Richard Bistrong on Conference Networking [Podcast]
By Adam Turteltaub
Some people have a gift for invisibly attending a conference, and no one knows that they were even there. That’s great for a conference of spies, but most people at compliance conferences like to meet at least some of the other attendees.
For many, though, connecting with strangers is difficult, whether they know no one or they are shy about going beyond their usual circle of contacts.
So what do you do if you are one of them?
To find out, we spoke with Richard Bistrong (LinkedIn), newsletter author and CEO of Frontline Antibribery, who will be moderating a general session at the 2024 SCCE European Compliance & Ethics Institute in Amsterdam.
If you spot someone standing alone and looking a bit lost, he recommends you think like a host and invite them to join you. Even if you’re already talking with friends, he advises being a croissant and not a bagel: be sure there is an opening for others. Make the effort to catch them up on the conversation (“we were just discussing helplines”) and ask them to share their thoughts.
If you hesitate to join conversations because you don’t feel you are good at small talk, think of a few questions in advance to use as ice breakers. They don’t have to be traditional compliance-related questions. You could ask people about what excited them the most in the last year. Richard often uses Vertellis cards to start or help conversations.
For those at the conference with a friend or colleague, use the other person as your wingman or wingwoman. Tell them who you are interested in meeting and have them serve as a second set of eyes and ears.
Also, don’t forget about the SCCE & HCCA staff as a source of connection. See if they know someone it would be good for you to talk with.
Listen in to learn more, including how to follow up properly after the conference is over.
Then, be sure to say hello to Richard (and offer him a croissant) in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute, March 18-20.
2/22/2024 • 13 minutes, 12 seconds
Alison Taylor on a Higher Ground for Compliance [Podcast]
By Adam Turteltaub
Compliance programs have come far over the last few decades, but there is still more they could do to elevate their performance. In this podcast, Alison Taylor, Clinical Associate Professor at NYU Stern School of Business and author of the book Higher Ground, shares some intriguing and provocative ideas for improvement.
She is a strong believer in what she calls “firm foundations”. These foundations avoid having too many rules, which can inadvertently have a negative impact, causing employees to abdicate responsibility for their actions and grow overly reliant on following rules. Instead, she argues for simplifying and being attuned to human behavior and the role of incentives.
Be wary too, she advises, of mixed messages and potentially pernicious effects when it appears, whether true or not, that the rules for the rank and file do not apply to leadership. It degrades trust and the culture.
To get more employees to speak up when they see wrongdoing, she advises investing the time in understanding why they don’t raise their hands more.
When it comes to measuring the impact of the compliance program, she is a strong proponent of measuring the ethical culture. Do employees feel safe speaking up? Whom do they speak to when there is a problem? Do they believe the whistleblower line is truly anonymous? Is leadership looking out for them?
The answers to these questions, and how they change over time, can illuminate how well the program is working.
Listen in to gain more insights, including how to build a common ethical foundation and the importance of adequate authority for the compliance and ethics program.
2/20/2024 • 12 minutes, 16 seconds
Tobias Kruis and Clara Becerra Campos on the EU Whistleblower Requirements [Podcast]
By Adam Turteltaub
Clara Becerra Campos, Senior Compliance Analyst-Europe for TD SYNNEX, and Dr. Tobias Kruis, Head of Corporate Compliance, Giesecke+Devrient, will be addressing the new EU whistleblowing requirements at the 2024 SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 18-20.
In this podcast, they delve into the challenges posed by the directive, which significantly expands the number of EU-based and non-EU-based companies that must comply.
The directive not only provides protections for whistleblowers, they explain. It also establishes procedures and deadlines for handling reports. As significantly, it leaves the door open to variations among EU member states, which complicates the picture considerably.
So what should you do? If your organization does not have a whistleblower line already in place they recommend you:
Implement an internal reporting channel
Be sure it’s aligned with legal and data privacy
Consider who will manage the system and conduct the investigations
Ensure confidentiality
Communicate with your workforce
For those with a helpline already they recommend starting with a gap analysis to determine if your existing efforts are meeting the new requirements.
Listen in to learn more, then join them in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute.
2/15/2024 • 15 minutes, 5 seconds
Segev Shani on AI Risk [Podcast]
By Adam Turteltaub
At the 2024 SCCE European Compliance & Ethics Institute, Segev Shani, Chief Compliance & Regulatory Officer at Neopharm Group will be leading the session “Corporate Use of Third-Party Artificial Intelligence (AI) Tools.”
In this podcast he shares that a great deal of risk comes from the headlong pursuit of AI technology. Businesses believe that if they are not using AI they will be left behind, but the adoption rate is not being matched by a complete understanding of what AI is.
To manage this issue, he recommends creating an AI governance model that balances the risks and rewards. It can help employees and managers understand the risks, including inaccuracy, bias and both misuse and improper use of intellectual property. And, of course, there can be substantial privacy risks as well.
Listen in as he discusses proper governance, the need for training and the importance of integrating AI governance into business processes.
Then plan on joining us in Amsterdam, 18-20 March, at the 2024 SCCE European Compliance & Ethics Institute.
2/13/2024 • 7 minutes, 18 seconds
Klaus Moosmayer on the Novartis Employee Survey [Podcast]
By Adam Turteltaub
A good employee survey on compliance and ethics can yield a wealth of data on how your program is and isn’t working, where the risks are, and how to move forward. The challenge is getting the survey right and getting employees to respond.
Klaus Moosmayer, Member of the Executive Committee and Chief Ethics, Risk and Compliance Officer at Novartis, shares in this podcast that the compliance team has just completed the second round of their survey. The goal was to get first-hand data from as many employees globally as they could about any unethical behavior they perceive around them and how it is acted on.
The survey was developed with substantial help from behavioral scientists, who created a questionnaire that captured where the company is now but also enabled them to dig deeper into key issues. For example, in the first round of the survey the Novartis team discovered that approximately 80% of employees go first to their leaders and managers when seeing unethical behavior. In the second survey they focused on what the leaders are doing with those reports.
To encourage responses from employees, they invested the time in preparing the workforce and setting the context that the survey is a part of a broader effort to strengthen company culture.
The messaging behind the survey was both local and global, with company presidents underscoring the importance of the study.
After the first survey was completed, they made the effort to showcase how the data was used and what would be changing at Novartis as a result. That helped earn higher participation rates for the second survey.
How does the data get used? The aggregated data helps inform leadership and enables conversations as high as the board level.
The data is also incorporated into the company’s integrated digital ethics, risk and compliance platform.
Country managers are shown their data and told how it compares to other regions, which, of course, indicates how well they are or aren’t doing versus their peers. Local leaders are then encouraged to use the data to hold roundtables, town halls and other meetings to understand why their scores are what they are.
Listen in to learn what made the Novartis survey so successful and how to improve your own.
2/8/2024 • 12 minutes, 42 seconds
Letitia Adu-Ampoma on the EU Artificial Intelligence Act [Podcast]
By Adam Turteltaub
When it comes to AI, there is little agreement. Some see great potential, while others see great nightmares. Some see opportunities, and many see nothing but risks. In the EU, though, there is agreement on one thing, a new EU AI Law. In December 2023 the EU Parliament and Council agreed to a bill “…to ensure AI in Europe is safe, respects fundamental rights and democracy, while businesses can thrive and expand.”
Longtime compliance professional Letitia Adu-Ampoma (LinkedIn) explains that while the law won’t fully come into force for two years or more, it’s time for compliance teams to start paying attention and preparing.
The act is part of the EU digital strategy, which is very focused on human-centric legislation. Its goal is to ensure that the impact of AI on people and society remains positive.
The approach it takes is risk-based, categorizing AI systems by their level of risk: unacceptable (and prohibited), high risk, minimal risk and no risk. The act is very specific in how it defines which AI systems fall into each category. The unacceptable risk category, for example, includes social credit scoring, emotion recognition and behavioral manipulation.
Creators and users of high risk AI will be required to register the system in a public record. They will also need to conduct an impact assessment and be transparent.
Transparency will also be critical for generative AI. Providers will need to disclose that content is AI-generated and ensure that the models are not designed to create illegal content. There will also need to be governance in place to protect against copyright violations.
So what should compliance teams do now? Letitia recommends reading the guidance and starting to prepare the business units for what is to come.
Listening to the podcast would be good, too.
NOTE: This podcast was recorded in January 2024. The final version of the EU AI Act is yet to be released - a final EU parliament debate on the text will take place before its release. In the meantime, some 'unofficial' pre-final versions of the text have been leaked online in advance of this debate. The final EU definition of AI and key timescales for enforcement mentioned in the podcast are based on proposals made public. Listeners should look out for the final position which will be detailed in the EU AI Act when it is officially published in the next few weeks.
2/6/2024 • 12 minutes, 40 seconds
Matt Silverman on Keeping Compliance Champions Engaged [Podcast]
By Adam Turteltaub
A compliance champions or ambassadors program can be a great boon for the compliance program, if you keep the champions engaged. Unfortunately, that doesn’t always happen. If not managed properly, your champions may end up sleepwalking through the job.
In this podcast, Matt Silverman, author of the book The Champions Network and Global Trade Director and Senior Counsel at Viavi, lays out several strategies for maintaining the involvement and commitment of your champions network.
To ensure engagement, he recommends remembering that the people who decided to be champions did so for a reason. It may be for a wage stipend or for altruistic reasons. Tapping into that motivation is essential.
On an ongoing basis it’s important that they see the impact of their work on the organization and their own career. That means sharing outcomes, as best you can, and providing them with access to development opportunities. These could be specific to deepening compliance expertise or as broad as developing business and soft skills. Whichever you choose, it is a way for them to see what’s in it for them.
Give them an opportunity, as well, to be recognized for their work, whether that’s an official recognition by the CEO or an opportunity to interact with leadership. Remember, appreciation can be a powerful reward.
And, of course, make sure there is actual work that they need to do as a part of being a champion. Having the title alone is not enough.
Listen in to learn more about how to create engaged compliance champions.
2/1/2024 • 13 minutes, 37 seconds
Sergio Leal and Jan Sprafke on M&A Compliance Due Diligence [Podcast]
By Adam Turteltaub
Mergers and acquisitions create stress, opportunity and risk both for the organization and the compliance team. In this podcast, Sergio Leal, who until recently was head of M&A compliance at Ericsson, along with Jan Sprafke, the company’s chief compliance officer, share their advice for compliance professionals in the midst of a transaction.
They stress that the compliance team needs to be involved during the entire lifecycle, from target identification to due diligence to post-acquisition integration. This will help the organization avoid unanticipated liabilities and risks.
To ensure success the compliance team needs to be embedded in the M&A team. Meet with the stakeholders regularly to ensure you are aligned with their processes. When you do, remember that compliance is just one piece of a very complex puzzle.
Be prepared to move quickly. The DOJ’s safe harbor policy for misconduct discovered in an acquisition has a rapidly ticking clock: the acquirer must disclose within a fixed window after closing and remediate within a fixed window after that.
At the start of an acquisition or merger, they recommend focusing on three areas:
The ultimate beneficial owner
The operations of the business
The already existing compliance program, if any, and internal controls
Be especially vigilant if the acquired entity had some government ownership or government contracts. And, be very diligent if there is not a compliance program already in place.
Listen in to learn more about how to be an integral part of mitigating the risks of mergers and acquisitions.
1/30/2024 • 14 minutes, 58 seconds
Kelly Cooper on Open Payments [Podcast]
By Adam Turteltaub
To quote CMS, “The Open Payments program is a national disclosure program that promotes a more transparent and accountable health care system. Open Payments houses a publicly accessible database of payments that reporting entities, including drug and medical device companies, make to covered recipients like physicians.”
For this transparency to work, though, the data has to actually be used. Kelly Cooper (LinkedIn), Compliance Specialist at UF Health Shands Compliance Services, reports that too often it isn’t. Fewer providers are reviewing the data collected about them, she reports, due to lack of awareness of the program and why it matters.
That needs to change. Physicians and the hospitals that employ them are now required to post a notice for patients about the Open Payments program and how to access it. This will likely lead to more questions from patients and the need for providers to monitor the data more closely.
So what should compliance teams do? She recommends looking at training, awareness and policies. In addition, be sure that the profiles of covered individuals are correct and up to date.
And, be prepared to navigate the dispute process. It can be a long one, but there are shortcuts.
Finally, she urges compliance teams to use the data to get a better handle on staffing, credentialing, what the payment trends are and any red flags.
Listen in to learn more about what the Open Payments program is and how your compliance team should be working with it.
1/25/2024 • 11 minutes, 40 seconds
Randi Seigel and Jared Augenstein on the CMS 2024 Medicare Physician Fee Schedule [Podcast]
By Adam Turteltaub
The 2024 CMS Medicare Physician Fee Schedule extends no less than ten different pandemic flexibilities related to telehealth. In this podcast, Randi Seigel, partner and Jared Augenstein, managing director, at Manatt take us through all of them, including in-person visit requirements, audio-only services, physician supervision and opioid treatment.
They also address:
Changes in the structure of the telehealth services list
Changes to payment by place of services
Remote psychological and therapeutic monitoring
Enrollment and revocation
A new opportunity for payments for social needs of Medicare beneficiaries
Listen in to learn more about what’s new, what’s the same, and what will sunset at the end of 2024.
1/23/2024 • 15 minutes, 5 seconds
Wendy Evans on Investigative Interviewing [Podcast]
By Adam Turteltaub
Effective investigative interviews are both important and sensitive. To get some pointers about how to conduct them properly, we turn in this podcast to Wendy Evans, Senior Corporate Ethics Investigator at Lockheed Martin. Wendy is also an instructor for the SCCE Fundamentals of Compliance Investigations workshops.
She recommends starting by doing your homework. Before you talk with anyone, whether a possible witness or the subject, get all the information you can from the reporter. Then, review it to see if it includes the what, where, when, why and who. If you don’t have all that information, take the time to find it since it can identify what the potential motivation behind the incident was.
With that information in hand, check your case management system to see if any of the parties were involved in previous reports. Follow that by notifying HR and the subject’s manager that you will be conducting an interview. They may have important insight.
Think through what other evidence you may need for the investigation, including expense and audit reports.
If you are going to conduct the interview remotely, she offers four pieces of advice:
Be sure to schedule it appropriately. Sending a meeting request on a Friday for a Monday meeting can create an entire weekend of unnecessary stress for the individual.
Mark the meeting request as private so you, and they, don’t have to worry about others seeing it.
Ensure that the person has video and a private place to talk.
Always include your phone number in case a technology glitch gets in the way.
At the time of the interview, don’t just jump into the questions. Take time to build some rapport. This will help reduce the stress level.
Then, when you start asking questions, begin with broad ones, such as “tell me about your work” or “what were your last three business trips?”, that can’t be answered with a simple yes or no. Then, over time, move on to narrower, more specific questions.
When it’s time to get to the hard questions, help the subject prepare themselves psychologically. Preface them by saying something along the lines of, “I have to ask you a tough question.”
When concluding the interview, ask: Is there anything else I should know but didn’t ask you? That can prompt the sharing of additional information.
Finally, be sure to thank them for their time and cooperation. Be sure to also reiterate what the investigation process is and what they can expect next.
Listen in to learn more, and, maybe, join her at an upcoming Fundamentals of Compliance Investigations workshop.
1/18/2024 • 16 minutes, 3 seconds
Matt Kelly on the Top Compliance Stories from 2023 [Podcast]
By Adam Turteltaub
Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance is a close watcher of all things compliance, and in this podcast he shares his take on both the top stories of 2023 and what he sees in the cards for 2024.
FCPA
On the Foreign Corrupt Practices Act front, he noted a change in enforcement. While the volume of resolutions declined on the DOJ side, the SEC has remained very active.
Perhaps most notably, the Albemarle case had an interesting twist. The way the company did business was changed dramatically as a part of the settlement, he reports, with a restructuring of its overseas sales and an end to its use of third-party sales intermediaries. He speculates this may be the start of a new trend in which monetary penalties are accompanied by required changes to the way companies do business.
Also of note in FCPA was the announcement by Deputy Attorney General Lisa Monaco at the SCCE Compliance & Ethics Institute of a safe harbor policy for misconduct uncovered in mergers and acquisitions. Because of the relatively short timeline for finding and disclosing problems, there is a strong incentive for organizations to involve the compliance team early and deeply in these transactions.
SEC Cybersecurity Rules
The July SEC rules on disclosure of cyber incidents require public companies to disclose a material incident within four business days of determining that it is material. Companies will need to describe the nature, timing and material consequences of the incident. That will increase the importance of thorough and prompt cyber materiality assessments that weigh both quantitative and qualitative impacts.
Greenhouse Gas Disclosures
The SEC’s proposed rule on greenhouse gas disclosures is now the longest and most commented-on rule in the agency’s history. It also has not been finalized, while, in the meantime, both California and Europe have passed their own laws.
The rule is likely to be very complex and impose a significant burden on companies.
Healthcare
The biggest news he saw in 2023 was the new General Compliance Program Guidance issued by the Office of Inspector General at HHS. The document makes it clear that it expects a fully independent compliance program. As the document states:
The compliance officer should:
report either to the CEO with direct and independent access to the board or to the board directly;
have sufficient stature within the entity to interact as an equal of other senior leaders of the entity;
demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and
have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks.
The Future
Looking to the future he asks if others will be as supportive as the OIG at HHS.
He also points to other things to watch such as the Foreign Extortion Prevention Act, the PCAOB’s extremely controversial NOCLAR proposal and SEC v. Govil, which could eliminate disgorgement in many cases.
Listen in to learn more about what has and may happen in the world of compliance.
1/16/2024 • 17 minutes, 22 seconds
Jaime Watkins on Creating a Compliance Mascot [Podcast]
By Adam Turteltaub
We all want the compliance team to be approachable. It would be ideal if, when people thought of compliance, they had positive, maybe even warm and fuzzy, associations in their mind.
But, how do we get there? For BroadPath, a friendly blue koala was the answer.
In this podcast, Jaime Watkins, the compliance officer there, explains that she drew inspiration from the Basic Compliance & Ethics Academy and an exercise that called for creating a compliance mascot. Back at the office she ran a contest among employees to design a mascot as part of the company’s compliance and ethics week celebration. A winner was selected, and, with the help of the marketing team, the blue koala was born.
Since then, the furry critter has become a regular feature of training and the newsletter, and is used everywhere it can be, sometimes even straying into the activities of other groups in the company.
The impact of the koala has been enormous. People enjoy seeing variations of how it is dressed up for holidays and it even plays a role in regular compliance trivia contests.
Listen in to learn more about how a mascot could help your compliance efforts.
1/11/2024 • 8 minutes, 32 seconds
Ricardo Weffer on a Global Career in Compliance [Podcast]
By Adam Turteltaub
Decades ago, while at a bit of a career crossroads, I was thinking of making a dramatic change and moving halfway around the world. I was talking it through with a friend who said that one day he asked himself whether he wanted to have a successful career or an interesting one. He realized that interesting was more important to him. That decision led him from Missouri to New York to Hong Kong, Singapore and Thailand, where he ended up enjoying great success.
Ricardo Weffer, Group Ethics and Compliance Head of Al Dahra, has had a similar career journey that ranged from Venezuela to Dubai with countless points in between.
In this podcast he shares his almost two decades of work in compliance and anticorruption in Latin America, the Middle East, Sub-Saharan Africa, Central Europe and Asia. A lawyer by training, he has worked in energy, banking, tobacco, logistics and agriculture.
Despite all this variety, both in geography and industry, he shares that there are professional commonalities wherever he has gone. These include great compliance and business leaders who stand for what is right and are willing to fight for it. He has also found, happily, that, no matter what the industry, companies are mostly made up of real, hard-working, well-intentioned people driven by values who want to do the right thing.
What wisdom does he have for those thinking of having a global career? He offers three pieces of advice:
Be adventurous and open to new experiences.
Be willing to be taught.
Enjoy it. Working and living abroad can be tough, but the rewards are worth it.
Listen in to learn more, including some inspiring words about the impact of compliance professionals.
1/9/2024 • 14 minutes, 57 seconds
Kristy Grant-Hart on Internal Barriers to Success [Podcast]
By Adam Turteltaub
Compliance professionals can face a lot of resistance in the course of their work: leaders who don’t have the time, budget limits, managerial indifference, and even outright hostility. But, sometimes the impediments are inside us.
In this podcast, Kristy Grant-Hart, CEO of Spark Compliance Consulting and author of the new book Your Year as a Wildly Effective Compliance Officer, points out that sometimes we get in our own way. It’s just easier for us to see the external blocks than it is to see those we create for ourselves.
Overcome them, she argues, by trusting your own value. Ask for what you want, and don’t assume that others will see the need on their own. And, when you do ask, be sure to make clear what value the compliance program provides.
She also cautions against falling into Imposter Syndrome and feeling as if you don’t belong in the room. Sitting there quietly doesn’t help, in fact it hurts by giving others the impression that you and the compliance team are not adding value. Instead, speak up at every meeting so that you can be perceived as a contributor.
On the personal level, set goals for yourself. Pick an area to deepen your expertise and another to grow personally, such as in speaking publicly or improving your productivity. Also, look to growing your network. Plan on attending in-person meetings and then follow up with the people you meet there. Don’t just make them another entry in your Outlook contact list.
When it comes to those external barriers, she advises not taking push back personally because most often it isn’t personal. People have other commitments.
In fact, look at why they are pushing back and evaluate if the criticism is fair. If it is, then adjust your efforts. If it isn’t, let it go. Not everyone is going to get along with you.
Finally, she discusses how to ensure you don’t let work take over your life. Reserve time for family, friends and your passions, and keep those commitments. When it comes to after-hours emails and texts, don’t answer them if you don’t have to, or, if you do, send a delayed response. That way people learn you won’t be responding 24/7/365.
Be considerate, too. If you think of something in the evening and want to get a note out that isn’t urgent, be sure to let the recipient know they don’t need to respond right away.
Listen in to learn more about how to clear your internal path and become your own best ally in compliance.
1/4/2024 • 10 minutes, 59 seconds
Pam Cleveland and Megan Grifa on Starting a Compliance Program [Podcast]
By Adam Turteltaub
We are starting a new year of Compliance Perspectives podcasts by going back to basics with an episode designed for those who are charged with starting a compliance program. While the conversation is directed to this audience, there are some good reminders even for established programs.
Providing guidance are Pam Cleveland, Compliance Officer – Medicare Advantage for UCLA Health FPG and Megan Grifa, Senior Director, Compliance at Sidecar Health.
So, if you are charged with launching a program, where do you begin? They advise starting by taking the time to develop a work plan that outlines your compliance program elements. Look to see what the regulatory requirements are for the business you are in and make a catalog of them. That, in turn, will help you set the objectives of your program.
Next, take the time to tailor those requirements to the unique aspects of your organization. To do so, first spend time with operations to understand their level of knowledge, processes, resources and documentation. That will help you prioritize what needs to be done.
Take the time also to gain the support of leadership. They may need education in everything from what a compliance program is to the specific requirements of your situation. One very effective technique is bringing them examples of non-compliance in your industry and the consequences of it.
On an ongoing basis, follow the seven elements of a compliance program and make sure that you prepare your colleagues for the fact that changes happen. Laws and regulations evolve, and the compliance program must do the same. It will help things go a bit more smoothly when you have to institute a new direction.
Listen in to learn more about the essential steps for starting a compliance program.
1/2/2024 • 13 minutes, 56 seconds
Frank Orlowski on Using AI in Compliance Programs [Podcast]
By Adam Turteltaub
When compliance professionals discuss AI most of the conversation tends to focus on the risk. Frank Orlowski (LinkedIn), Founder and President of Ation Advisory Group, though, is far from all gloom and doom on the topic. In fact, he believes AI can be an asset to compliance programs.
AI, he explains, can be of great value for compliance any place where there are large amounts of transactions that need to be monitored and checked. Two notable examples are travel & entertainment and accounts payable/vendors. AI is very useful for identifying outlier transactions that could be a sign of trouble.
In manufacturing, it can be very helpful in monitoring materials being used. AI can also be helpful, he believes, in ESG efforts.
But, there are limits. AI is not ready for handling contracts, he argues. It is also chronically deficient when it comes to addressing the gray areas of ethics and fairness. There it’s important for compliance teams to work with the business unit closely to ensure decisions are adequately documented and AI does not make decisions that would be regrettable from an ethics perspective.
