Compliance Perspectives

By Adam Turteltaub While the pandemic seems, at least for now, to be receding into our past, many of the changes from it have not, including a large percentage of the workforce that works remotely. While in some ways we have gotten used to this new normal, Lori Tansey Martens (LinkedIn), President, International Business Ethics Institute warns that there remains cause for concern. Specifically, the prevalence of high number of remote works has been and continues to negatively impact corporate culture. Culture is made up of the shared values and beliefs, norms, values, mission and purpose, and in many ways it differentiates one organization from another. Recent research shows that the common fabric binding people together into one culture is fraying. Survey data she shares shows that employee feelings of alignment has decreased substantially, and while those declines have leveled off among in-office and hybrid employees, they have not among remote workers. Remote workers also have the highest turnover rate and intent to change jobs, which suggests that they view their work as more transactional and are less committed. That can have a huge impact on ethics and compliance. Research suggests that employees who feel less loyal and committed are less likely to take into consideration reputational risk and long-term damage to the organization. Add to that data suggesting they are less likely to speak up, and it’s a dangerous prescription. So what should organizations do? For one, strive to connect people more fully. When workers are in the office together it’s okay to bring in remote workers via Zoom, but be sure that the people in the room are not just staring at their own individual laptops. You don’t want to exacerbate the issue by making in office people wonder why they should bother, given that they are still on Zoom. Look to do more in person rather than virtual training, people are already staring at their computers enough. Managers also need to be trained on how to manage and build teams with hybrid and remote workers. As she notes, we have totally upended the way we do business without giving them any real training. When bringing on new remote employees seek to make them feel connected. Send them a package with items reflecting the local flavor of the office and notes from their new colleagues. Make a commitment to bring them into the office occasionally. You can’t immerse them fully in the culture without doing so. Finally, track separately in-office, hybrid and remote workers on training, helpline calls and other metrics to make sure that the culture is present throughout your workforce, not just the in-house one. Listen in for more.

By Adam Turteltaub While most eyes have focused on the US Department of Justice’s document Evaluation of Corporate Compliance Programs when looking for guidance, it’s not the only DOJ source out there. Josh Drew (LinkedIn), Member, Miller & Chevalier explains that it would be wise to also look to Attachment C. What is it? It’s a document typically attached to Foreign Corrupt Practices Act (FCPA) resolutions. It specifies what the defendant company will need to do to establish and maintain an effective corporate compliance program. As a result, it, like the Evaluation document, provides very clear guidance as to what the DOJ’s thinking is when it comes to compliance. In August and September 2023 there were several changes to Attachment C. For one, it expanded the call for support from senior management down to include midlevel management as well. It specifically points to the importance of their tone and conduct: “The Company will ensure that mid-level management throughout its organization reinforce leadership’s commitment to compliance policies and principles and encourage employees to abide by them.” In the realm of training, it calls for metrics to assess the effectiveness of the training, not just that it was given. That’s a theme consistent with other direction from the DOJ. Not surprising for an FCPA-related document, it also calls for documenting the business justification for engaging a third party and ensuring that contract terms are specific. Third parties should also be tracked after the initial engagement, which means ongoing due diligence. And, here, too, as elsewhere, the Department of Justice reinforces the importance of both incentives for good behavior and disincentives for bad. Listen in and then be sure to spend some time reading Attachment C.

By Adam Turteltaub At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile? Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting points out in this podcast that just because the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done it’s best to do so annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy. When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies. When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, potential threats, vulnerabilities and security measures. Then, assign risk levels, prioritize and document your thinking. Years from now no one will remember what decisions were made and why, without the documentation. Be sure to look externally at your business associates, particularly those with evergreen agreements. They may have run out of date. Listen in to learn more about how to make your HIPAA risk assessment stronger.

By Adam Turteltaub Steve Forman (LinkedIn), Senior Vice President at Strategic Management Services, had an eye-opening experience years ago when interviewing for the job of Vice President of Audit and Compliance for New York Presbyterian Hospital. The chair of the board’s audit and compliance committee told him that his main role was not to find problems or weaknesses but to validate through the discipline of the audit processes what management suspected were problematic areas in terms of audit and coverage of risk areas. That insight had several implications. First, it underscored that operational managers will always know more about their risk areas than auditors will, which means they are in the best position to identify problems and weaknesses. Second, it was a good reminder that there are never going to be enough auditors to even address the high risk areas. Once again, we are dependent on managers. So what does that mean? It means that monitoring should help drive the audit plan and strategy. In addition, managers need to be listened to on a regular basis, and they should be charged with monitoring. In addition, he observes that the risk assessment must also not be treated as a static document. Risks can go up and down during the course of the year, and the risk mitigation strategy needs to be adjusted with it. Listen in to learn more about how to improve your monitoring and auditing, as well as the role of management in it.

