Compliance Perspectives

By Adam Turteltaub adam.turteltaub@corporatecompliance.org While Romania is a part of the European Union (EU), it has a corruption problem typical of less-developed states.  Admitted to the EU under a Cooperation and Verification Mechanism, it is subject to monitoring, according to Charles Vernon, an attorney in Bucharest with a large compliance practice. Lately, the country has not fared well with its EU monitors who have added eight additional steps for the country to take. The reason for the remedial action is what Charles describes as steps backward when it comes to fighting corruption.  The leadership has tried to loosen anticorruption laws and constitutional courts have stepped in, overturning verdicts on narrow technical grounds, he reports. At the same time, however, the public has not been quiet, taking to the streets in protest.  In addition, the younger generation recognizes the need for better governance nationally and looks to multinational companies as places where they can work with integrity and rise on their own merits. Listen in as Charles explains the risks of doing business in the country, the need for greater vetting of suppliers, and what’s going on in privacy laws.  GDPR is not as well implemented as elsewhere in Europe, but it is still a force to be reckoned with, and privacy is already closely monitored in the healthcare industry.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org One of the most provocatively titled sessions at the 2019 SCCE European Compliance and Ethics Institute was “Becoming ‘Invited In’:  Creating Compliance ‘Addicts’ Globally.” Aversion, not addiction, is more typically associated with compliance, unfortunately, and it made me want to learn more.  So, I asked the two co-presenters to sit down for a podcast to share what they meant by the term.  Nadege Rochel, Global Compliance Manager and Susan Roberts, Chief Compliance Officer of Hollister Incorporated both readily agreed. A compliance addict, they explained, is someone who does something extra beyond simple compliance.  So, how do you get people to become addicts?  Not surprisingly by rewarding them.  But what may be surprising is how simple a reward it was:  a pin.  It turned out to be both an offer of recognition and a way for the recipient to be recognized by his or her peers as someone with a strong commitment to ethics and compliance.  It also triggered a competitive streak, with others wanting to earn the pin as well. This simple approach has infused their compliance programs and offers lessons for others seeking to create cultures in which the compliance program is embraced.  As they explain, they did not stop with pins. At sales meetings they try to schedule lunches and breakfasts with people, and even join in at the end of the day.  There’s a compliance booth where employees can win a ribbon or candy for answering a question correctly.  And, once again, those who wear the ribbon generate interest in those who have not yet earned one. These techniques, coupled with several other business-team friendly initiatives, have helped the compliance team and program make tremendous strides. Listen in, even though we can’t give you a pin for doing so. Note:  Nadege speaks first.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Few can look back at a career in compliance and ethics as rich as Alan Yuspeh’s.  He served as the coordinator of the Defense Industry Initiative (DII), Senior Vice President and Chief Ethics and Compliance Officer for HCA Healthcare and as a president of the Health Care Compliance Association. In a fascinating conversation he shares his experiences and learning from a remarkable career. In 1986 he began his role with the DII, which includes 50 of the largest defense contractors.  Many of the elements of compliance programs that are commonplace today owe much of their existence to the efforts of DII members:  codes of conduct, compliance training, and hotlines to name a few. Then in 1997 he joined HCA and moved from the highly-regulated defense arena to the equally regulated healthcare industry.  A great deal of what worked in defense found a place in healthcare as well. During his time at HCA he developed a compliance program that had three aspects that he felt were particularly valuable and distinctive: * Having effective local compliance and ethics officers * The development of Responsible Executives for each area of compliance risk: experts tasked with developing strategies, policies and procedures for mitigating key risk areas * Energetic compliance reviews processes Listen in as he explains more about this trio of programs and discusses both micro and macro ethics.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org For many organizations outsourcing their data management is very desirable.  It can provide a wide range of benefits, including the ability to capitalize on machine learning. But outsourcing has risks that must be well understood and managed, says Dan Fabbri, the Founder and CEO of Maize Analytics and Assistant Professor of Biomedical Informatics and Computer Science at Vanderbilt University.  In this Compliance Perspectives podcast he explains that there are risk areas to consider and important questions to ask your vendor:  Is the data being held separately or mixed with data of other covered entities?  Will the vendor be using the data for non-contracted purposes?  Who has physical access to the data?  Is the data being accessed by IT and support people located outside the U?  Will the data be stored outside the country? Understanding the implications of the answers to these questions can make an enormous difference in whether your organization can trust that its data is secure, and exposure of Personal Health Information is unlikely.  It can even protect you from poorly-informed AI affecting your organization. Listen in to learn more about how you can safeguard your healthcare data more securely.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Compliance is never easy, and it is especially difficult for mid-sized companies in emerging markets.  Many of them operate in countries where there is not even a word in the native language for compliance. Frank Brown and Anna Kompanek of the Center for International Private Enterprise (CIPE) help companies meet this challenge.  Fortunately, they report in this podcast recorded at the 2019 Compliance and Ethics Institute in Berlin, help is coming.  Large, international businesses that they partner with are encouraging, and often requiring, compliance programs from firms in their supply chain.  