Compliance Perspectives

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Corporate Social Responsibility (CSR) poses an interesting conundrum for compliance and ethics professionals.  Both CSR and compliance are, or should be, firmly grounded in an organization’s values.  But from there things start to diverge.  Compliance is charged with doing what is required, typically by law.  CSR, though, has a broader mandate. As Alison Taylor, Managing Director, Sustainability Management at Business for Social Responsibility explains, CSR is a series of processes to ensure that corporations pay attention to existing and emerging social concerns about the environment and other issues, including human rights. This may seem a bit abstract, but in practice many CSR issues – think anti-corruption and human trafficking/modern slavery – become compliance issues over time. In her podcast with us, she provides her thoughts about what CSR is and isn’t, some of the challenges it has, and how CSR and compliance teams can and should work together. She also shares insight into the hot CSR topics that may soon be compliance issues. Listen in to better understand what every compliance professional should know about CSR, and potential emerging compliance risk areas.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org An engaged compliance committee can be a dramatic and positive influence on a compliance program.  Danette Slevinski (Chief Compliance Officer of University Hospital) and Judith Marber Fox (founder and CEO of JF Real Compliance Solutions) have seen it firsthand. So how do you get there?  In this podcast, which is focused on healthcare entities but has easily extractable lessons for all organizations regardless of industry, they share their experiences and lessons learned. Listen in as they discuss: * The value of senior leaders, and how to engage them * The importance of voices on the committee that come from outside of senior leadership * Comprehensive meeting preparation and how to do it * The role of the committee charter and how it should be structured * Conducting the meeting effectively

