Compliance Perspectives

By Adam Turteltaub At Transparency International’s International Anti-Corruption Conference I had the good fortune of meeting Olusoji Apampa, CEO of Integrity Nigeria. I appreciated hearing his insights on corruption risk in Nigeria, and, to share them with a wider audience, we sat down for this podcast. The risk, of course, is real and high. Worse, many have bought into the idea that there is nothing that can be done, which leads to more corruption. But, happily, he reports that you absolutely do not have to engage corruption to do business there. How? First, he advises understand the risk level; it varies considerably. The picture is very different in Abuja than it is in Lagos, and Lagos is not the Niger Delta. Economic sector matters as well. Doing business in the education sector is very different than doing so in oil and gas or banking. The size of the corporation also has an impact on the corruption risk profile. Generally speaking, larger corporations ore better able to resist the pressure to pay bribes than small or medium-sized ones. So what should companies do? First, take a hard look at the specific risks of where they do business and what industry they are in. Second, don’t embrace corruption as a strategy. Aside from being illegal, paying one bribe can lead to demands for ever more. Third, stick to and be clear about what your principles are, and have a compliance program backing them up He also urges companies to think outside the box and never go it alone. Instead, they should embrace collective action, working with others who share a commitment to doing business the right way. Listen in to learn more about the risks and how to mitigate them when doing business in Nigeria. Listen now

By Adam Turteltaub Melanie Fontes Rainer recently marked the completion of her second year leading the Office for Civil Rights at HHS. In this podcast she shared some of the accomplishments over this time as well as what the health care community can expect next. She recounts the six rules that have been issued, ranging from reproductive rights to Section 1557 of the Affordable Care Act, which covers nondiscrimination and is inclusive of sex, race, disability, national origin, religion and color. Also of note have been activities designed to ensure access to documents in languages other than English. She also shares what OCR has been doing to engage with the provider community through in-person meetings, webinars, YouTube videos and resources on their site. Looking to the future, the Director warns that health care providers are likely to continue to be attractive targets for data breaches and ransomware attacks. She advises covered entities to do what they can to make themselves less attractive by having a risk plan and implementing it. Listen in to learn more about what OCR has been and will be doing.

By Adam Turteltaub There isn’t one way to handle conflicts of interest. Much depends on the research the organization is doing, its history and other systems. Hilary Kitson, Research Compliance Business Partner at Saint Luke’s Health System, reports that typically the starting point is Title 42 PART 50 Subpart F in the Code of Federal Regulations. It lays out time points when disclosures are necessary: Annually When discovering or acquiring a new financial conflict of interest (COI) At the time of application for PHS-Funded research Disclosures aren’t enough, though. There needs to be investigators and a review committee who are competent to examine potential conflicts and are sensitive to the confidentiality of the information involved. And what if there is a conflict? She advises involving regulatory and other professionals who can help develop a management plan, if one is necessary. Listen in to learn more about the very complex issue of conflicts of interest in research.

By Adam Turteltaub Here’s a terrifying thing I just learned: the average ecommerce website has 66 third-party tags on the page. That’s according to our podcast guest, Rui Ribeiro, CEO of Jscrambler. The tags, pixels and scripts control everything from the video to payment processing to the consent wall to the chat function. And, guess what: they may all be collecting user data, and, quite possibly, more data than they should. So what’s a compliance officer to do, other than lose sleep over the issue? First, make sure there’s an inventory on all those tags, pixels and pieces of JavaScript running on your site and what data they are collecting. While you’re doing it, don’t just ask what’s being run at HQ. There may be regional variations. Next, spend time with all the departments that touch the site to see what they truly need and that data isn’t being accessed without good reason. Then change your thinking around GDPR. It’s not about just getting consent to collect data, it’s time to use it as a warning to focus on knowing who the data is being collected from and why. Once you have that squarely in mind, you can find the right tools to control the data flow and ensure your organization and its third parties are only collecting essential data, not everything you can.

By Adam Turteltaub What have you done? What have you achieved? Have you forgotten? Did you succeed? What were your goals? Were they ever reached? What about your firewall? Was it ever breached? Jisha Dymond took inspiration from Dr. Seuss An annual tradition to give kids a boost. Take the time to note what you have done. It will be illuminating, and may even be fun. This is a podcast you truly must hear. It may change your outlook for many a year.

By Adam Turteltaub In April 2024 the US Equal Employment Opportunity Commission released an update to the Enforcement Guidance on Harassment in the Workplace. This was the first update since 1999. Stephen Paskoff, the President and CEO of ELI, explains that the guidance now treats LGBTQIA+ harassment similar to other forms of harassment. The document now also addresses behavior outside of the workplace, making it clear that employers need to train and be more sensitive to behavior beyond the factory gates. Listen in to learn more about what is new in the EEOC Enforcement Guidance on Harassment in the Workplace.