This has helped midsized firms see the benefits of investing in compliance, not just as a means to prevent corruption but also as a way to have a more complete risk management system. At the same time, though, challenges remain.  Some tools offered by risk management vendors are causing confusion.  ISO37001 is sometimes presented as a panacea but can be a trap because of its one size fits all approach, they argue, and many midsized companies don’t have the resources to comply with the standard. In sum, it’s a challenge, but by listening in to the podcast compliance professionals in large companies will gain a better appreciation of the struggles of their midsized suppliers in developing markets.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Each year countries lose billions to corruption, fraud and other compliance failures. When it comes to stemming this problem, helplines are crucial.  In fact, a study by the Association of Certified Fraud Examiners found that 50% of corruption cases were found through tips from employees. The challenge for helplines is that there is often an assumption that the calls will come in through a landline.  For much of the world, though, that’s not the case.  Employees are more likely to have mobiles, and that toll-free number isn’t toll-free.  Worse, problems often arise in developing countries where English or other European languages may not be widely spoken.  If your helpline provider doesn’t have a native speaker on premises, it can lead to long delays and awkward three-way calls with a translator. Paula Davis of Waypoint GRC encourages compliance officers to begin rethinking how they put their helplines to use and explore alternatives such as apps.  She also advises “mystery shopping” the line:  making test calls in multiple languages to see how well the helpline provider handles them.  Also, she suggests asking the provider for abandoned call rates, to see if people are staying on the line. Listen in to get ideas for how you can improve your helpline’s effectiveness.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The 2019 European Compliance and Ethics Institute began with a riveting address by Drago Kos, Chair of the OECD Working Group on Bribery. The OECD has played an enormous role in the anti-corruption efforts, setting standards that countries commit to, and holding them to public account if they fail to meet their obligations. After his talk, he took the time to record a podcast in which he shared some of the key points covered in his longer keynote address.  These include: * Only half of the OECD members have been active in anti-corruption enforcement, but there has been an increase * Rising nationalism has come with increased indifference to international standards and efforts, including the fight against corruption globally and domestically * High trust, he believes, leads to less corruption: to fight corruption you must first build trust * The OECD is working on revisions to its 2009 recommendations for combatting bribery, and this will include a public comment opportunity * The latest series of country reports shows some progress but also serious deficiencies Listen in for his insights, concerns, and warnings.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org A few months ago the threat of ransomware – and some actual cases – was sending chills of fear through hospitals, municipalities and the business community. Since then reported ransomware incidents have decreased substantially, but that doesn’t mean the threat is gone completely, warns John Riggi, the Senior Advisor for Cybersecurity and Risk for the American Hospital Association and a veteran of the FBI.  In fact, he explains in this podcast, it remains a real risk, but just one of many risks out there. Supply-chain related attacks remain an issue, for example.  Remember when the Target system was infiltrated by hackers who came in through the HVAC provider’s connection to Target’s system?  That is still a potential problem, even extending to medical devices plugged into networks at healthcare providers. Another threat to watch out for:  business email compromises, in which a cyber adversary impersonates an individual with payment authority in the organization.  He or she then sends instructions to an employee to wire funds, ostensibly to a vendor, but in reality to the criminal. So how do we help prevent these issues?  According to John training is critical.  Employees need to know what to watch for and, in the case of payments, know when to stop and call someone to confirm the instructions. Likewise, employees need to better understand the risks posed by lost files, flash drives and laptops. But, in the healthcare arena, most importantly they need to understand that patient care also means caring for patient data. Listen in to learn more.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Tomell Ceasar has spent the last 10 years working in compliance and governance roles in Dubai, both for local and multinational companies.  In that time he’s seen a lot of change in compliance programs. For one, he notes in this Compliance Perspectives podcast, the job used to be a lot lonelier.  Until about five or six years ago there weren’t many other compliance professionals. Since then the compliance profession, and compliance programs, have grown dramatically in the region, and with it has come a change in corporate cultures.  Gift giving and lavish entertainment, for example, have been reined in as part of an effort to meet international norms.  And compliance programs are the norm, rather than the exception. Listen in as he explains how the transformation is continuing to unfold, the cultural issues that still exist, and the ongoing importance of training in the region.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org By Adam Turteltaub A merger or acquisition is an expensive proposition for an organization and one that is rich in both business and compliance risks.  That’s particularly true for the healthcare industry, with its substantial regulatory burden and constant change. Shirley Qual and Andrea Ekeberg at UnitedHealthcare will be sharing their expertise on M&A compliance risk at the 2019 HCCA Compliance Institute.  In this podcast they explain that successful compliance risk management begins with getting a seat at the table and persuading the business team that compliance can bring value to the conversation.  