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Operating a compliance program in Europe is not the same as running one in the US.  Paris-based Maria Lancri knows this well from having worked as a compliance offer and currently as an attorney with GGV Avocats. For one, in Europe there is a strong need to consider the position of employees and the union.  They must be consulted on many parts of the program, which means that compliance professionals have to be prepared to explain the advantages to workers of the compliance efforts. Other challenges include: * NGOs who scrutinize company activities closely * The Duty of Care Law, which covers Corporate Social Responsibility obligations * Tougher privacy law and aggressive antitrust/anti-cartel regulators * Increased demands on boards to oversee compliance programs As she explains in the podcast, there is much to do to meet these challenges. In addition, there is a strong need to localize the program, not just the language, but also in approach. Listen in to learn more about what you need to know to effectively manage your European compliance efforts.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Joanne Chiedi, Principal Deputy IG and acting Inspector General at the US Department of Health and Human Services, recently addressed the attendees at the 2019 Compliance Institute.  To help inform those who couldn’t attend the event, she was kind enough to record a podcast covering some of the key points from her talk. Listen in as she delivers several key messages to compliance teams, starting with the call to be bold and take action.  With so much technological change and innovation in healthcare, compliance professionals can’t be shy and must have a seat at the table.  Compliance and innovation must advance together, she argues, both to ensure controls are in place but also to provide compliance teams with data on how the program is performing. Two keys to future success for compliance teams, according to Ms. Chiedi, are agility and adaptability.  Compliance will increasingly need multidisciplinary teams to work across the organization to gain new insights into program vulnerabilities and develop solutions for addressing them. This will require compliance leaders to reassess their staffing plans and engage in continuous reprioritization.  Changing times can’t rely on static priorities. Don’t miss this opportunity to hear what the IG sees coming down the road for healthcare compliance.  And, for those outside of healthcare, it’s good advice, as well.  Technology is changing every industry.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Data risks are enormous for any organization these days, which is why, Marti Arvin (Executive Advisor at CynergisTek) and Don Ahart (Internal Auditor, Hunterdon Healthcare) advocate for data management audits. As they explain on this Compliance Perspectives podcast (and also at the 2019 HCCA Compliance Institute), a data management audit is about the logistics of your data:  where it is located, how it is classified, where it is stored, how it is used, who owns it, and who is responsible for maintaining it.  That’s even more complex than it sounds because the temptation is to just look across the network, forgetting that much data is saved on laptops, removable devices and even mobile phones. To avoid getting overwhelmed by the audit, they advise to break it down into manageable parts and recognize that this can be, and probably will be, a multi-year process: once you have the audit done you still need to remediate. Listen in to learn more about what to look for, how to prioritize risks, and how to make your remediation efforts successful.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org It happens to the best and worst of people:  An ethical lapse.  Sometimes it’s minor, and sometimes it’s major.  But it happens.  The question is why and what can we in compliance and ethics do about it. Professor Stuart Pardau argues in this episode of the Compliance Perspectives podcast that to understand these behaviors it is more instructive to look at the common cases rather than the extreme ones.  And, while doing that, pay close attention to the culture.  For one, corporate culture is a place where compliance can have an impact.  The second reason:  culture can be an effective control. Some of the other suggestions he provides to prevent lapses: * Slow down: fast-moving organizations and individuals don’t have enough time to think clearly * Give people a goal beyond just making money * Use training that provides rationales and reasons behind policies, not just what the rules are * Give real-life examples showing the consequences of ethical lapses, including on people’s families Listen in to learn more about ethical lapses, and how you can help prevent them.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Scott M. Giordano, VP, Data Protection, Spirion Session P14:  GDPR Compliance Post-Mortems:  Lessons Learned from Facebook, Uber and Others September 15, 2019, 10:30 AM – 12:00 PM GDPR has been in effect for just months but already tens of thousands of breaches have been reported to data authorities.  Scott Giordano, Vice President of Data Protection for Seattle-based Spirion reports in this podcast that this is a sign that business is taking GDPR seriously. It also reflects a key requirement of the legislation: the rule requiring notification of a breach – whether by a hacker or even due to a contract violation – within 72 hours.  That requirement forces companies to act quickly.  It is also a mandate that is spreading, with US laws and regulations also increasingly requiring similar notification timelines. Along with the new legislation has already come enforcement.  Google ran afoul of CNIL, the French data regulator, for the way in which users provided consent to the use of their data.  CNIL concluded it was too difficult for consumers to determine how their data was being used and stored. In general, Giordano recommends that organizations err on the side of caution.  They should take practical steps to ensure that they are handling data properly, starting with asking the basic question:  is there any reason to question the integrity of the data in their care? Businesses need to practice information security 101 – both to safeguard the data and to avoid running afoul of regulators – and to conduct a data inventory and risk assessment. Finally, looking to the future, Giordano counsels businesses to expect more legislation coming from states across the US.  Many have already taken notable steps to ensure that consumer data is protected. Listen in to help understand how your organization can better meet the challenges of GDPR and the ever-increasing number of data protection laws.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org When designing a compliance and ethics program, organizations want one that not only will prevent, find and fix problems, but also one that will pass muster with the US Department of Justice if there is an incident. The Criminal Division of the DOJ recently released an updated version of its Guidance document “Evaluation of Corporate Compliance Programs.”  The document is “…meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense…” It is also a goldmine for the compliance community, providing a roadmap for what a program should contain.  As importantly, it provides support to compliance officers, enabling them to show management why they need the resources that they are asking for. In this comprehensive podcast – it’s more than twice the length of our typical one – Orrick partner Billy Jacobson provides an analysis of what the Evaluation document says.  Billy brings to this discussion his broad and deep experience in compliance, having served as a chief compliance officer, general counsel, outside counsel and a prosecutor in the FCPA unit at the DOJ. Listen in as he highlights the key provisions of the document, what’s new vs. the previous iteration, insights into how the government’s thinking has evolved, and why even companies based outside the US should study the new Evaluation guidance closely. And, if you want to learn more, be sure to attend his session on this topic at the 2019 Compliance and Ethics Institute. Note:  Apologies for the technical problems that caused the echo you may hear.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org In October 2018 Assistant Attorney General Brian Benczkowski of the US Department of Justice issued a memo entitled “Selection of Monitors in Criminal Division Matters.”  Some took the memo to herald the end of corporate monitorships. Not so, says Eric Feldman of Affiliated Monitors.  In this podcast he explains that, instead, the memo was designed to improve both the selection of monitors and the process for determining whether having a monitor is appropriate. Over the years it had become the default to have a monitor when a Deferred Prosecution Agreement was put in place.  Now a cost/benefit analysis will be conducted before going down this often long road.  The DOJ will be examining factors such as who was involved in the wrongdoing and what progress the company has made on its own to strengthen its compliance efforts. The memo calls for compliance programs and controls to be tested, Eric explains.  In addition, prosecutors will be asked to assess whether there has been a change in the culture. Listen in to learn what the Benczkowski says and, as importantly, what it doesn’t say.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Roy Snell must have written a book’s worth of material each year as the CEO of The Society of Corporate Compliance and Ethics and Health Care Compliance Association, but it wasn’t until recently that he wrote an actual book.  The Accidental Compliance Professional is the first, of potentially several, from Roy. He sat down for a podcast, along with the book’s editor, Karen Latchana Kenney to discuss how the book was developed and written.  It started out, they explained, with the idea of giving some history of compliance but quickly evolved into a vehicle to tell stories and share what Roy had learned along the way. Listen in as they discuss: * How even accidental compliance professionals may have ended up in the job for very good reasons * The genesis and purpose of Roy-isms and Roy’s rules * The value in learning from mistakes * The importance of compliance officer independence * How conflicts of interest can get in the way of preventing, finding and fixing problems

