Compliance Perspectives

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Suzanne Gellner on System Improvement Agreements [Podcast] | File Type: audio/mpeg | Duration: 11:46

Post By: Adam Turteltaub A Systems Improvement Agreement (SIA) comes at a time of crisis for a healthcare organization, one in which it may even risk being terminated by CMS. As Suzanne Gellner (LinkedIn), Principal, The Gellner Group explains, an SIA involves a lot of work that must be done quickly, typically within just 12 months. For organizations undergoing an SIA she recommends creating an oversight committee made up of C-Suite leaders and others with oversight of the service areas under the SIA. This will help make sure that these same service areas are accountable. The committee would ideally have each group meet with them monthly and provide status updates. Leadership support is critical, but so too is the support of middle managers. They are going to be the major change agents, she explains, who understand what is happening on the front lines, and what leadership wants to see happen. They are also the individuals who will be coaching the staff into how to meet the goals of the SIA. To help the managers, take the time to learn what their likely pain points are, what their day-to-day work life looks like and what challenges they perceive. With that knowledge you can better demonstrate how the SIA initiatives will help them in their work. Done right, it can turn them into ambassadors for the changes the SIA requires. Suzanne also recommends taking a unit-by-unit approach rather than a system-wide approach to the SIA. Each service area is going to be different. The challenges and people will vary. As a result, it’s essential to understand where they are and how the program will benefit them the best. In addition, once there is success in one unit, the others will likely notice, recognize the benefits and be more eager to implement the SIA. Listen in to learn more about how to successfully navigate an SIA in your organization.

 Jabu Sengova on Government Ethics Programs [Podcast] | File Type: audio/mpeg | Duration: 11:29

Post By: Adam Turteltaub “Government ethics” is not an oxymoron. In fact, according to Jabu Sengova, Ethics officer for the City of Atlanta, government ethics programs are very real. In this podcast she provides an overview of how Atlanta’s works. She shares that when it comes to ethics in the public sector there are several areas of focus including conflicts of interest and the misuse of public assets such as credit cards and cars. Managing conflicts of interest has been a particular problem during the pandemic. With employees working from home there has been a noted increase of incidents revolving around second jobs and operating a business on the side. It is a problem likely facing the private sector as well. And, of course, there are the ongoing challenges involving gifts and gratuities, especially for those city employees who work regularly with contractors and vendors. Meeting these challenges isn’t easy for the ethics team. They serve a large, 8,000-person employee base with very limited resources. In addition, until recently there was a strong preference for in-person training. Atlanta is only now moving into elearning. Yet, despite lagging in some areas, there is much, Jabu argues, that corporate compliance programs could learn from government ones, including resiliency. She notes that in her time there she has worked for three different mayors. Business could also learn about doing more with less, she believes. For much of her time in Atlanta, there were only two or three members of the ethics team. Listen in to learn more about government ethics programs and what everyone can learn from them.

 Jim Passey on Making it to the Top [Podcast] | File Type: audio/mpeg | Duration: 11:03

Post By: Adam Turteltaub Jim Passey, Vice President, Chief Audit & Compliance Officer at Honor Health sat down with us to record three podcasts focused on compliance career development: Setting Career Goals, Moving Your Career Forward, and Making it to the Top. It isn’t enough just to set your eyes on the goal of chief compliance officer. Nor is it probably advisable to walk into the CEO’s office and make your pitch should the job become open. In this podcast Jim Passey, who has been a Chief Compliance Officer for six years and at two organizations, shares his advice for crossing the threshold from staff to leadership. He advises that you start the process long before the job opens up. Be visible and make yourself known in meetings and on key projects as an active participant, not just another body in the room. Let people see you as an agent for positive change and a key voice at the table. That will both help your career, and help others take the compliance program more seriously. Let your supervisor know you are eager to advance. Couch it in terms such as “I want to take on more responsibility” or “I’m eager to add value.” An emotionally intelligent manager shouldn’t take that as a threat, but instead take it as an opportunity to help you grow. Plus, if you don’t make your intentions clear, you may be passed up for someone else who has. When the top job does open up, it’s important to remember that the CEO, board, or whoever else is doing the actual hiring probably has never worked in compliance and lacks a full understanding of the job. You will need to bridge that knowledge gap. You will also need to remember that, at the top level, technical skills, such as expertise in specialized areas of law, are likely to be less important than personality characteristics and fit. Leadership wants someone who is going to be able to partner with them. It’s also important to remember that the interview is a two-way street. Be prepared to ask questions that will help you determine if the job (especially at an unfamiliar company) is right for you. Consider questions in your head such as: Does this conform to my perception of an environment I want to work with? What kind of support will I get? Are the leaders a strong, compliant type of a group, or are they just trying to fill the role? Listen in to learn more about how you can improve your chances of making it to the top of the compliance profession.

