Compliance Perspectives

Information:

Synopsis

An SCCE Podcast

Episodes

  • Brent Douglas on Background Checks [Podcast]

    28/09/2023 Duration: 15min

    By Adam Turteltaub It may be time to rethink background checks. Brent Douglas (LinkedIn), partner at the law firm Hahn Loeser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history. He also warns that in some jurisdictions screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check. That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation, they are often required. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology. If your organization conducts background checks, it may be best to have a third party conduct them for you. This both leverages their experti

  • Mary Shirley on Leveling Up as a Compliance Professional [Podcast]

    26/09/2023 Duration: 14min

    By Adam Turteltaub Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program. In this podcast she argues for embracing professional development and owning your own advancement. Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year. The same information, she points out, is very helpful when looking for your next position. It can help you both recall what you have done and prepare to answer questions about key accomplis

  • Kristy Grant-Hart on Maximizing Your Conference Experience [Podcast]

    21/09/2023 Duration: 12min

    By Adam Turteltaub You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there? Kristy Grant-Hart, CEO of Spark Compliance Consulting and a former compliance officer herself, shares in this podcast several excellent tips for making your conference time truly valuable. Her recommendations: Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks. Pick the sessions based on both the topic and the speakers you want to listen to and meet. Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have a defined time to work and a defined time to be fully present at the conference. Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending. Take advantage of vendor receptions and dinners t

  • Andre Bywater on the EU-US Data Privacy Framework [Podcast]

    14/09/2023 Duration: 11min

    By Adam Turteltaub First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework. The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted. The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling

  • Mark Schreiber on PCI 4.0 Compliance [Podcast]

    12/09/2023 Duration: 15min

    By Adam Turteltaub Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe. Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations. Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers, have written agreements with them that account for security standards and include a process for due diligence before engaging with them. Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security. Perhaps needless to say

  • Cheryl Gilbert on Celebrating Corporate Compliance & Ethics Week [Podcast]

    07/09/2023 Duration: 13min

    By Adam Turteltaub Stamford Health has just a bit less than 4000 employees spread out in over 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy. To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site. What aren’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it. To make the week fun they have developed a wide range of activities including a: Haiku contest. Employees are challenged to write a haiku based on the organization’s core values. Where’s Waldo type game in which employees have to spot al

  • Jeremy Laws on Cancer Reporting Requirements [Podcast]

    05/09/2023 Duration: 12min

    By Adam Turteltaub Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissue is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that this falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency t

  • Stephen Pavlicek on Involvement Options with SCCE & HCCA [Podcast]

    31/08/2023 Duration: 06min

    By Adam Turteltaub When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA, shares the free resources the association provides and how to take advantage of them. The first stops are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents. To see all that’s there, first log in on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The g

  • Laura Fey, Tom Leatherbee and Jillian Cusack on Compliance and Disaster Preparedness [Podcast]

    29/08/2023 Duration: 14min

    By Adam Turteltaub When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explains Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay

  • Jonny Frank and Kat Nolan on Compliance Program Certifications [Podcast]

    24/08/2023 Duration: 10min

    By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned. They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification: Select a framework for the certification criteria that the organization will grade itself against. Conduct a scenario-based compliance risk assessment. Assess and design key control activities. Create a sub-certification wa

  • Kristy Grant-Hart on the Global vs. Local Dilemma [Podcast]

    22/08/2023 Duration: 13min

    By Adam Turteltaub So, you’ve got a global compliance program. But, what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting, recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the oth

  • Melinda Shapiro on Enterprise Risk Management [Podcast]

    17/08/2023 Duration: 12min

    By Adam Turteltaub Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate. Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year. Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle. The results have been highly positive. She reports that there is a much better under

  • Emeka Obiora on Health Care Compliance in the United Arab Emirates [Podcast]

    15/08/2023 Duration: 12min

    By Adam Turteltaub Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations of healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi. Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers. As a result, the risk profile is very different. It is there, though, with several key ones to manage. The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking. The second common risk area is conflicts of interest, wh

  • Ami Simunovich on Growth, Risk and Compliance [Podcast]

    10/08/2023 Duration: 13min

    By Adam Turteltaub Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, points out Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, they need to balance that with a need to see and encourage others to take the right risks. A compliance officer who can do that earns credibility with business leaders. So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making. Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision

  • Adrian Taylor, Ahmed Salim and Nakis Urfi on ESG and DEI [Podcast]

    08/08/2023 Duration: 15min

    By Adam Turteltaub One of the more well-attended sessions at the SCCE 22nd Annual Compliance & Ethics Institute promises to be “ESG and DEI: How to Position for Stakeholder Success”. The session will be led by Adrian Taylor, Director of Diversity, Premier Health; Ahmed Salim, Chief Compliance Officer, iRhythm; and Nakis Urfi, Product Compliance Officer, Babylon Health. ESG and DEI are two of the hottest issues in compliance, and in this podcast preview of their session they start by taking on a controversial topic: Should DEI and ESG be combined? Traditionally, DEI has been its own discipline. Many now argue it should be considered a part of the S (Social) in ESG, while others feel that doing so would diminish the emphasis on DEI. Ideally, DEI should not be affected by being included in ESG, they say. If handled correctly, it can maintain its focus and management commitment and even strengthen ESG efforts. When the two are aligned they create a more sustainable business model that balances people, profit a

