Compliance Perspectives

By Adam Turteltaub adam.turteltaub@corporatecompliance.org These days compliance typically stands alone and reports directly to the board.  But that’s not true for every organization. At Freddie Mac, compliance is a part of Enterprise Risk Management (ERM), albeit with a reporting line to the audit committee of the board. To get a better sense of how this relationship with risk works I spoke with Michael Levin, the Senior Director of Compliance there.  He explained that, like so many other large financial institutions, Freddie Mac operates with a three-lines-of-defense system.  Since both compliance and ERM served on the second line of defense, the company decided to combine the two under one executive leader. For Michael, there have been significant benefits to this relationship.  It has helped the compliance team to better understand risk, build bridges to the business unit, gain greater exposure to the board and become a part of business decisions much earlier. At the same time, there have been challenges, including helping the ERM team better understand the challenges of managing culture. Listen in to better understand the benefits and risks and being a part of risk management.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Delivering bad news is never easy, especially when that news is an allegation of serious wrongdoing.  Fortunately for the rest of us, Odell Guyton, Managing Director at Klink & Co. and a co-founder of the SCCE, is willing to share his expertise in this thorny area. As he explains in his podcast, it’s essential to have protocols in place before you have to deliver bad news.  These rules of the road should cover what will be brought to the attention of management or the board, and how the investigation will be managed.  One thing that must be delivered:  information they may need to share with the public, shareholders or the board. Once the investigation is in process updates should be handled judiciously, and it’s important to avoid delving into the more salacious areas. Finally, he explains how to handle – or more accurately have others handle —  any discipline that may be warranted. Spend some time listening to his thoughts.  It could make bad news a bit easier to deliver.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org If you work in a large, global company these days, odds are very good that there is an extensive ethics and compliance programs. Yet, many wonder why would a domestic company that’s small or medium-sized need one? Art Weiss, Chief Compliance & Ethics Officer at TAMKO Building Products has a great, short answer:  If you have people you need a compliance and ethics program. Working for a privately-held company in the US with a strong ethics and compliance program he has seen why every organization can benefit from compliance.  As he explains in the podcast, issues will always come up and having a code of conduct, policies and procedures is essential. He also points out that, regardless of size and geography, every company has certain risk areas that will require training:  conflicts of interest, harassment, gifts and more. To those who object, arguing that they lack the resources, he explains that small can actually be an asset.  It’s easier to do face-to-face training, and key stakeholders are easier to get to. Listen in to learn more about why every organization can benefit from a compliance program, and how to get the most out of your small-company program.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Marjorie Doyle, in addition to her years leading compliance and ethics programs, has long taught organizational ethics at SCCE’s domestic and international Basic Compliance and Ethics Academy.  In this podcast, she provides a primer on the topic. As she explains, organizational ethics is a focus on the organization’s values and how the organization wants to be seen.  It’s how you define your brand. Making the organization’s values come to life begins with incorporating it in the code of conduct, ideally with scenarios demonstrating real-life situations where they apply.  As Marjorie explains, the key is to incorporate the values wherever you can.  One good place to start is with HR and work to include in every job description a statement of the values and how particular values relate to the job.  And while there, it’s worth discussing how values, ethics and compliance will be included in annual evaluations. In addition to HR, the board can be a strong ally, if the values are taken from nice puffy clouds in the sky to practical applications.  She recommends providing boards with specific questions they can ask management, such as,  “Can we do this project and live up to our values?” Listen in to learn more about organizational values and how they can enhance your enterprise.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org There are a number of challenges to managing compliance programs in Asia:  With dozens of countries and thousands of languages, one size does not fit all.  There is tremendous diversity in cultures.  Some countries are common law and others are civil law societies.  