Compliance Perspectives

By Adam Turteltaub On February 22, 2022 the European Commission adopted a proposal for a directive on corporate sustainability due diligence.  In this podcast, George Porter, Knowledge and Training Manager at Ground Truth Intelligence reports that the directive, which is still being negotiated, is both a continuation of past measures and something new. It is designed to unify a great deal of previous regulations and create an ESG framework for both EU-based companies and those doing business in the EU. The directive covers three key areas: environmental risk, social goals such as modern slavery and child labor, and governance. The governance portion, importantly, addresses the duty of care and the need to conduct due diligence. It also significantly expands the stakes for organizations. Due diligence of the supply chain continues but organizations will now be responsible not just for how they sourced materials, but also how their products are disposed of. To back it all up there will be substantial potent

By Adam Turteltaub While the pandemic seems, at least for now, to be receding into our past, many of the changes from it have not, including a large percentage of the workforce that works remotely. While in some ways we have gotten used to this new normal, Lori Tansey Martens (LinkedIn), President, International Business Ethics Institute warns that there remains cause for concern. Specifically, the prevalence of high number of remote works has been and continues to negatively impact corporate culture. Culture is made up of the shared values and beliefs, norms, values, mission and purpose, and in many ways it differentiates one organization from another. Recent research shows that the common fabric binding people together into one culture is fraying. Survey data she shares shows that employee feelings of alignment has decreased substantially, and while those declines have leveled off among in-office and hybrid employees, they have not among remote workers. Remote workers also have the highest turnover rate

By Adam Turteltaub While most eyes have focused on the US Department of Justice’s document Evaluation of Corporate Compliance Programs when looking for guidance, it’s not the only DOJ source out there. Josh Drew (LinkedIn), Member, Miller & Chevalier explains that it would be wise to also look to Attachment C. What is it? It’s a document typically attached to Foreign Corrupt Practices Act (FCPA) resolutions. It specifies what the defendant company will need to do to establish and maintain an effective corporate compliance program. As a result, it, like the Evaluation document, provides very clear guidance as to what the DOJ’s thinking is when it comes to compliance. In August and September 2023 there were several changes to Attachment C. For one, it expanded the call for support from senior management down to include midlevel management as well. It specifically points to the importance of their tone and conduct:  “The Company will ensure that mid-level management throughout its organization reinforce leade

By Adam Turteltaub At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile? Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting points out in this podcast that just because the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done it’s best to do so annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy. When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies. When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, p

By Adam Turteltaub Steve Forman (LinkedIn), Senior Vice President at Strategic Management Services, had an eye-opening experience years ago when interviewing for the job of Vice President of Audit and Compliance for New York Presbyterian Hospital. The chair of the board’s audit and compliance committee told him that his main role was not to find problems or weaknesses but to validate through the discipline of the audit processes what management suspected were problematic areas in terms of audit and coverage of risk areas. That insight had several implications. First, it underscored that operational managers will always know more about their risk areas than auditors will, which means they are in the best position to identify problems and weaknesses. Second, it was a good reminder that there are never going to be enough auditors to even address the high risk areas. Once again, we are dependent on managers. So what does that mean? It means that monitoring should help drive the audit plan and strategy. In addi

By Adam Turteltaub Economic espionage sounds more like the stuff of a spy thriller than a day-to-day concern for business. Not so, as it turns out. To learn more we sat down with the FBI’s Counterintelligence Division Unit Chief Matthew Charles and Cyber Division Supervisory Special Agent Michelle Liu. Economic espionage generally refers to stealing trade secrets for the benefit of an overseas competitor, often one aligned with a foreign government. An employee at your organization working on a sensitive project may be leveraged, frequently with the lure of cash and other payments. Typical targets include technology with potential military use and, of late, pharmaceuticals. To counter this threat, the FBI Cyber Division maintains partnerships with many private sector companies to identify nefarious conduct on their networks. Meantime the Counterintelligence Division looks upstream for actors coming into the US seeking access to US technology. So what should companies do? First, protect yourself. Encrypti

By Adam Turteltaub How do you understand “neurodiversity” or “neurodivergence”? It starts with the recognition that no two human are exactly alike and not two brains function exactly the same way. It then goes on to recognize that for people with ADHD, autisms, dyslexia, sensory integration and executive function issues, those differences can be substantial. Estimates are that about 20% of the workforce has some sort of neurodivergence. In this podcast, Jason Meyer (LinkedIn), President of LeadGood Education, explains that compliance teams need to recognize neurodivergence when communicating with the workforce. This means looking for more structured communications that make it easy for learners to see things step by step. Another technique to pursue is reducing cognitive loads and demands on working memory. A test at the end of a two-hour course may be too much for many people to be able to manage successfully. Some other tips include having visual cues to accompany text and offering an audio option. Tha