By Adam Turteltaub Economic espionage sounds more like the stuff of a spy thriller than a day-to-day concern for business. Not so, as it turns out. To learn more we sat down with the FBI’s Counterintelligence Division Unit Chief Matthew Charles and Cyber Division Supervisory Special Agent Michelle Liu. Economic espionage generally refers to stealing trade secrets for the benefit of an overseas competitor, often one aligned with a foreign government. An employee at your organization working on a sensitive project may be leveraged, frequently with the lure of cash and other payments. Typical targets include technology with potential military use and, of late, pharmaceuticals. To counter this threat, the FBI Cyber Division maintains partnerships with many private sector companies to identify nefarious conduct on their networks. Meantime the Counterintelligence Division looks upstream for actors coming into the US seeking access to US technology. So what should companies do? First, protect yourself. Encryption can be helpful along with limiting access to sensitive information only to key people. Make sure, too, to track who in your firm is accessing trade secrets. Also, be sensitive to unusual employee behaviors or changes in affluence levels. An employee suddenly downloading large files at night, emailing their personal email address sensitive information or whose debt problems have inexplicably disappeared could be engaged in economic espionage. Just don’t jump to any conclusions. There could be legitimate reasons for these actions. Second, the FBI advises reaching out to them when an incident occurs. The FBI can’t investigate without ongoing collaboration of the victim organization. They also advise that it is never too early to call them in, and if you do not want them there, they will pull out. Finally, take the time to leverage government resources. Be sure to familiarize yourself with the US Department of Justice’s Criminal Division’s Computer Crime and intellectual Property Section (CCIPS) website. You will find there information on reporting computer, internet-related or intellectual property crime. And, of course, listen in to the podcast to learn more about the risks of economic espionage and what you can do to mitigate it.

By Adam Turteltaub How do you understand “neurodiversity” or “neurodivergence”? It starts with the recognition that no two human are exactly alike and not two brains function exactly the same way. It then goes on to recognize that for people with ADHD, autisms, dyslexia, sensory integration and executive function issues, those differences can be substantial. Estimates are that about 20% of the workforce has some sort of neurodivergence. In this podcast, Jason Meyer (LinkedIn), President of LeadGood Education, explains that compliance teams need to recognize neurodivergence when communicating with the workforce. This means looking for more structured communications that make it easy for learners to see things step by step. Another technique to pursue is reducing cognitive loads and demands on working memory. A test at the end of a two-hour course may be too much for many people to be able to manage successfully. Some other tips include having visual cues to accompany text and offering an audio option. That way if someone is limited in one sense, they can rely on another. If you have someone neurodivergent on your team, start with watching your assumptions. If a person is person not making eye contact or responding to questions haltingly, don't assume they don't care. They may be neurodivergent. Above all, be empathetic and listen, and park your preconceived notions at the door. Listen in to learn more about the challenges and opportunities with neurodiversity.

By Adam Turteltaub Currently there is a patchwork of anticorruption laws across the EU. What has been lacking, though, is a EU-wide approach. That is likely to change soon, reports Vera Cherepanova, founding partner of Studio Etica. Change is afoot. In May 2023 the EU issued a new proposal to combat corruption, including a new Directive of the European Parliament and the Council on combatting corruption by criminal law. The new directive, she explains, makes it clear that actions by senior executives can have significant consequences both for the individuals involved and their organizations. Companies could face fines of no less than 5% of worldwide turnover. Notably, like the US Foreign Corrupt Practices Act, the new EU directive has extraterritorial reach, which raises the prospect of more enforcement actions. The directive also includes incentives for compliance programs consistent with what is found in law elsewhere: “…where legal persons have implemented effective internal controls, ethics, and compliance programmes, it should be possible to consider these actions as a mitigating circumstance.” Meantime, across the English Channel, the UK Parliament is considering a new Economic Crime and Corporate Transparency Bill, which could be represent a hugely significant change in the enforcement landscape. It includes a crime of failure to prevent fraud. In addition, corporations can be held liable for acts of senior managers. Listen in to learn more about the upcoming changes and what they may mean for your compliance program.