Governments have different priorities for enforcement. But compliance officers can’t just throw up their hands, nor do they need to, says Jimmy Chatsuthiphan, who spent several years working in compliance in Asia before returning to the US.  He is currently serving as Director of Global Compliance Investigations for Panasonic Avionics Corporation.  The risks are substantial and can be managed, he tells us.  Plus, several countries in the Asia-Pacific region are known for having very clean business environments. As importantly, there are a large number of managers in the business units who are already familiar with compliance concepts.  As a result, it is not always an uphill battle. Success, he tells us in the podcast, does, though, require having someone on the ground in the region.  It is too large an area, with too great a time zone difference, to be managed remotely. What else works well in Asia?  Speaking to themes like karma and the importance of doing things right, even when no one is watching.  Likewise speaking about not disappointing your family, either your family at home or your “work family.”  Try also, he advises, citing incidents that have affected the company or competitors.  And, of course, having strong financial controls and third-party vetting. Listen in to learn more about these issues, the changing regulatory environment – compliance programs are being recognized more – and tips for conducting internal investigations.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Both HIPAA and the HITECH Act have been around forever in compliance years, but that doesn’t mean that the challenges they pose have all been met. In fact, Adam Greene, a partner at Davis Wright Tremaine in Washington, DC explains that the risks keep changing because technology keeps evolving.  Big data, Artificial Intelligence and machine learning are all changing the playing field, not to mention ransomware, information sharing and interoperability. In our talk together on this podcast he speaks to the dynamic environment as well as some of the issues compliance teams are facing when dealing with the regulators.  It’s a topic he knows well, having seen it from both sides.  Before his current tenure in the law firm, he served at HHS in the Office for Civil Rights (OCR). Some of the other topics he discusses include: * The disconnect between how information security professionals look at security vs. what OCR wants to see in compliance documentation * Ongoing difficulties in enabling patients to access and share their health data * Vendor management after the business associate agreement is in place * The European General Data Protection Regulation (GDPR), and not over or under-reacting * How best to approach regulators after a breach occurs Listen in.  He provides a good guide to changing times for this substantial compliance risk area.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org As CEO of Klink & Co., Jeff Klink has a unique and broad perspective on the challenges of global compliance programs, especially those operating in Asia.  Lately, he reports in this podcast, he has seen a rise of troubling kickback schemes plaguing large global manufacturers.  Employees are finding creative ways to get kickbacks, even setting up fictitious shell companies that appear independent. It’s a problem that, while not exactly a compliance issue, that should send up red flags for the compliance department because it points to weaknesses in third-party due diligence efforts that rely on database searches.  It often takes a site visit – one that exposes that the “company” address is actually just a studio apartment – to reveal the problem. What else should compliance teams do?  First, he advises, use a risk-based approach which invests more resources into higher risk areas.  In addition, focus on high-dollar vendors. Then don’t stop with the initial due diligence.  Ongoing auditing and monitoring are essential.  He notes that many companies do comprehensive due diligence of existing vendors every few years, especially those that interact with government officials. Listen in, and maybe share the podcast with your fraud team

By Adam Turteltaub adam.turteltaub@corporatecompliance.org These days it seems that most helplines are handled by external providers.  But, not ever company goes down that route.  For Brendan LeMoult, Fiscal Affairs and Anti-Illicit Trade Vice President at JTI, having an internal whistleblower line has distinct advantages. As he explains via this podcast, the company takes allegations itself and uses an internal investigations group for all its investigations. Employees are first encouraged to raise issues with line managers or persons they have concerns about.  If that doesn’t work, they have three ways to report anonymously or confidentially.  First, they can log on to an online portal.  Second, the company has about 250 contact persons throughout the company who have been trained to address concerns.  