By Adam Turteltaub Currently there is a patchwork of anticorruption laws across the EU. What has been lacking, though, is a EU-wide approach. That is likely to change soon, reports Vera Cherepanova, founding partner of Studio Etica. Change is afoot.  In May 2023 the EU issued a new proposal to combat corruption, including a new Directive of the European Parliament and the Council on combatting corruption by criminal law. The new directive, she explains, makes it clear that actions by senior executives can have significant consequences both for the individuals involved and their organizations. Companies could face fines of no less than 5% of worldwide turnover. Notably, like the US Foreign Corrupt Practices Act, the new EU directive has extraterritorial reach, which raises the prospect of more enforcement actions. The directive also includes incentives for compliance programs consistent with what is found in law elsewhere: “…where legal persons have implemented effective internal controls, ethics, and com

By Adam Turteltaub Kristine Coy-Foster (LinkedIn), Senior Manager, Compliance & Employee Engagement at Vulcan, had a challenge many in compliance face: tracking all her to-dos, and then, once a to-do turned to done, tracking the accomplishment. It was important for her to be able to capture the challenges she faced, new ideas tested and processes developed. Trying to keep it all straight in Outlook or Excel spreadsheets wasn’t enough. To solve the problem she invested the time to learn Smartsheet, a platform that primarily is for managing projects and automating processes. In it, she created workstreams, alerts, dashboards and more. She also created categories for each of the functional areas she oversees and organized her to-dos accordingly. The solution has worked well for her, but, she cautions, it does take a strong commitment to keeping everything up to date. Listen in to learn more about how to put this tool to work for you, or, maybe, customize the tool you are already using to track your own comp

By Adam Turteltaub Since the 1930s the United State has had import bans on forced and convict labor. But, the rules were tightened, explains Evelyn Suarez, Principal, The Suarez Firm and Thad McBride, Partner, Bass, Berry & Sims PLC, in 2021. That is when Congress passed the Uyghur Forced Labor Prevention Act (UFLPA). The act has a rebuttable presumption that goods made in whole or part with labor from the Xinjian region in China is made with forced labor. If US customs suspects that goods are made in this region, they can stop them until the importer can provide the necessary assurances. In addition, goods made in other regions are also being stopped because their supply chain includes labor from Xinjian. So, what should compliance teams do to help the business unit navigate the issue? For one, it’s key to go beyond the first line supplier, as is typical, and start looking deeply into the supply chain and start researching your supplier’s suppliers. Suppliers should be asked what connections they have to

By Adam Turteltaub We spend a lot of time in compliance discussing how to encourage employees to come forward and report any wrongdoing they see around them. Considerably less time, though, is spent on how to handle employees who report their own wrongdoing. In this podcast, Stefani Sonzzini Navarro, LATAM Compliance Officer for Corteva Agrisciences balances the scales. Encouraging employees to come forward with their own questionable acts, she explains, begins with having the right culture. People need to be comfortable and feel safe to report. Getting there takes time and repetition, she explains, along with a strong anti-retaliation policy that covers self-report wrongdoing as well. When an employee first brings the potential issue to your attention, she advises letting them know that if they report something you are obligated to act on it, and that you have to do what is in the best interest of the company. Let them know you will protect their confidentiality as much as possible, but that you also wi

By Adam Turteltaub While many of the world’s governments are struggling to determine what to do about AI, Brazil already has a track history in this area. As Maria Victoria Mota, Corporate Attorney at Viapol (a subsidiary of RPM), explains in this podcast, the roots of government action in Brazil go back to 2018 with data protection regulations that are similar to the European General Data Protection Regulation (GDPR). This initial legislation was followed by a second in 2020 created to develop the rules of how the government, companies and individuals may use AI. It was followed by more legislation, most recently in 2023. The latest came after a committee of jurists was created to help frame the bill. Working with scientists and experts in technology, they examined how AI should be used and AI laws of 31 different countries. The goal was to creation legislation specific for the needs of Brazil. Privacy is a central pillar of the bill, which is also based in human rights and sound data protection practice

By Adam Turteltaub Fast Company recently ran an article with the headline “Research Shows High Performing Employees are More Prone to Unethical Mistakes.” It’s both an alarming and an intriguing proposition. To understand more I spoke with Richard Bistrong, CEO of Front-Line Anti-Bribery LLC, who co-authored the article along with Ron Carucci and Dina Smith. Why are high performers potentially so dangerous? For one, he explains, success tends to block scrutiny. People don’t like to question it and are just grateful to see so much of it. They may not think to look or not want to look too deeply. Another challenge is that the more successful people are, the more addicted to success they may become, something Richard knows from his own experience. The challenge of being a corporate hero, he explains, is that once you earn that status, you typically don’t want to give it up and may end up going down what has been called the rabbit hole of success. At the same time, the company may be exerting pressure on the

