Compliance Perspectives

By Adam Turteltaub For years Caremark has set the standard for expectations for board members. The notable Delaware case made clear that boards should exercise reasonable care in overseeing an organization. In practice that includes obtaining information about the organization’s compliance efforts and responding when signs of potential violations are found. As Jay Cohen, of counsel at the law firm Giordano, Halleran & Ciesla, PC explains, now a new decision (In re McDonald’s Corporation Stockholder Derivative Litigation) extends that same duty of oversight to corporate officers within their area of expertise. This significantly raises the bar for executives when it comes to ensuring the organization is operating in a compliant manner. Perhaps even more significantly, only two executives at a corporation – the CEO and Chief Compliance Officer – are expected to exercise oversight throughout the entire organization. This, he argues, has the impact of increasing both the scope and importance of the compliance role within the organization. So, what should organizations and their compliance teams do in the wake of this decision? Jay recommends that organizations raise the stature of the compliance team. Second, look at recruiting individuals for compliance who have a history in leadership to match the role. Third, build the compliance program around impact, not just activity. Listen in to learn more about what the McDonald’s decision says, and what it means for your compliance program.

By Adam Turteltaub You really should listen to this podcast. That’s my advice. If you do you’ll hear Scott Garland, Managing Director, Sanctions, Cyber, Fraud and Ethics Compliance & Monitoring at Affiliated Monitors give better advice on giving advice. He begins by advising a bit of humility: remember that having a quick and ready answer is not always best. You are likely the newest person to learn about the problem and least familiar with it. As a result, you need to take the time to learn and determine not just what the immediate problem is but also what the situation as a whole is. Don’t be afraid to ask others to slow down to ensure you understand things completely. Then, make sure you get the facts and context right. Be sure, too, to identify assumptions being made by the advice seekers to ensure that they are correct. They may not be. Once you have that information and the goal that the advice seekers have in mind, as well as what they see as the ideal outcome, then it is time to give advice. When you do, give them, he advises, a recipe and not a treatise on cooking. They don’t need to know the long history of the rules and the many exceptions. Instead focus on bite-sized information that they can use and share with others. The BLUF approach can be very effective: Bottom Line Up Front. By summarizing the issues succinctly at the top, you are more likely to reach people who are far more focused on the advice than the reason behind it. Listen in to learn more about how to give advice wisely, the importance of documentation and the role of empathy, and if you’re in SCCE member, read two articles on the topic by Scott on COSMOS.

By Adam Turteltaub Jay Mumford is a long-time compliance veteran and Senior Global Compliance Manager at Bio-Rad Laboratories. There he developed an approach he calls MTR, which stands for Metrics, Targets and Response Plans. It’s an approach, he explains, based on ideas from the quality movement. At its heart, MTR recognizes that whatever the compliance process may be, there is a need to manage at scale. To do so, you need standards and measurements, targets, and response plans in case you miss those targets. An MTR approach, because it is disciplined and focused on goals, helps avoid a whack-a-mole approach to compliance. It enables building your program in repeatable ways, whether that’s training or, as was the case for him with document retention, ensuring that all the documents are both accounted for an not retained unnecessarily. In this podcast he explains how MTR has worked in practice and the technology tools available to compliance teams, typically at no cost, to help them take an MTR approach. These include the Power Platform embedded in Microsoft’s Enterprise platform and Visual Basic for Applications in Excel. Listen in to learn about how you can put MTR to work for your compliance program.

By Adam Turteltaub Over the last decade private equity has discovered healthcare, and with that discovery has come a rush of money and compliance nightmares. Valerie Rock (LinkedIn), Principal, and Kristen Lilly-Davidson (LinkedIn), Consulting Senior Manager, at PYA explain that there has also come a growing awareness of the importance of compliance due diligence. Five to seven years ago, they explain, private equity (PE) firms were focused on business valuations and financial reviews. Over the years, though, they have learned to appreciate the importance of compliance and coding reviews, including clinical compliance. The shift was the result of too many instances of finding significant non-compliance issues post-acquisition. These, of course, can be very expensive. Firms today need to take the time to do site reviews to examine everything from the culture to the business practices to the condition of the building to the devices used. Often paperwork doesn’t match what actual practices are, and a dysfunctional culture can’t be identified by looking at a spreadsheet. Risks include the revenue cycle but also operational processes. If they are poor, the potential for fines and other penalties is substantial. Listen in to learn more about what PE firms are, or should be, doing as they enter the healthcare market. Plus, pick up some tips that can be useful for non-PE firms that are making acquisitions and conducting their own due diligence.