The third option is to come directly to corporate compliance and raise their issue. Once a concern is raised, the compliance team will examine if the concern is in scope — addresses code of conduct, policies or procedures or violation of law, rather than a routine personnel issue.  If it is in scope the allegation goes to the Business Ethics Committee which decides whether to refer the matter for a full-blown investigation. The goal of the process is to make sure that the person who raises the concern has the confidentiality/anonymity that they want, and the investigation process has sufficient independence. Listen in to learn more about the process, including the ongoing reviews of active investigations.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org When it comes to compliance due diligence during a merger or acquisition, the number one thing to know, says Kasey Ingram of ISK Americas, is that regulators expect it as a part of an effective compliance program. Even if the regulators didn’t have these expectations, it’s just plain prudent, he argues.  And, it helps the compliance department demonstrate the value it provides. So how can and should compliance be involved?  According to Kasey, it begins with having a seat at the table.  Introduce yourself to the M&A team even before a deal is in the works.  Deals happen fast;  if you’re not there at the start you may be left out. Once the deal begins, create a questionnaire for the business team to use to identify issues.  Do a quick risk assessment even before you begin the questionnaire, looking at the industry and the company’s history. The answers to your questionnaire can help identify potential issues which should be discussed with the M&A team.  They can then decide if the risks are worth taking or even price them into the deal. Also, recognize that when the deal closes the real work begins.  Compliance needs to do additional due diligence, and the company may need to self-report if violations are found – there are strong incentives to do so. In many ways, after the deal closes is the trickiest time for compliance.  It’s essential to have a checklist of things you will need to do, and be prepared for culture clashes: no two businesses have the exact same culture. Handle it all correctly and you could help both stem legal problems, and reduce internal friction. Listen in to learn more.  And for still more insights, consult the Complete Compliance and Ethics Manual.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org Sometimes you have to move on, whether it’s because your current compliance and ethics position isn’t working out, or because opportunity comes knocking. Steve Harrison of Conselium works with compliance professionals looking for new job opportunities and for companies looking to hire them.  He took time at the 2018 Compliance and Ethics Institute to record this podcast and to offer advice, starting with resume writing. He warns against resumes that are too internally focused, using, for example, abbreviations that only relate to the company and business that a candidate is working in.  For obvious reasons, resumes like this don’t translate externally.  Instead, he advises trying to portray yourself as generally capable, not just really good at what you do at your company. It’s also important, he advises, to get into the mindset of the person reading the resume.  Include information such as how many people report to you, the structure of your organization and projects that you led. What about at the interview?  He advises doing your due diligence before walking in the door.  Find out what the compliance reporting line is to see if there is appropriate independence.  Be sure to also go online to determine if the company has been in the news lately and for what. To stand out in an interview, bring ideas with confidence and talk about how you would approach the role and the program.  Also show a genuine interest in the business.  Ask the person interviewing you about their past work and what they like about working at the company. Listen in to his podcast to learn what can make you a more attractive candidate.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org While there is much discussion of the challenges in due diligence and third-party vetting in China, Russia and Africa, the risks and challenges don’t end there.  As Milos Stopic, Compliance & Ethics Officer, Middle East and Eastern Europe for Louis Berger International explains, when doing business in Eastern Europe and the Western Balkans it is a necessity as well. Happily, he reports in this podcast, it is increasingly becoming much more common and expected.  More companies are adopting due diligence standards, and even large companies are receiving more requests to give information about their compliance programs. But despite the progress, there is still resistance, mostly based on a lack of understanding as to why a company conducting due diligence is even asking questions in the first place.  That problem is often exacerbated by a lack of understanding of compliance programs. Listen is as Milos explains the challenges and what can be done to overcome resistance and help improve your due diligence efforts.  