Specifically, we can help them to prioritize and identify risks before the deal closes. Once the deal is done, it’s time for compliance to go back to the seven elements of a compliance program and assess whether they are present at the acquired entity.   Also, it’s essential to find out if they have a risk assessment, and what it says. Then, Shirley and Andrea suggest, look into past enforcement actions and how the entity has responded. Listen in to learn more about how to manage the compliance role during a merger or acquisition.  And don’t miss them at the 2019 Compliance Institute.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org With a constant stream of enforcement actions related to the US Foreign Corrupt Practices Act (FCPA), it can be difficult to read the tea leaves and discern the patterns. Laura Perkins of Hughes Hubbard & Reed is co-author of the firm’s Annual FCPA & Anti-Bribery Alert, which gives her perspective on what all those individual cases are pointing to.  In this episode of the Compliance Perspectives Podcast she reports that the biggest trend in 2018 was the growth in international enforcement and cooperation in anti-bribery laws.   More and more it’s not just the US Department of Justice (DOJ) or the UK Serious Fraud Office prosecuting on its own.  Enforcement authorities from across multiple jurisdictions are working together. A second trend is a significant increase in individual enforcement actions.  The DOJ seems to have made good on its word to focus on the people, not just the companies they work for. Listen in as she discusses these trends, the pace of prosecutions, the state of the DOJ’s Pilot Program, and how GDPR is affecting internal investigations.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Sydney Finkelstein is the Steven Roth Professor of Management at the Tuck School of Business at Dartmouth.  In addition, he is the author of 20 books, including Why Smart Executives Fail, Think Again and SUPERBOSSES:  How Exceptional Leaders Master the Flow of Talent.  And, if that wasn’t enough, he is the host of his own podcast series:  SydCast. He took some time to sit down for the Compliance Perspective Podcast to share some deep and actionable insights. In our conversation we discuss: * The common causes of business and compliance failures, both start with human frailty * How to overcome the natural resistance to limits being set * Developing talent on your compliance team: think like a teacher * Building a compliance department that will survive your departure * What to expect from the next generation of business school grads. Relax, it’s good news. Listen in to gain these and other insights from a top business school professor.  

By Adam Turteltaub adam.turteltaub@corporatecompliance.org No one wants to work under a Corporate Integrity Agreement (CIA), but there are lots of good lessons that can be learned from them. Laura Ellis, Senior Counsel in the Office of Special Counsel to the Inspector General at HHS, and Michael Lampert, a partner in the Boston office of Ropes & Gray will be addressing CIAs in their session at the 2019 Compliance Institute in Boston. In this podcast they reveal some of the insights they will be sharing at the conference.  They focus on three elements now found in all CIAs: * Board members are required to pass a resolution finding that their compliance program is effective and in compliance with the corporate integrity agreement provisions. * Senior managers must sign an annual certification that they have been trained on compliance, are aware of the compliance program, have operated their department in a compliant manner, and are not aware of any improper behavior. * The company undergo an annual compliance risk assessment. These elements are designed to ensure that compliance cascades through the organization and that the compliance program remains dynamic and aligned with key risks for healthcare providers. Listen in to learn more about the OIG’s office’s approach, and then join them at the 2019 Compliance Institute.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org For a long time corporate internal investigations in Asia tended to be anti-corruption related, reports Robert Hunt, a partner in the Hong Kong office of the law firm Herbert Smith Freehills.  These days, though, while bribery is still an area of great concern, other issues have started to gain more of the spotlight.  Of particulate note, he relates in this podcast, are sales and revenue fraud, money laundering, and sanctions. But whatever the risk area, there are multiple factors that compliance professionals need to consider when conducting investigations in Asia.  Data privacy is a growing concern, as many Asian countries either enact new or strengthen existing privacy laws in the wake of GDPR.  Adding to the complexity, the Bring Your Own Device (BYOD) phenomenon has made it harder to access employee communications.  No longer are all electronic communications backed up on the server, with workers increasingly using WeChat and WhatsApp to communicate. It’s not just employee communications that may be an issue.  Internal communications with the legal team are a risk area of their own.  Privilege laws vary greatly when conducting an investigation, something to be considered when generating or collecting documents. And, when interviewing suspects and witnesses, it’s essential to remain aware of and sensitive to the language and cultural issues.  Even an executive who speaks English regularly may prefer using the local language when in a high-stress interview. In sum, before you leap into an investigation it’s essential to look and to listen to this Compliance Perspectives Podcast.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Culture is always discussed as critically important to successful compliance and ethics programs, but what is it exactly? “Culture is what happens when an individual’s behaviors meet an organization’s,” according to Jane Mitchell, the founder and director of JL&M, a consultancy.  In this podcast, Jane, a frequent speaker at SCCE international programs, offers a deep and sometimes provocative perspective on what culture is, what makes for a healthy culture and how to manage culture. Listen in as she discusses: * The key dimensions of corporate culture * The question of whether the organization is supporting the behaviors it says it wants * The interplay between a compliant culture and an ethical one * How to encourage “speak up” behavior * Organizational justice * How to use employee data effectively * The role of the CEO and leadership in shaping culture