Compliance Perspectives

English, Education, 1 season, 237 episodes, 2 days, 3 hours, 55 minutes
About
An SCCE Podcast

HHS Office for Civil Rights Director Melanie Fontes Rainer on Progress and News at OCR [Podcast]

By Adam Turteltaub Melanie Fontes Rainer recently marked the completion of her second year leading the Office for Civil Rights at HHS. In this podcast she shared some of the accomplishments over this time as well as what the health care community can expect next. She recounts the six rules that have been issued, ranging from reproductive rights to Section 1557 of the Affordable Care Act, which covers nondiscrimination and is inclusive of sex, race, disability, national origin, religion and color. Also of note have been activities designed to ensure access to documents in languages other than English. She also shares what OCR has been doing to engage with the provider community through in-person meetings, webinars, YouTube videos and resources on their site. Looking to the future, the Director warns that health care providers are likely to continue to be attractive targets for data breaches and ransomware attacks. She advises covered entities to do what they can to make themselves less attractive by having a risk plan and implementing it. Listen in to learn more about what OCR has been and will be doing.
8/20/2024 - 16 minutes, 45 seconds

Hilary Kitson on Research Conflicts of Interest [Podcast]

By Adam Turteltaub There isn’t one way to handle conflicts of interest. Much depends on the research the organization is doing, its history and other systems. Hilary Kitson, Research Compliance Business Partner at Saint Luke’s Health System, reports that typically the starting point is Title 42 PART 50 Subpart F in the Code of Federal Regulations. It lays out time points when disclosures are necessary:

- Annually
- When discovering or acquiring a new financial conflict of interest (COI)
- At the time of application for PHS-Funded research

Disclosures aren’t enough, though. There need to be investigators and a review committee who are competent to examine potential conflicts and are sensitive to the confidentiality of the information involved. And what if there is a conflict? She advises involving regulatory and other professionals who can help develop a management plan, if one is necessary. Listen in to learn more about the very complex issue of conflicts of interest in research.
8/15/2024 - 12 minutes, 2 seconds

Rui Ribeiro on Privacy Issues from Third-Party Website Tags [Podcast]

By Adam Turteltaub Here’s a terrifying thing I just learned: the average ecommerce website has 66 third-party tags on the page. That’s according to our podcast guest, Rui Ribeiro, CEO of Jscrambler. The tags, pixels and scripts control everything from the video to payment processing to the consent wall to the chat function. And, guess what: they may all be collecting user data, and, quite possibly, more data than they should. So what’s a compliance officer to do, other than lose sleep over the issue? First, make sure there’s an inventory on all those tags, pixels and pieces of JavaScript running on your site and what data they are collecting. While you’re doing it, don’t just ask what’s being run at HQ. There may be regional variations. Next, spend time with all the departments that touch the site to see what they truly need and that data isn’t being accessed without good reason. Then change your thinking around GDPR. It’s not about just getting consent to collect data, it’s time to use it as a warning to focus on knowing who the data is being collected from and why. Once you have that squarely in mind, you can find the right tools to control the data flow and ensure your organization and its third parties are only collecting essential data, not everything you can.
8/13/2024 - 14 minutes, 30 seconds

Jisha Dymond on the Compliance Places You’ll Go [Podcast]

By Adam Turteltaub
What have you done? What have you achieved?
Have you forgotten? Did you succeed?
What were your goals? Were they ever reached?
What about your firewall? Was it ever breached?
Jisha Dymond took inspiration from Dr. Seuss
An annual tradition to give kids a boost.
Take the time to note what you have done.
It will be illuminating, and may even be fun.
This is a podcast you truly must hear.
It may change your outlook for many a year.
8/8/2024 - 11 minutes, 29 seconds

Stephen Paskoff on the New EEOC Guidance on Workplace Harassment [Podcast]

By Adam Turteltaub In April 2024 the US Equal Employment Opportunity Commission released an update to the Enforcement Guidance on Harassment in the Workplace. This was the first update since 1999. Stephen Paskoff, the President and CEO of ELI, explains that the guidance now treats LGBTQIA+ harassment similarly to other forms of harassment. The document now also addresses behavior outside of the workplace, making it clear that employers need to train and be more sensitive to behavior beyond the factory gates. Listen in to learn more about what is new in the EEOC Enforcement Guidance on Harassment in the Workplace.
8/6/2024 - 9 minutes, 38 seconds

Michael Kearney on Document Retention [Podcast]

By Adam Turteltaub Document retention is one of those persistent issues that comes with a great deal of complexity. As Michael Kearney (LinkedIn), Head Solution Architect, Redgrave Data explains in this podcast, organizations have to deal with a dizzying array of rules. HIPAA has one set of requirements, state laws for medical records another, financial documents have a third, employment records a fourth and on and on it goes. In addition, there are business needs for retaining and disposing of records. So, what’s a compliance team to do? He recommends working with the business unit and other affected teams to write policies that meet the needs of all involved and work out any conflicts internally or among the regulations. Work, too, with employees who may want to hold on to documents longer than policy dictates. You may find that what they want to keep is the data, not the document itself. And, if there is a litigation hold, be prepared to work quickly with legal, IT and others to ensure that the relevant documents are preserved while your ongoing document retention processes continue.
8/1/2024 - 10 minutes, 42 seconds

Rosie Williams and Walter Appleby on Data Analytics [Podcast]

By Adam Turteltaub Data analytics is a pretty darn big deal in compliance and ethics these days, with rising expectations for compliance programs to be able to demonstrate their effectiveness using hard data. The word “data” even appears a dozen times in the US Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs document. Walter Appleby, formerly VP, Compliance & Ethics at Georgia-Pacific and Rosie Williams, Director, Compliance & Ethics there will be addressing “Harnessing the Power of Data: Unleashing Compliance Excellence” at the SCCE 23rd Annual Compliance & Ethics Institute, which will be held September 22-25 in Grapevine, TX. In this podcast they explain that better use of data carries a number of benefits including a stronger risk assessment and management program, better informed decision making, and more effective use of compliance resources. Data analytics begins with collecting together the data you have and determining its quality. As the old adage says: bad data in, bad data out. Sources of data can include your helpline, training statistics, HR and even legal. You will also need to determine which metrics best reflect the performance of the compliance program. Here, the risk assessment is helpful, but so too is taking the time to listen to and think through the needs of your customers in the business unit. Next, determine the proper recipe for integrating the various data resources so you and leadership can gain insights into gaps and deficiencies. This likely includes taking the time to think graphically to determine how best to visualize the data in ways management finds useful. Listen in to learn more about how to use data to pinpoint issues, identify opportunities and assess the effectiveness of your program. And, don’t forget to catch their session at the 23rd Annual Compliance & Ethics Institute.
7/30/2024 - 13 minutes, 46 seconds

Matt Rasmussen and Ryan Frye on Retrieving Phone Data [Podcast]

By Adam Turteltaub Mobile devices are terrible if you need to retrieve information from them. Employees hate handing them over and there are a ton of apps in which data disappears automatically. All in all, it’s just a nightmare. But, the government still wants you to track what employees are saying, and you may have to produce that data. Matt Rasmussen (LinkedIn), CEO, and Ryan Frye (LinkedIn), Chief Innovation Officer of ModeOne want to discourage you from falling into despair over the prospect. Employee resistance can be overcome by taking a targeted approach and using electronic tools that only seek business-related data. Even before you get to that point, though, they recommend taking the time to train the workforce about what rights the company has to the data so this doesn’t come as an intrusive surprise. Listen in to learn more about how to make retrieving mobile device data a bit less painful.
7/25/2024 - 7 minutes, 59 seconds

Deborah Spanic and David Gebler on What the Board Should be Asking [Podcast]

By Adam Turteltaub “What else should the board be asking?” It’s a good question in general and the title of a session at the SCCE Compliance & Ethics Institute, which will be held September 22-25, 2024 in Grapevine, TX. In this podcast, the leaders of that session, Deborah Spanic, Chief Ethics & Compliance Officer of Clarios, and David Gebler (LinkedIn), Principal of Leading with Ethics, share that there are three fundamental questions the board should be asking about the compliance program:

- Is the compliance program well designed and aligned with risk?
- Is the program being applied earnestly and in good faith with adequate resources?
- Does the compliance program work in practice?

From there a host of other questions fall out including those focused on culture and on the connection between the compliance program and the enterprise’s overarching strategy. Making sure the board is asking the right questions, and getting the answers it needs, requires a strong relationship with the compliance team. In Deborah’s case that includes being a standing agenda item for the audit committee each quarter and having a one-on-one conversation each mid-cycle with the audit committee chair. Listen in to learn more, and then be sure to join their session in Grapevine at the Compliance & Ethics Institute.
7/23/2024 - 13 minutes, 3 seconds

Evie Wentink on Misconduct Reporting by Remote Employees [Podcast]

By Adam Turteltaub How do you get employees working remotely, who may have less of a connection to the company, to make the effort and take the risk of reporting potential wrongdoing? For Evie Wentink, it starts with recognizing the need to encourage a culture of reporting for these workers. It also includes recognizing that, even though they are remote, it doesn’t mean that they aren’t victims of or witnesses to a range of bad behaviors including harassment and bullying. Compliance teams should also recognize that remote workers lack many of the casual opportunities to discuss with peers what they are seeing and what to do about it. To help overcome these challenges, she recommends training and creating multiple reporting avenues. She also recommends training managers in active listening so that they know what to do when an employee walks through the virtual door with a concern.
7/18/2024 - 16 minutes, 14 seconds

Kortney Nordrum on Social Media Risk in 2024 [Podcast]

By Adam Turteltaub It’s not for nothing that there’s a year in the title of this blog post and podcast. Social media risks change frequently, explains Kortney Nordrum, VP, Regulatory Counsel & Chief Compliance Officer at Deluxe. She is the author of the chapter “Social Media Compliance” in The Complete Compliance and Ethics Manual and will be leading the session Social Media:  Old News and New Risks at the 23rd Annual Compliance & Ethics Institute. These days the range of those risks is substantial. TikTok poses a notable challenge, since it accesses most everything on the user’s phone, which means work email and files may be exposed. At the same time the FTC and NLRB have been very aggressive in their enforcement. The FTC has been scrutinizing endorsements – and a “like” may count as one – by employees of their employer’s products and services. Meantime, the NLRB has made it clear that it believes employees have wide, although not complete, latitude about what they say about their workplace online. And, if that wasn’t enough, the marketing and social media teams need to be trained (and monitored) for what they are saying and doing in the company’s name. What should you do? She recommends training with concrete examples, teaching people some common sense, and keeping lines of communication open. To learn more, listen in and then don’t miss her session at the 23rd Annual Compliance & Ethics Institute.
7/16/2024 - 14 minutes, 37 seconds

Sarah Couture on Compliance Mentoring [Podcast]

By Adam Turteltaub Everyone wants a mentor. Not everyone gets one, and not every mentor-mentee relationship works out. Sarah Couture, Principal at Couture Compliance wants to change that. She’s the author of the chapter, “Mentoring for Compliance Professionals” in the Complete Healthcare Compliance Manual. In this podcast, she offers advice for mentors and mentees both. Here’s a sample:

Mentors and Mentees
- Level setting is essential for ensuring expectations are aligned
- Think about your objective, what frequency of meetings makes sense and for how long the relationship should last
- Be humble and transparent

Mentees
- Look for someone you respect
- Don’t only look for people who know exactly what you do; be open to outside expertise
- Let your goals help drive your mentor selection

Mentors
- Consider if you truly have the time
- Ask: “Can I provide what this person is looking for?”
- Only select mentees you respect and click with
- Ask if the mentee is curious, willing to learn and to grow

Listen in to learn more about how to make the mentor-mentee relationship work, and, if you subscribe to the Complete Healthcare Compliance Manual, be sure to read Sarah’s chapter.
7/11/2024 - 10 minutes, 57 seconds

Michelle Nichols on Compliance Lessons from Dating in Your 50s [Podcast]

By Adam Turteltaub Michelle Nichols (LinkedIn) from the compliance team at Farmer Mac definitely wins the prize for the most unexpected title for a session at the 2024 SCCE Compliance & Ethics Institute: “How Dating in My 50s Made Me a Better Compliance Officer.” As she explains in this podcast, the realization that people bring their past relationship experiences to potential new relationships shed light on a challenge compliance teams need to address starting with the onboarding process. While HR typically handles that process, laying out what the company’s policies and expectations are, that doesn’t fully address things. Simply stating that an employee gets x days of vacation may mean one thing to a person who came from a company where people took their vacations and another to someone coming from an organization where not taking vacation was a badge of honor. Likewise, the new employee may bring unwanted baggage with him or her when assessing their new employer’s culture and commitment to compliance. Listen in to learn more and learn what this means for both compliance teams and managers, and be sure to attend her session at the 2024 SCCE Compliance & Ethics Institute.
7/9/2024 - 10 minutes, 39 seconds

Sam Logan on Human Trafficking and Modern Slavery Risk [Podcast]

By Adam Turteltaub As the risk of human trafficking and modern slavery rises on the radar, compliance teams need to start their risk assessment by looking at the map, says Sam Logan, CEO and founder of Evidencity. The number of jurisdictions with laws in this area is increasing. In addition, some countries have far greater risk than others, with long histories of exploitation. Remember, though, that there is no such thing as a safe geography. A janitorial service in the US was found to be using child labor, and an Italian luxury goods maker’s contractor is alleged to have subcontracted with a business using Chinese laborers illegally in Italy. The key lesson from these cases: look closely at your suppliers to better understand where and how they do business. Be sure to review them not just when beginning a relationship but on an ongoing basis. Take a risk-based approach, focusing your efforts where the likelihood of modern slavery and human trafficking is greater. Finally, don’t forget about your customers. No organization wants to see its products used by forced or child labor.
7/2/2024 - 14 minutes, 52 seconds

Carrie Penman on the Latest Whistleblowing Data [Podcast]

By Adam Turteltaub The annual Navex Whistleblowing, Incident Management and Benchmarking Report provides valuable insights into what’s going on across the corporate compliance landscape. To get the highlights we spoke with Carrie Penman (LinkedIn), Chief Risk & Compliance Officer for Navex. The 2023 data showed that reporting reached an all-time high, with 1.57 reports for every 100 employees, up from 1.47 the previous year. Substantiation reached an 11 year high at 45%, which indicates that compliance teams are getting both more and better reports out of the workforce. Anonymity remained dominant, with 56% of reports arriving that way. Substantiation rates for anonymous reports held steady at 33%, which is lower than the 50% for reports given by an identified individual. Accounting-related incidents accounted for 4.3% of reports, a relatively small number. However, they were notable because they had the longest period between the observation of suspected wrongdoing and reporting. They also were the least likely to be reported anonymously. Third party reporters were likelier to report on business integrity issues, such as human rights, bribery and conflicts of interest. Substantiation rates were similar to those of anonymous reports. So what should compliance teams be doing as a result of this data? First, she recommends continuing to build trust in reporting systems. Second, prepare for an increased number of reports. Listen in to learn more about what is going on in incidents and whistleblowing.
6/27/2024 - 11 minutes, 19 seconds

Elizabeth Simon on Optimizing Your Enterprise Risk Assessment [Podcast]

By Adam Turteltaub Risk assessment and management is at the core of compliance and front and center on the agenda at the SCCE 23rd Annual Compliance & Ethics Institute, which takes place September 22-25 in Grapevine, TX (and virtually, too). Elizabeth Simon, Vice President of Compliance & Risk at Progress Residential will be contributing to the discussion with her session, “Enter at Your Own Risk: Optimizing Your Enterprise Risk Assessment”. In this podcast she provides a preview of her session and shares that compliance plays a unique role in enterprise risk management since it touches so many risk areas, from culture to operations to finance. This, in turn, requires that the compliance team become a part of the broader risk assessment process to know where the potential challenges are. It also requires that the compliance team bring its experience and solutions to the table and to the board to demonstrate its value to the enterprise and its risk assessment. Listen in to learn more, and then join us in Texas for the 23rd Annual Compliance & Ethics Institute.
6/25/2024 - 8 minutes, 33 seconds

Gwen Hassan on the Expanding Web of AI Regulation [Podcast]

By Adam Turteltaub In some ways it’s still the Wild West when it comes to AI, with developments happening faster than most can fathom and the law can respond. At the same time, though, the sheriff has begun to arrive. Gwen Hassan (LinkedIn), Deputy Chief Compliance Officer at Unisys and Adjunct Professor at Loyola University Chicago School of Law explains that the EU already has a law in place with a particular focus on ranking the risks of AI, including those that must not be taken, and an emphasis on the privacy implications. In the US, there is legislation proposed that would require clear notification when content is created using generative AI. It has yet to pass. Thus far the strongest direction in the US comes out of the White House, where President Biden issued the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The order urges ethical generative AI guidelines, sets key goals for what good uses of AI are and calls upon various departments of the government to provide further analysis and direction. So what should compliance teams do now, despite the legislative holes? She recommends looking at how to extend the existing compliance program to AI and, as AI evolves, develop more specific programs that map to its risks. Listen in to learn more about the emerging regulatory climate for AI.
6/20/2024 - 14 minutes, 33 seconds

Kelly Willenberg on the HCCA Healthcare Research Compliance Academy [Podcast]

By Adam Turteltaub If you’re thinking about attending an HCCA Research Compliance Academy, take a few minutes to listen to this podcast featuring Kelly Willenberg (LinkedIn), one of the faculty members and founder of Kelly Willenberg & Associates. Listen in as she explains:

- Who the Academy is for. Basically anyone working in or with oversight of research compliance.
- The teaching structure. All of the faculty members have deep research compliance expertise. They will teach both compliance infrastructure and many of the complexities of the numerous legal risk areas.
- The attendee experience. Small class sizes lead to opportunities to learn from your peers and build an extensive and deep network.

She also gives an overview of the Certified in Healthcare Research Compliance (CHRC) exam. To read more about the exam and see the detailed content outline click here. So spend ten minutes listening to the podcast, and then plan on attending an HCCA Research Compliance Academy.
6/18/2024 - 9 minutes, 39 seconds

Matt Ellis on Corruption in Latin America [Podcast]

By Adam Turteltaub Corruption is a well-known risk in Latin America, but how great the risk is on a country-by-country basis is less well understood. To fill in those blanks and many more, the law firm Miller & Chevalier just released its 2024 Latin America Corruption Survey. The firm has been fielding this survey every four years since 2008, reports Matt Ellis, Latin America Practice Lead. It provides comprehensive, country-by-country data as well as more granular information on the risks of dealing with various governmental entities. This year’s report, he shares on the podcast, had interesting news for the compliance community. It found that, although corruption remains a pervasive problem, corporate compliance programs, more so than enforcement, are perceived as being the key driver for change. The survey also revealed significant nuances in the anticorruption risk picture:

- Chile, Uruguay and Costa Rica are generally perceived as the lowest risk countries
- Venezuela, Bolivia, Honduras and Argentina are on the riskier side
- In general, political parties are perceived as being corrupt as well as municipal governments
- Brazil’s customs authority, Peru’s judicial branch, Argentina’s executive branch and Mexico’s police and local governments were all singled out as areas of concern

Listen in to learn more about what the survey revealed, including corporate trends in investing in anti-corruption efforts.
6/13/2024 - 14 minutes, 24 seconds

Jason Rosoff on Radical Candor [Podcast]

By Adam Turteltaub How do you tell someone something that they don’t want to hear in a way that they will listen? How do you overcome your own desire to avoid the conversation? To better understand why people hesitate to have difficult talks and how to communicate more effectively, especially when the conversation is going to be a tough one, we spoke with Jason Rosoff, CEO of Radical Candor (podcasts). People hesitate to speak candidly, he explains, for a number of reasons. For one, they may fear that the conversation will harm their relationship with the other person. They may also be nervous about facing a negative reaction, or even retaliation, for speaking out. To help challenging conversations go better, he advocates for radical candor, which he explains means challenging directly but also caring personally at the same time. Be clear about the problem, he advises, and what the potential negative consequences are. At the same time, though, show you care personally. That includes giving the other person the benefit of the doubt, avoiding sounding judgmental, and focusing on helping them. It also means being willing to listen to the other person’s side. Listen in to learn more about how to have better conversations and how to avoid the more common traps that we all can fall into.
6/11/2024 - 14 minutes, 15 seconds

Mel Blackmore on ISO 27001 [Podcast]

By Adam Turteltaub ISO 27001 is the leading standard for information security management systems. As Mel Blackmore, CEO of UK-based Blackmores explains, it is a framework that applies and is of value regardless of an organization’s size, sector or country. Organizations seek ISO 27001 certification to ensure that their IT security reflects best practices. It also brings to organizations a systematic approach to work in this area. In addition, potential business partners will have greater confidence that your organization has robust data defenses. Most organizations have a head start when it comes to becoming ISO 27001 certified. Many existing IT security practices are likely to be consistent with the standard. To get the rest of the way to certification, she outlines several steps including:

- Determine where your organization is already compliant
- Conduct a gap analysis
- Perform a risk assessment
- Create policies and procedures

Listen in to learn more about meeting this important ISO standard and what it will take to maintain certification.
6/6/2024 - 12 minutes, 1 second

Renee Murphy on ESG and Compliance [Podcast]

By Adam Turteltaub What do we do with ESG? Is it a part of compliance? Something different? How do we handle it? Renee Murphy, Distinguished Evangelist at Diligent argues in this podcast that while there are compliance aspects to ESG, it is best to quickly make it a part of operations and under the general risk management structure. Of the three elements of ESG, it is the environmental sustainability side, she believes, that will be the most challenging. With new requirements for organizations to report on their fossil footprint, companies are being forced to march into unexplored territory. As a result, they will need to evolve their process, which, she believes, will become easier as management comes to understand the balance sheet implications. Listen in to learn more about what is happening with ESG, and what compliance teams need to know.
6/4/2024 - 8 minutes, 37 seconds

Ronald Chapman II on Healthcare Enforcement Trends [Podcast]

By Adam Turteltaub Healthcare enforcement is never quiet. There’s always something, or many things, going on, and compliance teams need to stay on top of the trends to ensure that their programs are staying ahead of the risks. To find out where things are today, we spoke with Ronald Chapman II, author of the book Unraveling Federal Investigations, defense attorney with Chapman Law Group and president of Chapman Consulting Group. In this podcast he identifies several areas of intense enforcement activity:

- Drug testing labs are under scrutiny, particularly around the number of panels and reflex testing
- Telemedicine continues to be a hot area as well
- Venture capital firms are entering healthcare and/or deepening their investment, often with complex payment arrangements and without sufficient antikickback review
- Aggressive telemarketing in the durable medical equipment space persists
- Credentialing issues, especially for smaller entities, are resulting in non-payments and fraud allegations

On the criminal side, he notes that controlled substance prescribing is in prosecutors’ eyes, and these cases are often coupled with fraud charges, leading to a one-two punch. Listen in to learn more about what healthcare enforcement authorities are doing and how to strengthen your compliance efforts.
5/30/2024 - 10 minutes, 37 seconds

Chris Audet on Whether Culture is Truly That Important [Podcast]

By Adam Turteltaub Creating the right corporate culture is an idea that’s sacrosanct in the field of compliance and ethics. The folks at Gartner, though, are challenging that belief. In this podcast Chris Audet, Vice President and Chief of Research for General Counsels and Chief Compliance Officers, tells us that their newly released report finds that focusing on key quality measures in the compliance program may be more important. The firm reached the conclusion after surveying over 1000 employees about the situations that lead to employee noncompliance. To quote from the press release, “In the survey, 87% of respondents said they faced situations where they didn’t know how to comply in the last 12 months, followed by 77% of respondents who experienced situations of rationalization and 40% experiencing situations of malice.” Improved quality standards – the design and accessibility of policies, training and so forth – had much more of an effect on reducing uncertainty than culture did. As he notes, when employees are faced with uncertainty, the key thing is to have easily accessible policies and a workforce that knows where to find them. Most troubling, of course, is the reportedly high temptation, not always acted on, to be noncompliant for malicious reasons. Listen in to learn more about the challenges of malice and rationalization and how quality standards may help there as well.
5/28/2024 - 10 minutes, 38 seconds

Adam Greene on State Privacy Laws [Podcast]

By Adam Turteltaub There’s no General Data Protection Regulation (GDPR) in the US. Absent a comprehensive, national privacy law, states have stepped in to fill the gap. As Adam Greene (LinkedIn), Partner at Davis Wright Tremaine explains in this podcast, that’s creating some complications. The California Consumer Privacy Act (CCPA) already differs from subsequent laws in several states which use language reminiscent of the GDPR. And while there are many similarities, some differences are substantial. For example, some state laws are targeted at businesses, not non-profits. That’s an important distinction for healthcare with so many non-profit institutions. Perhaps the greatest challenge for organizations is figuring out which standard to follow, if any. Do they take a state-by-state approach, or one national approach based on the toughest state laws? Whatever the choice, it’s important to determine what data you have since there may be limits on collection and a requirement to share that data with consumers who want to see it. Listen in to learn more about what the states are requiring and what you need to do to meet their expectations.
5/23/2024 - 11 minutes, 17 seconds

Dan Wilcock on Public-Private Partnerships in Stemming Corruption [Podcast]

By Adam Turteltaub For as much as there is talk about the force of the US Foreign Corrupt Practices Act (FCPA), the impact of the OECD’s anticorruption efforts deserves a great deal of credit. By encouraging laws against foreign bribery, anticorruption compliance efforts, and grading the work of the countries who are parties to their Antibribery Convention, the OECD continues to raise the bar. In Australia, the OECD’s push for more resources for small and medium enterprises (SMEs) seeking to avoid corruption led to the creation of the Bribery Prevention Network, explains Dan Wilcock (contact), Head of Sustainability Governance for the UN Global Compact Network Australia and Manager of the Bribery Prevention Network. This public-private partnership was born out of the work of more than thirty organizations working collaboratively. The end product is a robust online hub filled with practical resources on topics such as anticorruption programs and conducting risk assessments. The Network also facilitates sharing of expertise from larger organizations to the SMEs in their supply chain. Listen in to learn more about what they are doing and lessons for others seeking to start similar endeavors.
5/21/2024 | 12 minutes, 27 seconds

Mike Koehler on What’s Really Going on With FCPA [Podcast]

By Adam Turteltaub Best known as The FCPA Professor, Mike Koehler argues that many people have it all wrong when it comes to enforcement of the Foreign Corrupt Practices Act (FCPA). Citing historical data, he argues that there is not, contrary to popular opinion, a slowdown in enforcement of the FCPA. The pace of roughly 12-13 resolutions per year has continued. In fact, the three resolutions in the first quarter of 2024, he notes, put it on track to continue the trend. How do compliance teams get management attention to FCPA enforcement? He recommends against just focusing on the likely price of the settlement. Instead, outline all the costs. Those start with the multiple years before the resolution when the costs of legal, accounting and other fees may be as much as twice the resolution. Then, point to the eighteen months or so after the settlement when the organization will be under ongoing scrutiny, likely at a substantial cost. All of this, of course, is in addition to the diminished productivity and potential business losses. Listen in to learn more about how he sees anticorruption enforcement shaping out both by US and international prosecutors.
5/16/2024 | 14 minutes, 3 seconds

Jessica Zeff on Preparing for a Government Audit [Podcast]

By Adam Turteltaub Jessica Zeff (LinkedIn) loves government audits. I know, it’s hard to believe, given the dread they inspire. But, the founder and lead consultant of Simply Compliance makes a very good case in this podcast that audits can be much better than people expect and actually helpful for the compliance program. How is this possible?  She argues strongly that, given the inevitability of an eventual audit, compliance teams should prepare for them on an ongoing basis rather than just when the audit notification arrives in the mail. By assessing what data an auditor might need, what gaps they may find, and what concerns they may have, compliance teams can complement their risk assessment process and have a better handle on where they should be focusing their efforts. As importantly, having this information handy can be helpful during the audit. Not only does it reduce last minute rushing to prepare, it enables the team to tell auditors their story in a way that shows the organization is doing the right thing and that compliance is on the ball. When the auditors arrive, she advises being prepared logistically as well. This includes having relevant (and not irrelevant) data ready for the auditors. In addition, she recommends thinking through what they will need -- from space to meals -- and ensuring that the staff they need to interview is available. Listen in to learn more about how a government audit may not just be better than you think but also a positive experience.
5/14/2024 | 14 minutes, 57 seconds

Paul Fiorelli on Establishing Workplace Integrity [Podcast]

By Adam Turteltaub Integrity is like peace, love and brotherhood. We’re all for it, but when it comes to practicing it, that’s when the challenges start. Paul Fiorelli hopes to change that. The Director, Cintas Institute for Business Ethics at Xavier University has just written a new book: Establishing Workplace Integrity. In it, Paul addresses six lessons in values-based leadership. To benefit from some of his long-established and well-recognized expertise we asked him to join us for this podcast. He discusses the importance of values-based leadership. He also cites six factors that lead people into unethical or non-compliant behavior:
- Pressure to perform
- Going down a slippery slope
- Rationalization
- Groupthink
- Altruism (violating the law to help the company)
- Greed
One or several of them are at play when wrongdoing occurs. So what makes for success and helps to prevent wrongdoing? He makes an argument for SMART goals: specific, measurable, attainable, relevant and time-based. Listen in to learn more about values-based leadership and promoting a workplace of integrity.
5/9/2024 | 14 minutes, 27 seconds

Meredith Hunt on Compliance Program Effectiveness [Podcast]

By Adam Turteltaub What makes for an effective compliance program, not just from a legal perspective but from a practical one? Getting that answer, and sharing it, is the focus of the LRN 2024 Ethics & Compliance Program Effectiveness Report. To learn what it contains we sat down with Meredith Hunt (LinkedIn), Ethics and Compliance Specialist at LRN. In this podcast she shared that more effective programs are focused on values rather than rules, and underscore the importance of ethical culture. They are also taking a risk-based approach. Their research also revealed the importance of adapting to the current business environment. With employees working remotely has come a change in how they gather information. The code of conduct, policies and procedures have to be accessible wherever workers are. Within the compliance program’s internal operations, effective programs, they report, are focusing more on data and metrics, looking for the data that show where the program is and isn’t working, and enabling continuous improvement. Listen in to learn more about how to create a more effective compliance program in your organization.
5/7/2024 | 12 minutes, 33 seconds

Jason Reddish and Mark Ogunsusi on 340B Drug Pricing Program Compliance [Podcast]

By Adam Turteltaub The 340B Drug Pricing Program was created to protect safety net hospitals from rising drug prices. It allows them to purchase outpatient drugs, and pharma companies to sell those drugs, at a discount. In this podcast, Jason Reddish (LinkedIn), Principal, and Mark Ogunsusi (LinkedIn), Associate, at Powers Pyles Sutter & Verville provide an overview of the program and the compliance requirements. They are also two of the authors of the chapter “Pharmacy: 340B Drug Pricing Program” in the Complete Healthcare Compliance Manual. The 340B program helps hospitals that are the last line of defense for underserved communities, including those with a large percentage of Medicaid patients. Often, they are the only hospital around in rural areas. Also helped by the program are federal grantees such as Ryan White clinics and those providing treatment for STDs. The program dictates which entities can buy discounted drugs and has very specific requirements, including two very important ones. First, the drugs cannot be resold or transferred to anyone who is not a patient of the covered entity. Second, double billing of Medicaid is prohibited and must be monitored for. There are a number of typical compliance problem areas, but the good news is that there has been a decline in non-compliance. Listen in to learn more about what covered entities are doing right, and what you should be on the lookout for.
5/2/2024 | 13 minutes, 20 seconds

Laura Ann Smith and Judy Mayo on SEC Climate Disclosure Requirements [Podcast]

By Adam Turteltaub Currently on hold due to pending court challenges, the SEC’s rules to standardize climate-related disclosures created a firestorm of controversy and comments when first proposed. The final rules (assuming the courts side with the SEC), explain Laura Ann Smith and Judy Mayo of the communications firm Labrador (LinkedIn), reflected strong industry pushback, easing the burden on some 4000 filers. Nonetheless, there are serious demands on industry. To quote from the SEC press release, registrants will be required to disclose:
- Climate-related risks that have had or are reasonably likely to have a material impact on the registrant’s business strategy, results of operations, or financial condition;
- The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook;
- If, as part of its strategy, a registrant has undertaken activities to mitigate or adapt to a material climate-related risk, a quantitative and qualitative description of material expenditures incurred and material impacts on financial estimates and assumptions that directly result from such mitigation or adaptation activities;
- Specified disclosures regarding a registrant’s activities, if any, to mitigate or adapt to a material climate-related risk including the use, if any, of transition plans, scenario analysis, or internal carbon prices;
- Any oversight by the board of directors of climate-related risks and any role by management in assessing and managing the registrant’s material climate-related risks;
- Any processes the registrant has for identifying, assessing, and managing material climate-related risks and, if the registrant is managing those risks, whether and how any such processes are integrated into the registrant’s overall risk management system or processes;
- Information about a registrant’s climate-related targets or goals, if any, that have materially affected or are reasonably likely to materially affect the registrant’s business, results of operations, or financial condition. Disclosures would include material expenditures and material impacts on financial estimates and assumptions as a direct result of the target or goal or actions taken to make progress toward meeting such target or goal;
- For large accelerated filers (LAFs) and accelerated filers (AFs) that are not otherwise exempted, information about material Scope 1 emissions and/or Scope 2 emissions;
- For those required to disclose Scope 1 and/or Scope 2 emissions, an assurance report at the limited assurance level, which, for an LAF, following an additional transition period, will be at the reasonable assurance level;
- The capitalized costs, expenditures expensed, charges, and losses incurred as a result of severe weather events and other natural conditions, such as hurricanes, tornadoes, flooding, drought, wildfires, extreme temperatures, and sea level rise, subject to applicable one percent and de minimis disclosure thresholds, disclosed in a note to the financial statements;
- The capitalized costs, expenditures expensed, and losses related to carbon offsets and renewable energy credits or certificates (RECs) if used as a material component of a registrant’s plans to achieve its disclosed climate-related targets or goals, disclosed in a note to the financial statements; and
- If the estimates and assumptions a registrant uses to produce the financial statements were materially impacted by risks and uncertainties associated with severe weather events and other natural conditions or any disclosed climate-related targets or transition plans, a qualitative description of how the development of such estimates and assumptions was impacted, disclosed in a note to the financial statements.
Even with all these requirements, Smith and Mayo recommend that companies realize that this is just a baseline. For those with operations in Europe there are requirements to meet as...
4/30/2024 | 13 minutes, 13 seconds

Eddie Green on Electronic Messaging [Podcast]

By Adam Turteltaub It used to be that tracking email usage was considered tough. These days the workforce is also communicating via text, WeChat, Slack and countless other channels both internally and externally. That can be a total nightmare since prosecutors want access to all those conversations. What makes things harder is that employees may be resistant, feeling that the communications they have on their phone, especially in organizations with a Bring Your Own Device (BYOD) policy, are private. The employee owns the phone, not the company. Eddie Green (LinkedIn), CEO of SnippetSentry, advises companies to get their heads around this problem. Digital compliance is broadening out from the investment community to pharma and elsewhere. To manage the issue, some companies are now scrapping BYOD policies and making it clear that all work communications need to go on work-owned devices. They are also looking for solutions which enable employees to communicate in familiar ways, but with the tracking that logs all those communications. Listen in to understand the challenge and how to approach it more effectively.
4/25/2024 | 7 minutes, 6 seconds

Professor Todd Haugh on the Southern District of New York’s Whistleblower Pilot Program [Podcast]

By Adam Turteltaub In January 2024 the US Attorney’s Office for the Southern District of New York (SDNY) sent a shockwave through the business world by announcing a new whistleblower pilot program. To understand what the policy says and what it likely means for compliance programs, we spoke with Todd Haugh (LinkedIn), Associate Professor of Business Law and Ethics, Arthur M. Weimer Faculty Fellow in Business Law at the Kelley School of Business at Indiana University. Under the policy, he explains, individuals who have participated in a fraud may be eligible for a non-prosecution agreement, if the individual meets three key criteria:
- They provide information that is not previously known to prosecutors and is produced voluntarily, not subsequent, say, to an arrest.
- The information is full, substantial and truthful.
- The individual is not otherwise disqualified, such as serving as a government official or the CEO or CFO of the company.
Given the incentives already in place for companies to self-report wrongdoing, this is in many ways an extension of what already exists. However, its impact should not be underplayed. The SDNY is a leader in white collar prosecutions and other US Attorney’s offices are likely to follow suit. At least one already has. Second, while the SEC has encouraged whistleblowing at publicly traded companies, the SDNY policy is open to public, private and even non-profit organizations. The new policy also may create situations in which employees and their employers find themselves in a race to disclose first. This, in turn, means that organizations need to significantly increase their efforts to create a culture that encourages internal whistleblowing. That includes creating easy paths to follow for potential whistleblowers and prompt investigations. Listen in to learn more about the policy and how your compliance program may need to evolve as a result of it.
4/23/2024 | 15 minutes, 28 seconds

David Schumacher on the HHS OIG’s General Compliance Program Guidance [Podcast]

By Adam Turteltaub In late 2023, the Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman, explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues in healthcare and patient safety. It also reflects the OIG’s efforts to ensure effective compliance programs in new entrants into healthcare, such as private equity and technology firms. Both may well discover that practices that are permissible elsewhere are not in healthcare. The guidance also encourages incentivizing compliance. Another gem in the guidance is the clear message to carefully scrutinize arrangements with third parties. Due diligence at the outset is important, but it is also necessary on an ongoing basis to determine if the relationship is necessary and the price tag is fair market value. Listen in to learn more, and be sure to check out the General Compliance Program Guidance.
4/18/2024 | 14 minutes, 3 seconds

Dana McMahon on Embedding the Compliance Team in the Business [Podcast]

By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things:
- Adopt a problem-solving approach
- Tailor your efforts to the most pressing issues
- Timing: anticipate what the business needs to move forward
Listen in to learn more and gain other tips for fully embedding compliance into the business process.
4/16/2024 | 8 minutes, 2 seconds