By Adam Turteltaub Non-compete agreements may soon be going the way of the dodo. The FTC just concluded its public comment period for its plan to eliminate them in most cases, and new rules are expected to be released later this year. Already, though, many states have restricted these agreements. In this podcast, and in his article in Compliance & Ethics Professional, John Gardiner of Bodman explains that the new FTC rule was designed to counter agreements that many felt were overly broad and restricted the ability of employees to find gainful employment elsewhere. The agreements also raised antitrust concerns since they could stifle competition; the FTC saw behavior among employers that appeared to them to keep employees from finding work elsewhere. The new rule could change that, greatly narrowing when a non-compete agreement could be enforced. It also means that non-disparagement and non-disclosure agreements that could have the same chilling effect on employment changes will likely fall on the wrong side of the line. So, assuming the rule goes into effect, what should compliance teams do? First, dust off existing agreements to determine how they measure up against the new rule and existing state laws. Second, be on the lookout for non-solicitation agreements and provisions requiring employees to reimburse their employer for training should they switch jobs. Third, make sure that the businesspeople understand what is and isn’t permissible. Finally, remember that this may be a moving target, especially if the courts start weighing in. Listen in to learn more about the changing and eroding ground under non-compete agreements.

By Adam Turteltaub The U.S. Department of Justice (DOJ) Criminal Division Evaluation of Corporate Compliance Programs document was updated in March 2023. Since then compliance teams and the broader compliance community have examined it closely, searching to better understand the government’s expectations. Gaurav Kapoor, co-CEO and co-founder of MetricStream, sees an overarching key message to the update: The DOJ expects organizations to have a well-designed compliance, ethics and risk program and, with it, the ability to closely evaluate and monitor its effectiveness. The bar has definitely been raised. So what should the compliance team do? First, to his reading, the DOJ is encouraging organizations to follow connected, holistic approaches to compliance programs. Second, how you train and communicate must be well organized and integrated into business processes. Third, third-party risk must be scrutinized and the interconnectedness with the business must be made more visible. As for boards, they need to understand that they must continue to play their role in the business and risk governance. They must also, though, act in overseeing the risk management and compliance programs and ensuring they are successful. To that end, boards need to ensure that these programs are sufficiently funded and led, understand where compliance reports and remove any conflicts of interest. Listen in to learn more about these topics as well as adopting a compliance culture, looking beyond the guidance, and the proliferation of guidance documents that compliance teams need to navigate.

By Adam Turteltaub These days, the term “blockchain” is no longer novel. Yet, many still struggle to understand what exactly it is and what implications, if any, it may have for a compliance program. Segev Shani (LinkedIn), Chief Compliance & Regulatory Officer at Neopharm explains that it is more than the tool underlying cryptocurrency. Blockchain is a technology in which data is stored in blocks, and once that block is full, another one is formed, creating a chain. This data is not held in one place but is distributed on multiple servers, which ensures that it cannot be improperly manipulated. When it comes to privacy, though, there is a privacy-blockchain paradox. While the security of the data is protected via blockchain, the data, itself, cannot be deleted. So, should compliance teams simply say “no” to using blockchain with personal data? According to Segev, not necessarily. A growing number of tools have been developed to manage this issue, including the ability for a data subject to turn their data on or off, making it either public or private as they see fit. It’s an intriguing area, and well worth the time to listen in to learn more.

