Compliance Perspectives

By Adam Turteltaub Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program. In this podcast she argues for embracing professional development and owning your own advancement. Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year. The same information, she points out, is very helpful when looking for your next position. It can help you both recall what you have done and prepare to answer questions about key accomplishments and solutions you have developed. When it comes to speaking at conferences and writing, she offers some simple advice: Just start. If you don’t you will always wonder what might have happened if you did. From a practical perspective, she urges people to remind themselves that the first draft doesn’t have to be the last. You can turn to others for feedback who can help you revise and improve that article or speaking proposal. To get the best advice, she recommends creating what she calls a wisdom council: a group of individuals whose advice you can trust. The council should be made up of people with diverse skills and experiences who have practical expertise and the comfort level with you to offer both encouragement and honest feedback, even if it is uncomfortable. Listen in for more advice on how to level up your skills and how to find the courage to pursue your goals.

By Adam Turteltaub You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there? Kristy Grant-Hart CEO of Spark Compliance Consulting and a former compliance officer, herself, shares in this podcast several excellent tips for making your conference time truly valuable. Her recommendations: Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks. Pick the sessions based on both the topic and the speakers you want to listen to and meet. Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have a defined times to work and a defined time to be fully present at the conference. Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending. Take advantage of vendor receptions and dinners to meet more people. When you connect onsite, also connect on LinkedIn right then and there. If you promise you’ll send someone a follow up email, do it that night before you forget. Don’t be afraid to approach people you don’t know. They’re probably there to meet new people, too. Put your follow-ups for once you’re back in the office into a list that you can easily find. Listen in to hear more great ideas for getting the most out of your time at the conference.

By Adam Turteltaub In 2023 the Society of Corporate Compliance and Ethics (SCCE) launched a second workshop designed specifically for investigators. The Experienced Investigator Workshop. Meric Bloch, who is one of the two instructors and Principal at Winter Investigators, explains in this podcast that the workshop is very different from most. Rather than using a traditional method of instructors in front of the room, it seeks to engage the participants directly and make them a part of the learning. Participants are led through case studies and asked to take an active part in the classroom interactions. This provides an opportunity to explore the issues, consider various ideas and think deeper. Looking beyond the surface level mechanics of the investigation is a central part of the workshop. Much of the conversation focuses not on the what to do’s, but the why’s: why use a certain technique, why one choice may be better than another. The workshop also helps its participants to prepare for what he refers to as the “unknown unknowns”. Often investigators plan out an investigation, Meric notes, based on what they know and what they known is as yet unknown. However, as the process proceeds surprises occur, previously unknown unknown elements must now be tracked down. So who is the workshop best for? Several groups: Those who already know the basics and want to get to the next level. Individuals seeing to have a wider perspective on cases and become not just an investigator but also a business advisor. People who aspire to be a full-time investigator and seek to raise their competence. Lifelong learners. Listen in to learn more, and then take some time learning more about the investigator workshops.

By Adam Turteltaub First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains, Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework. The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted. The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling EU data, a process that will be overseen by the US Department of Commerce, with enforcement handled by the FTC. Whether self-certifying for the first time or recertifying, there are countless details to be watched. There are special provisions, for example, when it comes to HR data. And, of course, there is a question of whether courts in Europe will allow the new regime to stand. There is already speculation that a new case may be brought in January 2024. For now, though, there is a new EU-US Data Privacy Framework in place. Listen in to learn more about what your organization needs to do to comply.

By Adam Turteltaub Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe. Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations. Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers, have written agreements with them that accounts for security standards and includes a process for due diligence before engaging with them. Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security. Perhaps needless to say, this is not likely to be a quick process. Also likely to be time consuming is the mandatary self-assessment questionnaire. Listen in to learn all that PCI 4.0 requires and to hear an important warning: just because you outsource your credit card processing, doesn’t mean you outsource the risk.