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Kim Brandt, Principal Deputy Administrator for Operations at the Centers for Medicare & Medicaid Services (CMS) shared with the attendees at the 2019 HCCA Compliance Institute what the latest is from CMS, and what to expect in the coming months. For those who missed her talk, she was kind enough to sit down for a podcast and provide us with an extensive look at what CMS has done and will be doing.  Listen in as she shares: * The vast number of comments received on provider burdens, and how extensively CMS is actively addressing them * The comprehensive review of Medicare Conditions of Participation with the goal of removing obsolete, duplicative or unnecessary requirements * Progress on the Patients Over Paperwork initiative * CMS’s efforts to make data more transferable and accessible for patients * What CMS is doing to stem the opioid epidemic, including for new opioid prescriptions * Exploration of new value-based models * The new Medicaid program integrity strategy, and the audits that followed There’s a lot to learn.  Don’t miss the chance to learn directly from her.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Steve Priest of Integrity insight International has been a part of the corporate ethics scene for decades now.  He’s worked with companies all over the world and is expert at assessing corporate culture. In April 2019 we sat down for an atypical podcast.  Rather than dissecting one specific ethics or compliance challenge, we explored what’s concerning him these days. The conversation began with a discussion of cellphones and how disturbing they can be, as well as the poorly understood data protection risks. From there we moved on to the related and broad topic of another area where the understanding isn’t what it should be:  human psychology and behavior.  Steve argues that, for example, when it comes to training we tend to treat employees like children, telling them they shouldn’t do this or that.  He argues instead for a more prosocial approach, which goes hand in hand with the need to help employees better engage with the company.  That’s getting harder to do with so few employees staying with one employer for very long. One potential solution for addressing these challenges:  get more professionally diverse voices in compliance, people with skills outside of legal and audit. Along the way Steve also explains what he calls “The Three R’s” of putting in place a compliance program and the weakness of the fraud triangle. Listen in and enjoy an illuminating and entertaining conversation.  

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The European Bank for Reconstruction and Development (EBRD) was created after the fall of the Berlin Wall to help develop open and sustainable market economies in countries that were committed to and applying democrat principles.  To date, the EBRD has invested €130 billion in 5200.  Its focus is on private sector investment and supporting six market transition qualities:  competitive, green, inclusive, well governed, resilient and integrated. Lisa Rosen, the bank’s Chief Compliance Officer, along with her team play a central role in helping the EBRD succeed in its mission.  It’s not always easy, she explains in this podcast, since many of the countries where the bank has investments have serious corruption risks.  Alongside this risk are many others, including difficulties in determining the ultimate beneficial owner, anti-money laundering, terrorist finance controls, economic sanctions, as well as present and former government officials who may sit on corporate boards, or even in management. Listen in as she explains the challenges of compliance, the risks in former Communist countries, and the role the EBRD is playing in fostering compliance and being a beacon of integrity.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org These days everything is online, well, most everything.  As Kristy Grant-Hart of Spark Compliance Consulting discovered, compliance program information is often the exception.  It may not be there at all, or not be as optimized as it should be.  For example, one third of the Codes of Conduct available on sites surveyed weren’t even in color. When she sat down with us at the Berlin European Compliance and Ethics Institute she advised compliance professionals not to think of the website as just the website.  Instead, ask:  What does the website say about the compliance program?  Is it painting the right picture of your program?  Do you have the disclosures necessary under the UK and California human trafficking and modern slavery laws?  Is the code of conduct up?  Is there a CEO letter? Your employees, venture capital firms, and even prospective employees may be looking. Also looking at the site are individuals who want to raise a potential issue.  These people may work at your organization or for a vendor or supplier.  If it’s difficult for them to find the helpline info, they may keep silent or raise their issues elsewhere. Listen in to learn more about how your compliance program can raise its web game

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Going from good to great has a different meaning to all of us, but generally, it means moving the compliance program up from informal to evolving to optimized.  Along the way, there are a number of barriers to evolution, including potentially hundreds of offices around the world to reach,  where compliance sits in the organization, resource constraints, and culture. The key to going from good to great is to move away from just being a compliance program manager into part of the business decision-making process, explains Jacki Cheslow, Director-Business Ethics and Compliance, Avis Budget Group.  In this podcast, recorded at the 2019 European Compliance and Ethics Institute, she explains that making yourself valuable from a business perspective makes all the difference.  Some of the other pieces of advice she offers: * Changing the conversation from “no you can’t” to “yes you can” but with the explanation of what’s required * Focusing on the “what’s in it for me” for your audience * Using data analytics to demonstrate progress * Leveraging your contacts across the organization to be a connector when business people have challenges Listen in for more good advice on being great.