  • Crystal Jezierski on Compliance Frameworks and Management [Podcast]

    03/08/2023 Duration: 11min

    By Adam Turteltaub Crystal Jezierski, Senior Managing Director, Guidepost Solutions, thinks that at this point we have enough guidance documents and frameworks for compliance programs. That’s not a criticism but a compliment. She finds the existing prescriptions to be helpful, instructive and reflective of the evolving understanding of best practices for effective compliance programs. They are also flexible enough for new and emerging risks. What’s needed now, she believes, are more opportunities to benchmark, share, apply and test how programs are implemented. As with compliance programs as a whole, that begins with understanding how to assess risk and how others are doing so. If done correctly, of course, a risk assessment can orient resources to both current and future issues as well as change how the company is doing business. When managing a new issue, she recommends involving a combination of the standard partners – HR, internal audit, finance and technology – as well as additional partners who bri

  • Eric Baim on Compliant Business Communications Through Messaging Apps [Podcast]

    01/08/2023 Duration: 10min

    By Adam Turteltaub Email isn’t enough anymore, if it ever really was. Employees are communicating with each other, clients and prospects via texts, WhatsApp, Teams, Slack and many, many more tools. Much attention has been paid to the US Department of Justice’s call for organizations to be able to produce all that communication, which is not an easy task. Eric Baim, partner at Dovetail Consulting Group, explains that focusing on producing the communications is important, but it isn’t enough. Compliance teams need to train employees to use these technologies appropriately. That education process begins with compliance developing an understanding of what these applications were designed to do: facilitate quick, back and forth interactions, brainstorm, and ask a question less formally than one would via email. The problem is that often these interactions lack context because they are continuations of other conversations. As a result, an outsider seeing them can draw very incorrect conclusions about what was

  • Jannica Houben and Travis Waugh on Interactive Policies [Podcast]

    27/07/2023 Duration: 14min

    By Adam Turteltaub In a perfect world, whenever employees face a difficult decision or outright compliance issue, the right policy would automatically pop up in front of them. While that is not likely to happen soon, Jannica Houben, Vice President, Global Legal Transformation, and Travis Waugh, Director, Training, both at TD SYNNEX, can envision a world in which Outlook could spot issues as they are typed, flag them for the employee and give guidance and pointers to where to call for help. Until then, there are still many things compliance teams can do using off the shelf software to automate compliance processes. It’s a topic they explore in the podcast and in greater depth in their Session “Interactive Policies: Using Technology to Enhance Decision-Making” at the 2023 SCCE Compliance & Ethics Institute. So how do you create this automated future? They recommend beginning by thinking not about what tool you want, but what benefits you want the tool to deliver. Think about the value you want to provide and wh

  • Bill Piwonka on Privacy, Consent and Compliance [Podcast]

    25/07/2023 Duration: 13min

    By Adam Turteltaub With the consent requirements built into privacy regimes, you can’t help but focus on them. Bill Piwonka, Chief Marketing Officer at Exterro, cautions, though, that there is much more than consent to worry about. Consent is very specific around whether people you are interacting with are giving you permission to have and use their data for specific purposes. Much focus is given to the pop-up warnings on websites and cookies. Compliance teams, he advises, need to look at all the places where the organization collects data and uses data, including apps, to ensure proper consent is obtained. One other area not to be overlooked: Data subject access requests. It can be an enormous undertaking when a consumer demands to know what information you have on her or him. Even more daunting are similar requests by departing employees. Think of the hundreds of thousands, if not millions, of documents that contain data from an employee, everything from HR records to emails to conversations on Teams. So gr

  • Jen Hoar on Human-Based Due Diligence [Podcast]

    20/07/2023 Duration: 10min

    By Adam Turteltaub The proliferation of computer-based due diligence tools, combined with the travel restrictions of the pandemic, led to a shift away from in-person due diligence efforts. Technology-based approaches increased dramatically, and, according to Jen Hoar (LinkedIn), Managing Director of Forward Risk, relying solely on them can be a mistake. Talking to human sources, she argues in this podcast, helps augment and provide nuance to open-source public records. Talking to people who have worked with the third party can flesh out what it is like to do business with them and if there are any concerns. Sources to interview can include prior investors, customers, industry experts, and even trade journalists. When conducting the interviews with these individuals, she advocates for an open-ended, conversational approach. Rather than trying to get through a list of questions, give them the opportunity to talk about whatever is important to them and pursue the conversation wherever it leads. Be sure, thou