By Adam Turteltaub Stamford Health has just a bit less than 4000 employees spread out in over 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy. To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site. What aren’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it. To make the week fun they have developed a wide range of activities including a: Haiku contest. Employees are challenged to write a haiku based on the organizations core values. Where’s Waldo type game in which employees have to spot all the breaches on a messy desktop. Question of the day. Word search, which is probably the most popular of all. There is also the opportunity to nominate compliance heroes, with rewards to both the hero and the person who nominates them. While all of these are great for building the relationship between compliance and the rest of the organization, she advises that you shouldn’t let your Corporate Compliance & Ethics Week be the only time a year in which the barriers come down. She recommends investing wherever possible in face-to-face interactions. You would be amazed, she tells us, at what a coffee cake can do to help. Listen in to learn more about how to make your Corporate Compliance & Week celebration a success.

By Adam Turteltaub Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissues is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that his falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency to believe that, for example, the lab is reporting the results and so the physician does not need to. That’s not the case, he explains. Worse, many facilities do not even know that they need to report cancer findings. Listen in to learn more about how to ensure your health care facilities are meeting their cancer reporting requirements.

By Adam Turteltaub When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA shares the free resources the association provides and how to take advantage of them. First stop are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents. To see all that’s there, first login on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The group selects topics to discuss, breaks up into smaller groups for conversation, then returns for further conversation. In addition, there are active LinkedIn groups for SCCE and HCCA. Read the messages there, share insights of your own, or use the group to connect directly with other compliance professionals. In sum, there are a host of vehicles out there for you to connect with and meet the wider compliance community. Be sure to take advantage of all of them.

By Adam Turteltaub When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explains Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay into pension plans and make insurance payments – to financial reporting. There may also be state laws and standards under ISO and SOC 2 that may be implicated. If your institution is a recipient of federal grants, the reporting requirements don’t stop during disasters. Plus, if your organization will be seeking federal disaster grants, there will be compliance obligations there as well, including the need to document the damage. To ensure the compliance team is a part of disaster planning, establish a relationship with the person in charge of leading that effort. Learn who else they work with and get to know them as well. Take the time to understand what the risks are using resources such as Ready.gov. Think through what data you will need to collect and track during the pandemic, and be prepared to help your colleagues understand that compliance can play a vital row in disaster planning and recovery.

By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned. They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification: Select a framework for the certification criteria that the organization will grade itself against. Conduct a scenario-based compliance risk assessment. Assess and design key control activities. Create a sub-certification waterfall: set accountable owners throughout organization to certify compliance effectiveness in their area. Arrange for a third party or internal audit to assess the program. Listen in to learn more, including the importance of documenting your processes.

By Adam Turteltaub So, you’ve got a global compliance program. But, what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the other. Look also at employment practices. Having a policy of non-discrimination is good, but in some regions there may be requirements to hire certain indigenous groups. To avoid confusion, she advises defaulting to one policy wherever possible, and be sure to have a version control process in place. You don’t want one office to still be operating under an old policy. Listen in to learn more about how to make thoughtful localization decisions, how to get honest feedback locally, and what to do about facilitation payments.

By Adam Turteltaub Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate. Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year. Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle. The results have been highly positive. She reports that there is a much better understanding of risks and controls. In addition, there is now better alignment and very strong support from the board’s audit committee. Listen in to learn more about what she did differently, how she learned from others, and new ways to think about your own ERM process.

By Adam Turteltaub Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations of healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi. Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers. As a result, the risk profile is very different. It is there, though, with several key ones to manage. The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking. The second common risk area is conflicts of interest, which is focused on interactions with pharmaceutical and medical device manufacturers. To ensure that there is undue influence, contact between clinicians and providers may be completely prohibited. As is the case elsewhere in the world, privacy is also a significant concern, and in the UAE it has grown to be a greater challenge now that there is a new, tougher law. So, is working in the UAE in healthcare right for you? Emeka recommends asking yourself if you have a sense of adventure. As importantly, ask the same about your family and what impact a move may have on them. If you do decide to take the plunge and find a potential opportunity, assess it like you would any other compliance position. Look at the organization and its governance structure: Will you have access to the senior level of the organization? Question carefully their approach to compliance and ethics. While it may likely not be as advanced as what you are used to in the US, if the tone and the commitment are there it’s worth considering, especially because there is a growing emphasis on accountability, corporate responsibility and ethics in the UAE. That portends well for the future. Listen in to learn more, including one myth about the UAE that needs to be dispelled.

