Compliance Perspectives

By Adam Turteltaub For a time monitorships were, if not endangered, out of favor.  After many years of embracing them, the US Department of Justice had begun calling for cost benefit analyses and looking for alternatives. Then in 2021 Deputy Attorney General Lisa Monaco gave a speech announcing that the previous policy had been rescinded and that more monitorships would be coming in deferred prosecution agreements (DPAs) and non-prosecution agreements (NPAs). “I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the DPA or NPA.” In this podcast Dykema’s Mark Chutkow and Jason Ross explain what to expect when a monitor is appointed. First, recognize that different monitors will approach the job differently. You will need to understand if they are pragmatic, open-minded, familiar with the industry’s risk and challenges, and have a record as a monitor. Typically, these questions are already answered since companies generally have a say in who their monitor will be. But, if your organization is the exception, do your homework on the monitor. Take time, too, to understand what the scope of the monitorship is. Also, make sure employees understand the role and benefits of a monitor. Leadership and the compliance team need to work to reduce  any negative impressions that employees may have so as to facilitate a construction relationship. To that end, take the time to educate employees that the monitorship will, in the long run, help them. Once the monitor arrives, expect him or her to want to conduct interviews with individual at all levels of the organization in an effort to better understand the company. The monitor will likely want to understand the pressures middle managers are under and the expectations they are setting for those who report to them. Front line workers will likely be asked if they are comfortable speaking up and raising issues. The monitor may even reach out to customers and suppliers. As for the compliance program, itself, expect the monitor to focus on whether it is properly resourced and implemented. Turning to the ongoing working relationship during the monitorship, they warn that there will be tension periodically since the monitor is an outsider, but there needs to be some level of unity to ensure that the relationship is productive. Finally, they discuss the importance of metrics.   The DOJ has made it clear that it expects data analytics from organizations when it comes to their compliance programs. Listen in to learn more about the changes and how to prepare for and succeed during a monitorship.

By Adam Turteltaub Joe Murphy (LinkedIn) is rightly considered one of the founders of the compliance profession, joining the field when compliance barely existed. Since then, he has been not only a member of the community, but an innovator and, although he might blush at the term, a philosopher. He constantly explores what compliance is, could be and should not be. In this podcast he shares his insight as to how the profession has evolved in the almost 40 years that he has been a part of it. Looking at the changes over the decades, what has surprised him the most is the large number of people who work in compliance but are not a part of corporate compliance programs as we know them. He cites individuals in anti-money laundering (AML), environmental compliance and privacy as examples. They often operate outside of the overall compliance effort and may not have the real access to power needed to be effective. What should have been done differently at the start of the compliance field? In hindsight he believes there should have been a greater emphasis on having a strong, independent compliance officer, truly at the top level of the organization. That’s where the greatest risks are, he notes. He offers another thought in what should have been different: There should have been a greater focus on incentives. Companies continue to struggle with incentives and rely upon discipline more heavily than they should or could. What would he change today? First, our attitudes towards conflicting areas of compliance and law, such as areas where privacy law may get in the way of conducting an investigation. Conflicts have always existed, he observes, and compliance teams need to navigate them. Compliance also needs to navigate what he sees as treacherous seas created by those academics who have no practical experience in compliance but, nonetheless, write articles about it that then get cited and repeated, even if they are wrong. Joe closes the conversation by looking to the future.  Not surprisingly, he encourages us in compliance to stand up for the profession and keep others from defining us. Listen in to learn more from a truly veteran compliance professional.

Post by Adam Turteltaub Privacy is always a hot topic in healthcare, but even so, some areas are hotter than others. In this podcast Kara L. Hillburger, Privacy Compliance & Digital Accessibility Team Leader and Managing Director of the Octillo law firm, shares insights into the areas the enforcement community is currently focused on. It’s not just the federal government that’s of concern these days, she points out.  State attorneys general are becoming more active in this arena. Under the HITECH Act they can bring actions of their own for HIPAA Violations, which has resulted in substantial financial penalties. The pandemic has also led to changes in the enforcement landscape. With the rules for telemedicine changed and more data collected on patients, several states have increased their enforcement activity. For compliance and legal teams that means taking the time to understand both the federal and state perspective. Data governance is, at the same, growing more difficult. On the one hand, ever-increasing cyber risks argue for locking down as much information as possible. At the same time, though, OCR is calling for greater data portability and transparency. So what should organizations do?  In this podcast she suggests: * Making the effort to stay on top of the legal and regulatory changes. * Ensuring that there is a strong data governance structure in place * Having a clear delineation of roles and responsibilities: Figure out who is doing what and hire the right people. * Keeping your policies and procedures up to date. * Planning on annual policy reviews that reflect the realities of both in-office and at-home workers. * Identifying proper resource. * Providing regular data privacy and security training and document it. * Having consequences in place for violations. * Knowing your vendors and what they are doing to safeguard your data. Listen in to learn more about what’s especially hot in healthcare privacy compliance.

