Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: email@example.com
By Adam Turteltaub firstname.lastname@example.org

When a compliance breach occurs, one would expect the compliance team to be a part of the crisis management team. Crisis management expert James Green argues that compliance needs to be a part of the crisis management team regardless of the incident. That’s because even a response to a natural disaster may have compliance implications. For example, if a flood makes your office inaccessible, it may seem just fine to have employees work from home. But what if they are interacting with personal data? Is their home network secure enough to protect it, or are you opening yourself up to the risk of a data breach? This edition of the Compliance Perspectives podcast also includes other important advice for managing a crisis, including:

* Pick crisis committee members not based on their title but based on their knowledge of how the business works
* Be sure your response is a fit with your culture, or you may end up creating even more problems
* Know in advance which authorities you need to contact, what method – mail, email, fax, phone – must be used, and by what date
* Make sure you keep your employees informed about what’s going on; it’s better than them finding out through the media
* Revisit your crisis plan regularly and test it periodically

Listen in to the podcast now. You’ll be glad you did when the next crisis hits.
By Adam Turteltaub email@example.com

Compliance success in a heavily-regulated industry likely means working hand in hand with the regulatory team. Kasey Ingram, General Counsel and Chief Compliance Officer of ISK Americas, a global chemical company, knows this well. Few industries are as regulated as the chemicals business. As he explains in his latest podcast, success for him and his compliance program begins with understanding what compliance and regulatory each can do best. He focuses on looking at the big culture controls while the regulatory department, which has the very specific knowledge of all the details, deals with the day-to-day activities. To help ensure collaboration with regulatory, he advises that compliance be present, make sure people know who you are and are comfortable talking to you. That way you go from the compliance guy to a person. Second, build controls based on what people do and that both minimize interference and are easy to perform. Finally, he advises that you do your best to know the rules: if you can’t understand them you won’t have any credibility. Listen in as he also provides a process for building a regulatory compliance program that recognizes the risks, has proper controls in place and enjoys the support of key business leaders (even the ones who initially weren’t happy about it).
By Adam Turteltaub firstname.lastname@example.org

Managing economic sanctions compliance is a hot topic these days. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) just released a new Framework for OFAC Compliance Commitments. At the same time, the picture for Iranian sanctions seems to be changing daily. To help understand the issue, we sat down for a podcast with Kevin Braine, Kroll’s Regional Managing Director EMEA, Compliance Risk & Diligence. He explained that both the US and EU have been active in issuing sanctions, but that the US has proven a more active regulator, with very severe economic consequences possible for those who run afoul of sanctions regimes. Making matters more complex is that the sanctions may apply both to individuals (people and companies) and entire sectors. In addition, there can be differences in sanctions regimes between the US and EU, with the EU (when we recorded this, though that may have changed by the time you listen) taking a softer stance on Iran. France has even offered to compensate French companies for doing business with Iran if fined by the US. To get a handle on the issue, understand where the US and EU stand on Iran and Russia. In addition, know the sanctions regimes of other countries where your firm does business, Braine warns. It’s also crucial to know who is the ultimate beneficial owner (UBO) of organizations you do business with. That can be a great challenge in many countries, where ownership is opaque either intentionally or due to paper-based systems. Bottom line: listen in, and tread carefully in the realm of sanctions.
By Adam Turteltaub email@example.com

Conflicts of interest have likely been around as long as there have been people. When mankind learned to use fire, there was probably a guy who made blankets who criticized fire as too dangerous as a source of warmth, not realizing he was conflicted, or hoping others wouldn’t figure it out. Despite their timelessness, businesses can’t afford to not manage conflicts of interest. Brian Beeghly, co-founder and CEO of Informed360, explains in this podcast that most companies today have at least a conflict of interest policy. There, however, the paths diverge. Some have no mechanisms for tracking conflicts, others rely on paper-based methods and some have moved to automated tools and processes. Brian argues that companies have to look at the disclosure process itself, starting with the timing. Is it an annual event across the company or is it more personal and timed to when an employee starts working with a new customer or vendor, or assumes a new position in the company? Also, examine how easy it is for the employee to disclose their conflicts. Not only should the actual process be simple, but employees should also have the training to understand what conflicts are. Listen in to learn more about how your organization can better manage conflicts of interest.
By Adam Turteltaub firstname.lastname@example.org

Is your hotline ringing enough or too much? Are you getting too many calls in one risk area or country? Not enough in another? And is the telephone-based helpline really all you need anymore? To help answer these questions, UK-based hotline provider Expolink recently released its fourth annual Whistleblowing Benchmarking Report. In this podcast, Expolink Chief Executive John Wilson discusses some of the highlights with us. Notably, the data shows that picking up the phone, as opposed to using online channels, has declined considerably through the years. And, while actual calls now account for less than half of all reports, there is still great value to them. People often prefer and can be more forthcoming when there is another person on the other side of the line. In addition, they are less likely to be anonymous. Listen in as we discuss this issue as well as additional findings including:

