solutions you may not have been aware of. Listen in to learn more, and then spend some time assessing your assessment program.

 George Tziahanas on New International Privacy Laws [Podcast] | File Type: audio/mpeg | Duration: 13:27

By Adam Turteltaub GDPR, CCPA and HIPAA all pose daunting privacy challenges for organizations. But, George Tziahanas (LinkedIn), Managing Director of Breakwater, explains that there are many more national laws to consider. In this podcast he takes us through five countries with laws and regulations that global compliance and privacy teams need to consider.
The People’s Republic of China
China’s law, he reports, is very focused on the country’s national interest and a belief that preserving data, particularly critical data on firms and infrastructure, needs to stay in the country. The law affects whether data can be transferred outside China and under what circumstances. It also has limits on what information can be shared with foreign law enforcement.
France
The US Cloud Act triggered concerns in many jurisdictions around the world. The French National Security Agency established a certification program that now requires French nationals to run cloud-based services in France and limits the ownership levels of foreigners. It affects broad sectors of the economy.
Germany
The largest economy in Europe is embarking on efforts similar to those in France, which is having the effect of creating digital borders in the EU. They have created a sovereign cloud, in partnership with the private sector, that affects government agencies, vital services and critical sectors of the economy.
The Kingdom of Saudi Arabia
Saudi Arabia has classified certain data as needing to stay within the country. This has led to partnerships with cloud vendors to bring their infrastructure into the country.
Dubai
The UAE, he reports, has long had limits on encrypted voice channels and VOIP. To gain access to cloud technology they, too, are slated to introduce new data and cybersecurity rules that are anticipated to be similar to Saudi Arabia’s.
In sum, organizations are now increasingly facing a world in which data transfers will be more complex and where data is housed will be closely scrutinized and limited. Listen in.