Greg Garcia on Healthcare Cybersecurity Risk [Podcast]

By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches has soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosystem is sustained with active partnership and representation between critical and significant technology partners and suppliers, including non-traditional health and life science entities.” It sets four objectives under that goal:
- Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data
- Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies
- Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations
- Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks
Listen in to learn more about the document, the council and how the healthcare sector is working together to stem cyberthreats.
4/11/2024 | 11 minutes, 11 seconds

Markus Funk on FCPA Enforcement and Compliance [Podcast]

By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline-grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very bad idea. Another bad idea: assuming your people are not a risk area. They are. Be sure to be sensitive to internal risks. Train the workforce and work with the finance team to help them serve as an extra set of eyes when it comes to spotting misconduct. Above all, stay alert and be prepared to investigate possible incidents. Prosecutors still expect companies to bear the brunt of the investigative burden.
4/9/2024 | 9 minutes, 25 seconds

Krista Muszak on Project Management and Process Improvement [Podcast]

By Adam Turteltaub Krista Muszak is organized. More importantly, the longtime compliance professional and Senior Manager, Regional Process & Optimization Lead for Pfizer knows how to keep others organized as well. She will be sharing some of this wisdom in Nashville at the 2024 HCCA Compliance Institute in the session “Muda, Mura, Muri to Veni Vidi Vici: Applying Project Management and Process Improvement to Your Compliance Program.” She also shares a bit of it here in the latest Compliance Perspectives podcast. First, she explains that the title comes from terms used by Toyota to improve the process flow at their plants and eliminate waste. Muda is about eliminating waste and activities that don’t add value. Mura speaks to addressing variability in operations to increase stability and reduce unnecessary variations. Muri addresses not overloading people and the business with too many asks, such as releasing a round of training at the same time as year-end activities. Embracing these concepts can increase efficiency and effectiveness. At the same time, adopting a project management approach helps build guardrails around your efforts. Use it to identify who is responsible, who is accountable, who needs to be informed and who needs to be consulted. This brings clarity into who the key players are and their responsibilities. With the right people on board, a project charter can be extremely effective, identifying what the project goals are, and what they aren’t. From there it is time, she explains, to move on to measure, analyze, improve and establish controls for your initiative. Listen in to learn more about how to bring greater effectiveness and efficiency for your compliance efforts.
4/4/2024 | 14 minutes, 48 seconds

Parth Chanda on Using Technology to Improve Your Compliance Program [Podcast]

By Adam Turteltaub When it comes to compliance technology, there are two challenges. First is finding the right solutions to increase your program’s effectiveness. Second is securing the resources to acquire and deploy the technology. Parth Chanda, Founder and CEO of Lextegrity, covers both topics in this podcast. When it comes to tech, he explains, you want tools that give you the confidence that your program is effective in practice and not just on paper. You also need to prioritize based on risk, and your organization’s own experience with technology. If the history is short or non-existent, start with something relatively simple such as training or policy management. Tools that can make it easier for employees to report wrongdoing are also invaluable. To secure the resources you need, he advises making the business case by focusing on the ROI, for example, by showing that investigations can be completed in less time and with less staff. But, as you look at technology, be realistic and recognize that technology will not remove human judgement. It can expose gaps and gray areas, but then the compliance team will need to step in to understand the nuances and the appropriate solution.
4/2/2024 | 14 minutes, 54 seconds

Jenna Wells on Leaning In on AI [Podcast]

By Adam Turteltaub Imagine you are at a large company with thousands of suppliers. As a part of the compliance team you need to understand the risk of working with each and every one of them. To do that you may need to understand the ownership structure, where they source materials, where and how they manufacture, and a host of other data about each and every one of them. That’s a daunting task. It’s also one that Jenna Wells, Chief Customer and Product Officer at Supply Wisdom believes is ideally suited for AI. With human supervision it can help with such a large, seemingly impossible undertaking. AI, she argues, can be an effective tool for enabling compliance programs to better understand the risks they face and then focus on the most important ones. To get there, compliance teams need to get a handle on the data that they have that is normally siloed. Look to external sources for regulatory data and emerging legislation, she suggests. At the same time, though, it’s important to understand the limitations of AI. While it can handle the brute force exercises, such as combing through all the data on all those vendors, there is still a need for the human element. Listen in to learn more about putting the power of AI to work for your compliance efforts.
3/28/2024 | 15 minutes, 36 seconds

Tanya Ganguli on the New Indian Criminal Laws [Podcast]

By Adam Turteltaub Traditionally, explains Tanya Ganguli (LinkedIn), Principal Associate, Law Offices of Panag & Babu, India’s criminal law framework revolved around the Indian Penal Code, The Code of Criminal Procedure and the Indian Evidence Act, two of which dated back to the 19th century. That changed with the passage of three new laws: the Bharatiya Nyaya (Second) Sanhita, 2023, the Bharatiya Nagarik Suraksha (Second) Sanhita, 2023 and the Bharatiya Sakshya (Second) Bill, 2023. Together they seek to bring criminal law into the 21st century and build off of long-established precedents. They are designed, she reports, to address loopholes, enhance efficiency and ensure justice. The laws are now more victim centric, but may not be too transformative, according to Tanya, for most compliance and ethics programs. Nonetheless, there are changes. New rules for searches and seizures will likely require updated training on dawn raids. Summons can now be delivered electronically. There is much greater need to digitize and consolidate records. Having the right tone at the top will be more important than ever. However, the change is likely to come relatively slowly with many aspects of the law expected to be implemented in stages. So keep your eye on the horizon in India, and be sure to listen to this discussion. Also, don’t miss the first ever SCCE Basic Compliance & Ethics Academy in India.
3/26/2024 | 13 minutes, 50 seconds

Silke Becker and Sarah Specht on the New Volkswagen Code of Conduct [Podcast]

By Adam Turteltaub As of January 2024, there’s a new Code of Conduct of the Volkswagen Group, replacing one developed in 2017. To understand what led to the latest iteration of the code and the vision behind it we spoke with Silke Becker and Sarah Specht (LinkedIn) of Volkswagen Group Integrity & Compliance. They are part of a team led by Tina Landsmann, Head of Volkswagen Group Center of Competence Integrity & Compliance Awareness & Qualification, and Dr. Kurt Michels, Volkswagen Group Chief Integrity & Compliance Officer. The code was updated to reflect changing times, including the draft European Supply Chain Act. This required a change in content, but the team also chose to update the tone and feel. The language of the document now focuses on “we” and “us”, and it is very proactive, making the document less about what the board or management calls for and more about what we as a group are committing to. Each section of the code has a headline that reinforces this message: “We take responsibility for human rights,” “We lead based on our values,” “We like diversity.” The document embraces a magazine style to increase readability, and there is the opportunity to digitally drill down on individual topics, making it a one-stop shop for employees. As the team developed the document, in partnership with individuals around the company from multiple departments, they had several goals in mind. First, it had to be relevant for everyone, whether working in conventional auto manufacturing or battery development. Second, it had to work all around the globe given Volkswagen’s global footprint. It also had to be more human. Take some time to see all of these elements and more when you explore the code. Then listen to the podcast to hear the story behind it and, maybe, get some ideas for updating your code of conduct.
3/21/2024 | 14 minutes, 40 seconds

Elena Sychenko on the EU Corporate Sustainability Reporting Directive [Podcast]

By Adam Turteltaub On January 5, 2023 the EU Corporate Sustainability Reporting Directive went into force. The directive broadens the scope of companies that report on sustainability issues, adds to the amount of information that needs to be reported, and even requires external assurance, reports Elena Sychenko (LinkedIn), Adjunct Professor at the Department of Management at the University of Bologna and currently a Fulbright Scholar at the Wharton School of Business. The directive now covers all listed companies with the exception of micro enterprises. Also falling under it are non-EU companies that have a significant presence in the EU. The reporting requirements, which are still being fully developed, closely follow the Global Reporting Initiative (GRI) standards and focus on ESG explicitly, with several areas of reporting under E, S, and G. These include:
- E: climate change, pollution, water, biodiversity
- S: the organization’s own workforce, the workforce in the value chain, affected communities, consumers and end users
- G: business conduct in general
Compliance teams will need to ensure that the reporting is accurate. One area to watch out for, she notes, is vagueness. A company may choose to provide overly vague information that could be misleading. Listen in to learn more about the directive and the risks involved.
3/19/2024 | 10 minutes, 30 seconds

Brian Stimson on the No Surprises Act [Podcast]

By Adam Turteltaub The No Surprises Act is a significant change to how healthcare coverage is handled and billed. In general, it eliminates balance billing in three typical areas:
- A patient is brought to an emergency room in an out of network hospital
- A patient is transported by air ambulance
- A patient is being cared for at an in-network hospital but, unbeknownst to him or her, a physician or service that is out of network provides care.
To understand the Act more fully, we spoke with Brian Stimson, Partner, Arnall Golden Gregory, who will be leading the session “The All Surprises Act: Avoiding Compliance Pitfalls and Responding to Administrative Enforcement Actions under the Surprise Billing Laws” at the 2024 HCCA Compliance Institute. As he explains, there is a two-tiered enforcement structure to the law, with both individual states and the federal government involved. Compliance teams looking to ensure their organizations are complying need to pay close attention to patient complaints. These can be a tip-off to improper balance billing and a red flag of systemic issues. Be extra alert if a patient comes to them, and it can even be good to check social media for reports of wrongful billing. Listen in to learn more, and then join us in Nashville, April 14-17, for the HCCA Compliance Institute.
3/14/2024 | 10 minutes, 7 seconds

Kelly Alwin on the Frequency of Risk Assessments [Podcast]

By Adam Turteltaub

When it comes to risk assessments, the word “annual” comes up a lot. But Kelly Alwin, Regional Compliance Officer North America for SAP America, believes that once a year may be more than a bit too long. To her, a risk assessment is more than a periodic assessment and an annual chore. It is critical to the program’s success and lends credibility and substance to the compliance program. She points out that from the Delaware Chancery Court to the US Department of Justice, the importance of a strong risk assessment is underscored. In this podcast she argues that, for the risk assessment to play the role it should, it can’t afford to sit on the shelf. It needs to be a dynamic document that both informs all the other elements of the program and evolves as risks evolve, whether due to a new go-to-market strategy, a merger or an entry into a new market. Bottom line: look at your risk assessment, she advises, not as a discrete activity but as a continuous analysis. Incorporate micro assessments, embrace continuous improvement, and, hopefully, enjoy a more effective compliance and ethics program as a result.
3/12/2024 | 15 minutes, 40 seconds

Kimberly Lindsay and Tim Timmons on Behavioral Health Compliance [Podcast]

By Adam Turteltaub

Behavioral health shares many of the same compliance challenges as the rest of healthcare, but it also has several of its own. To understand the risks, we sat down with Community Counseling Solutions’ Executive Director Kimberly Lindsay and Compliance & Privacy Officer Tim Timmons. They will be leading the session “Developing an Ethics and Compliance Program in Behavioral Health” at the HCCA 28th Annual Compliance Institute, which will be in Nashville, April 14-17 and also offered in a virtual format. In this podcast they identify several typical compliance challenges in the behavioral health setting:

- Managers and supervisors who are well intentioned but busy, not holding staff accountable and not reporting in a timely manner.
- Incidents after hours when a patient is in crisis. This is a very difficult situation. The team is eager to help the patient get better, but with lots of adrenaline flowing in a difficult situation, they may find themselves sharing more information about the patient than they should.
- Sharing PHI improperly when working with community partners.
- Mishandling of subpoenas and court ordered requests for records which may not comport with 42 CFR.
- Coding and dual diagnosis treatment
- Treatment plans that are not updated before providing services
- Overly verbose documentation

Listen in as they outline these issues and ways to address them. Then, plan on joining us in Nashville for the 28th Annual Compliance Institute.
3/7/2024 | 14 minutes, 54 seconds

Jan Sprafke on Supplier Compliance [Podcast]

By Adam Turteltaub

While Ericsson is best known for its mobile phones, the company’s reach in wireless is far greater. It is the creator of Bluetooth technology, owns patents on much of the critical IP that wireless systems depend on, and is active in more than 180 countries providing much of the hardware, and even cellphone towers, that enables all of us to talk, text, and surf the web wherever we are in the world. Jan Sprafke, Chief Compliance Officer at Ericsson, explains in this podcast that with that global reach – including operations in approximately 100 high-risk countries – also comes a large network of suppliers. To manage the potential compliance challenges that go along with it, the company uses a risk-based approach to supplier management. They assess the country risk, go-to-market approach and whether the supplier will be using subcontractors. Then they work closely with sourcing and other assurance functions on an ongoing basis. The company’s supplier code of conduct is shared with their vendors. But it is just the start. There is also training provided, supplier days, meetings with them to discuss FCPA, AML, health and safety and other topics. All of these efforts and more help suppliers understand what Ericsson’s expectations are, not just in principle but also in practice. They even work with many of their contractors as they select their subcontractors. The goal is to create an end-to-end framework for managing third-party compliance risk. Download the podcast (maybe even on your mobile device) to learn more.
3/5/2024 | 12 minutes, 1 second

Julie Janeway on Compliance Investigations [Podcast]

By Adam Turteltaub

Julie Janeway (LinkedIn), General Counsel and principal owner, Principled Healthcare Consulting, will be speaking about internal and parallel investigations at the 2024 HCCA Compliance Institute. In this podcast she slices off a bit of that expertise. A thorough investigation is needed, she advises, whenever there is an issue that could require arbitration, a court case, administrative hearing, contractual dispute or reputational issues, whether by an employee, contractor or the organization itself. The same is true if there is a policy breach or alleged violation of the code of conduct. So how best to do it? Have both an investigation plan and a preplan which designates who will be responsible for the investigation depending on what the issue is. For example, a privacy officer would likely play the lead role in a HIPAA breach allegation. As for the plan itself, it should be thorough. The team executing it should include individuals with a wide range of skills and, she highly recommends, an experienced investigations attorney. What should you avoid? Several things, she cites, including retaliation, making the plan as you go along, letting supervisors or managers interview subordinates and not having insurance for when investigations happen. The rules are largely the same with parallel investigations, which are required pursuant to statutes that call for entities notified of an investigation by a governmental agency to conduct their own investigation. These absolutely must be done, or the organization may face sanctions. She highly recommends doing these investigations under attorney-client privilege. Listen in to learn more about what to do and what not to do in an investigation. Then, don’t miss her session at the 2024 Compliance Institute, March 18-20 in Nashville.
2/29/2024 | 12 minutes, 42 seconds

Drew Neisser on Connecting in a Working Remote World [Podcast]

By Adam Turteltaub

In 1984 I went to my friend Chris’s wedding, and one of the other groomsmen, Drew Neisser (LinkedIn), his then boss, talked me into pursuing a career in advertising. Just a few months shy of 40 years later, I caught a video on LinkedIn of him with chief marketing officers discussing the struggles of managing remote workers. It didn’t matter that these were marketing people, the problems sounded just like those we in compliance face. So, I asked Drew, who is the founder of CMO Huddles and the author of the book Renegade Marketing: 12 Steps to Building Unbeatable B2B Brands, to sit down and do a podcast on the topic. Drew points out that, despite workers being required to come into the office more often, there is still a cost to remote work. Churn is higher than before. Partners at law firms complain that their associates are years behind in their development, likely due to the inability to learn by osmosis. So what do we do? He recommends that we recognize the present reality and look to hire self-starters. People who need a great deal of hand holding will not work out in a world where their managers are miles, if not hundreds of miles, away. Second, make sure the team understands what the organization’s business is. Then, help them connect, intellectually and emotionally, with it. If they don’t, then it’s just another job to them. Incorporate virtual bonding activities, but also try to get the team together in person. That effort creates culture and connection. Looking outside your team, he recommends four tactics:

- Meet, ideally in person. Get to know your colleagues, and understand their business priorities. Focus on helping them solve their problems.
- Track all the people you want to meet and influence. Then, take active steps to connect with them and get to know them.
- Share something about yourself and encourage them to do the same. Get to know the person and stay in touch. For example, send them over articles you think they would find of interest based on what you learned about them.
- Join formal and informal work groups. If there is a team forming to tackle a problem, be a part of it. But also look to book groups and other less structured ways to connect.

Throughout, he advises thinking of yourself as an impact player and a business leader. Finally, he advises understanding how people want to communicate these days, and meeting them there. The era of relying solely on email is done, especially for the younger generation. Listen in for some very good insights for compliance officers from a career marketer.
2/27/2024 | 12 minutes, 26 seconds

Richard Bistrong on Conference Networking [Podcast]

By Adam Turteltaub

Some people have a gift for invisibly attending a conference, and no one knows that they were even there. That’s great for a conference of spies, but most people at compliance conferences like to meet at least some of the other attendees. For many, though, connecting with strangers is difficult, whether they know no one or they are shy about going beyond their usual circle of contacts. So what do you do if you are one of them? To find out we spoke with Richard Bistrong (LinkedIn), newsletter author and CEO of Frontline Antibribery, who will be moderating a general session at the 2024 SCCE European Compliance & Ethics Institute in Amsterdam. If you spot someone standing alone and looking a bit lost, he recommends you think like a host and invite them to join you. Even if you’re already talking with friends, he advises being a croissant and not a bagel: be sure there is an opening for others. Make the effort to catch them up with the conversation – “we were just discussing helplines”—and ask them to share their thoughts. If you hesitate to join conversations because you don’t feel you are good at small talk, think of a few questions in advance to use as ice breakers. They don’t have to be traditional compliance-related questions. You could ask people about what excited them the most in the last year. Richard often uses Vertellis cards to start or help conversations. For those at the conference with a friend or colleague, use the other person as your wingman or wingwoman. Tell them who you are interested in meeting and have them serve as a second set of eyes and ears. Also, don’t forget about the SCCE & HCCA staff as a source of connection. See if they know someone it would be good for you to talk with. Listen in to learn more, including how to follow up properly after the conference is over. Then, be sure to say hello to Richard (and offer him a croissant) in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute, March 18-20.
2/22/2024 | 13 minutes, 12 seconds

Alison Taylor on a Higher Ground for Compliance [Podcast]

By Adam Turteltaub

Compliance programs have come far over the last few decades, but there is still more that they could do to elevate their performance. In this podcast, Alison Taylor, Clinical Associate Professor at NYU Stern School of Business and author of the book Higher Ground, shares some intriguing and provocative ideas for improvement. She is a strong believer in what she calls “firm foundations”. These foundations avoid having too many rules which can, inadvertently, have a negative impact, causing employees to abdicate responsibility for their actions and grow overly reliant on following rules. Instead, she argues for simplifying and being attuned to human behavior and the role of incentives. Be wary too, she advises, of mixed messages and potentially pernicious effects when it appears, whether true or not, that the rules for the rank and file do not apply to leadership. It degrades trust and the culture. To get more employees to speak up when they see wrongdoing, she advises investing the time in understanding why they don’t raise their hands more. When it comes to measuring the impact of the compliance program, she is a strong proponent of measuring the ethical culture. Do employees feel safe speaking up? Whom do they speak to when there is a problem? Do they believe the whistleblower line is truly anonymous? Is leadership looking out for them? The answers to these questions, and how they change over time, can illuminate how well the program is working. Listen in to gain more insights, including how to build a common ethical foundation and the importance of adequate authority for the compliance and ethics program.
2/20/2024 | 12 minutes, 16 seconds

Tobias Kruis and Clara Becerra Campos on the EU Whistleblower Requirements [Podcast]

By Adam Turteltaub

Clara Becerra Campos, Senior Compliance Analyst-Europe for TD SYNNEX, and Dr. Tobias Kruis, Head of Corporate Compliance, Giesecke+Devrient, will be addressing the new EU whistleblowing requirements at the 2024 SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 18-20. In this podcast, they delve into the challenges posed by the directive, which significantly expands the number of EU-based and non-EU-based companies that must comply. The directive not only provides protections for whistleblowers, they explain. It also establishes procedures and deadlines for handling reports. As significantly, it leaves the door open to variations among EU member states, which complicates the picture considerably. So what should you do? If your organization does not have a whistleblower line already in place they recommend you:

- Implement an internal reporting channel
- Be sure it’s aligned with legal and data privacy
- Consider who will manage the system and conduct the investigations
- Ensure confidentiality
- Communicate with your workforce

For those with a helpline already they recommend starting with a gap analysis to determine if your existing efforts are meeting the new requirements. Listen in to learn more, then join them in Amsterdam at the 2024 SCCE European Compliance & Ethics Institute.
2/15/2024 | 15 minutes, 5 seconds

Segev Shani on AI Risk [Podcast]

By Adam Turteltaub

At the 2024 SCCE European Compliance & Ethics Institute, Segev Shani, Chief Compliance & Regulatory Officer at Neopharm Group, will be leading the session “Corporate Use of Third-Party Artificial Intelligence (AI) Tools.” In this podcast he shares that a great deal of risk comes from the headlong pursuit of AI technology. Businesses believe that if they are not using AI they will be left behind, but the adoption rate is not being matched with a complete understanding of what AI is. To manage this issue, he recommends creating an AI governance model that balances the risks and rewards. It can help employees and managers understand the risks, including inaccuracy, bias and both misuse and improper use of intellectual property. And, of course, there can be substantial privacy risks as well. Listen in as he discusses proper governance, the need for training and the importance of integrating AI governance into business processes. Then plan on joining us in Amsterdam, 18-20 March, at the 2024 SCCE European Compliance & Ethics Institute.
2/13/2024 | 7 minutes, 18 seconds

Klaus Moosmayer on the Novartis Employee Survey [Podcast]

By Adam Turteltaub

A good employee survey on compliance and ethics can yield a wealth of data on how your program is and isn’t working, where the risks are, and how to move forward. The challenge is getting the survey right and getting employees to respond. Klaus Moosmayer, Member of the Executive Committee and Chief Ethics, Risk and Compliance Officer at Novartis, shares in this podcast that the compliance team has just completed the second round of their survey. The goal was to get first-hand data from as many employees globally as they could about any unethical behavior they perceive around them and how it is acted on. The survey was developed with substantial help from behavioral scientists, who created a questionnaire that captured where the company is now but also enabled them to dig deeper into key issues. For example, in the first round of the survey the Novartis team discovered that approximately 80% of employees go first to their leaders and managers when seeing unethical behavior. In the second survey they focused on what the leaders are doing with those reports. To encourage responses from employees, they invested the time in preparing the workforce and setting the context that the survey is a part of a broader effort to strengthen company culture. The messaging behind the survey was both local and global, with company presidents underscoring the importance of the study. After the first survey was completed, they made the effort to showcase how the data was used and what would be changing at Novartis as a result. That helped earn higher participation rates for the second survey. How does the data get used? The aggregated data helps inform leadership and enables conversations as high as the board level. The data is also incorporated into the company’s integrated digital ethics, risk and compliance platform. Country managers are shown their data and told how it compared to other regions, which, of course, indicates how well they are or aren’t doing versus their peers. Local leaders are then encouraged to use the data to have roundtables, town halls and other meetings to understand why their scores are what they are. Listen in to learn what made the Novartis survey so successful and how to improve your own.
2/8/2024 | 12 minutes, 42 seconds

Letitia Adu-Ampoma on the EU Artificial Intelligence Act [Podcast]

By Adam Turteltaub

When it comes to AI, there is little agreement. Some see great potential, while others see great nightmares. Some see opportunities, and many see nothing but risks. In the EU, though, there is agreement on one thing, a new EU AI Law. In December 2023 the EU Parliament and Council agreed to a bill “…to ensure AI in Europe is safe, respects fundamental rights and democracy, while businesses can thrive and expand.” Longtime compliance professional Letitia Adu-Ampoma (LinkedIn) explains that while the law won’t fully come into force for two years or more, it’s time for compliance teams to start paying attention and preparing. The act is a part of the EU digital strategy, which is very focused on human-centric legislation. Its goal is to keep positive the impact of AI on people and society. The approach it takes is risk-based, categorizing AI systems based on the level of risk: unacceptable (and prohibited), high risk, minimal risk and no risk. The act is very specific in how it defines which AI systems fall into each category. The unacceptable risk category, for example, includes social credit scoring, emotional recognition and behavioral manipulation. Creators and users of high-risk AI will be required to register the system in a public record. They will also need to conduct an impact assessment and be transparent. Transparency will also be critical for generative AI. Providers will need to disclose the content generated and ensure that the models are not designed to create illegal content. There will also need to be governance in place to protect against copyright violations. So what should compliance teams do now? Letitia recommends reading the guidance and starting to prepare the business unit for what is to come. Listening to the podcast would be good, too.

NOTE: This podcast was recorded in January 2024. The final version of the EU AI Act is yet to be released - a final EU parliament debate on the text will take place before its release. In the meantime, some 'unofficial' pre-final versions of the text have been leaked online in advance of this debate. The final EU definition of AI and key timescales for enforcement mentioned in the podcast are based on proposals made public. Listeners should look out for the final position which will be detailed in the EU AI Act when it is officially published in the next few weeks.
2/6/2024 | 12 minutes, 40 seconds

Matt Silverman on Keeping Compliance Champions Engaged [Podcast]

By Adam Turteltaub

Having a compliance champions or ambassadors program can be a great boon for the compliance program, if you keep the champions engaged. Unfortunately, that doesn’t always happen. If not managed properly your champions may end up sleepwalking through the job. In this podcast, Matt Silverman, author of the book The Champions Network and Global Trade Director and Senior Counsel at Viavi, lays out several strategies for maintaining the involvement and commitment of your champions network. To ensure engagement, he recommends remembering that the people who decided to be champions did so for a reason. It may be for a wage stipend or for altruistic reasons. Tapping into that motivation is essential. On an ongoing basis it’s important that they see the impact of their work on the organization and their own career. That means sharing outcomes, as best you can, and providing them with access to development opportunities. These could be specific to deepening compliance expertise or as broad as developing business and soft skills. Whichever you choose, it is a way for them to see what’s in it for them. Give them an opportunity, as well, to be recognized for their work, whether that’s an official recognition by the CEO or an opportunity to interact with leadership. Remember, appreciation can be a powerful reward. And, of course, make sure there is actual work that they need to do as a part of being a champion. Having the title alone is not enough. Listen in to learn more about how to create engaged compliance champions.
2/1/2024 | 13 minutes, 37 seconds

Sergio Leal and Jan Sprafke on M&A Compliance Due Diligence [Podcast]

By Adam Turteltaub

Mergers and acquisitions create stress, opportunity and risk both for the organization and the compliance team. In this podcast, Sergio Leal, who until recently was head of M&A compliance at Ericsson, along with Jan Sprafke, the company’s chief compliance officer, share their advice for compliance professionals in the midst of a transaction. They stress that the compliance team needs to be involved during the entire lifecycle, from target identification to due diligence to post-acquisition integration. This will help the organization avoid unanticipated liabilities and risks. To ensure success the compliance team needs to be embedded in the M&A team. Meet with the stakeholders regularly to ensure you are aligned with their processes. When you do, remember that compliance is just one piece of a very complex puzzle. Be prepared to move quickly. The DOJ amnesty program for issues discovered in an acquisition has a rapidly ticking clock. At the start of an acquisition or merger, they recommend focusing on three areas:

- The ultimate beneficial owner
- The operations of the business
- The already existing compliance program, if any, and internal controls

Be especially vigilant if the acquired entity had some government ownership or government contracts. And, be very diligent if there is not a compliance program already in place. Listen in to learn more about how to be an integral part of mitigating the risks of mergers and acquisitions.
1/30/2024 | 14 minutes, 58 seconds

Kelly Cooper on Open Payments [Podcast]

By Adam Turteltaub

To quote CMS, “The Open Payments program is a national disclosure program that promotes a more transparent and accountable health care system. Open Payments houses a publicly accessible database of payments that reporting entities, including drug and medical device companies, make to covered recipients like physicians.” For this transparency to work, though, it’s important for the data to actually be used. Kelly Cooper (LinkedIn), Compliance Specialist at UF Health Shands Compliance Services, reports that too often it isn’t. There is a downward trend of providers reviewing the data collected, she reports, due to lack of awareness of the program and why it matters. That needs to change. Physicians and the hospitals that employ them are now required to post a notice for patients about the Open Payment system and how to access it. This will likely lead to more questions from patients and the need for providers to monitor the data more closely. So what should compliance teams do? She recommends looking at training, awareness and policies. In addition, be sure that the profiles of covered individuals are correct and up to date. And, be prepared to navigate the dispute process. It can be a long one, but there are shortcuts. Finally, she urges compliance teams to use the data to get a better handle on staffing, credentialing, what the payment trends are and any red flags. Listen in to learn more about what the Open Payments program is and how your compliance team should be working with it.
1/25/2024 | 11 minutes, 40 seconds

Randi Seigel and Jared Augenstein on the CMS 2024 Medicare Physician Fee Schedule [Podcast]

By Adam Turteltaub

The 2024 CMS Medicare Physician Fee Schedule extends no fewer than ten different pandemic flexibilities related to telehealth. In this podcast, Randi Seigel, partner, and Jared Augenstein, managing director, at Manatt take us through all of them, including in-person visit requirements, audio-only services, physician supervision and opioid treatment. They also address:

- Changes in the structure of the telehealth services list
- Changes to payment by place of services
- Remote psychological and therapeutic monitoring
- Enrollment and revocation
- A new opportunity for payments for social needs of Medicare beneficiaries

Listen in to learn more about what’s new, what’s the same, and what will sunset at the end of 2024.
1/23/2024 | 15 minutes, 5 seconds

Wendy Evans on Investigative Interviewing [Podcast]

By Adam Turteltaub

Effective investigative interviews are both important and sensitive. To get some pointers about how to conduct them properly, we turn in this podcast to Wendy Evans, Senior Corporate Ethics Investigator at Lockheed Martin. Wendy is also an instructor for the SCCE Fundamentals of Compliance Investigations workshops. She recommends starting by doing your homework. Before you talk with anyone, whether a possible witness or the subject, get all the information you can from the reporter. Then, review it to see if it includes the what, where, when, why and who. If you don’t have all that information, take the time to find it since it can identify what the potential motivation behind the incident was. With that information in hand, check your case management system to see if any of the parties were involved in previous reports. Follow that by notifying HR and the subject’s manager that you will be conducting an interview. They may have important insight. Think through what other evidence you may need for the investigation, including expense and audit reports. If you are going to conduct the interview remotely, she offers four pieces of advice:

- Be sure to schedule it appropriately. Sending a meeting request on a Friday for a Monday meeting can create an entire weekend of unnecessary stress for the individual.
- Mark the meeting request as private so you, and they, don’t have to worry about others seeing it.
- Ensure that the person has video and a private place to talk.
- Always include your phone number in case a technology glitch gets in the way.

At the time of the interview, don’t just jump into the questions. Take time to build some rapport. This will help reduce the stress level. Then, when you start asking questions, begin with broad ones -- “tell me about your work” or “what were your last three business trips?” -- that aren’t simple yes or no. Then, over time, move into more narrow, specific questions. When it’s time to get to the hard questions, help the subject prepare themselves psychologically. Preface them by saying something along the lines of, “I have to ask you a tough question.” When concluding the interview, ask: Is there anything else I should know but didn’t ask you? That can prompt the sharing of additional information. Finally, be sure to thank them for their time and cooperation. Be sure to also reiterate what the investigation process is and what they can expect next. Listen in to learn more, and, maybe, join her at an upcoming Fundamentals of Compliance Investigations workshop.
1/18/2024 | 16 minutes, 3 seconds

Matt Kelly on the Top Compliance Stories from 2023 [Podcast]

By Adam Turteltaub

Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance, is a close watcher of all things compliance, and in this podcast he shares his take on both the top stories of 2023 and what he sees in the cards for 2024.

FCPA

On the Foreign Corrupt Practices Act front, he noted a change in enforcement. While the volume of resolutions declined on the DOJ side, the SEC has remained very active. Perhaps most notably, the Albemarle case had an interesting twist. The way the company did business was changed dramatically as a part of the settlement, he reports, with a restructuring of its overseas sales and the end of the use of third parties. He speculates this may be the start of a new trend in which monetary penalties are accompanied by required changes to the way companies do business. Also of note in FCPA was the announcement by Lisa Monaco at the SCCE Compliance & Ethics Institute of a leniency policy in mergers and acquisitions. Because of the relatively short timeline for finding and disclosing problems, there is a strong incentive for organizations to involve the compliance team early and deeply in these transactions.

SEC Cybersecurity Rules

The July SEC rules on disclosures of cyber incidents require firms to disclose an incident within four days. Companies will need to describe the nature, timing and material consequences. That will increase the importance of thorough and prompt cyber materiality assessments, as well as both quantitative and qualitative impacts.

Greenhouse Gas Disclosures

The SEC’s proposed rule on greenhouse gas disclosures is now the longest and most commented rule in history. It also has not been finalized while, in the meantime, both California and Europe have passed their own laws. The rule is likely to be very complex and impose a significant burden on companies.

Healthcare

The biggest news he saw in 2023 was the new General Compliance Program Guidance issued by the Office of Inspector General at HHS. The document makes it clear that it expects a fully independent compliance program. As the document states: The compliance officer should: report either to the CEO with direct and independent access to the board or to the board directly; have sufficient stature within the entity to interact as an equal of other senior leaders of the entity; demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks.