Listen in to learn more about how AI could help your compliance efforts.
12/21/2023 • 10 minutes, 57 seconds
Will Crawford on Conflicts of Interest in Clinical Research [Podcast]
By Adam Turteltaub
The topic of conflicts of interest (COIs), especially in healthcare, is a very broad one. It can encompass professional activities, board membership, purchasing, procurement and more. But it is the financial conflicts, especially for those that conduct research, that can be most problematic.
To help unpack the topic we are joined in this podcast by Will Crawford (LinkedIn), an associate in the DC office of Hogan Lovells. He explains that, in the case of research, a COI occurs whenever the interests of the investigator, their spouse or their children could affect the design, conduct or reporting of institutional research. And, of course, there is a potential conflict when outside activities like consulting and speaking can interfere with an individual’s primary employment.
Federal regulations have expanded greatly in this area, with the Public Health Service now being joined by the US Department of Energy and even NASA with regulations of their own. Compliance teams need to monitor the changing direction from all three.
What else should compliance teams be doing? First, ensure the training is adequate and reflects the changing regulations. That includes helping others understand that the changing regulations are a necessary reflection of evolving risk. Second, ensure that the compliance team, itself, understands the current rules; there is much confusion out there.
Other things to consider or embrace:
Centralizing the process for managing COIs
Requiring more disclosures and independent review boards
Planning for greater transparency
Developing policing and monitoring systems
Finally, be mindful of joint ventures. They can create great opportunity, but they also carry substantial risk.
12/19/2023 • 12 minutes, 15 seconds
Mark Diamond on Record Retention and Information Governance [Podcast]
By Adam Turteltaub
Record retention and information governance have grown exponentially more complex as the number of laws has proliferated and the amount of data housed has exploded. This has vastly complicated the question of what data to hold onto and for how long.
Mark Diamond, CEO of Contoural, points out that sometimes there are even competing and conflicting compliance regimes. For the most part, the rules specify a minimum number of years that information must be retained. However, organizations can typically retain records longer if there is a compelling and documented business need. Still, the temptation to just hold onto the data must be resisted.
In this podcast he outlines the importance of getting a good handle on what data the organization has, categorizing it appropriately, determining how long it will be retained, and how it will be destroyed.
Typically, this is an exercise involving multiple disciplines, including compliance, legal, IT, security, privacy and the business unit. A committee is likely the best way to manage the challenge, and having a compliance person in the lead position can be very useful.
Listen in to better understand how the information in your organization can be governed more effectively, who to involve, how to structure the effort, and the important difference between information governance and data governance.
12/14/2023 • 11 minutes, 47 seconds
Ronnie Feldman on Playing Offense and Defense [Podcast]
By Adam Turteltaub
Ronnie Feldman (LinkedIn), CEO, Founder and Creative Director of Learnings & Entertainment, thinks that compliance teams play too much defense and not enough offense.
What does that mean? In this podcast he explains that offense consists of the proactive, preventative measures designed to keep problems from happening. Defense is reactive and is made up of investigating allegations and cleaning up issues. In his experience, time and money are focused more on defense than on offense.
So what should we do? He recommends realigning efforts, starting with looking at the key influences of behavior: the social environment and the influence of leadership. That includes changing the perception of compliance and turning it into a more positive one. One specific step he advocates is making the training more relevant and enjoyable to take.
On the leadership level, he advocates for making them a larger part of the ethics team by providing them with the tools they need to address ethics issues. This could include videos to share and simple learning exercises they could take their teams through.
All of these efforts can promote an environment of psychological safety and lay the groundwork for a compliance program that works and delivers measurable results.
Listen in to learn more about how your program can play more offense.
12/12/2023 • 15 minutes, 7 seconds
George Porter on the EU Corporate Sustainability Due Diligence Directive [Podcast]
By Adam Turteltaub
On February 22, 2022 the European Commission adopted a proposal for a directive on corporate sustainability due diligence. In this podcast, George Porter, Knowledge and Training Manager at Ground Truth Intelligence, reports that the directive, which is still being negotiated, is both a continuation of past measures and something new. It is designed to unify a great deal of previous regulation and create an ESG framework for both EU-based companies and those doing business in the EU.
The directive covers three key areas: environmental risk, social goals such as modern slavery and child labor, and governance.
The governance portion, importantly, addresses the duty of care and the need to conduct due diligence. It also significantly expands the stakes for organizations. Due diligence of the supply chain continues but organizations will now be responsible not just for how they sourced materials, but also how their products are disposed of.
To back it all up there will be substantial potential penalties, including civil liability and fines up to 5% of global turnover.
So what should organizations expect to do differently or better from a compliance perspective? He recommends preparing for a greatly enhanced auditing and monitoring program. Action plans will be needed for suppliers who need to improve their efforts. On a continuous basis there will be a need to check that these plans are being followed and attestations are not just tick boxes.
Listen in to learn more about how this directive will likely lead to substantial changes in the ways in which organizations do business and what compliance teams need to start preparing for.
12/7/2023 • 14 minutes, 37 seconds
Lori Tansey Martens on the Continued Challenge of Remote Work and Corporate Culture [Podcast]
By Adam Turteltaub
While the pandemic seems, at least for now, to be receding into our past, many of the changes from it have not, including a large percentage of the workforce that works remotely. While in some ways we have gotten used to this new normal, Lori Tansey Martens (LinkedIn), President, International Business Ethics Institute, warns that there remains cause for concern. Specifically, the high prevalence of remote work has negatively impacted, and continues to negatively impact, corporate culture.
Culture is made up of shared values and beliefs, norms, mission and purpose, and in many ways it differentiates one organization from another. Recent research shows that the common fabric binding people together into one culture is fraying. Survey data she shares shows that employee feelings of alignment have decreased substantially, and while those declines have leveled off among in-office and hybrid employees, they have not among remote workers.
Remote workers also have the highest turnover rate and intent to change jobs, which suggests that they view their work as more transactional and are less committed.
That can have a huge impact on ethics and compliance. Research suggests that employees who feel less loyal and committed are less likely to take into consideration reputational risk and long-term damage to the organization. Add to that data suggesting they are less likely to speak up, and it’s a dangerous prescription.
So what should organizations do? For one, strive to connect people more fully. When workers are in the office together it’s okay to bring in remote workers via Zoom, but be sure that the people in the room are not just staring at their own individual laptops. You don’t want to exacerbate the issue by making in-office people wonder why they should bother, given that they are still on Zoom.
Look to do more in-person rather than virtual training; people are already staring at their computers enough.
Managers also need to be trained on how to manage and build teams with hybrid and remote workers. As she notes, we have totally upended the way we do business without giving them any real training.
When bringing on new remote employees seek to make them feel connected. Send them a package with items reflecting the local flavor of the office and notes from their new colleagues. Make a commitment to bring them into the office occasionally. You can’t immerse them fully in the culture without doing so.
Finally, track separately in-office, hybrid and remote workers on training, helpline calls and other metrics to make sure that the culture is present throughout your workforce, not just the in-house one.
Listen in for more.
12/5/2023 • 14 minutes, 58 seconds
Joshua Drew on Attachment C Compliance Guidance [Podcast]
By Adam Turteltaub
While most eyes have focused on the US Department of Justice’s document Evaluation of Corporate Compliance Programs when looking for guidance, it’s not the only DOJ source out there.
Josh Drew (LinkedIn), Member, Miller & Chevalier explains that it would be wise to also look to Attachment C. What is it? It’s a document typically attached to Foreign Corrupt Practices Act (FCPA) resolutions. It specifies what the defendant company will need to do to establish and maintain an effective corporate compliance program. As a result, it, like the Evaluation document, provides very clear guidance as to what the DOJ’s thinking is when it comes to compliance.
In August and September 2023 there were several changes to Attachment C. For one, it expanded the call for support from senior management down to include midlevel management as well. It specifically points to the importance of their tone and conduct: “The Company will ensure that mid-level management throughout its organization reinforce leadership’s commitment to compliance policies and principles and encourage employees to abide by them.”
In the realm of training, it calls for metrics to assess the effectiveness of the training, not just that it was given. That’s a theme consistent with other direction from the DOJ.
Not surprising for an FCPA-related document, it also calls for documenting the business justification for engaging a third party and ensuring that contract terms are specific. Third parties should also be tracked after the initial engagement, which means ongoing due diligence.
And, here, too, as elsewhere, the Department of Justice reinforces the importance of both incentives for good behavior and disincentives for bad.
Listen in and then be sure to spend some time reading Attachment C.
11/30/2023 • 11 minutes, 22 seconds
Nancy Roht on HIPAA Deep Dives [Podcast]
By Adam Turteltaub
At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and behind the times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile?
Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting, points out in this podcast that even though the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done, it’s best to do one annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy.
When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies.
When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, potential threats, vulnerabilities and security measures. Then, assign risk levels, prioritize and document your thinking. Years from now no one will remember what decisions were made and why, without the documentation.
Be sure to look externally at your business associates, particularly those with evergreen agreements. Those agreements may be out of date.
Listen in to learn more about how to make your HIPAA risk assessment stronger.
11/28/2023 • 15 minutes, 24 seconds
Steve Forman on Monitoring and Auditing [Podcast]
By Adam Turteltaub
Steve Forman (LinkedIn), Senior Vice President at Strategic Management Services, had an eye-opening experience years ago when interviewing for the job of Vice President of Audit and Compliance for New York Presbyterian Hospital. The chair of the board’s audit and compliance committee told him that his main role was not to find problems or weaknesses but to validate through the discipline of the audit processes what management suspected were problematic areas in terms of audit and coverage of risk areas.
That insight had several implications. First, it underscored that operational managers will always know more about their risk areas than auditors will, which means they are in the best position to identify problems and weaknesses. Second, it was a good reminder that there are never going to be enough auditors to address even the high-risk areas. Once again, we are dependent on managers.
So what does that mean? It means that monitoring should help drive the audit plan and strategy. In addition, managers need to be listened to on a regular basis, and they should be charged with monitoring.
In addition, he observes that the risk assessment must also not be treated as a static document. Risks can go up and down during the course of the year, and the risk mitigation strategy needs to be adjusted with it.
Listen in to learn more about how to improve your monitoring and auditing, as well as the role of management in it.
11/21/2023 • 10 minutes, 49 seconds
The FBI on Economic Espionage [Podcast]
By Adam Turteltaub
Economic espionage sounds more like the stuff of a spy thriller than a day-to-day concern for business. Not so, as it turns out. To learn more we sat down with the FBI’s Counterintelligence Division Unit Chief Matthew Charles and Cyber Division Supervisory Special Agent Michelle Liu.
Economic espionage generally refers to stealing trade secrets for the benefit of an overseas competitor, often one aligned with a foreign government. An employee at your organization working on a sensitive project may be leveraged, frequently with the lure of cash and other payments.
Typical targets include technology with potential military use and, of late, pharmaceuticals.
To counter this threat, the FBI Cyber Division maintains partnerships with many private sector companies to identify nefarious conduct on their networks. Meantime the Counterintelligence Division looks upstream for actors coming into the US seeking access to US technology.
So what should companies do? First, protect yourself. Encryption can be helpful along with limiting access to sensitive information only to key people. Make sure, too, to track who in your firm is accessing trade secrets.
Also, be sensitive to unusual employee behaviors or changes in affluence levels. An employee suddenly downloading large files at night, emailing sensitive information to their personal email address, or whose debt problems have inexplicably disappeared could be engaged in economic espionage. Just don’t jump to any conclusions. There could be legitimate reasons for these actions.
Second, the FBI advises reaching out to them when an incident occurs. The FBI can’t investigate without ongoing collaboration of the victim organization. They also advise that it is never too early to call them in, and if you do not want them there, they will pull out.
Finally, take the time to leverage government resources. Be sure to familiarize yourself with the US Department of Justice’s Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) website.
You will find there information on reporting computer, internet-related or intellectual property crime.
And, of course, listen in to the podcast to learn more about the risks of economic espionage and what you can do to mitigate it.
11/16/2023 • 12 minutes, 43 seconds
Jason Meyer on Neurodiversity [Podcast]
By Adam Turteltaub
How do you understand “neurodiversity” or “neurodivergence”? It starts with the recognition that no two humans are exactly alike and no two brains function exactly the same way. It then goes on to recognize that for people with ADHD, autism, dyslexia, sensory integration and executive function issues, those differences can be substantial.
Estimates are that about 20% of the workforce has some sort of neurodivergence.
In this podcast, Jason Meyer (LinkedIn), President of LeadGood Education, explains that compliance teams need to recognize neurodivergence when communicating with the workforce. This means looking for more structured communications that make it easy for learners to see things step by step.
Another technique to pursue is reducing cognitive loads and demands on working memory. A test at the end of a two-hour course may be too much for many people to be able to manage successfully.
Some other tips include having visual cues to accompany text and offering an audio option. That way if someone is limited in one sense, they can rely on another.
If you have someone neurodivergent on your team, start with watching your assumptions. If a person is not making eye contact or is responding to questions haltingly, don't assume they don't care. They may be neurodivergent.
Above all, be empathetic and listen, and park your preconceived notions at the door.
Listen in to learn more about the challenges and opportunities with neurodiversity.
11/14/2023 • 14 minutes, 44 seconds
Vera Cherepanova on the EU Directive on Combatting Corruption [Podcast]
By Adam Turteltaub
Currently there is a patchwork of anticorruption laws across the EU. What has been lacking, though, is an EU-wide approach. That is likely to change soon, reports Vera Cherepanova, founding partner of Studio Etica.
Change is afoot. In May 2023 the EU issued a new proposal to combat corruption, including a new Directive of the European Parliament and the Council on combatting corruption by criminal law.
The new directive, she explains, makes it clear that actions by senior executives can have significant consequences both for the individuals involved and their organizations. Companies could face fines of no less than 5% of worldwide turnover.
Notably, like the US Foreign Corrupt Practices Act, the new EU directive has extraterritorial reach, which raises the prospect of more enforcement actions.
The directive also includes incentives for compliance programs consistent with what is found in law elsewhere: “…where legal persons have implemented effective internal controls, ethics, and compliance programmes, it should be possible to consider these actions as a mitigating circumstance.”
Meantime, across the English Channel, the UK Parliament is considering a new Economic Crime and Corporate Transparency Bill, which could represent a hugely significant change in the enforcement landscape. It includes a crime of failure to prevent fraud. In addition, corporations can be held liable for acts of senior managers.
Listen in to learn more about the upcoming changes and what they may mean for your compliance program.
11/9/2023 • 15 minutes, 42 seconds
Kristine Coy-Foster on Goal Tracking [Podcast]
By Adam Turteltaub
Kristine Coy-Foster (LinkedIn), Senior Manager, Compliance & Employee Engagement at Vulcan, had a challenge many in compliance face: tracking all her to-dos, and then, once a to-do turned to done, tracking the accomplishment. It was important for her to be able to capture the challenges she faced, new ideas tested and processes developed.
Trying to keep it all straight in Outlook or Excel spreadsheets wasn’t enough. To solve the problem she invested the time to learn Smartsheet, a platform that primarily is for managing projects and automating processes. In it, she created workstreams, alerts, dashboards and more.
She also created categories for each of the functional areas she oversees and organized her to-dos accordingly.
The solution has worked well for her, but, she cautions, it does take a strong commitment to keeping everything up to date.
Listen in to learn more about how to put this tool to work for you, or, maybe, customize the tool you are already using to track your own compliance team’s progress.
11/7/2023 • 12 minutes, 42 seconds
Evelyn Suarez and Thad McBride on the Uyghur Forced Labor Prevention Act [Podcast]
By Adam Turteltaub
Since the 1930s the United States has had import bans on goods made with forced and convict labor. But the rules were tightened in 2021, explain Evelyn Suarez, Principal, The Suarez Firm, and Thad McBride, Partner, Bass, Berry & Sims PLC. That is when Congress passed the Uyghur Forced Labor Prevention Act (UFLPA). The act creates a rebuttable presumption that goods made in whole or in part with labor from the Xinjiang region of China are made with forced labor.
If US customs suspects that goods are made in this region, they can stop them until the importer can provide the necessary assurances. In addition, goods made in other regions are also being stopped because their supply chain includes labor from Xinjiang.
So, what should compliance teams do to help the business unit navigate the issue? For one, it’s key to go beyond the first-line supplier, which is as far as most organizations typically look, and start looking deeply into the supply chain by researching your suppliers’ suppliers.
Suppliers should be asked what connections they have to China. Mapping questionnaires should be developed and issued. Training needs to be given, and third-party vetting vendors will likely be needed.
In addition, develop interdisciplinary teams to create a plan for responding should a shipment be held. Even before that, start developing a good relationship with customs and take advantage of their expertise.
As is the case with so much else in compliance, keep good records that you can present to customs, maybe even on a proactive basis.
Finally, keep your eyes open for customs rulings and court cases that may provide guidance on what to expect next.
11/2/2023 • 14 minutes, 14 seconds
Stefani Sonzzini Navarro on When Employees Report on Themselves [Podcast]
By Adam Turteltaub
We spend a lot of time in compliance discussing how to encourage employees to come forward and report any wrongdoing they see around them. Considerably less time, though, is spent on how to handle employees who report their own wrongdoing.
In this podcast, Stefani Sonzzini Navarro, LATAM Compliance Officer for Corteva Agrisciences, balances the scales.
Encouraging employees to come forward with their own questionable acts, she explains, begins with having the right culture. People need to be comfortable and feel safe to report.
Getting there takes time and repetition, she explains, along with a strong anti-retaliation policy that covers self-reported wrongdoing as well.
When an employee first brings the potential issue to your attention, she advises letting them know that if they report something you are obligated to act on it, and that you have to do what is in the best interest of the company. Let them know you will protect their confidentiality as much as possible, but that you also will have to remediate.
This will help build trust, but also let them know what is likely to happen.
The subsequent investigation should be conducted as quickly as possible, in recognition of how anxious the subject likely is.
Throughout, she advises, be open and make yourself available. If you let the employee grow too anxious, there could be adverse behaviors and consequences.
If the employee has in fact done something wrong, their willingness to report must be recognized. Let them know that things would have been worse if they had not spoken to you.
Listen in to learn more about how to encourage and support self-reports of wrongdoing.
10/31/2023 • 12 minutes, 11 seconds
Maria Victoria Mota on Brazil’s AI Legislation [Podcast]
By Adam Turteltaub
While many of the world’s governments are struggling to determine what to do about AI, Brazil already has a track record in this area. As Maria Victoria Mota, Corporate Attorney at Viapol (a subsidiary of RPM), explains in this podcast, the roots of government action in Brazil go back to 2018 with data protection regulations that are similar to the European General Data Protection Regulation (GDPR).
This initial legislation was followed by a second in 2020 created to develop the rules of how the government, companies and individuals may use AI. It was followed by more legislation, most recently in 2023.
The latest came after a committee of jurists was created to help frame the bill. Working with scientists and experts in technology, they examined how AI should be used and reviewed the AI laws of 31 different countries. The goal was to create legislation specific to the needs of Brazil.
Privacy is a central pillar of the bill, which is also based in human rights and sound data protection practices. It is designed to ensure accountability, and organizations seeking to comply need to follow eight steps, Maria explains:
Create a multidisciplinary work group.
Empower the group with knowledge so they can bring learning to the company.
Map AI in the company. Understand what departments are using it and how much.
Create a policy and procedures around AI and document them.
Train employees on the policies and procedures created so they can understand how important they are.
Apply the policy and procedures.
Stay current with changing laws and regulations.
Audit compliance regularly.
Listen in to learn more about both Brazilian AI law and what makes for effective internal controls around the use of AI.
10/26/2023 • 10 minutes, 46 seconds
Richard Bistrong on the Risks of High Performers [Podcast]
By Adam Turteltaub
Fast Company recently ran an article with the headline “Research Shows High Performing Employees are More Prone to Unethical Mistakes.” It’s both an alarming and an intriguing proposition.
To understand more I spoke with Richard Bistrong, CEO of Front-Line Anti-Bribery LLC, who co-authored the article along with Ron Carucci and Dina Smith.
Why are high performers potentially so dangerous? For one, he explains, success tends to block scrutiny. People don’t like to question it and are just grateful to see so much of it. They may not think to look or not want to look too deeply.
Another challenge is that the more successful people are, the more addicted to success they may become, something Richard knows from his own experience. The challenge of being a corporate hero, he explains, is that once you earn that status, you typically don’t want to give it up and may end up going down what has been called the rabbit hole of success.
At the same time, the company may be exerting pressure on the individual to do ever more, partially because it is standard practice in business to set higher goals. But also, the company may grow disproportionately dependent on the results the high performer can generate.
Fortunately, there are several things that can be done to mitigate the risk without clipping the wings of the highflyer. For one, compliance teams should try to look at the incentive plans to both identify the risks and help mitigate them. While there, look to also include compliance measures that make it clear that it’s not just about achieving the goals, it’s also about how you achieve them.
Second, connect rewards and good performances with the company’s values and mission. This helps the high performer understand both what the rules are and why they are important.
Listen in to learn about how to get the most out of high performers while avoiding the risk that can come with them.
10/24/2023 • 12 minutes, 54 seconds
Andrea Falcione on Institutional Justice [Podcast]
By Adam Turteltaub
In the September 2023 issue of Compliance and Ethics Professional® (CEP) magazine, Andrea Falcione (LinkedIn), Chief Ethics and Compliance Officer and Head of Advisory Services of Rethink Compliance LLC, wrote about fostering a speak-up culture. Institutional justice, she wrote, is a critical part of that effort and “paramount to gaining and keeping employee trust.”
To learn more about the topic, I sat down with her for this podcast, in which she explains that there are four elements of institutional justice.
The first is Respect for everyone involved in an incident. That includes the person who comes forward with an allegation of course, but it should also include those the allegation was raised against, any witnesses and also people who come forward to self-report. By doing so, you make it clear that it is safer and better to come forward when there is wrongdoing.
Voice is the second element. She shares that this means allowing people to speak and share their story. It also means listening attentively, showing interest, making good eye contact and asking open-ended questions.
Neutrality is about making unbiased decisions and not letting a conflict of interest get in your way, such as when investigating a high performer in the organization.
Transparency, about both the process and the outcome, is the fourth key element. It helps build trust that the process is fair and demonstrates that there will be a thoughtful response by the organization.
Listen in to learn more about what institutional justice is and how to improve it in your organization.
10/19/2023 • 12 minutes, 51 seconds
Chris Audet on Compliance Program Stresses, Strains and Opportunities [Podcast]
By Adam Turteltaub
Where is the compliance profession now and where is it going?
To find out we sat down with Chris Audet, Chief of Research at the Gartner Center for Legal, Risk & Compliance Leaders. Gartner recently issued a report: “Key Budget, Staffing and Spending Trends for Compliance in 2023”, and in this podcast he shares some of the insights in it.
When it comes to budgets, compliance teams are strained, but not how they expected. During the pandemic there were fears of large funding cuts. While there have been some reductions, on the whole they have been minor.
However, workloads have increased dramatically. This has led, he explains, to overstretched departments where the loss of even one FTE can be devastating.
Three key issues have led to the increase in demands on compliance teams:
The challenge of tracking regulations.
A rising number of issues, such as ESG, that may have begun in another department but are now considered compliance’s responsibility.
Conducting internal investigations in an expeditious manner. With workers in the office less, the pace of investigations has slowed.
To help get the work done compliance teams are investing more heavily in technology, particularly in risk management systems. The pace of investment is expected to grow as compliance teams contend with flat budgets and reduced staff.
To retain staff, Gartner advises creating a strong value proposition that includes a work-life balance and career development.
Listen in to learn more about the state of compliance and how teams are coping.
10/17/2023 • 11 minutes, 48 seconds
Dr. Shan Nair on Global Expansion [Podcast]
By Adam Turteltaub
When an organization begins to expand globally, or even when a global organization enters a new market, the compliance challenges can be considerable and multiple.
In this podcast, Dr. Shan Nair, President of Nucleus, explains that companies need to worry not just about issues such as anti-corruption and data privacy. There are a host of HR, accounting, corporate taxation, indirect tax, withholding tax and other compliance issues.
In addition to these obligations there may also be filing requirements. Germany, for example, requires a special filing if a local subsidiary is not self-funding.
Making things more complicated is that a trusted source for compliance advice in one area likely is completely unaware of the challenges in another.