By Adam Turteltaub Ah, social media. The cause of so much joy and pain, both for individuals and organizations. For compliance teams it can be a breeding ground for breaches, particularly in healthcare where HIPAA violations and social media tend to go hand in hand. Pinnacle Healthcare Consulting’s Sheila Limmorth tackled the issue of social media and compliance in the latest edition of the Complete Healthcare Compliance Manual and does so in this podcast. Some issues, such as a worker posting a photo with a patient, persist. Often innocent, these breaches are nonetheless serious. It’s the reason why ongoing training is necessary. A new worker coming, for example, out of fast food probably is unaware of the restrictions of HIPAA. Even veteran staff may lose track of the rules, and the marketing team may not realize that the testimonial they want to run still requires a signed consent form from the patient. In addition, the rapid turnover in healthcare workers means that if you have training on an annual cycle, it’s highly likely that a significant portion of the workforce has not received the education it needs. To make that training effective, she recommends providing examples of how to use social media properly, and ways that people may use it very improperly. Unfortunately, it’s not just accidental breaches and a lack of training you need to worry about. The website and the software on it are also important. She points to the Meta Pixel JavaScript Code that many hospitals were using and which allegedly could share the data with Meta, the parent of Facebook. As with other compliance risks, ongoing monitoring is essential for managing social media. Fortunately, there are providers of software that will scour the various platforms to look for posts and even identify material that was likely submitted by an employee. In addition, she advises encouraging employees to be on the lookout for and report material that shouldn’t be on the web. The goal of this vigilance shouldn’t be to catch and punish, but prevent, educate and avoid future social media disasters. Listen in and learn more in the Complete Healthcare Compliance Manual.

By Adam Turteltaub For all the talk of tone at the top, the reality is that few employees report to the top. Virtually all report to a manager somewhere in the middle, and it’s the tone that leader sets that is often most important. Susan Du Becker, Director Risk & Compliance at Microsoft believes that compliance teams need to focus on managing from the middle and getting this important level of the organization on board. So how do you get these managers to work with you? How do you earn their commitment to help, especially in risk areas like privacy and anticorruption? For her, it’s about being inventive and thinking about how you can get them to drive compliance rather than you. To do that, she looks for the key influencers who can serve as champions for the program. They can go upstream or downstream and will help carry the message. Gaining the support of these people requires some effort, she reports. You have to sell them on your vision and let them know that it is to their benefit to further it. If, for example, you can show the sales VP that getting expense reports right reduces the risk of an audit, keeps the salesforce out of trouble and increases the speed with which the team gets reimbursed, you have a supporter. Once you have middle managers on board, make their life as easy as possible. Take away the pain, and give them the tools, templates and PowerPoints they need to put the policy into practice. What should you not do? Become overexuberant. It’s critical to avoid running ahead and instead focus on a stair step approach. Also: remember you have to keep them committed. You can’t take them for granted. Listen in to learn more about how to make the middle of your organization your greatest supporter.

By Adam Turteltaub Most of the time people look at the termination of a problematic employee as solving a problem. Bob Woolverton of Top Tier Leadership Training believes that thinking is a mistake. As he points out in this podcast, it’s not an end point. Instead, it’s the time to start, if you haven’t already, assessing how the organization got to this point. The employee’s supervisor was responsible for ensuring the worker’s success and safeguarding his or her welfare. The termination begs several questions the manager should be asking: What should or could I have done to prevent this from happening? What is my culpability? If it’s a policy violation, am I certain the employee understood the policy, or did we just have him/her sign off? Did the policy not make sense in this environment? Was there an opportunity for misapprehension or misapplication? The bottom line it is the time to start a reassessment process. On an ongoing basis he recommends organizations’ managers take a “rudder tap” approach. What this means, in practice, is providing small adjustments to course when things begin to go awry, rather than waiting until things are so far off that a bad outcome is inevitable. Making this method successful requires fostering an environment where people – both employees and managers – understand that corrections can be positive and a part of a healthy corporate culture. Listen in to learn more about how a termination can lead to a process of positive change for the organization.