The Future

Looking to the future he asks if others will be as supportive as the OIG at HHS. He also points to other things to watch such as the Foreign Extortion Prevention Act, the PCAOB’s extremely controversial NOCLAR proposal and SEC v. Govil, which could eliminate disgorgement in many cases. Listen in to learn more about what has and may happen in the world of compliance.
1/16/2024 | 17 minutes, 22 seconds

Jaime Watkins on Creating a Compliance Mascot [Podcast]

By Adam Turteltaub

We all want the compliance team to be approachable. It would be ideal if, when people thought of compliance, they had positive, maybe even warm and fuzzy, associations in their mind. But how do we get there? For BroadPath, a friendly blue koala was the answer. In this podcast, Jaime Watkins, the compliance officer there, explains that she drew inspiration from the Basic Compliance & Ethics Academy and an exercise that called for creating a compliance mascot. Back at the office she created a contest among employees to create a mascot as a part of the company’s celebration of their compliance and ethics week. A winner was selected, and, with the help of the marketing team, the blue koala was born. Since then, the furry critter has been a regular part of their training and newsletter, and is used everywhere that they can, even sometimes straying to the activities of other groups in the company. The impact of the koala has been enormous. People enjoy seeing variations of how it is dressed up for holidays and it even plays a role in regular compliance trivia contests. Listen in to learn more about how a mascot could help your compliance efforts.
1/11/2024 - 8 minutes, 32 seconds

Ricardo Weffer on a Global Career in Compliance [Podcast]

By Adam Turteltaub Decades ago, while at a bit of a career crossroads, I was thinking of making a dramatic change and moving halfway around the world. I was talking it through with a friend who said that one day he asked himself whether he wanted to have a successful career or an interesting one. He realized that interesting was more important to him. That decision led him from Missouri to New York to Hong Kong, Singapore and Thailand, where he ended up enjoying great success. Ricardo Weffer, Group Ethics and Compliance Head of Al Dahra, has had a similar career journey that ranged from Venezuela to Dubai with countless points in between. In this podcast he shares his almost two decades of work in compliance and anticorruption in Latin America, the Middle East, Sub-Saharan Africa, Central Europe and Asia. A lawyer by training, he has worked in energy, banking, tobacco, logistics and agriculture. Despite all this variety, both in geography and industry, he shares that there are professional commonalities wherever he has gone. These include great compliance and business leaders who stand for what is right and are willing to fight for it. He has also found, happily, that, no matter what the industry, companies are mostly made up of real, hard-working, well-intentioned people driven by values who want to do the right thing. What wisdom does he have for those thinking of having a global career?  He offers three pieces of advice: Be adventurous and open to new experiences. Be willing to be taught. Enjoy it. Working and living abroad can be tough, but the rewards are worth it. Listen in to learn more, including some inspiring words about the impact of compliance professionals.
1/9/2024 - 14 minutes, 57 seconds

Kristy Grant-Hart on Internal Barriers to Success [Podcast]

By Adam Turteltaub Compliance professionals can face a lot of resistance in the course of their work: leaders who don’t have the time, budget limits, managerial indifference, and even outright hostility. But sometimes the impediments are inside us. In this podcast, Kristy Grant-Hart, CEO of Spark Compliance Consulting and author of the new book Your Year as a Wildly Effective Compliance Officer, points out that sometimes we get in our own way. It’s just easier for us to see what the external blocks are than it is to see those we create for ourselves. Overcome them, she argues, by trusting your own value. Ask for what you want, and don’t trust that others will see the need. And, when you do ask, be sure to make clear what value the compliance program provides. She also cautions against falling into Imposter Syndrome and feeling as if you don’t belong in the room. Sitting there quietly doesn’t help; in fact, it hurts by giving others the impression that you and the compliance team are not adding value. Instead, speak up at every meeting so that you can be perceived as a contributor. On the personal level, set goals for yourself. Pick an area to deepen your expertise and another to grow personally, such as in speaking publicly or improving your productivity. Also, look to growing your network. Plan on attending in-person meetings and then follow up with the people you meet there. Don’t just make them another entry in your Outlook contact list. When it comes to those external barriers, she advises not taking pushback personally because most often it isn’t personal. People have other commitments. In fact, look at why they are pushing back and evaluate if the criticism is fair. If it is, then adjust your efforts. If it isn’t, let it go. Not everyone is going to get along with you. Finally, she discusses how to ensure you don’t let work take over your life. Reserve time for family, friends and your passions, and keep those commitments.
When it comes to after-hours emails and texts, don’t answer them if you don’t have to, or if you do, send a delayed response. That way people learn you won’t be responding 24/7/365. Be considerate, too. If you think of something in the evening and want to get a note out that isn’t urgent, be sure to let the recipient know they don’t need to respond right away. Listen in to learn more about how to clear your internal path and become your own best ally in compliance.
1/4/2024 - 10 minutes, 59 seconds

Pam Cleveland and Megan Grifa on Starting a Compliance Program [Podcast]

By Adam Turteltaub We are starting a new year of Compliance Perspectives podcasts by going back to basics with an episode designed for those who are charged with starting a compliance program. While the conversation is directed to this audience, there are some good reminders even for established programs. Providing guidance are Pam Cleveland, Compliance Officer – Medicare Advantage for UCLA Health FPG and Megan Grifa, Senior Director, Compliance at Sidecar Health. So, if you are charged with launching a program, where do you begin? They advise starting by taking the time to develop a work plan that outlines your compliance program elements. Look to see what the regulatory requirements are for the business you are in and make a catalog of them. That, in turn, will help you set the objectives of your program. Next, take the time to tailor those requirements to the unique aspects of your organization. To do so, first spend time with operations to understand their level of knowledge, processes, resources and documentation. That will help you prioritize what needs to be done. Take the time also to gain the support of leadership. They may need education in everything from what a compliance program is to the specific requirements of your situation. One very effective technique is bringing them examples of non-compliance in your industry and the consequences of it. On an ongoing basis, follow the seven elements of a compliance program and make sure that you prepare your colleagues for the fact that changes happen. Law and regulations evolve, and the compliance program must do the same. It will help things go a bit smoother when you have to institute a new direction. Listen in to learn more about the essential steps for starting a compliance program.
1/2/2024 - 13 minutes, 56 seconds

Frank Orlowski on Using AI in Compliance Programs [Podcast]

By Adam Turteltaub When compliance professionals discuss AI most of the conversation tends to focus on the risk.  Frank Orlowski (LinkedIn), Founder and President of Ation Advisory Group, though, is far from all gloom and doom on the topic. In fact, he believes AI can be an asset to compliance programs. AI, he explains, can be of great value for compliance any place where there are large amounts of transactions that need to be monitored and checked. Two notable examples are travel & entertainment and accounts payable/vendors. AI is very useful for identifying outlier transactions that could be a sign of trouble. In manufacturing, it can be very helpful in monitoring materials being used. AI can also be helpful, he believes, in ESG efforts. But, there are limits. AI is not ready for handling contracts, he argues. It is also chronically deficient when it comes to addressing the gray areas of ethics and fairness. There it’s important for compliance teams to work with the business unit closely to ensure decisions are adequately documented and AI does not make decisions that would be regrettable from an ethics perspective. Listen in to learn more about how AI could help your compliance efforts.
12/21/2023 - 10 minutes, 57 seconds

Will Crawford on Conflicts of Interest in Clinical Research [Podcast]

By Adam Turteltaub The topic of conflicts of interest (COIs), especially in healthcare, is a very broad one. It can encompass professional activities, board membership, purchasing, procurement and more. But it is the financial conflicts, especially for those that conduct research, that can be most problematic. To help unpack the topic we are joined in this podcast by Will Crawford (LinkedIn), an associate in the DC office of Hogan Lovells. He explains that, in the case of research, a COI occurs whenever the interest of the investigator, their spouse or children can affect the design, conduct, or reporting of institutional research. And, of course, there is a potential conflict when activities like consulting and speaking can affect primary employment areas. Federal regulations have expanded greatly in this area, with the Public Health Service now being joined by the US Department of Energy and even NASA with regulations of their own. Compliance teams need to monitor the changing direction from all three. What else should compliance teams be doing? First, ensure the training is adequate and reflects the changing regulations. That includes helping others understand that the changing regulations are a necessary reflection of evolving risk. Second, ensure that the compliance team, itself, understands the current rules; there is much confusion out there. Other things to consider or embrace:
- Centralizing the process for managing COIs
- Requiring more disclosures and independent review boards
- Planning for greater transparency
- Developing policing and monitoring systems
Finally, be mindful of joint ventures. They can create great opportunity, but they also carry substantial risk.
12/19/2023 - 12 minutes, 15 seconds

Mark Diamond on Record Retention and Information Governance [Podcast]

By Adam Turteltaub Record retention and information governance have grown exponentially more complex as the number of laws has proliferated and the amount of data housed has exploded. This has vastly complicated the question of what data to hold onto and for how long. Mark Diamond, CEO of Contoural, points out that sometimes there are even competing and conflicting compliance regimes. For the most part, the rules specify a minimum number of years that information must be retained. However, organizations can typically retain records longer if there is a compelling and documented business need. Still, the temptation to just hold onto the data must be resisted. In this podcast he outlines the importance of getting a good handle on what data the organization has, categorizing it appropriately, determining how long it will be retained, and how it will be destroyed. Typically, this is an exercise involving multiple disciplines, including compliance, legal, IT, security, privacy and the business unit. A committee is likely the best way to manage the challenge, and having a compliance person in the lead position can be very useful. Listen in to better understand how the information in your organization can be governed more effectively, who to involve, how to structure the effort, and the important difference between information governance and data governance.
12/14/2023 - 11 minutes, 47 seconds

Ronnie Feldman on Playing Offense and Defense [Podcast]

By Adam Turteltaub Ronnie Feldman (LinkedIn), CEO, Founder and Creative Director of Learnings & Entertainment, thinks that compliance teams play too much defense and not enough offense. What does that mean? In this podcast he explains that offense is the proactive measures designed to prevent problems. Defense is reactive and made up of investigating allegations and cleaning up issues. In his experience, the time and money are more focused on defense than offense. So what should we do? He recommends realigning efforts, starting with looking at the key influences of behavior: the social environment and the influence of leadership. That includes changing the perception of compliance and turning it into a more positive one. One specific step he advocates is making the training more relevant and enjoyable to take. On the leadership level, he advocates for making them a larger part of the ethics team by providing them with the tools they need to address ethics issues. This could include videos to share and simple learning exercises they could take their teams through. All of these efforts can promote an environment of psychological safety and lay the groundwork for a compliance program that works and delivers measurable results. Listen in to learn more about how your program can play more offense.
12/12/2023 - 15 minutes, 7 seconds

George Porter on the EU Corporate Sustainability Due Diligence Directive [Podcast]

By Adam Turteltaub On February 22, 2022 the European Commission adopted a proposal for a directive on corporate sustainability due diligence.  In this podcast, George Porter, Knowledge and Training Manager at Ground Truth Intelligence reports that the directive, which is still being negotiated, is both a continuation of past measures and something new. It is designed to unify a great deal of previous regulations and create an ESG framework for both EU-based companies and those doing business in the EU. The directive covers three key areas: environmental risk, social goals such as modern slavery and child labor, and governance. The governance portion, importantly, addresses the duty of care and the need to conduct due diligence. It also significantly expands the stakes for organizations. Due diligence of the supply chain continues but organizations will now be responsible not just for how they sourced materials, but also how their products are disposed of. To back it all up there will be substantial potential penalties, including civil liability and fines up to 5% of global turnover. So what should organizations expect to do differently or better from a compliance perspective? He recommends preparing for a greatly enhanced auditing and monitoring program. Action plans will be needed for suppliers who need to improve their efforts. On a continuous basis there will be a need to check that these plans are being followed and attestations are not just tick boxes. Listen in to learn more about how this directive will likely lead to substantial changes in the ways in which organizations do business and what compliance teams need to start preparing for.
12/7/2023 - 14 minutes, 37 seconds

Lori Tansey Martens on the Continued Challenge of Remote Work and Corporate Culture [Podcast]

By Adam Turteltaub While the pandemic seems, at least for now, to be receding into our past, many of the changes from it have not, including a large percentage of the workforce that works remotely. While in some ways we have gotten used to this new normal, Lori Tansey Martens (LinkedIn), President, International Business Ethics Institute, warns that there remains cause for concern. Specifically, the high number of remote workers has negatively impacted, and continues to negatively impact, corporate culture. Culture is made up of the shared values and beliefs, norms, mission and purpose, and in many ways it differentiates one organization from another. Recent research shows that the common fabric binding people together into one culture is fraying. Survey data she shares shows that employee feelings of alignment have decreased substantially, and while those declines have leveled off among in-office and hybrid employees, they have not among remote workers. Remote workers also have the highest turnover rate and intent to change jobs, which suggests that they view their work as more transactional and are less committed. That can have a huge impact on ethics and compliance. Research suggests that employees who feel less loyal and committed are less likely to take into consideration reputational risk and long-term damage to the organization. Add to that data suggesting they are less likely to speak up, and it’s a dangerous prescription. So what should organizations do? For one, strive to connect people more fully. When workers are in the office together it’s okay to bring in remote workers via Zoom, but be sure that the people in the room are not just staring at their own individual laptops. You don’t want to exacerbate the issue by making in-office people wonder why they should bother, given that they are still on Zoom. Look to do more in-person rather than virtual training; people are already staring at their computers enough.
Managers also need to be trained on how to manage and build teams with hybrid and remote workers. As she notes, we have totally upended the way we do business without giving them any real training. When bringing on new remote employees seek to make them feel connected. Send them a package with items reflecting the local flavor of the office and notes from their new colleagues. Make a commitment to bring them into the office occasionally.  You can’t immerse them fully in the culture without doing so. Finally, track separately in-office, hybrid and remote workers on training, helpline calls and other metrics to make sure that the culture is present throughout your workforce, not just the in-house one. Listen in for more.
12/5/2023 - 14 minutes, 58 seconds

Joshua Drew on Attachment C Compliance Guidance [Podcast]

By Adam Turteltaub While most eyes have focused on the US Department of Justice’s document Evaluation of Corporate Compliance Programs when looking for guidance, it’s not the only DOJ source out there. Josh Drew (LinkedIn), Member, Miller & Chevalier explains that it would be wise to also look to Attachment C. What is it? It’s a document typically attached to Foreign Corrupt Practices Act (FCPA) resolutions. It specifies what the defendant company will need to do to establish and maintain an effective corporate compliance program. As a result, it, like the Evaluation document, provides very clear guidance as to what the DOJ’s thinking is when it comes to compliance. In August and September 2023 there were several changes to Attachment C. For one, it expanded the call for support from senior management down to include midlevel management as well. It specifically points to the importance of their tone and conduct:  “The Company will ensure that mid-level management throughout its organization reinforce leadership’s commitment to compliance policies and principles and encourage employees to abide by them.” In the realm of training, it calls for metrics to assess the effectiveness of the training, not just that it was given. That’s a theme consistent with other direction from the DOJ. Not surprising for an FCPA-related document, it also calls for documenting the business justification for engaging a third party and ensuring that contract terms are specific. Third parties should also be tracked after the initial engagement, which means ongoing due diligence. And, here, too, as elsewhere, the Department of Justice reinforces the importance of both incentives for good behavior and disincentives for bad. Listen in and then be sure to spend some time reading Attachment C.
11/30/2023 - 11 minutes, 22 seconds

Nancy Roht on HIPAA Deep Dives [Podcast]

By Adam Turteltaub At this point anyone in healthcare who doesn’t have a plan for managing HIPAA compliance risks is behind the eight ball and behind the times. But, for those who do have a program in place, the question is: does it currently reflect your risk profile? Nancy Roht (LinkedIn), Managing Principal at Compliance Pro Consulting, points out in this podcast that although the HIPAA regulations don’t specify how often a HIPAA risk assessment should be done, it’s best to do so annually, and perhaps even more frequently if something significant happens. Changes in leadership, organizational structure, goals, quality and major vendors can all call for a fundamental reexamination of your strategy. When conducting the assessment, don’t mistake it for a gap analysis. Make it a true assessment of risk and put together a work plan to address any deficiencies. When conducting the assessment, she recommends interviewing both leadership and staff to get a comprehensive picture. Take an inventory of the PHI you have, potential threats, vulnerabilities and security measures. Then, assign risk levels, prioritize and document your thinking. Years from now no one will remember what decisions were made and why, without the documentation. Be sure to look externally at your business associates, particularly those with evergreen agreements. They may have run out of date. Listen in to learn more about how to make your HIPAA risk assessment stronger.
11/28/2023 - 15 minutes, 24 seconds

Steve Forman on Monitoring and Auditing [Podcast]

By Adam Turteltaub Steve Forman (LinkedIn), Senior Vice President at Strategic Management Services, had an eye-opening experience years ago when interviewing for the job of Vice President of Audit and Compliance for New York Presbyterian Hospital. The chair of the board’s audit and compliance committee told him that his main role was not to find problems or weaknesses but to validate through the discipline of the audit processes what management suspected were problematic areas in terms of audit and coverage of risk areas. That insight had several implications. First, it underscored that operational managers will always know more about their risk areas than auditors will, which means they are in the best position to identify problems and weaknesses. Second, it was a good reminder that there are never going to be enough auditors to even address the high risk areas. Once again, we are dependent on managers. So what does that mean? It means that monitoring should help drive the audit plan and strategy. In addition, managers need to be listened to on a regular basis, and they should be charged with monitoring. In addition, he observes that the risk assessment must also not be treated as a static document. Risks can go up and down during the course of the year, and the risk mitigation strategy needs to be adjusted with it. Listen in to learn more about how to improve your monitoring and auditing, as well as the role of management in it.
11/21/2023 - 10 minutes, 49 seconds

The FBI on Economic Espionage [Podcast]

By Adam Turteltaub Economic espionage sounds more like the stuff of a spy thriller than a day-to-day concern for business. Not so, as it turns out. To learn more we sat down with the FBI’s Counterintelligence Division Unit Chief Matthew Charles and Cyber Division Supervisory Special Agent Michelle Liu. Economic espionage generally refers to stealing trade secrets for the benefit of an overseas competitor, often one aligned with a foreign government. An employee at your organization working on a sensitive project may be leveraged, frequently with the lure of cash and other payments. Typical targets include technology with potential military use and, of late, pharmaceuticals. To counter this threat, the FBI Cyber Division maintains partnerships with many private sector companies to identify nefarious conduct on their networks. Meantime the Counterintelligence Division looks upstream for actors coming into the US seeking access to US technology. So what should companies do? First, protect yourself. Encryption can be helpful along with limiting access to sensitive information only to key people. Make sure, too, to track who in your firm is accessing trade secrets. Also, be sensitive to unusual employee behaviors or changes in affluence levels. An employee suddenly downloading large files at night, emailing their personal email address sensitive information or whose debt problems have inexplicably disappeared could be engaged in economic espionage.  Just don’t jump to any conclusions.  There could be legitimate reasons for these actions. Second, the FBI advises reaching out to them when an incident occurs. The FBI can’t investigate without ongoing collaboration of the victim organization. They also advise that it is never too early to call them in, and if you do not want them there, they will pull out. Finally, take the time to leverage government resources. 
Be sure to familiarize yourself with the US Department of Justice’s Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) website. You will find there information on reporting computer, internet-related or intellectual property crime. And, of course, listen in to the podcast to learn more about the risks of economic espionage and what you can do to mitigate it.
11/16/2023 - 12 minutes, 43 seconds

Jason Meyer on Neurodiversity [Podcast]

By Adam Turteltaub How do you understand “neurodiversity” or “neurodivergence”? It starts with the recognition that no two humans are exactly alike and no two brains function exactly the same way. It then goes on to recognize that for people with ADHD, autism, dyslexia, sensory integration and executive function issues, those differences can be substantial. Estimates are that about 20% of the workforce has some sort of neurodivergence. In this podcast, Jason Meyer (LinkedIn), President of LeadGood Education, explains that compliance teams need to recognize neurodivergence when communicating with the workforce. This means looking for more structured communications that make it easy for learners to see things step by step. Another technique to pursue is reducing cognitive loads and demands on working memory. A test at the end of a two-hour course may be too much for many people to be able to manage successfully. Some other tips include having visual cues to accompany text and offering an audio option. That way if someone is limited in one sense, they can rely on another. If you have someone neurodivergent on your team, start with watching your assumptions. If a person is not making eye contact or is responding to questions haltingly, don't assume they don't care. They may be neurodivergent. Above all, be empathetic and listen, and park your preconceived notions at the door. Listen in to learn more about the challenges and opportunities with neurodiversity.
11/14/2023 - 14 minutes, 44 seconds

Vera Cherepanova on the EU Directive on Combatting Corruption [Podcast]

By Adam Turteltaub Currently there is a patchwork of anticorruption laws across the EU. What has been lacking, though, is an EU-wide approach. That is likely to change soon, reports Vera Cherepanova, founding partner of Studio Etica. Change is afoot. In May 2023 the EU issued a new proposal to combat corruption, including a new Directive of the European Parliament and the Council on combatting corruption by criminal law. The new directive, she explains, makes it clear that actions by senior executives can have significant consequences both for the individuals involved and their organizations. Companies could face fines of no less than 5% of worldwide turnover. Notably, like the US Foreign Corrupt Practices Act, the new EU directive has extraterritorial reach, which raises the prospect of more enforcement actions. The directive also includes incentives for compliance programs consistent with what is found in law elsewhere: “…where legal persons have implemented effective internal controls, ethics, and compliance programmes, it should be possible to consider these actions as a mitigating circumstance.” Meantime, across the English Channel, the UK Parliament is considering a new Economic Crime and Corporate Transparency Bill, which could represent a hugely significant change in the enforcement landscape. It includes a crime of failure to prevent fraud. In addition, corporations can be held liable for acts of senior managers. Listen in to learn more about the upcoming changes and what they may mean for your compliance program.
11/9/2023 - 15 minutes, 42 seconds

Kristine Coy-Foster on Goal Tracking [Podcast]

By Adam Turteltaub Kristine Coy-Foster (LinkedIn), Senior Manager, Compliance & Employee Engagement at Vulcan, had a challenge many in compliance face: tracking all her to-dos, and then, once a to-do turned to done, tracking the accomplishment. It was important for her to be able to capture the challenges she faced, new ideas tested and processes developed. Trying to keep it all straight in Outlook or Excel spreadsheets wasn’t enough. To solve the problem she invested the time to learn Smartsheet, a platform that primarily is for managing projects and automating processes. In it, she created workstreams, alerts, dashboards and more. She also created categories for each of the functional areas she oversees and organized her to-dos accordingly. The solution has worked well for her, but, she cautions, it does take a strong commitment to keeping everything up to date. Listen in to learn more about how to put this tool to work for you, or, maybe, customize the tool you are already using to track your own compliance team’s progress.
11/7/2023 - 12 minutes, 42 seconds

Evelyn Suarez and Thad McBride on the Uyghur Forced Labor Prevention Act [Podcast]

By Adam Turteltaub Since the 1930s the United States has had import bans on forced and convict labor. But the rules were tightened in 2021, explain Evelyn Suarez, Principal, The Suarez Firm, and Thad McBride, Partner, Bass, Berry & Sims PLC. That is when Congress passed the Uyghur Forced Labor Prevention Act (UFLPA). The act has a rebuttable presumption that goods made in whole or part with labor from the Xinjiang region in China are made with forced labor. If US customs suspects that goods are made in this region, they can stop them until the importer can provide the necessary assurances. In addition, goods made in other regions are also being stopped because their supply chain includes labor from Xinjiang. So, what should compliance teams do to help the business unit navigate the issue? For one, it’s key to go beyond the first line supplier, as is typical, and start looking deeply into the supply chain and start researching your supplier’s suppliers. Suppliers should be asked what connections they have to China. Mapping questionnaires should be developed and issued. Training needs to be given, and third-party vetting vendors will likely be needed. In addition, develop interdisciplinary teams to create a plan for responding should a shipment be held. Even before that, start developing a good relationship with customs and take advantage of their expertise. As is the case with so much else in compliance, keep good records that you can present to customs, maybe even on a proactive basis. Finally, keep your eyes open for customs rulings and court cases that may provide guidance on what to expect next.
11/2/2023 - 14 minutes, 14 seconds

Stefani Sonzzini Navarro on When Employees Report on Themselves [Podcast]

By Adam Turteltaub We spend a lot of time in compliance discussing how to encourage employees to come forward and report any wrongdoing they see around them. Considerably less time, though, is spent on how to handle employees who report their own wrongdoing. In this podcast, Stefani Sonzzini Navarro, LATAM Compliance Officer for Corteva Agrisciences, balances the scales. Encouraging employees to come forward with their own questionable acts, she explains, begins with having the right culture. People need to be comfortable and feel safe to report. Getting there takes time and repetition, she explains, along with a strong anti-retaliation policy that covers self-reported wrongdoing as well. When an employee first brings the potential issue to your attention, she advises letting them know that if they report something you are obligated to act on it, and that you have to do what is in the best interest of the company. Let them know you will protect their confidentiality as much as possible, but that you also will have to remediate. This will help build trust, but also let them know what is likely to happen. The subsequent investigation should be conducted as quickly as possible, in recognition of how anxious the subject likely is. Throughout, she advises, be open and make yourself available. If you let the employee grow too anxious, there could be adverse behaviors and consequences. If the employee has in fact done something wrong, their willingness to report must be recognized. Let them know that things would have been worse if they had not spoken to you. Listen in to learn more about how to encourage and support self-reports of wrongdoing.
10/31/2023, 12 minutes, 11 seconds

Maria Victoria Mota on Brazil’s AI Legislation [Podcast]

By Adam Turteltaub

While many of the world’s governments are struggling to determine what to do about AI, Brazil already has a track record in this area. As Maria Victoria Mota, Corporate Attorney at Viapol (a subsidiary of RPM), explains in this podcast, the roots of government action in Brazil go back to 2018 with data protection regulations that are similar to the European General Data Protection Regulation (GDPR). This initial legislation was followed by a second in 2020 created to develop the rules of how the government, companies and individuals may use AI. It was followed by more legislation, most recently in 2023. The latest came after a committee of jurists was created to help frame the bill. Working with scientists and experts in technology, they examined how AI should be used and the AI laws of 31 different countries. The goal was to create legislation specific to the needs of Brazil. Privacy is a central pillar of the bill, which is also based in human rights and sound data protection practices. It is designed to ensure accountability, and organizations seeking to comply need to follow eight steps, Maria explains:

1. Create a multidisciplinary work group.
2. Empower the group with knowledge so they can bring learning to the company.
3. Map AI in the company. Understand what departments are using it and how much.
4. Create a policy and procedures around AI and document them.
5. Train employees on the policies and procedures created so they can understand how important they are.
6. Apply the policy and procedures.
7. Stay current with changing laws and regulations.
8. Audit compliance regularly.

Listen in to learn more about both Brazilian AI law and what makes for effective internal controls around the use of AI.
10/26/2023, 10 minutes, 46 seconds

Richard Bistrong on the Risks of High Performers [Podcast]

By Adam Turteltaub

Fast Company recently ran an article with the headline “Research Shows High Performing Employees are More Prone to Unethical Mistakes.” It’s both an alarming and an intriguing proposition. To understand more I spoke with Richard Bistrong, CEO of Front-Line Anti-Bribery LLC, who co-authored the article along with Ron Carucci and Dina Smith. Why are high performers potentially so dangerous? For one, he explains, success tends to block scrutiny. People don’t like to question it and are just grateful to see so much of it. They may not think to look or not want to look too deeply. Another challenge is that the more successful people are, the more addicted to success they may become, something Richard knows from his own experience. The challenge of being a corporate hero, he explains, is that once you earn that status, you typically don’t want to give it up and may end up going down what has been called the rabbit hole of success. At the same time, the company may be exerting pressure on the individual to do ever more, partially because it is standard practice in business to set higher goals. But also, the company may grow disproportionately dependent on the results the high performer can generate. Fortunately, there are several things that can be done to mitigate the risk without clipping the wings of the highflyer. For one, compliance teams should try to look at the incentive plans to both identify the risks and help mitigate them. While there, look to also include compliance measures that make it clear that it’s not just about achieving the goals, it’s also about how you achieve them. Second, connect rewards and good performances with the company’s values and mission. This helps the high performer understand both what the rules are and why they are important. Listen in to learn about how to get the most out of high performers while avoiding the risk that can come with them.
10/24/2023, 12 minutes, 54 seconds

Andrea Falcione on Institutional Justice [Podcast]

By Adam Turteltaub

In the September 2023 issue of Compliance and Ethics Professional® (CEP) magazine, Andrea Falcione (LinkedIn), Chief Ethics and Compliance Officer and Head of Advisory Services of Rethink Compliance LLC, wrote about fostering a speak-up culture. Institutional justice, she wrote, is a critical part of that effort and “paramount to gaining and keeping employee trust.” To learn more about the topic, I sat down with her for this podcast, in which she explains that there are four elements of institutional justice. The first is Respect for everyone involved in an incident. That includes the person who comes forward with an allegation of course, but it should also include those the allegation was raised against, any witnesses and also people who come forward to self-report. By doing so, you make it clear that it is safer and better to come forward when there is wrongdoing. Voice is the second element. She shares that this means allowing people to speak and share their story. It also means listening attentively, showing interest, making good eye contact and asking open-ended questions. Neutrality is about making unbiased decisions and not letting a conflict of interest get in your way, such as when investigating a high performer in the organization. Transparency, about both the process and the outcome, is the fourth key element. It helps build trust that the process is fair and demonstrates that there will be a thoughtful response by the organization. Listen in to learn more about what institutional justice is and how to improve it in your organization.
10/19/2023, 12 minutes, 51 seconds

Chris Audet on Compliance Program Stresses, Strains and Opportunities [Podcast]

By Adam Turteltaub

Where is the compliance profession now and where is it going? To find out we sat down with Chris Audet, Chief of Research at the Gartner Center for Legal, Risk & Compliance Leaders. Gartner recently issued a report, “Key Budget, Staffing and Spending Trends for Compliance in 2023”, and in this podcast he shares some of the insights in it. When it comes to budgets, compliance teams are strained, but not how they expected. During the pandemic there were fears of large funding cuts. While there have been some reductions, on the whole they have been minor. However, workloads have increased dramatically. This has led, he explains, to overstretched departments where the loss of even one FTE can be devastating. Three key issues have led to the increase in demands on compliance teams:

- The challenge of tracking regulations.
- A rising number of issues, such as ESG, that may have begun in another department but are now considered compliance’s responsibility.
- Conducting internal investigations in an expeditious manner. With workers in the office less, the pace of investigations has slowed.

To help get the work done compliance teams are investing more heavily in technology, particularly in risk management systems. The pace of investment is expected to grow as compliance teams contend with flat budgets and reduced staff. To retain staff, Gartner advises creating a strong value proposition that includes a work-life balance and career development. Listen in to learn more about the state of compliance and how teams are coping.
10/17/2023, 11 minutes, 48 seconds

Dr. Shan Nair on Global Expansion [Podcast]

By Adam Turteltaub

When an organization begins to expand globally, or even when a global organization enters a new market, the compliance challenges can be considerable and multiple. In this podcast, Dr. Shan Nair, President of Nucleus, explains that companies need to worry not just about issues such as anti-corruption and data privacy. There are a host of HR, accounting, corporate taxation, indirect taxes, withholding taxes and other compliance issues. In addition to these obligations there may also be filing requirements. Germany, for example, requires a special filing if a local subsidiary is not self-funding. Making things more complicated is that a trusted source for compliance advice in one area likely is completely unaware of the challenges in another. The bottom line is that it takes a concerted effort and a very local approach to meet all these obligations and ensure that the organization is compliant not just on the big issues, but on the dozens of less headline-grabbing ones as well.
10/12/2023, 9 minutes, 22 seconds

Adam Balfour on Branding Your Compliance Program [Podcast]

By Adam Turteltaub

You may not realize it, but your compliance program has a brand. Line employees and management all have a host of impressions about the compliance department that color how they respond to what you say and do. A strong brand means that your actions are more likely to be appreciated. A weak brand means it’s a very steep uphill climb. Adam Balfour, Vice President & General Counsel for Corporate Compliance at Bridgestone Americas and author of the book Ethics & Compliance for Humans, is an advocate for compliance teams making the effort to invest in creating a strong, positive brand that communicates the value of the program. As a part of that effort, compliance teams need to move beyond simply building awareness to ensuring that the brand resonates and is relevant to the organization. To do that he advocates taking a people-centric approach and using three methods of motivation:

- Start with why. Don’t just tell them what to do. Tell them why they need to do it beyond “the law requires it”.
- Emphasize group safety. Share what others in the organization are doing and use community as a motivator.
- Use incentives. The US Department of Justice is calling for them, and they can be very helpful, even non-monetary ones.

Finally, leaning on his United Kingdom roots, he encourages compliance teams to think like soccer midfielders, players who can both defend and attack. Listen in to learn more about how you can strengthen your compliance program’s brand.
10/10/2023, 13 minutes, 29 seconds

Lisa Monaco on Voluntary Self Disclosures in Mergers & Acquisitions [Podcast]

By Adam Turteltaub

On October 4, 2023 at the SCCE Compliance & Ethics Institute in Chicago, US Deputy Attorney General Lisa A. Monaco spoke live from Washington to the attendees and used this opportunity to announce a new Safe Harbor Policy for voluntary self-disclosures made in the context of the merger and acquisition process. Under the policy, acquiring companies that promptly disclose criminal misconduct voluntarily within the six-month safe harbor period, cooperate with investigators and engage in remediation, restitution and disgorgement will receive the presumption of a declination. She also explained that, absent aggravating factors at the acquired company, it will not impact the acquiring company’s ability to receive a declination. She also shared how the Department of Justice has been fighting corporate crime, including:

- The expansion of corporate enforcement efforts in the national security realm
- New tools DOJ is using to penalize corporate misconduct and provide incentives for good corporate citizenship
- Areas where they see further opportunity for innovation and expansion

Listen in to learn more and hear her underscore the importance of compliance programs, proper corporate incentive plans, and the DOJ’s expectation that the compliance team will have a seat at the deal table.
10/9/2023, 19 minutes, 47 seconds

Scott Young on Taking a Behavioral Approach to Compliance [Podcast]

By Adam Turteltaub

Much of the day to day of compliance isn’t about understanding laws. It’s about influencing human behavior and steering people in the right direction. In this podcast, Scott Young, Principal Advisor and Head of Private Sector at Behavior Insights Team, Americas, shares that understanding how people make decisions can help compliance teams be more effective. To do so, he advocates for using behavioral science to gain a broader perspective for thinking about human behavior. The field has shown, for example, that the classic economics model of rational thinking doesn’t always apply. Too often we operate in a semi-automatic mode, making decisions quickly, not really aware we are even making them. So what do compliance teams do? Adopt what he describes as the EAST Framework:

- Easy. Make sure the proper choice is the default choice.
- Attractive. Make compliance fun and engaging. Embrace gamification and other ways to make compliance more attractive to people.
- Social. Humans are social beings and we are curious what others are doing. Think about tapping into the power of the group, such as leveraging social norms.
- Timely. Having reminders and controls in place when they are timely is difficult but not impossible. Look for the right moments of intervention and the right, often quick, reminder of what is the right thing to do.

Listen in to learn more about how you can put a behavioral approach to work for your compliance program.
10/5/2023, 14 minutes, 48 seconds

Carrie Penman on the State of Compliance in 2023 [Podcast]

By Adam Turteltaub

NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer. Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from doing their job. It was still a minority, but a larger one than before. Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy. Looking globally – the survey also has data broken out for Germany, France and the UK – there was a far from uniform picture, with country-by-country variations showing varying priorities and levels of satisfaction. For example, risk and compliance professionals in Germany reported their ability to measure training and behavior higher than their peers in France and the US. All in all, the report makes for a fascinating, and sometimes troubling, picture of the practice of compliance. Listen in to learn more about what the data said and what it may indicate for your compliance program.
10/3/2023, 13 minutes, 24 seconds

Brent Douglas on Background Checks [Podcast]

By Adam Turteltaub

It may be time to rethink background checks. Brent Douglas (LinkedIn), partner at the law firm Hahn Loeser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history. He also warns that in some jurisdictions screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check. That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation, they are often required. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology. If your organization conducts background checks, it may be best to have a third party conduct them for you. This both leverages their expertise and may shift liability if the check is done improperly. He also cautions that even a casual internet search of a prospective employee may turn up a past criminal conviction and cross the line into what legally constitutes a background check. For those concerned about the risks of hiring a criminal, he points out that roughly 95% of the population does not have a criminal background. Amongst those with a conviction, about 95% of those were for marijuana possession or a DUI. He asks: is it worth doing the background check given these odds? Listen in to learn more about the risks of background checks.
9/28/2023, 15 minutes, 55 seconds

Mary Shirley on Leveling Up as a Compliance Professional [Podcast]

By Adam Turteltaub

Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program. In this podcast she argues for embracing professional development and owning your own advancement. Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year. The same information, she points out, is very helpful when looking for your next position. It can help you both recall what you have done and prepare to answer questions about key accomplishments and solutions you have developed. When it comes to speaking at conferences and writing, she offers some simple advice: Just start. If you don’t, you will always wonder what might have happened if you did. From a practical perspective, she urges people to remind themselves that the first draft doesn’t have to be the last. You can turn to others for feedback who can help you revise and improve that article or speaking proposal. To get the best advice, she recommends creating what she calls a wisdom council: a group of individuals whose advice you can trust. The council should be made up of people with diverse skills and experiences who have practical expertise and the comfort level with you to offer both encouragement and honest feedback, even if it is uncomfortable. Listen in for more advice on how to level up your skills and how to find the courage to pursue your goals.
9/26/2023, 14 minutes, 50 seconds

Kristy Grant-Hart on Maximizing Your Conference Experience [Podcast]

By Adam Turteltaub

You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there? Kristy Grant-Hart, CEO of Spark Compliance Consulting and a former compliance officer herself, shares in this podcast several excellent tips for making your conference time truly valuable. Her recommendations: Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks. Pick the sessions based on both the topic and the speakers you want to listen to and meet. Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have defined times to work and a defined time to be fully present at the conference. Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending. Take advantage of vendor receptions and dinners to meet more people. When you connect onsite, also connect on LinkedIn right then and there. If you promise you’ll send someone a follow-up email, do it that night before you forget. Don’t be afraid to approach people you don’t know. They’re probably there to meet new people, too. Put your follow-ups for once you’re back in the office into a list that you can easily find. Listen in to hear more great ideas for getting the most out of your time at the conference.
9/21/2023, 12 minutes, 42 seconds

Meric Bloch on the Experienced Investigator Workshop [Podcast]

By Adam Turteltaub

In 2023 the Society of Corporate Compliance and Ethics (SCCE) launched a second workshop designed specifically for investigators: the Experienced Investigator Workshop. Meric Bloch, who is one of the two instructors and Principal at Winter Investigators, explains in this podcast that the workshop is very different from most. Rather than using a traditional method of instructors in front of the room, it seeks to engage the participants directly and make them a part of the learning. Participants are led through case studies and asked to take an active part in the classroom interactions. This provides an opportunity to explore the issues, consider various ideas and think deeper. Looking beyond the surface-level mechanics of the investigation is a central part of the workshop. Much of the conversation focuses not on the what to do’s, but the why’s: why use a certain technique, why one choice may be better than another. The workshop also helps its participants to prepare for what he refers to as the “unknown unknowns”. Often investigators plan out an investigation, Meric notes, based on what they know and what they know is as yet unknown. However, as the process proceeds surprises occur, and previously unknown unknown elements must now be tracked down. So who is the workshop best for? Several groups:

- Those who already know the basics and want to get to the next level.
- Individuals seeking to have a wider perspective on cases and become not just an investigator but also a business advisor.
- People who aspire to be a full-time investigator and seek to raise their competence.
- Lifelong learners.

Listen in to learn more, and then take some time learning more about the investigator workshops.
9/19/2023, 12 minutes, 3 seconds

Andre Bywater on the EU-US Data Privacy Framework [Podcast]

By Adam Turteltaub

First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains Andre Bywater, Partner, Cordery, there is a bridge: the EU-US Data Privacy Framework. The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted. The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling EU data, a process that will be overseen by the US Department of Commerce, with enforcement handled by the FTC. Whether self-certifying for the first time or recertifying, there are countless details to be watched. There are special provisions, for example, when it comes to HR data. And, of course, there is a question of whether courts in Europe will allow the new regime to stand. There is already speculation that a new case may be brought in January 2024. For now, though, there is a new EU-US Data Privacy Framework in place. Listen in to learn more about what your organization needs to do to comply.
9/14/2023, 11 minutes, 21 seconds

Mark Schreiber on PCI 4.0 Compliance [Podcast]

By Adam Turteltaub

Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe. Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations. Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers and have written agreements with them that account for security standards and include a process for due diligence before engaging with them. Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security. Perhaps needless to say, this is not likely to be a quick process. Also likely to be time consuming is the mandatory self-assessment questionnaire. Listen in to learn all that PCI 4.0 requires and to hear an important warning: just because you outsource your credit card processing doesn’t mean you outsource the risk.
9/12/2023, 15 minutes, 4 seconds

Cheryl Gilbert on Celebrating Corporate Compliance & Ethics Week [Podcast]

By Adam Turteltaub

Stamford Health has just a bit less than 4000 employees spread out in over 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy. To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site. What aren’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it. To make the week fun they have developed a wide range of activities, including:

- A haiku contest. Employees are challenged to write a haiku based on the organization’s core values.
- A Where’s Waldo type game in which employees have to spot all the breaches on a messy desktop.
- A question of the day.
- A word search, which is probably the most popular of all.

