Compliance Perspectives

By Adam Turteltaub adam.turteltaub@corporatecompliance.org When it comes to HIPAA everyone knows about the risks of disclosing Personal Health Information (PHI) improperly.  Also important, but often overlooked, is the need to ensure that when patients want access to their data that they get it in a timely way and in the format that they want. Cristin Gardner, Director of Consumer Products & Markets at Life Image, warns that this is a significant risk area for healthcare providers.  The regulations stipulate that entities may not require unreasonable measures of patients.  Failing to meet consumer needs can be significant.  As she explains in the podcast, the first settlement for a violation of the regulation came in September 2019, and it cost the hospital $85,000 for just one violation. So, why aren’t providers meeting their obligations?  Part of it is due to old policies that have not caught up with the time.  Many still rely on faxed and in-person requests.  In addition, they are behind the times in their use of technology, still burning CDs for patients.  This fails to reflect, obviously, the way data is transferred and used.  In addition, it greatly slows down the sharing of critical health information. Listen in to learn more about the risk and how to help your organization start thinking differently about providing data to patients.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Unconscious bias is the predisposition to believe or behave a certain way about certain groups of people.  It creates both negative and positive views that are automatic and unintentional.  And, these biases are highly problematic in the workplace. Debra Sabatini Hennelly, Founder and President of Resiliti, found that unconscious bias isn’t just an issue for the workforce.  It can affect the compliance team as well. As she explains in this podcast, these biases stem from our brain’s need to process great amounts of information.  While doing so, the mind can take short cuts that can lead to bad decision making. To avoid the pitfalls of this largely uncontrolled thinking process, we need to be consciously aware of the need to be rational and objective and have to be mindful of our own limitations.  Listen in as she outlines the problem and ways to mitigate it, starting by simply slowing down to allow information to process more deliberately.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org A good investigation, no matter where you conduct it, begins with a plan, advises Elaine Khoo, Director for Compliance, Asia-Pacific Except China, for Marriott International.  It will help you focus on the evidence you need to gather and people you need to interview. In this podcast, recorded during the SCCE Regional Compliance & Conference in Singapore, she offers a wealth of advice including: * Look to see who can provide you with investigation support * Know your allies and enemies * Let the interviews play against each other * The importance of respecting local culture, including that body language may differ * Always show empathy * Have a good translator on hand, who is well briefed * Respect your reporting structure * And much more Listen in to gain more, rich insights into how to make your investigation successful in Asia, and around the globe.  

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The good news is that people trust the businesses they work for.  The bad news is, they trust the businesses they work for. In a fascinating and provocative conversation, Matt Kelly of Radical Compliance shares some striking data from the Edelman Trust Barometer.  The global survey reveals that 75% of people trust “my employer” to do what is right.  That’s a level far higher than for any other institution, including the 54% who trust business as a whole. In addition, 74% report that “I know what is going on, I am part of the planning process, and I have a voice in key decisions; the culture is values-driven and inclusive.” All good signs but signs that carry risk.  People are increasingly looking to business to solve social problems not being solved elsewhere, which could lead to new demands on compliance and ethics teams to weigh in on social issues outside the legal and regulatory scope that they have traditionally had. So, how should companies navigate this reality?  Matt argues that now, more than ever CEOs need to hold managers accountable for violations, especially those that are visible and talked about.  Employees have to be encouraged to speak up and supported when they do so.  The compliance team needs to do a great deal of communication and outreach and encourage employees to come to them with concerns. Listen in to learn more about trust in business and how to keep it.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Being promoted from the compliance staff to the Chief Compliance Officer (CCO) can be a great moment.  But, it’s the start of a new era professionally, one that requires a new set of skills to be successful in the long run. It’s a topic that Lea Fourkiller, Managing Director at Ankura Consulting, knows well, having risen in compliance to serve as a CCO, and working as a consultant to the compliance community.  In this podcast, she shares her expertise in how to not just have the leadership title, but also succeed as a leader. Listen in for her insight into: * The importance of understanding the scope of the new role, and avoiding being pulled back into doing your old job * Earning the trust and respect of senior leaders * Demonstrating your leadership skills, especially integrity * The needs to listen, stay current on laws and regulations and what is going on in the business * Thinking strategically and becoming a problem solver * Collaboration with business leaders * Developing your team It’s helpful information whether you are newly promoted to CCO or hope to be one day.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org There have been at least 90,000 data breaches reported under the GDPR already.  