By Adam Turteltaub In the September 2023 issue of Compliance and Ethics Professional® (CEP) magazine, Andrea Falcione (LinkedIn), Chief Ethics and Compliance Officer and Head of Advisory Services of Rethink Compliance LLC, wrote about fostering a speak-up culture. Institutional justice, she wrote, is a critical part of that effort and “paramount to gaining and keeping employee trust.” To learn more about the topic, I sat down with her for this podcast, in which she explains that there are four elements of institutional justice. The first is Respect for everyone involved in an incident. That includes the person who comes forward with an allegation of course, but it should also include those the allegation was raised against, any witnesses and also people who come forward to self-report. By doing so, you make it clear that it is safer and better to come forward when there is wrongdoing. Voice is the second element. She shares that this means allowing people to speak and share their story. It also means list

By Adam Turteltaub Where is the compliance profession now and where is it going? To find out we sat down with Chris Audet, Chief of Research at the Gartner Center for Legal, Risk & Compliance Leaders. Gartner recently issued a report: “Key Budget, Staffing and Spending Trends for Compliance in 2023”, and in this podcast he shares some of the insights in it. When it comes to budgets, compliance teams are strained, but not how they expected. During the pandemic there were fears of large funding cuts. While there have been some reductions, on the whole they have been minor. However, workloads have increased dramatically. This has led, he explains, to overstretched departments where the loss of even one FTE can be devastating. Three key issues have led to the increase in demands on compliance teams: The challenge of tracking regulations. A rising number of issues, such as ESG, that may have begun in another department but are now considered compliance’s responsibility Conducing internal investigations

By Adam Turteltaub When an organization begins to expand globally, or even when a global organization enters a new market, the compliance challenges can be considerable and multiple. In this podcast, Dr. Shan Nair, President of Nucleus explains that companies need to worry not just about issues such as anti-corruption and data privacy. There are a host of HR, accounting, corporate taxation, indirect taxes, withholding taxes and other compliance issues. In addition to these obligations there may also be filing requirements. Germany, for example, requires a special filing if a local subsidiary is not self-funding. Making things more complicated is that a trusted source for compliance advice in one area likely is completely unaware of the challenges in another. The bottom line is that it takes a concerted effort and a very local approach to meet all these obligations and ensure that the organization is compliant not just on the big issues, but on the dozens of less headline grabbing ones as well.

By Adam Turteltaub You may not realize it, but your compliance program has a brand. Line employees and management all have a host of impressions about the compliance department that color how they respond to what you say and do. A strong brand means that your actions are more likely to be appreciated. A weak brand means it’s a very steep uphill climb. Adam Balfour, Vice President & General Counsel for Corporate Compliance at Bridgestone Americas and author of the book Ethics & Compliance for Humans, is an advocate for compliance teams making the effort to invest in creating a strong, positive brand that communicates the value of the program. As a part of that effort, compliance teams need to move beyond simply building awareness to ensuring that the brand resonates and is relevant to the organization. To do that he advocates taking a people centric approach and using three methods of motivation: Start with why. Don’t just tell them what to do. Tell them why they need to do it beyond “the law requires it

By Adam Turteltaub On October 4, 2023 at the SCCE Compliance & Ethics Institute in Chicago, US Deputy Attorney General Lia A. Monaco spoke live from Washington to the attendees and used this opportunity to announce a new Safe Harbor Policy for voluntary self-disclosures made in the context of the merger and acquisition process. Under the policy, acquiring companies that promptly disclose criminal misconduct voluntarily within the six-month safe harbor period, cooperate with investigators and engage in remediation, restitution and disgorgement will receive the presumption of a declination. She also explained that, absent aggravating factors at the acquired company, it will not impact the acquiring company’s ability to receive a declination. She also shared how the Department of Justice has been fighting corporate crime including: The expansion of corporate enforcement efforts in the national security realm New tools DOJ is using to penalize corporate misconduct and provide invectives for good corporate

By Adam Turteltaub Much of the day to day of compliance isn’t about understanding laws. It’s about influencing human behavior and steering people in the right direction. In this podcast, Scott Young, Principal Advisor and Head of Private Sector at Behavior Insights Team, Americas shares that understanding how people make decisions can help compliance teams be more effective. To do so, he advocates for using behavioral science to gain a broader perspective for thinking about human behavior. The field has shown, for example, that the classic economics model of rational thinking doesn’t always apply. Too often we operate in a semi-automatic mode, making decisions quickly, not really aware we are even making them. So what do compliance teams do? Adopt what he describes as the EAST Framework. Easy. Make sure the proper choice is the default choice. Attractive. Make compliance fun and engaging. Embrace gamification and other ways to make compliance more attractive to people. Social. Humans are social being a

By Adam Turteltaub NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer. Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from their job. It was still a minority, but a larger one than before. Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy. Looking globally – the survey also h