By Adam Turteltaub Document retention is one of those persistent issues that comes with a great deal of complexity. As Michael Kearney (LinkedIn), Head Solution Architect, Redgrave Data explains in this podcast, organizations have to deal with a dizzying array of rules. HIPAA has one set of requirements, state laws for medical records another, financial documents have a third, employment records a fourth and on and on it goes. In addition, there are business needs for retaining and disposing of records. So, what’s a compliance team to do? He recommends working with the business unit and other affected teams to write policies that meet the needs of all involved and work out any conflicts internally or among the regulations. Work, too, with employees who may want to hold on to documents longer than policy dictates. You may find that what they want to keep is the data, not the document itself. And, if there is a litigation hold, be prepared to work quickly with legal, IT and others to ensure that the relevant documents are preserved while your ongoing document retention processes continue.

By Adam Turteltaub Data analytics is a pretty darn big deal in compliance and ethics these days, with rising expectations for compliance programs to be able to demonstrate their effectiveness using hard data. The word “data” even appears a dozen times is the US Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs document. Walter Appleby, formerly VP, Compliance & Ethics at Georgia-Pacific and Rosie Williams, Director, Compliance & Ethics there will be addressing “Harnessing the Power of Data: Unleashing Compliance Excellence” at the SCCE 23rd Annual Compliance & Ethics Institute, which will be held September 22-25 in Grapevine, TX. In this podcast they explain that better use of data carries a number of benefits including a stronger risk assessment and management program, better informed decision making, and more effective use of compliance resources. Data analytics begins with collecting together the data you have and determining its quality. As the old adage says: bad data in, bad data out. Sources of data can include your helpline, training statistics, HR and even legal. You will also need to determine which metrics best reflect the performance of the compliance program. Here, the risk assessment is helpful, but so too is taking the time to listen to and think through the needs of your customers in the business unit. Next, determine the proper recipe for integrating the various data resources so you and leadership can gain insights into gaps and deficiencies. This likely includes taking the time to think graphically to determine how best to visualize the data in ways management finds useful. Listen in to learn more about how to use data to pinpoint issues, identify opportunities and assess the effectiveness of your program. And, don’t forget to catch their session at the 23rd Annual Compliance & Ethics Institute.

By Adam Turteltaub Mobile devices are terrible if you need to retrieve information from them. Employees hate handing them over and there are a ton of apps in which data disappears automatically. All in all, it’s just a nightmare. But, the government still wants you to track what employees are saying, and you may have to produce that data. Matt Rasmussen (LinkedIn), CEO, and Ryan Frye (LinkedIn), Chief Innovation Officer of ModeOne want to discourage you from falling into despair over the prospect. Employee resistance can be overcome by taking a targeted approach and using electronic tools that only seek business-related data. Even before you get to that point, though, they recommend taking the time to train the workforce about what rights the company has to the data so this doesn’t come as an intrusive surprise. Listen in to learn more about how to make retrieving mobile device data a bit less painful.

By Adam Turteltaub “What else should the board be asking?” It’s a good question in general and the tile of a session at the SCCE Compliance & Ethics Institute, which will be held September 22-25, 2024 in Grapevine, TX. In this podcast, the leaders of that session, Deborah Spanic, Chief Ethics & Compliance Officer of Clarios, and David Gebler (LinkedIn), Principal of Leading with Ethics, share that there are three fundamental questions the board should be asking about the compliance program: Is the compliance program well designed and aligned with risk? Is the program being applied earnestly and in good faith with adequate resources? Does the compliance program work in practice? From there a host of other questions fall out including those focused on culture and on the connection between the compliance program and the enterprise’s overarching strategy. Making sure the board is asking the right questions, and getting the answers it needs, requires a strong relationship with the compliance team. In Deborah’s case that includes being a standing agenda item for the audit committee each quarter and having a one-on-one conversation each mid-cycle with the audit committee chair. Listen in to learn more, and then be sure to join their session in Grapevine at the Compliance & Ethics Institute.

By Adam Turteltaub How do you get employees working remotely, who may have less of a connection to the company, to make the effort and take the risk of reporting potential wrongdoing? For Evie Wentink, it starts with recognizing the need to encourage a culture of reporting for these workers. It also includes recognizing that, even though they are remote, it doesn’t mean that they aren’t victims of or witnesses to a range of bad behaviors including harassment and bullying. Compliance teams should also recognize that remote workers lack many of the casual opportunities to discuss with peers what they are seeing and what to do about it. To help overcome these challenges, she recommends training and creating multiple reporting avenues. She also recommends training managers in active listening so that they know what do when an employee walks through the virtual door with a concern.