By Adam Turteltaub Kristine Coy-Foster (LinkedIn), Senior Manager, Compliance & Employee Engagement at Vulcan, had a challenge many in compliance face: tracking all her to-dos, and then, once a to-do turned to done, tracking the accomplishment. It was important for her to be able to capture the challenges she faced, new ideas tested and processes developed. Trying to keep it all straight in Outlook or Excel spreadsheets wasn’t enough. To solve the problem she invested the time to learn Smartsheet, a platform that primarily is for managing projects and automating processes. In it, she created workstreams, alerts, dashboards and more. She also created categories for each of the functional areas she oversees and organized her to-dos accordingly. The solution has worked well for her, but, she cautions, it does take a strong commitment to keeping everything up to date. Listen in to learn more about how to put this tool to work for you, or, maybe, customize the tool you are already using to track your own compliance team’s progress.

By Adam Turteltaub Since the 1930s the United State has had import bans on forced and convict labor. But, the rules were tightened, explains Evelyn Suarez, Principal, The Suarez Firm and Thad McBride, Partner, Bass, Berry & Sims PLC, in 2021. That is when Congress passed the Uyghur Forced Labor Prevention Act (UFLPA). The act has a rebuttable presumption that goods made in whole or part with labor from the Xinjian region in China is made with forced labor. If US customs suspects that goods are made in this region, they can stop them until the importer can provide the necessary assurances. In addition, goods made in other regions are also being stopped because their supply chain includes labor from Xinjian. So, what should compliance teams do to help the business unit navigate the issue? For one, it’s key to go beyond the first line supplier, as is typical, and start looking deeply into the supply chain and start researching your supplier’s suppliers. Suppliers should be asked what connections they have to China. Mapping questionnaires should be developed and issued. Training needs to be given, and third-party vetting vendors will likely be needed. In addition, develop interdisciplinary teams to create a plan for responding should a shipment be held. Even before that, start developing a good relationship with customs and take advantage of their expertise. As is the case with so much else in compliance, keep good records that you can present to customs, maybe even on a proactive basis. Finally, keep your eyes open for customs ruling and court cases that may provide guidance on what to expect next.

By Adam Turteltaub We spend a lot of time in compliance discussing how to encourage employees to come forward and report any wrongdoing they see around them. Considerably less time, though, is spent on how to handle employees who report their own wrongdoing. In this podcast, Stefani Sonzzini Navarro, LATAM Compliance Officer for Corteva Agrisciences balances the scales. Encouraging employees to come forward with their own questionable acts, she explains, begins with having the right culture. People need to be comfortable and feel safe to report. Getting there takes time and repetition, she explains, along with a strong anti-retaliation policy that covers self-report wrongdoing as well. When an employee first brings the potential issue to your attention, she advises letting them know that if they report something you are obligated to act on it, and that you have to do what is in the best interest of the company. Let them know you will protect their confidentiality as much as possible, but that you also will have to remediate. This will help build trust, but also let them know what is likely to happen. The subsequent investigation should be conducted as quickly as possible, in recognition of how anxious the subject likely is. Throughout, she advises, be open and make yourself available. If you let the employee grow too anxious, there could be adverse behaviors and consequences. If the employee has in fact done something wrong, their willingness to report much be recognized. Let them know that things would have been worse if they had not spoken to you. Listen in to learn more about how to encourage and support self-reports of wrongdoing.

By Adam Turteltaub While many of the world’s governments are struggling to determine what to do about AI, Brazil already has a track history in this area. As Maria Victoria Mota, Corporate Attorney at Viapol (a subsidiary of RPM), explains in this podcast, the roots of government action in Brazil go back to 2018 with data protection regulations that are similar to the European General Data Protection Regulation (GDPR). This initial legislation was followed by a second in 2020 created to develop the rules of how the government, companies and individuals may use AI. It was followed by more legislation, most recently in 2023. The latest came after a committee of jurists was created to help frame the bill. Working with scientists and experts in technology, they examined how AI should be used and AI laws of 31 different countries. The goal was to creation legislation specific for the needs of Brazil. Privacy is a central pillar of the bill, which is also based in human rights and sound data protection practices. It is designed to ensure accountability, and organizations seeking to comply need to follow eight steps, Maria explains: Create a multidisciplinary work group. Empower the group with knowledge so they can bring learning to company. Map AI in the company. Understand what departments are using it and how much. Create a policy and procedures around AI and document them. Train employees on the policies and procedures created so they can understand how important they are. Apply the policy and procedures. Stay current with changing laws and regulations. Audit compliance regularly Listen in to learn more about both Brazilian AI law and what makes for effective internal controls around the use of AI.