The bottom line is that it takes a concerted effort and a very local approach to meet all these obligations and ensure that the organization is compliant not just on the big issues, but on the dozens of less headline-grabbing ones as well.
10/12/2023 • 9 minutes, 22 seconds
Adam Balfour on Branding Your Compliance Program [Podcast]
By Adam Turteltaub
You may not realize it, but your compliance program has a brand. Line employees and management all have a host of impressions about the compliance department that color how they respond to what you say and do. A strong brand means that your actions are more likely to be appreciated. A weak brand means it’s a very steep uphill climb.
Adam Balfour, Vice President & General Counsel for Corporate Compliance at Bridgestone Americas and author of the book Ethics & Compliance for Humans, is an advocate for compliance teams making the effort to invest in creating a strong, positive brand that communicates the value of the program.
As a part of that effort, compliance teams need to move beyond simply building awareness to ensuring that the brand resonates and is relevant to the organization. To do that he advocates taking a people-centric approach and using three methods of motivation:
Start with why. Don’t just tell them what to do. Tell them why they need to do it beyond “the law requires it”.
Emphasize group safety. Share what others in the organization are doing and use community as a motivator.
Use incentives. The US Department of Justice is calling for them, and they can be very helpful, even non-monetary ones.
Finally, leaning on his United Kingdom roots, he encourages compliance teams to think like soccer midfielders, players who can both defend and attack.
Listen in to learn more about how you can strengthen your compliance program’s brand.
10/10/2023 • 13 minutes, 29 seconds
Lisa Monaco on Voluntary Self Disclosures in Mergers & Acquisitions [Podcast]
By Adam Turteltaub
On October 4, 2023 at the SCCE Compliance & Ethics Institute in Chicago, US Deputy Attorney General Lisa A. Monaco spoke live from Washington to the attendees and used this opportunity to announce a new Safe Harbor Policy for voluntary self-disclosures made in the context of the merger and acquisition process.
Under the policy, acquiring companies that promptly disclose criminal misconduct voluntarily within the six-month safe harbor period, cooperate with investigators and engage in remediation, restitution and disgorgement will receive the presumption of a declination. She also explained that, absent aggravating factors at the acquired company, it will not impact the acquiring company’s ability to receive a declination.
She also shared how the Department of Justice has been fighting corporate crime including:
The expansion of corporate enforcement efforts in the national security realm
New tools DOJ is using to penalize corporate misconduct and provide incentives for good corporate citizenship
Areas where they see further opportunity for innovation and expansion
Listen in to learn more and hear her underscore the importance of compliance programs, proper corporate incentive plans, and the DOJ’s expectation that the compliance team will have a seat at the deal table.
10/9/2023 • 19 minutes, 47 seconds
Scott Young on Taking a Behavioral Approach to Compliance [Podcast]
By Adam Turteltaub
Much of the day to day of compliance isn’t about understanding laws. It’s about influencing human behavior and steering people in the right direction.
In this podcast, Scott Young, Principal Advisor and Head of Private Sector at Behavior Insights Team, Americas, shares that understanding how people make decisions can help compliance teams be more effective. To do so, he advocates for using behavioral science to gain a broader perspective for thinking about human behavior.
The field has shown, for example, that the classic economics model of rational thinking doesn’t always apply. Too often we operate in a semi-automatic mode, making decisions quickly, not really aware we are even making them.
So what do compliance teams do? Adopt what he describes as the EAST Framework.
Easy. Make sure the proper choice is the default choice.
Attractive. Make compliance fun and engaging. Embrace gamification and other ways to make compliance more attractive to people.
Social. Humans are social beings, and we are curious what others are doing. Think about tapping into the power of the group, such as by leveraging social norms.
Timely. Having reminders and controls in place when they are timely is difficult but not impossible. Look for the right moments of intervention and the right, often quick, reminder of what is the right thing to do.
Listen in to learn how you can put a behavioral approach to work for your compliance program.
10/5/2023 • 14 minutes, 48 seconds
Carrie Penman on the State of Compliance in 2023 [Podcast]
By Adam Turteltaub
NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer.
Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from their job. It was still a minority, but a larger one than before.
Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy.
Looking globally – the survey also has data broken out for Germany, France and the UK – there was a far from uniform picture, with country-by-country variations showing varying priorities and levels of satisfaction. For example, risk and compliance professionals in Germany reported their ability to measure training and behavior higher than their peers in France and the US.
All in all, the report makes for a fascinating, and sometimes troubling, picture of the practice of compliance.
Listen in to learn more about what the data said and what it may indicate for your compliance program.
10/3/2023 • 13 minutes, 24 seconds
Brent Douglas on Background Checks [Podcast]
By Adam Turteltaub
It may be time to rethink background checks. Brent Douglas (LinkedIn), partner at the law firm Hahn Loesser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history.
He also warns that in some jurisdictions, screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check.
That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation, they are often required. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology.
If your organization conducts background checks, it may be best to have a third party conduct it for you. This both leverages their expertise and may shift liability if the check is done improperly. He also cautions that even a casual internet search of a prospective employee may turn up a past criminal conviction and cross the line into what legally constitutes a background check.
For those concerned about the risks of hiring a criminal, he points out that roughly 95% of the population does not have a criminal background. Amongst those with a conviction, about 95% of those were for marijuana possession or a DUI. He asks: is it worth doing the background check given these odds?
Listen in to learn more about the risks of background checks.
9/28/2023 • 15 minutes, 55 seconds
Mary Shirley on Leveling Up as a Compliance Professional [Podcast]
By Adam Turteltaub
Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program.
In this podcast she argues for embracing professional development and owning your own advancement.
Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year.
The same information, she points out, is very helpful when looking for your next position. It can help you both recall what you have done and prepare to answer questions about key accomplishments and solutions you have developed.
When it comes to speaking at conferences and writing, she offers some simple advice: Just start. If you don’t you will always wonder what might have happened if you did.
From a practical perspective, she urges people to remind themselves that the first draft doesn’t have to be the last. You can turn to others for feedback who can help you revise and improve that article or speaking proposal.
To get the best advice, she recommends creating what she calls a wisdom council: a group of individuals whose advice you can trust. The council should be made up of people with diverse skills and experiences who have practical expertise and the comfort level with you to offer both encouragement and honest feedback, even if it is uncomfortable.
Listen in for more advice on how to level up your skills and how to find the courage to pursue your goals.
9/26/2023 • 14 minutes, 50 seconds
Kristy Grant-Hart on Maximizing Your Conference Experience [Podcast]
By Adam Turteltaub
You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there?
Kristy Grant-Hart, CEO of Spark Compliance Consulting and a former compliance officer herself, shares in this podcast several excellent tips for making your conference time truly valuable.
Her recommendations:
Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks.
Pick the sessions based on both the topic and the speakers you want to listen to and meet.
Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have a defined time to work and a defined time to be fully present at the conference.
Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending.
Take advantage of vendor receptions and dinners to meet more people.
When you connect onsite, also connect on LinkedIn right then and there.
If you promise you’ll send someone a follow up email, do it that night before you forget.
Don’t be afraid to approach people you don’t know. They’re probably there to meet new people, too.
Put your follow-ups for once you’re back in the office into a list that you can easily find.
Listen in to hear more great ideas for getting the most out of your time at the conference.
9/21/2023 • 12 minutes, 42 seconds
Meric Bloch on the Experienced Investigator Workshop [Podcast]
By Adam Turteltaub
In 2023 the Society of Corporate Compliance and Ethics (SCCE) launched a second workshop designed specifically for investigators: the Experienced Investigator Workshop. Meric Bloch, who is one of the two instructors and Principal at Winter Investigators, explains in this podcast that the workshop is very different from most.
Rather than using a traditional method of instructors in front of the room, it seeks to engage the participants directly and make them a part of the learning. Participants are led through case studies and asked to take an active part in the classroom interactions. This provides an opportunity to explore the issues, consider various ideas and think deeper.
Looking beyond the surface level mechanics of the investigation is a central part of the workshop. Much of the conversation focuses not on the what to do’s, but the why’s: why use a certain technique, why one choice may be better than another.
The workshop also helps its participants to prepare for what he refers to as the “unknown unknowns”. Often investigators plan out an investigation, Meric notes, based on what they know and what they know is as yet unknown. However, as the process proceeds, surprises occur, and previously unknown unknowns must now be tracked down.
So who is the workshop best for? Several groups:
Those who already know the basics and want to get to the next level.
Individuals seeking to have a wider perspective on cases and become not just an investigator but also a business advisor.
People who aspire to be a full-time investigator and seek to raise their competence.
Lifelong learners.
Listen in to learn more, and then take some time learning more about the investigator workshops.
9/19/2023 • 12 minutes, 3 seconds
Andre Bywater on the EU-US Data Privacy Framework [Podcast]
By Adam Turteltaub
First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework.
The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted.
The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling EU data, a process that will be overseen by the US Department of Commerce, with enforcement handled by the FTC.
Whether self-certifying for the first time or recertifying, there are countless details to be watched. There are special provisions, for example, when it comes to HR data.
And, of course, there is a question of whether courts in Europe will allow the new regime to stand. There is already speculation that a new case may be brought in January 2024.
For now, though, there is a new EU-US Data Privacy Framework in place. Listen in to learn more about what your organization needs to do to comply.
9/14/2023 • 11 minutes, 21 seconds
Mark Schreiber on PCI 4.0 Compliance [Podcast]
By Adam Turteltaub
Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe.
Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations.
Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers, and have written agreements with them that account for security standards and include a process for due diligence before engaging with them.
Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security.
Perhaps needless to say, this is not likely to be a quick process. Also likely to be time consuming is the mandatory self-assessment questionnaire.
Listen in to learn all that PCI 4.0 requires and to hear an important warning: just because you outsource your credit card processing doesn’t mean you outsource the risk.
9/12/2023 • 15 minutes, 4 seconds
Cheryl Gilbert on Celebrating Corporate Compliance & Ethics Week [Podcast]
By Adam Turteltaub
Stamford Health has just a bit less than 4000 employees spread out in over 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy.
To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site.
What aren’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it.
To make the week fun they have developed a wide range of activities including a:
Haiku contest. Employees are challenged to write a haiku based on the organization’s core values.
Where’s Waldo-type game in which employees have to spot all the breaches on a messy desktop.
Question of the day.
Word search, which is probably the most popular of all.
There is also the opportunity to nominate compliance heroes, with rewards to both the hero and the person who nominates them.
While all of these are great for building the relationship between compliance and the rest of the organization, she advises that you shouldn’t let your Corporate Compliance & Ethics Week be the only time a year in which the barriers come down. She recommends investing wherever possible in face-to-face interactions. You would be amazed, she tells us, at what a coffee cake can do to help.
Listen in to learn more about how to make your Corporate Compliance & Ethics Week celebration a success.
9/7/2023 • 13 minutes, 38 seconds
Jeremy Laws on Cancer Reporting Requirements [Podcast]
By Adam Turteltaub
Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers.
In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissue is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment.
And, for those concerned about HIPAA, he points out that there is a public health exception that this falls squarely under.
The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers.
Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency to believe that, for example, the lab is reporting the results and so the physician does not need to. That’s not the case, he explains. Worse, many facilities do not even know that they need to report cancer findings.
Listen in to learn more about how to ensure your health care facilities are meeting their cancer reporting requirements.
9/5/2023 • 12 minutes, 43 seconds
Stephen Pavlicek on Involvement Options with SCCE & HCCA [Podcast]
By Adam Turteltaub
When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it.
In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA shares the free resources the association provides and how to take advantage of them.
The first stops are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents.
To see all that’s there, first log in on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry.
If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The group selects topics to discuss, breaks up into smaller groups for conversation, then returns for further conversation.
In addition, there are active LinkedIn groups for SCCE and HCCA. Read the messages there, share insights of your own, or use the group to connect directly with other compliance professionals.
In sum, there are a host of vehicles out there for you to connect with and meet the wider compliance community. Be sure to take advantage of all of them.
8/31/2023 • 6 minutes, 55 seconds
Laura Fey, Tom Leatherbee and Jillian Cusack on Compliance and Disaster Preparedness [Podcast]
By Adam Turteltaub
When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last.
That’s a dangerous mistake, explains Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause.
Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay into pension plans and make insurance payments – to financial reporting.
There may also be state laws and standards under ISO and SOC 2 that may be implicated.
If your institution is a recipient of federal grants, the reporting requirements don’t stop during disasters. Plus, if your organization will be seeking federal disaster grants, there will be compliance obligations there as well, including the need to document the damage.
To ensure the compliance team is a part of disaster planning, establish a relationship with the person in charge of leading that effort. Learn who else they work with and get to know them as well.
Take the time to understand what the risks are using resources such as Ready.gov. Think through what data you will need to collect and track during the pandemic, and be prepared to help your colleagues understand that compliance can play a vital role in disaster planning and recovery.
8/29/2023 • 14 minutes, 37 seconds
Jonny Frank and Kat Nolan on Compliance Program Certifications [Podcast]
By Adam Turteltaub
There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles.
Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned. They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared.
Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers.
In the podcast they lay out a five-step process for certification:
Select a framework for the certification criteria that the organization will grade itself against.
Conduct a scenario-based compliance risk assessment.
Assess and design key control activities.
Create a sub-certification waterfall: set accountable owners throughout the organization to certify compliance effectiveness in their area.
Arrange for a third party or internal audit to assess the program.
Listen in to learn more, including the importance of documenting your processes.
8/24/2023 • 10 minutes, 32 seconds
Kristy Grant-Hart on the Global vs. Local Dilemma [Podcast]
By Adam Turteltaub
So, you’ve got a global compliance program. But, what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”?
Kristy Grant-Hart, CEO of Spark Compliance Consulting recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible.
Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another.
Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally.
So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the other.
Look also at employment practices. Having a policy of non-discrimination is good, but in some regions there may be requirements to hire certain indigenous groups.
To avoid confusion, she advises defaulting to one policy wherever possible, and be sure to have a version control process in place. You don’t want one office to still be operating under an old policy.
Listen in to learn more about how to make thoughtful localization decisions, how to get honest feedback locally, and what to do about facilitation payments.
8/22/2023 • 13 minutes, 14 seconds
Melinda Shapiro on Enterprise Risk Management [Podcast]
By Adam Turteltaub
Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate.
Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year.
Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle.
The results have been highly positive. She reports that there is a much better understanding of risks and controls. In addition, there is now better alignment and very strong support from the board’s audit committee.
Listen in to learn more about what she did differently, how she learned from others, and new ways to think about your own ERM process.
8/17/2023 • 12 minutes, 11 seconds
Emeka Obiora on Health Care Compliance in the United Arab Emirates [Podcast]
By Adam Turteltaub
Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations of healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi.
Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers.
As a result, the risk profile is very different. Risk is still present, though, with several key areas to manage.
The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking.
The second common risk area is conflicts of interest, which is focused on interactions with pharmaceutical and medical device manufacturers. To ensure that there is no undue influence, contact between clinicians and providers may be completely prohibited.
As is the case elsewhere in the world, privacy is also a significant concern, and in the UAE it has grown to be a greater challenge now that there is a new, tougher law.
So, is working in the UAE in healthcare right for you? Emeka recommends asking yourself if you have a sense of adventure. As importantly, ask the same about your family and what impact a move may have on them.
If you do decide to take the plunge and find a potential opportunity, assess it like you would any other compliance position. Look at the organization and its governance structure: Will you have access to the senior level of the organization?
Question carefully their approach to compliance and ethics. While it may not be as advanced as what you are used to in the US, if the tone and the commitment are there it’s worth considering, especially because there is a growing emphasis on accountability, corporate responsibility and ethics in the UAE. That portends well for the future.
Listen in to learn more, including one myth about the UAE that needs to be dispelled.
8/15/2023 • 12 minutes, 23 seconds
Ami Simunovich on Growth, Risk and Compliance [Podcast]
By Adam Turteltaub
Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, points out Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, they need to balance that with a need to see, and encourage others to take, the right risks.
A compliance officer who can do that earns credibility with business leaders.
So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making.
Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision? Would our partners be proud of what we have done? Is this who we are?
Along the way, embrace open conversations that ask whether the decision or initiative is the right one. At the same time, be sure that, as the business proceeds, there are controls in place that are fit for purpose for the risks at hand.
Listen in to learn more about how the compliance team can help the business grow.
8/10/2023 • 13 minutes, 6 seconds
Adrian Taylor, Ahmed Salim and Nakis Urfi on ESG and DEI [Podcast]
By Adam Turteltaub
One of the more well-attended sessions at the SCCE 22nd Annual Compliance & Ethics Institute promises to be “ESG and DEI: How to Position for Stakeholder Success”. The session will be led by Adrian Taylor, Director of Diversity, Premier Health; Ahmed Salim, Chief Compliance Officer, iRhythm; and Nakis Urfi, Product Compliance Officer, Babylon Health.
ESG and DEI are two of the hottest issues in compliance, and in this podcast preview of their session they start by taking on a controversial topic: Should DEI and ESG be combined? Traditionally, DEI has been its own discipline. Many now argue it should be considered a part of the S (Social) in ESG, while others feel that doing so would diminish the emphasis on DEI.
Ideally, DEI should not be affected by being included in ESG, they say. If handled correctly, it can maintain its focus and management commitment and even strengthen ESG efforts. When the two are aligned they create a more sustainable business model that balances people, profit and planet. Together they can also help foster engagement with stakeholders, improve culture, encourage greater accountability, and help the company’s reputation.
To be successful, Nakis, Ahmed and Adrian argue, organizations need to manage four key challenges of ESG ratings:
A limited focus on DEI
Having accurate, valid data
A lack of standardization
Subjectivity
All of these can lead to ratings that are more judgement scores than a true measure of an organization’s commitment to DEI and ESG.
Listen in to learn more, including how to identify data that is truly useful for measuring your organization’s DEI and ESG success.
Then, don’t miss their session at the SCCE 22nd Annual Compliance & Ethics Institute.
8/8/2023 • 15 minutes, 7 seconds
Crystal Jezierski on Compliance Frameworks and Management [Podcast]
By Adam Turteltaub
Crystal Jezierski, Senior Managing Director, Guidepost Solutions, thinks that at this point we have enough guidance documents and frameworks for compliance programs.
That’s not a criticism but a compliment. She finds the existing prescriptions to be helpful, instructive and reflective of the evolving understanding of best practices for effective compliance programs. They are also flexible enough for new and emerging risks.
What’s needed now, she believes, are more opportunities to benchmark, share, apply and test how programs are implemented.
As with compliance programs as a whole, that begins with understanding how to assess risk and how others are doing so. If done correctly, of course, a risk assessment can orient resources to both current and future issues as well as change how the company is doing business.
When managing a new issue, she recommends involving a combination of the standard partners – HR, internal audit, finance and technology – as well as additional partners who bring expertise to addressing the risk at hand.
One other partner needs to be considered throughout: the board. It can be a tremendous asset for compliance, sometimes more so than leadership.
To gain and keep board support, she advocates for regular contact, updates, and conversations about emerging issues.
Listen in to learn more about how to leverage the compliance frameworks, learn from others and work with the board to create a stronger compliance program.
8/3/2023 • 11 minutes, 51 seconds
Eric Baim on Compliant Business Communications Through Messaging Apps [Podcast]
By Adam Turteltaub
Email isn’t enough anymore, if it ever really was. Employees are communicating with each other, clients and prospects via texts, WhatsApp, Teams, Slack and many, many more tools.
Much attention has been paid to the US Department of Justice’s call for organizations to be able to produce all that communication, which is not an easy task. Eric Baim, partner at Dovetail Consulting Group, explains that focusing on producing the communications is important, but it isn’t enough. Compliance teams need to train employees to use these technologies appropriately.
That education process begins with compliance developing an understanding of what these applications were designed to do: facilitate quick, back-and-forth interactions, brainstorm, and ask a question less formally than one would via email. The problem is that often these interactions lack context because they are continuations of other conversations. As a result, an outsider seeing them can draw very incorrect conclusions about what was being said.
With that understanding in mind, it’s important to make it clear to employees that if they are conducting company activity via these communication tools, they still need to follow company policy. Next, help them to understand the risk of comments taken out of context and to ensure that they add some. If the text, for example, is a follow-up to an in-person meeting, reference it.
Be sure also to underscore the importance of avoiding jargon, being truthful and not making assumptive statements. Stick to the facts and keep personal commentary out.
Internally, compliance teams, he argues, should take the time to understand how they can use these channels to communicate with the workforce. Communicating with the business where it is can help keep compliance top of mind and relatable. It can also help foster greater dialog which is, after all, what these applications were designed for.
8/1/2023 • 10 minutes, 15 seconds
Jannica Houben and Travis Waugh on Interactive Policies [Podcast]
By Adam Turteltaub
In a perfect world, whenever employees face a difficult decision or outright compliance issue, the right policy would automatically pop up in front of them. While that is not likely to happen soon, Jannica Houben, Vice President, Global Legal Transformation, and Travis Waugh, Director, Training, both at TD SYNNEX, can envision a world in which Outlook could spot issues as they are typed, flag them for the employee and give guidance and pointers to where to call for help.
Until then, there are still many things compliance teams can do using off-the-shelf software to automate compliance processes. It’s a topic they explore in the podcast and in greater depth in their session “Interactive Policies: Using Technology to Enhance Decision-Making” at the 2023 SCCE Compliance & Ethics Institute.
So how do you create this automated future? They recommend beginning by thinking not about what tool you want, but what benefits you want the tool to deliver. Think about the value you want to provide and what would make employees’ lives easier. In addition, expect an iterative process: you won’t get everything right the first time.
Once you have that in mind, you can begin the pursuit of the tool itself.
At TD SYNNEX the compliance team tried to create the path of least resistance for employees to compliance, including developing an adaptive policy guidance tool. Using BRYTER, which requires no coding, they developed a tool which asks a series of questions to determine what the issue is, gives advice and routes a form to the employee’s manager. The manager can then add notes and recommendations.
The tool has a dashboard that can track the whole process. It also can help identify gaps and what the organization’s risks are, what policies need to be created and when more training is required.
This program has freed up time for the compliance team, enabling it to invest in relationships and add more value.
Getting started is surprisingly easy, they report. Listen in for more inspiration, and then don’t miss their session at the 2023 SCCE Compliance & Ethics Institute.
7/27/2023 • 14 minutes, 27 seconds
Bill Piwonka on Privacy, Consent and Compliance [Podcast]
By Adam Turteltaub
With the consent requirements built into privacy regimes, you can’t help but focus on them. Bill Piwonka, Chief Marketing Officer at Exterro, cautions, though, that there is much more than consent to worry about.
Consent is very specific around whether the people you are interacting with are giving you permission to have and use their data for specific purposes. Much focus is given to the pop-up warnings on websites and cookies.
Compliance teams, he advises, need to look at all the places where the organization collects data and uses data, including apps, to ensure proper consent is obtained.
One other area not to be overlooked: Data subject access requests. It can be an enormous undertaking when a consumer demands to know what information you have on her or him.
Even more daunting are similar requests by departing employees. Think of the hundreds of thousands, if not millions, of documents that contain data from an employee, everything from HR records to emails to conversations on Teams.
So great is the challenge of tracking them all down that employees are starting to use the threat of requiring all this data as a way to leverage a better severance package.
Listen in to learn more about these issues and what you need to do to prepare to meet your privacy compliance obligations.
7/25/2023 • 13 minutes, 42 seconds
Jen Hoar on Human-Based Due Diligence [Podcast]
By Adam Turteltaub
The proliferation of computer-based due diligence tools, combined with the travel restrictions of the pandemic, led to a shift away from in-person due diligence efforts. Technology-based approaches increased dramatically, and, according to Jen Hoar (LinkedIn), Managing Director of Forward Risk, relying solely on them can be a mistake.
Talking to human sources, she argues in this podcast, helps augment and provide nuance to open-source public records. Talking to people who have worked with the third party can flesh out what it is like to do business with them and whether there are any concerns.
Sources to interview can include prior investors, customers, industry experts, and even trade journalists.
When conducting the interviews with these individuals, she advocates for an open-ended, conversational approach. Rather than trying to get through a list of questions, give them the opportunity to talk about whatever is important to them and pursue the conversation wherever it leads. Be sure, though, to take note if someone is oversharing. It may be a sign of an agenda.