Post by Adam Turteltaub To get a better understanding of the state of antitrust enforcement we sat down with Andrew Mast, Counsel to the Assistant Attorney General for Antitrust at the US Department of Justice. In this podcast he shares key priorities of the Antitrust Division. First up is a discussion of the Supply Chain Initiative, which is a partnership between the DOJ and FBI. Supply chain disruptions have caused prices to increase, as we have all seen, and the Initiative is tasked with determining whether the disruptions have been used as a cover for collusive conduct. As he notes, past disruptions, ranging from the Great Recession to a spike in the price of tuna, have led to collusive behavior. To help protect consumers and businesses dependent on their supply chains, the Initiative is taking a proactive approach, working closely with the governments of the United Kingdom, Canada, Australia and New Zealand, sharing intelligence and working cooperatively. The DOJ is also reaching out to the business community, providing education about antitrust laws, encouraging the development of compliance programs, and sharing details about the Antitrust Division’s leniency program. Under it, the first conspirator in a price-fixing conspiracy can avoid criminal prosecutions. But, he warns, companies must report promptly after discovering collusive behavior to enjoy the full benefits. To help business understand the program fully, a new FAQ is now available. Another priority for the Department of Justice is labor market collusion. Their goal is to ensure workers gain the benefits of competition. In the Department’s view, no-poach and similar agreements lead to lower wages, reduced mobility and less ability for workers to negotiate watches. Several firms have already been indicted. Finally, he discusses the Procurement Collusion Strike Force, founded in the wake of increased government spending such as the $1.2 billion infrastructure bill. The goals of the Task Force are to deter antitrust activity and to facilitate more effective prevention, investigation and prosecution. Over 20,000 individuals have been trained as a part of this initiative, and it covers both US procurement domestically and internationally. Listen in to learn more about what the DOJ is doing, and what compliance teams should be thinking about.

Post by Adam Turteltaub Compliance programs continue to evolve, seeking new and better ways to prevent and detect violations of law. It was in that spirit, reports Chris Audet, Senior Director, Research at Gartner, that they began examining ways to improve program effectiveness. At the time the survey began, many of their clients were dealing with peak Covid challenges, which included limits on training and the creation of new policies. Enhancing controls emerged as a potential alternative means of preventing problems. Of particular interest were embedded controls because they can both mitigate risk and reduce the burden on the workforce. Rather than training everyone on an issue or employees having to search for information, the control could flag a potential issue and help both the compliance team and the individual employee act appropriately. For example, travel and entertainment management software could automatically flag an issue and ask the proper questions. As Gartner studied the issue they discovered that compliance burdens tended to fall disproportionately on department and management levels not identified as high risk:  research and development, engineering teams, strategy, planning and others. Because these groups were least attended to, individuals working in them needed to work the hardest to understand their compliance obligations. Senior and Executive Vice Presidents also tended to be overly burdened because they are often trained less than others on compliance issues. As a result, they frequently struggle determining what to do in a given situation. To reduce the compliance burden the Gartner report recommends three things; * Help employees remember better by putting controls closer to decision making. * Reduce the number of judgement calls * Help employees execute Listen in to learn more about easing the compliance burden.