By Adam Turteltaub It’s not for nothing that there’s a year in the title of this blog post and podcast. Social media risks change frequently, explains Kortney Nordrum, VP, Regulatory Counsel & Chief Compliance Officer at Deluxe. She is the author of the chapter “Social Media Compliance” in The Complete Compliance and Ethics Manual and will be leading the session Social Media: Old News and New Risks at the 23rd Annual Compliance & Ethics Institute. These days the range of those risks is substantial. TikTok poses a notable challenge, since it accesses most everything on the user’s phone, which means work email and files may be exposed. At the same time the FTC and NLRB have been very aggressive in their enforcement. The FTC has been scrutinizing endorsements – and a “like” may count as one – by employees of their employer’s products and services. Meantime, the NLRB has made it clear that it believes employees have wide, although not complete, latitude about what they say about their workplace online. And, if that wasn’t enough, the marketing and social media teams need to be trained (and monitored) for what they are saying and doing in the company’s name. What should you do? She recommends training with concrete examples, teaching people some common sense, and keeping lines of communication open. To learn more, listen in and then don’t miss her session at the 23rd Annual Compliance & Ethics Institute.

By Adam Turteltaub Everyone wants a mentor. Not everyone gets one, and not every mentor-mentee relationship works out. Sarah Couture, Principal at Couture Compliance wants to change that. She’s the author of the chapter, “Mentoring for Compliance Professionals” in the Complete Healthcare Compliance Manual. In this podcast, she offers advice for mentors and mentees both. Here’s a sample: Mentors and Mentees Level setting is essential for ensuring expectations are aligned Think about your objective, what frequency of meetings makes sense and for how long the relationship should last Be humble and transparent Mentees Look for someone you respect Don’t only look for people who know exactly what you do; be open to outside expertise Let your goals help drive your mentor selection Mentors Consider if you truly have the time Ask: “Can I provide what this person is looking for?” Only select mentees you respect and click with Ask if the mentee is curious, willing to learn and to grow Listen in to learn more about how to make the mentor-mentee relationship work, and, if you subscribe to the Complete Healthcare Compliance Manual, be sure to read Sarah’s chapter.

By Adam Turteltaub Michelle Nichols (LinkedIn) from the compliance team at Farmer Mac definitely wins the prize for the most unexpected title for a session at the 2024 SCCE Compliance & Ethics Institute: “How Dating in My 50s Made Me a Better Compliance Officer.” As she explains in this podcast, the realization that people bring their past relationship experiences to potential new relationships shed light on a challenge compliance teams need to address starting with the onboarding process. While HR typically handles that process, laying out what the company’s policies and expectations are, that doesn’t fully address things. Simply stating that an employee gets x days of vacation may mean one thing to a person who came from a company where people took their vacations and another to someone coming from an organization where not taking vacation was a badge of honor. Likewise, the new employee may bring unwanted baggage with him or her when assessing their new employer’s culture and commitment to compliance. Listen in to learn more and learn what this means for both compliance teams and managers, and be sure to attend her session at the 2024 SCCE Compliance & Ethics Institute.

By Adam Turteltaub As the risk of human trafficking and modern slavery rises on the radar, compliance teams need to start their risk assessment by looking at the map, says Sam Logan, CEO and founder of Evidencity. The number of jurisdictions with laws in this area are increasing. In addition, some countries have far greater risk than others, with long histories of exploitation. Remember, though, that there is no such thing as a safe geography. A janitorial service in the US was found to be using child labor, and an Italian luxury goods maker’s contractor is alleged to have subcontracted with a business using Chinese laborers illegally in Italy. The key lesson from these cases: look closely at your suppliers to better understand where and how they do business. Be sure to review them not just when beginning a relationship but on an ongoing basis. Take a risk-based approach, focusing your efforts where the likelihood of modern slavery and human trafficking is greater. Finally, don’t forget about your customers. No organization wants to see its products used by forced or child labor.