In terms of your own agenda, she advises against going in with a hypothesis to prove or disprove. Instead, go in with an open mind. Your job is to gather information and to find out what the truth is rather than to test a theory.
Listen in to learn more about the role and value of human-based due diligence.
7/20/2023 • 10 minutes, 27 seconds
In Depth: Cecilia Muller Torbrand on The Maritime Anti-Corruption Network [Podcast]
By Adam Turteltaub
For organizations working to avoid corruption it can be a lonely fight. While a sales or compliance team may know that there are many others out there who would not pay a bribe, when facing a corrupt demand, they tend to be on their own.
The maritime industry, though, has taken a major step to change the dynamic. In this extended, in-depth podcast, Cecilia Muller Torbrand, Chief Executive Officer at Maritime Anti-Corruption Network (MACN), explains how they pursued a collective action approach that now includes about 200 companies.
The maritime industry is very exposed to corruption risk. A given ship can touch many jurisdictions over a short period of time. Captains are often very far from their headquarters and encounter multiple government touch points when approaching a port.
The corruption they face varies dramatically, but it is frequently manifested with requests for facilitation payments: some token of appreciation. The challenge is a legal one since facilitation payments are prohibited under the UK Bribery Act. It is also a practical one, when the appreciation turns into a demand and expectation. When a captain turns down the request, it can lead to a host of problems, ranging from confiscated passports to endless, time consuming inspections.
To help fight this problem MACN began about 10 years ago with just 8-10 companies. It has since grown to around 200. The companies recognized they could not fight the problem alone and had to work together.
Success has been driven by a focus on solutions rather than finger pointing. They also, when possible, seek to bring in the local government. Armed with a database of over 50,000 incidents of corrupt demands they are able to use data, rather than anecdotes, to advocate for change and demonstrate how systemic the issue is.
The results have been substantial, and over time the MACN logo on a ship has come to mean a great deal in countries where they are active. It actively helps dissuade bribe seeking.
MACN has also created a Global Port Integrity Program (GPIP). It leverages the data collected on corruption incidents to provide members with a port-by-port look at corruption risk, enabling better preparation.
Secondly, GPIP has enabled them to provide a level of transparency not seen before that can help ports understand how they need to improve.
All these efforts have led to remarkable results with measured improvements on the ground.
Listen in to learn more about what MACN has done, and, perhaps, use it as a model for your industry.
7/18/2023 • 32 minutes, 37 seconds
Guillem Casoliva Cabana on Ambassador Programs [Podcast]
By Adam Turteltaub
More and more organizations seem to be adopting compliance ambassadors or champions programs. In a nutshell, these efforts involve having members of the business unit serve as the eyes and ears, and sometimes arms and legs, of the compliance office.
Guillem Casoliva Cabana (LinkedIn), Compliance Manager, Training & Education, at Booking.com shares his insights on the topic in this podcast. The company’s ambassadors program began over 10 years ago.
Recruiting and training ambassadors is a critical part of the process at Booking.com. They are not nominated by their managers. Instead, all are individuals who volunteered to take on the role. At times, it can even be competitive. If more than one person in a given unit volunteers, there is a vote taken in the unit to make the selection.
The onboarding process includes seven distinct steps, including a live session with the compliance and ethics team that goes deep into the scenarios that they may face. Experienced ambassadors serve as mentors to newer ones. And, on an ongoing basis, ambassadors are supported through in-person meetings, an online portal, newsletter and quarterly webinars.
The program’s durability is a reflection of how successful it has been. The ambassadors have helped support the ethical tone of the company, served as examples of the company’s values and proven to be a cost-effective means of embedding compliance without adding to headcount.
Listen in to learn more about how the program has worked and what you need to do to start a successful ambassadors effort of your own.
7/13/2023 • 14 minutes, 6 seconds
Amii Barnard-Bahn and Melanie Sponholz on Getting Paid What You’re Worth [Podcast]
By Adam Turteltaub
While many would say that you couldn’t pay them enough to take a job in compliance, managers often feel as if compliance officers are being paid too much. So how do you get what you deserve?
In this podcast, and at the 2023 SCCE Compliance & Ethics Institute, Amii Barnard-Bahn, Partner, Kaplan & Walker and Melanie Sponholz, Chief Compliance Officer, Waud Capital Partners, take on this touchy subject.
Before asking for more money, they advise doing your homework. Take the time to talk to peers and recruiters to see what the market rate is. Also, know your employer’s compensation system. Do they tend to pay at the top, bottom or middle of the range? You can also check the SCCE or HCCA compensation survey and sites like Glassdoor and Indeed.
When you do meet with your manager or leadership, go in knowing that this is a difficult conversation for them as well as for you. Do your best to keep things professional. Focus on why the increase in compensation is beneficial for them and not just for you. Spell out what contributions you have and will be making. Above all, be realistic and don’t go in angry.
Want to know more? Listen in to learn how to make the conversation successful, what to do if it isn’t, and how to ask for more compensation or a changed title when your role is expanded. And, don’t forget to attend their session at the 2023 Compliance & Ethics Institute.
7/11/2023 • 16 minutes, 55 seconds
Mike Lifshotz on Retaining Staff [Podcast]
By Adam Turteltaub
When an employee announces a departure to another job, there is a temptation to think that it was for more money. That’s probably a mistake, says Mike Lifshotz (LinkedIn), founder and CEO of Hatch Compliance. The new position may pay better, but employees are more likely to depart due to issues such as work/life balance, room for advancement, greater challenges, lack of appreciation and what they perceive to be a bad culture.
To get them to stay, he advises, first and foremost demonstrate respect. That should begin with the hiring process, during which you should both lay out your expectations for the candidate and what they should expect from you.
The organization’s values are particularly important in this regard. They are integral to setting expectations and need to be communicated from the onboarding process and on an ongoing basis.
Be sure to keep the communication process going in general. Employees cannot be expected to trust their managers if the managers don’t take the time to know them.
From a compliance perspective, knowing employees and their personalities can help identify when something is wrong and help you act accordingly.
Compliance can also help with employee retention by providing a safe place for workers to share their concerns without fear of retaliation.
One last piece of advice he offers: take the time to survey the workforce regularly. Use the survey both to measure the culture and as a way to demonstrate that the organization is willing to listen. Then, act on the results.
Listen in to learn more about how to manage the challenging issue of employee retention.
7/6/2023 • 11 minutes, 53 seconds
Regina Gurvich on Staying Motivated [Podcast]
By Adam Turteltaub
Regina Gurvich, Chief Compliance & Risk Officer for Omni Ophthalmic Management Consultants, knows from first-hand experience that it’s not always easy for compliance officers to stay motivated. There is often a strong headwind, and sometimes a brick wall.
To stay motivated she advises focusing on getting your voice heard, staying true to yourself and finding enjoyment in what you do on a daily basis. For her, that begins with clinging to her idealism and the belief that few people wake up in the morning looking to do the wrong thing.
Focus, she advises, on the fact that for many people the right thing just isn’t clear enough. Think about ways to educate them and look to do so on a continuous basis. Encourage them not to just know what the law is but understand what it means and how to operationalize it.
Also, grab onto your natural curiosity. Take the time to learn as much as you can about the business and how people go about doing their jobs. Understand where the money comes from and where it goes. That’s more important than ever over the last five to ten years, especially in healthcare.
Then, as you work with others on putting compliance controls in place and seek solutions for a problem, be willing to negotiate and don’t lose your sense of humor.
Listen in to learn more about how to make the day go a bit better.
6/29/2023 • 11 minutes, 55 seconds
Lauren Kornutick on ChatGPT Compliance Risks [Podcast]
By Adam Turteltaub
ChatGPT is, like the movie title, seemingly everywhere, all the time, and all at once. Individuals and corporations have rushed to embrace it, sometimes with great results, other times, not so much.
For better or worse, ChatGPT and other AI-driven solutions are here to stay, and with it comes a host of new risks to manage. In this podcast, Lauren Kornutick, Director Analyst, Legal and Compliance at Gartner shares the findings of recent research the firm conducted on ChatGPT.
They found several risks for compliance teams to focus on:
Fabricated and inaccurate answers. As with the case of the lawyer linked to above, ChatGPT sometimes makes things up because it was trained on inaccurate material or it was unable to understand the context of the question.
IP Risks. Employees may not understand that once data is put into an open source tool it becomes part of the public domain. That means more training on how to protect IP in the new AI era.
Often the data set used to train the AI relies on data that is biased. A human review is absolutely essential to ensure that existing biases aren’t furthered.
Fraudsters are particularly adept at finding nefarious uses for new technology.
Consumer Protection. Some states require that it be made clear when consumers are interacting with a person, and when they are interacting with a bot. The FTC has also stressed that AI needs to be transparent, accountable and empirically correct.
Listen in to learn more about how to protect your organization from the risks of ChatGPT. Be sure, too, to check out the press release. Gartner subscribers can learn more detail by accessing “What Legal and Compliance Leaders Need to Know About Large Language Model Risks."
6/27/2023 • 10 minutes, 30 seconds
Matej Drascek on Urban Myths About Ethics [Podcast]
By Adam Turteltaub
For the cynical, business ethics, itself, is a myth. For those of us in the profession, we know it is not.
Still, that doesn’t mean that certain urban myths don’t arise. Matej Drascek (LinkedIn), in this provocative podcast, and in an article from Compliance and Ethics Professional® (CEP) magazine, argues that there are, in fact, a number of them. They are:
Myth 1: The code of conduct supports ethical behavior.
Myth 2: The compliance program helps the organization become more ethical.
Myth 3: Whistleblowing tools reduce the risk of unethical behavior.
Myth 4: More training in ethics is better.
Myth 5: Individual “unethical” characters can be curbed with the right controls.
Myth 6: Goals related to ethics or compliance help people behave more ethically.
Sound more like truths than myths? As you will hear, his comments are more warnings about the complacency traps that can arise. For example, we may think a code of conduct is helpful, but if it’s read once and then forgotten, it’s not. Or, just because there’s a whistleblower line doesn’t mean it will be used; the fear of retaliation may keep an employee from reaching out.
Listen in to learn the subtle nuances. If you don’t, your ears will fall off. Okay, maybe that’s Myth 7.
6/22/2023 • 14 minutes, 23 seconds
Anitha Vittal on the Risks of AI in Healthcare [Podcast]
By Adam Turteltaub
The excitement over Artificial Intelligence (AI) is often met with concerns about its negative potential. That’s especially true in healthcare where the potential gains are met by the principled and practical requirements of protecting patient data.
Anitha Vittal, Head, Risk and Compliance, Providence Global Center in India tackles the topic head on in this podcast. She sees AI as having great potential to revolutionize research, diagnosis and treatment, if we can successfully create guardrails for its responsible use.
To do so, she recommends focusing on the risks. The big ones are:
Data protection and security. AI requires huge amounts of data, which raises potential privacy concerns.
If the data is biased, then the output will be as well.
Transparency and Accountability. It can be very difficult to understand AI systems. That’s why it’s essential to bring transparency and accountability into the process.
Compliance teams also need to be educators, helping the AI team and businesspeople understand the ethical considerations involved. One potential technique involves creating case studies and requiring participants to play different roles to better understand perspectives and risks.
Listen in to learn more about managing the opportunities and risks of AI, including the importance of what she calls the Four E’s: Establish, Embed, Enforce and Evolve.
6/20/2023 • 13 minutes, 26 seconds
Stephen Paskoff on Making Compliance Training Effective [Podcast]
By Adam Turteltaub
Stephen Paskoff, the President and CEO of ELI, believes that we need to think about compliance training differently. Instead of it being about communicating information, it needs to be about cultivating a culture of compliance and activating organizational values.
So how do we get there? He recommends focusing on education designed to be retained and applied by the learner. To do that you need to be clear not on just what the standards are but also why they are important.
As importantly, the training can’t stand alone. It has to be linked to broader initiatives and relevant to employees. Even if employees don’t get every nuance of the law or regulation, they have to have a sense of what is right and wrong and be reassured that they will be welcomed if they speak up and raise a concern.
Getting to that point requires making compliance as normal a part of the dialog as discussing sales, manufacturing and other issues. Organizations need to stop treating compliance as something separate and apart and more of a norm of doing business.
That begins with the CEO and leadership team treating it that way. It also means knowing what the barriers are and implementing programs to overcome them.
Listen in to learn more about how to improve your compliance training, including the five C’s and how they can help.
6/15/2023 • 13 minutes, 17 seconds
CJ Wolf on Adult Learning Theory [Podcast]
By Adam Turteltaub
Our colleagues expect to be treated like adults, and that should include the compliance training we assign them.
CJ Wolf, a professor at Brigham Young University-Idaho and founder of Codermedschool.com, explains we need to embrace adult learning theory, which recognizes that adults learn differently than children. Making mistakes, for example, is particularly powerful. Good compliance training, consequently, should be less about telling them what they need to know and more about providing them with an opportunity to work through scenarios and make their errors in a safe classroom setting rather than out in the real world.
He shares a host of similar good advice in this podcast and in the SCCE Creating Effective Compliance Training Workshop.
Click below to hear other do’s and don’ts to make your training more relevant:
Do assess the effectiveness of the training. Be sure to include testing.
Don’t assess the effectiveness just once. See what employees remember several months later.
Don’t overload new employees on the first day. A lot of departments are throwing information at them. Be judicious in terms of what you expect them to tackle right away, and what can wait until later.
Do have a training plan based on your organization’s risk.
Don’t give everyone the same training. Tailor based on their needs.
Want to know more? Think about joining him for the Creating Effective Compliance Training Workshop.
6/13/2023 • 11 minutes, 19 seconds
David Paschall and Stephanie Haywood on Contract Lifecycle Management [Podcast]
By Adam Turteltaub
Contract lifecycle management has grown to be an increasingly critical issue for healthcare providers. Staffing issues, shrinking margins and changing regulatory requirements are all adding to the challenge, report David Paschall, CEO, and Stephanie Haywood, SVP of Sales and Client Engagement at Ntracts.
Pursuing a contract lifecycle management strategy, they report, can help alleviate these issues by reducing the number of days a contract spends being reviewed, increase transparency and help the organization adopt standardized language and processes to ensure greater adherence to internal policies.
It can also reduce the number of contracts that get auto renewed by mistake, are not renewed when they should be or overlap needlessly with other agreements.
Listen in to learn more about how adopting a contract lifecycle management strategy can bring greater efficiency and a host of other benefits to your organization.
6/8/2023 • 13 minutes, 34 seconds
Jay Cohen on the Delaware McDonald’s Decision [Podcast]
By Adam Turteltaub
For years Caremark has set the standard for expectations for board members. The notable Delaware case made clear that boards should exercise reasonable care in overseeing an organization. In practice that includes obtaining information about the organization’s compliance efforts and responding when signs of potential violations are found.
As Jay Cohen, of counsel at the law firm Giordano, Halleran & Ciesla, PC explains, now a new decision (In re McDonald’s Corporation Stockholder Derivative Litigation) extends that same duty of oversight to corporate officers within their area of expertise. This significantly raises the bar for executives when it comes to ensuring the organization is operating in a compliant manner.
Perhaps even more significantly, only two executives at a corporation – the CEO and Chief Compliance Officer – are expected to exercise oversight throughout the entire organization. This, he argues, has the impact of increasing both the scope and importance of the compliance role within the organization.
So, what should organizations and their compliance teams do in the wake of this decision? Jay recommends that organizations raise the stature of the compliance team. Second, look at recruiting individuals for compliance who have a history in leadership to match the role. Third, build the compliance program around impact, not just activity.
Listen in to learn more about what the McDonald’s decision says, and what it means for your compliance program.
6/6/2023 • 14 minutes, 48 seconds
Scott Garland on Giving Advice [Podcast]
By Adam Turteltaub
You really should listen to this podcast. That’s my advice.
If you do you’ll hear Scott Garland, Managing Director, Sanctions, Cyber, Fraud and Ethics Compliance & Monitoring at Affiliated Monitors give better advice on giving advice.
He begins by advising a bit of humility: remember that having a quick and ready answer is not always best. You are likely the newest person to learn about the problem and least familiar with it. As a result, you need to take the time to learn and determine not just what the immediate problem is but also what the situation as a whole is. Don’t be afraid to ask others to slow down to ensure you understand things completely.
Then, make sure you get the facts and context right. Be sure, too, to identify assumptions being made by the advice seekers to ensure that they are correct. They may not be.
Once you have that information and the goal that the advice seekers have in mind, as well as what they see as the ideal outcome, then it is time to give advice.
When you do, give them, he advises, a recipe and not a treatise on cooking. They don’t need to know the long history of the rules and the many exceptions. Instead focus on bite-sized information that they can use and share with others.
The BLUF approach can be very effective: Bottom Line Up Front. By summarizing the issues succinctly at the top, you are more likely to reach people who are far more focused on the advice than the reason behind it.
Listen in to learn more about how to give advice wisely, the importance of documentation and the role of empathy, and if you’re an SCCE member, read two articles on the topic by Scott on COSMOS.
6/1/2023 • 11 minutes, 20 seconds
Jay Mumford on Metrics, Targets and Response Plans [Podcast]
By Adam Turteltaub
Jay Mumford is a long-time compliance veteran and Senior Global Compliance Manager at Bio-Rad Laboratories. There he developed an approach he calls MTR, which stands for Metrics, Targets and Response Plans. It’s an approach, he explains, based on ideas from the quality movement.
At its heart, MTR recognizes that whatever the compliance process may be, there is a need to manage at scale. To do so, you need standards and measurements, targets, and response plans in case you miss those targets.
An MTR approach, because it is disciplined and focused on goals, helps avoid a whack-a-mole approach to compliance. It enables building your program in repeatable ways, whether that’s training or, as was the case for him with document retention, ensuring that all the documents are both accounted for and not retained unnecessarily.
In this podcast he explains how MTR has worked in practice and the technology tools available to compliance teams, typically at no cost, to help them take an MTR approach. These include the Power Platform embedded in Microsoft’s Enterprise platform and Visual Basic for Applications in Excel.
Listen in to learn about how you can put MTR to work for your compliance program.
5/30/2023 • 15 minutes, 22 seconds
Valerie Rock and Kristen Lilly-Davidson on Private Equity, Healthcare and Compliance [Podcast]
By Adam Turteltaub
Over the last decade private equity has discovered healthcare, and with that discovery has come a rush of money and compliance nightmares. Valerie Rock (LinkedIn), Principal, and Kristen Lilly-Davidson (LinkedIn), Consulting Senior Manager, at PYA explain that there has also come a growing awareness of the importance of compliance due diligence.
Five to seven years ago, they explain, private equity (PE) firms were focused on business valuations and financial reviews. Over the years, though, they have learned to appreciate the importance of compliance and coding reviews, including clinical compliance. The shift was the result of too many instances of finding significant non-compliance issues post-acquisition. These, of course, can be very expensive.
Firms today need to take the time to do site reviews to examine everything from the culture to the business practices to the condition of the building to the devices used. Often paperwork doesn’t match what actual practices are, and a dysfunctional culture can’t be identified by looking at a spreadsheet.
Risks include the revenue cycle but also operational processes. If they are poor, the potential for fines and other penalties is substantial.
Listen in to learn more about what PE firms are, or should be, doing as they enter the healthcare market. Plus, pick up some tips that can be useful for non-PE firms that are making acquisitions and conducting their own due diligence.
5/25/2023 • 12 minutes, 44 seconds
John Gardiner on Non-Compete Agreements [Podcast]
By Adam Turteltaub
Non-compete agreements may soon be going the way of the dodo. The FTC just concluded its public comment period for its plan to eliminate them in most cases, and new rules are expected to be released later this year.
Already, though, many states have restricted these agreements. In this podcast, and in his article in Compliance & Ethics Professional, John Gardiner of Bodman explains that the new FTC rule was designed to counter agreements that many felt were overly broad and restricted the ability of employees to find gainful employment elsewhere. The agreements also raised antitrust concerns since they could stifle competition; the FTC saw behavior among employers that appeared to them to keep employees from finding work elsewhere.
The new rule could change that, greatly narrowing when a non-compete agreement could be enforced. It also means that non-disparagement and non-disclosure agreements that could have the same chilling effect on employment changes will likely fall on the wrong side of the line.
So, assuming the rule goes into effect, what should compliance teams do? First, dust off existing agreements to determine how they measure up against the new rule and existing state laws. Second, be on the lookout for non-solicitation agreements and provisions requiring employees to reimburse their employer for training should they switch jobs. Third, make sure that the businesspeople understand what is and isn’t permissible.
Finally, remember that this may be a moving target, especially if the courts start weighing in.
Listen in to learn more about the changing and eroding ground under non-compete agreements.
5/23/2023 • 13 minutes, 45 seconds
Gaurav Kapoor on the Updated DOJ Guidance [Podcast]
By Adam Turteltaub
The U.S. Department of Justice (DOJ) Criminal Division Evaluation of Corporate Compliance Programs document was updated in March 2023. Since then compliance teams and the broader compliance community have examined it closely, searching to better understand the government’s expectations.
Gaurav Kapoor, co-CEO and co-founder of MetricStream, sees an overarching key message to the update: The DOJ expects organizations to have a well-designed compliance, ethics and risk program and, with it, the ability to closely evaluate and monitor its effectiveness. The bar has definitely been raised.
So what should the compliance team do? First, to his reading, the DOJ is encouraging organizations to follow connected, holistic approaches to compliance programs. Second, how you train and communicate must be well organized and integrated into business processes. Third, third-party risk must be scrutinized and the interconnectedness with the business must be made more visible.
As for boards, they need to understand that they must continue to play their role in the business and risk governance. They must also, though, act in overseeing the risk management and compliance programs and ensuring they are successful. To that end, boards need to ensure that these programs are sufficiently funded and led, understand where compliance reports, and remove any conflicts of interest.
Listen in to learn more about these topics as well as adopting a compliance culture, looking beyond the guidance, and the proliferation of guidance documents that compliance teams need to navigate.
5/18/2023 • 14 minutes, 30 seconds
Segev Shani on Privacy, Blockchain and Compliance [Podcast]
By Adam Turteltaub
These days, the term “blockchain” is no longer novel. Yet, many still struggle to understand what exactly it is and what implications, if any, it may have for a compliance program.
Segev Shani (LinkedIn), Chief Compliance & Regulatory Officer at Neopharm, explains that it is more than the tool underlying cryptocurrency. Blockchain is a technology in which data is stored in blocks, and once a block is full, another one is formed, creating a chain. This data is not held in one place but is distributed across multiple servers, which ensures that it cannot be improperly manipulated.
When it comes to privacy, though, there is a privacy-blockchain paradox. While the security of the data is protected via blockchain, the data, itself, cannot be deleted. So, should compliance teams simply say “no” to using blockchain with personal data?
According to Segev, not necessarily. A growing number of tools have been developed to manage this issue, including the ability for a data subject to turn their data on or off, making it either public or private as they see fit.
It’s an intriguing area, and well worth the time to listen in to learn more.
5/16/2023 • 10 minutes, 23 seconds
Sheila Limmroth on Social Media Compliance [Podcast]
By Adam Turteltaub
Ah, social media. The cause of so much joy and pain, both for individuals and organizations. For compliance teams it can be a breeding ground for breaches, particularly in healthcare where HIPAA violations and social media tend to go hand in hand.
Pinnacle Healthcare Consulting’s Sheila Limmroth tackled the issue of social media and compliance in the latest edition of the Complete Healthcare Compliance Manual and does so again in this podcast.
Some issues, such as a worker posting a photo with a patient, persist. Often innocent, these breaches are nonetheless serious. It’s the reason why ongoing training is necessary. A new worker coming out of fast food, for example, is probably unaware of the restrictions of HIPAA. Even veteran staff may lose track of the rules, and the marketing team may not realize that the testimonial they want to run still requires a signed consent form from the patient.
In addition, the rapid turnover in healthcare workers means that if you have training on an annual cycle, it’s highly likely that a significant portion of the workforce has not received the education it needs.
To make that training effective, she recommends providing examples of how to use social media properly, and ways that people may use it very improperly.
Unfortunately, it’s not just accidental breaches and a lack of training you need to worry about. The website and the software on it are also important. She points to the Meta Pixel JavaScript Code that many hospitals were using and which allegedly could share the data with Meta, the parent of Facebook.