Posted by Adam Turteltaub Being a compliance department of one can be a lonely job, but not for Susan Freccia, Director of Compliance at Oregon State University. Working in a small compliance department doesn’t feel like a challenge. For one, she is not fully alone. There are compliance partners – professionals who have at least some compliance responsibilities – across the campus. More importantly, rather than focusing on her lack of a compliance team of her own she works at creating collaborative relationships far and wide. That includes the compliance partners, staff, HR, legal and audit. For others in solo situations she advises not falling into the temptation of thinking, “If only I had X or Y the compliance program could be better.” Instead, she recommends focusing on how to work effectively and continue to improve processes. She has also found success comes from the ability to help others get “unstuck” in their efforts.  She frequently meets with various individuals and teams to help figure out what the challenge is and to find a solution. She also may serve as a bridge between departments who may share responsibility in an area, helping them to collaborate more effectively. Susan also advises against seeking perfection. It’s unattainable. Incidents will always occur. She notes that even the Sentencing Guidelines reflect that reality with several elements addressing how a program responds to the inevitable problems. In sum, to make a small program work, take a collaborative, problem-solving approach. It will be more effective and help people see compliance not as the cause of problems but the solutions to them.

Posted by Adam Turteltaub The Navex 2022 Risk & Compliance Hotline & Incident Management Benchmark Report provides a fascinating look into what’s going on in compliance in general and how employees are using helplines specifically. The 2021 report had illuminating insight into the impact of the pandemic. To learn what is in the data from the latest report, we again sat down with Carrie Penman, Chief Risk & Compliance Officer from NAVEX. This year’s report, which covers data from 2021, revealed four key trends, she reports: * Whistleblowers are more emboldened. They are more likely to use their names, rather than remaining anonymous, when making a report. Viewed against the SEC’s reported near doubling of leads to the Office of the Whistleblower, it’s clear that workers are more willing than ever to come forward. What is unclear is why the change. It may be due to employees feeling that it would be easy to find another job if they were retaliated against. * Reports of retaliation have increased. The question here is whether retaliation has increased or employees are more willing to report it. One theory is that employees are much more attuned to issues of workplace civility. * COVID continues to have an impact. While the number of calls to helplines has increased, they are still below pre-COVID levels. * ESG related reporting is notably low. This may be due to employees not fully understanding ESG, or believing that those issues don’t need to be brought to compliance or the helpline. In both cases, more training may help affect the numbers Finally, looking to the future, Carrie anticipates the possible recession leading to turmoil.  Fear levels rise when layoffs occur, and people see less opportunities to find new work. Managers may place excessive pressure on employees to make the numbers, despite the economy. All of these factors could lead to a great deal of work for compliance teams, and a very different report for 2023.

Posted by Adam Turteltaub Good and bad decisions are at the heart of compliance efforts. So much of our work is dedicated to helping people make better informed choices. In this podcast, Rupert Evill, Founding Director of EthicsInsight shares practical advice for making good decisions. He begins, though, with outlining several factors that lead to bad decision making. Pressure is, not surprisingly, a very large factor, whether it is time-based or financial.  Ethical hazing wrongly gives people permission to do something that they shouldn’t. Faulty assumptions are another persistent challenge. Still another factor is failure to plan. Not taking the time to foresee issues can leave individuals suddenly confronted with circumstances where it is already too late to do the right thing. So how do we encourage and make good decisions?  He lays out four steps: * Consider possible outcomes. Take the time to assess what might happen and encourage diverse opinions. One handy trick he recommends is asking people to write down ideas rather than sharing them publicly. That can lead to more diverse thinking. * Consider the likelihood of each outcome. When doing so, he recommends using a numerical scale rather than words like “it’s possible.” That phrase can mean very different things to different people. * Rank the preferred outcomes and their likelihood. Look for assumptions in decision making and test them to see if they are true. Consider carefully your strategy for achieving your goals. * Consider what can be done now to favorable affect the outcome. Think through what the options are, don’t show your cards too soon and remember that there is usually more than one option. Listen in to learn more. It could be the best decision you make today.

Post by Adam Turteltaub Ever-increasing sanctions of Russian individuals and entities are looking to be a long-term challenge for compliance teams.  That’s not surprising since, they are a part of a war of attrition, according to Oleksandr Pomoshnikov, Head of International Business Development for Ukraine-based YouControl, which offers RuAssets, a tool for tracking Russian and Belarusian assets. In this podcast he underscores the importance of adopting a three lines of defense model and paying close attention to the origins of funds.  Russian companies have been actively changing beneficial owners to persons in neighboring jurisdictions and opening business units there as well. This can lead to very complicated and hard-to-trace business structures, he explains, not just because there may be multiple holding companies.  Many of the jurisdictions in the region have closed systems, making it difficult to determine ownership and identify politically exposed persons. Listen in to learn more.  But do listen carefully.  Oleksander was in Poland with a challenging internet connection while recording.

