compliance ethics · 2018-04-06 · a publication of the society of corporate compliance and ethics...

a publication of the society of corporate compliance and ethics MAY 2018

Meet Jamie Watts, CCEP-ISenior Compliance & Risk Advisor

World Food Programme

Dakar, Senegal

see page 18

corporatecompliance.org

Compliance & EthicsPROFESSIONAL®

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

September 24–25, 2018 | Scottsdale, AZ | The Scott Resort & Spa

corporatecompliance.org/auditQuestions: [email protected]

This Conference is designed for board members and members of an audit and/or compliance committee. Compliance officers and other senior organizational leaders are welcome to attend.

Join us and learn:• The latest on regulatory risk and

compliance obligations• How to fulfill your fiduciary obligations as a board member• How to help improve your board performance

Board Audit CommitteeCompliance Conference

Buy one registration

for $895 and get one

for $595

scce-2018-board-audit-ad-cep-may.indd 1 4/2/2018 3:55:12 PM

+1 952.933.4977 or 888.277.4977 corporatecompliance.org 3

Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

by Gerry Zack, CCEP, CFE, CIA

Is accounting fraud a compliance or ethics issue?

C ompliance with accounting standards is an area in which few compliance professionals dare to tread. Yet,

one look at the circumstances behind most financial reporting fraud cases reveals the same types of problems that compliance and ethics programs are designed to address. Is this because accounting rules are complicated? Perhaps it’s because there is a reliance (overreliance?) on outside auditors to audit the financial statements. Or is the finance

and accounting function somehow considered “out of scope” for the compliance and ethics program? It shouldn’t be.

One of the factors that might contribute to confusion in this area is that accounting is not nearly as straightforward as most non-accountants think. Indeed, many transactions are very clear

from an accounting perspective. I pay $45 for a meal with a colleague, and that $45 gets reported as an expense on my organization’s income statement. It’s clear what the amount is. It’s clear when the transaction should be recorded. Everything about this transaction is easy to account for. Any deviation from the required accounting treatment is a compliance violation.

But, significant portions of many organizations’ financial statements are subject to estimation. These areas are not nearly as clear. Even the accounting standards provide guidance only in the form of broad principles. Much is left to judgment, which can lead to human error—or worse, intentional manipulation of the organization’s financial statements to achieve a desired result (e.g., a revenue goal, projected profit).

Examples of significant estimating can be found all over a set of financial statements. Some have to do with whether or when a company is permitted to recognize revenue for a particular transaction (subject to rules that are in the process of changing and that require the application of significant judgment). Another big area deals with estimating the fair values of assets for purposes of measuring whether something is still worth the amount at which it is being reported in the financial statements. Take an intangible asset or goodwill as an example. Estimating its value likely requires at least three separate estimates: projected amounts of future cash inflows, the timing of those cash flows, and the determination of a proper interest rate to be used to discount the future cash flows. That’s a whole lot of estimating that is ripe for errors or fraud.

I think the conclusion here should be obvious. If an area of compliance risk involves the application of judgment, it is both a compliance and an ethics issue, and compliance professionals should be involved. ✵

Zack

Please don’t hesitate to call me about anything any time.+1 952.567.6215 Direct gerry.zack @ corporatecompliance.org

@Gerry_Zack /in/gerryzack/

LETTER FROM THE INCOMING CEO

complianceandethics.org

The Compliance & Ethics BlogYour Industry Resource for Compliance & Ethics News

Questions? Contact [email protected]

Guest Bloggers Wanted!The Compliance & Ethics Blog is always seeking guest authors that want to share their compliance knowledge and insights!– Articles should be between 400-1000 words

– Articles should be non-promotional in nature (a link to the company is allowed, but the post needs to be educational/informative rather than an endorsement of a product or service)

– Articles must be compliance related

– Authors earn 2 CCB CEUs

scce-2018-blog-call-for-bloggers-insert-cep-ct-mar.indd 1 2/5/18 3:57 PM


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

LETTER FROM THE CEO

by Roy Snell, CHC, CCEP‑F

A really big show

Snell

Please don’t hesitate to call me about anything any time.+1 612.709.6012 Cell • +1 952.933.8009 Direct roy.snell @ corporatecompliance.org

@RoySnellSCCE /in/roysnell

W ells Fargo set up bank accounts for customers without their approval. Society and the

enforcement community are a bit wound up about it. The cost to Wells Fargo has

been significant, and it doesn’t appear that the enforcement activity and the affiliated pain or cost is over. The following is from an article about the most recent enforcement action against Wells Fargo:

Wells is not allowed to grow beyond the $1.95 trillion in assets it had at the end of last year ‘until it sufficiently improves its governance and controls,’ the Fed said in a statement… Wells Fargo estimated that the cap will cut its annual profit by $300 million to $400 million this year, as it reduces some parts of its balance sheet, like corporate deposits and trading assets, in order to continue growing core businesses. That represents 1.5-1.9% of the profit Wells generated in 2017. The bank will also replace three board members by April and a fourth board member by the end of the year, the Fed said, without naming who they should be.1

This might just be the tip of the iceberg for companies in general. It is natural for society to think that boards should be responsible and engaged. The enforcement community is riding the coattails of the public outrage. They feel empowered. The enforcement community and society also think that what they have tried in the past to correct corporate wrongdoing is not working.

So rather than just go after and penalize companies, they are going after individuals—including board members. I am going to grab some more popcorn, because this show isn’t over. What I don’t understand is why very smart leaders don’t see this coming. I am concerned that leadership is still getting advice from people who have historically told them they are invincible, can defend anything, and that the enforcement community is not correct or capable.

I am afraid we are going to need a lot more popcorn, because it may take leadership a while to realize their historically trusted and often accurate advisers don’t understand the new world we are living in. ✵

1. Reuters: “Federal Reserve orders Wells Fargo to halt growth over compliance issues” February 3, 2018. Available at http://bit.ly/2EOrLG1.

6 corporatecompliance.org +1 952.933.4977 or 888.277.4977

Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018 DEPARTMENTS

8 News16 People on the move66 SCCE congratulates newly certified designees 68 SCCE welcomes new members71 Takeaways72 SCCE upcoming events

May 2018Contents

FEATURES18 Meet Jamie Watts

an interview by Adam Turteltaub

26 Code training: A different perspectiveby Jessica TjornehojDue to the complexity and length of standard Codes of Conduct or Ethics, teaching employees how to reference a Code as a resource can be a vital step toward long‑term compliance.

30 [CEU] Third-party assessments of ethics: A proactive tool to demonstrate due diligence

by Vincent DiCianni and Eric R. Feldman Third‑party assessments can offer organizations an unbiased account of a program’s strengths and weaknesses and be a powerful defense against future investigations or enforcement actions.

37 Is building an environment of trust a Board responsibility?by Frank BucaroUsing five leadership values, board members can be a powerful tool for shaping an organization’s culture of trust.

40 The GDPR’s Article 6 and the future of anti-bribery due diligenceby Illya AntonenkoAn in‑depth examination on the impact of anti‑bribery due diligence under GDPR.

COLUMNS

Compliance & Ethics Professional is printed with 100% soy‑based, water‑soluable inks on recycled paper, which includes 10% post‑consumer waste. The remaining fiber comes from responsibly managed forests. The energy used to produce the paper is generated with Green‑e® certified renewable energy. Certifications for the paper include Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Programme for the Endorsement of Forest Certification (PEFC).

3 Letter from the Incoming CEOby Gerry Zack

5 Letter from the CEOby Roy Snell

25 A view from abroadby Sally March

28 Byrne on governanceby Erica Salmon Byrne

35 The other side of the storyby Shin Jae Kim

39 Compliance, life, and everything elseby Thomas R. Fox

47 EU compliance and regulationby Robert Bond

61 The art of complianceby Art Weiss

65 How to be a wildly effective compliance officerby Kristy Grant-Hart

70 The last wordby Joe Murphy


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

ARTICLES

EDITOR-IN-CHIEFJoe Murphy, Esq., CCEP, CCEP-I Senior Advisor, Compliance Strategists jemurphy5730 @ gmail.com

EXECUTIVE EDITORSRoy Snell, CHC, CCEP-F CEO, Society of Corporate Compliance and Ethics roy.snell @ corporatecompliance.org

Gerard Zack, CFE, CPA, CIA, CCEP, CRMA Incoming CEO, Society of Corporate Compliance and Ethics gerry.zack@ corporatecompliance.org

ADVISORY BOARDCharles Elson, Chair in Corporate Governance, University of Delaware [email protected]

Odell Guyton, Esq., CCEP, CCEP-I VP Global Compliance, Jabil Circuit, Inc. [email protected]

Rebecca Walker, JD, Partner Kaplan & Walker LLP [email protected]

Rick Kulevich, Senior Director Ethics & Compliance CDW Corporation [email protected]

Greg Triguba, JD, CCEP, CCEP-I Principal, Compliance Integrity Solutions [email protected]

Zsuzsa Eifert, CCEP-I Group Compliance Officer, T-Mobile [email protected]

Constantine Karbaliotis, JD, CCEP-I [email protected]

Andrijana Bergant, CCEP-I Compliance Office Manager, Triglav [email protected]

Mónica Ramírez Chimal, MBA Managing Director, Asserto [email protected]

Garrett Williams, CPCU Assistant Vice President, State Farm [email protected]

Vera Rossana Martini Wanner, CCEP-I Legal/Compliance, Gerdau [email protected]

Robert Vischer, Dean and Professor of Law University of St. Thomas [email protected]

Peter Crane Anderson, CCEP Attorney at Law, Beveridge & Diamond PC [email protected]

Peter Jaffe, Chief Ethics and Compliance Officer, AES [email protected]

Michael Miller, CCEP, Executive Director of Ethics & Compliance, Aerojet Rocketdyne [email protected]

John DeLong, JD, CCEP Berkman Klein Center Harvard University [email protected]

VOLUME 15, ISSUE 5

The orientation is international. Everyone must be aware and respectful of different cultures and points of view.

See page 22“ ”44 RegTech and blockchain: Only as strong as your weakest link

by Cris MattoonBlockchain, though still in relative infancy as a compliance tool, can provide opportunities to reduce costs and free up compliance professionals to attend to qualitative activities of higher value.

49 [CEU] What is the role of a Human Resources department?by Ted Banks and Sharon RayHR departments play an important role when it comes to cases of harassment, but the number of alleged incidents coming to light shows that problems exist that need to be addressed.

54 Running a compliance program on a shoestring budget

by Leslie ReedBudget concerns are a frequent obstacle in the world of Compliance, but there are many ways to use internal resources and free programs to make your program cost effective.

57 [CEU] Ungoverned text messaging exposes your company to significant risk

by Mike PaganiText messaging is highly efficient and boosts productivity for employees, but it must be properly governed to keep its use compliant.

62 New age in compliance trainingby Maria CarrasquilloThe demographics of the private sector are changing, and compliance training programs must also change to meet the demands.

COPY EDITORBill Anholzer +1 952.405.7939 or 888.277.4977 bill.anholzer@ corporatecompliance.org

DESIGN & LAYOUTCraig Micke +1 952.567.6222 or 888.277.4977 craig.micke @ corporatecompliance.org

Compliance & EthicsPROFESSIONAL

Compliance & Ethics Professional® (C&EP) ( ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscriptions are free to members. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance & Ethics Professional Magazine, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2018 Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent from SCCE. For subscription information and advertising rates, call +1 952.933.4977 or 888.277.4977. Send press releases to SCCE C&EP Press Releases, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Opinions expressed are those of the writers and not of this publication or SCCE. Mention of products and services does not constitute endorsement. Neither SCCE nor C&EP is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

PROOFREADERPatricia Mees, CCEP, CHC +1 952.933.4977 or 888.277.4977 patricia.mees @ corporatecompliance.org

STORY EDITOR/ADVERTISINGMargaret Martyr +1 952.567.6225 or 888.277.4977 margaret.martyr @ corporatecompliance.org

PHOTOGRAPHY ON FRONT COVER AND PAGE 18: WFP/Hyejin Lee


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

NEWS

Read the latest news online · corporatecompliance.org/news

Theranos settlement shows privately held firms on the hook for securities fraudFamed Silicon Valley startup Theranos began its swift downfall in late 2015. The crash came after the biotech company’s grand promise for its future product was revealed to be a fraud. Theranos founder Elizabeth Holmes claimed to be creating a blood test that only required a few drops of blood to quickly test for dozens of medical conditions from high cholesterol to cancer. From 2013 to 2015, she became a media star and raised $700 million in private investments. Although privately held firms typically are not scrutinized by regulators, the antifraud provisions of federal securities laws do apply to any transaction in a security if there is a misstatement of

material fact. Accordingly, the Securities and Exchange Commission (SEC) recently charged the company, Holmes, and former Theranos president Ramesh Balwani with “an elaborate, years-long fraud in which they exaggerated or made false statements about the company’s technology, business, and financial performance.” Holmes and Theranos reached a settlement with the SEC. Holmes will return her shares and give up voting control in the company, pay a $500,000 penalty, and agree to not serve as a director or officer of a publicly traded company for 10 years. Balwani has opted to fight the charges in court.

Survey: Third-party risks are top concern for compliance professionalsThird-party violations of anti-bribery and corruption laws top the list of perceived risks for compliance professionals surveyed for the 2018 Anti-Bribery and Corruption Benchmarking Report, a joint study conducted by business services consultant Kroll and the Ethisphere Institute. Overall, 93% of respondents believed their anti-bribery and corruption (ABC) risks will remain the same or worsen in 2018. Of the 448 compliance and ethics professionals responding about their top concerns, 35% said third-party violations,

18% said the complex global regulatory landscape, and 11% said a lack of resources or proper controls. Looking deeper at third-party risks, only 14% of respondents said they were highly confident they could catch third-party ABC violations. One illustration of that concern, 58% of respondents reported that they have uncovered third-party violations of anti-bribery and corruption laws—even after they had completed initial due diligence steps. For more details, download the report: http://bit.ly/2DsU4qV.

SEC releases new cybersecurity disclosure guidanceThe SEC recently reminded public companies that they must make timely disclosures to investors regarding cybersecurity risks and breaches, including potential weaknesses that have not yet been targeted by hackers. In its new “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” the SEC states that security incidents and security risks are considered “material,” meaning they can affect the value of the

company’s stock. Accordingly, publicly traded companies are obligated to publicly report both incidents and risks and avoid trading shares before they do so. The guidance, which updates a 2011 version, also encourages companies to consider adopting specific policies restricting executive trading in shares while a hack is being investigated and before it is disclosed. For more information, see the guidance: http://bit.ly/2tS8lhh. ✵

INTERNATIONAL ACADEMIES

OFFERED IN 2018

AMSTERDAM, NETHERLANDS

23–26 APRIL

SINGAPORE 9–12 JULY

SÃO PAULO, BRAZIL

20–23 AUGUST

MADRID, SPAIN 24–27 SEPTEMBER

RIO DE JANEIRO, BRAZIL

26–29 NOVEMBER

REGIONAL COMPLIANCE

& ETHICS CONFERENCES OFFERED IN 2018

SINGAPORE 13 JULY

SÃO PAULO, BRAZIL 24 AUGUST

SARAJEVO, BOSNIA 4 OCTOBER

INTERNATIONAL COMPLIANCE TRAININGYour global team can benefit from the same invaluable compliance and ethics training as their U.S. colleagues

corporatecompliance.org/internationalsQuestions: [email protected]

GLOBAL TRAINING, CEUs AND NETWORKING OPPORTUNITIESThe Basic Compliance & Ethics Academy is a three-and-a-half-day classroom-style training on the fundamentals of compliance program management. The Academy is an excellent preparation for the Certified Compliance and Ethics Professional-International (CCEP-I)® exam, which is optional and available at the end of the Academy. Academies are limited to 75 participants.

The Regional Compliance & Ethics Conference is a one-day training that include updates on the latest news in regulatory requirements and enforcement, strategies to develop effective compliance programs, and networking with industry peers.

scce-2018-inter-events-cep-APRIL-Insert.indd 1 3/28/18 3:40 PM

Society of Corporate Compliance & Ethics

Data Governance Conference25–26 June, 2018 | London, UKWhile GDPR provides a large mandate, it’s far from the entire story. This conference, designed for legal and regulatory compliance professionals, examines a full range of compliance challenges associated with managing and securing data. Join us to gain a better understanding of the risks and best practices for proper compliance in data governance and to become a more skilled data steward.

corporatecompliance.org/dataQuestions? [email protected]

NEWfor

2018

Data-Governance-Conference-2018_8.5x11_1pg.indd 1 4/3/2018 1:41:59 PM


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

SCCE NEWS

Find the latest conference information online · corporatecompliance.org/events

SCCE conference news

T he Regional Compliance & Ethics Conferences are coming to 15 different cities in 2018! These one-day events

offer an opportunity to network with local compliance professionals and a convenient way to earn continuing education units (CEUs). Each program is developed by a local planning committee who identifies hot topics and speakers in the region.

Upcoming hot topics featured in the 2018 agendas include:

· Data Privacy Compliance, GDPR and Much More

· Maintaining and Monitoring Compliance in Third-Party Relationships

· Promoting a Fearless Speak-Up Culture in the Age of #MeToo

· Data Breach Response: Preserving the Privilege

· Employment Law: Sexual Harassment and Compliance in the Workplace

· Artificial Intelligence: A New Tool in Fighting Fraud

· Social Media: The Strategic Tool in Your Compliance Arsenal ✵

2018 Regional Compliance & Ethics Conferences www.corporatecompliance.org/regionals

corporatecompliance.org/regionals

FROM THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICS®

AUGUST 17, 2018 | COLUMBUS, OH

Columbus Regional Compliance & Ethics Conference

NEW UPCOMING LOCATION IN 2018


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

SCCE NEWS

About Membership Job BoardHome Page

SCCE website newsContact Tracey Page at +1 952.405.7936 or email her at tracey.page @ corporatecompliance.org with any questions about SCCE’s website.

Find the latest SCCE website updates online · corporatecompliance.org

Get Connected

pinterest.com/ thescce

twitter.com/ scce

corporatecompliance.org/ google

facebook.com/ scce

corporatecompliance.org/ sccenet

[group] corporatecompliance.org/linkedin [company] corporatecompliance.org/li

youtube.com/ compliancevideos

Top pages last monthNumber of website

visits last month

169,918Video of the MonthWhy did you start blogging about ethics issues?

Hear about Edmond’s experience using social media in the Ethics department. http://bit.ly/cep-votm-2018-05.

My Account

Mobile AppsDo you know SCCE has mobile apps? For each national event, SCCE puts conference information inside SCCE Mobile. As an attendee, you have all the material you’ll need right inside your phone: the agenda, presentations, handouts, session evaluation links, and speaker bios. Just download SCCE Mobile and pick the conference you’re attending to get all the information.