 Carrie Penman on Helpline Data Since the Pandemic [Podcast] | File Type: audio/mpeg | Duration: 14:32

Post By: Adam Turteltaub NAVEX Global recently released its 2021 Risk & Compliance Incident Management Benchmark Report. It is a document rich in data about what’s going on with helplines and incident management. To understand lessons learned from the data we invited Carrie Penman, Chief Risk & Compliance Officer from NAVEX, to join us. She reports that there is finally an answer to a question many have wondered: what has the pandemic’s impact been on helpline call volume? Interestingly, Carrie reports that overall call volume declined. April and May 2020 saw the steepest drops, not surprisingly since that was the time when businesses were closing quickly and employees were adjusting. But, she points out, it was not just a two-month phenomenon. Even at the end of 2020 volume had not returned to pre-pandemic levels. Drilling down into the data there were significant variations by industry, with differences caused by whether organizations had switched to a work-from-home mode or had large numbers of essential workers still on the job site. But what about the quality of the calls? Carrie reports that the substantiation rate of 42% was in line with previous years. There was one exception, though: environmental health & safety. Substantiation rates were lower, and the number of reports increased substantially, likely due to COVID-19 related concerns. Interestingly, 76% of EH&S reports were anonymous vs. just 54% of business integrity claims, most likely not out of fear but because the complaints were about things like not wearing a mask, where a call back was not likely necessary. The report also includes news that the median days between incident observed and reported increased from 21 to 28 days. That’s troubling for investigators given that memories fade over time. Finally, we discuss the perennial concern about whether anonymous reports can be trusted. The data showed that anonymous reports were substantiated at a much lower rate: just 35% vs. 50% of reports with a name attached. Listen in to learn more, including some potentially troubling numbers about retaliation.

 Jim Passey on Moving Your Career Forward [Podcast] | File Type: audio/mpeg | Duration: 13:08

Post By: Adam Turteltaub Jim Passey, Vice President, Chief Audit & Compliance Officer at Honor Health sat down with us to record three podcasts focused on compliance career development: Setting Career Goals, Moving Your Career Forward, and Making it to the Top. You’ve set your career goals. You’ve mapped out the interim steps. Now, how do you keep moving along the path you have made for yourself? The first step that Jim Passey outlines in this podcast is to do your homework. Compliance, he explains, is about giving good advice. As a result, nothing can destroy your credibility (and prospects) faster than giving bad advice. To avoid that trap he advises investing the time to understand the government’s expectations. That begins, of course, with the Federal Sentencing Guidelines, but it doesn’t stop there. Stay on top of what is going on in enforcement. Focus on what the enforcement community is focusing on. Also, have a strong grasp of your organization’s business so you know how to implement your program effectively within its culture. That includes understanding the structure and political flow of decision making, including who has formal and informal authority. That’s only the beginning. As we all know, compliance isn’t just about knowing what the laws and regulations require. In many ways that is the easy part. The more difficult challenge is getting people to comply. Success in guiding behavior comes from persuasion, collaboration, motivation and inspiration. So, to ensure success for your compliance program and your career, it is essential to develop strong communication skills, and even know a bit about salesmanship. Negotiation skills are also a necessity. There are lots of grey areas in compliance where the laws and regulations aren’t perfectly clear, or a new business idea doesn’t fall neatly within existing frameworks. Having the ability to navigate the grey and find a potential solution is an invaluable skill. What else does he recommend? Be dependable. Take initiative. Be the voice of solutions not problems. Work well with others. Build your network. Get involved in the compliance community, and take advantage of what SCCE and HCCA have to offer. You can even start with this podcast. Listen in.