As with other compliance risks, ongoing monitoring is essential for managing social media. Fortunately, there are providers of software that will scour the various platforms to look for posts and even identify material that was likely submitted by an employee. In addition, she advises encouraging employees to be on the lookout for and report material that shouldn’t be on the web.
The goal of this vigilance shouldn’t be to catch and punish, but prevent, educate and avoid future social media disasters.
Listen in and learn more in the Complete Healthcare Compliance Manual.
5/11/2023 • 14 minutes, 2 seconds
Susan Du Becker on Managing from the Middle [Podcast]
By Adam Turteltaub
For all the talk of tone at the top, the reality is that few employees report to the top. Virtually all report to a manager somewhere in the middle, and it’s the tone that leader sets that is often most important.
Susan Du Becker, Director Risk & Compliance at Microsoft, believes that compliance teams need to focus on managing from the middle and getting this important level of the organization on board.
So how do you get these managers to work with you? How do you earn their commitment to help, especially in risk areas like privacy and anticorruption? For her, it’s about being inventive and thinking about how you can get them to drive compliance rather than you. To do that, she looks for the key influencers who can serve as champions for the program. They can go upstream or downstream and will help carry the message.
Gaining the support of these people requires some effort, she reports. You have to sell them on your vision and let them know that it is to their benefit to further it. If, for example, you can show the sales VP that getting expense reports right reduces the risk of an audit, keeps the salesforce out of trouble and increases the speed with which the team gets reimbursed, you have a supporter.
Once you have middle managers on board, make their life as easy as possible. Take away the pain, and give them the tools, templates and PowerPoints they need to put the policy into practice.
What should you not do? Become overexuberant. It’s critical to avoid running ahead and instead focus on a stair step approach. Also: remember you have to keep them committed. You can’t take them for granted.
Listen in to learn more about how to make the middle of your organization your greatest supporter.
5/9/2023 • 11 minutes, 25 seconds
Bob Woolverton on Compliance Lessons from Terminations [Podcast]
By Adam Turteltaub
Most of the time people look at the termination of a problematic employee as solving a problem. Bob Woolverton of Top Tier Leadership Training believes that thinking is a mistake. As he points out in this podcast, it’s not an end point. Instead, it’s the time to start, if you haven’t already, assessing how the organization got to this point.
The employee’s supervisor was responsible for ensuring the worker’s success and safeguarding his or her welfare. The termination begs several questions the manager should be asking:
What should or could I have done to prevent this from happening?
What is my culpability?
If it’s a policy violation, am I certain the employee understood the policy, or did we just have him/her sign off?
Did the policy not make sense in this environment?
Was there an opportunity for misapprehension or misapplication?
The bottom line: it is time to start a reassessment process.
On an ongoing basis he recommends organizations’ managers take a “rudder tap” approach. What this means, in practice, is providing small adjustments to course when things begin to go awry, rather than waiting until things are so far off that a bad outcome is inevitable.
Making this method successful requires fostering an environment where people – both employees and managers – understand that corrections can be positive and a part of a healthy corporate culture.
Listen in to learn more about how a termination can lead to a process of positive change for the organization.
5/4/2023 • 15 minutes, 20 seconds
Lindsay Bernsen Wardlaw on Trade Compliance: It’s Both Who You Sell to and Who You Buy From [Podcast]
By Adam Turteltaub
With the proliferation of sanctions in the wake of the war in Ukraine and more focus on responsible sourcing, trade compliance has grown exponentially in complexity. It has also become less of a compliance silo and become more integrated with other compliance efforts.
To understand the state of trade compliance we sat down with Lindsay Bernsen Wardlaw (LinkedIn), Director, Trade Advisory Services, Amalie Trade Compliance, who outlined the four areas of trade compliance: sanctions, export controls, antiboycott and customs.
Each has great complexity, and there’s much more than Russian sanctions to worry about. Restrictions on importing goods manufactured by forced labor have increased dramatically with the passage of the Uyghur Forced Labor Prevention Act, which presumes goods sourced from the Xinjiang region of China were made with forced labor.
The law has real teeth, she explains. Of the approximately 3,000 shipments stopped under the law, none have been released because they were able to prove that the shipments weren’t made with forced labor; some have been released because they were able to prove they weren’t from the restricted region.
So what should organizations be doing? First, take the time to understand your risks, including the primary inputs for your products and who your suppliers and customers are, including agents and channel partners. Understand, too, where the goods are being made, sold to and for whom.
Have a restricted party screening process in place and an import/export classification strategy. Also, be sure to have a transaction review team in place for any deals that may be sensitive.
She also recommends creating a crisis task force for when things go wrong, as they may. It will likely include the trade compliance, supply and procurement teams. Other potential members include IT, engineering, product management, and even communications.
Listen in to learn more about what you need to do to ensure compliance in this ever-more complex risk area.
5/2/2023 • 12 minutes, 32 seconds
Sese Bennett on Zero Trust [Podcast]
By Adam Turteltaub
Compliance teams have long advocated for building more trust in the workplace. That is a good idea for the corporate culture, but, counsels Sese Bennett, a virtual CISO for CereCore Advisory Services, going the exact opposite way may be better for your IT security. There he advocates that organizations never trust and always verify.
So, what is a zero trust approach? It assumes that just because someone has logged in to your system doesn’t mean that person is who he says he is or that she can access the entire system. In practice that means carefully controlling access both into the network and within it. It means preventing someone with access to a low-value part of the network from using that access to reach higher-value servers. It means having a system that knows an individual doesn’t, say, normally log in from Pakistan at 4:00 in the morning. It monitors sudden changes in usage.
Importantly, he explains, a zero trust approach is not necessarily intrusive. Users won’t be forced to log in repeatedly to prove who they are. Instead, it can work behind the scenes and be invisible to the end user.
Listen in to learn more, including what teams you will need internally to adopt a zero trust approach and potentially better protect your data from breaches.
4/27/2023 • 14 minutes, 22 seconds
Ant Stevens on Putting AI to Work for Your Compliance Program [Podcast]
By Adam Turteltaub
When discussing AI around compliance professionals these days you can instantly feel the tension. AI, for all its promise, has proven to be a bit of a compliance and ethics nightmare. Stories abound of AI embracing redlining and other discriminatory practices.
Anthony “Ant” Stevens, CEO and Founder of Melbourne, Australia-based 6Clicks, sees opportunities, though, for putting AI to work for your compliance program. It has the potential, he believes, to streamline activities, better tie policies to the underlying legal requirements and enable compliance teams to better understand the overlap of similar laws around the world.
In this podcast he explains how the technology can help compliance operations, particularly ChatGPT.
He also makes clear that there are limits to AI. A human element remains important for ensuring that what AI says makes sense, both on its face and for your workplace.
Listen in to learn more about how AI can stop being the stuff of a compliance professional’s nightmares and start becoming a dream come true.
4/25/2023 • 14 minutes, 50 seconds
Mary Ellen Palowitch on EMTALA [Podcast]
By Adam Turteltaub
In 1986 the Emergency Medical Treatment & Labor Act (EMTALA) was enacted. As Mary Ellen Palowitch (LinkedIn), Senior Managing Director, Dentons Health Care Group, explains in this podcast, just because it is long established doesn’t mean health care providers have it completely under control. Issues continue to come up.
EMTALA requires hospitals that participate in Medicare, including rural emergency hospitals, to provide medical screening to determine if there is a medical emergency. If, in fact, the patient requires treatment, the hospital must provide stabilizing treatment within its capabilities, regardless of whether the patient has the means to pay.
Two areas often cause confusion and real issues under EMTALA. They are best known by the phrases “clinically stable” and “stable for transport”, neither of which is defined in EMTALA.
Clinically stable, she explains, may mean anything from a comparison with how the patient presented on arrival to a reflection of the patient’s overall condition.
Stable for transport is a term commonly used in hospitals. It does not technically mean the patient is stable, but it signifies that the patient has achieved the level of care that the hospital can provide. Basically: the hospital has done all that it can, and it may be more prudent for the patient to be transferred elsewhere for the care needed.
Complaints do arise under EMTALA and may come from patients or their families. When one is sent in to the government, a multistep process begins. The complaint is reviewed and can lead to an onsite investigation that may include comparisons to how other patients were treated, interviews with staff, a tour of the emergency department and review of records.
Hospitals found to be deficient are required to remediate promptly.
Listen in to learn more about how to avoid and manage EMTALA issues in your emergency center.
4/20/2023 • 12 minutes, 11 seconds
Lindsay Meyer Bond on Protecting Children in Higher Education Settings [Podcast]
By Adam Turteltaub
While we tend to think of colleges and universities as being filled with college students, children much younger are often on campus. In fact, Lindsay Meyer Bond, Executive Director of the Higher Education Protection Network, explains that there may be more minors on campus than regular students. Everything from enrichment programs to sports camps can bring hundreds of children with them.
When looking for guidance as to how to keep campuses safe for children, there is no federal law to turn to. Instead, there is a patchwork of state regulations, and many universities have had to create policies of their own.
For the most part, these policies require the reporting of suspected abuse or neglect. Many now require background checks for those interacting with kids that may go beyond the initial screening when hiring.
Often universities have codes of conduct that prohibit one-on-one interactions with minors, but there is complexity there. A professor may not know that the student showing up for office hours is under eighteen.
In addition, there may be conflicts of law and regulations. Ohio State University has a program, she explains, where students can learn to fly. FAA regulations stipulate that only the student and instructor may be in the plane. Their solution: when the student is on the ground, he or she is never alone with an instructor.
To successfully navigate the challenges of minors on campus, she recommends strong policies and ongoing communications plans. With turnover frequent in youth programs, it is risky to assume that the adults have been fully trained, unless that training is continuous.
In addition, keep an eye on your campus Name, Image and Likeness (NIL) program. College athletes may be running their own programs and not be aware of all the rules.
Listen in to learn more about how to manage this difficult and sensitive issue.
4/18/2023 • 12 minutes, 50 seconds
W. Bruce Cameron on Simple Rules, Dogs and Ethics [Podcast]
By Adam Turteltaub
W. Bruce Cameron is the author of 8 Simple Rules for Dating My Teenage Daughter and a whole series of novels about dogs including A Dog’s Purpose which spent 63 weeks on the New York Times bestseller list. His latest novel is Love, Clancy: Diary of a Good Dog.
So, why is he on a compliance and ethics podcast? Well, because his writing has a lot more to do with it than you might think, and he learned some painful lessons about setting and enforcing rules. It was easy enough to write those simple rules for dating his then two teenage daughters, but that didn’t make him popular. He was seen as a despot and met resistance (both overt and subtle).
As for those daughters, one is now a CFO and the other, ironically, works in law enforcement.
The experience taught him several lessons that compliance teams can relate to:
You have to recognize that you can’t have complete control
Just because you think things will go better if others do what you say, they may not
There is a need for human expression and accommodation for it
Dogs have proven less argumentative for him. As he observes, they have been bred over the centuries to be absolutely dedicated to us. We raised them to be our tools first and then pets. Today they are thrilled when we come home and bring their optimism and hope, and their love of play, into our lives.
Dogs, though, he believes, lack an innate sense of right and wrong. Instead, they are born with instincts where what pleases us is “right”. That, he explains, is why dogs owned by bad people turn out “bad”: they are doing what they think will please their owner and, to them, that’s the right thing to do.
We have an ethical duty to dogs, he argues, because they are wired to please us. In addition, they were bred to depend on us even to survive.
Listen in for a fun conversation about dogs, ethics and the often frustrating outcomes of setting even the most basic of rules.
4/13/2023 • 11 minutes, 56 seconds
Ganesh Krishnan on Cyber Threats [Podcast]
By Adam Turteltaub
The cyber landscape these days can be terrifying. Malware, ransomware, spyware, phishing, cloud-based computing and so much more are enough to keep even a compliance veteran up all night.
There are other risks to consider, too, says Ganesh Krishnan (Twitter), co-founder and CEO of Anzenna. One major issue is scalability of IT security resources. As organizations grow larger and increasingly reliant on cloud-based software providers, the size and complexity of security challenges increase. If the cybersecurity team does not grow with it, problems increase, work doesn’t get done, and vulnerabilities quickly emerge.
A second problem is the attitude that data security is the responsibility of the data security team. He argues persuasively that it isn’t. Technology can’t solve cyber problems. The entire company has to be focused on it.
That includes the workforce, which has wrongly been labeled, he argues, the “weakest link.” Instead, organizations need to recognize that employees can be the strongest link and have to be treated accordingly. This means more frequent training and less punitive measures when things go wrong. Employees should not be afraid to come forward and report a mistake they made.
He also encourages organizations to be more open when there is an incident, sharing internally what happened and what employees can do in the future to help prevent it from reoccurring.
Listen in to learn more about how to improve your cybersecurity program.
4/11/2023 • 11 minutes, 53 seconds
Matt Silverman on Antiboycott Law [Podcast]
By Adam Turteltaub
While the trade compliance focus these days tends to be on Russia and the hundreds of sanctions imposed, one old issue remains: The Arab League Boycott of Israel. Despite improving relationships between Israel and some of its neighbors, progress has not been uniform and risk remains.
In this podcast, Matt Silverman, Global Trade Director and Senior Counsel at VIAVI Solutions and author of the chapter “U.S. Antiboycott Laws: Understanding the Impact and Ensuring Compliance” in the Complete Compliance and Ethics Manual, explains that the boycott prohibits companies and individuals from doing business in Israel or with other companies that do business with the country. The US antiboycott law makes it illegal for US companies and persons to support the boycott, or, for that matter, any boycott that the US does not endorse.
It would seem simple enough, but it isn’t. Individuals not familiar with the issue may not think twice about signing an agreement that says the company will follow the laws of the country where the sale is made. What they may not realize is that the country has laws on its books prohibiting business with Israel.
Examples of boycott language can be found on websites of the US government.
To comply with the US antiboycott law, both in the Middle East and elsewhere where boycotts may be in place, it is essential that employees be trained in what to watch out for. The company should also have an antiboycott policy. In addition, companies need to remember that there is an obligation to report any boycott requests.
Listen in to learn more or read the chapter about the topic in the Complete Compliance and Ethics Manual.
4/6/2023 • 15 minutes, 41 seconds
Lisa Beth Lentini Walker on ESG, Cyber and Privacy [Podcast]
By Adam Turteltaub
ESG, cyber risk and privacy are all hot topics in compliance, but that doesn’t mean people typically identify the data issues as ESG topics. Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors and Assistant General Counsel at Marqeta, thinks that’s a mistake. Cyber and privacy, she believes, fall very much under the Social in Environmental, Social and Governance. Just look at the many ethical issues surrounding data usage these days as proof.
She explains in this podcast and in the chapter “ESG, Cyber and Privacy: Bridging the Divide” in the 2023 Complete Compliance & Ethics Manual, that privacy and security are not separate and apart from ESG. They are central to how the organization navigates the world and people around it. Keeping data secure is squarely under the social mission of the enterprise.
To live up to that obligation, organizations have to focus more on keeping data safe and building proper systems around how individuals interact with the data. Simply believing “well, we have a good practice” is not enough. The practices have to support the ESG framework in terms of meeting the company’s commitments.
In addition, the temptation to be data hoarders has to be tempered. Collecting data is easy to do, and it’s generally inexpensive to store. That makes it easy to rationalize indefinite retention. But, a clear path to data destruction is essential. Think of it like cleaning out the closet. It may not be easy, but it needs to get done.
Organizations also need to embrace greater transparency about the processes in place to safeguard and use data. That helps investors and rating agencies better assess how the entity is measuring up against the SASB and other standards.
Listen in to learn more, and then check out the 2023 Complete Compliance & Ethics Manual.
4/4/2023 • 11 minutes, 33 seconds
Chris Matlock on Third Party Risk [Podcast]
By Adam Turteltaub
The Gartner Legal Risk & Compliance Practice recently released a report on the state of third party risk management. To learn more we talked with Chris Matlock, Gartner’s Vice President, Advisory – Corporate Strategy & Risk Practice.
The report was developed, he explained, because of the substantial changes in business over recent years. As the size of businesses has grown – many of the Fortune 500 are 50%-100% larger than they were a decade ago – the number of third parties they work with has increased dramatically and with it the “threat surface”. Complicating the challenge, much of that growth took place during the pandemic, when normal third party vetting processes were not possible.
Today, with the threat of a recession, third parties are often under extreme pressure to meet the expectations of both their owners and their customers. The likelihood of compliance failures is higher.
Gartner’s research found that the typical risk factors remain, but they have been intensified by both new regulations and stresses on supply chains. IT and cyber risks are growing larger at the same time that companies have made substantial investments in technology to enable their team to collaborate and interact with customers electronically.
Adding to the challenge, many organizations do not have a mechanism for centrally managing their third parties, which makes it more difficult to ensure consistency in practices and respond when things go awry. Pushing the “stop” button with one vendor may trigger unexpected consequences three steps downstream.
Additional stress has been created through, as noted earlier, a heightened regulatory environment. Anticorruption enforcement continues while the number of privacy laws grows.
To manage the risks, many have turned to tools to collect more data on their supply chain, but that has posed the problem of having too much data and, as a result, difficulty in determining which pieces of data are truly important.
To help manage these risks, Chris recommends enlisting the enterprise risk management team to create key indicators that can help monitor risks in a forward-looking way.
3/30/2023 • 15 minutes
Arvin, Greene and Podleski on Privacy and Patient Data [Podcast]
By Adam Turteltaub
At the 2023 HCCA Compliance Institute there is a sure-to-be-fascinating roundtable discussion led by Marti Arvin, Vice President, Chief Compliance Officer, Erlanger Health System; Joan M. Podleski, Chief Privacy Officer, Children’s Health; and Adam Greene, Partner, Davis Wright Tremaine, LLP. They will be addressing a range of privacy and data-related issues.
In this podcast one of the topics they discuss is the complexities around access. Often, for example, raw data is not kept in the main health information management system (HIMS).
Another challenge is proper website disclosures and how visitor data is used and shared. OCR has issued guidance in this area that has earned a great deal of attention. But, it is likely to be a hard problem to solve since organizations will need to determine exactly what data they are collecting, using and storing.
To help manage these issues they strongly argue for investing the time and effort in developing clear processes for responding to data requests. Then, monitor to ensure the policies are being followed.
Take time also to understand what is in your designated record set and where it is stored. Then make sure your HIMS understands what qualifies as the designated record set.
It’s time also to reassess how your organization is managing telehealth now that the public health emergency is ending. There will be decreased flexibility and increased emphasis on keeping these interactions on HIPAA-compliant platforms.
When you do move onto one of these platforms, be sure to have a business associate agreement.
When looking at technology, they advise compliance be a part of decisions related to the use of patient apps. Whether your organization is thinking of building its own or relying on a third party, it’s essential that the privacy requirements be a part of the discussion from the start.
Listen in to a provocative conversation, but, be warned. It’s going to make you want to join them in person at the HCCA Compliance Institute, April 23-26 in Anaheim, and online April 24-26.
3/28/2023 • 16 minutes, 3 seconds
Michael Volkov on What We Learned in 2022 and What it Means for 2023 [Podcast]
By Adam Turteltaub
A lot happened in compliance in 2022, with a large number of lessons for 2023. To sort it out we turned to Michael Volkov, of the Volkov Law Group and host of the Corruption, Crime & Compliance blog and podcast. In this Compliance Perspectives podcast he addresses several key pieces of learning for compliance teams.
FCPA
While 2022 may have started out slowly in terms of resolutions, the year ended on a busy note with several settlements and the revised corporate enforcement policy. One thing the DOJ made clear is that it is taking a sharp look at compensation policies to see if there are both incentives and disincentives for wrongdoing. The latter should include clawbacks, deferred compensation and punishment for wrongdoing.
Culture (more below) was also a keen area of focus and is likely to remain so. The perennial issue of third-party risk remains, as well.
Where should compliance teams focus? The contract to invoice to payment stage of deals is where FCPA violations tend to occur.
Also, be on the lookout for more major dispositions shortly.
Sanctions
Last year, he reports, was the year of the trade compliance officer. Complying with an ever-increasing and changing list of Russia-related sanctions kept teams busy day and night.
The good news is that companies seem to be on top of things. The bad news is, he warns, that the Department of Justice has warned that this could be the new FCPA, with large fines for wrongdoing. He also warns that OFAC is a strict liability enforcer. Intent does not matter.
As big an issue as this has been, there is often still too much of a separation between the trade compliance and main compliance groups. That will likely need to change, if it hasn’t already.
Culture
Culture has gotten the attention of the enforcement community with a particular focus on ethics. Done right, the culture can be the most effective corporate control an organization has.
Done wrong, and it can cause not just problems, but liability for the organization. The DOJ is looking at culture closely and recent case law out of Delaware has extended the due care responsibility to senior leadership.
To survive and thrive, organizations, he believes, need to define their culture, tend to and embed it, monitor it, and intervene when they see deficiencies.
Finally, the board and senior management need to be educated on the importance of the right culture. It’s not just about saying “do the right thing.” It’s about expectations and norms around the mission, how we treat each other and how we treat those outside the organization.
Listen in to learn, including what he sees for the future of compliance programs.
3/23/2023 • 14 minutes, 43 seconds
Yolunda Dockett and Holly Hester on the Changing Telehealth Rules [Podcast]
By Adam Turteltaub
Telehealth is here to stay, but that doesn’t mean the rules will all be staying the same, report Holly Hester, Senior Director, Strategic Client Partnerships for Net Health, and Yolunda Dockett (LinkedIn), Chief Compliance Officer at Anne Arundel Dermatology.
While the Public Health Emergency is set to end on May 11, 2023, the Consolidated Appropriations Act of 2023 extended many telehealth flexibilities through the end of December 2024. These include the ability to provide telehealth to patients in their homes, in both rural and urban settings, and the ability of physical and occupational therapists, along with speech pathologists, to provide telehealth.
Yet, there are inconsistencies, with some CPT codes used by rehab therapists set to expire at the end of 2023. Plus, some are being continued only for 151 days after the end of the emergency.
One other change to expect centers on privacy requirements. While many platforms have been used to provide telehealth, soon only HIPAA-compliant platforms will be allowed. It’s a change that makes the provision of care less flexible and perhaps less friendly.
Regardless, if your organization has not yet done a risk assessment about telehealth, now is the time. Leverage the relationships established in rolling out the service and then look collaboratively at the risks and start thinking about remediation techniques.
Some other things to consider:
Understanding how to decide if a patient has the physical and mental capacity for telehealth
Business and operational risks
Privacy considerations, on both the provider and patient sides
Reimbursement and billing
Documentation requirements.
It’s a lot of work, but it helps to ensure that telehealth can be delivered in a compliant manner.
Finally, don’t miss learning more at their session “Incorporating Telehealth into Your Compliance Workplan” at the 2023 HCCA Compliance Institute.
3/21/2023 • 15 minutes, 39 seconds
Thora Johnson and Mark Fox on De-Identification Under HIPAA and GDPR [Podcast]
By Adam Turteltaub
These days it’s easy to identify people using technology and databases, and that’s a problem if you are trying to comply with HIPAA or even GDPR because a lot of sensitive data eventually needs to be de-identified in a proper manner.
Thora Johnson (LinkedIn), Partner at Orrick and Mark Fox (LinkedIn), Privacy and Research Compliance Officer at the American College of Cardiology explain that there are two permissible methods of de-identification under HIPAA. Safe Harbor De-Identification is a process in which eighteen identifiers are removed. The second option is Expert Determination De-Identification, in which statistical principles are used to determine if there is low risk a person can be identified.
It's not an easy process, either way. Information on the individual and family members likely needs to be removed. In addition many struggle with how to do de-identification right because the work is often done only periodically and not on a regular, frequent basis.
One area of particular challenge is understanding the difference between de-identification and a limited data set. There are significant requirements with these limited data sets, too, including the need for a signed agreement with the data recipient and proper permissions to share the data.
Adding to the complexity, under GDPR there are the concepts of anonymization and pseudonymization to reckon with.
What should you do? Listen in to understand the issues, and then plan on attending Thora and Mark’s session “It’s De-Identified, or Is It?” at the 2023 HCCA Compliance Institute.
3/16/2023 • 13 minutes, 44 seconds
Andre Paris on Brazil’s Data Protection Law [Podcast]
By Adam Turteltaub
With one of the largest economies in the world and serving as the South American home for many global businesses, Brazil is a country for compliance teams to watch, and their laws are very much worth heeding. That includes the Brazilian General Data Protection Law (LGPD), which entered into force on September 18, 2020.