By Adam Turteltaub The annual Navex Whistleblowing, Incident Management and Benchmarking Report provides valuable insights into what’s going on across the corporate compliance landscape. To get the highlights we spoke with Carrie Penman (LinkedIn), Chief Risk & Compliance Officer for Navex. The 2023 data showed that reporting reached an all-time high, with 1.57 reports for every 100 employees, up from 1.47 the previous year. Substantiation reached an 11 year high at 45%, which indicates that compliance teams are getting both more and better reports out of the workforce. Anonymity remained dominant, with 56% of reports arriving that way. Substantiation rates for anonymous reports held steady at 33%, which is lower than the 50% for reports given by an identified individual. Accounting-related incidents accounted for 4.3% of reports, a relatively small number. However, they were notable because they had the longest period between the observation of suspected wrongdoing and reporting. They also were the least likely to be reported anonymously. Third party reporters were likelier to report on business integrity issues, such as human rights, bribery and conflicts of interest. Substantiation rates were similar to those of anonymous reports. So what should compliance teams be doing as a result of this data? First, she recommends continuing to build trust in reporting systems. Second, prepare for an increased number of reports. Listen in to learn more about what is going on in incidents and whistleblowing.

By Adam Turteltaub Risk assessment and management is at the core of compliance and front and center on the agenda at the SCCE 23rd Annual Compliance & Ethics Institute, which takes place September 22-25 in Grapevine, TX (and virtually, too). Elizabeth Simon, Vice President of Compliance & Risk at Progress Residential will be contributing to the discussion with her session, “Enter at Your Own Risk: Optimizing Your Enterprise Risk Assessment”. In this podcast she provides a preview of her session and shares that compliance plays a unique role in enterprise risk management since it touches so many risk areas, from culture to operations to finance. This, in turn, requires that the compliance team become a part of the broader risk assessment process to know where the potential challenges are. It also requires that the compliance team bring its experience and solutions to the table and to the board to demonstrate it’s value to the enterprise and its risk assessment. Listen in to learn more, and then join us in Texas for the 23rd Annual Compliance & Ethics Institute.

By Adam Turteltaub In some ways it’s still the Wild West when it comes to AI, with developments happening faster than most can fathom and the law can respond. At the same time, though, the sheriff has begun to arrive. Gwen Hassan (LinkedIn), Deputy Chief Compliance Officer at Unisys and Adjust Professor at Loyola University Chicago School of Law explains that the EU already has a law in place with a particular focus on ranking the risks of AI, including those that must not be taken, and an emphasis on the privacy implications. In the US, there is legislation proposed that would require clear notification when content is created using generative AI. It has yet to pass. Thus far the strongest direction in the US comes out of the White House, where President Biden issued the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The order urges ethical generative AI guidelines, sets key goals for what good uses of AI are and calls upon various departments of the government to provide further analysis and direction. So what should compliance teams do now, despite the legislative holes? She recommends looking at how to extend the existing compliance program to AI and, as AI evolves, develop more specific programs that maps to its risks. Listen in to learn more about the emerging regulatory climate for AI.

By Adam Turteltaub If you’re thinking about attending an HCCA Research Compliance Academy, take a few minutes to l to this podcast featuring Kelly Willenberg (LinkedIn), one of the faculty members and founder of Kelly Willenberg & Associates. Listen in as she explains: Who the Academy is for. Basically anyone working in or with oversight of research compliance The teaching structure. All of the faculty members have deep research compliance expertise. They will teach both compliance infrastructure and many of the complexities of the numerous legal risk areas. The attendee experience. Small class sizes lead to opportunities to learn from your peers and build an extensive and deep network. She also gives an overview of the Certified in Healthcare Research Compliance (CHRC) exam. To read more about the exam and see the detailed content outline click here. So spend ten minutes listening to the podcast, and then plan on attending an HCCA Research Compliance Academy.

By Adam Turteltaub Corruption is a well-known risk in Latin America, but how great the risk is on a country-by-country basis is less well understood. To fill in those blanks and many more, the law firm Miller & Chevalier just released its 2024 Latin America Corruption Survey. The firm has been fielding this survey every four years since 2008, reports Matt Ellis, Latin America Practice Lead. It provides comprehensive, country-by-country data as well as, more granular information on the risks of dealing with various governmental entities. This year’s report, he shares on the podcast, had interesting news for the compliance community. It found that, although corruption remains a pervasive problem, corporate compliance programs, more so than enforcement, are perceived as being the key driver for change. The survey also revealed significant nuances in the anticorruption risk picture: Chile, Uruguay and Costa Rica are generally perceived as the lowest risk countries Venezuela, Bolivia, Honduras and Argentina are on the riskier side In general, political parties are perceived as being corrupt as well as municipal governments Brazil’s customs authority, Peru’s judicial branch, Argentina’s executive branch and Mexico’s police and local governments were all singled out as areas of concern Listen in to learn more about what the survey revealed, including corporate trends in investing in anti-corruption efforts.