By Adam Turteltaub adam.turteltaub@corporatecompliance.org May 25, 2018 was the deadline for companies to comply with the new European General Data Protection Regulation (GDPR), and for many organizations, it was a very long slog just getting there. Andre Bywater of Cordery Compliance warns, though, that it’s best not to think of that date as an endpoint.  Instead, it’s a starting line for a new era in data protection. Already many complaints have been brought before data protection regulators, and they have led to subsequent investigations based on allegations of violations.  One organization has already been told to stop processing data. So, the consequences for violations are real and, notably, they extend beyond the EU. Even companies who have done an excellent job preparing for GDPR need to remain diligent, particularly for data breaches.   Hacking is a problem and a headline grabber, but there is a significant day-to-day challenge with human error:  lost laptops, phone stolen, and so forth.  Under GDPR, organizations have to report these incidents promptly to the regulator and may have to tell the individuals involved. This need to report quickly makes it essential for compliance teams to have a plan in place for responding, even before the breach occurs. Another issue to prepare for: individuals have the right to ask what information the organization has collected on them.  That can be a time-consuming process that includes paper records.  Once again, it’s important to have plans in place before the request comes in. In sum, GDPR poses significant ongoing challenges and will be a part of compliance efforts for a long time to come.  Listen in to the podcast to learn more about what you should be thinking about and doing.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org The US Foreign Corrupt Practices Act and similar anti-corruption laws around the globe get the lion’s share of attention, but as the Wall Street Journal recently reported, sanctions accounted for 56% of fines in the last ten years, totaling $26 billion worldwide. Suzanne Bullitt, who is Director, Global Trade Strategy & Compliance at the Eastman Chemical Company, is well aware of the compliance risk.  She has to be. Suzanne took the time to share with us in this podcast a wealth of advice for anyone who oversees export compliance, or is wondering if the people who are supposed to be doing it are truly on the ball.  Hear her advice such as: * Ensure that all of your classifications are accurate and harmonized, and watch out for manipulations from the business units * Make sure that classifications are consistent, accurate and declared properly * Take the time to understand the regulatory requirements and country-specific requirements for both export and import * Be absolutely certain who the end user of your goods are, including who owns over 50% of the company * Be especially alert with joint ventures * Don’t forget to examine all parties to the transaction, including bankers, vendors and even the ships the goods sail on If you have trade compliance risks, take advantage of Suzanne’s wisdom.  It may help your organization avoid becoming a part of the next $26 billion in fines.  

By Adam Turteltaub adam.turteltaub@corporatecompliance.org For over two decades the Society of Corporate Compliance and Ethics and Health Care Compliance Association, along with the entire compliance profession, has benefited from the leadership of Roy Snell.  With Roy’s retirement beginning on November 1, 2018 we wanted to have one last opportunity to gain his insights while he is still the CEO. In this conversation Roy discusses: * What he’s most proud of from his years of leading the association * Reasons why the HCCA and SCCE have grown so strongly and for so long * Why the compliance profession has also seen such dramatic increases both in the number of compliance professionals and compliance programs * What the future will likely hold for compliance Be sure to take advantage of this opportunity to tap into Roy’s more than twenty years of experience working as a compliance professional and supporting our community.

By Adam Turteltaub adam.turteltaub@corporatecompliance.org In 2005 the London-based Institute of Business Ethics conducted its first Ethics at Work survey.   At the time it focused solely on Great Britain.  Since then, as Philippa Foster Back, the IBE’s Director explains, the survey has grown to include twelve European countries. The findings from the latest issue of this one-every-three-years survey were fascinating.  They found that more than three-quarters of employees thought that their corporation is honest.  The reasons for the positive feelings were codes of ethics and training for one.  In addition, Philippa tells us in the podcast, the corporate responsibility movement has raised awareness in employees’ eyes about how companies are behaving in the community. On the flip side, several factors can undermine employee faith.  In particular: people who see things wrong in their organization and don’t see the organization taking responsibility to stop it, particularly if someone had the courage to speak up and raise the issue. She encourages organizations, if they want employees to come forward, to write the speak-up policy from the user’s point of view.  Put yourself, she advises, in the shoes of someone who has seen something and wants to raise an issue:  Who is going to take the helpline call?  What will they ask me? Second, if your policy calls on employees to try to take the issue to their manager or supervisor, make sure that manager or supervisor knows how to handle the issue. Listen in to gain more of Philippa Foster Back’s insights.