There is also the opportunity to nominate compliance heroes, with rewards to both the hero and the person who nominates them. While all of these are great for building the relationship between compliance and the rest of the organization, she advises that you shouldn’t let your Corporate Compliance & Ethics Week be the only time a year in which the barriers come down. She recommends investing wherever possible in face-to-face interactions. You would be amazed, she tells us, at what a coffee cake can do to help. Listen in to learn more about how to make your Corporate Compliance & Ethics Week celebration a success.
9/7/2023, 13 minutes, 38 seconds

Jeremy Laws on Cancer Reporting Requirements [Podcast]

By Adam Turteltaub

Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissue is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that this falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency to believe that, for example, the lab is reporting the results and so the physician does not need to. That’s not the case, he explains. Worse, many facilities do not even know that they need to report cancer findings. Listen in to learn more about how to ensure your health care facilities are meeting their cancer reporting requirements.
9/5/2023, 12 minutes, 43 seconds

Stephen Pavlicek on Involvement Options with SCCE & HCCA [Podcast]

By Adam Turteltaub

When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA, shares the free resources the association provides and how to take advantage of them. First stop are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents. To see all that’s there, first login on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The group selects topics to discuss, breaks up into smaller groups for conversation, then returns for further conversation. In addition, there are active LinkedIn groups for SCCE and HCCA. Read the messages there, share insights of your own, or use the group to connect directly with other compliance professionals. In sum, there are a host of vehicles out there for you to connect with and meet the wider compliance community. Be sure to take advantage of all of them.
8/31/2023, 6 minutes, 55 seconds

Laura Fey, Tom Leatherbee and Jillian Cusack on Compliance and Disaster Preparedness [Podcast]

By Adam Turteltaub

When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explain Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay into pension plans and make insurance payments – to financial reporting. There may also be state laws and standards under ISO and SOC 2 that may be implicated. If your institution is a recipient of federal grants, the reporting requirements don’t stop during disasters. Plus, if your organization will be seeking federal disaster grants, there will be compliance obligations there as well, including the need to document the damage. To ensure the compliance team is a part of disaster planning, establish a relationship with the person in charge of leading that effort. Learn who else they work with and get to know them as well. Take the time to understand what the risks are using resources such as Ready.gov. Think through what data you will need to collect and track during the pandemic, and be prepared to help your colleagues understand that compliance can play a vital role in disaster planning and recovery.
8/29/2023, 14 minutes, 37 seconds

Jonny Frank and Kat Nolan on Compliance Program Certifications [Podcast]

By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned. They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification: (1) Select a framework for the certification criteria that the organization will grade itself against. (2) Conduct a scenario-based compliance risk assessment. (3) Assess and design key control activities. (4) Create a sub-certification waterfall: set accountable owners throughout the organization to certify compliance effectiveness in their area. (5) Arrange for a third party or internal audit to assess the program. Listen in to learn more, including the importance of documenting your processes.
8/24/2023 | 10 minutes, 32 seconds

Kristy Grant-Hart on the Global vs. Local Dilemma [Podcast]

By Adam Turteltaub So, you’ve got a global compliance program. But what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting, recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the other. Look also at employment practices. Having a policy of non-discrimination is good, but in some regions there may be requirements to hire certain indigenous groups. To avoid confusion, she advises defaulting to one policy wherever possible, and being sure to have a version control process in place. You don’t want one office to still be operating under an old policy. Listen in to learn more about how to make thoughtful localization decisions, how to get honest feedback locally, and what to do about facilitation payments.
8/22/2023 | 13 minutes, 14 seconds

Melinda Shapiro on Enterprise Risk Management [Podcast]

By Adam Turteltaub Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate. Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year. Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle. The results have been highly positive. She reports that there is a much better understanding of risks and controls. In addition, there is now better alignment and very strong support from the board’s audit committee. Listen in to learn more about what she did differently, how she learned from others, and new ways to think about your own ERM process.
8/17/2023 | 12 minutes, 11 seconds

Emeka Obiora on Health Care Compliance in the United Arab Emirates [Podcast]

By Adam Turteltaub Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations of healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi. Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers. As a result, the risk profile is very different. Risk is still there, though, with several key areas to manage. The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking. The second common risk area is conflicts of interest, which is focused on interactions with pharmaceutical and medical device manufacturers. To ensure that there is no undue influence, contact between clinicians and providers may be completely prohibited. As is the case elsewhere in the world, privacy is also a significant concern, and in the UAE it has grown to be a greater challenge now that there is a new, tougher law. So, is working in the UAE in healthcare right for you? Emeka recommends asking yourself if you have a sense of adventure. As importantly, ask the same about your family and what impact a move may have on them. If you do decide to take the plunge and find a potential opportunity, assess it like you would any other compliance position. Look at the organization and its governance structure: Will you have access to the senior level of the organization? Question carefully their approach to compliance and ethics. While it may not be as advanced as what you are used to in the US, if the tone and the commitment are there it’s worth considering, especially because there is a growing emphasis on accountability, corporate responsibility and ethics in the UAE. That portends well for the future. Listen in to learn more, including one myth about the UAE that needs to be dispelled.
8/15/2023 | 12 minutes, 23 seconds

Ami Simunovich on Growth, Risk and Compliance [Podcast]

By Adam Turteltaub Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, points out Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, they need to balance that with a need to see and encourage others to take the right risks. A compliance officer who can do that earns credibility with business leaders. So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making. Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision? Would our partners be proud of what we have done? Is this who we are? Along the way, embrace open conversations that ask whether the decision or initiative is the right one. At the same time, be sure that, as the business proceeds, there are controls in place that are fit for purpose for the risks at hand. Listen in to learn more about how the compliance team can help the business grow.
8/10/2023 | 13 minutes, 6 seconds

Adrian Taylor, Ahmed Salim and Nakis Urfi on ESG and DEI [Podcast]

By Adam Turteltaub One of the more well-attended sessions at the SCCE 22nd Annual Compliance & Ethics Institute promises to be “ESG and DEI: How to Position for Stakeholder Success”. The session will be led by Adrian Taylor, Director of Diversity, Premier Health; Ahmed Salim, Chief Compliance Officer, iRhythm; and Nakis Urfi, Product Compliance Officer, Babylon Health. ESG and DEI are two of the hottest issues in compliance, and in this podcast preview of their session they start by taking on a controversial topic: Should DEI and ESG be combined? Traditionally, DEI has been its own discipline. Many now argue it should be considered a part of the S (Social) in ESG, while others feel that doing so would diminish the emphasis on DEI. Ideally, DEI should not be affected by being included in ESG, they say. If handled correctly, it can maintain its focus and management commitment and even strengthen ESG efforts. When the two are aligned they create a more sustainable business model that balances people, profit and planet. Together they can also help foster engagement with stakeholders, improve culture, encourage greater accountability, and help the company’s reputation. To be successful, Nakis, Ahmed and Adrian argue, organizations need to manage four key challenges of ESG ratings: a limited focus on DEI; having accurate, valid data; a lack of standardization; and subjectivity. All of these can lead to ratings that are more judgement scores than a true measure of an organization’s commitment to DEI and ESG. Listen in to learn more, including how to identify data that is truly useful for measuring your organization’s DEI and ESG success. Then, don’t miss their session at the SCCE 22nd Annual Compliance & Ethics Institute.
8/8/2023 | 15 minutes, 7 seconds

Crystal Jezierski on Compliance Frameworks and Management [Podcast]

By Adam Turteltaub Crystal Jezierski, Senior Managing Director, Guidepost Solutions, thinks that at this point we have enough guidance documents and frameworks for compliance programs. That’s not a criticism but a compliment. She finds the existing prescriptions to be helpful, instructive and reflective of the evolving understanding of best practices for effective compliance programs. They are also flexible enough for new and emerging risks. What’s needed now, she believes, are more opportunities to benchmark, share, apply and test how programs are implemented. As with compliance programs as a whole, that begins with understanding how to assess risk and how others are doing so. If done correctly, of course, a risk assessment can orient resources to both current and future issues as well as change how the company is doing business. When managing a new issue, she recommends involving a combination of the standard partners – HR, internal audit, finance and technology – as well as additional partners who bring expertise to addressing the risk at hand. One other partner needs to be considered throughout: the board. It can be a tremendous asset for compliance, sometimes more so than leadership. To gain and keep board support, she advocates for regular contact, updates, and conversations about emerging issues. Listen in to learn more about how to leverage the compliance frameworks, learn from others and work with the board to create a stronger compliance program.
8/3/2023 | 11 minutes, 51 seconds

Eric Baim on Compliant Business Communications Through Messaging Apps [Podcast]

By Adam Turteltaub Email isn’t enough anymore, if it ever really was. Employees are communicating with each other, clients and prospects via texts, WhatsApp, Teams, Slack and many, many more tools. Much attention has been paid to the US Department of Justice’s call for organizations to be able to produce all that communication, which is not an easy task. Eric Baim, partner at Dovetail Consulting Group, explains that focusing on producing the communications is important, but it isn’t enough. Compliance teams need to train employees to use these technologies appropriately. That education process begins with compliance developing an understanding of what these applications were designed to do: facilitate quick, back and forth interactions, brainstorm, and ask a question less formally than one would via email. The problem is that often these interactions lack context because they are continuations of other conversations. As a result, an outsider seeing them can draw very incorrect conclusions about what was being said. With that understanding in mind, it’s important to make it clear to employees that if they are conducting company activity via these communication tools, they still need to follow company policy. Next, help them to understand the risk of comments taken out of context and to ensure that they add some. If the text, for example, is a follow up to an in-person meeting, reference it. Be sure also to underscore the importance of being truthful and of avoiding jargon and assumptive statements. Stick to the facts and keep personal commentary out. Internally, compliance teams, he argues, should take the time to understand how they can use these channels to communicate with the workforce. Communicating with the business where it is can help keep compliance top of mind and relatable. It can also help foster greater dialog which is, after all, what these applications were designed for.
8/1/2023 | 10 minutes, 15 seconds

Jannica Houben and Travis Waugh on Interactive Policies [Podcast]

By Adam Turteltaub In a perfect world, whenever employees face a difficult decision or outright compliance issue, the right policy would automatically pop up in front of them. While that is not likely to happen soon, Jannica Houben, Vice President, Global Legal Transformation, and Travis Waugh, Director, Training, both at TD SYNNEX, can envision a world in which Outlook could spot issues as they are typed, flag them for the employee and give guidance and pointers to where to call for help. Until then, there are still many things compliance teams can do using off the shelf software to automate compliance processes. It’s a topic they explore in the podcast and in greater depth in their Session “Interactive Policies: Using Technology to Enhance Decision-Making” at the 2023 SCCE Compliance & Ethics Institute. So how do you create this automated future? They recommend beginning by thinking not about what tool you want, but what benefits you want the tool to deliver. Think about the value you want to provide and what would make employees’ lives easier. In addition, expect an iterative process: you won’t get everything right the first time. Once you have that in mind, you can begin the pursuit of the tool itself. At TD SYNNEX the compliance team tried to create the path of least resistance for employees to compliance, including developing an adaptive policy guidance tool. Using BRYTER, which requires no coding, they developed a tool which asks a series of questions to determine what the issue is, gives advice and routes a form to the employee’s manager. The manager can then add notes and recommendations. The tool has a dashboard that can track the whole process. It also can help identify gaps and what the organization’s risks are, what policies need to be created and when more training is required. This program has freed up time for the compliance team, enabling it to invest in relationships and add more value. Getting started is surprisingly easy, they report. Listen in for more inspiration, and then don’t miss their session at the 2023 SCCE Compliance & Ethics Institute.
7/27/2023 | 14 minutes, 27 seconds

Bill Piwonka on Privacy, Consent and Compliance [Podcast]

By Adam Turteltaub With the consent requirements built into privacy regimes, you can’t help but focus on them. Bill Piwonka, Chief Marketing Officer at Exterro, cautions, though, that there is much more than consent to worry about. Consent is very specific around whether people you are interacting with are giving you permission to have and use their data for specific purposes. Much focus is given to the pop-up warnings on websites and cookies. Compliance teams, he advises, need to look at all the places where the organization collects data and uses data, including apps, to ensure proper consent is obtained. One other area not to be overlooked: Data subject access requests. It can be an enormous undertaking when a consumer demands to know what information you have on her or him. Even more daunting are similar requests by departing employees. Think of the hundreds of thousands, if not millions, of documents that contain data from an employee, everything from HR records to emails to conversations on Teams. So great is the challenge of tracking them all down that employees are starting to use the threat of requiring all this data as a way to leverage a better severance package. Listen in to learn more about these issues and what you need to do to prepare to meet your privacy compliance obligations.
7/25/2023 | 13 minutes, 42 seconds

Jen Hoar on Human-Based Due Diligence [Podcast]

By Adam Turteltaub The proliferation of computer-based due diligence tools, combined with the travel restrictions of the pandemic, led to a shift away from in-person due diligence efforts. Technology-based approaches increased dramatically, and, according to Jen Hoar, Managing Director of Forward Risk, relying solely on them can be a mistake. Talking to human sources, she argues in this podcast, helps augment and provide nuance to open-source public records. Talking to people who have worked with the third party can flesh out what it is like to do business with them and if there are any concerns. Sources to interview can include prior investors, customers, industry experts, and even trade journalists. When conducting the interviews with these individuals, she advocates for an open-ended, conversational approach. Rather than trying to get through a list of questions, give them the opportunity to talk about whatever is important to them and pursue the conversation wherever it leads. Be sure, though, to take note if someone is oversharing. It may be a sign of an agenda. In terms of your own agenda, she advises against going in with a hypothesis to prove or disprove. Instead, go in with an open mind. Your job is to gather information and to find out what the truth is rather than to test a theory. Listen in to learn more about the role and value of human-based due diligence.
7/20/2023 | 10 minutes, 27 seconds

In Depth: Cecilia Muller Torbrand on The Maritime Anti-Corruption Network [Podcast]

By Adam Turteltaub For organizations working to avoid corruption it can be a lonely fight. While a sales or compliance team may know that there are many others out there who would not pay a bribe, when facing a corrupt demand, they tend to be on their own. The maritime industry, though, has taken a major step to change the dynamic. In this extended, in-depth podcast, Cecilia Muller Torbrand, Chief Executive Officer at Maritime Anti-Corruption Network (MACN), explains how they pursued a collective action approach that now includes about 200 companies. The maritime industry is very exposed to corruption risk. A given ship can touch many jurisdictions over a short period of time. Captains are often very far from their headquarters and encounter multiple government touch points when approaching a port. The corruption they face varies dramatically, but it is frequently manifested with requests for facilitation payments: some token of appreciation. The challenge is a legal one since facilitation payments are prohibited under the UK Bribery Act. It is also a practical one, when the appreciation turns into a demand and expectation. When a captain turns down the request, it can lead to a host of problems, ranging from confiscated passports to endless, time-consuming inspections. To help fight this problem MACN began about 10 years ago with just 8-10 companies. It has since grown to around 200. The companies recognized they could not fight the problem alone and had to work together. Success has been driven by a focus on solutions rather than finger pointing. They also, when possible, seek to bring in the local government. Armed with a database of over 50,000 incidents of corrupt demands they are able to use data, rather than anecdotes, to advocate for change and demonstrate how systemic the issue is. The results have been substantial, and over time the MACN logo on a ship has come to mean a great deal in countries where they are active. It actively helps dissuade bribe seeking. MACN has also created a Global Port Integrity Program (GPIP). It leverages the data collected on corruption incidents to provide members with a port-by-port look at corruption risk, enabling better preparation. Secondly, GPIP has enabled them to provide a level of transparency not before seen that can help ports understand how they need to improve. All these efforts have led to remarkable results with measured improvements on the ground. Listen in to learn more about what MACN has done, and, perhaps, use it as a model for your industry.
7/18/2023 | 32 minutes, 37 seconds

Guillem Casoliva Cabana on Ambassador Programs [Podcast]

By Adam Turteltaub More and more organizations seem to be adopting compliance ambassadors or champions programs. In a nutshell, these efforts involve having members of the business unit serve as the eyes and ears, and sometimes arms and legs, of the compliance office. Guillem Casoliva Cabana, Compliance Manager, Training & Education, at Booking.com shares his insights on the topic in this podcast. The company’s ambassadors program began over 10 years ago. Recruiting and training ambassadors is a critical part of the process at Booking.com. They are not nominated by their managers. Instead, all are individuals who volunteered to take on the role. At times, it can even be competitive. If more than one person in a given unit volunteers, there is a vote taken in the unit to make the selection. The onboarding process includes seven distinct steps, including a live session with the compliance and ethics team that goes deep into the scenarios that they may face. Experienced ambassadors serve as mentors to newer ones. And, on an ongoing basis, ambassadors are supported through in-person meetings, an online portal, newsletter and quarterly webinars. The program’s durability is a reflection of how successful it has been. The ambassadors have helped support the ethical tone of the company, served as examples of the company’s values and proven to be a cost-effective means of embedding compliance without adding to headcount. Listen in to learn more about how the program has worked and what you need to do to start a successful ambassadors effort of your own.
7/13/2023 | 14 minutes, 6 seconds

Amii Barnard-Bahn and Melanie Sponholz on Getting Paid What You’re Worth [Podcast]

By Adam Turteltaub While many would say that you couldn’t pay them enough to take a job in compliance, managers often feel as if compliance officers are being paid too much. So how do you get what you deserve? In this podcast, and at the 2023 SCCE Compliance & Ethics Institute, Amii Barnard-Bahn, Partner, Kaplan & Walker and Melanie Sponholz, Chief Compliance Officer, Waud Capital Partners, take on this touchy subject. Before asking for more money, they advise doing your homework. Take the time to talk to peers and recruiters to see what the market rate is. Also, know your employer’s compensation system. Do they tend to pay at the top, bottom or middle of the range? You can also check the SCCE or HCCA compensation survey and sites like Glassdoor and Indeed. When you do meet with your manager or leadership, go in knowing that this is a difficult conversation for them as well as for you. Do your best to keep things professional. Focus on why the increase in compensation is beneficial for them and not just for you. Spell out what contributions you have made and will be making. Above all, be realistic and don’t go in angry. Want to know more? Listen in to learn how to make the conversation successful, what to do if it isn’t, and how to ask for more compensation or a changed title when your role is expanded. And, don’t forget to attend their session at the 2023 Compliance & Ethics Institute.
7/11/2023 | 16 minutes, 55 seconds

Mike Lifshotz on Retaining Staff [Podcast]

By Adam Turteltaub When an employee announces a departure to another job, there is a temptation to think that it was for more money. That’s probably a mistake, says Mike Lifshotz, founder and CEO of Hatch Compliance. The new position may pay better, but employees are more likely to depart due to issues such as work/life balance, room for advancement, greater challenges, lack of appreciation and what they perceive to be a bad culture. To get them to stay, he advises, first and foremost demonstrate respect. That should begin with the hiring process, during which you should both lay out your expectations for the candidate and what they should expect from you. The organization’s values are particularly important in this regard. They are integral to setting expectations and need to be communicated from the onboarding process and on an ongoing basis. Be sure to keep the communication process going in general. Employees cannot be expected to trust their managers if the managers don’t take the time to know them. From a compliance perspective, knowing employees and their personalities can help identify when something is wrong and help you act accordingly. Compliance can also help with employee retention by providing a safe place for workers to share their concerns without fear of retaliation. One last piece of advice he offers: take the time to survey the workforce regularly. Use the survey both to measure the culture and as a way to demonstrate that the organization is willing to listen. Then, act on the results. Listen in to learn more about how to manage the challenging issue of employee retention.
7/6/2023 | 11 minutes, 53 seconds

Regina Gurvich on Staying Motivated [Podcast]

By Adam Turteltaub Regina Gurvich, Chief Compliance & Risk Officer for Omni Ophthalmic Management Consultants, knows from first-hand experience that it’s not always easy for compliance officers to stay motivated. There is often a strong headwind, and sometimes a brick wall. To stay motivated she advises focusing on getting your voice heard, staying true to yourself and finding enjoyment in what you do on a daily basis. For her, that begins with clinging to her idealism and the belief that few people wake up in the morning looking to do the wrong thing. Focus, she advises, on the fact that for many people the right thing just isn’t clear enough. Think about ways to educate them and look to do so on a continuous basis. Encourage them not to just know what the law is but understand what it means and how to operationalize it. Also, grab onto your natural curiosity. Take the time to learn as much as you can about the business and how people go about doing their jobs. Understand where the money comes from and where it goes. That’s more important than ever over the last five to ten years, especially in healthcare. Then, as you work with others on putting compliance controls in place and seek solutions for a problem, be willing to negotiate and don’t lose your sense of humor. Listen in to learn more about how to make the day go a bit better.
6/29/2023 | 11 minutes, 55 seconds

Lauren Kornutick on ChatGPT Compliance Risks [Podcast]

By Adam Turteltaub ChatGPT is, like the movie title, seemingly everywhere, all the time, and all at once. Individuals and corporations have rushed to embrace it, sometimes with great results, other times, not so much. For better or worse, ChatGPT and other AI-driven solutions are here to stay, and with them comes a host of new risks to manage. In this podcast, Lauren Kornutick, Director Analyst, Legal and Compliance at Gartner, shares the findings of recent research the firm conducted on ChatGPT. They found several risks for compliance teams to focus on: Fabricated and inaccurate answers. As with the case of the lawyer linked to above, ChatGPT sometimes makes things up because it was trained on inaccurate material or it was unable to understand the context of the question. IP Risks. Employees may not understand that once data is put into an open source tool it becomes part of the public domain. That means more training on how to protect IP in the new AI era. Often the data set used to train the AI relies on data that is biased. A human review is absolutely essential to ensure that existing biases aren’t furthered. Fraudsters are particularly adept at finding nefarious uses for new technology. Consumer Protection. Some states require that it be made clear when consumers are interacting with a person, and when they are interacting with a bot. The FTC has also stressed that AI needs to be transparent, accountable and empirically correct. Listen in to learn more about how to protect your organization from the risks of ChatGPT. Be sure, too, to check out the press release. Gartner subscribers can learn more detail by accessing “What Legal and Compliance Leaders Need to Know About Large Language Model Risks.”
6/27/2023 | 10 minutes, 30 seconds

Matej Drascek on Urban Myths About Ethics [Podcast]

By Adam Turteltaub For the cynical, business ethics, itself, is a myth. For those of us in the profession, we know it is not. Still, that doesn’t mean that certain urban myths don’t arise. Matej Drascek, in this provocative podcast, and in an article from Compliance and Ethics Professional® (CEP) magazine, argues that there are, in fact, a number of them. They are: Myth 1: The code of conduct supports ethical behavior. Myth 2: The compliance program helps the organization become more ethical. Myth 3: Whistleblowing tools reduce the risk of unethical behavior. Myth 4: More training in ethics is better. Myth 5: Individual “unethical” characters can be curbed with the right controls. Myth 6: Goals related to ethics or compliance help people behave more ethically. Sound more like truths than myths? As you will hear, his comments are more warnings about the complacency traps that can arise. For example, we may think a code of conduct is helpful, but if it’s read once and then forgotten, it’s not. Or, just because there’s a whistleblower line doesn’t mean it will be used; the fear of retaliation may keep an employee from reaching out. Listen in to learn the subtle nuances. If you don’t, your ears will fall off. Okay, maybe that’s Myth 7.
6/22/2023 | 14 minutes, 23 seconds

Anitha Vittal on the Risks of AI in Healthcare [Podcast]

By Adam Turteltaub The excitement over Artificial Intelligence (AI) is often met with concerns about its negative potential. That’s especially true in healthcare where the potential gains are met by the principled and practical requirements of protecting patient data. Anitha Vittal, Head, Risk and Compliance, Providence Global Center in India tackles the topic head on in this podcast. She sees AI as having great potential to revolutionize research, diagnosis and treatment, if we can successfully create guardrails for its responsible use. To do so, she recommends focusing on the risks. The big ones are: Data protection and security. AI requires huge amounts of data, which raises potential privacy concerns. If the data is biased, then the output will be as well. Transparency and Accountability. It can be very difficult to understand AI systems. That’s why it’s essential to bring transparency and accountability into the process. Compliance teams also need to be educators, helping the AI team and businesspeople understand the ethical considerations involved. One potential technique involves creating case studies and requiring participants to play different roles to better understand perspectives and risks. Listen in to learn more about managing the opportunities and risks of AI, including the importance of what she calls the Four E’s: Establish, Embed, Enforce and Evolve.
6/20/2023 13 minutes, 26 seconds

Stephen Paskoff on Making Compliance Training Effective [Podcast]

By Adam Turteltaub Stephen Paskoff, the President and CEO of ELI, believes that we need to think about compliance training differently.  Instead of it being about communicating information, it needs to be about cultivating a culture of compliance and activating organizational values. So how do we get there? He recommends focusing on education designed to be retained and applied by the learner. To do that you need to be clear not on just what the standards are but also why they are important. As importantly, the training can’t stand alone. It has to be linked to broader initiatives and relevant to employees. Even if employees don’t get every nuance of the law or regulation, they have to have a sense of what is right and wrong and be reassured that they will be welcomed if they speak up and raise a concern. Getting to that point requires making compliance as normal a part of the dialog as discussing sales, manufacturing and other issues. Organizations need to stop treating compliance as something separate and apart and more of a norm of doing business. That begins with the CEO and leadership team treating it that way. It also means knowing what the barriers are and implementing programs to overcome them. Listen in to learn more about how to improve your compliance training, including the five C’s and how they can help.
6/15/2023 13 minutes, 17 seconds

CJ Wolf on Adult Learning Theory [Podcast]

By Adam Turteltaub Our colleagues expect to be treated like adults, and that should include the compliance training we assign them. CJ Wolf, a professor at Brigham Young University-Idaho and founder of Codermedschool.com, explains we need to embrace adult learning theory, which recognizes that adults learn differently than children. Making mistakes, for example, is particularly powerful. Good compliance training, consequently, should be less about telling them what they need to know and more about providing them with an opportunity to work through scenarios and make their errors in a safe classroom setting rather than out in the real world. He shares a host of similar good advice in this podcast and in the SCCE Creating Effective Compliance Training Workshop. Click below to hear other do’s and don’ts to make your training more relevant: Do assess the effectiveness of the training. Be sure to include testing. Don’t assess the effectiveness just once. See what employees remember several months later. Don’t overload new employees on the first day. A lot of departments are throwing information at them.  Be judicious in terms of what you expect them to tackle right away, and what can wait until later. Do have a training plan based on your organization’s risk. Don’t give everyone the same training. Tailor based on their needs. Want to know more? Think about joining him for the Creating Effective Compliance Training Workshop.
6/13/2023 11 minutes, 19 seconds

David Paschall and Stephanie Haywood on Contract Lifecycle Management [Podcast]

By Adam Turteltaub Contract lifecycle management has grown to be an increasingly critical issue for healthcare providers. Staffing issues, shrinking margins and changing regulatory requirements are all adding to the challenge, report David Paschall, CEO, and Stephanie Haywood, SVP of Sales and Client Engagement at Ntracts. Pursuing a contract lifecycle management strategy, they report, can help alleviate these issues by reducing the number of days a contract spends being reviewed, increase transparency and help the organization adopt standardized language and processes to ensure greater adherence to internal policies. It can also reduce the number of contracts that get auto renewed by mistake, are not renewed when they should be or overlap needlessly with other agreements. Listen in to learn more about how adopting a contract lifecycle management strategy can bring greater efficiency and a host of other benefits to your organization.
6/8/2023 13 minutes, 34 seconds

Jay Cohen on the Delaware McDonald’s Decision [Podcast]

By Adam Turteltaub For years Caremark has set the standard for expectations for board members. The notable Delaware case made clear that boards should exercise reasonable care in overseeing an organization. In practice that includes obtaining information about the organization’s compliance efforts and responding when signs of potential violations are found. As Jay Cohen, of counsel at the law firm Giordano, Halleran & Ciesla, PC explains, now a new decision (In re McDonald’s Corporation Stockholder Derivative Litigation) extends that same duty of oversight to corporate officers within their area of expertise. This significantly raises the bar for executives when it comes to ensuring the organization is operating in a compliant manner. Perhaps even more significantly, only two executives at a corporation – the CEO and Chief Compliance Officer – are expected to exercise oversight throughout the entire organization. This, he argues, has the impact of increasing both the scope and importance of the compliance role within the organization. So, what should organizations and their compliance teams do in the wake of this decision?  Jay recommends that organizations raise the stature of the compliance team. Second, look at recruiting individuals for compliance who have a history in leadership to match the role. Third, build the compliance program around impact, not just activity. Listen in to learn more about what the McDonald’s decision says, and what it means for your compliance program.
6/6/2023 14 minutes, 48 seconds

Scott Garland on Giving Advice [Podcast]

By Adam Turteltaub You really should listen to this podcast. That’s my advice. If you do you’ll hear Scott Garland, Managing Director, Sanctions, Cyber, Fraud and Ethics Compliance & Monitoring at Affiliated Monitors give better advice on giving advice. He begins by advising a bit of humility: remember that having a quick and ready answer is not always best. You are likely the newest person to learn about the problem and least familiar with it. As a result, you need to take the time to learn and determine not just what the immediate problem is but also what the situation as a whole is. Don’t be afraid to ask others to slow down to ensure you understand things completely. Then, make sure you get the facts and context right. Be sure, too, to identify assumptions being made by the advice seekers to ensure that they are correct. They may not be. Once you have that information and the goal that the advice seekers have in mind, as well as what they see as the ideal outcome, then it is time to give advice. When you do, give them, he advises, a recipe and not a treatise on cooking. They don’t need to know the long history of the rules and the many exceptions. Instead focus on bite-sized information that they can use and share with others. The BLUF approach can be very effective: Bottom Line Up Front. By summarizing the issues succinctly at the top, you are more likely to reach people who are far more focused on the advice than the reason behind it. Listen in to learn more about how to give advice wisely, the importance of documentation and the role of empathy, and if you’re an SCCE member, read two articles on the topic by Scott on COSMOS.
6/1/2023 11 minutes, 20 seconds

Jay Mumford on Metrics, Targets and Response Plans [Podcast]

By Adam Turteltaub Jay Mumford is a long-time compliance veteran and Senior Global Compliance Manager at Bio-Rad Laboratories. There he developed an approach he calls MTR, which stands for Metrics, Targets and Response Plans. It’s an approach, he explains, based on ideas from the quality movement. At its heart, MTR recognizes that whatever the compliance process may be, there is a need to manage at scale. To do so, you need standards and measurements, targets, and response plans in case you miss those targets. An MTR approach, because it is disciplined and focused on goals, helps avoid a whack-a-mole approach to compliance. It enables building your program in repeatable ways, whether that’s training or, as was the case for him with document retention, ensuring that all the documents are both accounted for and not retained unnecessarily. In this podcast he explains how MTR has worked in practice and the technology tools available to compliance teams, typically at no cost, to help them take an MTR approach. These include the Power Platform embedded in Microsoft’s Enterprise platform and Visual Basic for Applications in Excel. Listen in to learn about how you can put MTR to work for your compliance program.
5/30/2023 15 minutes, 22 seconds

Valerie Rock and Kristen Lilly-Davidson on Private Equity, Healthcare and Compliance [Podcast]

By Adam Turteltaub Over the last decade private equity has discovered healthcare, and with that discovery has come a rush of money and compliance nightmares.  Valerie Rock (LinkedIn), Principal, and Kristen Lilly-Davidson (LinkedIn), Consulting Senior Manager, at PYA explain that there has also come a growing awareness of the importance of compliance due diligence. Five to seven years ago, they explain, private equity (PE) firms were focused on business valuations and financial reviews.  Over the years, though, they have learned to appreciate the importance of compliance and coding reviews, including clinical compliance.  The shift was the result of too many instances of finding significant non-compliance issues post-acquisition.  These, of course, can be very expensive. Firms today need to take the time to do site reviews to examine everything from the culture to the business practices to the condition of the building to the devices used.  Often paperwork doesn’t match what actual practices are, and a dysfunctional culture can’t be identified by looking at a spreadsheet. Risks include the revenue cycle but also operational processes.  If they are poor, the potential for fines and other penalties is substantial. Listen in to learn more about what PE firms are, or should be, doing as they enter the healthcare market.  Plus, pick up some tips that can be useful for non-PE firms that are making acquisitions and conducting their own due diligence.
5/25/2023 12 minutes, 44 seconds

John Gardiner on Non-Compete Agreements [Podcast]

By Adam Turteltaub Non-compete agreements may soon be going the way of the dodo. The FTC just concluded its public comment period for its plan to eliminate them in most cases, and new rules are expected to be released later this year. Already, though, many states have restricted these agreements. In this podcast, and in his article in Compliance & Ethics Professional, John Gardiner of Bodman explains that the new FTC rule was designed to counter agreements that many felt were overly broad and restricted the ability of employees to find gainful employment elsewhere. The agreements also raised antitrust concerns since they could stifle competition; the FTC saw behavior among employers that appeared to them to keep employees from finding work elsewhere. The new rule could change that, greatly narrowing when a non-compete agreement could be enforced. It also means that non-disparagement and non-disclosure agreements that could have the same chilling effect on employment changes will likely fall on the wrong side of the line. So, assuming the rule goes into effect, what should compliance teams do? First, dust off existing agreements to determine how they measure up against the new rule and existing state laws. Second, be on the lookout for non-solicitation agreements and provisions requiring employees to reimburse their employer for training should they switch jobs. Third, make sure that the businesspeople understand what is and isn’t permissible. Finally, remember that this may be a moving target, especially if the courts start weighing in. Listen in to learn more about the changing and eroding ground under non-compete agreements.
5/23/2023 13 minutes, 45 seconds

Gaurav Kapoor on the Updated DOJ Guidance [Podcast]

By Adam Turteltaub The U.S. Department of Justice (DOJ) Criminal Division Evaluation of Corporate Compliance Programs document was updated in March 2023. Since then compliance teams and the broader compliance community have examined it closely, searching to better understand the government’s expectations. Gaurav Kapoor, co-CEO and co-founder of MetricStream, sees an overarching key message to the update: The DOJ expects organizations to have a well-designed compliance, ethics and risk program and, with it, the ability to closely evaluate and monitor its effectiveness. The bar has definitely been raised. So what should the compliance team do? First, to his reading, the DOJ is encouraging organizations to follow connected, holistic approaches to compliance programs. Second, how you train and communicate must be well organized and integrated into business processes. Third, third-party risk must be scrutinized and the interconnectedness with the business must be made more visible. As for boards, they need to understand that they must continue to play their role in the business and risk governance. They must also, though, act in overseeing the risk management and compliance programs and ensuring they are successful. To that end, boards need to ensure that these programs are sufficiently funded and led, understand where compliance reports and remove any conflicts of interest. Listen in to learn more about these topics as well as adopting a compliance culture, looking beyond the guidance, and the proliferation of guidance documents that compliance teams need to navigate.
5/18/2023 14 minutes, 30 seconds

Segev Shani on Privacy, Blockchain and Compliance [Podcast]

By Adam Turteltaub These days, the term “blockchain” is no longer novel. Yet, many still struggle to understand what exactly it is and what implications, if any, it may have for a compliance program. Segev Shani (LinkedIn), Chief Compliance & Regulatory Officer at Neopharm explains that it is more than the tool underlying cryptocurrency. Blockchain is a technology in which data is stored in blocks, and once that block is full, another one is formed, creating a chain. This data is not held in one place but is distributed on multiple servers, which ensures that it cannot be improperly manipulated. When it comes to privacy, though, there is a privacy-blockchain paradox. While the security of the data is protected via blockchain, the data, itself, cannot be deleted. So, should compliance teams simply say “no” to using blockchain with personal data? According to Segev, not necessarily. A growing number of tools have been developed to manage this issue, including the ability for a data subject to turn their data on or off, making it either public or private as they see fit. It’s an intriguing area, and well worth the time to listen in to learn more.
5/16/2023 10 minutes, 23 seconds

Sheila Limmroth on Social Media Compliance [Podcast]

By Adam Turteltaub Ah, social media. The cause of so much joy and pain, both for individuals and organizations. For compliance teams it can be a breeding ground for breaches, particularly in healthcare where HIPAA violations and social media tend to go hand in hand. Pinnacle Healthcare Consulting’s Sheila Limmroth tackled the issue of social media and compliance in the latest edition of the Complete Healthcare Compliance Manual and does so in this podcast. Some issues, such as a worker posting a photo with a patient, persist. Often innocent, these breaches are nonetheless serious. It’s the reason why ongoing training is necessary. A new worker coming, for example, out of fast food probably is unaware of the restrictions of HIPAA. Even veteran staff may lose track of the rules, and the marketing team may not realize that the testimonial they want to run still requires a signed consent form from the patient. In addition, the rapid turnover in healthcare workers means that if you have training on an annual cycle, it’s highly likely that a significant portion of the workforce has not received the education it needs. To make that training effective, she recommends providing examples of how to use social media properly, and ways that people may use it very improperly. Unfortunately, it’s not just accidental breaches and a lack of training you need to worry about. The website and the software on it are also important. She points to the Meta Pixel JavaScript Code that many hospitals were using and which allegedly could share the data with Meta, the parent of Facebook. As with other compliance risks, ongoing monitoring is essential for managing social media. Fortunately, there are providers of software that will scour the various platforms to look for posts and even identify material that was likely submitted by an employee. In addition, she advises encouraging employees to be on the lookout for and report material that shouldn’t be on the web.
The goal of this vigilance shouldn’t be to catch and punish, but prevent, educate and avoid future social media disasters. Listen in and learn more in the Complete Healthcare Compliance Manual.
5/11/2023 14 minutes, 2 seconds

Susan Du Becker on Managing from the Middle [Podcast]

By Adam Turteltaub For all the talk of tone at the top, the reality is that few employees report to the top. Virtually all report to a manager somewhere in the middle, and it’s the tone that leader sets that is often most important. Susan Du Becker, Director Risk & Compliance at Microsoft believes that compliance teams need to focus on managing from the middle and getting this important level of the organization on board. So how do you get these managers to work with you? How do you earn their commitment to help, especially in risk areas like privacy and anticorruption? For her, it’s about being inventive and thinking about how you can get them to drive compliance rather than you. To do that, she looks for the key influencers who can serve as champions for the program. They can go upstream or downstream and will help carry the message. Gaining the support of these people requires some effort, she reports. You have to sell them on your vision and let them know that it is to their benefit to further it. If, for example, you can show the sales VP that getting expense reports right reduces the risk of an audit, keeps the salesforce out of trouble and increases the speed with which the team gets reimbursed, you have a supporter. Once you have middle managers on board, make their life as easy as possible. Take away the pain, and give them the tools, templates and PowerPoints they need to put the policy into practice. What should you not do? Become overexuberant. It’s critical to avoid running ahead and instead focus on a stair step approach. Also: remember you have to keep them committed. You can’t take them for granted. Listen in to learn more about how to make the middle of your organization your greatest supporter.
5/9/2023 11 minutes, 25 seconds