That’s a big number, and Jonathan Armstrong, a partner at Cordery Compliance, thinks it’s probably on the low side. If there’s good news to the dizzying number of reported incidents, it’s that they are rich with learning for compliance professionals. In this podcast he offers valuable insights including: * Organizations need to have a plan in place before a breach * It’s highly worthwhile to not just have the plan but to also rehearse a data breach response, cognizant of the time deadlines of GDPR * Compliance must have a seat at the table and not let this just be handled as an IT issue * Organizations need to keep records to share with regulators * It’s essential to treat regulators with respect * Prudence argues for planning a response assuming your organization may have lost internet access Listen in to learn more about how to prepare your organization to prevent and respond to data breaches more effectively.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org There’s good news to report on social media, reports Kortney Nordrum, Regulatory Counsel and Chief Compliance Officer for Deluxe.  Employees are starting to wake up to the risks and realize that what they share on social media has consequences. But, that doesn’t mean all is well.  Risks remain for employees and their employers.  As she explains in this podcast, people who are likely to make bad decisions continue to do so on social media.  Despite changes in some of the National Labor Relations Board’s policies, employers are still greatly restricted in how they can respond to employee comments online. Listen in to the podcast as she discusses: * Whether or not to monitor employee activity * The importance of seeing what is being said about your company online * How to handle pre-employment social media scans appropriately Also, learn how some universities are using social media, including Twitter, to spread compliance messages and reach their people where they are. Here are some examples she recommends checking out: https://twitter.com/GopherGuardian https://twitter.com/UCDavisComply https://twitter.com/NIURules

By Adam Turteltaub adam.turteltaub@corporatecompliance.org If you have a compliance and ethics program of any size, odds are good that you need a solution provider to help your program function fully.  Manage the vendor search and relationship well, and if you’ve done yourself and your program a great service.  Manage it badly, and you’ve created a nightmare. Jay Rosen of Affiliated Monitors knows the challenge well, having been a buyer of solutions and currently as a vendor to the compliance and ethics community. In this podcast – a preview of his session at the 2019 Compliance & Ethics Institute — he outlines how to make the vendor relationship a healthy one, beginning even before you begin a search.  He advises that buyers reach out to their peers to learn what is working for them and the options in the marketplace. Once you begin the search keep tabs on how attentive the sales team is.  If you’re not getting the responses you need and in a timely way then, it’s generally not a good sign. Listen in to learn more about how to make the implementation go as smoothly as possible, make the ongoing relationship a success, and when it’s time to move on.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Compliance training is both essential to the effectiveness of every compliance and ethics program and an ongoing source of consternation:  Are we doing too much or too little?  Are the courses too long or too short?  Are employees understanding and retaining the learning or are they just clicking through the courses? To help answer these and countless other questions, the SCCE asked Kirsten Liston, a veteran of the compliance training industry and Principal and Founder of Rethink Compliance, to write a book on the topic.  The result is Creating Great Compliance Training in a Digital World. Over its 150 pages the book takes the reader through the principles of effective communication and training for adults. In this podcast Kirsten explains how the book is organized and her focus on providing practical advice on how to communicate effectively and from the perspective of the learner.  She leverages thinking from fields as diverse as advertising and behavioral psychology to show what gets people to pay attention,  engage with the training and take action. She also explores the importance of measuring the effectiveness of the training and the importance of figuring out what works and what doesn’t. Listen in to learn more about the book and how to think about your own training efforts.   Or check out a preview of it online on COSMOS.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Most every SCCE or HCCA conference has panel discussions led by a moderator.  Done well, they can bring tremendous insights.  Done poorly, and the audience may walk out or, even worse, doze off. Richard Bistrong is a veteran speaker and moderator.  He advises that it’s important for moderators to think of themselves as supporting actors and not stars.  They are there to stimulate engagement with the audience and bring out the best in the presenters.  That means making sure that the conversation covers the key points, moves along deliberately and that there is ample time for questions at the end. In this podcast he also shares his advice for selecting panelists, scripting out questions, building rapport among panel members, and the role of slides:  use them to support the conversation not serve as a script.  Finally, he discusses the importance of the final question for every panel discussion. Listen in to benefit from his expertise.  And, if you want to learn more, he recommends a recent article in The Atlantic.  You can also find additional advice at the bottom of the Call for Speakers page on the SCCE and HCCA websites.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The words “Socratic Method” tend to conjure up images of law school professors boring into and humiliating ill-prepared students.   But, it shouldn’t necessarily be this way.  Instead, explains Jonathan Rusch, Adjunct Professor at the Georgetown University Law Center and Principal of DTG Risk & Compliance, Socratic questioning is about learning by asking questions about a topic. As he wrote in a recent article and shares in this podcast, the object is to ask questions, listen for the answer and then follow up appropriately to ensure you are getting to the heart of the issue.  In addition, rather than the badgering seen in movies, it’s far better to maintain a measured, even tone. In many ways, it’s an approach reminiscent of the recent DOJ guidance for evaluating compliance programs, which is rich with questions. Listen in to learn more about the importance of doing your homework, carefully structuring questions, actively listening, focusing on topics (vs. individual questions) and being patient.