Post by Adam Turteltaub When we talk about communications in the world of compliance, we tend to focus on training and other forms of mass information sharing. Not as often discussed, but just as important, are the individual one-to-one conversations between the compliance team, leadership, management, and frontline personnel. Getting these interactions right is essential to the success of a compliance and ethics program. Donna Schneider (LinkedIn), Vice President, Corporate Compliance and Internal Audit, Lifespan, has been running a series of six columns in Compliance Today magazine focused on communication done well. In this podcast she touches on a few of the key topics that she addresses. Her first piece of advice: stick to the facts. It's very important to be factual because if you do not rely on facts there is a tendency to tell yourself a story. By analogy she points out that when someone cuts you off driving we tend to come up with reasons why the person did it, even though all we know is that they cut us off. Likewise in a crucial conversation it's good to focus on what you know definitively:  the things you saw, heard or read yourself. She also shares how to handle one of the ongoing challenges when it comes to compliance:  setting expectations for leadership. Often, management is eager to come to a quick resolution and put the issue behind them. That is not always the best course since a thorough investigation takes time. For that reason, she advocates consistent communication, establishing a collaborative rapport and setting reasonable expectations.  Periodic updates are also exceedingly important. Before a difficult conversation she advises thinking through what outcome you want for yourself, others or the organization. Consider, too, the relationship between you and the person you are speaking to. Don't focus on the specific issue you are talking about but what you want to happen. Are you in a dialogue, do you want to share facts or are you there to learn facts? Think about your intent and then ask yourself: how would I behave to achieve that goal? Think through, too, both what verbal and nonverbal communication skills you will need. Think through also how you would respond if the conversation went south. What would you say or do to bring it back to the direction that you want? Listen in to learn more about how to best prepare for difficult conversations, including the power of “do” and “don't do” statements.

Posted by Adam Turteltaub You just started leading a compliance program.  Whether you are new to the company or new to compliance, you probably have a lot of questions to ask as you get started, but where do you begin? In this podcast, Beverlin Hammett (LinkedIn), Compliance Regulatory Risk Officer at Habersham Medical Center, offers an intriguing answer.  She met with leadership around the organization and asked them three questions: * How long have you been with the hospital? * What are your main issues? * What do you think I am here to do? The first question helped her understand how much experience the person had both within the organization and their role.  This helped her gain an understanding of how much expertise the person had as well as the issues, challenges and triumphs that they had experienced. Asking what the main issues they saw was a more subtle question than it appears.  It provided insights into their perspective on the institution and its challenges and helped her understand their focus. The final question, “What do you think I am here to do?” helped illuminate attitudes towards compliance and begin laying the foundation for the idea that compliance is here to help solve problems. The exercise helped her both get off on the right foot with operations and to better understand the challenges and opportunities.  It also helped illuminate several issues within the organizations that she was able to successfully address immediately. Listen into learn more about her intriguing approach and the benefits it could have for other organizations.

By Adam Turteltaub When it comes to encouraging internal whistleblowers, there are two main barriers to coming forward, reports Jeb White, CEO, Taxpayers Against Fraud.  First, is the belief that their concerns won’t be heard.  Put another way:  why bother.  The second is the fear that by sticking their necks out they risk getting their heads chopped off. Their careers could be ended. Even for those who do come forward, there is always the challenge of keeping their trust so that they do not then go outside the organization to the press or regulators. To solve these challenges he recommends embracing communication and transparency.  To the extent that you can, keep whistleblowers in the loop.  Let them know that the investigation is proceeding.  Embrace the lesson from food delivery apps that let you know that your pizza is in the oven.  Let the whistleblower know that the investigation is ongoing and active.  And, to the extent you can, let them know what the final disposition was. If the organization does not find wrongdoing, he recommends sharing with the employee the broader context as to why what he or she saw was legal and proper.  Perhaps explain the laws involved. That will help them both understand the organization’s decision and stay engaged. If the organization does find wrongdoing, Jeb is a strong advocate for sharing the lesson internally.  It will help demonstrate that the organization takes wrongdoing seriously. It also helps mitigate the risk of a dysfunctional culture, in which the words in the code of ethics are nothing more than words, employees are afraid to speak up, and lines of communication are shut down. Listen in to learn more about how you can improve your own internal whistleblowing efforts.