Bob Woolverton on Compliance Lessons from Terminations [Podcast]

By Adam Turteltaub Most of the time people look at the termination of a problematic employee as solving a problem. Bob Woolverton of Top Tier Leadership Training believes that thinking is a mistake. As he points out in this podcast, it’s not an end point. Instead, it’s the time to start, if you haven’t already, assessing how the organization got to this point. The employee’s supervisor was responsible for ensuring the worker’s success and safeguarding his or her welfare. The termination begs several questions the manager should be asking: What should or could I have done to prevent this from happening? What is my culpability? If it’s a policy violation, am I certain the employee understood the policy, or did we just have him/her sign off? Did the policy not make sense in this environment? Was there an opportunity for misapprehension or misapplication? The bottom line: it is the time to start a reassessment process. On an ongoing basis he recommends organizations’ managers take a “rudder tap” approach. What this means, in practice, is providing small adjustments to course when things begin to go awry, rather than waiting until things are so far off that a bad outcome is inevitable. Making this method successful requires fostering an environment where people – both employees and managers – understand that corrections can be positive and a part of a healthy corporate culture. Listen in to learn more about how a termination can lead to a process of positive change for the organization.
5/4/2023 15 minutes, 20 seconds

Lindsay Bernsen Wardlaw on Trade Compliance: It’s Both Who You Sell to and Who You Buy From [Podcast]

By Adam Turteltaub With the proliferation of sanctions in the wake of the war in Ukraine and more focus on responsible sourcing, trade compliance has grown exponentially in complexity. It has also become less of a compliance silo and become more integrated with other compliance efforts. To understand the state of trade compliance we sat down with Lindsay Bernsen Wardlaw (LinkedIn), Director, Trade Advisory Services, Amalie Trade Compliance, who outlined the four areas of trade compliance: sanctions, export controls, antiboycott and customs. Each has great complexity, and there’s much more than Russian sanctions to worry about. Restrictions on importing goods manufactured by forced labor have increased dramatically with the passage of the Uyghur Forced Labor Prevention Act that presumes goods sourced from the Xinjiang region of China were made with forced labor. The law has real teeth, she explains. Of the approximately 3,000 shipments stopped under the law, none have been released. So what should organizations be doing? First, take the time to understand your risks, including the primary inputs for your products and who your suppliers and customers are, including agents and channel partners. Understand, too, where the goods are being made, sold to and for whom. Have a restricted party screening process in place and an import/export classification strategy. Also, be sure to have a transaction review team in place for any deals that may be sensitive. She also recommends creating a crisis task force for when things go wrong, as they may. It will likely include the trade compliance, supply and procurement teams. Other potential members include IT, engineering, product management, and even communications. Listen in to learn more about what you need to do to ensure compliance in this ever-more complex risk area.
5/2/2023 12 minutes, 32 seconds

Sese Bennett on Zero Trust [Podcast]

By Adam Turteltaub Compliance teams have long advocated for building more trust in the workplace. That is a good idea for the corporate culture, but, counsels Sese Bennett, a virtual CISO for CereCore Advisory Services, going the exact opposite way may be better for your IT security. There he advocates that organizations never trust and always verify. So, what is a zero trust approach? It assumes that just because someone has logged in to your system doesn’t mean that person is who he says he is or that she can access the entire system. In practice that means carefully controlling access both into the network and within it. It means preventing someone who has accessed a low value part of the network from using that access to reach higher value servers. It means having a system that knows an individual doesn’t, say, normally log in from Pakistan at 4:00 in the morning. It monitors sudden changes of usage. Importantly, he explains, a zero trust approach is not necessarily intrusive. Users won’t be forced to log in repeatedly to prove who they are. Instead, it can work behind the scenes and be invisible to the end user. Listen in to learn more, including what teams you will need internally to adopt a zero trust approach and potentially better protect your data from breaches.
4/27/2023 14 minutes, 22 seconds

Ant Stevens on Putting AI to Work for Your Compliance Program [Podcast]

By Adam Turteltaub When discussing AI around compliance professionals these days you can instantly feel the tension. AI, for all its promise, has proven to be a bit of a compliance and ethics nightmare. Stories abound of AI embracing redlining and other discriminatory practices. Anthony “Ant” Stevens, CEO and Founder of Melbourne, Australia-based 6Clicks sees opportunities, though, for putting AI to work for your compliance program. It has the potential, he believes, to streamline activities, better tie policies to the underlying legal requirements and enable compliance teams to better understand the overlap of similar laws around the world. In this podcast he explains how the technology can help compliance operations, particularly ChatGPT. He also makes clear that there are limits to AI. A human element remains important for ensuring that what AI says makes sense, both on its face and for your workplace. Listen in to learn more about how AI can stop being the stuff of a compliance professional’s nightmares and start becoming a dream come true.
4/25/2023 14 minutes, 50 seconds

Mary Ellen Palowitch on EMTALA [Podcast]

By Adam Turteltaub In 1986 the Emergency Medical Treatment & Labor Act (EMTALA) was enacted. As Mary Ellen Palowitch (LinkedIn), Senior Managing Director, Dentons Health Care Group, explains in this podcast, just because it is long established doesn’t mean health care providers have it completely under control. Issues continue to come up. EMTALA requires hospitals that participate in Medicare, including rural emergency hospitals, to provide medical screening to determine if there is a medical emergency. If, in fact, the patient requires treatment, the hospital must provide stabilizing treatment within their capabilities, regardless of whether the patient has the means to pay. Two areas often cause confusion and real issues under EMTALA. They are best known by the phrases “clinically stable” and “stable for transport”, neither of which is defined in EMTALA. Clinically stable, she explains, may mean anything from a comparison to how the patient first presented to a reflection of the patient’s overall condition. Stable for transport is a term commonly used in hospitals. It does not technically mean the patient is stable, but it signifies that the patient has achieved the level of care that the hospital can provide. Basically: the hospital has done all that it can, and it may be more prudent for the patient to be transferred elsewhere for the care needed. Complaints do arise under EMTALA and may come from patients or their families. When one is sent in to the government, a multistep process begins. The complaint is reviewed and can lead to an onsite investigation that may include comparisons to how other patients were treated, interviews with staff, a tour of the emergency department and review of records. Hospitals found to be deficient are required to remediate promptly. Listen in to learn more about how to avoid and manage EMTALA issues in your emergency center.
4/20/2023 12 minutes, 11 seconds

Lindsay Meyer Bond on Protecting Children in Higher Education Settings [Podcast]

By Adam Turteltaub While we tend to think of colleges and universities as being filled with college students, children much younger are often on campus. In fact, Lindsay Meyer Bond, Executive Director of the Higher Education Protection Network, says that there may be more minors on campus than regular students. Everything from enrichment programs to sports camps can bring hundreds of children with them. When looking for guidance as to how to keep campuses safe for children, there is no federal law to turn to. Instead, there is a patchwork of state regulations, and many universities have had to create policies of their own. For the most part, these policies require the reporting of suspected abuse or neglect. Many now require background checks for those interacting with kids that may go beyond the initial screening when hiring. Often universities have codes of conduct that prohibit one-on-one interactions with minors, but there is complexity there. A professor may not know that the student showing up for office hours is under eighteen. In addition, there may be conflicts of law and regulations. Ohio State University has a program, she explains, where students can learn to fly. FAA regulations stipulate that only the student and instructor may be in the plane. Their solution: when the student is on the ground, he or she is never alone with an instructor. To successfully navigate the challenges of minors on campus, she recommends strong policies and ongoing communications plans. With turnover frequent in youth programs, it is risky to assume that the adults have been fully trained, unless that training is continuous. In addition, keep an eye on your campus Name, Image and Likeness (NIL) program. College athletes may be running their own programs and not be aware of all the rules. Listen in to learn more about how to manage this difficult and sensitive issue.
4/18/2023 12 minutes, 50 seconds

W. Bruce Cameron on Simple Rules, Dogs and Ethics [Podcast]

By Adam Turteltaub W. Bruce Cameron is the author of 8 Simple Rules for Dating My Teenage Daughter and a whole series of novels about dogs including A Dog’s Purpose which spent 63 weeks on the New York Times bestseller list. His latest novel is Love, Clancy: Diary of a Good Dog. So, why is he on a compliance and ethics podcast? Well, because his writing has a lot more to do with it than you might think, and he learned some painful lessons about setting and enforcing rules. It was easy enough to write those simple rules for dating his then two teenage daughters, but that didn’t make him popular. He was seen as a despot and met resistance (both overt and subtle). As for those daughters, one is now a CFO and the other, ironically, works in law enforcement. The experience taught him several lessons that compliance teams can relate to: you have to recognize that you can’t have complete control; just because you think things will go better if others do what you say, they may not; and there is a need for human expression and accommodation for it. Dogs have proven less argumentative for him. As he observes, they have been bred over the centuries to be absolutely dedicated to us. We raised them to be our tools first and then pets. Today they are thrilled when we come home and bring their optimism and hope, and their love of play, into our lives. Dogs, though, he believes, lack an innate sense of right and wrong. Instead, they are born with instincts where what pleases us is “right”. That, he explains, is why dogs owned by bad people turn out “bad”: they are doing what they think will please their owner and, to them, that’s the right thing to do. We have an ethical duty to dogs, he argues, because they are wired to please us. In addition, they were bred to depend on us even to survive. Listen in for a fun conversation about dogs, ethics and the often frustrating outcomes of setting even the most basic of rules.
4/13/2023 11 minutes, 56 seconds

Ganesh Krishnan on Cyber Threats [Podcast]

By Adam Turteltaub The cyber landscape these days can be terrifying. Malware, ransomware, spyware, phishing, cloud-based computing and so much more are enough to keep even a compliance veteran up all night. There are other risks to consider, too, says Ganesh Krishnan (Twitter), co-founder and CEO of Anzenna. One major issue is scalability of IT security resources. As organizations grow larger and increasingly reliant on cloud-based software providers, the size and complexity of security challenges increase. If the cybersecurity team does not grow with it, problems increase, work doesn’t get done, and vulnerabilities quickly emerge. A second problem is the attitude that data security is the responsibility of the data security team. He argues persuasively that it isn’t. Technology can’t solve cyber problems. The entire company has to be focused on it. That includes the workforce, which has been labeled, wrongly he argues, the “weakest link.” Instead, organizations need to recognize that employees can be the strongest link and have to be treated accordingly. This means more frequent training and less punitive measures when things go wrong. Employees should not be fearful to come forward and report a mistake they made. He also encourages organizations to be more open when there is an incident, sharing internally what happened and what employees can do in the future to help prevent it from reoccurring. Listen in to learn more about how to improve your cybersecurity program.
4/11/2023 - 11 minutes, 53 seconds

Matt Silverman on Antiboycott Law [Podcasts]

By Adam Turteltaub While the trade compliance focus these days tends to be on Russia and the hundreds of sanctions imposed, one old issue remains: The Arab League Boycott of Israel. Despite improving relationships between Israel and some of its neighbors, progress has not been uniform and risk remains. In this podcast, Matt Silverman, Global Trade Director and Senior Counsel at VIAVI Solutions and author of the chapter “U.S. Antiboycott Laws: Understanding the Impact and Ensuring Compliance” in the Complete Compliance and Ethics Manual, explains that the boycott prohibits companies and individuals from doing business in Israel or with other companies that do business with the country. The US antiboycott law makes it illegal for US companies and persons to support the boycott, or, for that matter, any boycott that the US does not endorse. It would seem simple enough, but it isn’t. Individuals not familiar with the issue may not think twice of signing an agreement that says the company will follow the laws of the country where the sale is made. What they may not realize is that the country has laws on its books prohibiting business with Israel. Examples of boycott language can be found on websites of the US government. To comply with the US antiboycott law, both in the Middle East and elsewhere where boycotts may be in place, it is essential that employees be trained in what to watch out for. The company should also have an antiboycott policy. In addition, companies need to remember that there is an obligation to report any boycott requests. Listen in to learn more or read the chapter about the topic in the Complete Compliance and Ethics Manual.
4/6/2023 - 15 minutes, 41 seconds

Lisa Beth Lentini-Walker on ESG, Cyber and Privacy [Podcast]

By Adam Turteltaub ESG, cyber risk and privacy are all hot topics in compliance, but that doesn’t mean people typically identify the data issues as ESG topics.  Lisa Beth Lentini Walker (LinkedIn), CEO & Founder of Lumen Worldwide Endeavors  and Assistant General Counsel at Marqueta, thinks that’s a mistake. Cyber and privacy, she believes, fall very much under the Social in Environmental Social and Governance. Just look at the many ethical issues surrounding data usage these days as proof. She explains in this podcast and in the chapter “ESG, Cyber and Privacy: Bridging the Divide” in the 2023 Complete Compliance & Ethics Manual, that privacy and security are not separate and apart from ESG. They are central to how the organization navigates the world and people around it. Keeping data secure is squarely under the social mission of the enterprise. To live up to that obligation, organizations have to focus more on keeping data safe and building proper systems around how individuals interact with the data. Simply believing “well, we have a good practice” is not enough. The practices have to support the ESG framework in terms of meeting the company’s commitments. In addition, the temptation to be data hoarders has to be tempered. Collecting data is easy to do, and it’s generally inexpensive to store. That makes it easy to rationalize indefinite retention. But, a clear path to data destruction is essential. Think of it like cleaning out the closet. It may not be easy, but it needs to get done. Organizations also need to embrace greater transparency about the processes in place to safeguard and use data. That helps investors and rating agencies better assess how the entity is measuring up against the SASB and other standards. Listen in to learn more, and then check out the 2023 Complete Compliance & Ethics Manual.
4/4/2023 - 11 minutes, 33 seconds

Chris Matlock on Third Party Risk [Podcast]

By Adam Turteltaub The Gartner Legal Risk & Compliance Practice recently released a report on the state of third party risk management. To learn more we talked with Chris Matlock, Gartner’s Vice President, Advisory – Corporate Strategy & Risk Practice. The report was developed, he explained, because of the substantial changes in business over recent years. As the size of businesses has grown – many of the Fortune 500 are 50%-100% larger than they were a decade ago – the number of third parties they work with has increased dramatically and with it the “threat surface”. Complicating the challenge, much of this growth took place during the pandemic, when normal third party vetting processes were not possible. Today, with a threat of a recession, third parties are often under extreme pressure to meet the expectations of both their owners and their customers. The likelihood for compliance failures is higher. Gartner’s research found that the typical risk factors remain, but they have been intensified by both new regulations and stresses on supply chains. IT and cyber risks are growing larger at the same time that companies have made substantial investments in technology to enable their team to collaborate and interact with customers electronically. Adding to the challenge, many organizations do not have a mechanism for centrally managing their third parties, which makes it more difficult to ensure consistency in practices and respond when things go awry. Pushing the “stop” button with one vendor may trigger unexpected consequences three steps downstream. Additional stress has been created through, as noted earlier, a heightened regulatory environment. Anticorruption enforcement continues while the number of privacy laws grows. To manage the risks, many have turned to tools to collect more data on their supply chain, but that has posed the problem of having too much data and, as a result, difficulty in determining which pieces of data are truly important.
To help manage these risks, Chris recommends enlisting the enterprise risk management team to create key indicators that can help monitor risks in a forward-looking way.
3/30/2023 - 15 minutes

Arvin, Greene and Podleski on Privacy and Patient Data [Podcast]

By Adam Turteltaub At the 2023 HCCA Compliance Institute there is a sure to be fascinating roundtable discussion led by Marti Arvin, Vice President, Chief Compliance Officer, Erlanger Health System, Joan M. Podleski, Chief Privacy Officer, Children’s Health and Adam Greene, Partner, Davis Wright Tremaine, LLP. They will be addressing a range of privacy and data-related issues. In this podcast one of the topics they discuss is the complexities around access. Often, for example, raw data is not kept in the main health information management system (HIMS). Another challenge is proper website disclosures and how visitor data is used and shared. OCR has issued guidance in this area that has earned a great deal of attention. But, it is likely to be a hard problem to solve since organizations will need to determine exactly what data they are collecting, using and storing. To help manage these issues they strongly argue for investing the time and effort in developing clear processes for responding to data requests. Then, monitor to ensure the policies are being followed. Take time also to understand what is in your designated record set and where it is stored. Then make sure your HIMS understands what qualifies as the designated record set. It’s time also to reassess how your organization is managing telehealth now that the public health emergency is ending. There will be decreased flexibility and increased emphasis on keeping these interactions on HIPAA-compliant platforms. When you do move onto one of these platforms, be sure to have a business associate agreement. When looking at technology, they advise compliance be a part of decisions related to the use of patient apps. Whether your organization is thinking of building its own or relying on a third party, it’s essential that the privacy requirements be a part of the discussion from the start. Listen in to a provocative conversation, but, be warned. It’s going to make you want to join them in person at the HCCA Compliance Institute, April 23-26 in Anaheim, and online April 24-26.
3/28/2023 - 16 minutes, 3 seconds

Michael Volkov on What We Learned in 2022 and What it Means for 2023 [Podcast]

By Adam Turteltaub A lot happened in compliance in 2022, with a large number of lessons for 2023. To sort it out we turned to Michael Volkov, of the Volkov Law Group and host of the Corruption, Crime & Compliance blog and podcast. In this Compliance Perspectives podcast he addresses several key pieces of learning for compliance teams.

FCPA: While 2022 may have started out slowly in terms of resolutions, the year ended on a busy note with several settlements and the revised corporate enforcement policy. One thing the DOJ made clear is that it is taking a sharp look at compensation policies to see if there are both incentives and disincentives for wrongdoing. The latter should include claw backs, deferred compensation and punishment for wrongdoing. Culture (more below) was also a keen area of focus and is likely to remain so. The perennial issue of third-party risk remains, as well. Where should compliance teams focus? The contract to invoice to payment stage of deals is where FCPA violations tend to occur. Also, be on the lookout for more major dispositions shortly.

Sanctions: Last year, he reports, was the year of the trade compliance officer. Complying with an ever-increasing and changing list of Russia-related sanctions kept teams busy day and night. The good news is that companies seem to be on top of things. The bad news is, he warns, that the Department of Justice has warned that this could be the new FCPA, with large fines for wrongdoing. He also warns that OFAC is a strict liability enforcer. Intent does not matter. As big an issue as this has been, there is often still too much of a separation between the trade compliance and main compliance groups. That will likely need to change, if it hasn’t already.

Culture: Culture has gotten the attention of the enforcement community with a particular focus on ethics. Done right, the culture can be the most effective corporate control an organization has. Done wrong, and it can cause not just problems, but liability for the organization. The DOJ is looking at culture closely and recent case law out of Delaware has extended the due care responsibility to senior leadership. To survive and thrive organizations, he believes, need to define their culture, attend and embed it, monitor, and intervene when they see deficiencies. Finally, the board and senior management need to be educated on the importance of the right culture. It’s not just about saying “do the right thing.” It’s about expectations and norms around the mission, how we treat each other and how we treat those outside the organization. Listen in to learn, including what he sees for the future of compliance programs.
3/23/2023 - 14 minutes, 43 seconds

Yolunda Dockett and Holly Hester on the Changing Telehealth Rules [Podcast]

By Adam Turteltaub Telehealth is here to stay, but that doesn’t mean the rules will all be staying the same, reports Holly Hester, Senior Director, Strategic Client Partnerships for Net Health and Yolunda Dockett (LinkedIn), Chief Compliance Officer at Anne Arundel Dermatology. While the Public Health Emergency is set to end on May 11, 2023, the Consolidated Appropriations Act of 2023 extended many telehealth flexibilities through the end of December 2024. These include the ability to provide telehealth to patients in their homes, in both rural and urban settings, and the ability of physical and occupational therapists, along with speech pathologists, to provide telehealth. Yet, there are inconsistencies, with some CPT codes used by rehab therapists set to expire at the end of 2023. Plus, some are being continued only for 151 days after the end of the emergency. One other change to expect centers on privacy requirements. While many platforms have been used to provide telehealth, soon only HIPAA-compliant platforms will be allowed. It’s a change that makes the provision of care less flexible and perhaps less friendly. Regardless, if your organization has not yet done a risk assessment about telehealth, now is the time. Leverage the relationships established in rolling out the service and then look collaboratively at the risks and start thinking about remediation techniques. Some other things to consider: understanding how to decide if a patient has the physical and mental capacity for telehealth; business and operational risks; privacy considerations, on both the provider and patient sides; reimbursement and billing; and documentation requirements. It’s a lot of work, but it helps to ensure that telehealth can be delivered in a compliant manner. Finally, don’t miss learning more at their session “Incorporating Telehealth into Your Compliance Workplan” at the 2023 HCCA Compliance Institute.
3/21/2023 - 15 minutes, 39 seconds

Thora Johnson and Mark Fox on De-Identification Under HIPAA and GDPR [Podcast]

By Adam Turteltaub These days it’s easy to identify people using technology and databases, and that’s a problem if you are trying to comply with HIPAA or even GDPR because a lot of sensitive data eventually needs to be de-identified in a proper manner. Thora Johnson (LinkedIn), Partner at Orrick and Mark Fox (LinkedIn), Privacy and Research Compliance Officer at the American College of Cardiology explain that there are two permissible methods of de-identification under HIPAA. Safe Harbor De-Identification is a process in which eighteen identifiers are removed. The second option is Expert Determination De-Identification, in which statistical principles are used to determine if there is low risk a person can be identified. It's not an easy process, either way. Information on the individual and family members likely needs to be removed. In addition many struggle with how to do de-identification right because the work is often done only periodically and not on a regular, frequent basis. One area of particular challenge is understanding the difference between de-identification and a limited data set. There are significant requirements with these limited data sets, too, including the need for a signed agreement with the data recipient and proper permissions to share the data. Adding to the complexity, under GDPR there are the concepts of anonymization and pseudo-anonymization to reckon with. What should you do? Listen in to understand the issues, and then plan on attending Thora and Mark’s session “It’s De-Identified, or Is It?” at the 2023 HCCA Compliance Institute.
3/16/2023 - 13 minutes, 44 seconds

Andre Paris on Brazil’s Data Protection Law [Podcast]

By Adam Turteltaub With one of the largest economies in the world and serving as the South American home for many global businesses, Brazil is a country for compliance teams to watch, and their laws are very much worth heeding. That includes the Brazilian General Data Protection Law (LGPD), which entered into force on September 18, 2020. As Andre Paris (LinkedIn), Professor and Privacy & Compliance Consultant explains in this podcast, the law contains 10 principles including: data should be processed only for specific, legitimate, explicit purposes; data quality needs to be maintained; companies must be transparent about how data is used; a security regime must be in place; and the data should not be used in a discriminatory manner. It is very similar to and consistent with the European General Data Protection Regulation (GDPR) and includes a number of rights for data subjects, such as access to personal data held by the organization, the ability to correct outdated and incorrect data, and the blocking or deletion of unnecessary data. The law applies to any data collected in Brazil, regardless of the citizenship of the individual. So how can compliance teams address the law’s requirements? He recommends several steps: secure the support of leadership; search for someone with privacy expertise to serve as the data protection officer; train the workforce on what is essential data; map your data; determine which law authorizes the processing of data; and identify any and all risks inherent in the organization’s operations. Listen in to learn more about how to ensure your organization is in compliance with Brazil’s LGPD.
3/14/2023 - 14 minutes, 43 seconds

Deb McCracken and Julie Wall on Patient Safety [Podcast]

By Adam Turteltaub Patient safety remains a challenge for organizations, and not for want of trying to address the problem. Improving it is an issue addressed here and at the 2023 HCCA Compliance Institute by Deb McCracken, Chief Risk Officer, and Julie Wall, Senior Vice President, Benefis Health System. Problems such as fall prevention remain, along with improper medication administration, misidentifying patients and preventing infections. They persist because, as healthcare and technology change, procedures may as well, leading to a departure from safe behavior. Adding to the challenge, often, is an unwillingness to speak up and raise issues. Many fear that they will be retaliated against if they point out potential problems. To better understand patient safety risk they recommend a close working relationship among compliance, quality and risk management. These three departments should help form a committee focused on patient safety that includes individuals skilled in capturing and coding root cause analyses. To close safety gaps effectively, they recommend looking to best practices and implementing them. Also use lessons learned from your organization and others across the industry. That begins with debriefing after an incident. They also recommend running simulations of real-life situations. These can help you be better prepared when an incident occurs. When you do, don’t forget about practicing for workplace violence scenarios. Listen in to learn more about how you can promote better patient safety practices. And, to learn even more, join us in Anaheim for the 2023 Compliance Institute.
3/9/2023 - 11 minutes, 41 seconds

Brittney McDonough on Finding Your Next Job [Podcast]

By Adam Turteltaub With seemingly constant news stories about layoffs, many are starting to wonder what they would do if they found themselves suddenly out of work and looking for their next compliance position. There are several ways to make the process go smoother, explains Brittney McDonough, partner at the recruiting firm Barker Gilmore. That starts with making the right decision of how much time to take off after a layoff. Many people, not surprisingly, are tempted to use their severance package to take a much-needed respite from work. Be careful, though, she advises. A job search can take three to six months, so taking six months off could lead to a year out of work. That doesn’t mean, though, you shouldn’t take advantage of this time. You should embrace it; just be sure to use it strategically, balancing recharging your batteries with a thoughtful approach to finding your next opportunity. When it comes to pursuing a job search, she recommends three key steps: Develop professional objectives. Think through what you want out of your next position:  What role do you desire? What level are you open to? What type of company? What size and industry? What do you want to make? Where do you want to live? Develop a marketing plan for yourself. Think about how you are going to sell yourself and end up on the radar of recruiters and prospective recruiters. Update your resume accordingly, and be sure that you have a current and accurate presence on LinkedIn.  Recruiters depend on it. Be intentional about how you network. Put together a list of contacts who could be helpful. Reach out to them and ask what they can recommend and who they can connect you with. Be sure to also offer to help them, too. Also pursue speaking and writing opportunities. They are a way to increase your contacts and open up more opportunities. What do you do when a prospective employer asks about the job that you lost or maybe still have? 
Be honest but don’t go into any more details than you need to. You want to keep the focus on the job you want, not the job you have or had. Listen in to learn more, and if you want to learn more about networking, here is a link to a book that was discussed in the podcast.
3/7/2023 - 23 minutes, 12 seconds

Elena Durante on Greenwashing [Podcast]

By Adam Turteltaub As environmental expectations keep rising and Environmental Social and Governance (ESG) metrics gain more importance to investors, some organizations will be tempted to greenwash, which is best described as making an environmental footprint look far better than it actually is. That’s a serious risk and one that will be addressed by Elena Durante, ESG Risk Audit Manager, ING Corporate Audit Services, Risk & Finance, at the SCCE European Compliance & Ethics Institute, which takes place in Amsterdam March 20-22. As she explains in this podcast, at its roots greenwashing is about misleading information supplied to investors and customers, taking advantage of the fact that these outsiders cannot fully tell if what the organization is saying is true. While greenwashing is still relatively unregulated, she tells us, that has started to change. In the EU there have been an increasing number of efforts to combat it. Plus, there is severe reputational damage to companies caught greenwashing. Compliance teams need to be on the lookout at their organizations to ensure the integrity of their organizations’ environmental statements. That starts with ensuring that the regulations that currently exist are followed. It also means keeping an eye out for new regulations. Compliance should also be working to develop and implement ESG protocols within the organization. These should identify clear rules and policies to ensure sufficient checks and balances are in place. A training element will also be needed to help the business people understand that environmental statements need to accurately reflect the organization’s actual activities, not just its aspirations. Listen in and then keep an eye out for greenwashing in your organization.
3/2/2023 - 14 minutes, 12 seconds

Andrew Walker on Self-Umpiring in Tennis [Podcast]

By Adam Turteltaub Andrew Walker is the US Tennis Association’s (USTA) director of education and training for officiating and chief umpire at the US Open. He was good enough to join our Sports, Compliance & Ethics Conference, where he revealed something surprising. With the USTA having over 13,000 sanctioned events a year, ranging from adults to juniors, the vast majority of matches are technically unofficiated. Roving umpires are available but move from court to court. They don’t sit in the chair and call each point. Players do and keep the score. That’s often true as well at the college level. It's not too different from how things work in the business world, with compliance officers not there to make every call for the business unit. How does this work? Part of the role of officials at entry level events, especially those with children, he explains, is not to act only as officials, but to act as educators as well. They are there to teach kids to officiate fairly, even if it means making a call against oneself. That’s not easy, human nature being what it is and with, these days, the ultra-competitive environment in youth sports. The officials seek to ingrain sportsmanship, which includes integrity, respect for your opponent and respect for the game. It also includes being a good winner and a good loser. What happens when there is a dispute? First, officials recognize that honest mistakes are possible. A player, especially a young one, running to make a shot may not see things accurately. Even competitive players can lose track of the score. But, when the calls are questionable, they will stay and watch the match for a while. And, if a player is repeatedly overruled in his or her calls, points and games can be taken away. The player may even default. Listen in to get both a new appreciation of the world of tennis and maybe pick up a few ideas about how you could encourage more self-umpiring at your organization.
2/28/2023 - 11 minutes, 30 seconds

Christopher Knight and Megan Grifa on Fraud and Compliance [Podcast]

By Adam Turteltaub Fraud and compliance issues often go hand in hand, which is why it’s important for fraud and compliance teams to work closely together. Christopher Knight (LinkedIn) of Knight Vision Fraud Investigations and Megan Grifa (LinkedIn), Senior Director, Compliance Oversight for Sidecar Health, will be addressing the fraud-compliance relationship at the 2023 HCCA Compliance Institute, taking place in Anaheim April 23-26. In this podcast they point out that communication and follow up are central to building successful connections between fraud and compliance. Each needs to let the other know what it is doing, what has been found and what is coming up next. Also of great value: setting up mechanisms to force yourselves to connect at a certain cadence to keep the lines of communication open. In addition, they advise taking the time to get to know each other on a personal level. That will help build the trust that is essential when addressing a crisis. Even during more normal times it’s essential to cooperate, aligning program structures and sharing risk assessments. Compliance teams can benefit from data mining and analytics tools that fraud has. Meantime, the fraud team can benefit from the seven elements approach used by compliance. Listen in and then plan on learning more at the 2023 Compliance Institute.
2/23/2023 - 14 minutes, 5 seconds

Steven Pegg on Ethical Leadership [Podcast]

By Adam Turteltaub Ethical leadership is about much more than being both ethical and a leader. It is also about the actions you take to encourage ethical behavior all around you. It’s the subject of this podcast and a talk that will be given in March at the SCCE European Compliance & Ethics Institute by Steven Pegg, Senior Ethics Officer, Europe, Middle East & Africa for Lockheed Martin. Ethical leadership comes with many challenges. Aggressive goals can cause executives to focus just on the task at hand and be tempted to cut corners. Studies have shown that positions of power can have an effect on behavior over time, leading to a loss of empathy, acts of disrespect, feelings of entitlement, selfish behavior and a tendency to think that the rules don’t apply to them. Not surprisingly, these factors can create a toxic culture. Smaller offices also face the challenge of developing a subculture that can be inimical to ethical conduct. Lacking the controls of larger locations, unethical behavior may be left unchecked. There is one other challenge to ethical leadership: a hesitance to talk about ethics. Some leaders, even virtuous ones, are uncomfortable discussing ethical issues. To overcome these challenges ethical leaders need to develop several skills. These include: Setting the tone. People model what their leaders do. If a leader is comfortable telling stories and discussing ethical issues, it’s far more likely the rest of the workforce will be as well. Act as a positive role model. They must be accountable for their actions and both talk the talk and walk the walk. They also must respond fairly to both positive and negative feedback. Know their limits. When leaders have exhausted their own skill sets, they need to be willing to reach out to others for guidance. How can executives exercise ethical leadership in a hybrid environment? Steven recommends being creative. Use technology when it is helpful, but look also to face-to-face, in-person interactions as well.
Setting up regular check-ins with the team can be particularly useful. At those meetings, encourage people to share their ideas on all the issues. It will make them feel more comfortable raising their hand, knowing they are in a safe environment. Also, remember that different cultures around the globe have their own unique ways of seeing things and behaving. Take the time to understand those differences and communicate sensitively. Finally, he discusses what to do when an employee comes forward with a concern. His central advice: listen, listen, listen. Listen in for more and then be sure to join him at the 2023 SCCE European Compliance & Ethics Institute.
2/21/2023 - 15 minutes, 22 seconds

Niurka Adorno-Davies and Scott Intner on the Compliance-General Counsel Relationship [Podcast]

By Adam Turteltaub At the 2023 HCCA Compliance Institute, which takes place April 23-26 in Anaheim (and in a virtual format April 24-26), Niurka Adorno-Davies, AVP Compliance, Molina Healthcare, and Scott Intner, Chief Compliance Officer, GW Medical Faculty Associates, will be leading the session “Swimming with Sharks: A Compliance Officer’s Guide on Working with Legal Counsel.” Their session, and this podcast, will examine some of the friction points in the Compliance-GC relationship and how to make things go smoother. There are a number of causes of stress in the relationship, they explain. A GC controlling access to the board and senior leadership is one of them. Having legal as the gatekeeper can be detrimental to the relationship and the effectiveness of the compliance program. Another cause for stress is overlapping responsibilities. If legal and compliance are unsure where one ends and the other begins, the lack of clarity can lead to turf battles or issues falling between the cracks. To make the relationship a positive one they recommend beginning with respect for each other’s role. Second, compliance should be sure to give legal a seat at the table as soon as a potential issue is identified. Having them as a part of the team early can yield multiple benefits. Also, don’t overstep your role and start giving legal advice. That’s for them to do. To protect privilege, be prudent when confronted with an issue that may lead to litigation or a settlement conversation with the government. Bring in the GC’s office, or if your organization doesn’t have one, reach out to outside counsel. Outside counsel may also be helpful if the investigation is likely to involve senior leadership or delves into an area of specialized expertise that in-house counsel lacks. Finally, be sure to share information both ways, understand each other’s roles and embrace a commitment to respect. Listen in, and be sure to check out their session at the Compliance Institute.
2/16/2023 - 12 minutes, 5 seconds

Christian Hunt on Escalators in Japan [Podcast]

By Adam Turteltaub So what do escalators in Japan have to do with compliance and ethics? As Christian Hunt found, quite a lot. In this podcast the author of Humanizing Rules and founder of the consultancy Human Risk shares an interesting tale. A community outside of Tokyo found that the rate of injuries on escalators to and from train platforms had grown alarmingly high. The culprit was a tendency of some people to walk or run on the escalator, rather than just stand there. They ended up jostling other passengers, many of whom were older. This led to several injuries. To combat the problem a campaign was launched requiring people to stand on the escalators. Signs were posted telling people that hurrying up or down the escalator was prohibited. There was no rigid enforcement, just a reliance on people’s goodwill. At first there was near universal compliance. People saw that no one else was running or walking on the escalators, which provided social proof that standing was the only acceptable behavior. Also, with so many people just standing, it was more difficult to get by them all, effectively forcing people to stand where they were. Not surprisingly, injury rates plummeted. Over time, though, compliance rates dropped. For some, resisting the urge to hurry and not be late was just too strong, but, happily, injury rates remained far lower than their peak. As Christian explains, this case of what he calls “compliance in the wild” – something compliance-related we see in everyday life that we can learn from – provided several lessons for compliance teams: maintaining 100% compliance is extremely difficult for long periods of time; even less than 100% compliance can be a big win; and battling human urges (including simply feeling you are late) is extremely challenging. He also provides a warning that, when seeking to influence human behavior one must be mindful of not annoying them any more than you need to. If you go too far, it may well provoke bad behavior elsewhere.
Listen in, but maybe not while riding an escalator.
2/14/2023 | 12 minutes, 3 seconds

Veronique Roedolf on a Four Cluster Compliance Program [Podcast]

By Adam Turteltaub

Veronique Roedolf, the Brussels-based Chief Compliance Officer at Solvay, was focused on developing and enhancing the compliance program. As she shares in this podcast, the company evolved their efforts and developed what they call a “Four Cluster Compliance Program.” The clusters are:

- Protecting a Culture of Integrity: A culture of integrity, as they defined it internally, is about not just following the law but also acting with integrity according to the organization’s values.
- Building a Strong Speak-Up Culture: Here they sought to raise the bar, overcome regional differences and help everyone understand that speaking up is not a negative thing. When done in good faith it enables the culture of integrity.
- Increasing Third Party Oversight: These days every organization is only as strong as its weakest third party. Due diligence was expanded to include human rights and environmental issues.
- Addressing and Mitigating Risk: Compliance and risk management are very much connected. The goal was to detect and address a broader spectrum of risk in an early stage.