 Susan Roberts on Creating a Compliance Book [Podcast] | File Type: audio/mpeg | Duration: 14:00

Post By: Adam Turteltaub Cataloguing everything your compliance program does isn’t easy, but Susan Roberts (LinkedIn), who recently retired from full-time corporate life after serving as Chief Compliance Officer at three different companies, did just that. And in this podcast she advocates for doing the same for your compliance program. She made it a habit to create what she and her team referred to as, simply, “the book.” It is designed to be a comprehensive resource should the government (or even management) want to know whether the company has an effective compliance and ethics program. To make your book both useful and complete, she advocates breaking the book into several sections including:

  • An introduction
  • Background
  • Executive Summary
  • Relevant expectations for compliance programs from government, industry groups and elsewhere (US Sentencing Guidelines, DOJ Fraud Section compliance program guidance, FCPA Resource Guide, and so on)
  • A description of the compliance program including sections on:
      • Program oversight
      • Tone at the top
      • Risk assessment
      • Monitoring and auditing
      • Standards, policies and procedures
      • Training, communication and awareness
      • Confidential reporting systems
      • Investigations
      • Corrective actions
      • Discipline and incentives
      • Employee and other screening
      • Third-party management
      • Continuous improvement

In sum, it should provide a full and rich picture of the compliance program including screen shots of training, the code of conduct and helpline posters. Having all that data in one place has paid off twice in very significant ways for Susan and the companies she worked for. In one case it helped convince the Department of Justice that a monitor would not be needed after trouble was discovered at a recently acquired business unit. The book helped demonstrate that the company was already doing everything listed in the Corporate Integrity Agreement. In another case, it helped an acquiring company have faith that there truly was an effective compliance program already in place. The book can also provide insight into where the program needs to improve, acting as something of a self-assessment tool. If you have much less to say in one section, it may be a sign of a program gap. Listen in to learn more about creating a book of your own, including how often to update it.

 Jim Passey on Setting Career Goals [Podcast] | File Type: audio/mpeg | Duration: 13:10

Post By: Adam Turteltaub Jim Passey, Vice President, Chief Audit & Compliance Officer at Honor Health sat down with us to record three podcasts focused on compliance career development: Setting Career Goals, Moving Your Career Forward, and Making it to the Top. In this podcast, the first in the series, he encourages individuals who are still early in their compliance career to take the time to gain a broad view of the industry they work in. For him, that is healthcare, and while many of the examples he cites in this podcast are healthcare-specific, they are equally applicable to other industries. As you gain an understanding of your industry, he recommends thinking about whether you want to make compliance a career or a stop along the way. If you think it is a potential career for you, he advises you ask yourself whether you are comfortable with conflict and being the bearer of bad news. Both are, for better or worse, an essential part of being an effective compliance officer, and many are not comfortable in that role. Also, take the time to assess what you aspire to do within compliance. Do you want to be the chief compliance officer or are you more comfortable at another level? Do you want to be a compliance generalist or focus on specific areas? To help find the answer pursue projects in a number of different compliance niches. One important consideration when setting career goals is geography. If you are committed to staying in one region, your prospects may be limited. There may be just one top compliance job in your industry in a given city. If that’s the case, you may need either to set your sights a little lower or be willing to look in other cities and states or industries. As he observes: the fast way to move up the ladder is to move to where the jobs are. Once you determine your career objectives take the time as well to identify intermediate steps along the way. This will help you set a path and measure your progress. Check regularly to see how you are doing, especially when major events take place, such as a new initiative that interests you. It may encourage an adjustment in your plans. Listen in to learn more about setting your career on the right track.

 Amii Barnard-Bahn on Promotability [Podcast] | File Type: audio/mpeg | Duration: 12:14

Post By: Adam Turteltaub While most of the work in compliance is selfless, there needs to be a bit of self-interest when it comes to career. Even if a compliance officer doesn’t want to make it to the top, he or she likely would, at some point, want to move up. How best to do that? In this podcast we talk with long-time compliance veteran and executive coach Amii Barnard-Bahn about promotability. She has developed a Promotability Index and is author of the book The PI Guidebook. Amii reports that from her analysis there are five key elements of promotability:

  • Self-awareness
  • External awareness
  • Strategic thinking
  • Executive presence, and
  • Thought leadership

External awareness is worth special attention and centers around how your behaviors impact others and how others perceive you. The latter is particularly important since that perception becomes their reality when working with you. Notably absent from the list is technical expertise. It is a requirement, to be sure, but above a certain level technical acumen starts to be less important than the ability to manage people and effect change through others. When it comes to seeking a promotion she advises avoiding discussions with supervisors about the topic during the annual evaluation. That conversation is more about compensation, and it is better to separate the two. Also, it is ill-timed for another reason: typically succession planning conversations by management and HR are held months earlier. Better to raise the topic about six months before the annual review cycle. If you do approach your manager about moving up, make sure she or he knows it is safe to give you candid feedback. In addition, be sure to understand the power structure and culture of your company to know the likelihood of whether you are a candidate to move up the ladder. Ask questions such as: “How am I seen?” “Am I working on the things I should be?” “Are there perceptions that block me?” Finally, she counsels individuals that the days of just working harder to get ahead are gone. Instead, build around your strengths and remove bad habits. Focus on areas such as the ability to influence and working with and through others. Listen in to learn more about how you may be able to improve your own promotability index.