SCCE also offers a mobile app for CEP. You don’t need to carry around the paper copy anymore. Just download SCCE Magazine, and you’ll have access to new and archived issues right from your phone or tablet.

Events

http://twitter.com/scce_news







Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

SCCE NEWS

SCCE social media newsContact Doug Stupca at +1 952.567.6212 or email him at [email protected] with any questions about social media.

Find the latest SCCEnet updates online · corporatecompliance.org/sccenet

Facebook — facebook.com/scceWe’re on Facebook. Like our page for compliance news and networking. Here’s a favorite recent post:

Twitter — twitter.com/scceJoin 15,000+ others and follow SCCE for breaking news and insights. A recent favorite tweet:

LinkedIn — corporatecompliance.org/linkedinJoin us on LinkedIn, a business-oriented network with over 300 million active users. With more than 22,000 members, our LinkedIn group fosters many new discussion posts every week. Some recent highlights include:

Pinterest — www.pinterest.com/thescceCheck out our boards for FCPA, Compliance, Ethics, Compliance Videos, Privacy, Corporate Compliance & Ethics Week, The Lighter Side, and map boards for our major conferences (highlighting local restaurants, sights, and things to do in each of our conference cities). Our infographics of the month and much more can all be found on our Pinterest boards!


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

SCCE NEWS

SCCE blog highlightsContact Doug Stupca at +1 952.567.6212 or email him at [email protected] with any questions about SCCE's blog.

Find the latest SCCE blog updates online · complianceandethics.org

I work in banking, but recently I flew 3,800 miles from Amsterdam to Washington DC to attend SCCE’s Utilities & Energy

Compliance & Ethics Conference. Why?There are five simple reasons that got me

on that plane to join a new set of my peers. · To demonstrate interest: We need to

support and engage with each other to help our field to evolve and mature. More than networking, this is about value-add connecting. Meeting each other on equal terms as compliance and ethics professionals, irrespective of our individual industries, helps us to leverage our mutual knowledge into one strong voice.

· In pursuit of shared objectives: Together we can form a fresh take on our common challenges. Communication, engagement, awareness, change management, leadership, and values—these are compliance and ethics topics in every industry. What’s more, in highly regulated sectors, whatever the relevant authority under whose oversight we are located, we all must contend with regulatory stakeholder management and stay up to date with supervisory agendas.

· Being positively disrupted: In my compliance practice, I call upon the business people I advise to challenge their preconceptions and consider new perspectives. What better way can I

model these conduct expectations than to learn outside of my comfort zone? I’m practicing what I preach by seeking a fresh look of my own, within the compliance profession.

· Continuing my education: We go to conferences to fulfill learning requirements and goals. By choosing events where I hop across industries, I can learn on multiple levels, best practices as well as content. We must enrich the compliance profession with knowledge that is both deep and broad. In the nine sessions I attended, I got a crash course in topics as diverse as Office of Inspector General’s criminal and civil investigations, records and information management, FCPA program trends, and FERC and NERC standards and enforcement.

· Speaking for myself: I came to this conference as both an attendee and a speaker. I wanted to return the favor to my new colleagues who have taught me so much. Speaking to a new group draws back the curtain on my industry’s practices and point of view.Thanks to broadening my horizons by

attending a compliance and ethics conference outside of the sector in which I work, I’ve gained tons of tips and tricks. The new angle on my learning and networking routines is already proving valuable for sharing and connecting. ✵

by Sally Afonso, CCEP-I

Five reasons to get out of your compliance conference comfort zone

Gather with your peers and the Society of Corporate Compliance and Ethics for the primary education and networking event for compliance and ethics professionals in higher education.

Want to become a Certi� ed Compliance & Ethics Professional (CCEP)®? Apply to take the optional CCEP exam on the last day of the conference.

June 3–6, 2018 | Austin, TX

HigherEducationCompliance Conference

Questions? [email protected]

corporatecompliance.org/highered

TWO CONFERENCES FOR THE PRICE OF ONEComplimentary access to HCCA’s Research Compliance Conference is included with your registration.

LAST CHANCE

TO REGISTER


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

PEOPLE ON THE MOVE

· Beatrix Bernauer has been named Chief Compliance Officer at Los Angeles-based Grant Thornton LLP.

· Nancy Gibson, the Open Records Officer and Public Information and Compliance Officer for Cheltenham, Pennsylvania, retired after more than 30 years of service with the Township.

· Vernie Coe has been named Anti-Money Laundering Compliance Officer and Deputy Money Laundering Reporting Officer at Knighthead Annuity & Life Assurance Company, based in Camana Bay, Cayman Islands.

· Robyn Blank Jackson has been named Chief Compliance and Ethics Officer for Florida State University in Tallahassee.

· Florida A&M University, based in Tallahassee, welcomed Rica Calhoun as their new Chief Compliance and Ethics Officer.

· Greg Betchkal is the new Chief Risk Officer at Alliance Data’s card services business in Columbus, Ohio.

RECEIVED A PROMOTION? Have a new hire in your department?

If you’ve received a promotion, award, or degree; accepted a new position; or added a new staff member to your Compliance department, please let us know.It’s a great way to keep the Compliance community up to date. Send your updates to:

[email protected]

PEOPLE on the MOVE


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Become a Certified Compliance & Ethics Professional (CCEP)®

There’s never been a tougher or better time to be a part of the Compliance and Ethics profession. Budgets are tight, governments around the world are adding new regulations, public trust in business is low, and employees are tempted to cut corners.

As a Certified Compliance & Ethics Professional (CCEP), you’ll be able to demonstrate your ability to meet the challenges of these times and have the knowledge you need to help move your program and your career forward.

Learn more about what it takes to earn the CCEP at compliancecertification.org/ccep

- Broaden your professional qualifications- Increase your value to your employer- Gain expertise in the fast-evolving

Compliance field

Hear from your peers

17

Robert Bond, BA (Law), FSALS, CompBCS, HonMIEx, CCEPPartner and Notary PublicBristows LLPLondon, UK

1) Why did you decide to get certified? Some 7 years ago, I noticed many of my US clients had CCEP in their title. I did some research and found my way to SCCE! I visited Roy Snell in Minneapolis, and he suggested I should come to the conference in Las Vegas in 2010, and I got certified then and there!

2) How do you feel your certification has helped you? Certification made me learn all about US laws and regulations that affect compliance and ethics and gave me a greater understanding of the drivers that make my clients address compliance on a global scale. I also quickly became a member of the SCCE family!

3) Would you recommend that your peers get certified? I would like more of my peers to get certified, and I recommend this to them as often as I can.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

AT: Let me start with the basics. Could you give us an overview of the World Food Programme’s work?

JW: The World Food Programme (WFP) is a United Nations (UN) agency whose objective is to fight hunger worldwide as a key player in the international commitment to end hunger and achieve food security and improved nutrition. One in nine people worldwide

do not get enough to eat, and food-related assistance is an important factor in breaking the cycle of poverty and underdevelopment.

Annually, WFP distributes approximately 12.6 billion rations to about 80 million people in 80 countries. WFP focuses on emergency assistance, relief, and rehabilitation; development aid; and special operations (for instance, providing air support for the humanitarian community in places where there is no commercial air service). Two-thirds of WFP’s work is in conflict-affected countries where people are three times more likely to be undernourished than

Meet Jamie WattsSenior Compliance & Risk Advisor

World Food ProgrammeDakar, Senegal

Jamie Watts ([email protected]) was interviewed in April of 2018 by Adam Turteltaub ([email protected]), Vice President, Strategic Initiatives and International Programs, at SCCE, based out of Minneapolis.

an interview by Adam Turteltaub

Meet Jamie Watts


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

those living in countries without conflict. WFP is considered one of the world’s leaders in emergency humanitarian response, providing food assistance quickly at a large scale to the neediest people in the most difficult environments.

AT: Your responsibilities cover the West Africa Regional Bureau, but that’s a huge swath of land. What are some of the countries and key challenges there?

JW: Our region covers from Central African Republic to the southeast; northward to Chad; across Niger, Nigeria, Mali, Mauritania; and across the coastal countries from Senegal to Cameroon, and it includes the small island nation of São Tomé/Príncipe. It is one of the most interesting and diverse regions in the world, with a very rich cultural heritage, three main official languages (French, English, and Portuguese), and numerous local languages. The physical environments range from the deep Sahara desert across northern Niger, Chad, Mali, and Mauritania to the “Sahelian” desert edge to coastal and island environments, and it includes some of the most diverse tropical forests on the planet. The region includes the largest economy in Africa, as well as some of the world’s poorest and least developed countries. There are several major and long-running conflicts that have killed many people and caused serious and sustained disruption of people’s livelihoods. The region is also affected by periodic natural disasters, notably drought and seasonal flooding. In addition to conflicts and natural disasters, the region is also faced with a number of other challenges that impact our operations, including limited private sector capacity, a number of supply chain obstacles for our food and cash-based programmes, and challenges to ensure WFP safely and effectively provides the right assistance to its beneficiaries.

It is tremendously challenging, and I am humbled to be able to work here. I spend a lot of time traveling across the region to the deepest corners of where WFP works. Wherever you go, you see the people as extremely resilient and always seeking ways to sustain and bring themselves up, sometimes under almost impossibly difficult conditions. I am also privileged to work with WFP staff who are out on the front lines making a difference.

AT: Regardless of where WFP operates, there must be quite a bit of risk. These are developing countries, often with conflicts going on, and I can imagine there is tremendous corruption risk. What are some of the key challenges from a compliance and ethics perspective?

JW: Of course we are alert to fraud and corruption as possible risks. Other risks include security (including possible terrorist attack, kidnapping, etc., as well as criminality), safety (vehicles, warehouses, facilities), staffing capacity (attracting highly qualified people to work in difficult environments), capacity of partners, physical access (lack of road infrastructure, limited private sector development with trucking, etc.), connectivity, and also the risk of predictable funding and funding that comes in time for us to organize the logistics of purchasing, shipping, and delivering food to those in need, when they need it. One of our biggest concerns is also the protection of our beneficiaries. The global debate about sexual harassment, abuse, and exploitation has opened up a frank discussion about how the aid sector can do more to address these issues by introducing tighter controls and protecting those who are vulnerable. WFP has robust policies and procedures to ensure that programmes are designed and implemented with the safety of


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

our beneficiaries being paramount. We have zero tolerance for exploitation and abuse, and we expect the same standards from our partners and vendors. So our compliance coverage is very broad and risk focused. We also try to be dynamic and responsive to emerging issues and needs.

AT: Given that you’re focused on responding to food crises, there is a tremendous amount of urgency to the work. That can make it hard to resist cutting corners. When it’s a choice between paying a small bribe and getting the truck through vs. not paying the bribe and people going hungry, how do you get people to hold the line?

JW: Not all of our work is under those types of conditions, but a significant amount of it is. In those cases, we rely a lot on the humanitarian imperative and a UN-coordinated position to ensure unrestricted access to the people in need. Our policy is not to pay bribes, and we communicate that to all parties involved. We work very closely with governments and rely on their support to facilitate our access. All misconduct must be reported to the Office of Investigation, even that committed by third parties. In fact, our programmes include community sensitization on our policies and family entitlements related to the programmes we are implementing. Toll-free numbers are available in nearly all our operations to provide feedback on our programmes and to report any suspected fraud or abuse. In addition to reinforcing our control systems, we are always aiming to build awareness that any case of misconduct can have very serious consequences to our reputation as an organization, the overall humanitarian mission and, ultimately, to the beneficiaries we are trying to serve.

AT: I should note that it’s no small task. The WFP has 5,000 trucks, 20 ships, and 70 planes. How do you effectively train such a distributed and mobile workforce?

JW: Keep in mind that my work only covers the West Africa region. Each region has its own oversight mechanisms, and we have organization-wide systems centered in our headquarters, so we fit within a broader structure, suited to a large, decentralized, operational organization. We also have separate control systems for aircraft, shipping, and security, which are supported by risk and compliance experts in these fields.

Having said that, raising awareness and capacity development are priorities of our compliance programme in the region. Every compliance mission includes a workshop for all staff, from drivers and warehouse storekeepers to top management on compliance. This builds on a corporate learning system that includes mandatory training for all staff on sexual harassment, harassment, and abuse of power; ethics; and prevention of fraud and sexual exploitation and abuse. WFP is working on strengthening risk management and compliance at all levels and ensuring that these are integrated/embedded in all processes.

AT: Given how distributed the workforce is, how hard is it to create a common culture?

JW: Fundamentally, compliance is very compatible with WFP’s overall culture, which is a humanitarian culture of service to the poor and disadvantaged. There is a strong sense for the majority of the workforce from top to bottom that we are not out for ourselves but for a higher purpose, which is fundamentally incompatible with dishonesty and self-enrichment. There are elements of the emergency response culture that can lead toward cutting corners in the heat of an emergency response, but standard systems


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

and processes quickly kick in, even in those conditions. Compliance officers are always deployed to serve in emergency response operations to help ensure that control systems are in place and respected. I see a strong culture of management accountability, and we find that top managers proactively seek our support to help assure them that all controls are in place and functioning well.

AT: What are some of the programs you have in place to reach them all?

JW: It’s a large organization, so there are numerous streams that aim toward building a common culture and good practice. We have an Office of Ethics, Office of Investigation, internal and external audit functions, and an independent Office of Evaluation. Each functional area, such as Finance, has its own standards and good practice, and oversight is exercised at different levels. WFP has also recently established an Enterprise Risk Management division, led by a chief risk officer, in order to support WFP offices and operations to strengthen risk management and internal controls.

Our small compliance team in the region complements and extends the work of others. Some important policies in place are WFP’s Code of Conduct, the Standards of Conduct for the International Civil Service, WFP’s Anti-Fraud and Anti-Corruption policy, and the Whistleblower Protection policy. Some measures include the inclusion of anti-fraud and anti-terrorist clauses in all contracts.

We are also part of the larger UN system, which sets the tone and standards for the international civil service, and we participate in coordination mechanisms within each country where we work.

Importantly, WFP is a part of the international humanitarian community, which is bound by a number of legal frameworks (including conventions and protocols that help

us ensure unfettered access to beneficiaries even in war zones, for example) and humanitarian principles, which emphasize impartiality, neutrality, and service to people affected by natural and human-caused disasters.

AT: Let’s step back for a bit from discussing your program and focus on your career. Your background is fascinating and mostly focused on ecological issues, working at the U.S. Forest Service, as a staff member at the Peace Corps, and for a nonprofit supporting agricultural biodiversity. You did a lot of work in the training arena along the way, looking at impacts and risk. I guess that’s a long way of saying, it’s not the most traditional route into a compliance role, but I imagine that a lot of the skills you picked up proved useful.

JW: Well, there certainly have been very few dull moments in my career—that is for sure! Even though I’ve had a wide range of jobs, I see some common themes. For one, a grounding in the physical environment and rural livelihoods, working with people who are mostly farmers and pastoralists, even starting back in my early days as a field ecologist with the Forest Service. Most of the people WFP serves are farmers or livestock herders, many who have been pushed off their lands by conflict or natural disaster. I’ve also been interested in participatory and empowerment-focused work, whether engaging with farmers to set up systems of self-monitoring to identify risks for land degradation or facilitating self-assessment in risk management processes, and helping the individual manager to become empowered (and held accountable) to do a better job themselves. Data and evidence to support management decision-making is another theme, whether that evidence or data is coming from environmental impact assessments/


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

monitoring in the forests in the western U.S. or through data coming from WFP’s corporate systems that flag risk or compliance issues. I’ve always worked in large, public sector, decentralized organizations and have experienced how control and management systems are set up in different organizations. This has helped me to establish a vision for and prioritize how to approach my current job.

AT: You’ve also spent most of your career working outside of the U.S. How has that affected your ability to manage compliance globally?

JW: I’ve lived and worked outside of the U.S. for many years, and most of the people I associate with at work and outside of work are not Americans. In international organizations, the orientation is international. Everyone must be aware and respectful of different cultures and points of view. However, our standards, policies, and rules of course apply to all staff, regardless of the laws or culture of their own countries. It is possible that people could interpret differently what it means to be compliant. For example, the concept of conflict of interest in cultures with strong social or extended family networks. However, I’m not sure there are great differences (as I’ve seen them so far) as to how we understand “self-serving” or “honesty” or “service to the poor.” Concepts like that seem to be very universal.

AT: Let’s get back to your current role. It’s an interesting position because you are responsible for compliance, performance, and risk management. There’s a lot of interplay, I expect, between the three, but they aren’t typically put together in one job. How are you finding having responsibility for all three has helped you in the compliance role?

JW: We coordinate and support the processes of performance and risk management; we are not responsible for the

level of performance or for undertaking risk mitigation. Coordinating and supporting the processes gives us a very clear understanding of performance plans, indicators, risk mitigation plans, etc., across the region, which are very closely linked to compliance. Risk assessment establishes the basis for prioritizing compliance issues; enhancing compliance reduces risk and improves performance. Having some responsibilities for all three enables us to have a holistic view of how they work together.

AT: Does it ever pose any conflicts?JW: I see them as more synergistic than in

conflict, emphasizing we are not responsible for the actual performance management or risk mitigation, rather the processes.

AT: We first met at the Amsterdam Academy where you brought a group along to the Academy. What led you to turn to us?

JW: WFP has a policy of staff rotation, whereby most staff are required to rotate locations and assignments every 2–4 years, depending on the hardship of the duty station (more difficult duty stations rotate out more frequently). This means that people may come into a compliance position from a wide range of backgrounds, including operations management, programme, monitoring/evaluation, and sometimes audit. We are only now starting to build a cadre of compliance professionals. I count myself in that group also, because as you point out, I came in from a quite different background.

Furthermore, as compliance is a young field in WFP, we are only now building the formalities (policies, tools, etc.) to ground our work. Therefore, when I first came into this job, we started to ask what compliance means in the broader world, what are the professional standards for a compliance programme, and how do we ensure our compliance


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

professionals are trained and equipped to carry out their work to a high standard? Seeking answers to these questions, I became aware of the Society for Corporate Compliance and Ethics (SCCE), particularly the training and certification programme. My management agreed that I should take the training first and then judge its relevance to us. I found it highly relevant and then proposed that our entire team go through the training. Most are now certified. This increases the credibility of our work by ensuring that we are grounded in an internationally recognized standard. I also like the fact that SCCE links us up to a professional network. It’s not just a commercially offered training, but comes with webinars, journals, and other written materials; conferences; and other means to help us stay current in the field.

AT: How do you see your program evolving over the next few years?