As Andre Paris (LinkedIn), Professor and Privacy & Compliance Consultant explains in this podcast, the law contains 10 principles including:
Data should be processed only for specific, legitimate, explicit purposes
Data quality needs to be maintained
Companies must be transparent about how data is used
A security regime must be in place
The data should not be used in a discriminatory manner
It is very similar to and consistent with the European General Data Protection Regulation (GDPR) and includes a number of rights for data subjects, such as access to personal data held by the organization, the ability to correct outdated and incorrect data, and the blocking or deletion of unnecessary data.
The law applies to any data collected in Brazil, regardless of the citizenship of the individual.
So how can compliance teams address the law’s requirements? He recommends several steps:
Secure the support of leadership
Search for someone with privacy expertise to serve as the data protection officer
Train the workforce on what is essential data
Map your data
Determine which law authorizes the processing of data
Identify any and all risks inherent in the organization’s operations
Listen in to learn more about how to ensure your organization is in compliance with Brazil’s LGPD.
3/14/2023 • 14 minutes, 43 seconds
Deb McCracken and Julie Wall on Patient Safety [Podcast]
By Adam Turteltaub
Patient safety remains a challenge for organizations, and not for want of trying to address the problem. Improving it is an issue addressed here and at the 2023 HCCA Compliance Institute by Deb McCracken, Chief Risk Officer, and Julie Wall, Senior Vice President, Benefis Health System.
Problems such as fall prevention remain, along with improper medication administration, misidentifying patients and preventing infections. They persist because, as healthcare and technology change, procedures may as well, leading to a departure from safe behavior.
Adding to the challenge, often, is an unwillingness to speak up and raise issues. Many fear that they will be retaliated against if they point out potential problems.
To better understand patient safety risk they recommend a close working relationship among compliance, quality and risk management. These three departments should help form a committee focused on patient safety that includes individuals skilled in capturing and coding root cause analyses.
To close safety gaps effectively, they recommend looking to best practices and implementing them. Also use lessons learned from your organization and others across the industry. That begins with debriefing after an incident.
They also recommend running simulations of real-life situations. These can help you be better prepared when an incident occurs. When you do, don’t forget about practicing for workplace violence scenarios.
Listen in to learn more about how you can promote better patient safety practices. And, to learn even more, join us in Anaheim for the 2023 Compliance Institute.
3/9/2023 • 11 minutes, 41 seconds
Brittney McDonough on Finding Your Next Job [Podcast]
By Adam Turteltaub
With seemingly constant news stories about layoffs, many are starting to wonder what they would do if they found themselves suddenly out of work and looking for their next compliance position.
There are several ways to make the process go smoother, explains Brittney McDonough, partner at the recruiting firm Barker Gilmore. That starts with making the right decision of how much time to take off after a layoff.
Many people, not surprisingly, are tempted to use their severance package to take a much-needed respite from work. Be careful, though, she advises. A job search can take three to six months, so taking six months off could lead to a year out of work.
That doesn’t mean, though, you shouldn’t take advantage of this time. You should embrace it; just be sure to use it strategically, balancing recharging your batteries with a thoughtful approach to finding your next opportunity.
When it comes to pursuing a job search, she recommends three key steps:
Develop professional objectives. Think through what you want out of your next position: What role do you desire? What level are you open to? What type of company? What size and industry? What do you want to make? Where do you want to live?
Develop a marketing plan for yourself. Think about how you are going to sell yourself and end up on the radar of recruiters and prospective employers. Update your resume accordingly, and be sure that you have a current and accurate presence on LinkedIn. Recruiters depend on it.
Be intentional about how you network. Put together a list of contacts who could be helpful. Reach out to them and ask what they can recommend and who they can connect you with. Be sure to also offer to help them, too. Also pursue speaking and writing opportunities. They are a way to increase your contacts and open up more opportunities.
What do you do when a prospective employer asks about the job that you lost or maybe still have? Be honest but don’t go into any more details than you need to. You want to keep the focus on the job you want, not the job you have or had.
Listen in to learn more, and if you want to learn more about networking, here is a link to a book that was discussed in the podcast.
3/7/2023 • 23 minutes, 12 seconds
Elena Durante on Greenwashing [Podcast]
By Adam Turteltaub
As environmental expectations keep rising and Environmental, Social and Governance (ESG) metrics gain more importance to investors, some organizations will be tempted to greenwash, which is best described as making an environmental footprint look far better than it actually is.
That’s a serious risk and one that will be addressed by Elena Durante, ESG Risk Audit Manager, ING Corporate Audit Services, Risk & Finance, at the SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 20-22.
As she explains in this podcast, at its roots greenwashing is about misleading information supplied to investors and customers, taking advantage of the fact that these outsiders cannot fully tell if what the organization is saying is true.
While greenwashing is still relatively unregulated, she tells us, that has started to change. In the EU there have been an increasing number of efforts to combat it. Plus, there is severe reputational damage to companies caught greenwashing.
Compliance teams need to be on the lookout at their organizations to ensure the integrity of their organizations’ environmental statements. That starts with ensuring that the regulations that currently exist are followed. It also means keeping an eye out for new regulations.
Compliance should also be working to develop and implement ESG protocols within the organization. These should identify clear rules and policies to ensure sufficient checks and balances are in place.
A training element will also be needed to help the business people understand that environmental statements need to accurately reflect the organization’s actual activities, not just its aspirations.
Listen in and then keep an eye out for greenwashing in your organization.
3/2/2023 • 14 minutes, 12 seconds
Andrew Walker on Self-Umpiring in Tennis [Podcast]
By Adam Turteltaub
Andrew Walker is the US Tennis Association’s (USTA) director of education and training for officiating and chief umpire at the US Open. He was good enough to join our Sports, Compliance & Ethics Conference, where he revealed something surprising. With the USTA having over 13,000 sanctioned events a year, ranging from adults to juniors, the vast majority of matches are technically unofficiated. Roving umpires are available but move from court to court. They don’t sit in the chair and call each point. Players do and keep the score. That’s often true as well at the college level.
It's not too different from how things work in the business world, with compliance officers not there to make every call for the business unit.
How does this work? Part of the role of officials at entry level events, especially those with children, he explains, is not to act only as officials, but to act as educators as well. They are there to teach kids to officiate fairly, even if it means making a call against oneself. That’s not easy, human nature being what it is and with, these days, the ultra-competitive environment in youth sports.
The officials seek to ingrain sportsmanship, which includes integrity, respect for your opponent and respect for the game. It also includes being a good winner and a good loser.
What happens when there is a dispute? First, officials recognize that honest mistakes are possible. A player, especially a young one, running to make a shot may not see things accurately. Even competitive players can lose track of the score.
But, when the calls are questionable, they will stay and watch the match for a while. And, if a player is repeatedly overruled in his or her calls, points and games can be taken away. The player may even default.
Listen in to get both a new appreciation of the world of tennis and maybe pick up a few ideas about how you could encourage more self-umpiring at your organization.
2/28/2023 • 11 minutes, 30 seconds
Christopher Knight and Megan Grifa on Fraud and Compliance [Podcast]
By Adam Turteltaub
Fraud and compliance issues often go hand in hand, which is why it’s important for fraud and compliance teams to work closely together. Christopher Knight (LinkedIn) of Knight Vision Fraud Investigations and Megan Grifa (LinkedIn), Senior Director, Compliance Oversight for Sidecar Health, will be addressing the fraud-compliance relationship at the 2023 HCCA Compliance Institute, taking place in Anaheim April 23-26.
In this podcast they point out that communication and follow-up are central to building successful connections between fraud and compliance. Each needs to let the other know what it is doing, what has been found and what is coming up next. Also of great value: setting up mechanisms to force yourselves to connect at a certain cadence to keep the lines of communication open.
In addition, they advise taking the time to get to know each other on a personal level. That will help build the trust that is essential when addressing a crisis.
Even during more normal times it’s essential to cooperate, aligning program structures and sharing risk assessments. Compliance teams can benefit from data mining and analytics tools that fraud has. Meantime, the fraud team can benefit from the seven elements approach used by compliance.
Listen in and then plan on learning more at the 2023 Compliance Institute.
2/23/2023 • 14 minutes, 5 seconds
Steven Pegg on Ethical Leadership [Podcast]
By Adam Turteltaub
Ethical leadership is about much more than being both ethical and a leader. It is also about the actions you take to encourage ethical behavior all around you.
It’s the subject of this podcast and a talk that will be given in March at the SCCE European Compliance & Ethics Institute by Steven Pegg, Senior Ethics Officer, Europe, Middle East & Africa for Lockheed Martin.
Ethical leadership comes with many challenges. Aggressive goals can cause executives to focus just on the task at hand and be tempted to cut corners. Studies have shown that positions of power can have an effect on behavior over time, leading to a loss of empathy, acts of disrespect, feelings of entitlement, selfish behavior and a tendency to think that the rules don’t apply to them. Not surprisingly, these factors can create a toxic culture.
Smaller offices also face the challenge of developing a subculture that can be inimical to ethical conduct. Lacking the controls of larger locations, unethical behavior may be left unchecked.
There is one other challenge to ethical leadership: a hesitance to talk about ethics. Some leaders, even virtuous ones, are uncomfortable discussing ethical issues.
To overcome these challenges ethical leaders need to develop several skills. These include:
Set the tone. People model what their leaders do. If a leader is comfortable telling stories and discussing ethical issues, it’s far more likely the rest of the workforce will be as well.
Act as a positive role model. Leaders must be accountable for their actions and both talk the talk and walk the walk. They also must respond fairly to both positive and negative feedback.
Know their limits. When leaders have exhausted their own skill sets, they need to be willing to reach out to others for guidance.
How can executives exercise ethical leadership in a hybrid environment? Steven recommends being creative. Use technology when it is helpful, but look also to face-to-face, in-person interactions as well. Setting up regular check-ins with the team can be particularly useful.
At those meetings, encourage people to share their ideas on all the issues. It will make them feel more comfortable raising their hand, knowing they are in a safe environment.
Also, remember that different cultures around the globe have their own unique ways of seeing things and behaving. Take the time to understand those differences and communicate sensitively.
Finally, he discusses what to do when an employee comes forward with a concern. His central advice: listen, listen, listen.
Listen in for more and then be sure to join him at the 2023 SCCE European Compliance & Ethics Institute.
2/21/2023 • 15 minutes, 22 seconds
Niurka Adorno-Davies and Scott Intner on the Compliance-General Counsel Relationship [Podcast]
By Adam Turteltaub
At the 2023 HCCA Compliance Institute, which takes place April 23-26 in Anaheim (and in a virtual format April 24-26), Niurka Adorno-Davies, AVP Compliance, Molina Healthcare, and Scott Intner, Chief Compliance Officer, GW Medical Faculty Associates, will be leading the session “Swimming with Sharks: A Compliance Officer’s Guide on Working with Legal Counsel.”
Their session, and this podcast, will examine some of the friction points in the Compliance-GC relationship and how to make things go smoother.
There are a number of causes of stress in the relationship, they explain. A GC controlling access to the board and senior leadership is one of them. Having legal as the gate keeper can be detrimental to the relationship and the effectiveness of the compliance program. Another cause for stress is overlapping responsibilities. If legal and compliance are unsure where one ends and the other begins, the lack of clarity can lead to turf battles or issues falling between the cracks.
To make the relationship a positive one they recommend beginning with respect for each other’s role. Second, compliance should be sure to give legal a seat at the table as soon as a potential issue is identified. Having them as a part of the team early can yield multiple benefits. Also, don’t overstep your role and start giving legal advice. That’s for them to do.
To protect privilege, be prudent when confronted with an issue that may lead to litigation or a settlement conversation with the government. Bring in the GC’s office, or if your organization doesn’t have one, reach out to outside counsel.
Outside counsel may also be helpful if the investigation is likely to involve senior leadership or delves into an area of specialized expertise that in-house counsel lacks.
Finally, be sure to share information both ways, understand each other’s roles and embrace a commitment to respect.
Listen in, and be sure to check out their session at the Compliance Institute.
2/16/2023 • 12 minutes, 5 seconds
Christian Hunt on Escalators in Japan [Podcast]
By Adam Turteltaub
So what do escalators in Japan have to do with compliance and ethics? As Christian Hunt found, quite a lot. In this podcast the author of Humanizing Rules and founder of the consultancy Human Risk shares an interesting tale.
A community outside of Tokyo found that the rate of injuries on escalators to and from train platforms had grown alarmingly high. The culprit was a tendency of some people to walk or run on the escalator, rather than just stand there. They ended up jostling other passengers, many of whom were older. This led to several injuries.
To combat the problem a campaign was launched requiring people to stand on the escalators. Signs were posted telling people that hurrying up or down the escalator was prohibited. There was no rigid enforcement, just a reliance on people’s goodwill.
At first there was near universal compliance. People saw that no one else was running or walking on the escalators, which provided social proof that standing was the only acceptable behavior. Also, with so many people just standing, it was more difficult to get by them all, effectively forcing people to stand where they were.
Not surprisingly, injury rates plummeted.
Over time, though, compliance rates dropped. For some, resisting the urge to hurry and not be late was just too strong, but, happily, injury rates remained far lower than their peak.
As Christian explains, this case of what he calls “compliance in the wild” – something compliance-related we see in everyday life that we can learn from – provided several lessons for compliance teams:
Maintaining 100% compliance is extremely difficult for long periods of time
Even less than 100% compliance can be a big win
Battling human urges (including simply feeling you are late) is extremely challenging
He also provides a warning that, when seeking to influence human behavior, one must be mindful not to annoy people any more than necessary. If you go too far, it may well provoke bad behavior elsewhere.
Listen in, but maybe not while riding an escalator.
2/14/2023 • 12 minutes, 3 seconds
Veronique Roedolf on a Four Cluster Compliance Program [Podcast]
By Adam Turteltaub
Veronique Roedolf, the Brussels-based Chief Compliance Officer at Solvay, was focused on developing and enhancing the compliance program. As she shares in this podcast, the company evolved their efforts and developed what they call a “Four Cluster Compliance Program.” The clusters are:
Protecting a Culture of Integrity
A culture of integrity, as they defined it internally, is about not just following the law but also acting with integrity according to the organization’s values.
Building a Strong Speak-Up Culture
Here they sought to raise the bar, overcome regional differences and help everyone understand that speaking up is not a negative thing. When done in good faith it enables the culture of integrity.
Increasing Third Party Oversight
These days every organization is only as strong as its weakest third party. Due diligence was expanded to include human rights and environmental issues.
Addressing and Mitigating Risk
Compliance and risk management are very much connected. The goal was to detect and address a broader spectrum of risk in an early stage.
Overall the focus is on prevention, which goes hand in hand with being more efficient and effective as a compliance program.
To achieve their goals they worked to become more embedded in and supportive of the business. They secured management commitment by involving leadership from the start. They also made sure there were opportunities for feedback and to have an impact.
To launch and sustain the program the compliance team developed a strategic communication plan with consistent and repeated messaging around two key communication points:
Acting with integrity in everything we do
Thank you for protecting our culture of integrity at Solvay
Listen in to learn more about the development and implementation of the Solvay Four Cluster Compliance Program.
2/9/2023 • 13 minutes, 17 seconds
Rebekuh Eley and Rick Kes on ESG and Healthcare [Podcast]
By Adam Turteltaub
ESG, or Environmental Social and Governance efforts, may not be a mandate quite yet for healthcare providers, but already there are heavy demands for ESG-related information from regulators, the public and bondholders.
As organizations pull together the data they need to report, say Rebekuh Eley and Rick Kes of RSM, it’s important to make sure that you have a thoughtful process behind it so that the data is accurate, consistent and complete. The last thing an organization wants is to have faulty data.
At the same time, many organizations only scratch the surface of what they can take credit for in terms of increasing health equity for the communities they serve or improving their environmental footprint. That information can be helpful in meeting federal tax compliance requirements.
While some may see ESG as something new and different, they note that community health is squarely under the S (Social) aspect of ESG.
Keeping a good score on your ESG efforts can help demonstrate that your organization is meeting its obligations to the community and 501(r) requirements. It can also earn you credit for your environmental and governance efforts, including the number of community members who are on your board.
Listen in to learn more about ESG and its role in healthcare
2/7/2023 • 15 minutes, 8 seconds
Keith Read on Approaching Compliance Differently [Podcast]
By Adam Turteltaub
London-based Keith Read (LinkedIn) is a longtime member of the compliance community and author of the book The Unconventional Compliance Officer: Doing Things Differently. He laments the fact that compliance officers spend their time “pushing”, as he describes it: pushing training, reminders, policies and so forth. That, he believes, leads to compliance fatigue and pushback.
Instead, he is an advocate for creating pull, where employees don’t see compliance as a chore but as an asset. In this podcast he outlines several intriguing practices he has used throughout the year to stimulate pull:
A compliance passport system to provide a more formal and valuable certification for employees of their achievement in meeting their compliance training requirements
A competition to identify compliance and ethics issues, which exposed some genuinely real issues
Creating “licensed professionals”. For example, by completing compliance training you are then licensed to perform your job. This helped identify gaps and tighten up the procurement process.
Instead of just auditing third parties, providing them with a grade, similar to what is often done for health and safety ratings at restaurants. Vendors came to use good ratings as a badge of pride internally and to help them win additional business
Listen in to learn more about these ideas and others that could stimulate new ways to think about your compliance and ethics program.
2/2/2023 • 14 minutes, 38 seconds
Radha Inguva on Speaker Programs [Podcast]
By Adam Turteltaub
Pharmaceutical and medical device companies use a number of methods to market their products. Among them, speaker programs get the most attention, often for all the wrong reasons. As Radha Inguva (LinkedIn), Director of Compliance, The CM Group explains in this podcast, while these programs are designed to educate the medical community they often lead to wrongdoing, with “educational sessions” held at wine tastings, lavish dinners and even Hooters.
To avoid problems, she and others are advocates for what is known as the optics test: basically, asking how a program would look, sound and feel to others. If it doesn’t seem right, it probably isn’t.
From a practical perspective, she advises looking at all aspects of the program. Are the menu selections appropriate? Is alcohol served (which it shouldn’t be)? Is there an appropriate amount of educational content? Is the venue consistent with learning? Are there some doctors attending the same program again and again for no apparent reason other than the free lunch? Are the speakers being paid an appropriate honorarium?
Then, after a program concludes, spend time making sure that it makes sense from both a business and optics perspective.
It isn’t just pharma and medical device companies that need to look at the optics. Health care providers are looking at them, too, with some creating blacklists of restaurants that they will not allow people to visit for presentations.
Listen in to learn more about what makes for a speaker program that’s safe to listen to.
1/31/2023 • 11 minutes, 43 seconds
Anitha Vittal on Compliance Program in a Startup Environment at Providence India [Podcast]
By Adam Turteltaub
Providence is a US-based healthcare system with over 165 years of history behind it. But, the Providence Global Center in India started just in 2020. It was founded as an engineering and operations hub and has a startup culture.
Anitha Vittal, Head, Risk and Compliance, was charged with getting the program off the ground. To get things started she first spent time talking with staff. Happily, she learned that attitudes towards compliance were very positive. While each person may have had a different definition of compliance, there was an eagerness for guidance and, for some, to have others responsible for managing the many legal and regulatory requirements.
After considering how to make the program effective and relevant, she ultimately decided to leverage the start-up culture and position compliance differently. Instead of speaking of it as a control, she positioned it as a way to make each endeavor successful.
This approach includes three key elements:
Each new hire, as part of their two-day orientation, is given a thirty-minute introduction to the compliance program featuring an engaging story-telling approach
A compliance champions network
Encouraging a speak-up culture
In addition, the risk assessment results were characterized in a new way, with each area labeled either “asking for help”, “may need help in the future”, or “no help needed”. Using this nomenclature, she found, was much more successful at providing dimension to risk areas.
Looking to the future, 2023 plans include embedding compliance into the organization’s DNA, exploring opportunities for insourcing resources, and leveraging technology to enhance productivity and bring efficiencies.
Listen in to learn more about what she and Providence are doing.
1/26/2023 • 11 minutes, 16 seconds
Stephen Paskoff on The Speak Out Act [Podcast]
By Adam Turteltaub
On December 7, 2022 The Speak Out Act became law. Stephen Paskoff, the President and CEO of ELI, explains that the law was spurred by the #MeToo movement and the Non-Disclosure Agreements (NDAs) that limited the recourse available to victims. It was designed to make it easier for victims to come forward, and harder for improper behavior to remain hidden.
The new law limits the ability of employers to include NDAs when it comes to sexual assault and harassment. Specifically, it states: “With respect to a sexual assault dispute or sexual harassment dispute, no nondisclosure clause or nondisparagement clause agreed to before the dispute arises shall be judicially enforceable in instances in which conduct is alleged to have violated Federal, Tribal, or State law.”
As a result of the law, compliance teams, no doubt working closely with HR and the general counsel’s office, will need to work to ensure that NDAs for sexual assault and harassment are no longer used internally or even externally with vendors. Existing agreements will need to be reviewed as well.
Organizations will also need to recognize that the balance has shifted, making it easier for employees to air grievances publicly.
To get ahead of this issue, they will need to take several steps that they likely should have already, including stressing standards and the value of respect. Training to prevent the bad behavior in the first place will be even more important, as will be good controls to catch it quickly when it happens.
Listen in to learn more about what The Speak Out Act means for your compliance program.
1/24/2023 • 10 minutes, 49 seconds
Stuart Pardau on ESG and Compliance [Podcast]
By Adam Turteltaub
Perhaps the biggest non-Covid change in the corporate landscape over the last few years has been the growth of the Environmental, Social and Governance (ESG) movement and its call to measure business on more than P&L statements. While some consider it a passing phase, Stuart Pardau, Associate Professor of Business Law, Professional Practice at Miami Herbert Business School at the University of Miami, thinks it is here to stay.
As proof he points out that BlackRock, Vanguard and State Street, with a combined $20 trillion in assets, have stated their commitment to making investment decisions informed by ESG considerations. He also notes that the SEC has proposed new rules to standardize climate-related disclosures.
On the corporate side, bonuses are increasingly tied to ESG metrics, and annual reports are featuring ever more language on the topic. Organizations are also more willing to take a stand on social issues.
With this revolution, though, have come new risks, he notes. Greenwashing – making marginal or fraudulent environmental claims – has grown to be a serious issue with the potential for reputational damage.
With this and other risks have come new challenges for compliance programs. Compliance teams need to help in the assessment of which ESG risks are greatest for their organization. In addition, they must keep in mind that not all of these risks come from aspiring to be a better organization. Some, whether around environmental, forced labor, or other issues, already have laws behind them.
There is also an internal risk around corporate culture. If there is a gap between the professed values and the everyday actions, the chances of a public and embarrassing failure are great.
Listen in to learn more about where ESG is going and the role of compliance along the way.
1/19/2023 • 15 minutes, 13 seconds
Kayne McGladrey on What Businesses other than Banks Need to Know about Gramm-Leach-Bliley [Podcast]
By Adam Turteltaub
The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires offerers of consumer financial products to explain how they share information and protect sensitive data.
It’s not, however, only banks that fall under GLBA’s umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid and others as well, explains Kayne McGladrey, Field CISO for Hyperproof.
The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:
Have a qualified individual to implement and enforce an information security plan
Conduct a periodic cybersecurity risk assessment
Implement cybersecurity controls to manage those risks
Document who has access to customer data
Assess the risks of applications that can access the data
Securely destroy old data
Periodically test the controls to verify their effectiveness
In addition, staff need to be trained, and there must be a written incident response plan and ongoing testing.
It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place.
Even so, it’s important to conduct a gap analysis, he advises, to ensure all the requirements are being met.
Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.
1/17/2023 • 14 minutes, 57 seconds
Matt Kelly on the Big Stories in Compliance in 2022 [Podcast]
By Adam Turteltaub
Last year was an eventful one for the world and the compliance profession. In this podcast, Matt Kelly, Editor and CEO of Radical Compliance, looks back at what he sees as the biggest events, and looks into the future.
The conversation begins with the impact of the war in Ukraine. He observes that the increasing number of sanctions of Russian individuals and entities, as well as the variations from country to country, have forced companies to improve their sanctions compliance efforts. The sanctions have also complicated procurement, forcing organizations to review their suppliers more carefully to avoid sanctions issues.