By Adam Turteltaub With the proliferation of sanctions in the wake of the war in Ukraine and more focus on responsible sourcing, trade compliance has grown exponentially in complexity. It has also become less of a compliance silo and become more integrated with other compliance efforts. To understand the state of trade compliance we sat down with Lindsay Bernsen Wardlaw (LinkedIn), Director, Trade Advisory Services, Amalie Trade Compliance, who outlined the four areas of trade compliance: sanctions, export controls, antiboycott and customs. Each has great complexity, and there’s much more than Russian sanctions to worry about. Restrictions on importing goods manufactured by forced labor have increased dramatically with the passage of the Uyghur Forced Labor Prevention Act that presumes good sourced from the Xinjiang region of China were made with forced labor. The law has real teeth, she explains. Of the approximately 3,000 shipments stopped under the law, none have been released because they were able to prove that the shipments weren’t made with forced labor; some have been released because they were able to prove they weren’t from the restricted region. So what should organizations be doing? First, take the time to understand your risks, including the primary inputs for your products and who your suppliers and customers are, including agents and channel partners. Understand, too, where the goods are being made, sold to and for whom. Have a restricted party screening process in place and an import/export classification strategy. Also, be sure to have a transaction review team in place for any deals that may be sensitive. She also recommends creating a crisis task force for when things go wrong, as they may. It will likely include the trade compliance, supply and procurement teams. Other potential members include IT, engineering, product management, and even communications. Listen in to learn more about what you need to do to ensure compliance in this ever-more complex risk area.

By Adam Turteltaub Compliance teams have long advocated for building more trust in the workplace. That is good idea for the corporate culture, but, counsels Sese Bennett, a virtual CISO for CereCore Advisory Services, going the exact opposite way may be better for your IT security. There he advocates organization never trust and always verify. So, what is a zero trust approach? It assumes that just because someone has logged in to your system doesn’t mean that person is who he says he is or that she can access the entire system. In practice that means carefully controlling access both into the network and within it. It means preventing people from accessing a low value part of the network and giving that person access to higher value servers. It means having a system that knows an individual doesn’t, say, normally login from Pakistan at 4:00 in the morning. It monitors sudden changes of usage. Importantly, he explains, a zero trust approach is not necessarily intrusive. Users won’t be forced to login repeatedly to prove who they are. Instead, it can work behind the scenes and be invisible to the end user. Listen in to learn more, including what teams you will need internally to adopt a zero trust approach and potentially better protect your data from breaches.

By Adam Turteltaub When discussing AI around compliance professionals these days you can instantly feel the tension. AI, for all its promise, has proven to be a bit of a compliance and ethics nightmare. Stories abound of AI embracing redlining and other discriminatory practices. Anthony “Ant” Stevens, CEO and Founder of Melbourne, Australia-based 6Clicks sees opportunities, though, for putting AI to work for your compliance program. It has the potential, he believes, to streamline activities, better tie policies to the underlying legal requirements and enable compliance teams to better understand the overlap of similar laws around the world. In this podcast he explains how the technology can help compliance operations, particularly ChatGPT. He also makes clear that there are limits to AI. A human element remains important for ensuring that what AI says makes sense, both on its face and for your workplace. Listen in to learn more about how AI can stop being the stuff of a compliance professional’s nightmares and start becoming a dream come true.

By Adam Turteltaub In 1986 the Emergency Medical Treatment & Labor Act (EMTALA) was enacted. As Mary Ellen Palowitch (LinkedIn), Senior, Managing Director, Dentons Health Care Group, explains in this podcast, just because it is long established doesn’t mean health care providers have it completely under control. Issues continue to come up. EMTALA requires hospitals that participate in Medicare, including rural emergency hospitals, provide medical screening to determine if there is a medical emergency. If, in fact, the patient requires treatment, the hospital must provide stabilizing treatment within their capabilities, regardless of whether the patient has the means to pay. Two areas often cause confusion and real issues under EMTALA. They are best known by the phrases “clinically stable” and “stable for transport”, neither of which is defined in EMTALA. Clinically stable, she explains, may be anything from a comparison to how the patient presented when first presenting or reflecting the patient’s overall condition. Stable for transport is a term commonly used in hospitals. It does not technically mean the patient is stable, but it signifies that the patient has achieved the level of care that the hospital can provide. Basically: the hospital has done all that it can, and it may be more prudent for the patient to be transferred elsewhere for the care needed. Complaints do arise under EMTALA and may come from patients or their families. When one is sent in to the government, a multistep process begins. The complaint is reviewed and can lead to an onsite investigation that may include comparisons to how other patients were treated, interviews with staff, a tour of the emergency department and review of records. Hospitals found to be deficient are required to remediate promptly. Listen in to learn more about how to avoid and manage EMTALA issues in your emergency center.