JW: WFP overall is enhancing its risk and compliance (and performance management) systems, and bringing in new leadership at the top. So we will expect some changes overall in WFP. In the region, we will build a

somewhat larger compliance team to cover the countries and the risk areas we face, so we will focus on building that team and coordinating across it. We will focus on training and capacity building to bring along the staff who manage the operations to better understand compliance and risk management in their contexts, so they can make better decisions to enhance their work.

AT: And, finally, how do you see compliance programs as a whole evolving?

JW: I would like to see more distinction between compliance in the public sector and private sector and more tools and learning for the public sector. The public sector compliance programmes I’ve seen seem to be much broader and cover a wider range of risk areas as compared with the private sector, for example, banking. For us, financial risk is one of a much broader set of risks affecting our work, and so we require a broad range of experience, capacity, and tools to deal with compliance across such a range.

AT: Thank you, Jamie, for sharing your unique journey with us. ✵

Advertise in Compliance & Ethics Professional!Compliance & Ethics Professional magazine is one of the most trusted sources for information on compliance and ethics in the corporate environment. Each month, we reach 6,600 compliance professionals around the world, and our readership continues to grow to include chief compliance officers, corporate CEOs, auditors, corporate counsels and other legal executives, government agencies, entrepreneurs, and more!

For more information, contact Margaret Martyr at [email protected] or +1 952.567.6225 or 888.277.4977. 03.26.18

New for 2018: − Fraud awareness training − Why employees don’t speak up– and how to fix it

− ISO 37001–the anti-bribery management systems standard

− Due diligence for mergers and acquisitions − 16 updated topic areas

Your go-to resource for building and managing an effective C&E program

corporatecompliance.org/completemanual

COMPLIANCE AND ETHICS

The CompleTe

manual 2018

Get the 2018 edition now!

Published by the Society of Corporate Compliance and Ethics (SCCE) Copyright © 2018 SCCE. All rights reserved.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Sally March ([email protected]) is Director, Drummond March & Co, in London, UK.

by Sally March

A VIEW FROM ABROAD

Looking in the right places

We all agree that culture trumps everything else that we do and that no compliance program will

be effective if the culture is poor. So what are we monitoring to reassure ourselves that our organisations have a culture of integrity? At

the European Compliance & Ethics Institute in Frankfurt, Jane Mitchell and I led a workshop, “Organisational Ethics: Making the Intangible Tangible.”

That culture trumps all was illustrated again when a report into a unit of RBS was published recently.

Remember that RBS was the biggest corporate and ethical failure in the UK financial crisis and is still 73% owned by the taxpayer after a massive bailout. The “restructuring group” of the bank is charged with helping clients whose businesses are in trouble. This group was supposed to be advising primarily small business owners in how to restructure, and lending where appropriate to see them through their recovery. But the culture of the unit was “disgraceful,” epitomized by a memo entitled “Just Hit Budget!” The memo advised staff “how to get a customer to agree chunky fees [sic] and upsides and thank you for it.”1

This, in a bank that publishes as its values: “We have a single, simple purpose—to serve customers well.”2

RBS, Lloyds, Barclays in the UK, Wells Fargo in the U.S. They all lost sight of their values and ignored—no, encouraged—a culture of ripping off customers. So what was management doing in the way of oversight? Monitoring disciplinary actions? Not in Wells Fargo, apparently, where employees were regularly being fired for misconduct, but no root cause analysis was seriously considered.

As ethics and compliance officers, it is our job to connect the dots. One of the hardest things is to find evidence of culture—making the intangible tangible. Are we reviewing incentives schemes and performance review criteria? Do we see memos to the sales staff? How many of us chat to our colleagues in customer-facing roles to see if people are feeling pressure to “just hit budget”? Do we have 360 reviews to see where bullies are in positions of power? Once we begin to connect the dots, a picture of our culture will emerge.3 The next hardest thing is getting the board to take notice. ✵1. Promontory Financial Group: “RBS Group’s treatment of SME

customers referred to the Global Restructuring Group” September 2016. Available at http://bit.ly/2EEZO6G.

2. RBS: “Our Values.” Available at http://bit.ly/2FG5h9s.3. See, e.g., Institute of Business Ethics: Culture Indicators – understanding

corporate behaviour. March 2018. Available at http://bit.ly/2p8LqcN.

March


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

S hould we be training on the contents of the Code of Conduct or Code of Ethics (the Code), or on how to use it as

a resource? Code training is unique compared

to other trainings typically found in organizations, because it is usually a

snapshot or sampling of what is found in the Code itself. With pressure to reduce the length of Code training and make it more interactive and make it more function-specific (the list of demands goes on), organizations cannot possibly include everything that employees need to know about the

contents of the Code. Instead, employers find themselves forced to pick and choose a few of the many topics from the Code to delve into, and to do it in a way that captures the short attention span of employees who take the training online. Studies show that the attention span of adults typically drops significantly after about 20 minutes. So, how can ethics teams make the most of this timespan in new and practical ways that are

more effective for adult learners in the long run? Teach employees to use the Code as a tool applicable to daily life at work.

What is a Code of Ethics?Merriam-Webster’s dictionary defines Code of Ethics as “a set of rules about good and bad behavior.” Although this is a nice, succinct definition about what a Code may be, a Code can be so much more. Ethics is more than rules. The concept encompasses behavioral norms and standards that are even loftier than laws, regulations, and company policies. Therefore, the Code provides an opportunity for the organization to cement its core values in writing and set the right tone for the entire company. It is the living, breathing pronouncement of the organization’s belief system, which may include appropriate behaviors for employees to follow, but is typically not limited to rules for conduct. Often, Codes also include useful resources and reference points, such as links to more specific policies or procedures, an ethical decision-making guide, an introduction by the CEO and/or other executive leaders, and relevant contact information for concerns or escalation. These important “extras” are often not included in Code training. If

Code training: A different perspective » Current methods of Code training need a refresh to be effective in an era of limited attention spans. » There is a disconnect between Code training and actual subsequent use of the Code as a resource by employees. » The Code should be used as a real‑time resource for employees as they need guidance. » Code training is an opportunity to train employees on how to find what they need in the Code. » Knowing how to use the Code long‑term is more effective than short‑term memorization of Code highlights chosen by ethics teams.

by Jessica Tjornehoj, JD, MBA

Tjornehoj

Jessica Tjornehoj ([email protected]) is an Assistant Vice President, Manager, Global Ethics Strategy and Framework at U.S. Bank in Minneapolis, MN.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

employees only take the Code training and never read or refer to the Code itself, they are missing out! The best result of Code training that organizations could ask for is to actually encourage regular use of the Code by employees. But how?

Use the Code as a resourceCompanies may have harassment, inclusion, or social media training. Although these trainings are generally based on policies, they are not necessarily snapshots of the policy itself in the way Code training tends to be a snapshot of the entire Code. So many topics are covered in most Codes that it is impossible to adequately cover all of the topics in sufficient detail in a 20-minute or so timespan, especially those important “extras” mentioned above. Therefore, employees are better served by being trained to use the Code as a resource, and regularly. To the extent that there are questions included in

the training, why not make them questions that the trainee must answer by opening the Code? Rather than training memorization of rules or key themes, why not train employees on where to locate the information they need in real time within the Code itself? How about training employees to have certain lasting mind-sets about what ethical behavior and “doing the right thing” look like, rather than focusing on policy language for very specific circumstances that they may not even encounter? Even when encountering topics not explicitly covered by the Code, employees will know to reach for its guidance in the form of a specific section or point, a decision-making guide, or a list of recommended contacts.

Let’s take a broader look at the opportunity Code training offers us: to discover the Code itself as a useful and lasting resource that applies to many day-to-day scenarios. ✵

Don’t forget to earn your CCB CEUs for this issueComplete the Compliance & Ethics Professional CEU quiz for the articles below from this issue:

· Third-party assessments of ethics: A proactive tool to demonstrate due diligence by Vincent DiCianni and Eric R. Feldman (page 30)

· What is the role of a Human Resources department? by Ted Banks and Sharon Ray (page 49)

· Ungoverned text messaging exposes your company to significant risk by Mike Pagani (page 57)

To complete the quiz:Visit corporatecompliance.org/quiz, log in with your username and password, select a quiz, and answer the questions. The online quiz is self‑scoring and you will see your results immediately.

You may also fax or mail the completed quiz to CCB:

FAX: +1 952.988.0146

MAIL: Compliance Certification Board 6500 Barrie Road, Suite 250 Minneapolis, MN 55435, United States

Questions? Call CCB at +1 952.933.4977 or 888.277.4977

To receive 1.0 non‑live Compliance Certification Board (CCB) CEU for the quiz, at least three questions must be answered correctly. Only the first attempt at each quiz will be accepted. Compliance & Ethics

Professional quizzes are valid for 12 months, beginning on the first day of the month of issue. Quizzes received after the expiration date indicated on the quiz will not be accepted.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

by Erica Salmon Byrne

BYRNE ON GOVERNANCE

R ecent changes to US whistleblower provisions included as part of the Dodd-Frank Act have caused some

conversation in the compliance community, for good reason. After all, nirvana for a compliance officer is an organization full of people who are comfortable speaking up and

asking questions. One of the reasons none of us live in that nirvana, however, is fear of retaliation, and companies are increasingly looking at ways they can use procedures to protect employees who report suspected misconduct.

In fact, the percentage of World’s Most Ethical Companies™ (WMEC)

that use corporate processes to monitor employees who report suspected misconduct is now at 99% for the first time. Every available method included in our survey for protecting whistleblowers has seen a consistent increase since 2016, demonstrating the enhanced commitment by honorees to protect whistleblowers. In particular, we saw significant year-over-year growth in the number of companies who are routinely checking to make sure that employees affected by layoffs or restructurings are not those who have raised a concern, and those who have implemented a process where someone affirmatively checks in with a reporter following the close of an investigation. Indeed, some companies have anecdotally told us that they are using that “check in” to also get

feedback on the investigation process, which is then used to improve that aspect of the compliance program as needed.

The second reason employees do not speak up is a belief that nothing will happen, which companies in our data set are also looking to combat. Nearly every 2018 WMEC honoree (95%) communicates the number and types of reports received to some stakeholders, compared to 89% of 2016 WMEC honorees. While still among the minority of companies surveyed, the number of 2018 WMEC honorees now sharing this information broadly with employees has grown by more than double since 2016 (32% and 14%, respectively).

Leading companies recognize the importance of establishing trust, not only with employees, but also with external stakeholders. Nearly one-third (32%) of 2018 WMEC honorees communicate how many concerns were reported, the types of concerns reported, and the results of said reports to the public, either as a standalone document or within a CSR report. This represents nearly triple the proportion of honorees doing so compared to the 11% of 2016 WMEC honorees. This is a trend we commend and hope will continue. ✵

Protecting whistleblowers and increasing transparency

Leading companies recognize the importance of establishing trust,

not only with employees, but also with external stakeholders.

Erica Salmon Byrne ([email protected]) is the Executive Vice President of The Ethisphere Institute. @esalmonbyrne

Salmon Byrne

Find qualified compliance and ethics professionals for your team

Reach the right candidates, right away

Get your open positions in front of compliance and ethics professionals through SCCE’s highly targeted job board.

corporatecompliance.org/jobsQuestions? 1.888.277.4977 or +1 952.933.4977

• Not a job search engine or aggregator

• 5,000 webpage visits per month

• Sent to 25,000 professionals biweekly

SCCE-Job-Postings_1page-ad.indd 1 4/3/2018 9:06:21 AM


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

A n increasing number of federal and state regulatory enforcement actions against companies are

requiring ethics and integrity reforms, along with fines and penalties, as part of the

settlement or resolution. Such actions—which include deferred prosecution agreements (DPAs), non-prosecution agreements (NPAs), administrative agreements, consent decrees, and court-ordered settlements—all presuppose that the cited misconduct occurred due to an absence of effective controls, discipline, or corporate compliance. More importantly, many government actions specifically cite the absence of an effective ethics and compliance (E&C) program and controls, or weak corporate ethical culture, as the leading causal factors contributing to the

company’s misconduct. Conversely, companies that can demonstrate a corporate commitment to ethics and compliance and present a strong defense that their misconduct is truly due to one or more “bad actors” (rather than a tainted culture) fare better in the enforcement actions. “Better” often means lower fines and penalties, as well as avoidance of the costs and inconvenience of hiring an independent monitor, if required by the government agreement or ordered by a court.

Much to their benefit and credit, many national and international corporations recognize that ethics and compliance is much more than a written set of rules and policies. Companies use E&C programs to communicate company mission statements, goals, and expectations; to encourage staff to share the same set of corporate values; and to drive their behaviour in day-to-day business activities. However, if a company is truly committed to an effective E&C program, establishing a written set of policies and controls is simply not enough to withstand scrutiny. Moreover, those companies that have established strong comprehensive E&C

by Vincent DiCianni and Eric R. Feldman

Third-party assessments of ethics: A proactive tool to demonstrate due diligence » It is difficult for companies or compliance professionals to assess their own program. » An assessment of an established E&C program by an independent entity can avoid bias or erroneous conclusions based on employee feedback.

» The goal of a program assessment is to gain insight into the strengths of a company’s corporate culture as benchmarked against those of similar companies.

» A company’s investment in a third‑party assessment can become a significant asset and end up being its best defense. » Proactive evaluations help forward‑thinking companies identify potential weaknesses or risks.

Vincent DiCianni ([email protected]) is President, and Eric R. Feldman ([email protected]) is Senior Vice President and Managing Director, Corporate Ethics and Compliance Programs, at Affiliated Monitors Inc. in Boston, MA.

DiCianni

Feldman


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

programs know that they are not static and can get stale without appropriate regular care and attention. E&C programs evolve as companies change, employees turn over, new laws and regulations are enacted, and compliance priorities evolve, depending on government agency enforcement objectives and the public discourse on ethics and integrity matters.

Third-party assessments has advantagesWith so many factors to consider, how can a board of directors or senior corporate leadership ensure that the ethical culture they want to build is working and effectively driving employee behaviour? How can legal counsel help better prepare companies to be able to demonstrate their due diligence to government regulators or law enforcement if (or more likely, when) employee misconduct puts the company in the crosshairs of enforcement actions? To gain a better understanding of the effectiveness of corporate E&C efforts and to identify any gaps in one company’s approach compared with the best practices of other companies, some legal counsels recommend that their clients engage specialized, third-party consultants to conduct an independent assessment of their ethical culture and E&C programs before a crisis occurs.

An independent third-party assessment of a corporate E&C program is a specialized evaluation of a business entity conducted by a team of experienced E&C professionals. Its purpose is to provide an unbiased evaluation of a company’s corporate culture, assess its ethics and compliance policies and anti-corruption controls, determine whether employee training is having its intended effect, and assess whether the company is consistently and fairly enforcing its rules on ethics and integrity. An independent evaluation can help a forward-thinking

company to identify potential problem areas before violations occur, improve its ability to manage the risk of compliance or ethical violations, and demonstrate its due diligence to governmental regulatory authorities and stakeholders, if the inevitable violation occurs.

The question could be asked, why would legal counsel recommend that a company bring in an outsider to evaluate its E&C program? The answer is quite simple: It is very difficult for a compliance officer or committee to effectively self-evaluate their own program. There is a lack of objectivity in such an assessment (both real and as perceived by outside stakeholders and regulators), and often, corporate compliance officers lack a deep understanding of the best practices in the field or the ability to benchmark their program against those of other companies. Most importantly, if an enforcement action were to take place, the government is unlikely to attach much credibility to a compliance program or corporate culture evaluation conducted by the company itself.

Remove biases to increase honestyAn objective third-party assessment addresses such concerns. The outside perspective removes the biases and subjectivity that we all bring to our own work and office environment. We have found that when companies conduct self-assessments, their findings are often inaccurate or incomplete, because the information and feedback about their program on which they are relying comes from staff, through surveys and interviews, which can be less than forthright. We have found that staff are frequently uncomfortable about questioning the policies and practices of their employer.

Because the heart of E&C programs is the people they are intended to reach, even the very best programs should occasionally be checked to see if they are effectively


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

achieving their objectives. When such an assessment is undertaken, the company should be prepared for some degree of healthy, but sometimes negative, feedback. In addition, the company must be prepared to listen and take appropriate action to remediate any deficiencies that might surface from the assessment. A company’s ability to demonstrate that it invested the time and effort to engage a third-party assessment, and that it implemented substantive changes as a result, could end up being its best defense if a future investigation and/or enforcement action targets the company.

It is human nature to look at the world with an optimistic bias. Business leaders often unconsciously assume that not knowing bad facts within their organization means that these facts do not exist. Leaders sometimes make the mistake of believing they cannot be held responsible for bad actions they never knew about; but not knowing is viewed as an offense in and of itself by many regulators.

Obtaining internally unbiased and useful information about the effectiveness of a company’s compliance program and the strength of a corporate ethical culture can be challenging. Internal or external audits do not usually attempt a comprehensive review of a company’s overall compliance infrastructure or ethical culture, because they are better suited to address specific programs, internal controls, or processes. Furthermore, the question remains as to how effective it is to ask the managers responsible for implementing the program to evaluate their own effectiveness or success. Finally, even if such a self-evaluation mechanism is established, getting honest answers from recalcitrant employees (who may have a deep-seated fear of retaliation in responding to questions about ethics and compliance) is difficult and can lead to skewed results.

Begin with an analysisThe scope of an independent assessment of a company’s ethics and compliance posture will vary depending on multiple factors, including the type of industry and the nature of the regulatory environment; the size and geographic dispersion of the employee population; the risks associated with countries in which the company might be operating; and the organizational structure, authorities, and resources currently provided to the E&C program and its leaders. Any effective assessment typically begins with an analysis of the existing E&C program and the internal control process established to operationalize the program throughout the company. This high-level review evaluates the program for completeness in ensuring compliance with government regulations, in effectively training and communicating corporate policies, and in investigating and remediating reported instances of non-compliance or other misconduct within the organization. Other aspects of this type of review include:

· Assessing the effectiveness of the organizational structure and reporting lines for the Compliance function, including whether the E&C function has been provided the authority, independence, and adequate resources to succeed;

· Reviewing the adequacy and completeness of the company Code of Ethics and Business Conduct in setting the parameters for employee behaviour in the organization;

· Determining whether the company has established credible reporting mechanisms for employees to raise concerns and ask questions;

· Evaluating how well the company responds to allegations of suspicious or questionable activities within its


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

ranks, including the adequacy and professionalism of internal investigations;

· Reviewing whether the company’s ethics and compliance objectives are sufficiently aligned with the performance management systems that incentivize promotions, bonuses, and assignments; and

· Benchmarking all aspects of the company’s program with those of similarly sized companies in like industries.