By Adam Turteltaub Fast Company recently ran an article with the headline “Research Shows High Performing Employees are More Prone to Unethical Mistakes.” It’s both an alarming and an intriguing proposition. To understand more I spoke with Richard Bistrong, CEO of Front-Line Anti-Bribery LLC, who co-authored the article along with Ron Carucci and Dina Smith. Why are high performers potentially so dangerous? For one, he explains, success tends to block scrutiny. People don’t like to question it and are just grateful to see so much of it. They may not think to look or not want to look too deeply. Another challenge is that the more successful people are, the more addicted to success they may become, something Richard knows from his own experience. The challenge of being a corporate hero, he explains, is that once you earn that status, you typically don’t want to give it up and may end up going down what has been called the rabbit hole of success. At the same time, the company may be exerting pressure on the individual to do ever more, partially because it is standard practice in business to set higher goals. But also, the company may grow disproportionately dependent on the results the high performer can generate. Fortunately, there are several things that can be done to mitigate the risk without clipping the wings of the highflyer. For one, compliance teams should try to look at the incentive plans to both identify the risks and help mitigate them. While there, look to also include compliance measures that make it clear that it’s not just about achieving the goals, it’s also about how you achieve them. Second, connect rewards and good performances with the company’s values and mission. This helps the high performer understand both what the rules are and why they are important. Listen in to learn about how to get the most out of higher performers while avoiding the risk that can come with them.

By Adam Turteltaub In the September 2023 issue of Compliance and Ethics Professional® (CEP) magazine, Andrea Falcione (LinkedIn), Chief Ethics and Compliance Officer and Head of Advisory Services of Rethink Compliance LLC, wrote about fostering a speak-up culture. Institutional justice, she wrote, is a critical part of that effort and “paramount to gaining and keeping employee trust.” To learn more about the topic, I sat down with her for this podcast, in which she explains that there are four elements of institutional justice. The first is Respect for everyone involved in an incident. That includes the person who comes forward with an allegation of course, but it should also include those the allegation was raised against, any witnesses and also people who come forward to self-report. By doing so, you make it clear that it is safer and better to come forward when there is wrongdoing. Voice is the second element. She shares that this means allowing people to speak and share their story. It also means listening attentively, showing interest, making good eye contact and asking open-ended questions. Neutrality is about making unbiased decisions and not letting a conflict of interest get in your way, such as when investigating a high performer in the organization. Transparency, about both the process and the outcome, is the fourth key element. It helps build trust that the process is fair and demonstrates that there will be a thoughtful response by the organization. Listen in to learn more about what institutional justice is and how to improve it in your organization.

By Adam Turteltaub Where is the compliance profession now and where is it going? To find out we sat down with Chris Audet, Chief of Research at the Gartner Center for Legal, Risk & Compliance Leaders. Gartner recently issued a report: “Key Budget, Staffing and Spending Trends for Compliance in 2023”, and in this podcast he shares some of the insights in it. When it comes to budgets, compliance teams are strained, but not how they expected. During the pandemic there were fears of large funding cuts. While there have been some reductions, on the whole they have been minor. However, workloads have increased dramatically. This has led, he explains, to overstretched departments where the loss of even one FTE can be devastating. Three key issues have led to the increase in demands on compliance teams: The challenge of tracking regulations. A rising number of issues, such as ESG, that may have begun in another department but are now considered compliance’s responsibility Conducing internal investigations in an expeditious manner. With workers in the office less, the pace of investigations has slowed. To help get the work done compliance teams are investing more heavily in technology, particularly in risk management systems. The pace of investment is expected to grow as compliance teams contend with flat budgets and reduced staff. To retain staff, Gartner advises creating a strong value proposition that includes a work-life balance and career development. Listen in to learn more about the state of compliance and how teams are coping.

By Adam Turteltaub When an organization begins to expand globally, or even when a global organization enters a new market, the compliance challenges can be considerable and multiple. In this podcast, Dr. Shan Nair, President of Nucleus explains that companies need to worry not just about issues such as anti-corruption and data privacy. There are a host of HR, accounting, corporate taxation, indirect taxes, withholding taxes and other compliance issues. In addition to these obligations there may also be filing requirements. Germany, for example, requires a special filing if a local subsidiary is not self-funding. Making things more complicated is that a trusted source for compliance advice in one area likely is completely unaware of the challenges in another. The bottom line is that it takes a concerted effort and a very local approach to meet all these obligations and ensure that the organization is compliant not just on the big issues, but on the dozens of less headline grabbing ones as well.