Overall the focus is on prevention, which goes hand in hand with being more efficient and effective as a compliance program. To achieve their goals they worked to become more embedded in and supportive of the business. They secured management commitment by involving leadership from the start. They also made sure there were opportunities for feedback and to have an impact. To launch and sustain the program the compliance team developed a strategic communication plan with consistent and repeated messaging around two key communication points:

- Acting with integrity in everything we do
- Thank you for protecting our culture of integrity at Solvay

Listen in to learn more about the development and implementation of the Solvay Four Cluster Compliance Program.
2/9/2023 | 13 minutes, 17 seconds

Rebekuh Eley and Rick Kes on ESG and Healthcare [Podcast]

By Adam Turteltaub

ESG, or Environmental Social and Governance efforts, may not be a mandate quite yet for healthcare providers, but already there are heavy demands for ESG-related information from regulators, the public and bondholders. As organizations pull together the data they need to report, say Rebekuh Eley and Rick Kes of RSM, it’s important to make sure that you have a thoughtful process behind it so that the data is accurate, consistent and complete. The last thing an organization wants is to have faulty data. At the same time, many organizations only scratch the surface of what they can take credit for in terms of increasing health equity for the communities they serve or improving their environmental footprint. That information can be helpful in meeting federal tax compliance requirements. While some may see ESG as something new and different, they note that community health is squarely under the S (Social) aspect of ESG. Keeping a good score on your ESG efforts can help demonstrate that your organization is meeting its obligations to the community and 501(r) requirements. It can also earn you credit for your environmental and governance efforts, including the number of community members who are on your board. Listen in to learn more about ESG and its role in healthcare.
2/7/2023 | 15 minutes, 8 seconds

Keith Read on Approaching Compliance Differently [Podcast]

By Adam Turteltaub

London-based Keith Read (LinkedIn) is a longtime member of the compliance community and author of the book The Unconventional Compliance Officer: Doing Things Differently. He laments the fact that compliance officers spend their time “pushing”, as he describes it: pushing training, reminders, policies and so forth. That, he believes, leads to compliance fatigue and pushback. Instead, he is an advocate for creating pull, where employees don’t see compliance as a chore but as an asset. In this podcast he outlines several intriguing practices he has used throughout the year to stimulate pull:

- A compliance passport system to provide a more formal and valuable certification for employees of their achievement in meeting their compliance training requirements
- A competition to identify compliance and ethics issues, which exposed some genuinely real issues
- Creating “licensed professionals”. For example, by completing compliance training you are then licensed to perform your job. This helped identify gaps and tighten up the procurement process.
- Instead of just auditing third parties, providing them with a grade, similar to what is often done for health and safety ratings at restaurants. Vendors came to use good ratings as a badge of pride internally and to help them win additional business

Listen in to learn more about these ideas and others that could stimulate new ways to think about your compliance and ethics program.
2/2/2023 | 14 minutes, 38 seconds

Radha Inguva on Speaker Programs [Podcast]

By Adam Turteltaub

Pharmaceutical and medical device companies use a number of methods to market their products. Among them, speaker programs get the most attention, often for all the wrong reasons. As Radha Inguva (LinkedIn), Director of Compliance, The CM Group, explains in this podcast, while these programs are designed to educate the medical community they often lead to wrongdoing, with “educational sessions” held at wine tastings, lavish dinners and even Hooters. To avoid problems, she and others are advocates for what is known as the optics test: basically, asking how a program would look, sound and feel to others. If it doesn’t seem right, it probably isn’t. From a practical perspective, she advises looking at all aspects of the program. Are the menu selections appropriate? Is alcohol served (which it shouldn’t be)? Is there an appropriate amount of educational content? Is the venue consistent with learning? Are there some doctors attending the same program again and again for no apparent reason other than the free lunch? Are the speakers being paid an appropriate honorarium? Then, after a program concludes, spend time making sure that it makes sense from both a business and optics perspective. It isn’t just pharma and medical device companies that need to look at the optics. Health care providers are looking at them, too, with some creating blacklists of restaurants that they will not allow people to visit for presentations. Listen in to learn more about what makes for a speaker program that’s safe to listen to.
1/31/2023 | 11 minutes, 43 seconds

Anitha Vittal on Compliance Program in a Startup Environment at Providence India [Podcast]

By Adam Turteltaub

Providence is a US-based healthcare system with over 165 years of history behind it. But the Providence Global Center in India started just in 2020. It was founded as an engineering and operations hub and has a startup culture. Anitha Vittal, Head, Risk and Compliance, was charged with getting the program off the ground. To get things started she first spent time talking with staff. Happily, she learned that attitudes towards compliance were very positive. While each person may have had a different definition of compliance, there was an eagerness for guidance and, for some, to have others responsible for managing the many legal and regulatory requirements. After considering how to make the program effective and relevant, she ultimately decided to leverage the start-up culture and position compliance differently. Instead of speaking of it as a control, she positioned it as a way to make each endeavor successful. This approach includes three key elements:

- Each new hire, as part of their two-day orientation, is given a thirty-minute introduction to the compliance program featuring an engaging story-telling approach
- A compliance champions network
- Encouraging a speak-up culture

In addition, the risk assessment results were characterized in a new way, with each area labeled either “asking for help”, “may need help in the future”, or “no help needed”. Using this nomenclature, she found, was much more successful at providing dimension to risk areas. Looking to the future, 2023 plans include embedding compliance into the organization’s DNA, exploring opportunities for insourcing resources, and leveraging technology to enhance productivity and bring efficiencies. Listen in to learn more about what she and Providence are doing.
1/26/2023 | 11 minutes, 16 seconds

Stephen Paskoff on The Speak Out Act [Podcast]

By Adam Turteltaub

On December 7, 2022 The Speak Out Act became law. Stephen Paskoff, the President and CEO of ELI, explains that the law was spurred by the #MeToo movement and the Non-Disclosure Agreements (NDAs) that limited recourse available for victims. It was designed to make it easier for victims to come forward, and harder for improper behavior to remain hidden. The new law limits the ability of employers to include NDAs when it comes to sexual assault and harassment. Specifically, it states:

“With respect to a sexual assault dispute or sexual harassment dispute, no nondisclosure clause or nondisparagement clause agreed to before the dispute arises shall be judicially enforceable in instances in which conduct is alleged to have violated Federal, Tribal, or State law.”

As a result of the law, compliance teams, no doubt working closely with HR and the general counsel’s office, will need to work to ensure that NDAs for sexual assault and harassment are no longer used internally or even externally with vendors. Existing agreements will need to be reviewed as well. Organizations will also need to recognize that the balance has shifted, making it easier for employees to air grievances publicly. To get ahead of this issue, they will need to take several steps that they likely should have already, including stressing standards and the value of respect. Training to prevent the bad behavior in the first place will be even more important, as will be good controls to catch it quickly when it happens. Listen in to learn more about what The Speak Out Act means for your compliance program.
1/24/2023 | 10 minutes, 49 seconds

Stuart Pardau on ESG and Compliance [Podcast]

By Adam Turteltaub

Perhaps the biggest non-Covid change in the corporate landscape over the last few years has been the growth of the Environmental Social and Governance (ESG) movement and its call to measure business on more than P&L statements. While some consider it a passing phase, Stuart Pardau, Associate Professor of Business Law, Professional Practice at Miami Herbert Business School at the University of Miami, thinks it is here to stay. As proof he points out that BlackRock, Vanguard and State Street, with a combined $20 trillion in assets, have stated their commitment to making investment decisions informed by ESG considerations. He also notes that the SEC has proposed new rules to standardize climate-related disclosures. On the corporate side, bonuses are increasingly tied to ESG metrics, and annual reports are featuring ever more language on the topic. Organizations are also more willing to take a stand on social issues. With this revolution, though, have come new risks, he notes. Greenwashing, that is, making marginal or fraudulent environmental claims, has grown to be a serious issue with the potential for reputational damage. With this and other risks have come new challenges for compliance programs. Compliance teams need to help in the assessment of which ESG risks are greatest for their organization. In addition, they must keep in mind that not all of these risks come from aspiring to be a better organization. Some, whether around environmental, forced labor, or other issues, already have laws behind them. There is also an internal risk around corporate culture. If there is a gap between the professed values and the everyday actions, the chances of a public and embarrassing failure are great. Listen in to learn more about where ESG is going and the role of compliance along the way.
1/19/2023 | 15 minutes, 13 seconds

Kayne McGladrey on What Businesses other than Banks Need to Know about Gramm-Leach-Bliley [Podcast]

By Adam Turteltaub

The Gramm-Leach-Bliley Act (GLBA) is typically referred to in the context of financial institutions. It requires offerers of consumer financial products to explain how they share information and protect sensitive data. It’s not, however, only banks that fall under GLBA’s umbrella. New rules will affect retailers offering credit terms to their customers, higher education institutions that administer federal student aid and others as well, explains Kayne McGladrey, Field CISO for Hyperproof. The FTC has set June 2023 as the deadline for compliance with the revised GLBA Safeguards Rule. It requires that affected organizations:

- Have a qualified individual to implement and enforce an information security plan
- Conduct a periodic cybersecurity risk assessment
- Implement cybersecurity controls to manage those risks
- Document who has access to customer data
- Assess the risks of applications that can access the data
- Securely destroy old data
- Periodically test the controls to verify their effectiveness

In addition, staff needs to be trained, and there must be a written incident response plan and ongoing testing. It is a considerable commitment, Kayne points out, but since it overlaps with the requirements of the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), many organizations may already have significant structures in place. Even so, it’s important to conduct a gap analysis, he advises, to ensure all the requirements are being met. Listen in to learn more about what Gramm-Leach-Bliley now requires for your organization.
1/17/2023 | 14 minutes, 57 seconds

Matt Kelly on the Big Stories in Compliance in 2022 [Podcast]

By Adam Turteltaub

Last year was an eventful one for the world and the compliance profession. In this podcast, Matt Kelly, Editor and CEO of Radical Compliance, looks back at what he sees as the biggest events, and looks into the future. The conversation begins with the impact of the war in Ukraine. He observes that the increasing number of sanctions of Russian individuals and entities, as well as the variations from country to country, have forced companies to improve their sanctions compliance efforts. The sanctions have also complicated procurement, forcing organizations to review their suppliers more carefully to avoid sanctions issues. With the war has also come a host of ethical considerations. Organizations have had to decide what to do with their Russian operations and the people that work at them. Also on the international front, 2023 brought increased cooperation among prosecutors, with a rising number of anti-corruption enforcement actions combining the resources of prosecutors in multiple countries. ABB, Glencore and Danske Bank are three notable examples. This activity comes at the same time as Europe continues to lead the world in privacy and data protection requirements. Looking domestically, he points to statements by Lisa Monaco at the Department of Justice and the push to require certification of the effectiveness of the compliance program by the CEO and chief compliance officer. This could be a dramatic shift for compliance programs. On the one hand, it could create stronger ties between the CEO and compliance, Matt observes. On the other hand, compliance officers would see greater personal risk, especially given the real likelihood that, despite a strong program, wrongdoing may occur. Whether certification truly becomes established practice, though, has yet to be seen. Thus far it has only been imposed in the context of recently signed DPAs. As a result, certification will come in three years, if at all. He notes that a change in Administration could see a reversal of the policy. What does he see in 2023? For one, a need for compliance teams to improve their ability to access and analyze data. The US Department of Justice has made it clear that it expects organizations to have robust compliance data analytics processes. Second, he sees increased data protection enforcement actions, both abroad and in the US. Listen in to learn more about what happened and what to expect for your compliance program in the year to come.
1/12/2023 | 15 minutes, 53 seconds

Beth Kastner and Shannon DeBra on Patient Steering and Charting [Podcast]

By Adam Turteltaub

It’s critical for patients leaving the hospital for a post acute care (PAC) provider that the handoff be conducted well. Some facilities will be better suited to the patient’s needs than others, which is why the process needs to be handled properly, with discharge planners making recommendations based on patient need, rather than the financial interests of the hospital or PAC. Unfortunately, explain Beth Kastner, Member, and Shannon DeBra, Senior Counsel, at Epstein Becker & Green, that’s not always the case. Patient steering and charting can take place, with bad outcomes for everyone involved. While there is no official definition of patient steering, it has been informally defined as the practice of directing patients and/or their caregivers to PAC providers that do not align with the patient’s goals of care and treatment plan. It can also be defined as inappropriately influencing the patient and/or caregiver. Traditionally this occurs when the hospital, or its discharge planner, has been remunerated in some way by the PAC. As recent cases have shown, that could come in the form of gift cards, massages or even a free cruise. It might also be delivered as staffing for the hospital paid for by the PAC. Whatever the form, it’s improper and could lead to a very large settlement and termination of the Medicare provider agreement. Patient charting is a scheme in which a PAC is given access to patient data to identify patients for referral to their facility. It’s a practice that holds multiple risks, including anti-kickback and privacy. So how can a hospital stay ahead of this risk? First, train the staff that remuneration comes in many forms and carries substantial risks. Second, reinforce that discharge planning must be done in the best interest of the patient. Third, watch carefully, including ensuring that all arrangements are in writing and reviewed by legal or compliance before signing. Listen in to learn more about the issue and the do’s and don’ts of preventing patient steering and charting.
1/10/2023 | 14 minutes, 33 seconds

Erin Bliss on The Telehealth Risk Report [Podcast]

By Adam Turteltaub

In December 2020 the Pandemic Response Accountability Committee (PRAC) issued the report: Insights on Telehealth Use and Program Integrity Risks Across Selected Health Care Programs During the Pandemic. To better understand the PRAC and the report, we spoke with Erin Bliss, Assistant Inspector General for Evaluation and Inspections at the Office of Inspector General for the Department of Health & Human Services. As she explains in this podcast, the PRAC was formed as an outcome of the CARES Act. Its mission is to promote transparency and coordinate oversight of the federal coronavirus response; prevent and detect fraud, waste, misuse and mismanagement; and identify risks across agencies. The Offices of Inspector General from HHS, Justice, Veterans Affairs, Defense, Labor and Office of Personnel Management are all PRAC members. The report revealed how great an increase there was in telehealth. In the first year of the pandemic, telehealth usage increased from roughly 3 million people across six federal programs to 37 million. This change was largely the result of an expansion of the Medicare rules, which previously had limited telehealth to rural communities during in-office visits. While few today dispute the value of telehealth, that does not mean its use has come without challenges. More data, the report notes, is still needed for oversight of telehealth’s use and impact, particularly on quality of care. In addition, data collection policies need to be improved since many providers have kept only rudimentary information. At the same time, the report identified activity that indicated waste, fraud and abuse. These included billing the same service twice, billing for extremely high amounts of telehealth services, billing for services that did not seem appropriate for telehealth, and billing at the highest, most expensive level. If there is good news in these findings, it is that the risks are ones already familiar to healthcare providers. Established risk management and compliance tools will likely be useful. Listen in to learn more about what the report revealed and what steps you can take, including active monitoring, to ensure the integrity of your organization’s telehealth services.
1/5/2023 | 13 minutes, 56 seconds

Jochen Vankerckhoven on Audience-Driven Compliance [Podcast]

By Adam Turteltaub

Compliance programs start with the laws and regulations, but compliance failures begin with people. That’s why, argues Jochen Vankerckhoven (LinkedIn), founder of Antwerp-based Compliance Explained, it is essential to take an audience-driven view of compliance programs. What that means in practice is designing and implementing a program that is suited for the people who are the intended audience. It also means valuing your audience and realizing it is one of the main pillars of a successful program. Think, he advises, of your compliance program as having two parts: a front and a back end. The front end is what the workforce sees. Then consider what the right message is and the right time to deliver it so it has the most meaning to your audience. Be reasonable with your communication goals. Strive not for a deep understanding of a topic but for awareness of an issue and where to go to get help. On the back end, have the right controls in place and recognize that it is better to prevent a problem in the first place than to rely on those controls. Listen in to learn more about this unconventional approach to thinking of compliance programs.
1/3/2023 | 11 minutes, 40 seconds

Jessenia Cornejo and Brittani Summers on Auditing & Monitoring [Podcast]

By Adam Turteltaub

Auditing and monitoring is a required element for an effective compliance program, but it also carries with it a host of benefits. In this podcast, Jessenia Cornejo (LinkedIn), Chief Compliance Officer for Bridge Diagnostics, and Brittani Summers, Compliance Manager for Sprinter Health, outline all you can get from a robust auditing and monitoring program and how to create one. Benefits of a strong auditing and monitoring program include:

- Measuring the effectiveness of your compliance program
- Identifying criminal or malicious conduct
- Highlighting risk areas
- Accountability
- Transparency
- Continuous improvement (which the government is looking for these days)
- Greater collaboration with other departments

In addition to all these benefits, a strong program in this area can pay enormous dividends when a regulator or the Department of Justice comes knocking at your door. When launching an auditing and monitoring initiative they recommend putting a work plan in place. It will enable you to manage the implementation to your goals and objectives. Be sure to include scheduling, they advise. It will help you stay on track. Then share the plan with leadership or the compliance committee. That will help ensure buy-in, identify constraints and risks, and help you get any additional resources you may need. They also offer one simple, but important, piece of advice: don’t try and do everything all at once. Don’t wait until everything is in place before beginning. Instead, focus on the top risks as soon as you can. Likewise, don’t try and audit everything all at once. It can be better to tackle one item at a time. Listen in and learn more about how to make your auditing and monitoring program a success.
12/22/2022 | 15 minutes, 31 seconds

Haydee Olinger on When a Compliance Officer Becomes a Board Member [Podcast]

By Adam Turteltaub

With increased focus on the board’s oversight of compliance programs by the US Department of Justice and the Delaware Courts, there is a strong case for adding compliance officers to boards of directors, and many compliance professionals have the skills. Few, though, have been able to make the leap. Haydee Olinger (LinkedIn), Sr. Advisor at Barker Gilmore, and former longtime chief compliance officer at McDonald’s, is one of the few who have. She has now served on the board of two publicly-traded companies. How did she do it? She was able to find her way onto the first board through a combination of networking, and by virtue of the fact that she had such deep experience in the quick serve restaurant category. Her journey is a good reminder to compliance professionals that your position doesn’t just mean you have expertise in compliance. You also have expertise in the industry in which you work. The compliance role gives you insight into all the various aspects of the business. It’s an asset not to be downplayed when pursuing board positions. Despite having worked with boards as a compliance officer, she reports that serving as a board member greeted her with many surprises. For one, board members don’t have the opportunity to settle in and learn the business. They have to hit the ground running and address a wide range of issues, which these days include the lingering impact of covid, supply chain challenges, inflation, labor shortages, IT security and, of course, compliance. Second, as a board member you have to reorient your thinking away from that of an executive whose job it is to get things done to a role of strategy and oversight. That means as a board member you need to stay out of the weeds. One implication for compliance officers meeting with the board: don’t bog it down in detail. Instead focus on corporate risks, their likelihood of occurrence and what is being done to mitigate them. While in the meeting, listen carefully to board questions to anticipate what they will need for future meetings. Between meetings, build a relationship with the relevant committee chair, board chair and even individual board members. The more interactions you have with them, the easier it will be to anticipate what they will want to know. Listen in to learn more, and, perhaps, start thinking about how you can make the leap to board membership.
12/20/2022 | 11 minutes, 11 seconds

Matt Nobles on Working Abroad [Podcast]

By Adam Turteltaub

A lot of people, myself included, have wondered what it would be like to live and work abroad. Matt Nobles, Chief Compliance Officer – Middle East & Africa for GE Gas Power, has lived the life, even as a child. As he shares in this podcast he spent his childhood as an expatriate kid living in Southeast Asia, and for many years now he has lived in Dubai. It’s a life he has enjoyed greatly, meeting people from all over the world, and experiencing a wide range of cultures, food, music and art. It has also enabled him to expand his network and count friends all over the world. His family has benefitted too, with his children enjoying an experience they would not otherwise have had. In terms of one’s career, time spent in another country can have many benefits. A short-term assignment in a difficult region could lead to promotions when returning home. Alternatively, one assignment abroad could lead to another and another, and a life of living all over the world. So what should you do if you have the desire to live and work abroad? First, he recommends considering the unique aspects of the region you are contemplating, the cost of being far away from family and the opportunities in that region versus others. When you get to your new posting, he recommends spending the first 90 days listening as much as possible. Connect with your local team, learn their compliance challenges and the local dynamics. These include cultural, geopolitical, and legal factors. Next dig into legacy issues to understand what has gone wrong in the past, and how it has been fixed, or still needs to be. On the personal side, the first thing, of course, is getting yourself and family settled in. Then build out a local community for yourself to make the experience more enjoyable for you and your family. Be sure to take advantage of local experiences. Expat blogs and even books can be very helpful in helping you understand the region and the local mindset. One mistake to avoid, he warns, is trying to focus on the American or Western way of doing things. Don’t go charging in with a fixed view. Instead, listen carefully to learn how things are done locally. Listen in to learn more, and then, maybe, start packing your bags.
12/15/2022 | 9 minutes, 44 seconds

Troy Fine on Data Security Standards Audits [Podcast]

By Adam Turteltaub

With enhanced concerns and vigilance over cybersecurity has come an increasing number of yardsticks that organizations must measure themselves against. As Troy Fine, Director, Risk and Compliance at Drata, explains, in addition to legal requirements such as the European General Data Protection Regulation (GDPR), HIPAA and the California Consumer Privacy Act (CCPA), two key standards have emerged:

- SOC2: This standard was developed by the accounting body ISACA and is primarily of import to US-based technology companies and startups. Audits are performed by CPA firms on internal controls related to security
- ISO27001: More popular in Europe, it is a certification on information security management systems, examining how risks are identified and mediated and what control plans are in place

To prepare for an audit he recommends first getting a good understanding of the relevant standard so you understand all the elements it requires and what it will take to meet those requirements. Next determine when you will need the certification in hand and start building a timeline backwards to determine when you need to start. Calculate, too, what it will cost in terms of time, people and everything else, including the price of the audit. How you work with the auditor will depend largely on which audit you pursue. He explains that SOC2 audits allow for more consultation than ISO27001 does. When hiring an auditor, it can be tempting to use the one with the lowest price. He recommends, though, being careful before going down that route since the auditor is likely to have less time to give. Be sure also to ensure that the auditor has the necessary expertise to be able to evaluate your technology. Some may not be as well versed on various elements, including cloud services, as they should. Once the audit begins, compliance teams can be helpful by ensuring that all the data and people the auditor needs are available. And, he advises, be transparent, even about your gaps. Listen in to learn more about having a successful data security standard audit.
12/13/2022 | 14 minutes, 55 seconds

Nick Weil and Mayesha Awal on Data Inventories [Podcast]

By Adam Turteltaub

Personal data, especially in healthcare, seems to breed on its own, which is why, like the dinosaurs in Jurassic Park, it’s critical to keep close tabs on where it is and how it is used. First stop: a data inventory. Nick Weil and Mayesha Awal (LinkedIn) of Epsilon Life Sciences explain that a data inventory is necessary because often organizations don’t have a strong handle on their data. You need to take a noun and verb approach, they explain. The noun addresses where the data is: what computers, servers and file cabinets it is stored in. The verb speaks to what is being done with the data. What are the processing activities? What functions are accessing the data? It’s good information to have for its own sake, but under data protection regimes ranging from GDPR in Europe to HIPAA in the US, it is essential. It is also a project that is often filled with surprises. Compliance teams conducting an inventory may discover a wide range and types of data processing activities. These can include GPS information, payment card method, biometrics and much more. Plus, of course, there are the number of ways that vendors may be using the data, and what information may be in the Zoom call that just got recorded. Listen in to learn more about how to uncover and manage the data in your organization’s inventory.
12/8/2022 | 13 minutes, 52 seconds

Richard Bistrong on the Line Between Gift Giving and Bribery [Podcast]

By Adam Turteltaub

The holidays are here, and with them come good tidings of comfort and joy, and increased corruption risk. Holiday gifts, both given and received, can lead to serious compliance challenges. In this podcast Richard Bistrong of Front-Line Anti-Bribery warns that 2022 may be particularly difficult. For many this will be the first time in several years that they have had the opportunity to connect face to face with customers and vendors. There may be a desire to make up for lost time, and the rules of the road for giving may have been forgotten. Some may even be tempted to dip into their own pocket to keep the gift off the books. Complicating matters, it’s difficult to find a rule of thumb for gift giving that reflects all the various nuances from culture to culture around the globe. However, employees can learn to look to the code of conduct, reach out to managers and contact compliance to ensure that they are staying between the guardrails. It’s important that workers know that the rules apply to gifts given to government officials and also to employees at other companies. Commercial bribery is a real risk, and a gift that may be perceived as creating an obligation of some sort is not appropriate. Even charitable giving may be problematic. Although it is part and parcel of the regular giving of many industries, it’s important to ensure that the funds are being used appropriately and that the charity is not tied closely with a government official. In general, organizations need to embrace reasonable and transparent gift giving. To that end, a gift registry can be extremely helpful, tracking both what is given and received, as well as any gift giving plans. Finally, don’t forget to train employees on what gifts they can accept, and to warn them that it’s easy, as Richard learned, for a seemingly innocent gift to lead them down a dangerous path.
12/6/2022 | 12 minutes, 46 seconds

Harsh Kariwala on Compliance Automation [Podcast]

By Adam Turteltaub

Harsh Kariwala, CEO of VComply, warns that traditional tools for managing compliance programs, such as spreadsheets, may be hurting your compliance program. They often are not scalable and can lead to inefficiencies and unnecessary complexities. Automating your compliance program can be a natural choice, but organizations may resist doing so out of budgetary concerns or mindset. Budget is typically of greatest concern for smaller organizations, which have less to spend and are eager to build or sustain their cultures. If your organization is ready for automation, he recommends identifying the tools and technology that you would want, followed by defining what process you want to start with. Take a phased approach to automation rather than trying to do everything at once. Pick one area to start, and analyze what is going right and wrong in the process. This will give you a better sense of the tools you will need and challenges you face. Measure success by the value it provides to the end user in areas such as time saved versus manual projects and potential penalties that are avoided. Finally, he advises avoiding the mistake of trying to do everything at once. So, take the first steps now, and listen to the podcast, but not all the podcasts.
12/1/2022 | 8 minutes, 35 seconds

Betsy Wade on the Strategic Side of Compliance Budgets [Podcast]

By Adam Turteltaub

A compliance budget is a lot more than the numbers in it, explains Betsy Wade (LinkedIn), Chief Compliance & Ethics Officer at Signature Healthcare. It should be a reflection of the organization’s priorities and risk profile. The budget is also a point of focus of the US Department of Justice when examining a compliance program during an investigation. Their Evaluation of Corporate Compliance Program guidance for prosecutors asks not only if there are sufficient resources but if they are allocated on a “risk-tailored” basis. So, what is the right budget to have? To determine that answer she recommends compliance teams do a risk assessment and determine what mitigation efforts will be needed. In addition, benchmark against other organizations to learn what they are spending and doing. Just try to make sure that you do so against as similar a business as possible. Look also to publicly available resources such as benchmarking surveys from HCCA and SCCE. Keep your eye out, too, for what regulators and enforcement authorities are saying. US Assistant Attorney General Kenneth A. Polite, Jr., she reports, recently called for compliance FTE for every thousand employees. The compliance budget should include the cost for all those compliance personnel. Also in the budget should be any travel, certification costs of staff members, staff training, services purchased, and more. To win management approval, she recommends continued analysis of the budget and making adjustments. She also advises using the risk assessment as a tool to support the compliance team’s budget request. Listen in. Doing so won’t add a penny to your budget.
11/29/2022 | 11 minutes, 16 seconds

Felipe Sottorff Araya on Corporate Criminal Liability in South America [Podcast]

By Adam Turteltaub

Go back roughly twenty years and you wouldn’t find a country in South America that had corporate criminal liability laws. Today, though, the picture has changed dramatically. Felipe Sottorff Araya (LinkedIn), a compliance consultant from Chile who recently moved to the US, reveals that half of the countries now have corporate criminal liability statutes, the latest being Colombia. That doesn’t mean they all have the same laws. There are significant differences among the countries when it comes to triggers for corporate criminal liability. Some have adopted broad rules; others have taken a narrow route. There are common elements, however. Bribery is treated as a corporate liability trigger throughout. In addition, the crime has to be committed to benefit the company. Another common element: expectations for compliance programs. Each country follows the seven elements approach found throughout the world. Listen in to learn more about the changing landscape of corporate criminal liability and also learn where organizations are most likely to fall short in their compliance efforts.
11/22/2022 | 8 minutes, 45 seconds

Deena King on Avoiding a Compliance Winchester House [Podcast]

By Adam Turteltaub

The Winchester Mystery House is both an unusual tourist destination and a good metaphor, as it turns out. Built by an eccentric heiress who never stopped making changes and additions to it, the home is filled with dead-end passages and stairs that lead nowhere, a result of the constant building. Ultimately it grew to 24,000 square feet, 10,000 windows and 2,000 doors. In this podcast, Deena King, author of Compliance in One Page and a working compliance professional, tips her hat to Andrew Nebbett of Ethisphere and the warning to avoid creating a Winchester House of a compliance program. Too often compliance programs have one piece after another built onto them as they grow to accommodate more risk areas and parts of the organization. Worse, sometimes those pieces operate independently, leading to redundant efforts and a lack of cross pollination of ideas. To avoid this chaotic mishmash, she advises pursuing what she calls “strategic compliance”. Instead of focusing on the seven elements of the program, focus on the ultimate goal: to prevent, find and fix problems. Then treat the elements as a means, not an end. Develop a strategic model, she advises, and then push it out through the organization. It helps prevent additions that are separate from the main program and don’t really fit with it. Set up, too, a network for your compliance teams to communicate with each other, share insights and avoid learning dead ends. Listen in to learn more, and let us know if you’ve been to the Winchester Mystery House.
11/17/2022 | 12 minutes, 3 seconds

Alan Wilemon on Doubt Mining [Podcast]

By Adam Turteltaub

The compliance team has a new initiative, or you need to tell the business unit that, if it wants to get into a new line of business, a list of compliance requirements needs to be implemented. Even if there is no overt pushback, there may be some very severe reservations. Doubt mining, explains Alan Wilemon (LinkedIn), Head of Privacy at Stellar Health, is about getting people to give feedback about what they are nervous about and what they feel will not work in a project. Put another way, it’s about searching for why they have doubts about the project and whether a goal can be achieved on schedule. So how do you mine those doubts and identify where the risks are? First, create a safe environment and invite them to speak up. Reach out to project stakeholders first. Then, secondarily, talk to any people who have been spoken for in the meeting. If people are “volunteered” to be a part of the project, talk to them as well. Also, avoid asking for questions or concerns only at the end of the meeting. At that point many people are eager to leave and won’t say or want to hear anything. And even if people do want to discuss the issue, you will quickly run out of time. Instead, invite comments earlier and ask them questions such as “Do you think we are being too aggressive?” You need to be the first to admit that there may be issues and the plan could be improved. Listen in to learn more, and then become a doubt miner.
11/15/2022 | 11 minutes, 47 seconds

Roxanne Petraeus on Compliance During Layoffs [Podcast]

By Adam Turteltaub

Whether you call it a layoff or a reduction in force (RIF), it’s a stressful time for the organization and the people who work there. Research shows that people under stress don’t make the best decisions, which could raise compliance risk. Plus, it is always feared that some may make retaliation claims in order to preserve their jobs. Roxanne Petraeus, co-founder and CEO of workplace compliance training company Ethena, says that the good news for compliance teams is that they should continue to focus where they always have: the culture. The bad news is that culture and trust are both damaged during a RIF, which can lead to both an increase in misconduct and a decrease in reporting. Because of that, communication is more important than ever, she observes. Employees are hungry for more information. And don’t forget another form of communication: just being visible. Let them know that you are there for them. Other advice she offers:

- Remind employees about the organization’s policies
- Embrace the idea that more is better
- Train effectively in a targeted way, such as focusing on the code of conduct
- Get in the habit of conducting regular surveys of the workforce

Listen in to learn more about how to better manage compliance programs during layoffs.
11/10/2022 | 12 minutes, 45 seconds

Todd Haugh on Nudges, Compliance & Ethics [Podcast]

By Adam Turteltaub

There has been a lot of discussion over the last few years about nudges, although typically in the general business environment, rather than in the world of compliance and ethics. A notable exception has been the work of Todd Haugh, Associate Professor of Business Law and Ethics at the Kelley School of Business at Indiana University, and a Board Member and Jesse Fine Fellow for the Poynter Center for the Study of Ethics and American Institutions. He has written about nudges and offers additional resources on behavioral compliance. In this podcast, he explains that behavioral science has revealed that nudges – carefully crafted prods to make the right decision – can have a profound impact. A nudge takes advantage of choice architecture, which pushes people in a direction by structuring the environment in which choices are made. Notably, this is not about tricking people. This is a pro-social effort. So, how does it work in practice? It begins at the end. Look at the outcome desired and then examine the steps along the way. As you do, build a behavioral map that identifies when small interventions in existing processes can achieve positive compliance results. For example, one organization was receiving more anonymous reports on its help line than it desired. The organization realized that the default setting for reporters was set to anonymous. By simply shifting the default to including the person’s identifying information, non-anonymous calls increased 5%. Another example comes in the area of travel. When an employee fills out a travel form for a high-risk country, it’s a good time to provide information on data security and the corruption risks of meeting with government officials. Professor Haugh cautions that it is best to think of nudges as ways to have specific impacts on certain behaviors, not to do something broad like creating a positive corporate culture. Have reasonable expectations and then test out various nudges to see which ones are having an impact and which ones aren’t. Listen in. It may nudge you to think of your compliance efforts differently.
11/8/2022 | 13 minutes, 44 seconds

Rodrigo Cunha on Digital Ethics [Podcast]

By Adam Turteltaub

Rodrigo Cunha is Global Director, Legal, Ethics Compliance and Data Protection for AB InBev. There he focuses on digital ethics. As he explains in this podcast, when it comes to data, traditional risk management, focused on making sure that what the company is doing is compliant, is only the first step an organization needs to take. They also need to incorporate risk management in the design of the program. In addition they have to focus on reputation and trust. Without a good reputation for protecting data and the trust that comes with it, a company will have an exceedingly difficult time doing business. Digital ethics, he believes, is a business enabler. Organizations need to look beyond the compliance requirements, especially now with requirements increasing and varying so much by jurisdiction. Instead, it is better to think about expectations of the government, consumers and other stakeholders as a guide. At AB InBev that assessment led to the development of five principles that they stand for wherever they operate:

- Collect only the data we need
- Use the data only in a manner that we say we would
- Protect the data we have
- Keep only what we need
- Be accountable

Further thought led to the development of a sixth principle: We use data how people expect we would. Putting these principles into practice involves a deep partnership with the business units. It includes effective training but also modifying the three lines of defense model to make sure the business unit is better able to meet the challenge. That includes the compliance team working closely with them to respond effectively whenever issues arise. Listen in to learn more about how to better embed data ethics into your organization, and hear what Rodrigo sees for the future, including a potentially dramatic shift in consumer behavior.
11/3/2022 | 15 minutes, 53 seconds

Bret Hood on Why Leaders Fail [Podcast]

By Adam Turteltaub

Why is it that so often leaders in organizations fail? They seemingly had all the skills, accumulated all the experience, and then something went wrong, sometimes disastrously. It’s not just the CEO; it can be leaders at other levels in the organization. Bret Hood (LinkedIn), Co-Founding Partner of 21st Century Learning & Consulting, provides some fascinating answers to that question in this podcast, in which he draws from, amongst other things, his 25 years in the FBI. He explains that as individuals move up the organizational ladder feelings of empathy may start to deteriorate without the person realizing it. They may grow to become self-centered, taking credit for the success of others, and distributing blame for failures, including their own. This can be coupled with what he calls “illusory superiority”: the belief that you are better than everyone else. Most of us suffer from that to a degree. A very disproportionate percentage of people feel that they are smarter than their peers or even a better driver than most. In an exercise he frequently does, rarely do more than 3%-5% believe that they are in the bottom half for leadership skills. Clearly, it’s not possible for 95% to be in the top half. Many leaders (and others as well) also suffer from what he refers to as “sunk cost bias.” A mistake is made, and instead of owning up to it there is a tendency to double down. A small fudge of the numbers in one quarter when thinking “well, it’s a small one-time dip” leads to greater fudging the next, and then on and on, rather than an honest accounting. The bottom line is that knowing your capabilities and performing an honest self-assessment is difficult. That’s why he recommends two approaches. First, think about what your gut says, and then ask: what if I made the opposite decision? What would be the consequences? This technique helps you see things from more than one perspective. The second recommendation is to find people you respect who trust that it is safe for them to ask hard questions and offer opinions that contradict yours. Listen in to learn more about leadership, and also the concept of followership.
11/1/2022 | 11 minutes, 53 seconds

Shemekia Alexander on Compliance Exit Interviews [Podcast]

By Adam Turteltaub

Exit interviews can be terrific sources of information for compliance teams, but how do you make the most of them? And do you need to be a part of all of them? That can be a very tough task in a large enterprise. Shemekia Alexander, Director, Corporate Responsibility Officer of Mercy Health, recommends focusing on live interviews with key individuals that are most likely to have insights into potential compliance issues. In her case, that includes compliance and legal personnel, the executive suite, revenue cycle staff and providers. To get people to feel comfortable talking, she reaches out in advance to introduce herself and make the person comfortable with the process. Typically, she sends an email saying who she is, the purpose of the meeting and that it will be confidential. She also recommends that the departing employee, if the conversation will be via Zoom or a phone call, get to a place where they do not have to worry about being overheard. During the interview she begins by explaining what she means by compliance since some are confused about what exactly compliance encompasses. She then asks several standard questions including:

- Are you aware of any compliance concerns that should be addressed?
- Have you raised any compliance-related issues previously that have not been addressed?
- Have you seen any associates engage in conduct that may be illegal or unethical?
- How would you describe the organization’s compliance culture?
- Is there anything else you would like to discuss?