As the evaluation goes deeper, input is usually sought from senior leadership, mid-level managers, and working level staff. This part of the review will evaluate whether the program is actually effective by identifying and analyzing, from the staff’s perspective, what impact the program is having on the organization and its employees. For example, do the employees understand the company’s Code of Ethics and Business Conduct and related policies? Is the E&C training effective, or merely a “check the box” exercise? Are employees convinced of the important role they play in compliance? Do the company and their immediate managers place a high value on integrity, or do employees receive mixed messages from their managers and leaders? Have employees invested themselves in the success of the program and, if so, how? Do employees feel that the E&C program is fairly implemented throughout the company, regardless of rank or level of contribution?

This assessment approach allows the independent evaluator to learn about the effectiveness of the company training programs and the staff’s awareness of any communication or whistleblower hotline channels available to them. The independent evaluator can assess staff-level comfort in raising issues and questions and whether staff input is taken seriously. In addition to a greater understanding of the ethical culture,

a third-party independent assessment can contribute to a more in-depth understanding of risk areas that staff on the ground might be observing throughout the company and attempting to manage, thereby contributing to a more robust enterprise risk management assessment, where perspectives may be limited in the top and middle management layers of the organization.

Collaboration is keyOne of the most effective practices to insist upon when engaging a third-party assessment is a collaborative process between the evaluation team and the company at every stage, from developing a practical work plan to selecting staff for interviews and focus groups, and in soliciting input for the draft report. This approach ensures that the assessment is targeting those areas where the company has the greatest concerns, ethical risks, or just wants to learn more about the effectiveness of its E&C efforts. The assessment approach must also consider cultural differences that can develop in various business units and geographic locations of a single company, particularly in satellite field offices that are located a distance away from the corporate headquarters. Experience has demonstrated that attention to the internal differences in culture is fundamental to assessing the overall corporate commitment to ethics and compliance and understanding the impediments that might be preventing individual supervisors, managers, and business units from ensuring compliance in their day-to-day operations.

When companies conduct a self-assessment of their programs, they often rely on quantitative data gained from the frequency of whistleblower hotline calls, the number of staff trained, or the absence of a major compliance or ethics failure as an objective measure of success. Although


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

this data can contribute some necessary information, such measures can be misleading and incomplete. For example, is the fact that the company is not receiving a large number of whistleblower complaints evidence that the program is working, or might the staff be hesitant to report issues due to a fear of retaliation? Is the deployment of a computer-based ethics and compliance training module with 100% participation evidence that the training effectively familiarized the staff with their responsibilities, or might they be “pushing the button” with little comprehension to get the training completed in the shortest period of time possible? Without further insight, such data does not offer an understanding of the effectiveness of an E&C program and its impact on the workforce. An independent assessment offers a deeper, more realistic, and thorough view on whether the E&C program is helping the company manage its risk in the manner intended.

Once an E&C assessment is complete, the company is typically provided with detailed findings and conclusions drawn from the data collected. The assessment will also make recommendations to address any gaps that may exist in the program and strengthen the ethical culture. Some of the recommendations may be drawn from best practices observed during similar evaluations in other companies. In effect, the company is provided with a detailed road map for improvement.

ConclusionIndependent third-party assessments

provide more than the assurance that the investment that the company has made in their E&C program has added value. The assessment itself, which involves staff at all

levels of the company, also functions as its own independent role in educating staff of the key elements of compliance and ethics that the company has established. In fact, just the process of conducting the assessment can send a strong message to the workforce on the company’s commitment to providing more than just words when it comes to ensuring that ethics and integrity are incorporated into the day-to-day business of the organization. This message can also resonate with outside stakeholders, government regulators, and enforcement agencies if a “bad actor” shines the spotlight on a company’s E&C commitments.

With an increasing government focus on the prosecution of corruption, fraud, and other improprieties, including the scrutiny placed on existing E&C programs, companies and their legal counsel are recognizing that it is better to invest in a program that can help manage the risks of E&C problems occurring and proactively discover matters that could be self-reported to government regulators. In this way, corporate budgets are targeted on areas that add value to the company, rather than hoping that the established program is sufficient and subsequently funding the increasingly high cost of litigation, fines, and penalties when it turns out to be less than robust and real.

The use of third-party independent assessments can be a valuable resource for companies. Effective use of this risk management tool is the next step in the evolution of the field of corporate ethics and compliance for forward-leaning companies committed to ensuring that their organizations act with integrity, follow pertinent laws and regulations, and maintain a commitment to excellence. ✵


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

THE OTHER SIDE OF THE STORY

Shin Jae Kim ([email protected]) is the head of the Compliance & Investigation practice at TozziniFreire Advogados in São Paulo, Brazil.

by Shin Jae Kim

B razil has 26 states and one federal district. Rio de Janeiro is one of the most recognized states for hosting one

of the world wonders. The statue of Christ the Redeemer is memorable and one of the main

tourist attraction spots. However, lately Rio de Janeiro has been associated with its corruption scandals that are mounting one after the other. Operation “Calicute,” “Cadeia Velha,” “Ponto Final,” “C’est Fini,” and “Eficiência” are only a few of the ongoing corruption investigations.

Three former state governors are or were in jail, and several other relevant politicians are also facing charges for corruption. In this context, last November, the state congress enacted State Law No. 7,753/17, aiming to mitigate corruption and fraud involving government contracts.

This law sets forth that companies executing agreements with Rio de Janeiro’s public administration, direct and indirect, and foundation-related entities shall establish an integrity program or compliance program.

For the protection of the public administration against acts that may cause damages to the public treasury, this law applies to contracts, consortiums, conventions, concessions, or public-private partnerships with duration terms of 180 days or more and a value exceeding those provided for procurement at the modality competition, which are BRL 1.5 million (equivalent to USD 454,000) for construction work and engineering services, and BRL 650,000 (equivalent to USD 196,000) for purchases and services, even in case of electronic procurement.

It is expected that the compliance program comprises the set of internal mechanisms and procedures of integrity, audit, and incentive to report irregularities. The compliance program should also include the effective enforcement of codes of ethics and conduct, policies, and guidelines aiming to detect and remedy embezzlement, fraud, irregularities, and illegal acts perpetrated against Rio de Janeiro’s public administration. It shall be structured, applied, and updated in accordance with the characteristics and business risks of the hired companies that undertake the obligation to guarantee the integrity program’s regular refinement to reassure its effectiveness.

Aligned with the core principles guiding the enactment of the Brazilian Anticorruption Law, said law imposes the obligation for top management (including the board of directors, whenever applicable) to express unrestrained and visible support to the compliance program.

The requirement for implementing integrity programs only applies to new agreements made from the date the law comes into force; it has no application to agreements currently in effect. Failure to implement the integrity program in due time shall cause the imposition of a daily penalty amounting to 0.02% of the agreement’s overall value, limited to 10% thereof, in addition to the prohibition to enter into further agreements.

Last December, the Federal District also enacted a law requiring companies that do business with the government to implement a compliance program. More states are expected to follow the same path, forcing companies to implement compliance programs if they want to do business with the public administration. ✵

Brazil: State governments impose compliance programs

Kim

Share your expertiseCompliance & Ethics Professional is published monthly by the Society of Corporate Compliance and Ethics (SCCE). For professionals in the field, SCCE is the ultimate source of compliance and ethics information, providing the most current views on the corporate regulatory environment, internal controls, and overall conduct of business. National and global experts write informative articles, share their knowledge, and provide professional support so that readers can make informed legal and cultural corporate decisions.

To do this, we need your helpWe welcome all who wish to propose corporate compliance topics and write articles.

CERTIFICATION is a great means for revealing an individual’s story of professional growth! Compliance & Ethics Professional wants to hear from anyone with a CCEP, CCEP-I, or CCEP-F certification who is willing to contribute an article on the benefits and professional growth derived from certification. The articles submitted should detail what certification has meant to the individual and his/her organization.

EARN CEUs The CCB awards 2 CEUs to authors of articles published in Compliance & Ethics Professional.

If you are interested in submitting an article for publication in Compliance & Ethics Professional, email margaret.martyr@ corporatecompliance.org .

a publication of the society of corporate compliance and ethics APRIL 2018

Meet Gerry ZackIncoming CEO of SCCE & HCCA

see page 18

corporatecompliance.org

Compliance & EthicsPROFESSIONAL®

Topics to consider include: · Anticipated enforcement trends

· Developments in compliance and ethics and program‑related suggestions for risk mitigation

· Fraud, anti‑bribery, and anti‑corruption

· Securities and corporate governance

· Labor and employment law

· Anti‑money laundering

· Government contracting

· Global competition

· Intellectual property

· Records management and business ethics

· Best practices

· Information on new laws, regulations, and rules affecting international compliance and ethics governance

CALL FOR AUTHORS

Please note the following upcoming deadlines for article submissions:

· June 1 · August 1

· July 1 · September 1


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

by Frank Bucaro

W arren Buffet, in a memo to his senior managers, stated “Culture, more than rule books, determines

how an organization behaves.”Boards need to have oversight of the Ethics

and Compliance function in particular. The culture of an organization determines how people act, make decisions, and govern their affairs.

It has been said that leadership is not so much about what you do, but it’s about what other people do because you are there! In other words, there must be some type of moral authority in board leadership.

Otherwise, leadership loses its focus and impact. There are five board/leadership values that need to be non-negotiable if a culture of trust is to be created and maintained.

The first value is Trustworthiness. What is your word worth? There was a time in business when a person’s word was their

bond. Not so anymore, it seems. Do you keep your promises? If not, can you be trusted?

The second value is Unity. Are all “players” in the same book, on the same page, same paragraph, and same sentence? Do we all share the same goals, values, modus operandi, etc.? As a board, what is the communication process to keep this value as a key focal point?

The third value is Respect. There is a difference between telling someone that they are inept, unfocused, or lazy in what they do and saying something like, “Normally you don’t make these types of poor decisions. I was wondering why you did this time?” See the difference? The first option attacks their self-esteem, and the second option keeps their self-esteem intact. The lesson here is this: Boards/leaders have a right to disagree with behavior, but they have no right to go after someone else’s self-esteem! No right at all! The “cost” of attacking self-esteem is that it makes you an enemy, and what does that do to your culture of trust?

The fourth value is Justice. Boards/leaders need to ask, “What’s just? According to whom and why?” Justice can be an elusive

Is building an environment of trust a Board responsibility? » Board members need to become more involved in the culture and consistently evaluate if they are genuinely managing the culture as well as serving the long‑term goals of the organization.

» Boards need to stop asking, “Can we do this?” but instead ask, “Should we do this?” Active board engagement is crucial in directing the decision‑making process.

» Focus on how one’s organization does business, not what it does. Board members need to draw on their strengths and business acumen to focus on this issue.

» Reward ethical behavior and punish unethical behavior immediately. This is becoming increasingly a nonnegotiable, because this sets the tone for an environment of trust.

» Focus on doing the right thing, at the right time, for the right reason. Board discernment is critical and needs a proactive attitude and focus on guiding an organization.

Bucaro

Frank Bucaro ([email protected]) is President at Frank C. Bucaro and Associates, Inc. in Williams Bay, WI.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

concept. Boards need to define it, clarify its basis, and then ensure that everyone plays by the same rules. For example, if something is a compliance issue, then justice is the result of the law. However, if something is an ethics issue, what is the basis for a decision that would be just? Who said so and why? What is the consequence? Who decides it? Take care when meting out justice. Be discerning, because there could be severe consequences of a not-well-thought-out process for justice.

The fifth value is Service/Humility. This is a very critical value, because it is not ego-based. It is the understanding that the board—based on their position, authority, and power—can alter one’s behavior, but only their behavior can earn them respect. Board members need to understand that people listen with their eyes and not their ears. What you do as a board is so much more important than what you say. Leaders did not get there on their own. Leaders stand on the shoulders of those who have gone before us (e.g., parents, teachers, coaches, mentors). They—maybe unbeknownst to them—set in motion the process that makes board members who they have become today. The question is, are your shoulders, as board members, strong enough to “pass on” the values learned in your journey to others who will follow you? Isn’t this the goal of genuine leadership? Be humble, grateful, and pass on the lessons and wisdom.

Alfred Adler, the eminent psychologist, believed that the most significant need of a human being is to belong. He stated that there were specific criteria for people to reference in belonging. In the business context, here is

what boards need to ask: How will what you want to do corporate-wise help your people:

· Feel like they belong? · Feel significant? · Develop a unique identity?

According to Adler, the more people experience these, the better the cooperation, the better the morale, the better the customer service, the better the environment, etc. And above all, you gain people’s cooperation. If these are not experienced and encouraged by boards and leaders, the result is eventually

conflict, because there would be no feeling of belonging, no feeling of being significant, and no unique identity.

What do you as a board do to help the members of your organization experience these three dynamics? If you change the

pronouns, it might read this way. Parents need to ask, “How will this help my children feel like they belong, develop unique identities, and feel significant?” Salespeople need to ask, “How will what I do help my customers feel like they belong, feel significant, and develop a unique identity?”

Why does this work? Because, Adler states, everyone asks what he calls the Significant Question, which is: How do I fit in here? Because to the degree that people feel like they fit in, that is the degree to which you get their cooperation, and isn’t that the goal of all board business and decisions?

In summary, the board’s goals for their organization need to be a cohesive, proactive, engaging, and reinforcing. This then not only empowers senior leadership but also consistently provides direction and vision based on trust, values, and empowerment. ✵

How will what I do help my customers feel

like they belong, feel significant, and develop

a unique identity?


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Thomas R. Fox ([email protected]) is the Compliance Evangelist. www.fcpacompliancereport.com @tfoxlaw

COMPLIANCE, LIFE, AND EVERYTHING ELSE

by Thomas R. Fox

I n February, the U.S. Supreme Court issued its decision in Digital Realty Trust, Inc. v. Somers. It was a closely watched

case in the compliance community. The Supreme Court narrowed the definition of

whistleblowers who receive protection under Dodd-Frank to those who report to the Securities and Exchange Commission (SEC) and not those who only report internally.

Although the Supreme Court came to the correct legal decision, this decision may well lead to negative impacts for the compliance

profession. The first is the message that it sends to potential whistleblowers: If you do not report to the SEC, you will not receive any legal protections against discrimination or retaliation. One cannot overemphasize the strength of this message. There may be companies out there that say they will not terminate you for standing up, raising your hand about concerns, and internally reporting, but even if they do, you do not have any legal protection against termination or even simple discrimination. Remember, Digital Realty Trust, Inc. (DLR) allegedly fired Paul Somers for raising concerns about suspected securities laws violations.

The decision has the likelihood to cut off a corporate compliance program from its best sources of information, that from its own employees, because companies now will have less ability to detect and then remediate any problems before they become legal violations or keep legal violations from expanding. Having a legally protected whistleblower can give a company the opportunity to stop issues from percolating into legal violations. Moreover, in addition to not being informed of issues closer to the ground, businesses where their employees have whistleblown to the SEC are now automatically behind the eight ball with the SEC, because they cannot self-disclose. It would not be a far stretch to see problems actually festering and getting worse inside of a corporation because whistleblowers have no legal protection under Dodd-Frank if they report the matter internally.

A key job duty of any chief compliance officer is to engender trust through procedural fairness in an organization. Now the Supreme Court has made that job exponentially harder. Corporate Legal departments will likely rush to uncover the identities of those who have reported to the SEC and take steps to terminate them, in the belief that that is the best method to protect the organization. Digital Realty is not the first company to fire someone for alleged whistleblowing. Now it is not likely to be the last. ✵

Following the law and damaging compliance: Impact of the Somers Decision

Fox


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

by Illya Antonenko

C ompliance and ethics professionals know that anti-bribery due diligence of third parties involves processing

large amounts of personal data about individuals associated with the third party.

In May, the European Union’s (EU) General Data Protection Regulation (GDPR) will have a significant impact on anti-bribery due diligence processes of US companies as long as there is a chance that the individuals under review reside in the European Union. Companies “established” in the European Union must comply with GDPR requirements

with respect to personal information of individuals regardless of where they reside. Much has been written about the GDPR and its complex, burdensome requirements. In this piece we will focus only on one such requirement.

As one of the initial GDPR thresholds for processing personal data of EU residents, the controller must determine which of the six lawful bases under the GDPR’s Article 6 applies to such processing. If none of the six bases apply, such personal data processing would be deemed unlawful under the GDPR. The six bases are: (1) an express consent of data subjects, (2) performance of a contract with the data subject or a request of the data subject before such contract is executed, (3) a legal obligation imposed by an EU or EU member state law, (4) vital interests of the data subject or another individual, (5) a public interest task or processing under official authority, and (6) legitimate interests of the controller or a third party.1

We have outlined below the general considerations in support of our choice of using legitimate interests of the controller as the Article 6 basis for processing of personal data in the context of anti-bribery due diligence and rejecting each of the other five bases. In our analysis, we have been guided by

The GDPR’s Article 6 and the future of anti-bribery due diligence » The General Data Protection Regulation (GDPR), a new EU privacy legislation, will have a significant impact on anti‑bribery due diligence.

» The “legitimate interests” of the controller are the most appropriate basis for processing personal data of EU residents as part of anti‑bribery due diligence.

» An authorization by the third party under review will not be sufficient. » The Foreign Corrupt Practices Act cannot be used to establish the “legal obligation” basis for processing personal data under the GDPR.

» There is a risk that the GDPR will put up significant obstacles to processing criminal background information of EU residents.

Antonenko

Illya Antonenko ([email protected]) is Privacy Counsel at TRACE International, Inc. in Annapolis, MD.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

the Article 29 Data Protection Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 36 (WP 217).

Express consent of data subjectsGDPR’s Articles 4(11) and 7 make it clear that “consent” or authorization made by a representative of the third party on behalf of all data subjects would not be adequate under the GDPR. Obtaining the express consent of each individual data subject associated with a third party under review is not suitable or even feasible in the context of anti-bribery due diligence, because each of the potentially large number of data subjects would in effect be able to disrupt or significantly delay business relationships and business operations of at least two companies. This may occur even if a data subject does not have any objections to the processing of his or her data but fails to provide a timely response to a consent request through inaction or oversight. Even though a data subject’s right to object in the context of the “legitimate interests” basis may lead to a similar result, a data subject’s right to object is not absolute and may be overridden by a showing of compelling legitimate grounds for such processing, while a failure to provide consent and consent withdrawal do not have a similar mechanism.2

The GDPR right of data subjects to withdraw their consent at any time and the right to data portability, which arises when processing is based on consent, would also be inappropriate for anti-bribery due diligence.