 Debra Geroux and Scott Wrobel on Responding to Data Breaches [Podcast] | File Type: audio/mpeg | Duration: 14:45

Post By: Adam Turteltaub When a data breach occurs, one step is often overlooked in the rush to remediate: preserving as much of the data logs and backups as possible. That’s a mistake, say Debra Geroux, Shareholder at Butzel Long and Scott Wrobel, Co-Owner, N1 Discovery, because that data illuminates what happened, how it happened, and what data was taken. In this podcast they also advise hiring cyber counsel immediately to obtain guidance through the legal and regulatory issues. They may also be able to help you conduct the subsequent investigation under privilege. Counsel can also help identify outside resources, deal with law enforcement, and help healthcare organizations determine if the breach is a reportable one. In addition to outside counsel, Geroux and Wrobel argue strongly for leveraging the organization’s communication team. Managing messaging is critical. The communication targets (victims, employees, the board, public, media) have to be identified and given the information they need. But, be judicious. Limit your communications to essential information to reduce the opportunity to spin the story. Most importantly, they advise, make the effort to understand what the root cause of the incident was. Often, that’s not as evident as it may seem. Sometimes the first suspected point of breach is not the actual one. To reduce the risk of future incidents, they recommend adopting two-factor authentication. Workforce training is also essential since so often employee errors (and vulnerability to sophisticated phishing efforts) are a factor. Hiring a third-party security company to conduct an internal and external vulnerability assessment can also be helpful. It should identify every device and piece of software on or connected to your network, their vulnerabilities and how to remediate them. That assessment should also address any cloud-based solutions your organization is using. While, generally speaking, those solutions are secure, if your organization leaves the default settings in place, it could leave you exposed to bad actors. Listen in to learn more about how to protect your organization, including the need to take a second look at your cyber insurance policy.

 Marti Arvin and Anthony Buenger on the CMMC Framework [Podcast] | File Type: audio/mpeg | Duration: 14:47

Post By: Adam Turteltaub America’s data is under attack. SolarWinds and other recent headline-grabbing stories have demonstrated that foreign adversaries are eager to hack into computer systems for a wide range of purposes. The US Department of Defense has had its supply chain hit hard, and to help protect both the chain and the nation’s assets has pursued the Cybersecurity Maturity Model Certification (CMMC), with a multi-level approach requiring outside certification, not the self-certification as in the past. Although only for defense contractors, it is a model worth watching since it may eventually expand, in one form or another, to additional areas of government contracting. In this podcast Tony Buenger, Cyber Security Consultant and Instructor, and Marti Arvin, Executive Advisor, both of CynergisTek explain some of the complexities of CMMC and its many levels. Level 1 covers basic hygiene and is primarily focused on technical security controls. Level 3 is a certification that requires maturity in terms of documented policies and procedures that have been institutionalized. Level 5, the highest level, is focused on persistent threats. Notably CMMC focuses not just on technology, but also on processes and people, even looking to ensure that the processes are built into the organization’s governance. As a result, it’s not a standard for just the CISO or CIO to handle. CMMC is a commitment that needs to be institutionalized, takes time, and requires both trust and ongoing verification. In sum, it very much requires the maturity that is a part of its name. Listen in to learn more about CMMC and what your organization needs to do now, and possibly in the future.

 Amy McDougal and Jason Meyer on Compliance’s Role in Vendor Contracts [Podcast] | File Type: audio/mpeg | Duration: 15:09

By Adam Turteltaub adam.turteltaub@corporatecompliance.org These days compliance teams play a large role in vetting third parties, especially in high-risk countries and business areas such as sales consultants. But after the vendor is cleared and it’s time to write up the contract, compliance needs to remain involved, according to Amy McDougal, President of CLEAR Resources and Jason Meyer, President of LeadGood. As they point out in this podcast, the legal team tends to be focused on the typical legal issues, not on how to reinforce the compliance program, including extending rights to audit. What’s reasonable to expect from your vendors when it comes to compliance? They caution against being overly demanding, especially with smaller vendors. Set the bar too high and the deal may no longer be worth it for the vendor, or they may sign on the dotted line with no intention of doing what they said they would. Also, expect some resistance from vendors with well-established programs, who likely won’t want to make changes just because their program differs from yours. And, expect to include audit rights in the agreement. They’re critical if an allegation of wrongdoing is made. Listen in to learn more about how to ensure your organization’s vendor relationships get off on the right foot and stay that way.

