Compliance Perspectives show

Compliance Perspectives

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Elaine Ong, Kalpana Kothari and Caveni Wong on Consistent, Global Disciplinary Guidelines [Podcast] | File Type: audio/mpeg | Duration: 12:32

Post By: Adam Turteltaub Consistent discipline is difficult for organizations, especially when high performers are involved. It’s even more difficult for large organizations operating in dozens of countries around the world, navigating multiple cultures. Yet, Dentsu International was not afraid to take on the challenge. In this podcast, and at their session at the 2021 SCCE Compliance & Ethics Institute, three Regional Ethics & Compliance Directors from the company, Elaine Ong (APAC), Kalpana Kothari (EMEA) and Caveni Wong (Americas), share what it took to put together consistent global disciplinary guidelines in a decentralized organization. The goal of the project was to impose consequences and improve accountability around the globe. A first draft was created and reviewed by the regional compliance directors, legal, HR and internal audit. Then, approval was obtained from the Global CEO and Chairman before it was presented to the board. The entire process took ten months. And that was just the starting point. After that came the task of rolling it out. Critical to the next phase was the support of senior management, the board, HR and business leaders. With their support the compliance team worked with local businesses to ensure that they understood the guidelines and how to apply them. Compliance also let the business know that it would not be alone: Compliance would be supporting them along the way. Some of the other keys to success:
  • Develop a simplified framework that is easy to understand
  • Create case-based training to provide opportunities to practice decision making
  • Develop supporting collateral
  • Review employee feedback
Listen in to learn more, and then plan on attending their virtual session at the 2021 SCCE Compliance & Ethics Institute.

 Ted Lasso Executive Producer Bill Wrubel on Culture and Ethics [Podcast] | File Type: audio/mpeg | Duration: 19:24

Post By: Adam Turteltaub Ted Lasso has been a pandemic streaming success story. The show stars Jason Sudeikis as an American college football coach hired to lead a troubled English soccer (football) club. Unlike the typically-portrayed coach, barking out orders and all about winning, Ted is an empathetic person, who wears his heart on his sleeve, looks for the best in people, and does his best to bring it out of everyone. That’s not always easy given the personalities that surround him. The team’s owner is engaged in a personal vendetta. One star player is self-obsessed, another is arguably the angriest person in the world. The show has been a runaway success, with the public, critics and the press. It has earned 20 Emmy nominations, including Outstanding Comedy Series, Outstanding Lead Actor in a Comedy Series, and two nominations for Outstanding Writing for a Comedy Series. For those of us working in compliance and ethics, the show is a great watch, not just for its entertainment value. It contains several lessons on creating the right organizational culture, and how to engage people in discussions of right and wrong. In this podcast I sit down with Bill Wrubel, Executive Producer of the series who, not surprisingly for a show about working as a team, gives the credit to others including Brendan Hunt, Joe Kelly, Bill Lawrence, and, of course, Jason Sudeikis, who wanted the show to have meaning and be something beyond laughter. Fittingly, when Bill interviewed for the job, Sudeikis asked him if he had any mentors in his career and to tell him about them. Sudeikis drew heavily from his own experiences in the entertainment industry, Bill shares. From his years working in improv he learned that success is the product of team work. You are as dependent upon what others are doing as what you are doing. 
From writing for SNL, under Tina Fey’s leadership, he had learned from her habit of listening to all the voices in the room, not just the loud ones, and to recognize that everyone had a contribution to make. You can see that in the show, when Coach Lasso encourages the players to speak their mind, and also, notably, when he chooses to listen, not escalate confrontations, and be forgiving. What may surprise many is that the writers regularly talked about and read books on leadership. They saw that not everything flows from the top and that great leadership comes from openness. “Be curious not judgmental” is an oft-quoted line from the show. Listen in to the podcast, and then enjoy Ted Lasso. Then watch it one more time (if you haven’t watched it already) for the lessons about how to create a culture that encourages growth and openness. The setting is an English football club, but the lessons can apply to compliance and ethics programs everywhere.

 Ronnie Kann and Trent Sandifur on Third-Party Monitoring [Podcast] | File Type: audio/mpeg | Duration: 11:04

Post By: Adam Turteltaub So much attention is paid to vetting third parties that it’s easy to forget that vetting is just the start of the process. Monitoring needs to be done on an ongoing basis as well. Ronnie Kann, head of Global Ethics & Compliance at Energizer Holdings, and Trent Sandifur, partner at Taft Law, will be addressing that topic in their virtual session “What Does Third-Party Compliance Monitoring Look Like in Real Life?” at the 2021 SCCE Compliance & Ethics Institute. In this podcast they caution that it’s advisable to think of monitoring not as something separate but as a part of a larger third-party due diligence program. That program includes:
  • Keeping an eye on what’s going on with the third party
  • Understanding what the risks are
  • Thinking about how to monitor
  • Making any improvements necessary to ensure the risk is effectively managed
How do you get the vendor on board for the monitoring process? They recommend beginning by ensuring that monitoring is included in the initial agreement. That helps both set and manage expectations. Also, work with the vendor to make sure that while getting the information you need you are not unnecessarily burdening them. Be sure also to avoid overburdening your own business people, but, at the same time, it’s essential that they recognize that they own the risk. This can help create a spirit of partnership that will help protect your organization and make the process go more smoothly. Finally, they close the podcast with a discussion of what to think about as the pandemic ends and business starts catching up on all the due diligence that was done only partially when the pandemic made travel impossible. They recommend taking a risk-based approach to what you were unable to do. Listen in to learn more, and be sure to join their session “What Does Third-Party Compliance Monitoring Look Like in Real Life?” at the 2021 SCCE Compliance & Ethics Institute.

 Andy Powell on Creating an Integrated Scorecard [Podcast] | File Type: audio/mpeg | Duration: 14:46

Post By: Adam Turteltaub Andy Powell is Chief Ethics & Compliance Officer, Senior Vice President and Deputy General Counsel at Flex, a global technology manufacturing company with approximately 160,000 employees in over 100 manufacturing and services sites spread out over 30 countries. When he entered the compliance role there he realized that, realistically, the compliance team couldn’t be everywhere all the time. He also sought to enhance the compliance and ethics culture. To do so, he embarked on a strategy of normalizing compliance, making it a part of every manager’s job. That, he knew, would require making managers both responsible and accountable. His solution: create an integrated scorecard that leaders could manage against and that would provide valuable insights to the compliance team. As he explains in this podcast, you can’t expect managers to be accountable unless you can show them how they are doing. The scorecard provides the hard numbers managers need. To create it, he worked cross-functionally to gather data points from across the organization, including employee engagement surveys, helpline data, and even external benchmarking data. The information is represented graphically along with insights from the compliance team. Some of the data is macro; some gives insights as granular as individual production lines. How powerful is this tool? Day to day it helps identify hot spots and generate improvements. As importantly, the CEO typically asks each manager to show it to her whenever she travels around the company. Listen in to learn more about the benefits of creating an integrated scorecard.

 Andy Dunbar and Nick Morgan on What the SEC Expects from Your Internal Investigation [Podcast] | File Type: audio/mpeg | Duration: 20:40

Post By: Adam Turteltaub What does the SEC expect from an internal investigation? It’s a topic that Nick Morgan, partner, Paul Hastings, and Andy Dunbar, Chief Compliance Officer, Herbalife Nutrition, tackle in this podcast and will be addressing at the 2021 SCCE Compliance & Ethics Institute. So what makes for a good internal investigation? It starts before the investigation even begins, with a robust whistleblower program, a speak-up culture and easily accessible reporting channels. It also includes a disciplined investigation process. That means someone needs to be monitoring it to ensure that matters don’t fall through the cracks, that they get assigned efficiently, and that all investigations are moving forward. In addition, someone has to be designated to review the final outcome of the investigations and determine if the right people were spoken to and the right documents examined. And while the emphasis and effort will be placed on those tips that seem to have merit, it’s important to remember that the vast majority of them will not. Yet, even for those that are unsubstantiated, take the time to document what was done and how conclusions were reached. Whether or not a claim has merit, they advise ensuring that an adequate program is in place to protect whistleblowers from retaliation. That includes a documented anti-retaliation policy and processes available both for employees to turn to and for regulators to see. Be sure also to let whistleblowers know that the same channels they used to report wrongdoing can be used to report retaliation as well. It is also advisable for the compliance team to stay in contact with the whistleblower, even checking in a couple of months after an investigation concludes to make sure he/she is doing okay. That can be very reassuring to the whistleblower and demonstrate that the compliance program is trustworthy.
Finally, they address what the compliance team can do should the matter escalate to the point that the organization self-reports, or if the SEC or DOJ comes knocking. These steps include:
  • Reviewing hotline data to see if there were any early indications of the problem
  • Amassing the data to demonstrate the effectiveness of the compliance program
  • Preparing a plan to remediate
Listen in to learn more, and be sure to attend their session What the SEC Expects from Your Internal Investigation: Former SEC Enforcement Attorneys Share Their Insights at the 2021 SCCE Compliance & Ethics Institute.

 Courtney Blau on Section 1135 HIPAA Waivers [Podcast] | File Type: audio/mpeg | Duration: 9:37

Post By: Adam Turteltaub HIPAA Section 1135 waivers are a tricky area, explains Courtney Blau (LinkedIn), Attorney, Risk Management and Compliance, Norman Regional Health System. As she explains, Section 1135 Subsection B of the Social Security Act provides express authority to the HHS Secretary to waive a number of requirements, including the HIPAA privacy rule. In response to the pandemic, the Secretary was given additional authority to make amendments to HIPAA by program instruction or otherwise. These are no longer subject to a public hearing or comment period. However, a waiver is only effective for three days after implementation. As a result she advises not to adjust your organization’s processes. Instead, continue to maintain normal operations. In addition, compliance teams need to remember that many states have laws that are even stricter than HIPAA. As a result, the waiver may not be applicable to providers in those states. Listen in to learn more about this complex topic.

 Fernanda Beraldi and Ed Broecker on Compliance’s Role in M&A’s [Podcast] | File Type: audio/mpeg | Duration: 13:22

Post By: Adam Turteltaub Mergers and acquisitions can be filled with landmines. To find out what compliance teams can do to help manage the risk, and help ensure a successful transaction for the business unit, we spoke on this podcast with Fernanda Beraldi, Senior Director, Ethics and Compliance at Cummins Inc., and Ed Broecker, Partner, Frost Brown Todd. The two of them will be leading the session Compliance Diligence in M&A: Best Practices from LOI to Integration at the 2021 SCCE Compliance & Ethics Institute, which will be taking place in-person and virtually September 19-22, 2021. Since the earlier compliance is brought into the M&A process the better, they advise developing a close relationship with the business. The goal is to have compliance involved starting with the initial discussions, even before there is a letter of intent. When doing a compliance assessment, they recommend a risk-based approach, to a point. Looking at legal and regulatory risk areas is important, but just as important is looking at the corporate culture. Get a handle on whether the compliance program simply exists on paper or is woven into the way the company does business. Take the time to interview the compliance team at the target company and ask specific questions about culture, training, and receptiveness to compliance. Be alert also to one red flag that is often missed: the absence of helpline calls and cases. While it is hard to miss the red flag of a lot of calls from a facility or a large number of investigations, it can be easy not to notice when there are far too few calls, or none at all. That may be the very troubling sign of a culture that makes it difficult, if not impossible, for employees to raise their hands when they see something wrong. After the acquisition, they advocate for the creation of a compliance champions or ambassadors program.
Having people in other departments who can be the eyes, ears, arms and legs for the compliance program can be invaluable, both for learning what is happening and for communicating compliance messages. Listen in to learn more, and to gain even more of their expertise, be sure to join us in Las Vegas at the 2021 SCCE Compliance & Ethics Institute.

 Ronnie Feldman on Encouraging People to Speak Up [Podcast] | File Type: audio/mpeg | Duration: 15:41

Post By: Adam Turteltaub How do you get people to come forward and report issues? Ronnie Feldman (LinkedIn), President and Founder of Learnings & Entertainment, has an unconventional suggestion: learn from improv groups. As he explains in this Compliance Perspectives podcast, improv performances only work because the members of the cast know that they have unconditional support from their castmates. They embrace the concept of “yes, and”, looking to build on what each other did and move it forward. That gives them the ability to take risks. Improv artists also practice their listening skills to make sure that they understand what each other is saying. This creates a psychologically safe environment where people can bring ideas forward without fear. Harvard Professor Amy Edmondson argues that the best organizations do the same thing, he explains. How does an organization get to that place of psychological safety, where people feel they can come forward and say what’s on their mind safely? By constantly reminding people that it is okay to point out what is wrong. And a good compliance program, he explains, is one that creates this environment. How can a program get there? For one, he argues that compliance training needs to be improved. Taking the trouble to do it right both engages employees and shows the company is committed. Stories of incidents that happened at the organization can be particularly impactful. Then think more like an advertising agency and seek to get the message in front of people as many times as possible and as creatively as possible. And, as you do so, be entertaining and interesting. He argues that this will help put compliance in a more positive light. Listen in to hear more provocative ideas for encouraging more employees to come forward.

 Marjorie Doyle and Art Weiss on Polishing Your Corporate Values [Podcast] | File Type: audio/mpeg | Duration: 12:00

Post By: Adam Turteltaub What do the current times and the times to come mean for corporate values? To answer that question we turn in this podcast to Marjorie Doyle, Principal, Marjorie Doyle & Associates, and Art Weiss, Principal, Strategic Compliance and Ethics Advisors, SCCE & HCCA President and Chief Compliance and Ethics officer at TAMKO Building Products. These two compliance veterans, and members of the SCCE Basic Compliance & Ethics Academies faculty, will be addressing the topic in their session “Polish Your Brand! Make Your Values Apply to Current Issues” on September 19th at the 2021 SCCE Compliance & Ethics Institute. When faced with such monumental changes as we are today they advise sticking to your values but looking to see if it is time to evolve the definitions. As an example they point to the value of safety, which now should likely reflect not just preventing injuries from things such as falls, but also from COVID-19. Likewise, they argue that with remote work values remain just as important, but organizations need to recognize that the application of those values is different. Studies have long shown that company values tend to be stronger for employees in the corporate headquarters than they are for those farther away. With so many workers no longer in the office, organizations will need to work harder to keep their values front and center and a driver of corporate culture. And how can organizations bridge the very different experiences of workers who come into the office and those who don’t? They advise regular communications from leadership filled with examples that reinforce the organizational culture. Those communications, and others, should also explain how the organization’s values are being applied to meet the changing environment. Listen in to learn more, and be sure to join us at the 2021 SCCE Compliance & Ethics Institute.

 Mark Lanterman on Brute Force Attacks and Corporate Cyber Defenses [Podcast] | File Type: audio/mpeg | Duration: 12:31

Post By: Adam Turteltaub On July 1, 2021 the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), FBI, and UK National Cyber Security Centre (NCSC) released an advisory reporting on “malicious cyber activities by Russian military intelligence against U.S. and global organizations…” The advisory shared that “brute force” is being used to “penetrate government and private sector victim networks.” To understand what this means for organizations and what they should do, we talked with Mark Lanterman (LinkedIn), Chief Technology Officer at Computer Forensic Services. He explains in this podcast that it’s not just the brute force attacks that should cause concern. It is these efforts combined with the use of “known vulnerabilities” to access data undetected. What should organizations do to protect themselves? He advises following the recommendations in the advisory. For one, adopt multi-factor authentication along with time-out and lockout features. Other steps to take include network segmentation and closely monitoring access controls. He also suggests that organizations review existing protocols to ensure that they are actually being followed. Just because a policy is documented, he warns, doesn’t mean it is being applied. If your organization is using a cloud provider, he recommends taking the time to revisit its value as a tool, what protections are in place, what data is stored and where it is stored. Ask your cloud provider about the infrastructure it uses, how it is protected, and what its backup and protection policies are. Trusting any third party with your data, including a cloud provider, is not something that should be done lightly. Inside your organization, he argues for rethinking the approach to data security, changing it from something you train on once a year to an entire culture. There can’t be a set-it-and-forget-it mentality. A much more dynamic approach is required.
Listen in to learn more about how you can better protect your organization against brute force and more subtle attacks.
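The lockout and monitoring advice above is easy to state and easy to get wrong, so here is an added example, written for this page and not taken from the podcast, the advisory or Computer Forensic Services, of what "lockout" and "closely monitoring access controls" look like as detection logic over an authentication log. The log lines are constructed for the example (syslog-style sshd messages with RFC 5737 test addresses); the line format, the thresholds and the windows are assumptions, not settings recommended by the advisory. The example goes one step beyond the post's "brute force" wording: a per-account lockout rule never fires when an attacker tries one password against many accounts, so a second rule watches for that pattern, and a third flags a successful login that follows a run of failures, which is the event a responder actually needs to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-07-01T10:00:01Z auth sshd: Failed password for alice from 203.0.113.5
2021-07-01T10:00:03Z auth sshd: Failed password for alice from 203.0.113.5
2021-07-01T10:00:05Z auth sshd: Failed password for alice from 203.0.113.5
2021-07-01T10:00:07Z auth sshd: Failed password for alice from 203.0.113.5
2021-07-01T10:00:09Z auth sshd: Failed password for alice from 203.0.113.5
2021-07-01T10:00:11Z auth sshd: Accepted password for alice from 203.0.113.5
2021-07-01T10:02:00Z auth sshd: Failed password for bob from 198.51.100.7
2021-07-01T10:02:10Z auth sshd: Failed password for carol from 198.51.100.7
2021-07-01T10:02:20Z auth sshd: Failed password for dave from 198.51.100.7
2021-07-01T10:02:30Z auth sshd: Failed password for erin from 198.51.100.7
2021-07-01T10:05:00Z auth sshd: Failed password for frank from 192.0.2.9
2021-07-01T10:05:04Z auth sshd: Accepted password for frank from 192.0.2.9
"""

# Assumed line format; adjust the pattern for a real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn log lines into time-sorted event dicts; unknown lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """(user, src) pairs with >= threshold failures inside a sliding window.
    This is the condition an account lockout policy should trip on; the value is
    the time the threshold was crossed."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in events:
        if ev["result"] != "Failed":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ev["ts"]
    return alerts


def spray_alerts(events, min_accounts=3, window=timedelta(minutes=10)):
    """Sources that fail against many distinct accounts in a window (password spraying).
    A per-account lockout never fires on this, so it needs its own rule. Value is the
    largest number of distinct accounts seen in any one window."""
    recent = defaultdict(deque)   # src -> deque of (ts, user)
    alerts = {}
    for ev in events:
        if ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(users))
    return alerts


def suspicious_logins(events, min_fails=3, lookback=timedelta(minutes=10)):
    """Accepted logins preceded by a run of failures for the same account from the
    same source: the signature of a guess that eventually worked. Returns
    (user, src, login_time) tuples."""
    recent = defaultdict(deque)
    hits = []
    for ev in events:
        key = (ev["user"], ev["src"])
        q = recent[key]
        while q and ev["ts"] - q[0] > lookback:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= min_fails:
            hits.append((ev["user"], ev["src"], ev["ts"]))
            q.clear()
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("lockout candidates:", brute_force_alerts(evs))
    print("password spray sources:", spray_alerts(evs))
    print("logins after a failure run:", suspicious_logins(evs))
```

Two practitioner caveats the podcast's one-line advice does not carry: a strict per-account lockout can be turned against you (an attacker who can trigger it can lock out every account it knows), so lockouts are usually time-limited rather than permanent and are paired with the spray rule above; and the third check matters more than the first two, because a correct guess against an account without MFA looks like a normal login unless you correlate it with the failures that preceded it.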

 Jenny Radcliffe on People Hacking [Podcast] | File Type: audio/mpeg | Duration: 13:54

Post By: Adam Turteltaub Liverpool-based Jenny Radcliffe, who leads Human Factor Security, is not your typical hacker, clad in a black hoodie and working out of a basement. Rather than spending her time hunched over a keyboard, she seeks to hack people. What does that mean? As she explains in this podcast, she uses persuasion, psychology and influence methods to make her way into systems, and even into physical premises. She is often hired to defeat alarms and see if she can talk her way into a building. She does it by capitalizing on the all-too-human aspects of our personalities, and from her experiences she has learned how phishing emails and other techniques also capitalize on human weaknesses to enable hackers to breach computer systems. What’s both terrifying and fascinating is how hackers take advantage of our weaknesses, tailoring their attacks, knowing that different scams work for different people and cultures. In fact, she explains, the organizational culture you have is the hack you invite. In a hierarchical organization the hacker will likely use authority principles. In a younger, less rules-driven culture attackers may use registration for a social activity as a way to steal passwords and IDs. Hackers also take advantage of human emotions and stress. As she memorably says, “Emotion kicks logic off the cliff.” That’s why techniques such as promising a prize or threatening the release of embarrassing information can be so successful in getting people to click where they shouldn’t. She advises that companies create “cognitive firewalls” within their organization, helping employees to watch for red flags such as:
  • Any approach via email, call or social media that makes the recipient emotional
  • The mention of money
  • A request to act, especially if asked to act quickly
How else can you protect your organization? By making it safe for people to come forward when they make a digital mistake.
The more comfortable they are coming forward, the faster they will, and the sooner the breach is remediated. And how do you find the internal bad actor? That, she says, falls on the shoulders of line managers, who need to be on the lookout for changes of behavior that may indicate stress. Listen in to learn more, including the risks that can come as employees return to the workplace.

 Bridget Group on Legacy Data [Podcast] | File Type: audio/mpeg | Duration: 11:15

Post By: Adam Turteltaub Legacy data is any data that your organization has lying around in obsolete formats that isn’t accessed regularly but is, instead, held for regulatory purposes. While that may sound innocuous enough, it can be an enormous problem for healthcare providers, says Bridget Group (LinkedIn), Corporate Counsel of Harmony Healthcare IT. Typically the data is held in systems which are long out of date and lack the security features that are prudent for the current environment. The hardware is equally problematic, tending to be unstable with long downtimes and high maintenance costs. That can make it hard to meet the requirements of HIPAA and the 21st Century Cures Act. So what should healthcare providers do to manage this challenge? First, she recommends setting up a registry of all the systems across the enterprise to get a handle on what data is available and where it is. The IT department and health information management team can both be helpful. Take the time to understand the retention requirements for the data under both Federal and State laws, the latter of which can be the more restrictive. Then, if you don’t have one already, set up a data governance board, with the charge to identify health information captured across the organization, understand the purpose of the data, who can access it and how long it must be kept for. The board can and should create policies for retention, destruction and access. Be sure also to train the workforce so it understands its obligations. Finally, she advises moving data into an archiving solution, the cloud or a data warehouse and off of those legacy systems. Listen in to learn more about how to keep legacy data from damaging your organization’s legacy.

 Nick Culbertson on Data Breaches in Healthcare [Podcast] | File Type: audio/mpeg | Duration: 13:20

Post By: Adam Turteltaub Preventing data breaches is a critical task for all businesses these days, but it’s especially so in healthcare. No one wants to see health information disclosed, and the risks of a ransomware attack are enormous, literally putting lives at stake. And, of course, there are significant consequences under HIPAA. Nick Culbertson, CEO and co-Founder of Protenus, reports that there were well over 700 breaches in healthcare in 2020. Over 40 million records were affected. It’s a staggering number, and one such breach exposed over 3 million records. Breaches occurred in 49 of 50 states and Puerto Rico. In sum, nowhere is safe. What can healthcare organizations -- and others, too, for that matter -- do to protect themselves? He recommends taking a layered approach. That includes security measures such as strong firewalls but also extensive training of employees, penetration testing and audit log monitoring. In sum, embrace multiple layers of defense that can protect against a wide range of possible mishaps. In addition, as he explains in this podcast, it is important to take a broad view of the human risk elements. These range from snooping into records to find out if someone does or does not have COVID, to failing to dispose of paper records properly, to bad actors offering furloughed employees cash for their passwords and IDs. One other area to protect against: breaches through business associates. With increased integration of providers and their suppliers comes dramatically increased risk. The largest incident in 2020 was the result of one such breach. The bottom line, he reports, is that organizations need to invest more in their cybersecurity, but compliance and privacy teams also need to stay on the alert for simple, human failings. Listen in to learn more about how to protect your organization.

 Justin Beals on HIPAA and HITRUST [Podcast] | File Type: audio/mpeg | Duration: 11:19

Post By: Adam Turteltaub HIPAA? HITRUST? One you have to follow (or else); the other it may be time to pursue. In this podcast Justin Beals, CEO & Co-Founder of Strike Graph, provides a primer on HITRUST and what companies thinking about pursuing certification need to consider. HIPAA, he explains, is a legal requirement providing rules for how healthcare data must be handled, and penalties for when it is mishandled. HITRUST is not a legal requirement but a standard. An organization can get assessed against it and even certified. Why should you pursue it? There are many reasons, but likely the most compelling is that healthcare providers require HITRUST certification from their vendors. With approximately 70% of data breaches traceable to third parties, organizations are demanding that their suppliers take strong steps to ensure the security of their systems. Pursuing HITRUST certification can be a long process, Justin explains. As a result, one key to success is starting early and avoiding the temptation to go too fast. It’s not supposed to be fast and easy. Plus, it requires the collection of significant data. A second key to success: recognizing that this represents a culture change. Attitudes toward security will likely need to evolve, and data protection is now more important than ever, bringing with it a host of changes that need to be implemented. A concerted communications and education effort will be needed to achieve success. With so many breaches beginning with human errors, the workforce has to know what to watch out for, what to avoid, and why cybersecurity must be taken so much more seriously. Listen in to learn more about HITRUST and the challenges and rewards in implementing it in your organization.

 Brooke Nelson on Reporting and Investigations [Podcast] | File Type: audio/mpeg | Duration: 12:24

Post By: Adam Turteltaub Brooke Nelson (LinkedIn), Executive Director, Worldwide Compliance and Business Ethics at Amgen, had a unique and broad perspective on managing compliance during the pandemic. In this podcast she shares what she has seen, including a drop in incidents in many areas. Part of that, she believes, is likely due to the fact that people were disconnected. With sales reps less able to make calls on medical practices there were fewer interactions and fewer opportunities for things to go awry. When it comes to investigations, the adjustment to the pandemic has gone better than might be expected. As she notes, global organizations have always had to rely on some remote methods when conducting investigations, since you didn’t necessarily have compliance staff in every location. During this era, though, remote investigation practices in distant locations have likely grown more effective. However, there remains a strong case for conducting at least some aspects of the investigation in person. An in-person meeting can give a clearer read of the individual. In addition, the presence of an investigation team may lead other individuals on site to share information that they might not have otherwise. An investigations team physically present also offers another benefit: it demonstrates the company takes investigations seriously. With the US and other regions hopefully soon reopening, she does warn that compliance teams should be prepared, if they aren’t already, for change. It is time, for example, to reiterate the need for the workforce to reach out and report their concerns through the helpline and other channels. Compliance should also look out across the organization to better understand what is happening on a country-by-country basis, both for the business units and for the compliance team itself. There are likely significant disparities and a need to adjust efforts and expectations accordingly.
And, of course, the way we all work has changed, perhaps permanently. Listen in to learn more about our recent past and what to consider moving forward.