Moreover, anti-bribery due diligence by its nature seeks to prevent or detect unlawful acts. If data subjects engage in such acts, giving them the opportunity to preclude the due diligence review would prejudice the purposes of prevention or detection of unlawful acts.

Finally, for consent to be valid under the GDPR, it must be “freely given,” among other things. In circumstances where the failure by a data subject to give consent to anti-bribery due diligence may result in a loss of business,

it is unlikely that the European data protection authorities would see such consent as freely given.

Performance of contract or request of data subject before contract

For this basis to apply, the data subject must be a

party to the relevant contract, which would rarely be the case in the context of anti-bribery due diligence review. Even due diligence reviews of individuals or sole proprietorships typically involve processing of personal data of a number of data subjects beside the third party (e.g., basic personal information of business and financial references).

Legal obligationIn order to rely on the basis set forth in Article 6(1)(c), the legal obligation must: (1) be pursuant to the European Union or EU member state national law (e.g., the U.S. Foreign Corrupt Practices Act will not be sufficient because it is a foreign law in the EU), (2) “be sufficiently clear as to the processing of personal data it requires”3 (the text of the

A data subject’s right to object is not absolute and may be overridden by a

showing of compelling legitimate grounds.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

Foreign Corrupt Practices Act and similar laws may not be sufficiently detailed about due diligence personal data processing requirements), (3) be directly applicable to the controller, and (4) “the controller should not have an undue degree of discretion on how to comply with the legal obligation.”

Given such a high bar for the application of this basis for processing personal data, its use would require a case-by-case analysis for each due diligence review and lead to uncertain results. For this reason, this is not an appropriate basis for processing personal data as part of anti-bribery due diligence for non-EU entities.

Vital interestsThis basis involves “questions of life and death or, at least, threats that pose a risk of injury or other damage to the health of the data subject” or another person.4 For example, this basis would apply when a hospital processes personal data of an unconscious patient who is unable to give his consent to such processing or when healthcare officials process personal data while dealing with a health epidemic. Anti-bribery due diligence is important, but it does not involve questions of life or death.

Public interest task or processing under official authorityRecital 10 of the GDPR and Opinion WP 217 indicate that, to serve as the basis for processing personal data, public interest tasks typically need to derive from “statutory laws or other legal regulations” of the European Union or EU member states.5 The Article 29 Working Party was explicit that “tasks carried out in the public interest of a third [i.e., non-EU] country or in the exercise of an official authority vested by virtue of foreign [to the EU] law do not fall within the scope of this provision.”

Although this basis is “relevant both to the public and private sector,” the need for a case-by-case analysis and uncertainty of application hinder its usefulness for processing of personal data in the context of anti-bribery due diligence reviews by non-EU entities.

Legitimate interestsBased on our analysis, we have come to a conclusion that both the principal company and the third party undergoing anti-bribery due diligence have legitimate interests in complying with the anti-bribery legislation of their home countries and the countries where they operate to avoid criminal liability that may result in jail time for their officers and employees, significant fines, disruption to their business operations, and damage to their reputations.

The importance of these legitimate interests is underscored by the fact that a potential violation of anti-bribery laws is considered one of the most serious corporate offenses, with recent enforcement actions resulting in penalties of tens and even hundreds of millions of dollars for companies and significant prison terms for individuals. Furthermore, the resulting loss in business and post-enforcement costs may equal or even exceed the criminal penalties under anti-bribery laws.

More generally, anti-corruption due diligence also represents compelling interests beneficial to society at large because anti-corruption due diligence plays a role in: (1) preventing corruption in the administration of government functions and in government procurements, (2) lowering the cost of bribery for taxpayers and society as a whole, (3) preserving equal access to the government, and (4) allowing law enforcement authorities to be more efficient in carrying out their duties.6


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

FEATURE

Next stepsThe determination to rely on legitimate interests as the Article 6 basis for processing personal data should be followed by: (1) the analysis of the categories of personal data processed as part of due diligence and the “necessity” of such processing for pursuing the identified legitimate interests to demonstrate that there are no other alternative, less invasive methods to pursue the legitimate interests of the controller; (2) the assessment of the impact of personal data processing on data subjects and the balancing of the controller’s legitimate interests in personal data processing against data subjects’ interests and fundamental rights that may potentially be impacted by anti-bribery due diligence (this step may require a formal data protection impact assessment under Article 35 of the GDPR); and (3) the implementation of a mechanism to make data subject notifications under Articles 13 and/or 14.

Other important GDPR issues for anti-bribery due diligenceAlthough we have focused on Article 6 of the GDPR, it should also be noted that personal data processing for anti-bribery due diligence purposes may also raise significant issues under Articles 9 and 10 of the GDPR when processing involves special categories of personal data (e.g., Politically Exposed Persons [PEP] data revealing political opinions) or criminal background information on individuals.

In fact, the most troubling part of the GDPR for anti-bribery due diligence may be its Article 10, which provides that the processing of personal data relating to criminal convictions and offences “shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.” To the author’s knowledge, there is currently no such law in the European

Union that specifically authorizes the processing of personal criminal background information for purposes of anti-bribery due diligence and includes appropriate safeguards. A prohibition to inquire into individuals’ criminal backgrounds will effectively

eviscerate the anti-bribery vetting process. If this legislative gap is left unresolved by May 2018, companies may face a dilemma between complying with their international anti-bribery due diligence obligations or with the GDPR, with each option presenting a risk of an enforcement action and significant fines. Please contact the author if you are interested in learning more about the GDPR Article 10’s potential obstacles to anti-bribery due diligence and a potential solution to these obstacles. ✵1. Intersoft Consulting: “General Data Protection Regulation (GDPR).”

Available at http://bit.ly/2HzYJKg.2. WP 217 at footnote 103. Available at http://bit.ly/2DCkVkp.3. WP 217 at 19. Available at http://bit.ly/2DCkVkp.4. WP 217 at 20; Recital 46 of the GDPR. Available at

http://bit.ly/2DCkVkp.5. WP 217 at 21–22. Available at http://bit.ly/2DCkVkp.6. WP 217 at 35. Available at http://bit.ly/2DCkVkp.

A prohibition to inquire into individuals’ criminal

backgrounds will effectively eviscerate

the anti-bribery vetting process.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

RegTech and blockchain: Only as strong as your weakest link » Organizations seek RegTech solutions to reduce risk in a cost‑effective, automated manner. » Repetitive, transaction‑based compliance tasks can be routinized, thus freeing up professional resources to perform higher‑level analysis and institute qualitative improvements.

» Trusted systems are essential when performing and validating compliance activities that rely upon RegTech. » Distributed ledger technology (blockchain) employs a permissioned consensus mechanism to confirm transactions, thus heightening trust.

» Blockchain will continue to be leveraged to improve transparency, strengthen internal controls, and provide greater assurance to stakeholders.

T he media is awash in articles, interviews, and op-ed pieces attacking or defending the emergence and

ascendency of cryptocurrency. Although Bitcoin and other cryptocurrencies rely upon distributed ledger technology (DLT), cryptocurrency is but one application of the innovative technology also known as blockchain. This is, therefore, not an article about the merits of cryptocurrencies.

Reducing compliance costs with technologyDespite improved economic conditions in many global regions, at many organizations, compliance professionals are being asked to “do more with less” amidst budget pressures and shifts toward technological tools. As Compliance departments are not “profit centers” that contribute to the organization’s net income, senior leadership seeks to maximize the return on investments in compliance professionals and regulatory technology (RegTech) tools. Because qualified compliance professionals are valued more for their qualitative skills than their ability to accomplish repetitive tasks,

the impetus to employ RegTech for routine matters is strong.

For those of us in the compliance risk management profession, the potential applications of blockchain technology are exciting and promise to revolutionize the manner in which we deploy scarce technology and key professional resources. Stakeholders—including business leaders, boards, shareholders, and customers—will look to us to ensure that compliance is not only maintained but strengthened by the implementation of these innovative tools. As experts have identified upgrading legacy systems as the biggest technology challenge of 2018,1 compliance leaders must partner with their organization’s technology peers to ingrain RegTech solutions into new application development.

What is “blockchain”?Although this article is not meant to be a primer on DLT, it is helpful to briefly explain its underpinnings. Much has already been written by authoritative sources on the technical aspects of DLT. On a blockchain, transactions are recorded chronologically, forming an immutable chain, which can be substantially anonymous depending upon

Cris Mattoon ([email protected]) is Assistant Vice President, Compliance & Ethics, for The Auto Club Group in Dearborn, MI.

by Cris Mattoon, JD, CCEP, CAMS, MCM

Mattoon


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

how the technology is implemented. The ledger is distributed across many participants in the network; it doesn’t exist in one place. Instead, copies exist and are simultaneously updated with every fully participating node in the ecosystem. A block could represent transactions and data of many types: currency, digital rights, intellectual property, identity, or property titles, to name a few.2

At its most basic level, a transaction is simply a change in the registered owner of an asset.3 When a member of the network conducts a transaction, he/she submits the transaction to the network. That new transaction changes the state of the ledger, thus causing a conflict with the state of other members’ copies of the ledger. The network discovers the new transaction. Only when the other members of the network either validate and update their own records (the consensus mechanism) or reject the new transaction will the state of the ledger be confirmed.

Routinizing repetitive compliance tasksHuman error is the weakness in any well-defined process. All the best-written policies and procedures, colorful job aids, and ergonomically aligned workspaces cannot prevent failures due to employee boredom when engaged in tedious check-the-box tasks. The decades-old myth that technology will replace employees has continued to be shattered by extremely low unemployment rates in the compliance profession. When human error and its inherent risks are

mitigated, customer satisfaction and regulatory ratings rise. RegTech can strengthen the compliance “chain.”

Much as H.J. Will’s introduction of Audit Command Language (ACL) in the early 1970s revolutionized leveraged computer technology to reduce the need for clerical analyses of large internal audit data sets, the compliance profession is continually seeking new and faster methods for validating compliance. Take the example of intellectual property, where producers, wholesalers, agents, attorneys, and customers engage in an expensive

array of imperfect relationships.

Imagine, instead, if a distributed ledger established between a software company, its distributors, and the end users could account for and continually reach consensus around the true ownership of software licenses and the payment of contractual licensing

fees. Extending that example a little further, the entertainment industry could ensure that every music recording, video recording, script, sheet of music, etc. is accounted for and balanced across the distributed ledger so that royalties were collected and paid immediately across the globe.

In a global economy subject to counterfeit consumer goods and industrial parts, manufacturers and suppliers will be able to leverage blockchain’s potential ability to verify goods moving through the supply chain. Early adopters are already seeking to build compliance and traceability into their production processes, making blockchain an excellent RegTech solution.

The decades-old myth that technology will replace employees has continued to be

shattered by extremely low unemployment

rates in the compliance profession.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

An ethics office that is inundated with automated conflict-of-interest and gift acceptance reporting could employ a blockchain to validate response field data, producing only a periodic exception report that would require further professional analysis and follow-up. Thus, the ethics officer could instead invest time and attention in strengthening relationships with key organizational leaders, employees, and peers to foster the culture of compliance, instead of being mired in clerical fact-checking.

Heightening trust through consensusContinuing the intellectual property example described above, we know that music recordings can be pirated and reproduced. But if a unique digital signature is embedded within the recording, and the digital signature is required for each new block in the chain, then the other members of the distributed ledger would learn that the transfer has occurred. In the transactions described above, a block is created with the details of each new transfer. Each transaction is a new contract. When the parties agree to the contract by adding their unique digital signatures, a cryptographic hash is calculated that will be used to link this new transaction to the previous chronological record of transactions.

The other members of the network would then have to validate the transaction to reach consensus, putting the ledger back into balance. In the event a fraudulent version of the music recording has been offered in a transaction, the members will be able to identify the duplicate entry and reject the transaction.

In addition to the financial aspect of the transaction being voided, an audit trail would then exist to support civil or criminal action to enforce intellectual property laws. The greater level of validation will act as a

deterrent to many potential wrongdoers, whose unethical and illegal actions, in the absence of a blockchain algorithm, would most likely go undetected and legally unvindicated. Trust will be enhanced, because contracting parties would receive greater assurance of the validity of goods and receipt of payment. Yet, because the transactions are being validated by computers, less human resources would be required to track, inspect, report, or defend individual transactions.

Those same compliance professionals could redirect their attention to qualitative analysis, regulatory research, and change management to strengthen the compliance culture within the organization. Reputational, operational, and litigation risks would all decrease as a result, thus strengthening both the brand and the shareholder value of the organization.

ConclusionBlockchain, though still in its relative infancy as a RegTech compliance tool, promises to provide opportunities to reduce costs directly associated with deploying professionals to administer routine compliance tasks. As with any application of technology to compliance processes, the objective is to reduce human error, while redeploying those compliance professionals to higher-value qualitative activities that infuse assurance into business operations. Compliance professionals can embrace the distributed ledger technology, develop effective use cases for employing blockchain effectively, and support continued investments in strengthening the culture of compliance. ✵1. S. English and S. Hammond: “Fintech, Regtech and the Role of

Compliance in 2017” Thomson Reuters, December 2017. Available at http://tmsnrt.rs/2FmkKzm.

2. Zach Church: “Blockchain, explained” Newsroom, May 25, 2017. Available at http://bit.ly/2tUaILY.

3. Rebecca Lewis, John W. McPartland, and Rajeev Ranjan: “Blockchain and Financial Market Innovation” Economic Perspectives, 2017;41(7). Available at http://bit.ly/2FT5F8a.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Bond

by Robert Bond

EU COMPLIANCE AND REGULATION

B y the time you are reading this, May 25 may have come and gone, and the EU General Data Protection Regulation

(GDPR) will be in force. Probably, GDPR was not like Y2K; it was not a one-moment wonder;

no mega fines were dished out on May 26; and it was not a revolution, merely an evolution!

However, GDPR is here, and it does apply to almost any business that processes personal data. It is extraterritorial, and it impacts both controllers and processors. Although

privacy regulators will understand that businesses may not be 100% compliant right now, doing nothing is not an option, and so if you are not on a compliance journey, then you really must be, or you will suffer the consequences.

The eight principles of data management under GDPR address your obligations and the rights of individuals. These principles require transparency as to your use of personal data and require controllers and processors to demonstrate accountability— hence the need for policies, procedures, and training.

So first you need to address the “who, what, when, where, why, and how” of the ways in which you collect, use, store, share, and generally manage personal data. This means auditing your legacy personal data and establishing that it is still valid, lawful, accurate, and managed appropriately. Moving forward, you will need to consider all points at which personal data enters the

business and update data privacy notices and consent statements to meet the transparency requirements of GDPR.

In order to demonstrate accountability, you will need to develop or improve your policies and procedures. Typically, you will need a headline data protection policy that, like a code of conduct, sets out the legal and ethical approach of the business to compliance with GDPR and data privacy in general. This will reference policies aimed at employee personal data and also consumer and customer/supplier personal data—so internal facing and external facing.

Policies and procedures would typically have to address:

· Data subject rights, including access, portability, erasure, rectification, and correction

· Data protection impact assessments · Privacy by design · Data retention and data destruction · Data breach response · International data transfers · Internal record of processing

It is essential to ensure all vendor contracts that may involve processing personal data for the controller comply with the mandatory contract terms of GDPR and also manage risk and liability for both parties.

All these actions take time and are the responsibility of many stakeholders in the business. Getting executive buy-in is essential to ensuring you have the resources to do what you have to do! ✵

May 2018, and GDPR has arrived

Robert Bond ([email protected]) is Partner & Notary Public at Bristows LLP in London, United Kingdom.

complianceandethics.org/category/podcasts

Podcasts

Socialize!Connect with us and your compliance colleagues

on all of your favorite social media platforms.Join the compliance conversation and help

grow the compliance community.

instagram.com/ theSCCE

Blogcomplianceandethics.orgpinterest.com/

theSCCE

facebook.com/ SCCE

corporatecompliance.org/ sccenet

bit.ly/LIGroupSCCE bit.ly/LinkedInSCCE

youtube.com/ compliancevideos

twitter.com/ SCCE

corporatecompliance.org/ google

scce-2018-on-social-networks-1pgad.indd 1 1/10/18 5:24 PM


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

T he media coverage over the last several months has highlighted the issues around reporting sexual harassment

misconduct. Every company and industry is different, of course, so it may be misleading

to try to generalize the factors that allowed this conduct to continue. But there are certainly some questions that should be asked. Were the problems due to a management culture that put profits above all else? Could it be due to the lack of a credible system to report wrongdoing without fear of retaliation? Could it have been due to a pervasive societal bias that has tolerated this conduct? Could it have been due to an HR department that viewed its job as protecting management, no matter what the cost to individuals or the long-term cost to the company? Most likely, some or all of these factors played a part.

A common element in most of the reported cases is a failure to act by an organization’s HR department. Every experienced compliance officer knows that one of the key determinants of whether you have a successful compliance and ethics program is whether you have a good working relationship with the company’s HR department. Your HR colleagues can support a number of the processes, such as hiring employees who have no propensity to violate the law, communicating the importance of compliance and ethics as a key company value at new employee orientation, making certain that compliance training is delivered to the appropriate employees based on their roles, enforcing a system of incentives and punishments for compliance violations, and making certain that allegations of wrongdoing are fairly investigated without fear of (or actual) retaliation. The growing number of women coming forward with reports of sexual abuse in the workplace made it fairly obvious that in the companies where this conduct was allowed to persist, the HR department was not at the forefront of trying to protect employees from abuse.

What is the role of a Human Resources department?

» HR departments should be available for help in all compliance concerns and should be the first line of defense when it comes to cases of alleged sexual harassment.

» The evidence from media reports indicates that HR departments at numerous companies failed to protect either the company or the employee due to incompetence, active collusion with managers who behaved improperly, or by engaging in willful blindness.

» Like Compliance departments, HR departments need to get management buy‑in to a set of standards that the company stands for—and the HR department will enforce.

» HR employees need to receive training in how to deal with allegations of improper conduct. » HR departments can provide a positive benefit not only to the morale but also to the profitability of their company.

by Ted Banks and Sharon Ray

Banks

Ray

Sharon T. Ray ([email protected]) is CEO at S. Thompson & Associates in Chicago, IL, and Ted Banks ([email protected]) is Partner at Scharf Banks Marmor LLC in Chicago, IL.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Why have the HR department?Traditionally, once a company reached a certain number of employees, it made sense to create an HR department to manage some of the personnel functions, such as job interviews, coordination of employee benefits, training, and compensation. If a company became large enough, responsibilities might be transferred to another department, such as payroll. Additional responsibilities might be added, such as records management, which many HR departments undertook as an outgrowth of HIPAA and other privacy responsibilities.