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The US Supreme Court’s Digital Realty Trust decision has been a cause of concern within the compliance community.  In that the case the court found that the Dodd-Frank whistleblower protection provisions do not apply in instances where the whistleblower does not report the allegation to the Securities & Exchange Commission (SEC). To better understand what this case means we sat down with Sean X. McKessy, a partner at the law firm Phillips and Cohen and the former Chief of the SEC Whistleblower Office.  As he explains in this podcast, the ruling was shocking to many.  It puts employees considering reporting an issue into a more difficult position since they may potentially lose protections if they only report internally.  That will likely increase the likelihood of them taking their concerns directly to the government and, potentially, bypassing internal channels. As a result, he argues, it is now more important than ever for compliance teams, and the organization as a whole, to underscore that even if the law does not promise protection against retaliation, the institution does. Listen in to learn more about what the decision means and what compliance teams can due to help their own internal reporting efforts.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org In the pre-digital age, workplace communications tended to be verbal and memo based.  Then email came along, which changed everything.  And, now there is an explosion of new technologies such as Slack and Microsoft Teams being deployed with the goal of increasing collaboration and productivity. Behind the change, explains Robert Cruz, Managing Director at Smarsh is a changing workforce.  Younger workers and clients have their own preferences for how they want to communicate, and the emphasis is on speed. The challenge for compliance and ethics professionals, and the businesses that they serve, is that there are not yet clear guardrails, Cruz explains in this podcast, for communication on these platforms.  While some may recognize that the need for careful communication still applies, many do not.  That creates substantial risk in areas ranging from protecting corporate intellectual property to harassment to privacy laws. Organizations need to spend the time, he argues, examining what the risks are and not just the potential productivity gains.  In addition, they need to assess the ability to capture historical data should an incident occur and an investigator or regulator wants to access previous communications.  That may be harder than it seems based on how the platform has been deployed and what content it contains: text, videos, and even emoji’s. Listen in to learn more about the opportunity and risks in the emerging space of collaboration platforms.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org July 12, 2019, was the date of the first SCCE Regional Compliance & Ethics Conference in Thailand.  With our growing membership in Asia, the association is eager to provide more opportunities for members of the local compliance and ethics community to meet, network, and share best practices. While there I sat down to record this podcast with John Frangos, a partner and Deputy Director, Dispute Resolution at the law firm Tilleke & Gibbins.  In our conversation, we cover the many compliance risks for companies doing business in the country, which has the 25th largest GDP in the world. At the top of the list of compliance risks is corruption.  The country had a score of just 36 on the Transparency International 2018 Corruptions Perception Index.  Perhaps surprisingly, is that corruption is not limited to the public sector.  Business needs to be wary of corruption in the private sector as well. A second risk, although mostly for businesses in the fishing industry, is modern slavery.  This can be a particularly challenging risk area because of the length and complexity of the fish processing supply chain, he explains.  To stay on top of the issue businesses need to audit their supply chain diligently. Organizations also need to be careful when they find an issue.  Thailand, he warns, has very strict defamation laws.  Accusing a company of wrongdoing publicly can lead to criminal prosecution if that company fights back. One key to mitigating risks in Thailand, as elsewhere, is to encourage local companies your organization works with to establish or strengthen their compliance efforts.  Doing so successfully will involve convincing the local company that it will benefit their business, including the business they have with you.  It can also be advantageous to remind them of the relevant Thai law that prohibits bribery. John also suggests that compliance requirements be put into the contract, while remembering that corporate criminal liability was only introduced in Thailand in 2015.  It’s a very new concept there. Listen in to learn more about the risks of doing business in Thailand and how to navigate safely around them.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org When thinking about South America, the first step in compliance risk management is to stop thinking about South America and start thinking about each individual country.  Geert Aalbers, a Senior Partner and head of Control Risks’ Brazil and Southern Cone business, explains that the risk profiles vary considerably by country.  In fact, when looking at a risk such as anticorruption, it even varies by which governmental body you are dealing with.  While customs may be clean in one country, it could be a dangerous mess in the other. Adding to the complexity, the capacity to combat corruption also varies considerably by country. Corruption, of course, is not the only risk to think about.  As Geert explains in this podcast, other risks include regulatory, security, social, economic, environmental and, increasingly, cyber and data-related risks.  Brazil, for example, recently passed a new data protection law that is very similar in its approach to GDPR. Many may think, “no problem, already have that covered.”  Geert cautions, however, that data security practices in Brazil tend to be lax, creating a potential “perfect storm” of challenges for the compliance team. Listen in to learn more about compliance risks across the continent, mistakes to avoid, and how to strengthen your compliance efforts from Argentina to Uruguay.