By Adam Turteltaub You may not realize it, but your compliance program has a brand. Line employees and management all have a host of impressions about the compliance department that color how they respond to what you say and do. A strong brand means that your actions are more likely to be appreciated. A weak brand means it’s a very steep uphill climb. Adam Balfour, Vice President & General Counsel for Corporate Compliance at Bridgestone Americas and author of the book Ethics & Compliance for Humans, is an advocate for compliance teams making the effort to invest in creating a strong, positive brand that communicates the value of the program. As a part of that effort, compliance teams need to move beyond simply building awareness to ensuring that the brand resonates and is relevant to the organization. To do that he advocates taking a people centric approach and using three methods of motivation: Start with why. Don’t just tell them what to do. Tell them why they need to do it beyond “the law requires it”. Emphasize group safety. Share what others in the organization are doing and use community as a motivator. Use incentives. The US Department of Justice is calling for them, and they can be very helpful, even non-monetary ones. Finally, leaning on his United Kingdom roots, he encourages compliance teams to think like soccer midfielders, players who can both defend and attack. Listen in to learn more about how you can strengthen your compliance program’s brand.

By Adam Turteltaub On October 4, 2023 at the SCCE Compliance & Ethics Institute in Chicago, US Deputy Attorney General Lia A. Monaco spoke live from Washington to the attendees and used this opportunity to announce a new Safe Harbor Policy for voluntary self-disclosures made in the context of the merger and acquisition process. Under the policy, acquiring companies that promptly disclose criminal misconduct voluntarily within the six-month safe harbor period, cooperate with investigators and engage in remediation, restitution and disgorgement will receive the presumption of a declination. She also explained that, absent aggravating factors at the acquired company, it will not impact the acquiring company’s ability to receive a declination. She also shared how the Department of Justice has been fighting corporate crime including: The expansion of corporate enforcement efforts in the national security realm New tools DOJ is using to penalize corporate misconduct and provide invectives for good corporate citizenship Areas where they see further opportunity for innovation and expansion Listen in to learn more and hear her underscore the importance of compliance programs, proper corporate incentive plans, and the DOJ’s expectation that the compliance team will have a seat at the deal table.

By Adam Turteltaub Much of the day to day of compliance isn’t about understanding laws. It’s about influencing human behavior and steering people in the right direction. In this podcast, Scott Young, Principal Advisor and Head of Private Sector at Behavior Insights Team, Americas shares that understanding how people make decisions can help compliance teams be more effective. To do so, he advocates for using behavioral science to gain a broader perspective for thinking about human behavior. The field has shown, for example, that the classic economics model of rational thinking doesn’t always apply. Too often we operate in a semi-automatic mode, making decisions quickly, not really aware we are even making them. So what do compliance teams do? Adopt what he describes as the EAST Framework. Easy. Make sure the proper choice is the default choice. Attractive. Make compliance fun and engaging. Embrace gamification and other ways to make compliance more attractive to people. Social. Humans are social being and we are curious what others are doing. Thinking about tapping into the power of the group, such as leveraging social norms. Timely. Having reminders and controls in place when they are timely is difficult but not impossible. Look for the right moments of intervention and the right, often quick, reminder of what is the right thing to do. Listen in to learn more to learn how you put a behavioral approach to work for your compliance program.

By Adam Turteltaub NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer. Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from their job. It was still a minority, but a larger one than before. Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy. Looking globally – the survey also has data broken out for Germany, France and the UK – there was a far from uniform picture, with country-by-country variations showing varying priorities and levels of satisfaction. For example, risk and compliance professionals in Germany reported their ability to measure training and behavior higher than their peers in France and the US. All in all, the report makes for a fascinating, and sometimes troubling, picture of the practice of compliance. Listen in to learn more about what the data said and what it may indicate for your compliance program.

By Adam Turteltaub It may be time to rethink background checks. Brent Douglas (LinkedIn) partner at the law firm Hahn Loesser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history. He also warns that in some jurisdiction screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check. That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation they are often obligated. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology. If your organization conducts background checks, it may be best to have a third party conduct it for you. This both leverages their expertise and may shift liability if the check is done improperly. He also cautions that even a casual internet search of a prospective employee may turn up a past criminal conviction and cross the line into what legally constitutes a background check. For those concerned about the risks of hiring a criminal, he points out that roughly 95% of the population does not have a criminal background. Amongst those with a conviction, about 95% of those were for marijuana possession or a DUI. He asks; is it worth doing the background check given these odds? Listen in to learn more about the risks of background checks.