But HR had a unique role in the relationship with employees, because it was often the first interface that a new employee would have with the company. It would also be the last place they might interact, because the HR department usually handled terminations and exit interviews. Along the way, the HR department would also get involved in managing relationships between employees and the management staff. It would work with managers to administer disciplinary actions based on reports of misconduct. This would often require investigations of claims, and well-run departments would make certain that they had the expertise to investigate allegations and determine the proper way a company should respond to an allegation.

Unfortunately, in many companies, the resources devoted to HR were also frequently cut as managers sought ways to save money. Training courses, or the entire training function, disappeared. Specialists

in various HR functions were replaced by generalists, and the process of manually reviewing the qualifications of applicants and personal interviews were replaced by online résumé submission and the online interview. Generalists were often assigned responsibility for multiple locations, and combined with doing more functions via computer— algorithms replaced people wherever possible in many companies—building personal relationships with employees became a thing of the past. In some cases, HR departments were eliminated altogether.

And what about support for the compliance and ethics program? An effective compliance and ethics program really depends on a good relationship and shared responsibilities with HR. Unfortunately, as HR resources are reduced, the ability to support compliance and ethics might well

be sacrificed so that other, closer-in traditional HR functions could be supported.

So, what happens when an employee has a problem? Many departments seem to have tried to avoid getting involved if it would reflect badly on the company or on certain officers. The net result was a continuation of bad behavior of varying degrees, with the victimized employee (usually, but not always, female) paying the price.

What is the purpose of the modern HR department?It would seem that the very name of “Human Resources” fully explains an important role to protect valuable—usually the most valuable

Many departments seem to have tried to avoid getting involved if it would reflect badly on the company or on

certain officers.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

assets of the company: its employees. But this title can also be very limiting. Most people think of HR as a series of mechanical or clerical functions related to working with people. Management interactions with the HR department typically involve things like asking for help with recruiting for open positions, benefits management, and pay administration. Through the years, HR departments have attempted to change their names to represent the true work in the department, which includes activities such as talent acquisition and development, workforce planning, benefits administration, pay administration, diversity management, and building a culture—to name a few. Unfortunately, in many cases it seems that no matter how HR is positioned in the organization or how it tries to describe its value, people still see it how they want to see it, which is to use HR for certain mechanical functions and otherwise not think about it.

But HR’s role is to protect the organization. By protecting the company’s human assets, it is also protecting the company, since loss of human assets can be severely damaging to the company, just like loss of a manufacturing machine due to poor maintenance or loss of a trade secret by failing to protect confidentiality. HR and senior management must accept this wider role: not just making sure that paychecks are generated but that the human assets are protected.

Additionally, there may be a certain degree of conflict in the HR role, sort of like the conflict with regard to the role of the Legal department of a company in handling compliance matters. Is the role of the Legal department that of corporate gladiator or corporate conscience? Does it protect the company at all costs or ensure that the company does the right thing? Part of HR’s role in protecting the human assets of the company is to recognize that it must stand

up for the rights of the individual as part of its professional functions. It should recognize this role in making certain that the company follows legal and ethical principles, and does not operate with the idea that its function is to defend the company at all costs. It should be remembered, as with compliance and ethics in general, that doing the right thing always pays off in the end. Trying to cover up wrongdoing never succeeds for long. And the cover-up is often worse than the original problem. In the long-term, doing the right thing is best for the company, for its shareholders, and for its employees.

So why didn’t HR protect employees?In the cases that have been reported recently, there seem to be a number of reasons why HR did not—or could not—do more to protect the victims. Each of the possible reasons throws into question whether the company had a completely ineffective HR department when it came to anything that went beyond the typical HR processes, such as onboarding new employees.

It is possible that the HR department didn’t know about the misconduct. This suggests that the department was out of touch with its employees or was so mistrusted by them that nobody was willing to go to HR to discuss the problem. Perhaps there was no system for anonymous reporting (i.e., a hotline), but that seems unlikely with companies of any size today. So, were there reports that were actively suppressed?

In the long-term, doing the right thing is best for the

company, for its shareholders, and for its employees.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Perhaps the HR department knew about the allegations but chose not to act. In some cases, the knowledge available to the HR department was not confidential, but perhaps indirect. Some things have no good explanation, and the only explanation for failing to take action is willful blindness. If something seems suspicious, HR needs to investigate.

It is also possible that, in some companies, the HR department actively worked with lawyers to negotiate confidential settlements, but those settlements had the effect of concealing the misconduct and did nothing to change the circumstances that resulted in the harassment. Resolving a complaint with a confidential settlement is not, in itself, a bad thing. But it is only part of the resolution of the problem. When victims see that the perpetrators are not punished and remain in their positions, it reinforces the impression that the company does not care about the incident that took place, and this discourages employees from reporting incidents of harassment.

HR departments may have been part of the “frat boy” culture that pervaded companies like Uber, where nothing mattered other than profits. For all the talk about corporate ethics and social responsibility, capital still readily flows to enterprises that are making money without careful examination of whether they have a functioning compliance or corporate governance system. At Uber, the culture was set by the former CEO, Travis Kalanick, who “openly disregarded many rules and norms, backing down only when caught or cornered.”1 Incidents that were reported to HR, such as a manager throwing a coffee cup at a subordinate or an employee outing to an escort bar, resulted in no action.

What could have been done?The HR department needs to work to gain the trust of employees. This requires management support and recognition that a certain degree of independence may be required. The board of directors should insist, as part of its compliance oversight, that a robust set of HR policies make it clear that the company will treat its employees with respect, will follow all applicable laws, and will not tolerate offensive behavior within the company.

HR and Compliance should be connected and share the responsibility of developing training and policies that set standards and educate employees on ethical behavior in their workplace. This includes the process of reporting an incident as a witness or victim. The policy should make it clear to employees that the company will conduct a formal investigation, and the process should be explained. Discipline should be administered that is proportional to the violation—not to the rank of the violator.

Mandatory training on sexual harassment for employees, managers, and senior managers should be delivered once a year, allowing time for questions and answers. The training should consist of how the lack of reporting an incident and/or the mishandling of information can affect the individual and the company. Employees should know that once they reveal this information to a manager or a friend, they have an obligation to report the incident to HR or to the compliance hotline. The training information should be given not only at the beginning of employment but also periodically throughout the year.

Hopefully, the HR department will have some expertise in adult learning so it can assist in delivering training that is effective. The training should not serve just the “check the box” purpose, but should also communicate the policy of non-harassment


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

and non-retaliation without castigating all men as harassers or all women as victims. The focus should be on civility in the workplace and how observers can play an important role in reducing harassment by reporting what is going on around them.

If there is a report of harassment, the HR department should actively and promptly investigate allegations of wrongdoing (assuming, of course, that there are trained investigators in the HR department). The investigation may be done in conjunction with company lawyers, but there should be quick decisions as to who will manage the overall investigation. The purpose of the investigation should be clearly defined, and a list of questions for all employees involved in the process should be established. Interviews should be scheduled, where answers are documented and the investigators ask clarifying questions as needed. In many cases, it may be appropriate to have two people conduct the questioning, with at least one being a female. A report of the facts uncovered in the course of the investigation should be reviewed with an employment lawyer.

The investigators should make a recommendation to management as to the proper resolution of the matter. Termination is not always required, but the discipline should reflect the seriousness (or frequency) of the violation, and not the rank of the violator or whether that person was considered “high potential.” In other words: no double standards. Once a resolution has been decided, it is very important to communicate to the individuals affected and the organization. This takes time and significant thought around what is to be shared among which groups of people and the ramifications

of the information being shared. The subject of this type of investigation is very sensitive, of course, and the identity of the victims should be protected to the extent possible.

However, if a company is serious about creating an environment where sexual harassment is not tolerated and victims will not be scared to come forward, it must demonstrate that it actively enforces its policies. Therefore, it is a good idea to release some details about the allegations and the punishment, even if the names of the parties are not revealed. Often company scuttlebutt fills in the details, but in any case, employees are reassured when they see that discipline has been imposed.

ConclusionRecent news about the apparent prevalence of sexual harassment in many organizations may perhaps accomplish something positive as awareness of the problem has increased. But the common factor of the failure of the Human Resources staff to provide a check on unconscionable behavior must be recognized. A fair amount has been written about the conflicting roles of corporate Legal departments when it comes to compliance, but we would submit that such a conflict should not exist with regard to the HR department.

The HR department exists to protect the company by protecting its human assets. That means that it must be willing to stand up for principles of human rights and dignity, even if that means disciplining or terminating senior executives or high-potential/high-performance employees. HR cannot stand idly by or assist in concealing the misconduct. ✵1. Mike Isaac: “Uber’s C.E.O. Plays With Fire” The New York Times,

April 23, 2017. Available at http://nyti.ms/2oidfkx.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

T he dreaded sales call. Not dreaded because you hate them, dreaded because your answer will be, “We have

no budget for that.” How many times have you discovered a fantastic third-party compliance program, only to know you will never be able to secure money for it? Compliance professionals are no strangers to this conflict. Don’t give up. There are things you can do to run an effective compliance program on a shoestring or no-string budget; it takes a lot of work, relationships, and resourcefulness.

It is one thing to operate a well-established compliance program with little money for third-party assistance, and a whole other thing to start one from scratch. Adding a global span to that only increases the need for third-party translators, travel, and delivery systems. So what are some things you can do to get a compliance program

up and running with no budget?

Use existing resourcesI have found that Human Resources and IT have been my primary contacts for systems that are already in place. I have used Human

Resource Information Systems (HRIS) to deliver code of conduct certifications, new policy acknowledgements, and onboarding requirements. For example, I used HRIS to launch a code of conduct and to secure annual certifications. Using the same type of process as a benefits enrollment, all users were assigned a task to complete their code of conduct certification. They logged in, retrieved the document, and then uploaded it into their employee profile. I could easily retrieve reports of completions, and the certifications were available for HR or Legal retrieval if needed. No paper and no new third-party management system required.

If you have an online training system, that is an untapped resource waiting for your compliance materials. I have used an online training system to deliver code of conduct certifications and new policy acknowledgements as well. Think outside the box for delivery. What global delivery system does your company employ? Not sure? Just watch your emails and see what companywide communications you receive. Benefit enrollment? Annual performance reviews? Start asking yourself, “Can I use that same system to deliver my message?” The IT department is also a fantastic resource, especially for SharePoint or cloud-based

Running a compliance program on a shoestring budget

» Use existing resources. You may already have what you need. » Involve other departments. Everyone has something to offer. » Resourcefulness is free. Don’t reinvent the wheel. » Create a business case. Be prepared for when you have to ask for money. » Timing is everything. Certain events can give you the opportunity to seek funding.

by Leslie Reed, ACP (Estate Planning), CFE

Reed

Leslie D. Reed ([email protected]) has worked in corporate compliance for over 10 years and currently is a paralegal at Horizon Attorneys & Counselors at Law in Tulsa, Oklahoma. http://bit.ly/2FNzrvU


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

resources. I always run something I want to do by my IT coworkers, because they often already have things in place to do what I need.

Involve other departmentsThis section could easily be titled, “Leveraging your relationships,” but I despise corporate speak. However, that is what it is. Most of you in Compliance for a while understand that without help from your coworkers, you are just spinning the wheels of your little compliance car. In this case, you have no money for gas! Other than the two departments previously mentioned, an important one is Marketing. What are you trying to do with your compliance program? You are trying to sell it! Who is best at making people want to buy things? Exactly. Marketing and Sales should be target relationships for you.

I want any code of conduct I release to be a positive reflection of my company. I do not have the software or the patience for making my code of conduct as visually dynamic as possible, but Marketing does. Give them some space to do what they enjoy and do best. Now, asking for these things sometimes requires a little return. For instance, I might offer to do a slide deck for someone or help write some procedures for another department. A “thank you” card goes a long way. I am sure there are many publications about how to foster other relationships as a compliance professional. What is important is that every department in your company has something to offer your program—open the door.

Resourceful is freeSo far, I stepped lightly on the feet of third-party companies that provide compliance services, but I am about to step a little harder. There are so many free things available online, maybe the question to ask yourself should be, “Why should I outsource anything?” White papers, guidebooks, and graphics, oh my! Need to send an employee survey to benchmark your program? Free. Export compliance clearance? Free. Examples of codes of conduct, anti-trafficking statements, policies? All available for viewing. Do not

plagiarize, but do not reinvent the wheel. Microsoft Word has a multitude of templates for posters, brochures, and newsletters.

Network. LinkedIn and Twitter are the best social media sites I have found to meet compliance professionals. Most will share their

work, and if someone asks you for guidance, give it if you can. We are all in this together! Be mindful of copyrights and proprietary information of others. You set an example of lawful and compliant behavior, all the way down to your compliance materials.

Sometimes, you just need a third-party service. Maybe it is boots-on-the-ground due diligence or a hotline provider. There is still no money. Now what?

Learn how to make a business casePart of writing a business case is knowing your audience. Is the decision-maker a numbers person? Legal person? Charts and graphs reader? Have they had experience with

You set an example of lawful and compliant

behavior, all the way down to your

compliance materials.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

compliance issues or investigations before? Deliver the information with the method they are most receptive to, and if legal advice is given in the business case, talk to your legal counsel first (attorney-client privilege can be very important). Go get the data to support your position; it is out there. Offer pros and cons. Be factual, neutral, and avoid being an alarmist. Take small wins and turn them into big ones. Present all of the options. Perhaps you have multiple options for hotline coverage. Address what happens if you do not have one, the one you can live with, and the one of your dreams. Middle ground options, I have found, are the most chosen because everyone wins. Use the win on the middle option to get you closer to your dream program after you establish the value.

Timing is everythingWe work very hard to prevent bad things from happening. Sometimes they do. After the dust settles, do a gap analysis. If that gap analysis reveals that a cost-incurring resource can mitigate a risk, then there might be an opportunity to put that business case forward. Note that you did not read a recommendation to include “I told you so” or something with that tone in your business case. Stating that something happened and this is how we can possibly avoid it in the future is definitely a position

you can and should take. I cannot stress how important it is to think heavily about using your company’s bad experience to better your program. Sometimes you need to do it for the greater good, but do not use every opportunity afforded to do so. Other “moving events” can be big fines assessed to your company’s competitors or similarly structured entities. Share these developments regularly and tie common facts like company structure, global footprint, and industry so that it has an impact on the decision makers.

Compliance functions within a company typically are cost centers. We do not make money for the company, and convincing them we are saving money by being compliant is a constant challenge. Most of us operate with very limited resources with the same expectation. Being resourceful

with strong relationships is key to getting it done. We would all love to have an open-ended budget to outsource everything we thought could be done better or that takes too much of our time, but there is an upside to operating with a shoestring or zero budget: It is all yours. To succeed, to improve, to struggle, and to fail. Pride goes hand in hand with ownership, and I would trade that over a big budget any day. ✵

Pride goes hand in hand with ownership, and I

would trade that over a big budget any day.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

by Mike Pagani

L et’s face it, texting is simple, concise, and supported by virtually every mobile device, operating system,

and wireless carrier. This makes it the go-to preference when an employee needs to communicate with their colleagues, customers,

or prospects in a time-crunched, always-connected society.

In fact, according to the Pew Research Center, 97% of Americans who own smartphones use them to send or receive text messages,1 demonstrating that mobile messaging is one of the most widely used forms of electronic communications today.

However, even though texting is easy, reliable, and efficient, if it’s used for official business communications, it can create tremendous risk for a company.

Text messages can be problematicWhen you consider the countless regulatory, legal, and general risk and brand management

challenges that companies must manage today, you might think email and other official communications using social media accounts and corporate websites are the only content types that need to be archived or actively supervised. Although its use by employees for official company business is often prohibited by organizations, the reality is that text messaging does get used and therefore should be governed the same way as all other channels. Sending text messages between mobile devices is now one of the key ways that employees connect with each other and customers, and these records need to be maintained for completeness.

According to the Smarsh 2017 Electronic Communications Compliance Survey Report, one alarming thing is that companies don’t give text messaging the same level of recordkeeping attention as other forms of digital communications.2 Many don’t have an archiving solution in place for the retention and oversight of text messages, which causes problems and significant risk when facing a regulatory examination, an open records

Ungoverned text messaging exposes your company to significant risk

» Employee use of text messaging for business purposes is on the rise despite prohibition policies by organizations in the financial services industry and public sector.

» Recordkeeping and proper supervisory obligations for electronic communications extend to text messaging if the messages contain business‑related content.

» Most organizations in regulated industries still do not have a proper system in place to reliably capture, supervise, and produce employee text messages.

» Organizations mistakenly implement separate point products and systems for each electronic communication type instead of using a single, comprehensive archiving platform.

» Text messaging is highly efficient and boosts productivity for employees, but it must be properly governed to keep its use compliant.

Pagani

Mike Pagani ([email protected]) is Chief Evangelist at Smarsh in Portland, OR.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

request, an investigation, an e-discovery event, or litigation.

Compliance, Legal, IT, and risk and reputation professionals across a variety of litigious and regulated industries are now realizing that proactively automating the archiving and supervising of text messages is necessary to mitigate the myriad of potential risks that arise, because their records retention and oversight practices are not keeping pace as employee use increases. They need to meet the challenge of accurately identifying specific sources of additional risk with this form of communication as employees use it for business purposes. Text messaging without proper governance is a major gap that can no longer be ignored.

The following circumstances have organizations worried about recordkeeping challenges related to text messaging.

Searchable and retrievable formatText messages must be kept in a searchable format that cannot be tampered with, destroyed, or otherwise disposed of by anyone deliberately or accidentally. Text messages must also be produced in a timely manner for e-discovery, public records requests, and regulatory examinations to meet firm deadlines.

Retention issuesA company may operate a tremendous number of mobile devices through contracts with one or more carriers, and erroneously assume text records are being retained by the carriers. However, carriers typically only keep text messages long enough to ensure delivery

to all parties before deleting them from their systems, and they aren’t obliged to provide records of them either. The responsibility for retaining and producing requested text messages lies with the organization that creates the records.

Proper oversightOrganizations can no longer say, “we didn’t know” as an excuse to avoid archiving and performing proper oversight of text messages. Several well-publicized cases involving text business messages that have been lost, altered,

or mishandled in the public sector, financial services, and other industries have alerted us all to the fact that these types of messages must have proper oversight. The good news is, organizations that aren’t yet retaining

text messages will find they have plenty of technology options to take care of the issue.

Following email and social media, SMS/text messaging is perceived as the next biggest source of compliance risk by compliance professionals in the financial services industry. The Smarsh 2017 Electronic Communications Compliance Survey Report revealed that when SMS/text messaging is allowed for business communications, nearly half (48%) of firms said they still do not have an archiving/supervision solution in place. In addition, more than two-thirds (67%) of respondents said they are not confident that they could prove the prohibition of text messaging for business purposes is working.