By Adam Turteltaub Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, points out, Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, they need to balance that with a need to see and encourage others to take the right risks. A compliance officer who can do that earns credibility with business leaders. So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making. Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision? Would our partners be proud of what we have done? Is this who we are? Along the way, embrace open conversations that ask whether the decision or initiative is the right one. At the same time, be sure that, as the business proceeds, there are controls in place that are fit for purpose for the risks at hand. Listen in to learn more about how the compliance team can help the business grow.

By Adam Turteltaub One of the more well-attended sessions at the SCCE 22nd Annual Compliance & Ethics Institute, promises to be “ESG and DEI: How to Position for Stakeholder Success”. The session will be lead by Adrian Taylor, Director of Diversity, Premier Health; Ahmed Salim, Chief Compliance Officer, iRhythym; and Nakis Urfi, Product Compliance Officer, Babylon Health. ESG and DEI are two of the hottest issues in compliance, and in this podcast preview of their session they start by taking on a controversial topic: Should DEI and ESG be combined? Traditionally, DEI has been its own discipline. Many now argue it should considered a part of the S (Social) in ESG, while others feel that doing so would diminish the emphasis on DEI. Ideally, DEI should not be affected by being included in ESG, they say. If handled correctly, it can maintain its focus and management commitment and even strengthen ESG efforts. When the two are aligned they create a more sustainable business model that balances people, profit and planet. Together they can also help foster engagement with stakeholders, improve culture, encourage greater accountability, and help the company’s reputation. To be successful, Nakis, Ahmed and Adrian argue, organizations need to manage four key challenges of ESG ratings: A limited focus on DEI Having accurate, valid data A lack of standardization Subjectivity All of these can lead to ratings that are more judgement scores than a true measure of an organization’s commitment to DEI and ESG. Listen in to learn more, including how to identify data that is truly useful for measuring your organization’s DEI and ESG success. Then, don’t miss their session at the SCCE 22nd Annual Compliance & Ethics Institute.

By Adam Turteltaub Crystal Jezierski, Senior Managing Director, Guidepost Solutions thinks that at this point we have enough guidance documents and frameworks for compliance programs. That’s not a criticism but a compliment. She finds the existing prescriptions to be helpful, instructive and reflective of the evolving understanding of best practices for effective compliance programs. They are also flexible enough for new and emerging risks. What’s needed now, she believes, are more opportunities to benchmark, share, apply and test how programs are implemented. As with compliance programs as a whole, that begins with understanding how to assess risk and how others are doing so. If done correctly, of course, a risk assessment can orient resources to both current and future issues as well as change how the company is doing business. When managing a new issue, she recommends involving a combination of the standard partners – HR, internal audit, finance and technology – as well as additional partners who bring expertise to addressing the risk at hand. One other partner needs to be considered throughout: the board. It can be a tremendous asset for compliance, sometimes more so than leadership. To gain and keep board support, she advocates for regular contact, updates, and conversations about emerging issues. Listen in to learn more about how to leverage the compliance frameworks, learn from others and work with the board to create a stronger compliance program.

By Adam Turteltaub Email isn’t enough anymore, if it ever really was. Employees are communicating with each other, clients and prospects via texts, WhatsApp, Teams, Slack and many, many more tools. Much attention has been paid to the US Department of Justice’s call for organizations to be able to produce all that communication, which is not an easy task. Eric Baim, partner at Dovetail Consulting Group, explains that focusing on producing the communications is important, but it is isn’t enough. Compliance teams need to train employees to use these technology appropriately. That education process begins with compliance developing an understanding of what these applications were designed to do; facilitate quick, back and forth interactions, brainstorm, and ask a question less formally than one would via email. The problem is that often these interactions lack context because they are continuations of other conversations. As a result, an outsider seeing them can draw very incorrect conclusions about what was being said. With that understanding in mind, it’s important to make it clear to employees that if they are conducting company activity via these communication tools, they still need to follow company policy. Next, help them to understand the risk of comments taken out of context and to ensure that they add some. If the text, for example, is a follow up to an in-person meeting, reference it. Be sure also to underscore the importance of avoiding jargon, being truthful or making assumptive statements. Stick to the facts and keep personal commentary out. Internally, compliance teams, he argues, should take the time to understand how they can use these channels to communicate with the workforce. Communicating with the business where it is can help keep compliance top of mind and relatable. It can also help foster greater dialog which is, after all, what these applications were designed for.