The last, very broad question can be particularly helpful, opening the door for conversation. As important as what the employee says can be how they are acting in the conversation. She advises paying attention to their behavior: are they hesitant, disgruntled, scared, aggressive? For those who are not interviewed face to face there are questions in an optional survey that HR provides to departing employees. Any issues raised there are forwarded to compliance. It’s all a part of a team approach, and cultivating the team’s support is essential for success. Listen in to learn more about how to turn an employee exit into a compliance opportunity.
10/27/2022 | 10 minutes, 49 seconds

Shu Min Ho and Sam Johnson on Third Party ESG Risk [Podcast]

By Adam Turteltaub

Third-party risk is the risk that keeps expanding. Data security and anticorruption risk have long been the focus. Now, though, the risks are broadening to include issues such as where materials are sourced and the labor that produces them. Shu Min Ho, Partner in the Singapore office of the law firm Sidley, and Sam Johnson, Senior Managing Associate there, explain in this podcast that with the rapid adoption of ESG programs, the scope of risks is dramatically increasing, especially considering how much ESG encompasses. To be effective, compliance teams need to focus their ESG third party risk efforts on those areas of the supply chain that are most likely to harm the business beyond the traditional legal framework. That means understanding your business and where the risks are. For example, in the technology hardware business that likely includes labor standards, worker protections and mineral sourcing. Increasingly it also means looking beyond your suppliers to their major suppliers as well. That effort requires tremendous cooperation from the business unit, procurement and, of course, the suppliers themselves. When looking at suppliers, take time to understand their business model to determine how they make money. Then watch out for signs that something may not be right. For example, if a product is suspiciously inexpensive, it may be the result of workers forced to labor long hours or outsourcing to companies with limited or no safeguards in place. Be aware, too, that expectations are different. An environmental review in the past may have looked at how toxic waste is handled. Now, sustainability is likely much more of a consideration. Finally, be especially sensitive to human trafficking and modern slavery. They are ESG issues increasingly subject to regulatory expectations. In fact, a separate due diligence effort may be necessary in this area. Listen in to learn more about how ESG is calling for a second look at third party due diligence.
10/25/2022 | 16 minutes, 21 seconds

Bruno Drummond on Ethical Audits [Podcast]

By Adam Turteltaub

An ethical audit is one that evaluates compliance with laws and regulations but also assesses a vendor against ethical standards, explains Bruno Drummond, Senior Director, Global Compliance at DHL Supply Chain. These standards could come from an industry or other external organization or your company’s own code of conduct. They likely would cover issues such as human rights, child labor, forced labor, discrimination, unfair and inhumane employment, working conditions and even your supply chain’s own supply chain. Why should you conduct one? Because these days regulators, enforcement and the public require it. For a company such as DHL, which is heavily committed to ESG, ethical audits are at the top of their list. It’s a part of the company’s commitment to clean operations, being a good place to work and highly trusted. DHL was first exposed to ethical audits when a customer conducted one of them. Seeing the value in it they adopted it themselves. The audits are conducted both remotely and at customer locations. The DHL code of conduct is the benchmark against which the audit is conducted. Included in the process are roundtables with employees, interviews with managers and an office walk through. Because of the cost, Bruno recommends taking a risk-based approach and looking at a cross-section of your supply chain when conducting these audits. Listen in to learn more about the process and whether it’s time for your organization to embrace ethical audits.
10/20/2022 | 12 minutes, 45 seconds

Chris Davenport on Getting the Helpline to Ring [Podcast]

By Adam Turteltaub

Most every compliance team would like the helpline to ring more, and Brooks Rehabilitation was no different, explains Compliance Operations Manager Christine Davenport (LinkedIn). To increase call volume they adopted a snappy slogan – “Better call compliance” – and put together a full marketing campaign to support it. The efforts paid off big, doubling the number of calls over four years. It wasn’t the slogan alone that helped. Central to their success was the combination of good internal marketing along with a serious behind the scenes effort to ensure that calls were acted on. The team captured data on which line of business the call came from, type of issue and what response was provided. The data was kept on a shared drive to streamline the process and make it simple to spot a repeated question. This both saved work and decreased the time of response. Common areas of employee concerns included HIPAA and receiving gifts from patients. When responding to calls, the compliance team, wherever possible, included information about the underlying regulatory requirement. This helped provide employees with context and enabled them to better educate themselves. The compliance team also looked beyond the questions and treated the calls as a way to start a conversation and reassure employees that calling didn’t automatically get them or someone else in trouble. Listen in to learn more about their efforts and get some ideas about how to convince your workforce it better call compliance.
10/18/2022 | 10 minutes, 43 seconds

Dan Kahn on the Recent Comments by Deputy Attorney General Lisa Monaco [Podcast]

By Adam Turteltaub

United States Deputy Attorney General (DAG) Lisa Monaco recently gave a speech in which she outlined both new policies at the Department of Justice (DOJ) as well as enhancements to existing ones that can have a profound effect on compliance and ethics programs. To better understand both what she said and what it all means we sat down with DOJ veteran Daniel Kahn (LinkedIn), a partner in the Washington, DC office of Davis, Polk & Wardwell, for an in-depth and longer than usual podcast. He explains that while the emphasis on individual accountability is not new, there is a significant change. The Department expects that individual prosecutions will take place prior to or at the same time as corporate resolutions. Given the extra time it often takes to prosecute an individual, that will make it harder for organizations to reach a swift conclusion and move forward. There is also one other significant change in terms of how individuals are treated: the Department is now looking to see if the organization is clawing back compensation from employees who committed wrongdoing, at least in those jurisdictions where it is permitted. When it comes to leniency, the Department had previously stated that repeat offenders were not likely to receive a Non-Prosecution Agreement (NPA) or a Deferred Prosecution Agreement (DPA). The DAG’s latest comments reflected a more nuanced approach and reflect the idea that all incidents are not created equal, and that in a large organization it is possible for more than one violation to occur over time, without it being a sign of dysfunctionality. Other notable elements of her comments:

- The Department expects that when an organization seeking cooperation credit comes across hot new evidence it will share it with Justice immediately
- For the first time there will be policies on voluntary disclosures across all the various departments within Justice
- There will be a presumption against a guilty plea if a company voluntarily self-discloses, cooperates and remediates
- Non-Disparagement Agreement clauses will be looked at unfavorably if they interfere with whistleblowing

One other notable element of her talk, which was, perhaps, lost in most discussions about her comments, is the call for organizations to get a better handle on messaging by employees on their personal devices. Finally, Dan addresses what some perceive as a slowdown in corporate prosecutions over the last few years. He notes that during the Obama and Trump administrations there was an uptick in cases. Any slowdown over the last two years is likely the result of changes in leadership at the DOJ with a new Administration. Bottom line is that now is not the time to assume the DOJ is not active. Listen in to learn more about what you should take away from DAG Monaco’s comments.
10/13/2022 | 28 minutes, 9 seconds

Laura Valdespino on Communicating & Compliance [Podcast]

By Adam Turteltaub

Good communication is a two-way street, with both sides sharing their perspectives. Yet, observes Laura Valdespino (LinkedIn), Chief Compliance Officer, Booking Holdings Financial Services USA, too often it is one way, with compliance doing the talking. In this podcast, and in her in-person and virtual session at the 2022 Compliance & Ethics Institute, Laura outlines practices for creating a good dialogue with the workforce. It starts, she explains, by committing to listening. Engage with them, she advises, and look to create opportunities for interactions through Q&A sessions or coffee and donuts. Once you are there with the workforce be sure to listen with unbiased ears to what people say they want and need from compliance. Be sure to also customize your message to the audience. Salespeople, manufacturing, IT and all the other parts of your organization will have different needs and will be listening for different information. Take the time to understand what motivates them. It helps build trust. How you communicate is also important. Learn what frequency of communication works best for your workforce. Be sure to avoid lecturing, legalese and focusing on what they can’t do. Instead keep the communication focused on the right way to achieve business goals and what we all need to do. Listen in to learn more, and be sure to attend her session at the live or virtual 2022 Compliance & Ethics Institute.
10/11/2022 | 15 minutes, 30 seconds

Kathleen Grilli on 30 Years of the US Federal Sentencing Guidelines [Podcast]

By Adam Turteltaub

The Organizational Sentencing Guidelines have turned thirty, and what began as an experiment is now an established framework for compliance programs in the US and around the globe. To commemorate the milestone, the United States Sentencing Commission has published The Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence, which takes a look at the impact of the guidelines and what we have learned about their impact on organizational behavior. In this podcast, the Commission’s General Counsel Kathleen Grilli identifies the three largest innovations of the Guidelines:

- Incentivizing self-policing by organizations
- Providing guidance on effective ethics and compliance programs
- Holding organizations accountable based on specific culpability factors when they commit offenses

The approach has worked more successfully than had been imagined. As she notes, it has expanded beyond the criminal environment to encompass civil settlements with government agencies as well. In addition, the approach to compliance in the Guidelines has been embraced globally, with their outlines clearly visible in the laws of many nations. Within the US, she shares, a strong difference has emerged between organizations with and without compliance programs. The overwhelming majority of organizations convicted had no compliance program at all. In fact, only 11 out of approximately 5,000 organizations had a program that a court found to be effective. This points out that there is still room for improvement, particularly among smaller organizations who lack awareness of the need for and benefits of compliance programs. Listen in to learn more about the remarkable effectiveness of the Organizational Sentencing Guidelines.
10/6/2022 | 14 minutes, 17 seconds

Marla Berkow on Behavioral Health and Restorative Justice [Podcast]

By Adam Turteltaub

Usually, a Compliance Perspectives podcast focuses on just one topic, but in this one Marla Berkow, Corporate Compliance Officer at Gateway Foundation, tackles two: behavioral health and restorative justice. In the first part of the conversation, we focus on the unique challenges of behavioral healthcare. They include maintaining both patient and organizational privacy. Physical and emotional safety of the staff is also important, along with a strong culture of reporting. With many patients a part of pre- or post-trial diversions there are unique challenges created, especially in the privacy arena. In the latter half of the conversation Marla focuses on a restorative justice approach, which she explains, is designed to differentiate between an intentional and inadvertent mistake, with discipline meted out appropriately. With that comes a focus on ensuring the problem is not repeated. Listen in to learn more about the challenges of behavioral health and potential benefits of a restorative justice approach to compliance.
10/4/2022 11 minutes, 25 seconds

Jan Elezian on Privacy Walk-Throughs [Podcast]

By Adam Turteltaub

Having all the privacy policies and procedures in place is one thing. Having them practiced is another, and that’s where a privacy walk-through comes into play. Jan Elezian (LinkedIn), Director Healthcare Provider Practice, Revenue Cycle Compliance, Regulatory Compliance at SunHawk Consulting, explains that the walk-through is a test of a facility’s privacy and security environment. It includes a tour of high-risk areas – registration, patient intake, wherever else PHI is accessed – to see what employees are actually doing. It can be used to identify how your administrative and technical safeguards are working in the real world and determine where they need to be strengthened. Before beginning the walk-through, she recommends putting together a checklist of what you will be looking for. Leave room for taking notes, and hold onto it. That way, when you return for a subsequent walk-through you can easily see how things have changed for the better and worse. What should you be looking for? A variety of things including: Is staff wearing badges? Are visitors escorted in? Are security reminders posted? Are printers improperly secured? Have papers piled up on the printer? Are privacy practices posted for patients? Two other things to check for: fire extinguishers and smoke detectors. HIPAA requires safeguards on PHI, she points out, and that includes safeguards against fire. After you have done your visit she recommends developing a post-assessment remediation plan. There inevitably will be corrective actions needed. Be sure to include follow-up steps and dates when the work will be completed. All this effort will help create a more secure data environment, and give management, the compliance committee and board greater confidence in your program.
9/29/2022 7 minutes, 22 seconds

Jason Meyer on Not Boring the Board [Podcast]

By Adam Turteltaub

Time with the board tends to be short, valuable and critical to the success of the compliance program. Getting and keeping their attention is essential. To do so effectively, Jason Meyer (LinkedIn), President of LeadGood Education, recommends keeping in mind that board members share one thing in common with the rest of us: they want to know if what you’re telling them is truly relevant to them or a waste of their time. To communicate effectively he recommends an audience-centric approach. That means avoiding compliance jargon and focusing on terms that they care about such as “fiduciary duty”, “Caremark decision”, “oversight” and “DOJ Guidelines”. And, of course, where appropriate, “stock exchange rules”. Remember, too, that they are focused on existential risks to the organization, not the routine, everyday ones. Stay laser focused on what is in it for them and combine hard information – what their duty or a risk area is – with scenario-based examples. Think, too, like a marketer: repetition matters. Stress and keep stressing what’s important, but put some sizzle behind it. Avoid the pitfalls of simply echoing what management is saying and being just one more presentation. Have a message of your own to demonstrate independence and underscore the importance of a direct compliance-board relationship. Also, don’t forget the education part of the equation. Opportunities for them to be better educated are rare, and showing you have information they could use may be the best way to get their attention. Listen in to learn more about how to get the most out of your time with the board.
9/27/2022 15 minutes, 12 seconds

Meiran Galis on Data Security, SOC 2 and ISO 27001 [Podcast]

By Adam Turteltaub

Improving data security at your organization doesn’t just protect you, it can also increase your business, explains Meiran Galis, Chief Executive Officer of Scytale. Customers increasingly want to know that their business partners’ systems are secure and that critical data will not get stolen or held hostage in a ransomware attack. To ensure that they are meeting data security standards and can provide their customers the assurance that they seek, many organizations pursue SOC 2 or ISO 27001 certification. As Meiran explains, there are key differences between the two. SOC 2, he reports, has become the new gold standard for SaaS applications. It is generally considered of greater value in the US and is not technically a certification. An attestation report is made and independently certified. ISO 27001 is a traditional certification and is focused on information security management. It is more popular outside the US, especially in Europe. So, should your organization pursue SOC 2 or ISO 27001? That depends on where your current and potential customers are and what they require. Ask sales if prospects and customers are already wanting a certification from your organization. Once you decide on which certification to pursue, or if both make sense, don’t expect it to be a fast process. For small organizations it may take 250 hours of work. For larger companies, it may take 1000 hours or more. Once you earn the certifications, have a plan in place to continuously monitor and periodically audit your efforts. Listen in to learn more about whether SOC 2, ISO 27001 or both are necessary to protect and grow your organization.
9/22/2022 14 minutes, 9 seconds

Ty Francis and Eric Morehead on Assessing Your Compliance Program [Podcast]

By Adam Turteltaub

The writing on the wall is pretty clear: regulators expect compliance programs to be custom designed for the organization and kept up to date. That means compliance teams need to stop periodically and reassess their program to ensure it is effective in practice and not just on paper. In this podcast, LRN’s Ty Francis MBE, Chief Advisory Officer, and Eric Morehead, Director, Advisory Solutions, explain that regulators want to know if organizations are targeting their compliance resources to the risks that they are facing. To allocate efforts successfully, it is essential to look at the data to see if your program is effective. Yet, they point out, it’s not just a numbers game in which more spending leads to more results. If, for example, there is an issue with employees not speaking up and living in fear of retaliation, paying for more training is not going to be enough. Instead, compliance teams need to look holistically at the situation and address the underlying cultural issues. That includes demonstrating to employees that a manager who retaliates will face discipline. So how do you conduct an effective assessment? First, they recommend budgeting enough time. The process tends to take longer than people think given the number of people you will need to interview and the time at the front end to gain support from leadership. Next, make the effort to talk to people from the top of the organization to the bottom. Do so in person, or via surveys if necessary. As you do, be sure to learn how they feel about the compliance programs, the culture of the organization, violations they may be seeing and the ability to speak up without fear. Finally, they advise looking outward. Benchmark your efforts against your peers. This can provide context and expose you to ideas and solutions you may not have been aware of. Listen in to learn more, and then spend some time assessing your assessment program.
9/20/2022 15 minutes, 11 seconds

George Tziahanas on New International Privacy Laws [Podcast]

By Adam Turteltaub

GDPR, CCPA and HIPAA all pose daunting privacy challenges for organizations. But George Tziahanas (LinkedIn), Managing Director of Breakwater, explains that there are many more national laws to consider. In this podcast he takes us through five countries with laws and regulations that global compliance and privacy teams need to consider.

The People’s Republic of China: China’s law, he reports, is very focused on the country’s national interest and a belief that preserving data, particularly critical data on firms and infrastructure, needs to stay in the country. The law affects whether data can be transferred outside China and under what circumstances. It also has limits on what information can be shared with foreign law enforcement.

France: The US Cloud Act triggered concerns in many jurisdictions around the world. The French National Security Agency established a certification program that now requires French nationals to run cloud-based services in France and limits the ownership levels of foreigners. It affects broad sectors of the economy.

Germany: The largest economy in Europe is embarking on efforts similar to those in France, which is having the effect of creating digital borders in the EU. They have created a sovereign cloud, in partnership with the private sector, that affects government agencies, vital services and critical sectors of the economy.

The Kingdom of Saudi Arabia: Saudi Arabia has classified certain data as needing to stay within the country. This has led to partnerships with cloud vendors to bring their infrastructure into the country.

Dubai: The UAE, he reports, has long had limits on encrypted voice channels and VOIP. To gain access to cloud technology they, too, are slated to introduce new data and cybersecurity rules that are anticipated to be similar to Saudi Arabia’s.

In sum, organizations are now increasingly facing a world in which data transfers will be more complex and where data is housed will be closely scrutinized and limited. Listen in.
9/15/2022 13 minutes, 27 seconds

Cindy Morrison on Trust and Speak-Up Cultures [Podcast]

By Adam Turteltaub

Getting employees to come forward and raise issues can be difficult. There is often genuine fear of retaliation, and many don’t trust that the company will do anything. It’s a topic that Cindy Morrison CCEP (LinkedIn), Director, Global Ethics and Compliance, Post Holdings, Inc. will be addressing at the 2022 SCCE Compliance & Ethics Institute and tackles in the latest Compliance Perspectives podcast. Her own journey of discovery in this area was jolted by an assessment revealing that employees did not think the company had a speak-up culture. The key to creating one, she realized, is encouraging respectful dialogue. A true, two-way discussion is necessary to help build the trust that is so essential. Employees want to be heard, and if the company isn’t listening to them, they are never going to feel safe. Showing that the organization is listening begins with making the effort to know the employees, a difficult challenge in this remote-working world where employees tend to change jobs frequently. Still, it must be done, and managers need to practice active listening and adapting communications style to the listener. It also means demonstrating that when employees speak up, actions are taken: bad actors get disciplined or fired, policies are changed or publicly reinforced. In addition, it is essential to remember that each facility may have its own distinct culture. That may stem from the history of the facility and who has worked there, or the ethnic makeup of the employees. It’s also important to remember that not all facilities in the same country will share a common culture. As she notes, their operation in Minnesota is 70% Somali. Finally, she underscores the importance of constant education. Make sure the workforce knows all the ways it can raise issues and what to do if they feel they are being retaliated against. Listen in to learn more, and then join us at the 2022 SCCE Compliance & Ethics Institute.
9/13/2022 12 minutes, 23 seconds

Vin Lacovara and Corey Parker on Risk Assessment Frameworks [Podcast]

By Adam Turteltaub

What’s a risk assessment framework? How can it help? Vin Lacovara, Institutional Compliance Leader, George Mason University, and Corey Parker, Director, Baker Tilly, explain that the framework is a document that should be tailored to the organization’s needs and starts with an inventory of applicable laws and regulations. Next, the responsible personnel and controls that are in place should be added, followed by a preliminary prioritization of risk areas. Then, more details can be added, looking on the more granular level. All in all, the process should take about a month. The harder, longer work comes next and involves filling out all the efforts that need to be put in place. How often should the framework be reassessed? That depends on the organization’s priorities and how high a given risk is. Any high-risk area that threatens to literally or figuratively shut the institution down should be looked at more frequently to see where the institution’s risk mitigation efforts stand. To ensure that the framework is properly tailored to your organization, they recommend investing time in developing relationships with stakeholders to make sure their needs are met. The most important thing is to start somewhere, don’t let yourself get bogged down, and look for the process to develop and improve over time. Perfection out of the gate is not likely. Listen in to learn more about how to create a proper risk assessment framework.
9/8/2022 14 minutes, 37 seconds

Rich Hale on Data Security and Privacy [Podcast]

By Adam Turteltaub

The challenge of complying with data protection laws is growing more complex, with US states increasingly having their own laws or considering adopting them. This has led many to call for one national data privacy law for the US. Rich Hale, Chief Technology Officer, ActiveNav, hopes that a national law emerges that identifies and normalizes the common threads in the various state requirements. Until then compliance needs to draw out those threads itself and provide clear advice on core requirements. Compliance teams, he advises, also need to resist the temptation to boil the ocean and try to solve all the challenges at once. Instead, as elsewhere, it is better to identify and prioritize the risks. Then, work in partnership with operations to implement effective mitigation plans. One key area to focus on is identifying what data the organization has and the justification for holding it, including understanding where the data is being used. That is often easier said than done, since many organizations do not have a full appreciation of all the uses of the data. Finding that information, he reports, is both a top-down and bottom-up exercise. Here, too, prioritization is critical. You need to determine where the data is used most actively, including the unstructured data. Listen in to learn more about how to get a better handle on your data in the face of regulatory complexity.
9/6/2022 12 minutes, 57 seconds

Marsha Ershaghi Hames on The Board’s Role in Corporate Culture [Podcast]

By Adam Turteltaub

Corporate culture, tone at the top, proper governance and the relationship between the board and compliance have all been frequent subjects of conversations of late. In this podcast, Marsha Ershaghi Hames, partner at Tapestry Networks, shares recent research into governing boards and their role in shaping corporate culture. The report, Assessing Corporate Culture: A Practical Guide to Improving Board Oversight, and the research leading up to it, revealed that culture is most definitely a focus of directors, and there is a strong need for board alignment on what the culture should be. Turning that vision into a reality requires building bridges and a partnership between the board and the management team. It also requires data to measure where an organization is and to track progress about where it is going. That is not all, though. Directors who formerly held compliance roles were quick to point out that there is a need to think beyond the numbers and balance quantitative, qualitative and anecdotal evidence. All these measures are essential to developing a holistic view. The report, which was developed after interviews with 40 directors from 65 publicly traded companies, revealed five keys to success: prioritize culture on the agenda; the board has to challenge its own culture; monitor and measure, but also create blended data sources; ensure that the culture is articulated and simplified enough that it can be measured; and calibrate the board and management structure to optimize the information flow. The last step means enabling managers, including compliance, to communicate directly with the board as needed to give it a fuller picture of the organization. Listen in to learn more about how to help the board lead in shaping corporate culture.
9/1/2022 11 minutes, 14 seconds

Chris Audet on Helpline Usage, Or Lack Thereof [Podcast]

By Adam Turteltaub

The 2022 Risk & Compliance Hotline & Incident Management Report from NAVEX included data that showed that helpline calls, while increasing, were not back to pre-pandemic levels. New research from Gartner confirms that data, reports Chris Audet, Gartner’s Senior Director, Research. It also provides new insights into reporting and where organizations continue to struggle to win over their workforces. The drop in observed misconduct reported likely reflects, he explains, a decline in actual misconduct – a reflection of less opportunity for it – and a significant change in the landscape: the type of misconduct is changing. Bullying, intimidation, unwanted behavior and misuse of time and resources are going up. So what should organizations do with employees calling the helpline not as often? He recommends relying less on reporting and more on embedded controls, as was discussed in his previous podcast. In addition, many are seeking technologies that support narrow risk areas such as insider trading. Gartner is also seeing an increase, he reports, in questions about wider views into risk through GRC and other third-party risk tools. But, even with all that, the helpline is critically important to compliance programs. To increase its usage, the research suggests revisiting the value proposition about reporting. Expectations have changed for the employer/employee relationship over the last few years. Feeling safe from retaliation is not the driver that it was thought to be. Their data suggest that there are other levers to pull. Listen in to learn about what those levers are and how to use them most effectively.
8/30/2022 13 minutes, 17 seconds

Melanie Sponholz and Nick & Gio Gallo on Compliance Budgets [Podcast]

By Adam Turteltaub

Melanie Sponholz, Chief Compliance Officer, WCP Healthcare, Nick Gallo, Chief Servant and Co-CEO of ComplianceLine, and Gio Gallo, Co-CEO and CTO of ComplianceLine, have a simple message for compliance officers: don’t be embarrassed about asking for the budget you need. Historically, they report, compliance budget proposals have not been strong, and some programs have even lacked a formal budget, which is consistent with the historical perception that compliance is a cost center. Changing that dynamic, they argue in this podcast, means taking a more positive approach and discarding any apologetic tones to the budget request. Instead, they counsel going in knowing the worth of the program and feeling empowered to create a budget based on the resources the program needs, just as other departments do. Let management know what your goals are, what it will take to achieve them, and how much of an investment is required now, they say. Also, don’t worry about the data you don’t have. Instead, focus on what you have and know, and use it to support your argument. When presenting the budget, they offer three additional pieces of advice: When facing feedback and hard questions, don’t freak out. It’s a normal part of the process. Anticipate objections and concerns, and be prepared to address them. Be honest. If you can approach the budget meeting calmly and feeling prepared, you will be far better off. Listen in to learn more, including what poker players can teach you about getting the right budget for your compliance program.
8/25/2022 14 minutes, 31 seconds

Amii Barnard-Bahn on Delivering Bad News [Podcast]

Post by Adam Turteltaub

No one likes to be the bearer of bad news, but if you sign up for a job in compliance, you are inevitably going to be one. The challenge is doing so in a way that is most productive. Long-time compliance veteran and executive coach Amii Barnard-Bahn has invested a great deal of time in studying this challenge. She reports in this podcast that social science has discovered that bad events impact us five times more than positive ones. We are programmed not to want bad news. Worse, messengers of unwelcome information tend to be deemed unlikeable and less competent. There is even some malevolence towards them, believing, usually wrongly, that the person got some pleasure from sharing the unpleasant news. So how do we overcome it? She developed a six-step process: psychologically prepare your audience; rehearse confident delivery; be present and fully focused; convey benevolent, proactive intent; explain without justifying; and add a sense of urgency. Psychological preparation of the audience, she explained, is often overlooked. When people are surprised it can slow down their thinking and increase negative emotions. So, it is best to prepare people for what is coming. Then let them know what the cost will be, time involved and what needs to change. Conveying benevolent, proactive intent is about overcoming the gut perception that somehow you were involved, wanted the incident to happen or are to blame. Chances are you were not the one at fault and you need to help people see it. When you did make a mistake, take the blame, accept responsibility and then show a path forward. Listen in and learn more about how to make delivering bad news better.
8/23/2022 11 minutes, 28 seconds

Philip Winterburn and Jane Mitchell on Compliance, Ethics and Disruptive Times [Podcast]

By Adam Turteltaub

These are different times. We all know that we are living in them, and that calls for different thinking. But what does that mean? To help answer that question we spoke with UK-based Jane Mitchell (LinkedIn), an independent consultant who specializes in culture, ethics, values and leadership, and Philip Winterburn, Ethics Principal at OneTrust. As they look around at the business world they see that leaders are struggling to understand what the impact of the pandemic has been on the people that work for and with them. Given how much people have been affected by the last few years, there is a clear need to focus on culture, which Jane describes as the “corporate immune system”. It can be either an asset or liability when it comes to both preventing wrongdoing and managing the now significantly more difficult task of recruiting and retaining talent. Meanwhile, outside the organization, attitudes towards purchasing are starting to change. Customers, whether consumers or other businesses, want to know where your goods are made, under what conditions and how the raw materials are sourced. If they do not like what they see, they are turning away. So what makes for a healthy organization in this environment? For one, broadening the conversation beyond the numbers and looking at how the organization can be smart, resilient and sustainable. That will be especially true over the next few years when a rocky, unpredictable economy is predicted. In terms of leadership, it calls for CEOs who truly understand what is going on, welcome the truth and encourage people to speak up and openly disagree. It also calls on CEOs to recognize that people want to please them and may be painting too rosy a picture. Listen in to hear more about how compliance and ethics teams can thrive and lead during these uncertain times.
8/18/2022 16 minutes, 22 seconds

Lola Adekanye on Corruption Risk in Africa [Podcast]

Post by Adam Turteltaub

While in most cases the pandemic created nothing but challenges, Lola Adekanye (LinkedIn), Senior Program Officer for the Center for International Private Enterprise (CIPE), reports in this podcast that, in some respects, it provided some benefits. While initiatives to encourage transparency and integrity were stretched, employees endured indefinite periods of working from home and governments were challenged with their budgets, the commitment by citizens and civil society to promote anticorruption and integrity grew. So, even though the risk for corruption increased, there was also a rise in whistleblowing, particularly in Zimbabwe, Kenya, South Africa and Nigeria. Most of the activity in this area revolved around the acquisition and distribution of Covid-related supplies, not surprisingly. The transportation sector also saw a rise in corruption. Government procurement has continued to be a sore point, with many cases of collusion, price-fixing and kickbacks. But consumer goods have seen a decline. For the long term she sees a collision between two forces. On the one side are traditional, authoritarian regimes with higher corruption. On the other side, which she thinks will prevail, are young people and institutions coming together to find ways to hold government and companies accountable. Listen in to learn more about the present and future of anticorruption efforts in Africa.
8/16/2022 13 minutes, 17 seconds

Rebecca Wellum on Third Party ESG Vetting [Podcast]

By Adam Turteltaub

Many organizations have grown accustomed to and developed protocols for vetting third parties for issues such as anticorruption compliance and privacy. But, with the rise of ESG, suppliers need to be reviewed for exposure on a much wider scale than ever before. Can existing protocols be used, or do they need to be replaced? To find an answer we spoke with Rebecca Wellum (LinkedIn), Vice President Compliance & Diversity at GEOTAB. In this podcast she explains that in many ways ESG is a repackaging of things many organizations have been doing for some time. To make your process effective she recommends starting by defining the risk areas for your industry. Then, look at your material sourcing to understand where everything in your supply chain is coming from. Learn not just what the supplier is providing and how, but its suppliers’ practices and sources as well. When assessing vendors, she has found that in-person meetings are invaluable. They provide an opportunity to assess the cues that something may be amiss. These can include environmental health and safety papers and certifications that are out of date or a lunchroom that doesn’t look quite right. Data points like these can give you a strong sense of the treatment of labor, and even the organization’s own sourcing methods. She also recommends insisting on audit rights upfront. That’s when your organization has the most leverage. And be sure, she advises, to allow for not just paper, but in-person audits, including on a surprise basis. Small and medium-sized organizations need to be aware, she cautions, that this is not a simple task, but it is an essential one. Even if the company is not public and subject to the scrutiny of the SEC and shareholders, its customers are already likely to be increasing their ESG investment and expectation of their suppliers. She also highly recommends taking the time to document what you have done. Keep audit trails and be prepared to demonstrate what steps you took while selecting, onboarding and periodically reassessing your suppliers. Listen in to learn more, including the growing importance of assessing diversity as well.
8/11/2022 14 minutes, 4 seconds

Reginald Youngblood on the Interplay Between Compliance & ESG [Podcast]

By Adam Turteltaub

The relationship between ESG and compliance is as of yet not a fully defined one. That’s not surprising given both the newness of ESG and the many similarities between it and compliance. While many see an overlap between the two, Reginald Youngblood, Associate Vice President Corporate Compliance at AT&T, sees more of an overlay with existing frameworks for managing risks. As with other risk areas, there is a need to look at the financial impact, how often it occurs, the inherent risk and how it affects the business. He also observes that, like compliance, ESG touches an enormous cross section of the enterprise, albeit in a somewhat different way. By becoming involved with ESG the compliance team, he believes, can have more contact with the organization as a whole, address issues in a new way and help define what ESG means to the organization. This approach has enabled the AT&T compliance team to open doors and become an active partner in projects that they never would have been asked to be a part of before. In addition, it has provided compliance with greater visibility into the organization while acting as a bridge between compliance and the business. As a side benefit, the compliance team has also discovered new repositories of data within the firm, enabling it to better assess risk. In the end, he sees the relationship between ESG and compliance as a very happy one with great opportunity, earning compliance a seat at the table while creating greater appreciation for the risk management process and the focus on values and integrity that have long been a staple of compliance programs. Listen in to learn more about how to leverage the relationship with ESG.
8/9/2022 10 minutes, 53 seconds

Eric Hontz on Compliance in Ukraine [Podcast]

By Adam Turteltaub

One day the war in Ukraine will stop, and many companies will be looking to either enter or return to the country. But what compliance challenges might they face? In this podcast Eric Hontz, Director-Center for Accountable Investment at the Center for International Private Enterprise (CIPE), shares that businesses may be pleasantly surprised when they return. Despite the war the government has been functioning on multiple fronts and has continued to pass reform bills. They are particularly focused on EU-related reforms as a candidate for membership. In addition, a great deal of government power has moved outward from the central government to mayors and regional governments, enabling greater transparency into how funds are being used. All of this has made the corruption risk in the country less. When doing business in the country, Eric recommends enlisting civil society groups as an ally. There are a large number of progressive business groups, he reports, working to stem corruption and encourage innovation. The success of their efforts can be seen in the many technology companies across the country. After the war ends, he expects the country to continue its trajectory away from corruption. There is a growing consensus that corruption weakens the country, and he expects returning soldiers to have far less sympathy for it. As for Russian sanctions, he does not see much risk when doing business in Ukraine. Outflows of investment by Russians began long before the war. Listen in to learn more about what to expect when the day comes that your organization begins working in Ukraine.
8/4/2022 15 minutes, 9 seconds

Gael O’Brien on Emotional Culture [Podcast]

By Adam Turteltaub

For decades, if not centuries, the idea of being professional tended to focus on a cold, cognitive approach to work. Emotions were supposed to be secondary to a much more rational form of management and work environments. In this podcast, Gael O’Brien, executive coach and columnist for Business Ethics Magazine and The Week in Ethics, shares the research of the late Wharton School Professor Sigal Barsade, who examined the impact of emotions in the workplace. Her work focused on how leaders can get culture right. Emotions, in particular compassion, were found to be very important. She also found that employees who feel loved at work perform better. Kindness, caring and feeling connected have a strong impact on employee satisfaction and retention. In fact, she found that employees are 10.4 times more likely to leave because of a toxic culture than they are to depart because of compensation. To create the right environment she is an advocate for an “emotional culture”, which she defines as the emotions necessary for a group to meet its goals. This culture, Barsade found, is transmitted through subtle signals such as facial expression and body language, especially of leaders. That’s a challenge in these Zoom times when traditional cues may be missing. To get the right culture she advocates several steps including: executives verbalizing, modeling and rewarding the emotions they want to cultivate; managers communicating that information to front-line employees; and surveys and interviews that ask employees what emotions they see in colleagues around them. It’s both an intuitive and counterintuitive approach. To learn more about Professor Barsade's work, read some of her articles in Harvard Business Review (article 1 and article 2). You can also see the video of a talk she gave. And of course, click above to listen to our podcast with Gael O’Brien.
8/2/2022 | 9 minutes, 42 seconds

Gabe Imperato on the Health Care Fraud and Abuse Control Program FY 2021 Report [Podcast]

By Adam Turteltaub

The recently released Health Care Fraud and Abuse Control Program FY 2021 report contains a treasure trove of information for healthcare compliance teams. To gain a better understanding of lessons to be learned from this document we sat down with SCCE & HCCA board member Gabe Imperato, Partner at Nelson Mullins. The report makes clear, he explained, how much coordination and review there is now among the Office of Inspector General at HHS, the US Department of Justice and also CMS. As a result, a subpoena, or even an inquiry, needs to be taken very seriously. Compliance teams need to treat these external actions as if they are a report of non-compliant activity. The report also reveals that there has been an increase in cases based on failures of organizations to appropriately collect copays. Some organizations have engaged in egregious activity that could be characterized as ignoring the obligation. In other cases the provider has made what it considers to be a reasonable effort to collect the payment, such as asking at time of service and sending follow-up letters, while others think that more could be done, such as calling patients and setting up a payment plan. With no clear definition of what’s reasonable, the potential for a whistleblower case is high. The report also illuminates the challenges of Stark and Anti-Kickback cases. In his opinion these cases make it clear that if you are looking at circumstances where on the one hand there is a potential source of business and on the other hand a potential source of revenue, and there is a financial relationship between the two, it is best to bring in competent outside counsel to determine if there may be a violation of these highly complex laws. Kickback cases are very popular with qui tam attorneys, he notes, because of the difficulty in defending them completely. Looking to the future, Gabe sees a large number of Covid-related fraud cases that will likely take years to play out. Listen in to learn more, and be sure to read the report.
7/28/2022 | 14 minutes, 13 seconds

Stacy Giwa and Marisa Hardy on Evolving Your Compliance Program [Podcast]

By Adam Turteltaub

The ethics and compliance team at the University of Southern California (USC) wanted to revamp their program. Stacy Giwa, Vice President Culture, Ethics and Compliance, and Marisa Hardy, Assistant Director Compliance, explain that they went into the initiative with several overarching goals. They wanted to:
- Bring values and ethics-related behaviors to the compliance program
- Provide reasonable assurance to stakeholders that there are core compliance program elements in place, no easy task in a large, complex organization
- Be more proactive, and identify gaps, trends and themes so that one part of the organization could learn from another
- Focus on partnership at every phase and build understanding of why a compliance program is important

To make the evolution a success they engaged the compliance and ethics committee to help enhance the standards and framework of the university’s program. As a part of that, they framed out what compliance is responsible for and what belongs to other departments. They also obtained strong leadership support. The resulting program included an assessment tool that enabled both the team and the individual units of the school to evaluate their elements of the program. They also embraced transparency, letting departments know what information they are capturing and the dashboard they were using. Findings were reviewed with departments and characterized in a positive way, as opportunities for improvement. Improvement plans were set with 1-3 year timeframes, which set goals, but did so in a less overwhelming way. Their approach earned them overwhelmingly positive feedback from over 25,000 members of the USC community. Listen in to learn how they did it and to get ideas for how to successfully evolve your compliance program.
7/26/2022 | 16 minutes, 27 seconds

Mark Chutkow and Jason Ross on Monitorships [Podcasts]

By Adam Turteltaub

For a time monitorships were, if not endangered, out of favor. After many years of embracing them, the US Department of Justice had begun calling for cost-benefit analyses and looking for alternatives. Then in 2021 Deputy Attorney General Lisa Monaco gave a speech announcing that the previous policy had been rescinded and that more monitorships would be coming in deferred prosecution agreements (DPAs) and non-prosecution agreements (NPAs). “I am making clear that the department is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the DPA or NPA.” In this podcast Dykema’s Mark Chutkow and Jason Ross explain what to expect when a monitor is appointed. First, recognize that different monitors will approach the job differently. You will need to understand if they are pragmatic, open-minded, familiar with the industry’s risks and challenges, and have a record as a monitor. Typically, these questions are already answered since companies generally have a say in who their monitor will be. But, if your organization is the exception, do your homework on the monitor. Take time, too, to understand what the scope of the monitorship is. Also, make sure employees understand the role and benefits of a monitor. Leadership and the compliance team need to work to reduce any negative impressions that employees may have so as to facilitate a constructive relationship. To that end, take the time to educate employees that the monitorship will, in the long run, help them. Once the monitor arrives, expect him or her to want to conduct interviews with individuals at all levels of the organization in an effort to better understand the company. The monitor will likely want to understand the pressures middle managers are under and the expectations they are setting for those who report to them. Front line workers will likely be asked if they are comfortable speaking up and raising issues. The monitor may even reach out to customers and suppliers. As for the compliance program itself, expect the monitor to focus on whether it is properly resourced and implemented. Turning to the ongoing working relationship during the monitorship, they warn that there will be tension periodically since the monitor is an outsider, but there needs to be some level of unity to ensure that the relationship is productive. Finally, they discuss the importance of metrics. The DOJ has made it clear that it expects data analytics from organizations when it comes to their compliance programs. Listen in to learn more about the changes and how to prepare for and succeed during a monitorship.
7/21/2022 | 16 minutes, 14 seconds

Joe Murphy on the Evolution of Compliance [Podcast]

By Adam Turteltaub

Joe Murphy (LinkedIn) is rightly considered one of the founders of the compliance profession, joining the field when compliance barely existed. Since then, he has been not only a member of the community, but an innovator and, although he might blush at the term, a philosopher. He constantly explores what compliance is, could be and should not be. In this podcast he shares his insight as to how the profession has evolved in the almost 40 years that he has been a part of it. Looking at the changes over the decades, what has surprised him the most is the large number of people who work in compliance but are not a part of corporate compliance programs as we know them. He cites individuals in anti-money laundering (AML), environmental compliance and privacy as examples. They often operate outside of the overall compliance effort and may not have the real access to power needed to be effective. What should have been done differently at the start of the compliance field? In hindsight he believes there should have been a greater emphasis on having a strong, independent compliance officer, truly at the top level of the organization. That’s where the greatest risks are, he notes. He offers another thought on what should have been different: There should have been a greater focus on incentives. Companies continue to struggle with incentives and rely upon discipline more heavily than they should or could. What would he change today? First, our attitudes towards conflicting areas of compliance and law, such as areas where privacy law may get in the way of conducting an investigation. Conflicts have always existed, he observes, and compliance teams need to navigate them. Compliance also needs to navigate what he sees as treacherous seas created by those academics who have no practical experience in compliance but, nonetheless, write articles about it that then get cited and repeated, even if they are wrong. Joe closes the conversation by looking to the future. Not surprisingly, he encourages us in compliance to stand up for the profession and keep others from defining us. Listen in to learn more from a truly veteran compliance professional.
7/19/2022 | 13 minutes, 29 seconds

Kara Hilburger on Healthcare Privacy Enforcement Trends [Podcast]

Post by Adam Turteltaub

Privacy is always a hot topic in healthcare, but even so, some areas are hotter than others. In this podcast Kara L. Hilburger, Privacy Compliance & Digital Accessibility Team Leader and Managing Director of the Octillo law firm, shares insights into the areas the enforcement community is currently focused on. It’s not just the federal government that’s of concern these days, she points out. State attorneys general are becoming more active in this arena. Under the HITECH Act they can bring actions of their own for HIPAA violations, which has resulted in substantial financial penalties. The pandemic has also led to changes in the enforcement landscape. With the rules for telemedicine changed and more data collected on patients, several states have increased their enforcement activity. For compliance and legal teams that means taking the time to understand both the federal and state perspective. Data governance is, at the same time, growing more difficult. On the one hand, ever-increasing cyber risks argue for locking down as much information as possible. At the same time, though, OCR is calling for greater data portability and transparency. So what should organizations do? In this podcast she suggests:
- Making the effort to stay on top of the legal and regulatory changes.
- Ensuring that there is a strong data governance structure in place.
- Having a clear delineation of roles and responsibilities: Figure out who is doing what and hire the right people.
- Keeping your policies and procedures up to date.
- Planning on annual policy reviews that reflect the realities of both in-office and at-home workers.
- Identifying proper resources.
- Providing regular data privacy and security training and documenting it.
- Having consequences in place for violations.
- Knowing your vendors and what they are doing to safeguard your data.