In the public sector, citizens’ expectations have changed in relation to government records transparency and accessibility.

The good news is, organizations that aren’t

yet retaining text messages will find they have plenty of technology options to take

care of the issue.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Community members and watchdog groups want to be able to readily access information from government organizations and to hold public officials accountable for their decisions. Text-related public records requests are now a lot more common, and people routinely ask for text messages from agencies alongside emails and social media content. Maintaining text records to comply with open records laws means that an organization must be able to easily secure, retain, search, and retrieve those records. Government offices have increasingly faced lawsuits over text messages if they fail to retain and manage them properly.

The three business risks of text messagingNow that we have discussed the circumstances that have organizations worried about text message recordkeeping challenges, let’s take a closer look at risks and the potential impact they can have on a business.

Legal riskText messages can also be requested as part of an e-discovery or litigation event, since texts are often considered relevant, electronically stored information (ESI) within an organization. Many courts compel the production of texts in civil litigation if a mobile device is believed to be the source of relevant text messages—regardless of whether the device and account used is owned by the individual or the business entity.

Although other forms of electronic communication, including email, are relatively straightforward to collect, archive, and extract, text is different. Companies must now figure out how to collect and preserve data from numerous devices, operating systems, and device ownership scenarios. It does not matter if an employee uses a corporate-issued device, a personally owned device, or a combination of the two for business-related texts. All devices and messages they produce are fair

game for discovery in litigation if they contain relevant business communications.

If a company’s legal team cannot find, preserve, and produce text data in real time, and respond quickly and completely when asked to search and produce specific text messages for discovery events and litigation, the organization may face legal consequences related to data spoliation, missing records, or failure to produce requested data—not to mention high legal fees.

Reputational riskThe use of text messaging without the proper monitoring protections in place can also leave a company susceptible to brand problems. Most businesses know the importance of brand reputation, because those with a strong track record tend to attract the best employee talent and are perceived as providing more value to customers. Customers may also be more loyal and likely to recommend a company if it has a trusted reputation.

The supervision of electronic communications is critical for companies that want to find and mitigate any potential reputation risks, even if they aren’t directly related to compliance or legal issues. Emails, social media accounts, and corporate websites are often monitored, but text messages must be brought within the compliance perimeter to further reduce risk. Currently, most companies still do not actively monitor business text messages sent and received by their employees despite the increasing usage.

When a company manages its brand by monitoring text messages and other electronic

The use of text messaging without the proper monitoring protections in place can also leave a company

susceptible to brand problems.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

communications on a regular basis, steps can be taken to quickly assess potential threats and mitigate potential added risks as they occur.

Regulatory riskIn highly regulated industries, text communications need to be retained and supervised. For instance, financial services firms are required by the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) to archive and supervise electronic communications used for business purposes, including text messages—and the recent Smarsh survey shows firms are not confident that they can adequately meet those requirements.

Similarly, state governments have seen recent rulings that reinforce how text messages are classified as business records. Essentially, any highly regulated industry that has recordkeeping requirements for business communications must archive electronic messages, no matter what platform they are on—and that includes mobile devices.

Don’t get left behindArchiving, monitoring, and producing

text message data needs to become a core part of your overall electronic communications risk-based surveillance preparedness. Organizations of all sizes need to put the right policies in place and implement automated text archiving and supervision systems as soon as possible—before it’s too late.

An important component of the chosen solution is the ability to archive employees’ text messages directly from mobile carriers for employer-issued devices or use a device-resident application for personally owned, ‘bring your own’ devices (BYODs) alongside your other electronic communications content. Text messages should be governed the same

way as email, social media, websites, instant messaging, and collaboration platforms—to give compliance, legal, and risk and reputation professionals the ability to supervise and produce these records in one place, with a common user and administration interface. Implementing point products and systems for specific content types leaves gaps and creates separate silos of information. This greatly complicates the process of searching for and producing a complete set of records when the need arises.

When a company has access to these content types with a single comprehensive archiving solution, conversations can be monitored from a broader and more holistic perspective. For instance, conversation threads can be followed easily when a discussion starts on social media, moves to email, and concludes in text messages.

Businesses that recognize the benefits of comprehensive archiving will reap the rewards almost immediately when they implement it to allow their employees to take full advantage of the productivity that text messaging provides while staying compliant and managing the risk. Others that leave text messages out of their electronic communications compliance strategy, or implement multiple point products to try and address it, will lag behind and be playing the odds—at a time when compliance examinations, litigation procedures, and the importance of brand reputation and risk management are more central than ever to business success. It’s time to stop ignoring the issue, and take the proper measures to enable your employees to get the full business benefits of using text messaging while making its usage compliant and safe in the process. ✵1. Aaron Smith: “U.S. Smartphone Use in 2015” Pew Research Center,

April 1, 2015. Available at http://pewrsr.ch/19JDwMd.2. Smarsh report: “The Smarsh 2017 Electronic Communications

Compliance Survey Report” Available at http://bit.ly/2GwhqPE.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Art Weiss ([email protected]) is Chief Compliance and Ethics Officer at TAMKO Building Products in Joplin, MO.

THE ART OF COMPLIANCE

Five words or less: No more than five!

by Art Weiss, JD, CCEP‑F, CCEP‑I

T his morning I saw a post shared by a Facebook friend that I keep coming back to. It said “Explain

what you do in 5 words or less. No more than 5!!” How many of us can do that? I find myself constantly answering friends’ and

colleagues’ questions about what I do. Just what is it that compliance officers do? What is compliance? I’ve answered, or tried to answer, that question literally a hundred times. Being our company’s first chief compliance officer, and the creator of our first compliance and ethics program, I was asked questions like

these almost daily. The frequency of such questions has dropped off markedly over the years. I’d like to think that it’s because I did such a great job answering those questions. More likely, I so confused people that they quit asking.

So, I am going to pass along my friend’s Facebook challenge to you. Tweet, get on SCCE’s LinkedIn site, The Compliance & Ethics Blog, or SCCEnet and tell me—and the rest of us that are asked what compliance

is—just exactly what the heck it is we do, in five words or less. I think if I leave out all pronouns, and skip a few obvious words, I might be all right. I’ll start:

· Stay out of trouble · Do what’s right (Ha, three words!) · Guide conduct (Down to two words) · Set example

See how easy this is? OK, back to work. · Prevent and detect violations of law

(Busted! Yeah, I know it’s six words and stolen from some early ‘90s government document)

· Guide behavior · Adapt (Now we’re cookin’; down to one

word!)

Piece of cake! · Adjust · Lead · Advise · Counsel · Argue (Yeah, sometimes) · Plead · Substantiate

OK, now you’ve got the picture. Let’s hope you all say this: Succeed! ✵

Weiss


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

T he U.S. Bureau of Labor Statistics has estimated that of the 151 million US citizens employed in 2016, 47 million

were between the ages of 20 and 35, a generation branded as millennials (as defined

by Merriam-Webster dictionary: A person born in the 1980s or 1990s). As the generation that has recently overtaken the baby boomers as America’s largest living generation, millennials have begun to permeate various industries within the private sector. The Bureau of Labor Statistics has published that more

than 7 million millennials currently work in wholesale and retail trade, with the 25 –34 age group taking the number one spot among the more than 20 million employed within this sector. But the idea that the number of millennials entering the US workforce has been growing quickly is not a novel concept.

Within the last decade, the industry has witnessed changes in the workplace, some of which have been introduced to attract this new generation of employees. From the introduction of open offices and interactive

workspaces, to the incorporation of extra workday perks such as beer carts, ping-pong tables, and other break-time activities, the private sector has begun to experience a “youth-quake” of its own. What has remained relatively stagnant is the training experience of this new generation of employees.

New age in learning Two major changes in learning need to be considered when it comes to training in order to avoid negative repercussions to your business, such as an employee failing to perform in accordance with compliance policies, which may lead to worse outcomes for the company as whole. These two factors are technology in education and learning styles, the latter influenced by the former.

Millennials are known as a “digital native” generation, meaning they have likely never known a world without technology and immediate access to large amounts of information. Growing up in a media-saturated world with relatively free, instant access to boundless information has altered this tech-savvy generation’s learning style. They require media-rich learning environments that don’t limit the access to relevant and concise content

New age in compliance training » The demographics of the private sector are changing, and compliance training programs must also change to meet the demands.

» This change in workforce demographics must come with a change in the methods we use to train new hires. » Compliance personnel must rise to the occasion and learn new, diverse methods of training; adapt required trainings; and create new initiatives to meet the demand of this growing population in the workface.

» Creativity will be the key to updating the usual yet outdated paper‑based and slide deck–based training methods of some in the industry.

» Within the last decade, the industry has witnessed changes in the workplace, some of which have been introduced to attract this new generation of employees. Compliance personnel should strive to do the same.

by Maria Carrasquillo

Carrasquillo

Maria Carrasquillo ([email protected]) is a Compliance Specialist at Vapotherm Inc. in Exeter, NH.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

to hold their attention and allow them to gain full understanding.

Second, massive changes in teaching methods and paradigms came about during the decades in which millennials received their formative education. Anecdotal evidence shows a greater emphasis on the use of rubrics to evaluate success, meaning that the steps necessary to succeed were clearly outlined and their relevance explained prior to a student’s attempt to complete a task. This created an even playing field for each participant and likely increased the ante in regard to competition. Also present in the millennial educational experience were the concepts of interactivity and collaboration, which have played a major role in their experiences with task completion as adults.

With this change in workforce demographic must come a change in the methods we use to train new hires—especially in regard to compliance and ethics—due, in part, to the complexity of the subject matter, lack of geographic proximity when training domestic sales or international teams, and now the presence of new factors such as learning styles, which obviously differ from generation to generation. Today, failure to incorporate a digital component, set clear goals and steps to success, explain the pertinence of information, or allow easy access to relevant content can further complicate any training initiative but more so in the field of compliance and ethics.

Our takeVapotherm Inc., a medical device manufacturing and sales company headquartered in Exeter, New Hampshire, like many other companies, has also experienced an influx of millennial-aged employees and has in turn begun to change its training methods to meet their needs and more generally grab the attention of all new hires. An initiative to create supplemental training materials as well as a gamified component in addition to our traditional compliance and ethics training is underway. The most recent

effort included the creation of quick-access rubric-like “fact sheets” to provide relevant, concise information at the employee’s fingertips via laptop or phone.

In August of 2017, the company brought together both corporate and field employees to participate in a weeklong development

program that incorporated a “compliance competition.” Participants were required to take part in a daily compliance quiz on company policies, which then culminated in a half-hour-long “escape room” competition where participants were asked to solve a fictional compliance investigation in front of an audience. Along the way, participants were quizzed on company compliance and ethics policies and were then challenged to apply these policies to the situation at hand to identify compliance violations. This hands-on approach proved to be educational yet

Second, massive changes in teaching

methods and paradigms came about during

the decades in which millennials received their

formative education.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

competitive, and it kept employees engaged and interested in the curriculum.

Final thoughtsCompliance personnel must rise to the occasion and learn new, diverse methods of training; adapt required trainings; and create new initiatives to meet the demand of this growing population in the workplace. These new initiatives could be as simple as creating easily accessible and attention-grabbing

rubric-like documents that create a clear outline of the necessary steps to meet a legal requirement or complete a task ethically. Or, the measures could be as extensive as creating an easy-access library of entertaining yet educational video or audio trainings to review important policies, processes, and procedures. Creativity will be the key to updating the usual yet outdated paper-based and slide deck–based training methods of some in the industry. ✵

International Compliance 101

Globalize Your Compliance ProgramInternational Compliance 101 covers the basics of building and maintaining an effective compliance program outside of the United States and reviews major governing directives that exist in other regions of the world.

$60 for non-members$50 for members

Available for Purchase at corporatecompliance.org/International101Also available in electronic format at Amazon.com or Kobobooks.com

Published by the Society of Corporate Compliance and Ethics (SCCE). Copyright © 2018 SCCE. All rights reserved.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

HOW TO BE A WILDLY EFFECTIVE COMPLIANCE OFFICER

Three entrepreneurial ideas to bring to Compliance

“I terative,” “Failing forward,” and “MVP” were unfamiliar phrases for me when I started my company

two years ago. In reading about successful entrepreneurship, I realized that many ideas that help make entrepreneurs successful can also help make compliance officers

successful. Ready to challenge your entrepreneurial self? Try out these three ideas.

Iterative“Iterative” is defined by the Cambridge Dictionary as “doing something again and again, usually to improve it.” When one takes an iterative

approach, it means that the original version doesn’t have to be perfect. In fact, the first version may not even be terribly good. Instead, it serves as a place to start.

It’s been said that “the perfect is the enemy of the good.” You may feel that you can’t send out a draft of the new code of conduct until it’s perfect. You may feel that you can’t give your training until the slides are perfect. Don’t fall into that trap. Start with something. Then iterate into a new and improved version.

Failing forwardHave you ever noticed on shows like Shark Tank, the investors favor entrepreneurs who have already owned companies—even if they’ve previously failed? That’s because people learn quickly from failure. Failure is practically deified in Silicon Valley. If you haven’t failed big, the thinking goes, you probably haven’t tried hard enough.

Might you fail? Sure. But it’s just as likely that you’ll succeed. Perhaps this year you’ll offer your employees the option to test out of online training. If someone can pass the test before taking the online course, then they don’t have to take it. Perhaps you can try a mobile code of conduct or an online app for policies. If you accept that you may fail, you may succeed beyond what you thought was possible.

MVPIn the entrepreneurial world, “MVP” stands for minimum viable product. This is the idea that you socialize or sell your idea as soon as it is formed enough to test it. If you’re thinking of innovating within your program, roll out the idea to a test group as soon as it is fully formed. By getting feedback on it early on, you can pivot to make your idea more effective.

By employing these entrepreneurial ideas into your program, you can be the MVP—most valuable player—on your team. ✵

by Kristy Grant‑Hart

Grant-Hart

Kristy Grant-Hart ([email protected]) is the Managing Director of Spark Compliance Consulting in London, and author of the book, How to be a Wildly Effective Compliance Officer. ComplianceKristy.com @KristyGrantHart

bit.ly/li-KristyGrantHart

66

Congratulations Newly certified designees!

Achieving certification required a diligent effort by these individuals. Corporate Compliance & Ethics Professional (CCEP)® certification denotes a professional with sufficient knowledge of relevant regulations and expertise in compliance processes to assist corporate industries in understanding and addressing legal obligations. Certified individuals promote organizational integrity through the development and operation of effective compliance programs.

· Ayobami O. Adisa · Adetara C. Agbakoba · Marie Barrett · Courtney Baxter · Christopher Bills · Bradley Blanchard · Joseph Cantalini · Boru Chen · Daniela M Sandoval Coli · Jessica Davis · Treza Edwards · Janine Foster · Lara Fox · Jamie Galioto

· Erin Gallagher · Jody Gonzalez · Pamela M. Harper · Cheryl Harris · Leah Hughes · Susan Hutson · Terri James · Robert J. Kane · Joy Kelleher · Kevin D. Kelley · Theodore Kelly · Edward Key · Guruka Kaur Khalsa · Andrea Kibalo

· Tyler Langford · Kerrie Liedtke · Fotoula Mantas · Alexander T. Marx · Erin R. McGowan · Michelle Mentzer · Chase Meyers · Andrew Nasar · Violet O. Ncho · Sujata A. Pagedar · Candice Palen · Lindy Palmberg · Frances Palmer-Smith · Annunziata Pasquale

· Regan Pennypacker · Karl Porter · Ashok Rau · Nakia Robinson · Alfredo Rodriguez · Rebecca Rohr · Candin Ruvolo · Philip Strauss · Lisa A. Sullivan · Jennifer Sum · Nicole Tarasoff · Kristen M Thaler

The Compliance Certification Board (CCB)® offers opportunities to

take the CCEP and CCEP-I certification exams. Please contact us at [email protected], call +1 952.933.4977 or 888.277.4977, or visit ComplianceCertification.org.

The individual who earns the Corporate Compliance & Ethics Professional - International (CCEP-I)® certification is a professional with knowledge of relevant international compliance regulations and has expertise in compliance processes sufficient to assist corporate industries in understanding and addressing legal obligations, and promoting organizational integrity through the operations of an effective compliance program.

· Sharmila Chandan · Jay D. Mitchell · Huiping Mo · Viviana Montero · Diana Vellara

A few letters after your name can make a big difference.Why do people add JD, MBA, or CPA after their name? They know those initials add credibility.

Become a Certified Compliance and Ethics Professional (CCEP)®, a Certified Compliance & Ethics Professional‑International (CCEP‑I)® or a Certified Compliance & Ethics Professional‑Fellow (CCEP‑F)®.

Set the bar for your compliance team and demonstrate your skill in the compliance profession, increase your value in the workplace and to future employers, and showcase your compliance knowledge and experience.

Applying to become certified is easy.To learn what it takes to earn the CCEP, CCEP‑I, or CCEP‑F designation, visit compliancecertification.org.