By Adam Turteltaub In a perfect world, whenever employees face a difficult decision or outright compliance issue, the right policy would automatically pop up in front of them. While that is not likely to happen soon, Jannica Houben, Vice President, Global Legal Transformation and Travis Waugh, Director, Training, both at TD SYNNEX can envision a word in which Outlook could spot issues as they are typed, flag them for the employee and give guidance and pointers to where to call for help. Until then, there are still many things compliance teams can do using off the shelf software to automate compliance processes. It’s a topic they explore in the podcast and in greater depth in their Session “Interactive Policies: Using Technology to Enhance Decision-Making” at the 2023 SCCE Compliance & Ethics Institute. So how do you create this automated future? They recommend beginning by thinking not about what tool you want, but what benefits you want the tool to deliver. Think about the value you want to provide and what would make employees’ lives easier. In addition, expect an iterative process: you won’t get everything right the first time. Once you have that in mind, you can begin the pursuit of the tool itself. At TD SYNNEX the compliance team tried to create the path of least resistance for employees to compliance, including developing an adaptive policy guidance tool. Using BRYTER, which requires no coding, they developed a tool which asks a series of questions to determine what the issue is, gives advice and routes a form to the employee’s manager. The manager can then add notes and recommendations. The tool has a dashboard that can track the whole process. It also can help identify gaps and what the organizations risks are, what policies need to be created and when more training is required. This program has freed up time for the compliance team, enabling it to invest in relationships and add more value. Getting started is surprisingly easy, they report. Listen in for more inspiration, and then don’t miss their session at the 2023 SCCE Compliance & Ethics Institute.

By Adam Turteltaub With the consent requirements built into privacy regimes, you can’t help but focus on them. Bill Piwonka, Chief Marketing Officer at Exterro, cautions, though, that there is much more than consent to worry about. Consent is very specific around whether people you are interacting with giving you permission to have and use their data for specific purposes. Much focus is given to the pop-up warnings on websites and cookies. Compliance teams, he advises, need to look at all the places where the organization collects data and uses data, including apps, to ensure proper consent is obtained. One other area not to be overlooked: Data subject access requests. It can be an enormous undertaking when a consumer demands to know what information you have on her or him. Even more daunting are similar requests by departing employees. Think of the hundreds of thousands if not millions, of documents that contain data from an employee, everything from HR records to emails to conversation on Teams. So great is the challenge of tracking them all down that employees are starting to use the threat of requiring all this data as a way to leverage a better severance package. Listen in to learn more about these issues and what you need to do to prepare to meet your privacy compliance obligations.

By Adam Turteltaub The proliferation of computer-based due diligence tools, combined with the travel restrictions of the pandemic led to a shift away from in-person due diligence efforts. Technology-based approaches increased dramatically, and, according to Jen Hoar (LinkedIn), Managing Director of Forward Risk, relying solely on them can be a mistake. Talking to human sources, she argues in this podcast, helps augment and provides nuance to open-source public records. Talking to people who have worked with the third party can flesh out what it is like to do business with them and if there are any concerns. Sources to interview can include prior investors, customers, industry experts, and even trade journalists. When conducting the interviews with these individuals, she advocates for an open-ended, conversational approach. Rather than trying to get through a list of questions, give them the opportunity to talk about whatever is important to them and pursue the conversation wherever it leads. Be sure, though, to take note if someone is oversharing. It may be a sign of an agenda. In terms of your own agenda, she advises against going in with a hypothesis to prove or disprove. Instead, go in with an open mind. Your job is to gather information and to find out what the truth is rather than to test a theory. Listen in to learn more about the role and value of human-based due diligence.