With the war has also come a host of ethical considerations. Organizations have had to decide what to do with their Russian operations and the people who work at them.
Also on the international front, 2023 brought increased cooperation among prosecutors, with a rising number of anti-corruption enforcement actions combining the resources of prosecutors in multiple countries. ABB, Glencore and Danske Bank are three notable examples.
This activity comes at the same time as Europe continues to lead the world in privacy and data protection requirements.
Looking domestically, he points to statements by Lisa Monaco at the Department of Justice and the push to require certification of the effectiveness of the compliance program by the CEO and chief compliance officer. This could be a dramatic shift for compliance programs. On the one hand, it could create stronger ties between the CEO and compliance, Matt observes. On the other hand, compliance officers would see greater personal risk, especially given the real likelihood that, despite a strong program, wrongdoing may occur.
Whether certification truly becomes established practice, though, has yet to be seen. Thus far it has only been imposed in the context of recently signed DPAs. As a result, certification will come in three years, if at all. He notes that a change in Administration could see a reversal of the policy.
What does he see in 2023? For one, a need for compliance teams to improve their ability to access and analyze data. The US Department of Justice has made it clear that it expects organizations to have robust compliance data analytics processes.
Second, he sees increased data protection enforcement actions, both abroad and in the US.
Listen in to learn more about what happened and what to expect for your compliance program in the year to come.
1/12/2023 • 15 minutes, 53 seconds
Beth Kastner and Shannon DeBra on Patient Steering and Charting [Podcast]
By Adam Turteltaub
It’s critical for patients leaving the hospital for a post-acute care (PAC) provider that the handoff be conducted well. Some facilities will be better suited to a patient’s needs than others, which is why the process needs to be handled properly, with discharge planners making recommendations based on patient need rather than the financial interests of the hospital or PAC.
Unfortunately, explains Beth Kastner, Member, and Shannon DeBra, Senior Counsel, at Epstein Becker & Green, that’s not always the case. Patient steering and charting can take place, with bad outcomes for everyone involved.
While there is no official definition of patient steering, it has been informally defined as the practice of directing patients and/or their caregivers to PAC providers that do not align with the patient’s goals of care and treatment plan. It can also be defined as inappropriately influencing the patient and/or caregiver.
Traditionally this occurs when the hospital, or its discharge planner, has been remunerated in some way by the PAC. As recent cases have shown, that could come in the form of gift cards, massages or even a free cruise. It might also be delivered as staffing for the hospital paid for by the PAC.
Whatever the form, it’s improper and could lead to a very large settlement and termination of the Medicare provider agreement.
Patient charting is a scheme in which a PAC is given access to patient data to identify patients for referral to their facility. It’s a practice that holds multiple risks, including anti-kickback and privacy.
So how can a hospital stay ahead of this risk? First, train the staff that remuneration comes in many forms and carries substantial risks. Second, reinforce that discharge planning must be done in the best interest of the patient. Third, watch carefully, including ensuring that all arrangements are in writing and reviewed by legal or compliance before signing.
Listen in to learn more about the issue and the do’s and don’ts of preventing patient steering and charting.
1/10/2023 • 14 minutes, 33 seconds
Erin Bliss on The Telehealth Risk Report [Podcast]
By Adam Turteltaub
In December 2020 the Pandemic Response Accountability Committee (PRAC) issued the report: Insights on Telehealth Use and Program Integrity Risks Across Selected Health Care Programs During the Pandemic. To better understand the PRAC and the report, we spoke with Erin Bliss, Assistant Inspector General for Evaluation and Inspections at the Office of Inspector General for the Department of Health & Human Services.
As she explains in this podcast, the PRAC was formed as an outcome of the CARES Act. Its mission is to promote transparency and coordinate oversight of the federal coronavirus response; prevent and detect fraud, waste, misuse and mismanagement; and identify risks across agencies. The Offices of Inspector General from HHS, Justice, Veterans Affairs, Defense, Labor and Office of Personnel Management are all PRAC members.
The report revealed how great an increase there was in telehealth. In the first year of the pandemic, telehealth usage increased from roughly 3 million people across six federal programs to 37 million. This change was largely the result of an expansion of the Medicare rules, which previously had limited telehealth to rural communities during in-office visits.
While few today dispute the value of telehealth, that does not mean its use has come without challenges. More data, the report notes, is still needed for oversight of telehealth’s use and impact, particularly on quality of care. In addition, data collection policies need to be improved, since many providers have kept only rudimentary information.
At the same time, the report identified activity that indicated waste, fraud and abuse. These included billing the same service twice, billing for extremely high amounts of telehealth services, billing for services that did not seem appropriate for telehealth, and billing at the highest, most expensive level.
If there is good news to these findings, it is that the risks are ones already familiar to healthcare providers. Established risk management and compliance tools will likely be useful.
Listen in to learn more about what the report revealed and what steps you can take, including active monitoring, to ensure the integrity of your organization’s telehealth services.
1/5/2023 • 13 minutes, 56 seconds
Jochen Vankerckhoven on Audience-Driven Compliance [Podcast]
By Adam Turteltaub
Compliance programs start with the laws and regulations, but compliance failures begin with people. That’s why, argues Jochen Vankerckhoven (LinkedIn), founder of Antwerp-based Compliance Explained, it is essential to take an audience-driven view of compliance programs.
What that means in practice is designing and implementing a program that is suited for the people who are the intended audience. It also means valuing your audience and realizing it is one of the main pillars of a successful program.
Think, he advises, of your compliance program as having two parts: a front and a back end. The front end is what the workforce sees. Then consider what the right message is and the right time to deliver it so it has the most meaning to your audience.
Be reasonable with your communication goals. Strive not for a deep understanding of a topic but for awareness of an issue and of where to go to get help.
On the back end, have the right controls in place and recognize that it is better to prevent a problem in the first place than to rely on those controls.
Listen in to learn more about this unconventional approach to thinking of compliance programs.
1/3/2023 • 11 minutes, 40 seconds
Jessenia Cornejo and Brittani Summers on Auditing & Monitoring [Podcast]
By Adam Turteltaub
Auditing and monitoring is a required element for an effective compliance program, but it also carries with it a host of benefits. In this podcast, Jessenia Cornejo (LinkedIn), Chief Compliance Officer for Bridge Diagnostics and Brittani Summers, Compliance Manager for Sprinter Health, outline all you can get from a robust auditing and monitoring program and how to create one.
Benefits of a strong auditing and monitoring program include:
Measuring the effectiveness of your compliance program
Identifying criminal or malicious conduct
Highlighting risk areas
Accountability
Transparency
Continuous improvement (which the government is looking for these days)
Greater collaboration with other departments
In addition to all these benefits, a strong program in this area can pay enormous dividends when a regulator or the Department of Justice comes knocking at your door.
When launching an auditing and monitoring initiative they recommend putting a work plan in place. It will enable you to manage the implementation to your goals and objectives. Be sure to include scheduling, they advise. It will help you stay on track.
Then share the plan with leadership or the compliance committee. That will help ensure buy in, identify constraints and risks, and help you get any additional resources you may need.
They also offer one simple, but important, piece of advice: don’t try to do everything all at once. Don’t wait until everything is in place before beginning. Instead, focus on the top risks as soon as you can.
Likewise, don’t try to audit everything all at once. It can be better to tackle one item at a time.
Listen in and learn more about how to make your auditing and monitoring program a success.
12/22/2022 • 15 minutes, 31 seconds
Haydee Olinger on When a Compliance Officer Becomes a Board Member [Podcast]
By Adam Turteltaub
With increased focus on the board’s oversight of compliance programs by the US Department of Justice and the Delaware Courts, there is a strong case for adding compliance officers to boards of directors, and many compliance professionals have the skills. Few, though, have been able to make the leap.
Haydee Olinger (LinkedIn), Sr. Advisor at Barker Gilmore, and former longtime chief compliance officer at McDonald’s, is one of the few who have. She has now served on the board of two publicly-traded companies.
How did she do it? She was able to find her way onto the first board through a combination of networking and the fact that she had such deep experience in the quick-serve restaurant category.
Her journey is a good reminder to compliance professionals that your position doesn’t just mean you have expertise in compliance. You also have expertise in the industry in which you work. The compliance role gives you insight into all the various aspects of the business. It’s an asset not to be downplayed when pursuing board positions.
Despite having worked with boards as a compliance officer, she reports that serving as a board member greeted her with many surprises. For one, board members don’t have the opportunity to settle in and learn the business. They have to hit the ground running and address a wide range of issues, which these days include the lingering impact of Covid, supply chain challenges, inflation, labor shortages, IT security and, of course, compliance.
Second, as a board member you have to reorient your thinking away from an executive whose job it is to get things done to a role of strategy and oversight.
That means as a board member you need to stay out of the weeds. One implication for compliance officers meeting with the board: don’t bog it down in detail. Instead focus on corporate risks, their likelihood of occurrence and what is being done to mitigate them.
While in the meeting, listen carefully to board questions to anticipate what they will need for future meetings. Between meetings, build a relationship with the relevant committee chair, board chair and even individual board members. The more interactions you have with them, the easier it will be to anticipate what they will want to know.
Listen in to learn more, and, perhaps, start thinking about how you can make the leap to board membership.
12/20/2022 • 11 minutes, 11 seconds
Matt Nobles on Working Abroad [Podcast]
By Adam Turteltaub
A lot of people, myself included, have wondered what it would be like to live and work abroad. Matt Nobles, Chief Compliance Officer – Middle East & Africa for GE Gas Power, has lived the life, even as a child. As he shares in this podcast, he spent his childhood as an expat kid living in Southeast Asia, and for many years now he has lived in Dubai.
It’s a life he has enjoyed greatly, meeting people from all over the world, and experiencing a wide range of cultures, food, music and art. It has also enabled him to expand his network and count friends all over the world.
His family has benefitted too, with his children enjoying an experience they would not otherwise have had.
In terms of one’s career, time spent in another country can have many benefits. A short-term assignment in a difficult region could lead to promotions when returning home. Alternatively, one assignment abroad could lead to another and another, and a life of living all over the world.
So what should you do if you have the desire to live and work abroad? First, he recommends considering the unique aspects of the region you are contemplating, the cost of being far away from family and the opportunities in that region versus others.
When you get to your new posting, he recommends spending the first 90 days listening as much as possible. Connect with your local team, learn their compliance challenges and the local dynamics. These include cultural, geopolitical, and legal factors.
Next dig into legacy issues to understand what has gone wrong in the past, and how it has been fixed, or still needs to be.
On the personal side, the first thing, of course, is getting yourself and family settled in. Then build out a local community for yourself to make the experience more enjoyable for you and your family. Be sure to take advantage of local experiences. Expat blogs and even books can be very helpful in helping you understand the region and the local mindset.
One mistake to avoid, he warns, is trying to focus on the American or Western way of doing things. Don’t go charging in with a fixed view. Instead, listen carefully to learn how things are done locally.
Listen in to learn more, and then, maybe, start packing your bags.
12/15/2022 • 9 minutes, 44 seconds
Troy Fine on Data Security Standards Audits [Podcast]
By Adam Turteltaub
With enhanced concerns and vigilance over cybersecurity has come an increasing number of yardsticks that organizations must measure themselves against. As Troy Fine, Director, Risk and Compliance at Drata, explains, in addition to legal requirements such as the European General Data Protection Regulation (GDPR), HIPAA and the California Consumer Privacy Act (CCPA), two key standards have emerged:
SOC2: This standard was developed by the accounting body ISACA and is primarily of import to US-based technology companies and startups. Audits are performed by CPA firms on internal controls related to security
ISO27001: More popular in Europe, it is a certification on information security management systems, examining how risks are identified and mediated and what control plans are in place
To prepare for an audit he recommends first getting a good understanding of the relevant standard, so you understand all the elements it requires and what it will take to meet those requirements. Next, determine when you will need the certification in hand and build a timeline backwards from that date to determine when you need to start. Calculate, too, what it will cost in terms of time, people and everything else, including the price of the audit.
How you work with the auditor will depend largely on which audit you pursue. He explains that SOC2 audits allow for more consultation than ISO27001 does.
When hiring an auditor, it can be tempting to use the one with the lowest price. He recommends, though, being careful before going down that route since the auditor is likely to have less time to give.
Be sure also that the auditor has the necessary expertise to evaluate your technology. Some may not be as well versed in various elements, including cloud services, as they should be.
Once the audit begins, compliance teams can be helpful by ensuring that all the data and people the auditor needs are available. And, he advises, be transparent, even about your gaps.
Listen in to learn more about having a successful data security standard audit.
12/13/2022 • 14 minutes, 55 seconds
Nick Weil and Mayesha Awal on Data Inventories [Podcast]
By Adam Turteltaub
Personal data, especially in healthcare, seems to breed on its own, which is why, like the dinosaurs in Jurassic Park, it’s critical to keep close tabs on where it is and how it is used. First stop: a data inventory.
Nick Weil and Mayesha Awal (LinkedIn) of Epsilon Life Sciences explain that a data inventory is necessary because often organizations don’t have a strong handle on their data. You need to take a noun and verb approach, they explain. The noun addresses where the data is: what computers, servers and file cabinets it is stored in. The verb speaks to what is being done with the data. What are the processing activities? What functions are accessing the data?
It's good information to have for its own sake, but under data protection regimes ranging from GDPR in Europe to HIPAA in the US, it is essential.
It is also a project that is often filled with surprises. Compliance teams conducting an inventory may discover a wide range of data types and data processing activities. These can include GPS information, payment card information, biometrics and much more. Plus, of course, there are the many ways that vendors may be using the data, and whatever information may be in the Zoom call that just got recorded.
Listen in to learn more about how to uncover and manage the data in your organization’s inventory.
12/8/2022 • 13 minutes, 52 seconds
Richard Bistrong on the Line Between Gift Giving and Bribery [Podcast]
By Adam Turteltaub
The holidays are here, and with them come good tidings of comfort and joy, and increased corruption risk. Holiday gifts, both given and received, can lead to serious compliance challenges.
In this podcast Richard Bistrong of Front-Line Anti-Bribery warns that 2022 may be particularly difficult. For many this will be the first time in several years that they have had the opportunity to connect face to face with customers and vendors. There may be a desire to catch up for lost time, and the rules of the road for giving may have been forgotten. Some may even be tempted to dip into their own pocket to keep the gift off the books.
Making things harder is that it’s difficult to find a rule of thumb for gift giving that reflects all the nuances from culture to culture around the globe. However, employees can learn to look to the code of conduct, reach out to managers and contact compliance to ensure that they are staying between the guardrails.
It’s important that workers know that the rules apply to gifts given to government officials and also to employees at other companies. Commercial bribery is a real risk, and a gift that may be perceived as creating an obligation of some sort is not appropriate.
Even charitable giving may be problematic. Although part and parcel of the regular giving of many industries, it’s important to ensure that the funds are being used appropriately and that the charity is not tied closely to a government official.
In general, organizations need to embrace reasonable and transparent gift giving. To that end, a gift registry can be extremely helpful, tracking both what is given and received, as well as any gift giving plans.
Finally, don’t forget to train employees on what gifts they can accept, and to warn them that it’s easy, as Richard learned, for a seemingly innocent gift to lead them down a dangerous path.
12/6/2022 • 12 minutes, 46 seconds
Harsh Kariwala on Compliance Automation [Podcast]
By Adam Turteltaub
Harsh Kariwala, CEO of VComply, warns that traditional tools for managing compliance programs, such as spreadsheets, may be hurting your compliance program. They often are not scalable and can lead to inefficiencies and unnecessary complexities.
Automating your compliance program can be a natural choice, but organizations may resist doing so out of budgetary concerns or mindset. Budget is typically of greatest concern for smaller organizations, which have less to spend and are eager to build or sustain their cultures.
If your organization is ready for automation, he recommends identifying the tools and technology that you would want, followed by defining what process you want to start with.
Take a phased approach to automation rather than trying to do everything at once. Pick one area to start, and analyze what is going right and wrong in the process. This will give you a better sense of the tools you will need and challenges you face.
Measure success by the value it provides to the end user in areas such as time saved versus manual projects and potential penalties that are avoided.
Finally, he advises avoiding the mistake of trying to do everything at once. So, take the first steps now, and listen to the podcast, but not all the podcasts.
12/1/2022 • 8 minutes, 35 seconds
Betsy Wade on the Strategic Side of Compliance Budgets [Podcast]
By Adam Turteltaub
A compliance budget is a lot more than the numbers in it, explains Betsy Wade (LinkedIn), Chief Compliance & Ethics Officer at Signature Healthcare. It should be a reflection of the organization’s priorities and risk profile.
The budget is also a point of focus of the US Department of Justice when examining a compliance program during an investigation. Their Evaluation of Corporate Compliance Program guidance for prosecutors asks not only if there are sufficient resources but if they are allocated on a “risk-tailored” basis.
So, what is the right budget to have? To determine that answer she recommends compliance teams do a risk assessment and determine what mitigation efforts will be needed. In addition, benchmark against other organizations to learn what they are spending and doing. Just try to make sure that you do so against as similar a business as possible.
Look also to publicly available resources such as benchmarking surveys from HCCA and SCCE.
Keep your eye out, too, for what regulators and enforcement authorities are saying. US Assistant Attorney General Kenneth A. Polite, Jr., she reports, recently called for compliance FTE for every thousand employees.
The compliance budget should include the cost of all those compliance personnel. Also in the budget should be any travel, certification costs for staff members, staff training, services purchased, and more.
To win management approval, she recommends continued analysis of the budget and making adjustments. She also advises using the risk assessment as a tool to support the compliance team’s budget request.
Listen in. Doing so won’t add a penny to your budget.
11/29/2022 • 11 minutes, 16 seconds
Felipe Sottorff Araya on Corporate Criminal Liability in South America [Podcast]
By Adam Turteltaub
Go back roughly twenty years and you wouldn’t find a country in South America that had corporate criminal liability laws. Today, though, the picture has changed dramatically.
Felipe Sottorff Araya (LinkedIn), a compliance consultant from Chile who recently moved to the US, reveals that half of the countries now have corporate criminal liability statutes, the latest being Colombia.
That doesn’t mean they all have the same laws. There are significant differences among the countries when it comes to triggers for corporate criminal liability. Some have adopted broad rules; others have taken a narrow route.
There are common elements, however. Bribery is treated as a corporate liability trigger throughout. In addition, the crime has to be committed to benefit the company.
Another common element: expectations for compliance programs. Each country follows the seven elements approach found throughout the world.
Listen in to learn more about the changing landscape of corporate criminal liability and also learn where organizations are most likely to fall short in their compliance efforts.
11/22/2022 • 8 minutes, 45 seconds
Deena King on Avoiding a Compliance Winchester House [Podcast]
By Adam Turteltaub
The Winchester Mystery House is both an unusual tourist destination, and a good metaphor, as it turns out. Built by an eccentric heiress who never stopped making changes and additions to it, the home is filled with dead-end passages and stairs that lead nowhere, a result of the constant building. Ultimately it grew to 24,000 square feet, 10,000 windows and 2,000 doors.
In this podcast, Deena King, author of Compliance in One Page and a working compliance professional, tips her hat to Andrew Nebbett of Ethisphere and the warning to avoid creating a Winchester House of a compliance program.
Too often compliance programs have one piece after another built onto them as they grow to accommodate more risk areas and parts of the organization. Worse, sometimes those pieces operate independently, leading to redundant efforts and a lack of cross-pollination of ideas.
To avoid this chaotic mishmash, she advises pursuing what she calls “strategic compliance”. Instead of focusing on the seven elements of the program, focus on the ultimate goal: to prevent, find and fix problems. Then treat the elements as a means, not an end.
Develop a strategic model, she advises, and then push it out through the organization. It helps prevent additions that are separate from the main program and don’t really fit with it.
Set up, too, a network for your compliance teams to communicate with each other, share insights and avoid learning dead ends.
Listen in to learn more, and let us know if you’ve been to the Winchester Mystery House.
11/17/2022 • 12 minutes, 3 seconds
Alan Wilemon on Doubt Mining [Podcast]
By Adam Turteltaub
The compliance team has a new initiative, or you need to tell the business unit that, if it wants to get into a new line of business, a list of compliance requirements needs to be implemented. Even if there is no overt pushback, there may be some very severe reservations.
Doubt mining, explains Alan Wilemon (LinkedIn), Head of Privacy at Stellar Health, is about getting people to give feedback about what they are nervous about and what they feel will not work in a project. Put another way, it’s about searching for why they have doubts about the project and whether a goal can be achieved on schedule.
So how do you mine those doubts and identify where the risks are? First, create a safe environment and invite them to speak up. Reach out to project stakeholders first. Then, secondarily, talk to any people who have been spoken for in the meeting. If people are “volunteered” to be a part of the project, talk to them as well.
Also, avoid asking for questions or concerns only at the end of the meeting. At that point many people are eager to leave and won’t say or want to hear anything. And even if people do want to discuss the issue, you will quickly run out of time.
Instead, invite comments earlier and ask them questions such as “Do you think we are being too aggressive?” You need to be the first to admit that there may be issues and the plan could be improved.
Listen in to learn more, and then become a doubt miner.
11/15/2022 • 11 minutes, 47 seconds
Roxanne Petraeus on Compliance During Layoffs [Podcast]
By Adam Turteltaub
Whether you call it a layoff or a reduction in force (RIF), it’s a stressful time for the organization and the people who work there. Research shows that people under stress don’t make the best decisions, which could raise compliance risk. Plus, it is always feared that some may make retaliation claims in order to preserve their jobs.
Roxanne Petraeus, co-founder and CEO of workplace compliance training company Ethena, says that the good news for compliance teams is that they should continue to focus where they always have: the culture. The bad news is that culture and trust are both damaged during a RIF, which can lead to both an increase in misconduct and a decrease in reporting.
Because of that, communication is more important than ever, she observes. Employees are hungry for more information. And don’t forget another form of communication: just being visible. Let them know that you are there for them.
Other advice she offers:
Remind employees about the organization’s policies
Embrace the idea that more is better
Train effectively in a targeted way, such as focusing on the code of conduct
Get in the habit of conducting regular surveys of the workforce
Listen in to learn more about how to better manage compliance programs during layoffs.
11/10/2022 • 12 minutes, 45 seconds
Todd Haugh on Nudges, Compliance & Ethics [Podcast]
By Adam Turteltaub
There has been a lot of discussion over the last few years about nudges, although typically in the general business environment, rather than in the world of compliance and ethics.
A notable exception has been the work of Todd Haugh, Associate Professor of Business Law and Ethics at the Kelley School of Business at Indiana University, and a Board Member and Jesse Fine Fellow for the Poynter Center for the Study of Ethics and American Institutions. He has written about nudges and offers additional resources on behavioral compliance.
In this podcast, he explains that behavioral science has revealed that nudges – carefully crafted prods to make the right decision – can have a profound impact. A nudge takes advantage of choice architecture, which pushes people in a direction by structuring the environment in which choices are made.
Notably, this is not about tricking people. This is a pro-social effort.
So, how does it work in practice? It begins at the end. Look at the outcome desired and then examine the steps along the way. As you do, build a behavioral map that identifies when small interventions in existing processes can achieve positive compliance results. For example, one organization was receiving more anonymous reports on its help line than it desired. The organization realized that the default setting for reporters was set to anonymous. By simply shifting the default to include the person’s identifying information, non-anonymous calls increased 5%.
Another example comes in the area of travel. When an employee fills out a travel form for a high-risk country, it’s a good time to provide information on data security and the corruption risks of meeting with government officials.
Professor Haugh cautions that it is best to think of nudges as ways to have specific impacts on certain behaviors, not to do something broad like creating a positive corporate culture.
Have reasonable expectations and then test out various nudges to see which ones are having an impact and which ones aren’t.
Listen in. It may nudge you to think of your compliance efforts differently.
11/8/2022 • 13 minutes, 44 seconds
Rodrigo Cunha on Digital Ethics [Podcast]
By Adam Turteltaub
Rodrigo Cunha is Global Director, Legal, Ethics Compliance and Data Protection for AB InBev. There he focuses on digital ethics.
As he explains in this podcast, when it comes to data, traditional risk management, focused on making sure that what the company is doing is compliant, is only the first step an organization needs to take. They also need to incorporate risk management in the design of the program. In addition they have to focus on reputation and trust. Without a good reputation for protecting data and the trust that comes with it, a company will have an exceedingly difficult time doing business.