Post by Adam Turteltaub The European General Data Protection Regulation (GDPR) already provides considerable requirements for compliance programs. With Brexit comes a new GDPR for the United Kingdom. Adding to the complexity, the UK GDPR also contains a Children’s Code, explains Jeff Kluge (LinkedIn), Founder & CEO of Holistic Ethics. The UK has long led in protecting the data of children, and the new code follows the UN Convention on the Rights of the Child. For companies doing business solely within the United States it is not likely to be an issue but for those operating globally he advises being aware of and in compliance with the Children’s Code’s requirements. There are standards and rules in place for connected games and toys, for using artificial intelligence (AI) and processing children's data. So, what should compliance teams do? First, they need to understand the algorithm used in the AI their organization employs, ideally while it is still being developed. Second there should be a children's data oversight committee in place. Third the company should be asking whether they should have an ethics committee overseeing their AI-based systems. Also, the compliance team needs to recognize that AI initiatives are often created without their knowledge. It's important to get a handle on what's going on help people understand the importance of closely monitoring artificial intelligence, particularly those systems that are autonomous. He reports that the compliance team can be particularly helpful in identifying what data is being collected and what is the right data to be using. The team particularly needs to be monitoring what decisions are being made based by the AI. Listen in to learn more about the UK GDPR Children’s Code and what compliance teams need to do to protect both children and their own organizations.

Post by Adam Turteltaub San Diego-based Qualcomm was having a tough 2018. The company was going through a whole host of highly destabilizing activity including an attempted hostile takeover. Needless to say, it was a challenging time for the company and the corporate culture. The compliance team very much wanted to be a part of the solution, Krista Wolff, Senior Manager, Corporate Compliance Communications tells us.  Their goal was to amplify the positive and strengthen the organization's culture, despite all the challenges it faced. To help, in the Spring of that year they launched the Lead the Way employee ethics recognition program. In the Fall they launched the newly revised code of conduct and their first Compliance and Ethics Awareness Week. Through the years since they have rolled out a number of activities to involve employees and communicate important messages. One of their more fun ideas was a “spot the issues” exercise. They staged desks, photographed them, and asked employees to spot items on the desk that could be indicative of something problematic. When the pandemic struck and people began working from home, they continued this program although now featuring desks in a home setting. One of the more interesting efforts they did was focused on protecting confidential corporate information. As a technology company IP is very important to Qualcomm and the compliance team wanted to stress to people the importance of protecting data. They worked with the IT department to identify printers around the globe at Qualcomm offices. They then sent to the printers in these in these offices a document marked confidential company information with a message about the importance of protecting IP and asking the employee who found it to email compliance letting them know where they found that document and when. It was a great way to demonstrate that people sometimes send things to printers that they shouldn't and leave them there far too long. This activity had an interesting response rate that illuminated cultural differences. They found that people in Asia rarely emailed in. From Europe, by contrast, the response rates were very high, and in the US employees tended to leave the document on the printer for others to find as well. To make other parts of the program relevant globally they worked with their ethics liaisons and in-country compliance teams around the world to plan local events. The response has been very positive, and the level of innovation has been equally high. Listen in to learn more about how Qualcomm’s Compliance and Ethics Awareness Week both helped to meet their compliance goals and strengthen the overall corporate culture.

Posted by Adam Turteltaub Compliance teams spend a great deal of time and effort encouraging employees to contact the helpline.  But, points out Jay Anstine, Compliance Program Director, Western Division, Banner Health, we tend to make less of an effort to train them in what happens after they make that call. That’s a mistake, he argues in this podcast, since employees who see perceived wrongdoing tend to feel anxious and vulnerable.  They are stressed because they are uncertain what is going to happen, if anything. By helping them understand the post-call process, we can eliminate this blind spot, he argues, greatly reduce the stress level, and increase the likelihood that they will come forward.  That means providing training that brings greater clarity to the process during on-boarding and annually thereafter.  It also means taking the time to understand the questions the workforce may have about what happens from start to finish. Also, he advises, include in the training information about what to expect when reporting face to face, either to their supervisor, or somewhere else, including the compliance team. Finally, Jay provides insight into how to make the reporter feel comfortable when bringing the information to compliance, and what you can do to protect his or her anonymity. Listen in to learn more about how demystifying the helpline could help yours ring more often.