* Whether the fear of malicious reports through anonymous channels is warranted
* The number of calls that are HR-related rather than compliance-focused
* The impact of the #MeToo movement on helpline contacts
* The often substantial variations by country in the types of reported violations, use of anonymous vehicles and reporting methods
* The rise in confidential reporting
By Adam Turteltaub email@example.com

Corporate Social Responsibility (CSR) poses an interesting conundrum for compliance and ethics professionals. Both CSR and compliance are, or should be, firmly grounded in an organization’s values. But from there things start to diverge. Compliance is charged with doing what is required, typically by law. CSR, though, has a broader mandate. As Alison Taylor, Managing Director, Sustainability Management at Business for Social Responsibility explains, CSR is a series of processes to ensure that corporations pay attention to existing and emerging social concerns about the environment and other issues, including human rights. This may seem a bit abstract, but in practice many CSR issues – think anti-corruption and human trafficking/modern slavery – become compliance issues over time. In her podcast with us, she provides her thoughts about what CSR is and isn’t, some of the challenges it has, and how CSR and compliance teams can and should work together. She also shares insight into the hot CSR topics that may soon be compliance issues. Listen in to better understand what every compliance professional should know about CSR, and potential emerging compliance risk areas.
By Adam Turteltaub firstname.lastname@example.org

An engaged compliance committee can be a dramatic and positive influence on a compliance program. Danette Slevinski (Chief Compliance Officer of University Hospital) and Judith Marber Fox (founder and CEO of JF Real Compliance Solutions) have seen it firsthand. So how do you get there? In this podcast, which is focused on healthcare entities but has easily extractable lessons for all organizations regardless of industry, they share their experiences and lessons learned. Listen in as they discuss:

* The value of senior leaders, and how to engage them
* The importance of voices on the committee that come from outside of senior leadership
* Comprehensive meeting preparation and how to do it
* The role of the committee charter and how it should be structured
* Conducting the meeting effectively
By Adam Turteltaub email@example.com

Operating a compliance program in Europe is not the same as running one in the US. Paris-based Maria Lancri knows this well from having worked as a compliance officer and currently as an attorney with GGV Avocats. For one, in Europe there is a strong need to consider the position of employees and the union. They must be consulted on many parts of the program, which means that compliance professionals have to be prepared to explain the advantages to workers of the compliance efforts. Other challenges include:

* NGOs who scrutinize company activities closely
* The Duty of Care Law, which covers Corporate Social Responsibility obligations
* Tougher privacy law and aggressive antitrust/anti-cartel regulators
* Increased demands on boards to oversee compliance programs

As she explains in the podcast, there is much to do to meet these challenges. In addition, there is a strong need to localize the program, not just in language, but also in approach. Listen in to learn more about what you need to know to effectively manage your European compliance efforts.
By Adam Turteltaub firstname.lastname@example.org

Joanne Chiedi, Principal Deputy IG and acting Inspector General at the US Department of Health and Human Services, recently addressed the attendees at the 2019 Compliance Institute. To help inform those who couldn’t attend the event, she was kind enough to record a podcast covering some of the key points from her talk. Listen in as she delivers several key messages to compliance teams, starting with the call to be bold and take action. With so much technological change and innovation in healthcare, compliance professionals can’t be shy and must have a seat at the table. Compliance and innovation must advance together, she argues, both to ensure controls are in place but also to provide compliance teams with data on how the program is performing. Two keys to future success for compliance teams, according to Ms. Chiedi, are agility and adaptability. Compliance will increasingly need multidisciplinary teams to work across the organization to gain new insights into program vulnerabilities and develop solutions for addressing them. This will require compliance leaders to reassess their staffing plans and engage in continuous reprioritization. Changing times can’t rely on static priorities. Don’t miss this opportunity to hear what the IG sees coming down the road for healthcare compliance. And, for those outside of healthcare, it’s good advice, as well. Technology is changing every industry.
By Adam Turteltaub email@example.com

Data risks are enormous for any organization these days, which is why Marti Arvin (Executive Advisor at CynergisTek) and Don Ahart (Internal Auditor, Hunterdon Healthcare) advocate for data management audits. As they explain on this Compliance Perspectives podcast (and also at the 2019 HCCA Compliance Institute), a data management audit is about the logistics of your data: where it is located, how it is classified, where it is stored, how it is used, who owns it, and who is responsible for maintaining it. That’s even more complex than it sounds because the temptation is to just look across the network, forgetting that much data is saved on laptops, removable devices and even mobile phones. To avoid getting overwhelmed by the audit, they advise breaking it down into manageable parts and recognizing that this can be, and probably will be, a multi-year process: once you have the audit done you still need to remediate. Listen in to learn more about what to look for, how to prioritize risks, and how to make your remediation efforts successful.
By Adam Turteltaub firstname.lastname@example.org

It happens to the best and worst of people: an ethical lapse. Sometimes it’s minor, and sometimes it’s major. But it happens. The question is why, and what we in compliance and ethics can do about it. Professor Stuart Pardau argues in this episode of the Compliance Perspectives podcast that to understand these behaviors it is more instructive to look at the common cases rather than the extreme ones. And, while doing that, pay close attention to the culture. For one, corporate culture is a place where compliance can have an impact. The second reason: culture can be an effective control. Some of the other suggestions he provides to prevent lapses:

* Slow down: fast-moving organizations and individuals don’t have enough time to think clearly
* Give people a goal beyond just making money
* Use training that provides rationales and reasons behind policies, not just what the rules are
* Give real-life examples showing the consequences of ethical lapses, including on people’s families

Listen in to learn more about ethical lapses, and how you can help prevent them.
By Adam Turteltaub email@example.com

Scott M. Giordano, VP, Data Protection, Spirion
Session P14: GDPR Compliance Post-Mortems: Lessons Learned from Facebook, Uber and Others
September 15, 2019, 10:30 AM – 12:00 PM

GDPR has been in effect for just months but already tens of thousands of breaches have been reported to data authorities. Scott Giordano, Vice President of Data Protection for Seattle-based Spirion, reports in this podcast that this is a sign that business is taking GDPR seriously. It also reflects a key requirement of the legislation: the rule requiring notification of a breach – whether by a hacker or even due to a contract violation – within 72 hours. That requirement forces companies to act quickly. It is also a mandate that is spreading, with US laws and regulations also increasingly requiring similar notification timelines.

Along with the new legislation has already come enforcement. Google ran afoul of CNIL, the French data regulator, for the way in which users provided consent to the use of their data. CNIL concluded it was too difficult for consumers to determine how their data was being used and stored.

In general, Giordano recommends that organizations err on the side of caution. They should take practical steps to ensure that they are handling data properly, starting with asking the basic question: is there any reason to question the integrity of the data in their care? Businesses need to practice information security 101 – both to safeguard the data and to avoid running afoul of regulators – and to conduct a data inventory and risk assessment.

Finally, looking to the future, Giordano counsels businesses to expect more legislation coming from states across the US. Many have already taken notable steps to ensure that consumer data is protected. Listen in to help understand how your organization can better meet the challenges of GDPR and the ever-increasing number of data protection laws.
By Adam Turteltaub firstname.lastname@example.org

When designing a compliance and ethics program, organizations want one that not only will prevent, find and fix problems, but also one that will pass muster with the US Department of Justice if there is an incident. The Criminal Division of the DOJ recently released an updated version of its Guidance document “Evaluation of Corporate Compliance Programs.” The document is “…meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense…” It is also a goldmine for the compliance community, providing a roadmap for what a program should contain. As importantly, it provides support to compliance officers, enabling them to show management why they need the resources that they are asking for. In this comprehensive podcast – it’s more than twice the length of our typical one – Orrick partner Billy Jacobson provides an analysis of what the Evaluation document says. Billy brings to this discussion his broad and deep experience in compliance, having served as a chief compliance officer, general counsel, outside counsel and a prosecutor in the FCPA unit at the DOJ. Listen in as he highlights the key provisions of the document, what’s new vs. the previous iteration, insights into how the government’s thinking has evolved, and why even companies based outside the US should study the new Evaluation guidance closely. And, if you want to learn more, be sure to attend his session on this topic at the 2019 Compliance and Ethics Institute.

Note: Apologies for the technical problems that caused the echo you may hear.
By Adam Turteltaub email@example.com

In October 2018 Assistant Attorney General Brian Benczkowski of the US Department of Justice issued a memo entitled “Selection of Monitors in Criminal Division Matters.” Some took the memo to herald the end of corporate monitorships. Not so, says Eric Feldman of Affiliated Monitors. In this podcast he explains that, instead, the memo was designed to improve both the selection of monitors and the process for determining whether having a monitor is appropriate. Over the years it had become the default to have a monitor when a Deferred Prosecution Agreement was put in place. Now a cost/benefit analysis will be conducted before going down this often long road. The DOJ will be examining factors such as who was involved in the wrongdoing and what progress the company has made on its own to strengthen its compliance efforts. The memo calls for compliance programs and controls to be tested, Eric explains. In addition, prosecutors will be asked to assess whether there has been a change in the culture. Listen in to learn what the Benczkowski memo says and, as importantly, what it doesn’t say.
By Adam Turteltaub firstname.lastname@example.org

Roy Snell must have written a book’s worth of material each year as the CEO of The Society of Corporate Compliance and Ethics and Health Care Compliance Association, but it wasn’t until recently that he wrote an actual book. The Accidental Compliance Professional is the first, of potentially several, from Roy. He sat down for a podcast, along with the book’s editor, Karen Latchana Kenney, to discuss how the book was developed and written. It started out, they explained, with the idea of giving some history of compliance but quickly evolved into a vehicle to tell stories and share what Roy had learned along the way. Listen in as they discuss:

* How even accidental compliance professionals may have ended up in the job for very good reasons
* The genesis and purpose of Roy-isms and Roy’s rules
* The value in learning from mistakes
* The importance of compliance officer independence
* How conflicts of interest can get in the way of preventing, finding and fixing problems