By Adam Turteltaub While we tend to think of colleges and universities as being filled with college students, children much younger are often on campus. In fact, Lindsay Meyer Bond, Executive Director of the Higher Education Protection Network, that there may be more minors on campus than regular students. Everything from enrichment programs to sports camps can bring hundreds of children with them. When looking for guidance as to how to keep campuses safe for children, there is no federal law to turn to. Instead, there is a patchwork of state regulations, and many universities have had to create policies of their own. For the most part, these policies require the reporting of suspected abuse or neglect. Many now require background checks for those interacting with kids that may be go beyond the initial screening when hiring. Often universities have codes of conduct that prohibit one-on-one interactions with minors, but there is complexity there. A professor may not know that the student showing up for office hours is under eighteen. In addition, there may be conflicts of law and regulations. Ohio State University has a program, she explains, where students can learn to fly. FAA regulations stipulate that only the student and instructor may be in the plane. Their solution: when the student is on the ground, he or she is never alone with an instructor. To successfully navigate the challenges of minors on campus, she recommends strong policies and ongoing communications plans. With turnover frequent in youth programs, it is risky to assume that the adults have been fully trained, unless that training is continuous. In addition, keep an eye on your campus Name, Image and Likeness (NIL) program. College athletes may be running their own programs and not be aware of all the rules. Listen in to learn more about how to manage this difficult and sensitive issue.

By Adam Turteltaub W. Bruce Cameron is the author of 8 Simple Rules for Dating My Teenage Daughter and a whole series of novels about dogs including A Dog’s Purpose which spent 63 weeks on the New York Times bestseller list. His latest novel is Love, Clancy: Diary of a Good Dog. So, why is he on a compliance and ethics podcast? Well, because his writing has a lot more to do with it than you might think, and he learned some painful lessons about setting and enforcing rules. It was easy enough to write those simple rules for dating his then two teenage daughters, but that didn’t make him popular. He was seen as a despot and met resistance (both overt and subtle). As for those daughters, one is now a CFO and the other, ironically, works in law enforcement. The experience taught him several lessons that compliance teams can relate to: You have to recognize that you can’t have complete control Just because you think thing will go better if others do what you say, they may not There is a need for human expression and accommodation for it Dogs have proven less argumentative for him. As he observes, they have been bred over the centuries to be absolutely dedicated to us. We raised them to be our tools first and then pets. Today they are thrilled when we come home and bring their optimism and hope, and their love of play, into our lives. Dogs, though, he believes, lack an innate sense of right and wrong. Instead, they are born with instincts where what pleases us is “right”. That, he explains, is why dogs owned by bad people turn out “bad”: they are doing what they think will please their owner and, to them, that’s the right thing to do. We have an ethical duty to dogs, he argues, because they are wired to please us. In addition, they were bred to depend on us even to survive. Listen in for a fun conversation about dogs, ethics and the often frustrating outcomes of setting even the most basic of rules.

By Adam Turteltaub The cyber landscape these days can be terrifying. Malware, ransomware, spyware, phishing, cloud-based computing and so much more are enough to keep even a compliance veteran up all night. There are other risks to consider, too, says Ganesh Krishnan (Twitter), co-founder and CEO of Anzenna. One major issue is scalability of IT security resources. As organizations grow larger and increasingly reliant on cloud-based software providers, the size and complexity of security challenges increase. If the cybersecurity team does not grow with it, problems increase, work doesn’t get done, and vulnerabilities quickly emerge. A second problem is the attitude the data security is the responsibility of the data security team. He argues persuasively that it isn’t. Technology can’t solve cyber problems. The entire company has to be focused on it. That includes the workforces, which has been labeled wrongly, he argues, the “weakest link.” Instead, organizations need to recognize that employees can be the strongest link and have to be treated accordingly. This means more frequent training and less punitive measures when things go wrong. Employees should not be fearful to come forward and report a mistake they made. He also encourages organizations to be more open when there is an incident, sharing internally what happened and what employees can do in the future to help prevent it from reoccurring. Listen in to learn more about how to improve your cybersecurity program.