Digital ethics, he believes, is a business enabler. Organizations need to look beyond the compliance requirements, especially now with requirements increasing and varying so much by jurisdictions.
Instead, it is better to think about expectations of the government, consumers and other stakeholders as a guide.
At AB InBev that assessment led to the development of five principles that they stand for wherever they operate:
Collect only the data we need
Use the data only in a manner that we say we would
Protect the data we have
Keep only what we need
Be accountable
Further thought led to the development of a sixth principle: We use data how people expect we would.
Putting these principles into practice involves a deep partnership with the business units. It includes effective training but also modifying the three lines of defense model to make sure the business unit is better able to meet the challenge. That includes the compliance team working closely with them to respond effectively whenever issues arise.
Listen in to learn more about how to better embed data ethics into your organization, and hear what Rodrigo sees for the future, including a potentially dramatic shift in consumer behavior.
11/3/2022 • 15 minutes, 53 seconds
Bret Hood on Why Leaders Fail [Podcast]
By Adam Turteltaub
Why is it that so often leaders in organizations fail? They seemingly had all the skills, accumulated all the experience, and then something went wrong, sometimes disastrously. Not just the CEO, it can be leaders at other levels in the organization.
Bret Hood (LinkedIn), Co-Founding Partner of 21st Century Learning & Consulting, provides some fascinating answers to that question in this podcast, in which he draws from, amongst other things, his 25 years in the FBI.
He explains that as individuals move up the organizational ladder feelings of empathy may start to deteriorate without the person realizing it. They may grow to become self-centered, taking credit for the success of others, and distributing blame for failures, including their own.
This can be coupled with what he calls “illusory superiority”: the belief that you are better than everyone else. Most of us suffer from that to a degree. A very disproportionate percentage of people feel that they are smarter than their peers or even a better driver than most. In an exercise he frequently does, rarely do more than 3%-5% believe that they are in the bottom half for leadership skills. Clearly, it’s not possible for 95% to be in the top half.
Many leaders (and others as well) also suffer from what he refers to as “sunk cost bias.” A mistake is made, and instead of owning up to it there is a tendency to double down. A small fudge of the numbers in one quarter when thinking “well, it’s a small one-time dip” leads to greater fudging the next, and then on and on, rather than an honest accounting.
The bottom line is that knowing your capabilities and performing an honest self-assessment is difficult. That’s why he recommends two approaches. First, think about what your gut says, and then ask: what if I made the opposite decision? What would be the consequences? This technique helps you see things from more than one perspective.
The second recommendation is to find people you respect who trust that it is safe for them to ask hard questions and offer opinions that contradict yours.
Listen in to learn more about leadership, and also the concept of followership.
11/1/2022 • 11 minutes, 53 seconds
Shemekia Alexander on Compliance Exit Interviews [Podcast]
By Adam Turteltaub
Exit interviews can be terrific sources of information for compliance teams, but how do you make the most of them? And do you need to be a part of all of them? That can be a very tough task in a large enterprise.
Shemekia Alexander, Director, Corporate Responsibility Officer of Mercy Health, recommends focusing on live interviews with key individuals who are most likely to have insights into potential compliance issues. In her case, that includes compliance and legal personnel, the executive suite, revenue cycle staff and providers.
To get people to feel comfortable talking, she reaches out in advance to introduce herself and make the person comfortable with the process. Typically, she sends an email saying who she is, the purpose of the meeting and that it will be confidential. She also recommends that the departing employee, if the conversation will be via Zoom or a phone call, get to a place where they do not have to worry about being overheard.
During the interview she begins by explaining what she means by compliance since some are confused about what exactly compliance encompasses. She then asks several standard questions including:
Are you aware of any compliance concerns that should be addressed?
Have you raised any compliance-related issues previously that have not been addressed?
Have you seen any associates engage in conduct that may be illegal or unethical?
How would you describe the organization’s compliance culture?
Is there anything else you would like to discuss?
The last, very broad question can be particularly helpful, opening the door for conversation.
As important as what the employee says can be how they are acting in the conversation. She advises paying attention to their behavior: are they hesitant, disgruntled, scared, aggressive?
For those who are not interviewed face to face there are questions in an optional survey that HR provides to departing employees. Any issues raised there are forwarded to compliance.
It’s all a part of a team approach, and cultivating the team’s support is essential for success.
Listen in to learn more about how to turn an employee exit into a compliance opportunity.
10/27/2022 • 10 minutes, 49 seconds
Shu Min Ho and Sam Johnson on Third Party ESG Risk [Podcast]
By Adam Turteltaub
Third-party risk is the risk that keeps expanding. Data security and anticorruption risk have long been the focus. Now, though, the risks are broadening to include issues such as where materials are sourced and the labor that produces them.
Shu Min Ho, Partner in the Singapore office of the law firm Sidley, and Sam Johnson, Senior Managing Associate there, explain in this podcast that with the rapid adoption of ESG programs, the scope of risks is dramatically increasing, especially considering how much ESG encompasses.
To be effective, compliance teams need to focus their ESG third party risk efforts on those areas of the supply chain that are most likely to harm the business beyond the traditional legal framework. That means understanding your business and where the risks are. For example, in the technology hardware business that likely includes labor standards, worker protections and mineral sourcing.
Increasingly it also means looking beyond your suppliers to their major suppliers as well. That effort requires tremendous cooperation from the business unit, procurement and, of course, the suppliers themselves.
When looking at suppliers, take time to understand their business model to determine how they make money. Then watch out for signs that something may not be right. For example, if a product is suspiciously inexpensive, it may be the result of workers forced to labor long hours or outsourcing to companies with limited or no safeguards in place.
Be aware, too, that expectations are different. An environmental review in the past may have looked at how toxic waste is handled. Now, sustainability is likely much more of a consideration.
Finally, be especially sensitive to human trafficking and modern slavery. They are ESG issues increasingly subject to regulatory expectations. In fact, a separate due diligence effort may be necessary in this area.
Listen in to learn more about how ESG is calling for a second look at third party due diligence.
10/25/2022 • 16 minutes, 21 seconds
Bruno Drummond on Ethical Audits [Podcast]
By Adam Turteltaub
An ethical audit is one that evaluates compliance with laws and regulations but also assesses a vendor against ethical standards, explains Bruno Drummond, Senior Director, Global Compliance at DHL Supply Chain. These standards could come from an industry or other external organization or from your company’s own code of conduct. They likely would cover issues such as human rights, child labor, forced labor, discrimination, unfair and inhumane employment, working conditions and even your supply chain’s own supply chain.
Why should you conduct one? Because these days regulators, enforcement and the public require it.
For a company such as DHL, which is heavily committed to ESG, ethical audits are at the top of the list. It’s a part of the company’s commitment to clean operations, being a good place to work and being highly trusted.
DHL was first exposed to ethical audits when a customer conducted one of them. Seeing the value in it, they adopted it themselves.
The audits are conducted both remotely and at customer locations. The DHL code of conduct is the benchmark against which the audit is conducted. Included in the process are roundtables with employees, interviews with managers and an office walk through.
Because of the cost, Bruno recommends taking a risk-based approach and looking at a cross-section of your supply chain when conducting these audits.
Listen in to learn more about the process and whether it’s time for your organization to embrace ethical audits.
10/20/2022 • 12 minutes, 45 seconds
Chris Davenport on Getting the Helpline to Ring [Podcast]
By Adam Turteltaub
Most every compliance team would like the helpline to ring more, and Brooks Rehabilitation was no different, explains Compliance Operations Manager Christine Davenport (LinkedIn). To increase call volume they adopted a snappy slogan – “Better call compliance” – and put together a full marketing campaign to support it.
The efforts paid off big, doubling the number of calls over four years.
It wasn’t the slogan alone that helped. Central to their success was the combination of good internal marketing along with a serious behind the scenes effort to ensure that calls were acted on.
The team captured data on which line of business the call came from, type of issue and what response was provided. The data was kept on a shared drive to streamline the process and make it simple to spot a repeated question. This both saved work and decreased the time of response. Common areas of employee concerns included HIPAA and receiving gifts from patients.
When responding to calls, the compliance team, wherever possible, included information about the underlying regulatory requirement. This helped provide employees with context and enabled them to better educate themselves.
The compliance team also looked beyond the questions and treated the calls as a way to start a conversation and reassure employees that calling didn’t automatically get them or someone else in trouble.
Listen in to learn more about their efforts and get some ideas about how to convince your workforce it had better call compliance.
10/18/2022 • 10 minutes, 43 seconds
Dan Kahn on the Recent Comments by Deputy Attorney General Lisa Monaco [Podcast]
By Adam Turteltaub
United States Deputy Attorney General (DAG) Lisa Monaco recently gave a speech in which she outlined both new policies at the Department of Justice (DOJ) as well as enhancements to existing ones that can have a profound effect on compliance and ethics programs.
To better understand both what she said and what it all means we sat down with DOJ veteran Daniel Kahn (LinkedIn), a partner in the Washington, DC office of Davis, Polk & Wardwell, for an in-depth and longer than usual podcast. He explains that while the emphasis on individual accountability is not new, there is a significant change. The Department expects that individual prosecutions will take place prior to or at the same time as corporate resolutions. Given the extra time it often takes to prosecute an individual, that will make it harder for organizations to reach a swift conclusion and move forward.
There is also one other significant change in terms of how individuals are treated: the Department is now looking to see if the organization is clawing back compensation from employees who committed wrongdoing, at least in those jurisdictions where it is permitted.
When it comes to leniency, the Department had previously stated that repeat offenders were not likely to receive a Non-Prosecution Agreement (NPA) or a Deferred Prosecution Agreement (DPA). The DAG’s latest comments reflected a more nuanced approach and reflect the idea that all incidents are not created equal, and that in a large organization it is possible for more than one violation to occur over time, without it being a sign of dysfunctionality.
Other notable elements of her comments:
The Department expects that when an organization seeking cooperation credit comes across hot new evidence it will share it with Justice immediately
For the first time there will be policies on voluntary disclosures across all the various departments within Justice
There will be a presumption against a guilty plea if a company voluntarily self-discloses, cooperates and remediates
Non-Disparagement Agreement clauses will be looked at unfavorably if they interfere with whistleblowing
One other notable element of her talk, which was, perhaps, lost in most discussions about her comments, is the call for organizations to get a better handle on messaging by employees on their personal devices.
Finally, Dan addresses what some perceive as a slowdown in corporate prosecutions over the last few years. He notes that during the Obama and Trump administrations there was an uptick in cases. Any slowdown over the last two years is likely the result of changes in leadership at the DOJ with a new Administration. The bottom line is that now is not the time to assume the DOJ is not active.
Listen in to learn more about what you should take away from DAG Monaco’s comments.
10/13/2022 • 28 minutes, 9 seconds
Laura Valdespino on Communicating & Compliance [Podcast]
By Adam Turteltaub
Good communication is a two-way street, with both sides sharing their perspectives. Yet, observes Laura Valdespino (LinkedIn), Chief Compliance Officer, Booking Holdings Financial Services USA, too often it is one way, with compliance doing the talking.
In this podcast, and in her in-person and virtual session at the 2022 Compliance & Ethics Institute, Laura outlines practices for creating a good dialogue with the workforce. It starts, she explains, by committing to listening. Engage with them, she advises, and look to create opportunities for interactions through Q&A sessions or coffee and donuts.
Once you are there with the workforce be sure to listen with unbiased ears to what people say they want and need from compliance.
Be sure to also customize your message to the audience. Salespeople, manufacturing, IT and all the other parts of your organization will have different needs and will be listening for different information. Take the time to understand what motivates them. It helps build trust.
How you communicate is also important. Learn what frequency of communication works best for your workforce. Be sure to avoid lecturing, legalese and focusing on what they can’t do. Instead, keep the communication focused on the right way to achieve business goals and what we all need to do.
Listen in to learn more, and be sure to attend her session at the live or virtual 2022 Compliance & Ethics Institute.
10/11/2022 • 15 minutes, 30 seconds
Kathleen Grilli on 30 Years of the US Federal Sentencing Guidelines [Podcast]
By Adam Turteltaub
The Organizational Sentencing Guidelines have turned thirty, and what began as an experiment is now an established framework for compliance programs in the US and around the globe.
To commemorate the milestone, the United States Sentencing Commission has published The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence, which takes a look at the impact of the guidelines and what we have learned about their impact on organizational behavior.
In this podcast, the Commission’s General Counsel Kathleen Grilli identifies the three largest innovations of the Guidelines:
Incentivizing self-policing by organizations
Providing guidance on effective ethics and compliance programs
Holding organizations accountable based on specific culpability factors when they commit offenses
The approach has worked more successfully than had been imagined. As she notes, it has expanded beyond the criminal environment to encompass civil settlements with government agencies as well. In addition, the approach to compliance in the Guidelines has been embraced globally, with their outlines clearly visible in the laws of many nations.
Within the US, she shares, a strong difference has emerged between organizations with and without compliance programs. The overwhelming majority of organizations convicted had no compliance program at all. In fact, only 11 out of approximately 5,000 organizations had a program that a court found to be effective.
This points out that there is still room for improvement, particularly among smaller organizations that lack awareness of the need for and benefits of compliance programs.
Listen in to learn more about the remarkable effectiveness of the Organizational Sentencing Guidelines.
10/6/2022 • 14 minutes, 17 seconds
Marla Berkow on Behavioral Health and Restorative Justice [Podcast]
By Adam Turteltaub
Usually, a Compliance Perspectives podcast focuses on just one topic, but in this one Marla Berkow, Corporate Compliance Officer at Gateway Foundation, tackles two: behavioral health and restorative justice.
In the first part of the conversation, we focus on the unique challenges of behavioral healthcare. They include maintaining both patient and organizational privacy. Physical and emotional safety of the staff is also important, along with a strong culture of reporting.
With many patients taking part in pre- or post-trial diversion, unique challenges are created, especially in the privacy arena.
In the latter half of the conversation Marla focuses on a restorative justice approach, which, she explains, is designed to differentiate between an intentional and an inadvertent mistake, with discipline meted out appropriately.
With that comes a focus on ensuring the problem is not repeated.
Listen in to learn more about the challenges of behavioral health and potential benefits of a restorative justice approach to compliance.
10/4/2022 • 11 minutes, 25 seconds
Jan Elezian on Privacy Walk-Throughs [Podcast]
By Adam Turteltaub
Having all the privacy policies and procedures in place is one thing. Having them practiced is another, and that’s where a privacy walk-through comes into play.
Jan Elezian (LinkedIn), Director Healthcare Provider Practice, Revenue Cycle Compliance, Regulatory Compliance at SunHawk Consulting, explains that the walk-through is a test of a facility’s privacy and security environment. It includes a tour of high-risk areas – registration, patient intake, wherever else PHI is accessed – to see what employees are actually doing. It can be used to identify how your administrative and technical safeguards are working in the real world and determine where they need to be strengthened.
Before beginning the walk-through, she recommends putting together a checklist of what you will be looking for. Leave room for taking notes, and hold onto it. That way, when you return for a subsequent walk-through you can easily see how things have changed for the better and worse.
What should you be looking for? A variety of things including:
Is staff wearing badges?
Are visitors escorted in?
Are security reminders posted?
Are printers improperly secured?
Have papers piled up on the printer?
Are privacy practices posted for patients?
Two other things to check for: fire extinguishers and smoke detectors. HIPAA requires safeguards on PHI, she points out, and that includes safeguards against fire.
After you have done your visit, she recommends developing a post-assessment remediation plan. There inevitably will be corrective actions needed. Be sure to include follow-up steps and dates when the work will be completed.
All this effort will help create a more secure data environment, and give management, the compliance committee and board greater confidence in your program.
9/29/2022 • 7 minutes, 22 seconds
Jason Meyer on Not Boring the Board [Podcast]
By Adam Turteltaub
Time with the board tends to be short, valuable and critical to the success of the compliance program. Getting and keeping their attention is essential. To do so effectively, Jason Meyer (LinkedIn), President of LeadGood Education, recommends keeping in mind that board members share one thing in common with the rest of us: they want to know if what you’re telling them is truly relevant to them or a waste of their time.
To communicate effectively he recommends an audience-centric approach. That means avoiding compliance jargon and focusing on terms that they care about such as “fiduciary duty”, “Caremark decision”, “oversight” and “DOJ Guidelines”. And, of course, where appropriate, “stock exchange rules”. Remember, too, that they are focused on existential risks to the organization, not the routine, everyday ones.
Stay laser focused on what is in it for them and combine hard information – what their duty or a risk area is – with scenario-based examples.
Think, too, like a marketer: repetition matters. Stress and keep stressing what’s important, but put some sizzle behind it. Avoid the pitfalls of simply echoing what management is saying and being just one more presentation. Have a message of your own to demonstrate independence and underscore the importance of a direct compliance-board relationship.
Also, don’t forget the education part of the equation. Opportunities for them to be better educated are rare, and showing you have information they could use may be the best way to get their attention.
Listen in to learn more about how to get the most out of your time with the board.
9/27/2022 • 15 minutes, 12 seconds
Meiran Galis on Data Security, SOC 2 and ISO 27001 [Podcast]
By Adam Turteltaub
Improving data security at your organization doesn’t just protect you, it can also increase your business, explains Meiran Galis, Chief Executive Officer of Scytale. Customers increasingly want to know that their business partners’ systems are secure and that critical data will not get stolen or held hostage in a ransomware attack.
To ensure that they are meeting data security standards and can provide their customers the assurance that they seek, many organizations pursue SOC 2 or ISO 27001 certification. As Meiran explains, there are key differences between the two.
SOC 2, he reports, has become the new gold standard for SaaS applications. It is generally considered of greater value in the US and is not technically a certification. An attestation report is made and independently certified.
ISO 27001 is a traditional certification and is focused on information security management. It is more popular outside the US, especially in Europe.
So, should your organization pursue SOC 2 or ISO 27001? That depends on where your current and potential customers are and what they require. Ask sales if prospects and customers are already wanting a certification from your organization.
Once you decide on which certification to pursue, or if both make sense, don’t expect it to be a fast process. For small organizations it may take 250 hours of work. For larger companies, it may take 1000 hours or more.
Once you earn the certifications, have a plan in place to continuously monitor and periodically audit your efforts.
Listen in to learn more about whether SOC 2, ISO 27001 or both are necessary to protect and grow your organization.
9/22/2022 • 14 minutes, 9 seconds
Ty Francis and Eric Morehead on Assessing Your Compliance Program [Podcast]
By Adam Turteltaub
The writing on the wall is pretty clear: regulators expect compliance programs to be custom designed for the organization and kept up to date. That means compliance teams need to stop periodically and reassess their program to ensure it is effective in practice and not just on paper.
In this podcast, LRN’s Ty Francis MBE, Chief Advisory Officer, and Eric Morehead, Director, Advisory Solutions, explain that regulators want to know if organizations are targeting their compliance resources to the risks that they are facing.
To allocate efforts successfully, it is essential to look at the data to see if your program is effective.
Yet, they point out, it’s not just a numbers game in which more spending leads to more results. If, for example, there is an issue with employees not speaking up and living in fear of retaliation, paying for more training is not going to be enough. Instead, compliance teams need to look holistically at the situation and address the underlying cultural issues. That includes demonstrating to employees that a manager who retaliates will face discipline.
So how do you conduct an effective assessment? First, they recommend budgeting enough time. The process tends to take longer than people think given the number of people you will need to interview and the time at the front end to gain support from leadership.
Next, make the effort to talk to people from the top of the organization to the bottom. Do so in person, or via surveys if necessary. As you do, be sure to learn how they feel about the compliance programs, the culture of the organization, violations they may be seeing and the ability to speak up without fear.
Finally, they advise looking outward. Benchmark your efforts against your peers. This can provide context and expose you to ideas and solutions you may not have been aware of.
Listen in to learn more, and then spend some time assessing your assessment program.
9/20/2022 • 15 minutes, 11 seconds
George Tziahanas on New International Privacy Laws [Podcast]
By Adam Turteltaub
GDPR, CCPA and HIPAA all pose daunting privacy challenges for organizations. But, George Tziahanas (LinkedIn), Managing Director of Breakwater, explains that there are many more national laws to consider. In this podcast he takes us through five jurisdictions with laws and regulations that global compliance and privacy teams need to consider.
The People’s Republic of China
China's law, he reports, is very focused on the national interest and on a belief that data, particularly critical data on firms and infrastructure, needs to stay in the country. The law governs whether data can be transferred outside China and under what circumstances. It also limits what information can be shared with foreign law enforcement.
France
The US CLOUD Act triggered concerns in many jurisdictions around the world. France's national cybersecurity agency (ANSSI) established a certification program that now requires cloud-based services to be operated in France by French nationals and limits the ownership stakes foreigners may hold. It affects broad sectors of the economy.
Germany
The largest economy in Europe is embarking on efforts similar to those in France, which is having the effect of creating digital borders in the EU. They have created a sovereign cloud, in partnership with the private sector, that affects government agencies, vital services and critical sectors of the economy.
The Kingdom of Saudi Arabia
Saudi Arabia has classified certain data as needing to stay within the country. This has led to partnerships with cloud vendors to bring their infrastructure into the country.
Dubai
The UAE, he reports, has long had limits on encrypted voice channels and VoIP. To gain access to cloud technology it, too, is slated to introduce new data and cybersecurity rules that are anticipated to be similar to Saudi Arabia's.
In sum, organizations are now increasingly facing a world in which data transfers will be more complex and where data is housed will be closely scrutinized and limited. Listen in.
9/15/2022 • 13 minutes, 27 seconds
Cindy Morrison on Trust and Speak-Up Cultures [Podcast]
By Adam Turteltaub
Getting employees to come forward and raise issues can be difficult. There is often genuine fear of retaliation, and many don't trust that the company will do anything. It's a topic that Cindy Morrison CCEP (LinkedIn), Director, Global Ethics and Compliance, Post Holdings, Inc., will be addressing at the 2022 SCCE Compliance & Ethics Institute and tackles in the latest Compliance Perspectives podcast.
Her own journey of discovery in this area was jolted by an assessment revealing that employees did not think the company had a speak-up culture. The key to creating one, she realized, is encouraging respectful dialogue. A true, two-way discussion is necessary to help build the trust that is so essential. Employees want to be heard, and if the company isn’t listening to them, they are never going to feel safe.
Showing that the organization is listening begins with making the effort to know the employees, a difficult challenge in a remote-working world where employees tend to change jobs frequently. Still, it must be done, and managers need to practice active listening and adapt their communication style to the listener.
It also means demonstrating that when employees speak up, actions are taken: bad actors get disciplined or fired, policies are changed or publicly reinforced.
In addition, it is essential to remember that each facility may have its own distinct culture. That may stem from the history of the facility and who has worked there, or the ethnic makeup of the employees. It’s also important to remember that not all facilities in the same country will share a common culture. As she notes, their operation in Minnesota is 70% Somali.
Finally, she underscores the importance of constant education. Make sure the workforce knows all the ways it can raise issues and what to do if they feel they are being retaliated against.
Listen in to learn more, and then join us at the 2022 SCCE Compliance & Ethics Institute.
9/13/2022 • 12 minutes, 23 seconds
Vin Lacovara and Corey Parker on Risk Assessment Frameworks [Podcast]
By Adam Turteltaub
What’s a risk assessment framework? How can it help?
Vin Lacovara, Institutional Compliance Leader, George Mason University, and Corey Parker, Director, Baker Tilly, explain that the framework is a document that should be tailored to the organization's needs. It starts with an inventory of applicable laws and regulations. Next, the responsible personnel and the controls already in place are added, followed by a preliminary prioritization of risk areas. Then more detail can be added at a more granular level.
All in all, building the framework should take about a month. The harder, longer work comes next: carrying out all the mitigation efforts the framework says need to be put in place.
How often should the framework be reassessed? That depends on the organization’s priorities and how high a given risk is. Any high risk area that threatens to literally or figuratively shut the institution down should be looked at more frequently to see where the institution’s risk mitigation efforts stand.
To ensure that the framework is properly tailored to your organization, they recommend investing time in developing relationships with stakeholders to make sure their needs are met.
The most important thing is to start somewhere. Don't let yourself get bogged down, and expect the process to develop and improve over time. Perfection out of the gate is not likely.
Listen in to learn more about how to create a proper risk assessment framework.