 Matt Ross on Maximizing the Value of LinkedIn [Podcast] | File Type: audio/mpeg | Duration: 12:43

By Adam Turteltaub adam.turteltaub@corporatecompliance.org For too many people LinkedIn is just a tool when looking for a new job. That’s a huge waste. The ability to connect with your peers even when you’re happy in your job and not looking elsewhere is enormous. Both SCCE and HCCA maintain a substantial presence on the site just for this purpose. LinkedIn’s Matt Ross sat down for this podcast at the 2019 SCCE Compliance & Ethics Institute (apologies for the echo in the room) to share insights into how to gain the most out of this invaluable site. Listen in to hear his recommendations including:

  • Have a photo and headline
  • The photo should show you dressed as you would be at work
  • Check out strangers before connecting with them
  • Take advantage of the content feed to both learn and make yourself known

It’s a valuable conversation, even for those who think they already have LinkedIn down pat.

 Robert Bond on GDPR’s Impact on Internal Investigations [Podcast] | File Type: audio/mpeg | Duration: 12:26

By Adam Turteltaub adam.turteltaub@corporatecompliance.org GDPR requires businesses to be transparent, fair, and proportionate in how they collect, process, and store personal data. Many in compliance and the business world fear, though, that it also severely hampers the way in which business can conduct internal investigations. Robert Bond, SCCE Vice President, Partner & Notary Public at the UK law firm Bristow’s, though, offers significant reassurances in this podcast. He shares that there are far too many myths about GDPR. Contrary to popular belief, GDPR does not necessarily trump other laws. It is also a myth, he reports, that employee rights under GDPR are absolute. However, that doesn’t mean an employer can do what he or she wishes. Compliance teams need to be mindful of the lawful grounds for processing data, including consent and contractual necessity. In addition, there is a need to conduct a fair assessment of whether there is a legitimate interest in conducting the investigation, one that outweighs privacy rights. Be sure also, he warns, to document your decision making in each and every case. And before you think, “Neither the company, nor the employee, are in Europe so we don’t have to worry about this,” don’t forget an increasing number of nations, and the State of California, are adopting GDPR-like laws. Listen in to learn more about how you can conduct a fair investigation, without running afoul of GDPR.

 Marjorie Maier on Using Surveys [Podcast] | File Type: audio/mpeg | Duration: 10:43

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Many companies use employee surveys to better understand the ethical health of the organization.  But what about the health of the relationship with compliance?  Marjorie Maier, Senior Director and Division Compliance and Privacy Officer at HMS, has found that surveys can be useful for that, too. Listen in to learn how she used regular employee surveys to understand the strengths and weaknesses of the compliance program and how she evolved her efforts to better meet the organization’s needs.  It’s a journey your institution may benefit from. You’ll also gain from her advice on issues such as whether to survey the entire organization or start with just one part, how to craft questions to get more honest answers, and how to shift perceptions over time.

 Pedro Ruske Freitas on Brazil’s CGU’s Expectations of Compliance Programs [Podcast] | File Type: audio/mpeg | Duration: 10:13

By Adam Turteltaub adam.turteltaub@corporatecompliance.org At the 2019 SCCE Sao Paulo Regional Compliance & Ethics Conference, we were fortunate enough to be joined by Pedro Ruske Freitas, the Director of Integrity of the Comptroller General’s Office (CGU) in Brazil. The CGU is a part of Brazil’s executive branch and is, amongst other things, responsible for the government’s corruption prevention efforts.  It has engaged extensively with the business community and worked very hard to support compliance efforts, even sending some of its people to the SCCE Basic Compliance & Ethics Academy in Sao Paulo to ensure it fully understood compliance and wrote appropriate regulations. In this conversation, the Director shares the enormous difference in compliance programs since the adoption of Brazil’s Clean Companies Act.  He also shares the challenges he sees, including a lack of full application of compliance programs and struggles by small and medium-sized enterprises.  In addition, he observes that global companies still need to ensure that they fully localize their program, with messages from both the global and local CEO and codes of conduct in Portuguese. Listen in to learn more about how to strengthen your compliance program in one of the world’s largest economies.