Become Certified

ccb-2018-03-all-ccep-certifications-1pgad.indd 1 2/6/18 3:27 PM


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

SCCE welcomes NEW MEMBERSALABAMA

· Deborah Boutwell, Poarch Band of Creek Indians

· Kimberly Long, Poarch Band of Creek Indians

· Lauren Montgomery, The University of Alabama System Office

· Blanche Thompson, Poarch Band of Creek Indians

ARIZONA · Alicia Aguirre · Jesus Amaya · Lara Fox, University of Phoenix · Jennifer Gilhool, ON Semiconductor · Mary Modelski, Valley Metro

ARKANSAS · Jonathan Avila, Walmart Stores Inc

CALIFORNIA · Carl Ellis, Parker Hannifin · Emilie Gawronski, VMware Inc · Derek Ho · Malcolm MacLeod, JLL, Inc · Melissa Marvier, JLL, Inc · Angela McClure, Solano County Public Health

· Mardi Norman, Dynamic Systems Inc · Brandi Schmitt, University of California Office of the President

· Anne Sweeney-Hoy, Stanford University

COLORADO · David Jones · Lisa McGuire, Convercent · Donald Weston, Kiewit Corporation · Jim Wilson, Superior Operations

CONNECTICUT · John Hoff, NatWest Markets

FLORIDA · Monica Cruz · Tod Godfrey, Walmart Stores Inc · Carla Markx, University of Central Florida

· Pariksith Singh, Access Health Care Physicians, LLC

· Jeff Vanderark, Lockheed Martin

GEORGIA · Mary Briley, Georgia Southern University

· Kelly Crosby, Georgia Southern University

· Derek Gilliam, The Coca-Cola Company

· Sterling Ives, Georgia Southern University

· Anitra McDade, Georgia Pacific · Katrina McNair, Georgia Southern University

· Rhonda Musser, The Coca-Cola Company

· Kimberly Phelps, Southern Nuclear · Jyotsna Vanapalli, University of Maryland

ILLINOIS · Philip Bach, Top Jar, LLC · Gilberto Carrillo, Reyes Holdings · Kitty Liu, Komatsu America Corp · Nancy Masten, Great Lakes Higher Education

· MyLynda Moore, Blue Cross Blue Shield Association

· JoAnn Nyssen, ACCESS Community Health Network

· Corey Perman, R1 RCM Inc · Stacey Randell, Wauboonsee Comunity College

· Chris Runowski, Komatsu America Corp

IOWA · Shawna Pope, FBL Financial Group, Inc

KANSAS · Jon Stiebner, Koch Minerals, LLC

KENTUCKY · Jaclyn Badeau, Tempur Sealy · Ashley Lewis, Tempur Sealy

MARYLAND · Joana Cobblah, Equal Justice Works · Sonia Owens, US Senate

MASSACHUSETTS · Eric Baim, Dovetail Consulting Group LLC

· Nancy Eddy, Fresenius Medical Center

· Anna Estiandan, Springfield Medical Associates

· Michelle Gerroir, Blue Cross Blue Shield of MA Inc

· Amy Richard

MICHIGAN · Favi Bogen, BorgWarner · Caroline Connelly, JLL · Sara Horvath, Whirlpool Corporation · Kiewanin Johnson, Walmart Stores Inc

MINNESOTA · Maureen Anderson, GreenPath, Inc · Ricardo Figueroa, Minnesota Department of Human Services

· Megan Gerlach, VF Corporation · Hannah Thompson, Prime Therapeutics

· Jeff Van Nest, FBI

MISSOURI · Teresa Moreno, Boeing

NEBRASKA · Jan Kleinhesselink, Lincoln Surgical Hospital

NEW JERSEY · Bin Li, Johnson & Johnson · Deborah LoDico, Zufall Health · Erin Mandato · AlJabbar Riddle, Riddle Compliance Consulting, LLC

NEW YORK · Jamal Ahmad, StoneTurn Group · Vanessa Baldwin, Heritage Ministries · Barbara Boland, CA Technologies · Michele Bowman, Eli Global · Shawn Carlson, Abilities First Inc · Joann Casado, The Children’s Aid Society

· Bruno Consentino, IWRCF Advogados · Carol Lopez, Palladium Equity Partners

· Jonathan Newcomb, Guidepost Solutions

· Joseph Santiago, Med-Trans Corporation

· Joan Sullivan, Harris Beach · Debra Torres, The Prot Authority of NY & NJ

NORTH CAROLINA · Kathryn Hast, Asheville-Buncombe Technical Community College

· William Pleasant, CommScope · Kenneth Wittenauer, Husqvarna AB


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

OHIO · Ed Allison, Honda Logistics North America Inc

· Rosemary Benton, EnvisionRx Options

· Elizabeth Hoffman, TimkenSteel Corporation

· Carol Krysevig, FirstEnergy Corp · Amber Williams, L Brands · Amy Yates, EaglePicher Technologies, LLC

OKLAHOMA · Maria Canaga, Global Gaming Solutions

PENNSYLVANIA · Scott Beaves, FedEx Ground · Heather Grantz, Arconic · Erin Lederman, Lockheed Martin · Kimberly Quinn, KenCrest Services · Donna Sadusky, Alcoa · Andrew Whittemore, Lockheed Martin

RHODE ISLAND · Tracy Feeney, BAMSI

SOUTH CAROLINA · Jill Bechtold, The Boeing Company · Beverly Cleveland, Fluor Government Group

SOUTH DAKOTA · Marcie Cudmore · Nicole Daniel, Black Hills Corporate

TENNESSEE · Dana Dalton, Univ of Tennessee · Talisha Marshall, Blue Cross Blue Shield of Tennessee

TEXAS · B. Riku Ahluwalia, Houston Community College

· Robert Bailey, CITGO Petroleum · Tiffany Dixon, Altrua HealthShare · Reagan Heine, American Airlines Inc · Laurie Hill, American Airlines Inc · Cheryl Krafft, Genentech, Inc · Tamara Kubala, JPI Companies · Rene Navarro, Emergence Health Network · Wisdom Oghenerurie, Cheniere Energy · Susan Parcell, Marathon Oil Company · Stefany Records, University of Houston-Downtown

· Julie Rickman, CaptureRx · Margaret Rupert, Golden Spread Electric Cooperative Inc

· Patrick Sanders, American Airlines Inc · Cari Shanks, Univ of Texas Southwestern Medical Center

· Vincent van Panhuys, American Airlines Inc

UTAH · Todd Corbett, Xcelus, LLC · Mitch Gilbert, Western Governors Univ

· Alton James, Western Governors Univ · Lucas Kavlie, Western Governors Univ · Ashley Leonard, Utah Attorney General’s Office

· Barbara Pavlick, Western Governors Univ

· Linda Wendling, Western Governors Univ

· Roderick Willis, Western Governors Univ

VIRGINIA · Shannon Firman, Lumber Liquidators · Julie Hurd, Freddie Mac · Jamie Mera, Boeing · Mary Ann Nord, Leidos Inc · Lynn OConnor, CFA Institute · Jerry Porter, Federal Home Loan Banks-Office of Finance

· Rosemary Wagner, CFA Institute

WASHINGTON · Tracy Chen, Microsoft Corporation · Lynn Erickson, The Boeing Company · Jesse Hart, The Boeing Company · Sharla Rohr, The Boeing Company · Julie Russell, The Boeing Company · Allie Wittenberger, Alaska Airlines

WEST VIRGINIA · Amy Kittle, Davis & Ekins College

WISCONSIN · Benjamin Lee, Great Lakes Higher Education

DISTRICT OF COLUMBIA · Victoria King, Gallaudet University · Michael Provenza, Chemonics International

PUERTO RICO · Alessandra Merino

CANADA · Lesley Hallowell, JJMDC · Tommaso Nunziato, Ethidex Inc

FINLAND · Selma Mustonen, Stora Enso Oyj

GEORGIA · Ana Tatishvili, JSC Silknet

HONG KONG · Grace Michallet, AECOM

INDIA · Simrat Sohal, Becton Dickinson · Pankaj Bisht

JORDAN · Sufian Khatib, Aramex International

NETHERLANDS · Flavia Pacheco, Omron Europe · Megan Paget-Brown

PORTUGAL · Giovanna Crotti

SAUDI ARABIA · Ibrahim Aldinyawi, Public Pension Agency

SINGAPORE · Paulus de Ruiter, Experian · Yann Shuang Lee, Medtronic International Ltd

· Ek Chuan Ng, Faro Singapore Pte Ltd · Angela Ong, Medtronic · Yien Chyn Tan, Internet Corporation for Assigned Names and Numbers

SWITZERLAND · Gabe Shawn Varges, HCM

UNITED ARAB EMIRATES · Latika Kapoor, Johnson & Johnson · Balasaraswathi Motwani, Johnson & Johnson ME FZ LLC


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

THE LAST WORD

We’re supposed to “monitor”? What does that mean?

A s part of another recent project, the question came up, “What does it mean to do monitoring in a

compliance program?” Under the Sentencing Guidelines, we are supposed to engage in “monitoring and auditing to detect criminal conduct.” So starting with basic logic, if it says

“monitoring and auditing,” then they must mean something different.

If you research what “auditing” means, you will find plenty. But “monitoring”? Not so much.

Here are some basics. Auditing is retrospective in nature. You are looking back at what happened before to determine if the rules were

followed and if people did the right thing. The term “audit” may be a very technical term with defined meanings in the accounting profession, but it is also used generally in the compliance and ethics field to cover a range of checking. One of the core aspects of auditing is the need for some degree of independence. Someone engaged in auditing should not be reviewing their own work. The person conducting the audit should not have an interest in what is being audited.

In contrast, monitoring generally refers to real-time reviews. Rather than looking back at what happened, one is observing activities as they happen. Although someone conducting monitoring may be independent, it is less of an expectation than is the case for auditing.

What would be examples of monitoring? This is a function that can be performed by line management. The sales supervisor may ride along with a sales person to observe how they perform. The supervisor may offer coaching on sales techniques to help the person improve. But at the same time, the supervisor should be watching for any red flags or questionable conduct.

If supervisor monitoring is to serve a compliance function, then there are steps that should be taken. Supervisors need training to spot red flags; they should know to contact their Legal department immediately at the first sign of trouble. Supervisors should also have this compliance monitoring function as part of their job descriptions and as a key part of their appraisals and incentives.

Monitoring is also a function of company lawyers and compliance people. When they sit in on business meetings, when they talk with fellow employees, and when they listen to employees in training sessions, they are also performing a monitoring function.

Of course in the age of big data, we also need to consider electronic reviews. It is possible to do automatic monitoring of company numbers and employee language. A company’s data system may detect number patterns or email language that constitute red flags.

So the next time you wander the floors, chatting with employees, and your boss asks what you are doing, just tell her you are engaged in the important function of compliance monitoring! ✵

by Joe Murphy, CCEP, CCEP‑I

Murphy

s

Joe Murphy ([email protected]) is a Senior Advisor at Compliance Strategists, SCCE’s Director of Public Policy, and Editor-in-Chief of Compliance & Ethics Professional magazine.


Com

plia

nce

& Et

hics

Pro

fess

iona

l® M

ay 2

018

Code training: A different perspectiveJessica Tjornehoj (page 26) » Current methods of Code training need a refresh to

be effective in an era of limited attention spans. » There is a disconnect between Code training and

actual subsequent use of the Code as a resource by employees.

» The Code should be used as a real-time resource for employees as they need guidance.

» Code training is an opportunity to train employees on how to find what they need in the Code.

» Knowing how to use the Code long-term is more effective than short-term memorization of Code highlights chosen by ethics teams.

Third-party assessments of ethics: A proactive tool to demonstrate due diligenceVincent DiCianni and Eric R. Feldman (page 30) » It is difficult for companies or compliance

professionals to assess their own program. » An assessment of an established E&C program by

an independent entity can avoid bias or erroneous conclusions based on employee feedback.

» The goal of a program assessment is to gain insight into the strengths of a company’s corporate culture as benchmarked against those of similar companies.

» A company’s investment in a third-party assessment can become a significant asset and end up being its best defense.

» Proactive evaluations help forward-thinking companies identify potential weaknesses or risks.

Is building an environment of trust a Board responsibility?Frank Bucaro (page 37) » Board members need to become more involved

in the culture and consistently evaluate if they are genuinely managing the culture as well as serving the long-term goals of the organization.

» Boards need to stop asking, “Can we do this?” but instead ask, “Should we do this?” Active board engagement is crucial in directing the decision-making process.

» Focus on how one’s organization does business, not what it does. Board members need to draw on their strengths and business acumen to focus on this issue.

» Reward ethical behavior and punish unethical behavior immediately. This is becoming increasingly a nonnegotiable, because this sets the tone for an environment of trust.

» Focus on doing the right thing, at the right time, for the right reason. Board discernment is critical and needs a proactive attitude and focus on guiding an organization.

The GDPR’s Article 6 and the future of anti-bribery due diligenceIllya Antonenko (page 40) » The General Data Protection Regulation (GDPR), a

new EU privacy legislation, will have a significant impact on anti-bribery due diligence.

» The “legitimate interests” of the controller are the most appropriate basis for processing personal data of EU residents as part of anti-bribery due diligence.

» An authorization by the third party under review will not be sufficient.

» The Foreign Corrupt Practices Act cannot be used to establish the “legal obligation” basis for processing personal data under the GDPR.

» There is a risk that the GDPR will put up significant obstacles to processing criminal background information of EU residents.

RegTech and blockchain: Only as strong as your weakest link Cris Mattoon (page 44) » Organizations seek RegTech solutions to reduce risk in a

cost-effective, automated manner. » Repetitive, transaction-based compliance tasks can

be routinized, thus freeing up professional resources to perform higher-level analysis and institute qualitative improvements.

» Trusted systems are essential when performing and validating compliance activities that rely upon RegTech.

» Distributed ledger technology (blockchain) employs a permissioned consensus mechanism to confirm transactions, thus heightening trust.

» Blockchain will continue to be leveraged to improve transparency, strengthen internal controls, and provide greater assurance to stakeholders.

What is the role of a Human Resources department?Ted Banks and Sharon Ray (page 49) » HR departments should be available for help in all

compliance concerns and should be the first line of defense when it comes to cases of alleged sexual harassment.

» The evidence from media reports indicates that HR departments at numerous companies failed to protect either the company or the employee due to incompetence, active collusion with managers who behaved improperly, or by engaging in willful blindness.

» Like Compliance departments, HR departments need to get management buy-in to a set of standards that the company stands for—and the HR department will enforce.

» HR employees need to receive training in how to deal with allegations of improper conduct.

» HR departments can provide a positive benefit not only to the morale but also to the profitability of their company.

Running a compliance program on a shoestring budgetLeslie Reed (page 54) » Use existing resources. You may already have what

you need. » Involve other departments. Everyone has

something to offer. » Resourcefulness is free. Don’t reinvent the wheel. » Create a business case. Be prepared for when you

have to ask for money. » Timing is everything. Certain events can give you

the opportunity to seek funding.

Ungoverned text messaging exposes your company to significant riskMike Pagani (page 57) » Employee use of text messaging for business

purposes is on the rise despite prohibition policies by organizations in the financial services industry and public sector.

» Recordkeeping and proper supervisory obligations for electronic communications extend to text messaging if the messages contain business-related content.

» Most organizations in regulated industries still do not have a proper system in place to reliably capture, supervise, and produce employee text messages.

» Organizations mistakenly implement separate point products and systems for each electronic communication type instead of using a single, comprehensive archiving platform.

» Text messaging is highly efficient and boosts productivity for employees, but it must be properly governed to keep its use compliant.

New age in compliance trainingMaria Carrasquillo (page 62) » The demographics of the private sector are

changing, and compliance training programs must also change to meet the demands.

» This change in workforce demographics must come with a change in the methods we use to train new hires.

» Compliance personnel must rise to the occasion and learn new, diverse methods of training; adapt required trainings; and create new initiatives to meet the demand of this growing population in the workface.

» Creativity will be the key to updating the usual yet outdated paper-based and slide deck–based training methods of some in the industry.

» Within the last decade, the industry has witnessed changes in the workplace, some of which have been introduced to attract this new generation of employees. Compliance personnel should strive to do the same.

May 2018TakeawaysTear out this page and keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.

s

Compliance & EthicsPROFESSIONAL

SCCE upcoming events

Learn more about SCCE events atcorporatecompliance.org/events

2018Higher Education Compliance Conference June 3–6 | Austin, TX

Internal Investigations Compliance Conference June 7–8 | Orlando, FL

Data Governance Conference 25–26 June | London, United Kingdom

Board Audit Committee Compliance Conference September 24–25 | Scottsdale, AZ

Compliance & Ethics Institute October 21–24 | Las Vegas, NV

Basic Compliance & Ethics AcademiesJune 11–14 | Scottsdale, AZ

August 6–9 | Washington DC

September 10–13 | Las Vegas, NV

October 1–4 | Dallas, TX

November 12–15 | San Diego, CA

December 10–13 | Orlando, FL

INTERNATIONAL Basic Compliance & Ethics Academies9–12 July | Singapore

20–23 August | São Paulo, Brazil

24–27 September | Madrid, Spain

Regional Compliance & Ethics ConferencesMay 18 | San Francisco, CA

June 8 | Atlanta, GA

June 21–22 | Anchorage, AK

13 July | Singapore

August 17 | Columbus, OH

24 August | São Paulo, Brazil

September 21 | Washington, DC

September 28 | Dallas, TX

4 October | Sarajevo, Bosnia And Herzegovina

NEW

27 28 29 30 31 1 2

3 4 5 6 7 8 9

10 11 12 13 14 15 16

17 18 19 20 21 22 23

24 25 26 27 28 29 30

June 2018 Sunday Monday Tuesday Wednesday Thursday Friday Saturday

29 30 1 2 3 4 5

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30 31 1 2

May 2018 Sunday Monday Tuesday Wednesday Thursday Friday Saturday

REGIONAL CONFERENCEChicago, IL

WEB CONFERENCE:

Conduct Risk Reporting – Connecting the Dots Across Key Metrics

REGIONAL CONFERENCESan Francisco, CA

WEB CONFERENCE:

LET THE GAMES BEGIN; Improving Compliance Cultures with gamification

WEB CONFERENCE:

2018 Compliance & Ethics Institute Preview Webinar

Higher Education Compliance Conference Austin, TX CCEP Exam

WEB CONFERENCE:

Quilting for Employers: Patching Together Employment Compliance Trends

Internal Investigations Compliance Conference Orlando, FL

REGIONAL CONFERENCEAtlanta, GA

Basic Compliance & Ethics Academy® Scottsdale, AZ CCEP Exam

REGIONAL CONFERENCEAnchorage, AK

Data Governance Conference London, UK

With this book, you’ll learn: ■ What it means to have an ethical culture

and why it’s critical to your organization’s survival

■ How to build a solid foundation for a compliance and ethics program that thrives

■ How to inspire, support, and reward ethical behavior

■ Strategies and tactics to strengthen and reinforce values-based behavior and a commitment to integrity over time

AVAILABLE N OW !

corporatecompliance.org/books

Published by the Society of Corporate Compliance and Ethics (SCCE) Copyright © 2018 SCCE. All rights reserved.

ETHICALCULTURE

B U I L D I N G A N

complianceethicsinstitute.org

Follow a Track: Professional Skills - NEW, Advanced Compliance - NEW, Compliance Lawyer, IT Compliance, Ethics, Risk, Case Studies, Multi-National/International, General Compliance/Hot Topics,

Advanced Discussion Groups

> Global Compliance> Internal Investigations> Risk Assessment

> Fostering a Compliance Culture

> Cyber Security> Whistleblowers> Retaliation

> SOX Compliance > Privacy Programs> Regulatory Compliance

Attendees have the opportunity to learn about current hot topics including:

OCTOBER 21-24, 2018 | LAS VEGAS, NV

COMPLIANCE & ETHICS INSTITUTE

17th Annual Society of Corporate Compliance and Ethics

Save! Register by June 5

Full AgendaONLINE NOW

10 LEARNING TRACKS

150+ SPEAKERS

100+ SESSIONS

1800+ ATTENDEES

scce-2018-cei-ad-cep-may.indd 1 4/2/18 2:14 PM

compliance ethics · 2018-04-06 · a publication of the society of corporate compliance and ethics...

Documents