By Adam Turteltaub While the trade compliance focus these days tends to be on Russia and the hundreds of sanctions imposed, one old issue remains: The Arab League Boycott of Israel. Despite improving relationships between Israel and some of its neighbors, progress has not been uniform and risk remains. In this podcast, Matt Silverman, Global Trade Director and Senior Counsel at VIAVI Solutions and author of the chapter “U.S. Antiboycott Laws: Understanding the Impact and Ensuring Compliance” in the Complete Compliance and Ethics Manual, explains that the boycott prohibits companies and individuals from doing business in Israel or with other companies that do business with the country. The US antiboycott law makes it illegal for US companies and persons to support the boycott, or, for that matter, any boycott that the US does not endorse. It would seem simple enough, but it isn’t. Individuals not familiar with the issue may not think twice of signing an agreement that says the company will follow the laws of the country where the sale is made. What they may not realize is that the country has laws on its books prohibiting business with Israel. Examples of boycott language can be found on websites of the US government. To comply with the US antiboycott law, both in the Middle East and elsewhere where boycotts may be in place, it is essential that employes be trained in what to watch out for. The company should also have an antiboycott policy. In addition, companies need to remember that there is an obligation to report any boycott requests. Listen in to learn more or read the chapter about the topic in the Complete Compliance and Ethics Manual.

By Adam Turteltaub ESG, cyber risk and privacy are all hot topics in compliance, but that doesn’t mean people typically identify the data issues as ESG topics. Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors and Assistant General Counsel at Marqueta, thinks that’s a mistake. Cyber and privacy, she believes, fall very much under the Social in Environmental Social and Governance. Just look at the many ethical issues surrounding data usage these days as proof. She explains in this podcast and in the chapter “ESG, Cyber and Privacy: Bridging the Divide” in the 2023 Complete Compliance & Ethics Manual, that privacy and security are not separate and apart from ESG. They are central to how the organization navigates the world and people around it. Keeping data secure is squarely under the social mission of the enterprise. To live up to that obligation, organizations have to focus more on keeping data safe and building proper systems around how individuals interact with the data. Simply believing “well, we have a good practice” is not enough. The practices have to support the ESG framework in terms of meeting the company’s commitments. In addition, the temptation to be data hoarders has to be tempered. Collecting data is easy to do, and it’s generally inexpensive to store. That makes it easy to rationalize indefinite retention. But, a clear path to data destruction is essential. Think of it like cleaning out the closet. It may not be easy, but it needs to get done. Organizations also need to embrace greater transparency about the processes in place to safeguard and use data. That helps investors and rating agencies better assess how the entity is measuring up against the SASB and other standards. Listen in to learn more, and then check out the 2023 Complete Compliance & Ethics Manual.

By Adam Turteltaub The Gartner Legal Risk & Compliance Practice recently released a report on the state of third party risk management. To learn more we talked with Chris Matlock, Gartner’s Vice President, Advisory – Corporate Strategy & Risk Practice. The report was developed, he explained, because of the substantial changes in business over recent years. As the size of businesses has grown – many of the Fortune 500 are 50%-100% larger than they were a decade ago -- the number of third parties they work with has increased dramatically and with it the “threat surface”. Complicating the challenge, much of the pandemic took place during the pandemic, when normal third party vetting processes were not possible. Today, with a threat of a recession, third parties are often under extreme pressure to meet the expectations of both their owners and their customers. The likelihood for compliance failures is higher. Gartner’s research found that the typical risk factors remain, but they have been intensified by both new regulations and stresses on supply chains. IT and cyber risks are growing larger at the same time that companies have made substantial investments in technology to enable their team to collaborate and interact with customers electronically. Adding to the challenge, many organizations do not have a mechanism for centrally managing their third parties, which makes it more difficult to ensure consistency in practices and respond when things go awry. Pushing the “stop” button with one vendor may trigger unexpected consequences three steps downstream. Additional stress has been created through, as noted earlier, a heightened regulatory environment. Anticorruption enforcement continues while the number of privacy laws grows. To manage the risks, many have turned to tools to collect more data on their supply chain, but that has posed the problem of having too much data and, as a result, difficulty in determining which pieces of data are truly important. To help manage these risks, Chris recommends enlisting the enterprise risk management team to create key indicators that can help monitor risks in a forward-looking way.