Listen in to learn more about what’s especially hot in healthcare privacy compliance.
7/14/2022 | 13 minutes, 31 seconds

Andrew Mast on the US Department of Justice’s Antitrust Initiatives [Podcast]

Post by Adam Turteltaub

To get a better understanding of the state of antitrust enforcement we sat down with Andrew Mast, Counsel to the Assistant Attorney General for Antitrust at the US Department of Justice. In this podcast he shares key priorities of the Antitrust Division. First up is a discussion of the Supply Chain Initiative, which is a partnership between the DOJ and FBI. Supply chain disruptions have caused prices to increase, as we have all seen, and the Initiative is tasked with determining whether the disruptions have been used as a cover for collusive conduct. As he notes, past disruptions, ranging from the Great Recession to a spike in the price of tuna, have led to collusive behavior. To help protect consumers and businesses dependent on their supply chains, the Initiative is taking a proactive approach, working closely with the governments of the United Kingdom, Canada, Australia and New Zealand, sharing intelligence and working cooperatively. The DOJ is also reaching out to the business community, providing education about antitrust laws, encouraging the development of compliance programs, and sharing details about the Antitrust Division’s leniency program. Under it, the first conspirator in a price-fixing conspiracy can avoid criminal prosecution. But, he warns, companies must report promptly after discovering collusive behavior to enjoy the full benefits. To help businesses understand the program fully, a new FAQ is now available. Another priority for the Department of Justice is labor market collusion. Their goal is to ensure workers gain the benefits of competition. In the Department’s view, no-poach and similar agreements lead to lower wages, reduced mobility and less ability for workers to negotiate wages. Several firms have already been indicted. Finally, he discusses the Procurement Collusion Strike Force, founded in the wake of increased government spending such as the $1.2 billion infrastructure bill. The goals of the Task Force are to deter antitrust activity and to facilitate more effective prevention, investigation and prosecution. Over 20,000 individuals have been trained as a part of this initiative, and it covers both US procurement domestically and internationally. Listen in to learn more about what the DOJ is doing, and what compliance teams should be thinking about.
7/12/2022 | 18 minutes, 36 seconds

Chris Audet on Compliance Burdens [Podcast]

Post by Adam Turteltaub

Compliance programs continue to evolve, seeking new and better ways to prevent and detect violations of law. It was in that spirit, reports Chris Audet, Senior Director, Research at Gartner, that they began examining ways to improve program effectiveness. At the time the survey began, many of their clients were dealing with peak Covid challenges, which included limits on training and the creation of new policies. Enhancing controls emerged as a potential alternative means of preventing problems. Of particular interest were embedded controls because they can both mitigate risk and reduce the burden on the workforce. Rather than training everyone on an issue or employees having to search for information, the control could flag a potential issue and help both the compliance team and the individual employee act appropriately. For example, travel and entertainment management software could automatically flag an issue and ask the proper questions. As Gartner studied the issue they discovered that compliance burdens tended to fall disproportionately on department and management levels not identified as high risk: research and development, engineering teams, strategy, planning and others. Because these groups were least attended to, individuals working in them needed to work the hardest to understand their compliance obligations. Senior and Executive Vice Presidents also tended to be overly burdened because they are often trained less than others on compliance issues. As a result, they frequently struggle to determine what to do in a given situation. To reduce the compliance burden the Gartner report recommends three things:
- Help employees remember better by putting controls closer to decision making.
- Reduce the number of judgement calls.
- Help employees execute.

Listen in to learn more about easing the compliance burden.
7/7/2022 | 12 minutes, 22 seconds

Susan Freccia on Small Compliance Programs [Podcast]

Posted by Adam Turteltaub

Being a compliance department of one can be a lonely job, but not for Susan Freccia, Director of Compliance at Oregon State University. Working in a small compliance department doesn’t feel like a challenge. For one, she is not fully alone. There are compliance partners – professionals who have at least some compliance responsibilities – across the campus. More importantly, rather than focusing on her lack of a compliance team of her own, she works at creating collaborative relationships far and wide. That includes the compliance partners, staff, HR, legal and audit. For others in solo situations she advises not falling into the temptation of thinking, “If only I had X or Y the compliance program could be better.” Instead, she recommends focusing on how to work effectively and continue to improve processes. She has also found success comes from the ability to help others get “unstuck” in their efforts. She frequently meets with various individuals and teams to help figure out what the challenge is and to find a solution. She also may serve as a bridge between departments who may share responsibility in an area, helping them to collaborate more effectively. Susan also advises against seeking perfection. It’s unattainable. Incidents will always occur. She notes that even the Sentencing Guidelines reflect that reality with several elements addressing how a program responds to the inevitable problems. In sum, to make a small program work, take a collaborative, problem-solving approach. It will be more effective and help people see compliance not as the cause of problems but as the solution to them.
7/5/2022 | 14 minutes, 4 seconds

Carrie Penman on the Latest Helpline Trends [Podcast]

Posted by Adam Turteltaub

The NAVEX 2022 Risk & Compliance Hotline & Incident Management Benchmark Report provides a fascinating look into what’s going on in compliance in general and how employees are using helplines specifically. The 2021 report had illuminating insight into the impact of the pandemic. To learn what is in the data from the latest report, we again sat down with Carrie Penman, Chief Risk & Compliance Officer from NAVEX. This year’s report, which covers data from 2021, revealed four key trends, she reports:
- Whistleblowers are more emboldened. They are more likely to use their names, rather than remaining anonymous, when making a report. Viewed against the SEC’s reported near doubling of leads to the Office of the Whistleblower, it’s clear that workers are more willing than ever to come forward. What is unclear is why the change. It may be due to employees feeling that it would be easy to find another job if they were retaliated against.
- Reports of retaliation have increased. The question here is whether retaliation has increased or employees are more willing to report it. One theory is that employees are much more attuned to issues of workplace civility.
- COVID continues to have an impact. While the number of calls to helplines has increased, they are still below pre-COVID levels.
- ESG related reporting is notably low. This may be due to employees not fully understanding ESG, or believing that those issues don’t need to be brought to compliance or the helpline. In both cases, more training may help affect the numbers.

Finally, looking to the future, Carrie anticipates the possible recession leading to turmoil. Fear levels rise when layoffs occur, and people see fewer opportunities to find new work. Managers may place excessive pressure on employees to make the numbers, despite the economy. All of these factors could lead to a great deal of work for compliance teams, and a very different report for 2023.
6/30/2022 | 13 minutes, 7 seconds

Rupert Evill on Good and Bad Decision Making [Podcast]

Posted by Adam Turteltaub

Good and bad decisions are at the heart of compliance efforts. So much of our work is dedicated to helping people make better informed choices. In this podcast, Rupert Evill, Founding Director of EthicsInsight, shares practical advice for making good decisions. He begins, though, by outlining several factors that lead to bad decision making. Pressure is, not surprisingly, a very large factor, whether it is time-based or financial. Ethical hazing wrongly gives people permission to do something that they shouldn’t. Faulty assumptions are another persistent challenge. Still another factor is failure to plan. Not taking the time to foresee issues can leave individuals suddenly confronted with circumstances where it is already too late to do the right thing. So how do we encourage and make good decisions? He lays out four steps:
- Consider possible outcomes. Take the time to assess what might happen and encourage diverse opinions. One handy trick he recommends is asking people to write down ideas rather than sharing them publicly. That can lead to more diverse thinking.
- Consider the likelihood of each outcome. When doing so, he recommends using a numerical scale rather than words like “it’s possible.” That phrase can mean very different things to different people.
- Rank the preferred outcomes and their likelihood. Look for assumptions in decision making and test them to see if they are true.
- Consider carefully your strategy for achieving your goals. Consider what can be done now to favorably affect the outcome. Think through what the options are, don’t show your cards too soon and remember that there is usually more than one option.

Listen in to learn more. It could be the best decision you make today.
6/28/2022 | 11 minutes, 39 seconds

Oleksandr Pomoshnikov on Russia Sanctions [Podcast]

Post by Adam Turteltaub

Ever-increasing sanctions of Russian individuals and entities are looking to be a long-term challenge for compliance teams. That’s not surprising since they are a part of a war of attrition, according to Oleksandr Pomoshnikov, Head of International Business Development for Ukraine-based YouControl, which offers RuAssets, a tool for tracking Russian and Belarusian assets. In this podcast he underscores the importance of adopting a three lines of defense model and paying close attention to the origins of funds. Russian companies have been actively changing beneficial owners to persons in neighboring jurisdictions and opening business units there as well. This can lead to very complicated and hard-to-trace business structures, he explains, not just because there may be multiple holding companies. Many of the jurisdictions in the region have closed systems, making it difficult to determine ownership and identify politically exposed persons. Listen in to learn more. But do listen carefully. Oleksandr was in Poland with a challenging internet connection while recording.
6/23/2022 | 14 minutes, 7 seconds

Donna Schneider on Having Better Conversations [Podcast]

Post by Adam Turteltaub

When we talk about communications in the world of compliance, we tend to focus on training and other forms of mass information sharing. Not as often discussed, but just as important, are the individual one-to-one conversations between the compliance team, leadership, management, and frontline personnel. Getting these interactions right is essential to the success of a compliance and ethics program. Donna Schneider (LinkedIn), Vice President, Corporate Compliance and Internal Audit, Lifespan, has been running a series of six columns in Compliance Today magazine focused on communication done well. In this podcast she touches on a few of the key topics that she addresses. Her first piece of advice: stick to the facts. It's very important to be factual because if you do not rely on facts there is a tendency to tell yourself a story. By analogy she points out that when someone cuts you off driving we tend to come up with reasons why the person did it, even though all we know is that they cut us off. Likewise in a crucial conversation it's good to focus on what you know definitively: the things you saw, heard or read yourself. She also shares how to handle one of the ongoing challenges when it comes to compliance: setting expectations for leadership. Often, management is eager to come to a quick resolution and put the issue behind them. That is not always the best course since a thorough investigation takes time. For that reason, she advocates consistent communication, establishing a collaborative rapport and setting reasonable expectations. Periodic updates are also exceedingly important. Before a difficult conversation she advises thinking through what outcome you want for yourself, others or the organization. Consider, too, the relationship between you and the person you are speaking to. Don't focus on the specific issue you are talking about but on what you want to happen. Are you in a dialogue, do you want to share facts or are you there to learn facts? Think about your intent and then ask yourself: how would I behave to achieve that goal? Think through, too, what verbal and nonverbal communication skills you will need. Think through also how you would respond if the conversation went south. What would you say or do to bring it back to the direction that you want? Listen in to learn more about how to best prepare for difficult conversations, including the power of “do” and “don't do” statements.
6/14/2022 | 11 minutes, 34 seconds

Beverlin Hammett on the First Questions to Ask [Podcast]

Posted by Adam Turteltaub

You just started leading a compliance program. Whether you are new to the company or new to compliance, you probably have a lot of questions to ask as you get started, but where do you begin? In this podcast, Beverlin Hammett (LinkedIn), Compliance Regulatory Risk Officer at Habersham Medical Center, offers an intriguing answer. She met with leadership around the organization and asked them three questions:
- How long have you been with the hospital?
- What are your main issues?
- What do you think I am here to do?

The first question helped her understand how much experience the person had both within the organization and in their role. This helped her gain an understanding of how much expertise the person had as well as the issues, challenges and triumphs that they had experienced. Asking what main issues they saw was a more subtle question than it appears. It provided insights into their perspective on the institution and its challenges and helped her understand their focus. The final question, “What do you think I am here to do?” helped illuminate attitudes towards compliance and begin laying the foundation for the idea that compliance is here to help solve problems. The exercise helped her both get off on the right foot with operations and better understand the challenges and opportunities. It also helped illuminate several issues within the organization that she was able to successfully address immediately. Listen in to learn more about her intriguing approach and the benefits it could have for other organizations.
6/9/2022 | 10 minutes, 37 seconds

Jeb White on Encouraging Internal Whistleblowers [Podcast]

By Adam Turteltaub

When it comes to encouraging internal whistleblowers, there are two main barriers to coming forward, reports Jeb White, CEO, Taxpayers Against Fraud. First is the belief that their concerns won’t be heard. Put another way: why bother. The second is the fear that by sticking their necks out they risk getting their heads chopped off. Their careers could be ended. Even for those who do come forward, there is always the challenge of keeping their trust so that they do not then go outside the organization to the press or regulators. To solve these challenges he recommends embracing communication and transparency. To the extent that you can, keep whistleblowers in the loop. Let them know that the investigation is proceeding. Embrace the lesson from food delivery apps that let you know that your pizza is in the oven. Let the whistleblower know that the investigation is ongoing and active. And, to the extent you can, let them know what the final disposition was. If the organization does not find wrongdoing, he recommends sharing with the employee the broader context as to why what he or she saw was legal and proper. Perhaps explain the laws involved. That will help them both understand the organization’s decision and stay engaged. If the organization does find wrongdoing, Jeb is a strong advocate for sharing the lesson internally. It will help demonstrate that the organization takes wrongdoing seriously. It also helps mitigate the risk of a dysfunctional culture, in which the words in the code of ethics are nothing more than words, employees are afraid to speak up, and lines of communication are shut down. Listen in to learn more about how you can improve your own internal whistleblowing efforts.
6/7/2022 | 10 minutes, 55 seconds

Jeff Kluge on the UK GDPR Children’s Code [Podcast]

Post by Adam Turteltaub

The European General Data Protection Regulation (GDPR) already provides considerable requirements for compliance programs. With Brexit comes a new GDPR for the United Kingdom. Adding to the complexity, the UK GDPR also contains a Children’s Code, explains Jeff Kluge (LinkedIn), Founder & CEO of Holistic Ethics. The UK has long led in protecting the data of children, and the new code follows the UN Convention on the Rights of the Child. For companies doing business solely within the United States it is not likely to be an issue, but for those operating globally he advises being aware of and in compliance with the Children’s Code’s requirements. There are standards and rules in place for connected games and toys, for using artificial intelligence (AI) and processing children's data. So, what should compliance teams do? First, they need to understand the algorithm used in the AI their organization employs, ideally while it is still being developed. Second, there should be a children's data oversight committee in place. Third, the company should be asking whether they should have an ethics committee overseeing their AI-based systems. Also, the compliance team needs to recognize that AI initiatives are often created without their knowledge. It's important to get a handle on what's going on and help people understand the importance of closely monitoring artificial intelligence, particularly those systems that are autonomous. He reports that the compliance team can be particularly helpful in identifying what data is being collected and what is the right data to be using. The team particularly needs to be monitoring what decisions are being made by the AI. Listen in to learn more about the UK GDPR Children’s Code and what compliance teams need to do to protect both children and their own organizations.
6/2/2022 | 11 minutes, 5 seconds

Krista Wolff on Memes, Printers and Compliance [Podcast]

Post by Adam Turteltaub

San Diego-based Qualcomm was having a tough 2018. The company was going through a whole host of highly destabilizing activity including an attempted hostile takeover. Needless to say, it was a challenging time for the company and the corporate culture. The compliance team very much wanted to be a part of the solution, Krista Wolff, Senior Manager, Corporate Compliance Communications, tells us. Their goal was to amplify the positive and strengthen the organization's culture, despite all the challenges it faced. To help, in the Spring of that year they launched the Lead the Way employee ethics recognition program. In the Fall they launched the newly revised code of conduct and their first Compliance and Ethics Awareness Week. Through the years since they have rolled out a number of activities to involve employees and communicate important messages. One of their more fun ideas was a “spot the issues” exercise. They staged desks, photographed them, and asked employees to spot items on the desk that could be indicative of something problematic. When the pandemic struck and people began working from home, they continued this program although now featuring desks in a home setting. One of their more interesting efforts was focused on protecting confidential corporate information. As a technology company IP is very important to Qualcomm and the compliance team wanted to stress to people the importance of protecting data. They worked with the IT department to identify printers around the globe at Qualcomm offices. They then sent to the printers in these offices a document marked confidential company information with a message about the importance of protecting IP and asking the employee who found it to email compliance letting them know where they found that document and when. It was a great way to demonstrate that people sometimes send things to printers that they shouldn't and leave them there far too long. This activity had an interesting response rate that illuminated cultural differences. They found that people in Asia rarely emailed in. From Europe, by contrast, the response rates were very high, and in the US employees tended to leave the document on the printer for others to find as well. To make other parts of the program relevant globally they worked with their ethics liaisons and in-country compliance teams around the world to plan local events. The response has been very positive, and the level of innovation has been equally high. Listen in to learn more about how Qualcomm’s Compliance and Ethics Awareness Week both helped to meet their compliance goals and strengthen the overall corporate culture.
5/31/2022, 15 minutes, 31 seconds

Jay Anstine on Demystifying the Helpline [Podcast]

Posted by Adam Turteltaub Compliance teams spend a great deal of time and effort encouraging employees to contact the helpline.  But, points out Jay Anstine, Compliance Program Director, Western Division, Banner Health, we tend to make less of an effort to train them in what happens after they make that call. That’s a mistake, he argues in this podcast, since employees who see perceived wrongdoing tend to feel anxious and vulnerable.  They are stressed because they are uncertain what is going to happen, if anything. By helping them understand the post-call process, we can eliminate this blind spot, he argues, greatly reduce the stress level, and increase the likelihood that they will come forward.  That means providing training that brings greater clarity to the process during on-boarding and annually thereafter.  It also means taking the time to understand the questions the workforce may have about what happens from start to finish. Also, he advises, include in the training information about what to expect when reporting face to face, either to their supervisor, or somewhere else, including the compliance team. Finally, Jay provides insight into how to make the reporter feel comfortable when bringing the information to compliance, and what you can do to protect his or her anonymity. Listen in to learn more about how demystifying the helpline could help yours ring more often.
5/26/2022, 10 minutes, 26 seconds

Jay Ernst on Tying Corporate Compliance & Ethics Week to Your Values [Podcast]

Posted by Adam Turteltaub Procter & Gamble (P&G) is one of the best-known companies in the world, boasting top brands such as Tide, Crest and Charmin. The company is also well recognized for its highly strategic marketing and its integrity. In fact, its reputation for principled behavior is what attracts and helps retain top talent at the organization, reports Jay Ernst (LinkedIn), Director – Ethics & Compliance Office, P&G, in this podcast. How strong is the organization’s commitment to ethical behavior?  In annual surveys the company's purpose, values and principles are cited most frequently by employees as something that they do not want to change. For its annual Corporate Compliance & Ethics Week celebration, which they have dubbed the “Do The Right Thing Celebration”, the compliance team ties the program and compliance training into one of three commitments – respect, integrity and stewardship -- that are part of their refreshed code of conduct. In 2021 the theme was “Leading with Respect”. Activities included marquee events featuring external or high-profile internal speakers. They also had videos highlighting challenges people may face, risk areas and how to deal with them. To make the program relevant to its employees around the world, they enlisted the help of the employee relations group, which helped them identify individuals to lead the local activation of the program. The same people each year now lead the activities in their region. While the local activation follows the common theme, there is opportunity to customize the program to increase the relevance to their communities. Each year there are even global recognition awards for activations that demonstrate creative activity and engagement. The company also has a peer recognition program known as the Power of You, which recognizes excellence across a range of areas, including ethics. Employees can nominate their peers who have gone above and beyond in their work. 
It has proven to be an excellent opportunity to recognize ethical actions on a peer-to-peer basis. Listen in to learn more about P&G’s experience and how you may be able to apply it to your own organization.
5/24/2022, 15 minutes, 5 seconds

Mary Shirley on Encouraging Employee Feedback [Podcast]

Posted by Adam Turteltaub Getting employees to come forward and provide feedback on the corporate compliance and ethics program is often a challenge. Many are hesitant to talk to compliance at all. Still others may fear that their conversation may lead to more scrutiny by the compliance team. Mary Shirley, Head of Culture of Integrity and Compliance Education at Fresenius Medical Care and co-host of the Great Women in Compliance podcast, found an interesting way to change the dynamic. She made feedback an integral part of the organization's annual Corporate Compliance & Ethics Week celebration. The compliance team there recognized that during the week-long celebration people are eager to participate. That means there is a golden opportunity to collect data from them that can provide insights that might not otherwise be captured. This includes both informal conversations and using things like quizzes to determine how much information from earlier training has been retained. Also, games can help. In one fun exercise they had a ring toss in which, to get a ring, the individual had to correctly answer a question related to compliance. The program has yielded remarkable insights. For example, one part of the compliance team was concerned that it was sending too much email. When they used this opportunity to ask employees what they felt, they were surprised to discover that it was actually a preferred means of communication. Listening has one other benefit: it enables the compliance team to demonstrate that it is responsive to employee workplace concerns. Listen in to learn more about how you can turn Corporate Compliance & Ethics Week into a learning experience both for employees and for the compliance team.
5/19/2022, 13 minutes, 1 second

Michele Landis on Digital Accessibility [Podcast]

Post by Adam Turteltaub While we have all grown accustomed to seeing access ramps and automated doors in the physical world, it is easy to forget that the Americans with Disabilities Act (ADA) requires digital accessibility as well. In this podcast, Michele Landis, co-founder of Accessible360, explains that the challenges start with organizations not even realizing that the ADA sets numerous requirements that organizations must comply with. The challenge posed by this knowledge gap has been both exposed and increased by the pandemic, which has accelerated the need for online resources that are available to all. How do you bank, order groceries, and work from home if the websites you need are not accessible to individuals with physical challenges? For organizations looking to catch up with the digital requirements of the ADA, she recommends starting by taking an inventory of your consumer-facing websites and mobile apps. Those are the ones most likely to be subject to litigation. Next, get a live user assessment by individuals trained in this area and from people who are living with disabilities. She advises being cautious around companies promising to provide a quick fix with a simple overlay. Another pitfall, she warns, is underestimating the time it takes to implement suitable changes to your websites and apps that need them. When faced with a demand letter for changes within 21 days, you should engage your legal team to respond in an appropriate way. Finally, she advises that, as with the physical world, it is better to build in accessibility from the start rather than adding it later. That means keeping it front and center when designing and evolving your organization's digital assets.
5/17/2022, 11 minutes, 53 seconds

Adam Balfour on Corporate Compliance & Ethics Week at Bridgestone Americas [Podcast]

Posted by Adam Turteltaub There are a lot of things you can do to make your organization’s celebration of Corporate Compliance & Ethics Week a success. But sometimes, less is more. Adam Balfour, vice president and general counsel for corporate compliance and Latin America, Bridgestone Americas, explains in this podcast that they realized that it would be better to evolve their celebration from a lot of different activities to just a few and to make them bigger. So what are they doing? For the last few years they have bestowed a series of Leading With Integrity awards. These go to managers who have been nominated by employees for their exemplary leadership when it comes to compliance and ethics issues. All 50,000 of the organization's employees can nominate any leader, manager or supervisor that they think deserves the prize. The nominations are evaluated by a cross-functional panel, which is good for bringing in and engaging other leaders in the organization. Then five or six winners are selected each year, and they are announced during a leadership panel with about 1100 employees on the call. For the winners the greatest impact comes from the recognition and knowing that the CEO knows your name and for a very positive reason. This program has also helped the compliance team gain exposure to people they didn't realize were embodying the organization's commitment to compliance. Another event that they do, or more accurately two events, are leadership panels wherein employees are invited to join in and listen as leaders discuss compliance and ethics issues. It sets a clear tone at the top for the organization and illustrates ethical decision making. Each year, for a little bit of fun, the compliance team puts together an event using ethics issues found in popular TV shows and movies. This helps teach compliance in a more relatable way and leverages good adult learning theory. Finally, the compliance organization offers a Compliance Battle Royale every year.
It's a big production with a bracket of 16 teams competing against each other over a period of four days. There is daily elimination, and it gets very competitive. Got any good ideas of your own to share? If so, add them to the comments below. And be sure to listen to this podcast.
5/12/2022, 14 minutes, 19 seconds

Julie Sheppard on the Importance and Value of HCCA Membership [Podcast]

Posted by Adam Turteltaub If you have ever considered joining the Health Care Compliance Association (HCCA) but haven’t, this podcast will give you cause to reconsider. Julie Sheppard, Founder and President of First Healthcare Compliance joined the association a decade ago when she was looking for a reliable source of information on healthcare compliance issues.  She wanted an unbiased, trusted source of information that would keep her updated on the challenges of managing compliance. Through the years she has taken advantage of a wide range of HCCA programs, from an Academy to web conferences to reading the magazine Compliance Today. She also obtained her Certified in Healthcare Compliance (CHC) designation, which she sees as a means to differentiate herself and demonstrate her expertise. Listen in to learn more about her journey with HCCA and how she sees healthcare compliance evolving over the next few years.
5/10/2022, 7 minutes, 40 seconds

Steven Melinosky on Conflicts of Interest in Healthcare and Elsewhere [Podcast]

Posted by Adam Turteltaub Conflicts of interest are a particularly challenging issue in healthcare. Medical professionals may moonlight at a rival hospital, have an interest in a medical device or real estate a hospital is thinking of acquiring, and, of course, have family members who might work at a key vendor. Steven Melinosky, Regional Director Compliance/Investigations and Policy at Trinity Health of New England, explains in this podcast that managing conflicts of interest is possible, with the right policies and procedures in place. That begins with recognizing that one policy is likely not enough. The conflicts faced by leadership and the board are likely quite different than those faced by rank-and-file employees. Conflicts for senior leaders and board members likely should be reviewed by the board chair. Those for employees can typically be handled by the compliance team working with frontline managers. Underlying these efforts must be a culture of compliance from the top down and bottom up. The danger of conflicts of interest must be taught from day one, along with encouragement to report and a clear explanation of the disclosure process. Supervisors need to be trained to identify conflicts, and periodic reminders need to be scheduled. One tool that can help make conflict of interest management simpler is something he created and calls a “Conflict of Interest Dictionary.” It is a spreadsheet designed to help respond to common conflicts. It contains several columns: what the conflict is; what else needs to be known about it, such as if the individual affected has purchasing authority, is in management and at what level; why this issue poses a conflict; and standardized action plans that lay out expectations for behavior. Having this dictionary helps to ensure consistency in the process and greatly expedites actions since a starting point (and potentially an ending post) is already in place.
Along with this dictionary it’s important to take the time to assess the risk – both likelihood and potential impact – of a conflict and to ensure that the plans put in place are sufficient to mitigate the risk. He also recommends providing both the affected employee and his or her manager with a written plan which includes the background, the risks and expectations. Listen in to learn more about how to better manage conflicts of interest and whether a Conflict of Interest Dictionary is right for your program.
5/5/2022, 12 minutes, 3 seconds

Peggy Tighe and Mark Ogunsusi on 340B Drug Pricing Programs [Podcast]

Posted by Adam Turteltaub The 340B program was set up to help providers of care to Medicaid patients stretch federal dollars. Hospitals and clinics are able to buy covered, outpatient drugs at a discounted price from manufacturers. As usual, though, what sounds like a simple program poses compliance risks for manufacturers and front-line providers, explain Peggy Tighe (LinkedIn) and Mark Ogunsusi (LinkedIn) of the law firm Powers Pyles Sutter & Verville PC. Providers can either pass the discounted price along to patients or dispense the drugs and get reimbursement from a private or federal payer at regular rates, using the difference to support their services. While the 340B program is designed to be flexible, there are several strings attached. Providers need to ensure that the drugs prescribed go to the patient. In addition, the individual has to meet specific guidance as to what constitutes a patient. Simply writing a prescription is not enough. A set of criteria must be met, and those rules are strict enough that an entire category of software providers has emerged to manage this issue. Other risks for providers to consider include virtual inventories and overpurchasing 340B drugs. For drug manufacturers, it’s essential to ensure that price data is accurate, and that prices do not exceed the ceiling price. A mistake could lead to civil monetary penalties and even termination from the program. Duplicate discounts are also prohibited and pose another risk. Listen in to learn more about how to avoid the many compliance challenges of 340B drug pricing programs.
5/3/2022, 14 minutes, 15 seconds

Tiffany Turner Lynch on Corporate Compliance & Ethics Week [Podcast]

Posted by: Adam Turteltaub There are lots of ways to make your organization’s Corporate Compliance & Ethics Week a success. For Tiffany Turner Lynch (LinkedIn) and her colleagues at Winston-Salem State University that meant timing it to the launch of their compliance training initiative. They saw the joint effort as an excellent opportunity to demonstrate that supporting a culture of compliance and ethics is the responsibility of everyone and is something that the university values highly. Before beginning the training, she and the chief counsel met with internal audit to discuss policies that are audited the most. They also discussed issues that most frequently led to calls to audit and legal. In addition, they identified issues that are central to compliance in higher education, such as the Family Educational Rights and Privacy Act (FERPA). Throughout the week they reinforced elements of the training. They also developed a five-part podcast series, each one featuring a different “no” department: Internal Audit, Equal Employment Opportunity, Title IX, the police, legal and compliance. The podcasts served to lift the veil on what happens when an investigation is conducted. They demonstrated not just the process, but also that these departments exist to protect the university and its staff. To add some fun to the celebration they conducted a virtual scavenger hunt. Everyone who was able to answer all the questions was entered into a drawing to win one of two $100 cash gifts. As Tiffany reports in this podcast, the results were outstanding. It helped people understand more about the compliance office, built rapport, raised the comfort level with reporting and engagement with the policy portal. Listen in both to learn more and get some inspiration for your own Corporate Compliance & Ethics Week efforts.
4/28/2022, 11 minutes, 46 seconds

Jeff Hahn on Delivering Bad News and Crisis Communications [Podcast]

Posted by: Adam Turteltaub Nobody likes delivering bad news, but if you’re in compliance and ethics, you’re going to have to do it sooner or later. When that time comes, it’s essential you do so in the best way possible. In this podcast, Jeff Hahn (LinkedIn), author and the owner and principal of Hahn Marketing & Communications, reveals that one secret for sharing bad news is to provide the right context. Give management the salient facts and avoid burdening them with every detail. Second, he advises following what he has dubbed “The Goldilocks Rule”. Present options that are not hot enough, not cold enough, and just right. In practice this means ranging from doing nothing to doing something extreme. Generally, the “just right” option prevails and enables leadership to feel bought in to the path forward. Once the goals are set and the organization’s response moves into the implementation stage, it’s time to bring in the line managers. That conversation, he relates, needs to be focused on implementation, and the conversation switches from creative to directive. What about the wider workforce? It’s important to remember that they are brand ambassadors. Inform them to the best of your abilities. Be authentic, and remember that they can check up on you from the inside. When it comes to external communications, the compliance team can be invaluable in creating stakeholder talking points, including a timeline of what happened when. Finally, the conversation explores what not to do in a crisis. There are three things to avoid: make an absolute and outright denial, unless the claim is obviously false and ridiculous; attack the accusers; and scapegoat, especially those who are tangential to the core issue. Listen in to learn more about how to break bad news and be an integral, appreciated part of a crisis response.
4/26/2022, 12 minutes, 33 seconds

Blaise Wabo on the Healthcare Cyberthreat Landscape [Podcast]

Posted by: Adam Turteltaub The war in Ukraine and the pandemic have both dramatically changed the cyberthreat landscape for healthcare entities. There are many more employees working from home, as well as patients communicating with their physicians remotely. At the same time, governments have warned of potential cyberattacks by Russia. Even without these threats, ransomware provides its own challenges. As Blaise Wabo, Healthcare and Financial Services Leader for A-Lign, explains in this podcast, it’s a fast-growing threat. Deloitte research indicates that ransomware attacks increased by 1755% in 2021. So how should healthcare entities respond? Start by focusing on your people, he advises. They tend to be the weakest link in the security chain. Some common challenges: a lack of encryption of their home Wi-Fi; routers still with the default password; connecting from Starbucks, the airport or hotel without using a VPN; and falling for a phishing attack. To manage the risk, he recommends starting with a risk assessment that includes third-party suppliers and your supply chain. Determine the vulnerabilities and rank the risks. Then begin implementing controls. Encrypt PHI, even in transit. Conduct phishing training for your staff. Hire a third party to do a penetration test and identify gaps in your security. In addition to preventing problems, steps like these can help when one occurs, given the provisions of the HIPAA Safe Harbor Act. Listen in for more advice and learn how to navigate an increasingly challenging cyber landscape.
4/21/20220

Sheila Limmroth on Hybrid Workforces [Podcast]

Posted by: Adam Turteltaub Hybrid work is likely here to stay, and, as Sheila Limmroth, privacy specialist at DCH Health System, and the author of the chapter Hybrid Work Environment in the Complete Healthcare Compliance Manual, observes in this podcast, it’s up to compliance teams to manage the risks, many of which, even at this stage of the current era, aren’t always recognized. For example, we’re all familiar with the need to secure electronic PHI, but if your employees have printers at home, are they permitted to print out any data? If so, do they have shredders or some other way to destroy the document? Are employees even trained to destroy it? One other consideration: is Alexa listening in on what they are saying? These are but two examples that point to the need to think through all the implications of having a hybrid workforce, even after two years of remote working. So, what should compliance teams be doing? Education is essential so that employees understand that certain behaviors are risky: Talking on your cell about a patient while sitting in Starbucks is not a good idea. Phishing remains a substantial risk in the home office as it is in the workplace. The router needs to be secured with a password other than the default one that comes out of the box. At the same time there’s a need to also recognize the new challenges inside the facility. When it comes to telehealth, not all videoconferencing software is created equal. The platform must be HIPAA compliant. Even for video conference calls it’s probably a good idea to issue PINs to the attendees. The bottom line is it’s time to revisit your organization’s risks and policies to determine what works and what doesn’t as more employees return to the office while many remain at home. Listen in to learn more, and be sure to check out the Complete Healthcare Compliance Manual.
4/19/2022, 15 minutes, 45 seconds

Isabella Porter on Privacy and Healthcare Business Associates [Podcast]

Post by: Adam Turteltaub Isabella Porter is the director of compliance and privacy officer of District Medical Group and author of the chapter “Patient Privacy and Security: Business Associates” in the Complete Healthcare Compliance Manual. In this podcast she shares the key considerations that covered entities – physicians, hospitals, health plans and others who fall under the requirements of HIPAA – must keep in mind when working with their various business associates (BA) with whom they share personal health information (PHI). When considering a potential new business associate she recommends ensuring that the vendor understands that it meets the definition of a business associate. Quite often they do and already have on hand a business associate agreement. It’s preferable to ask them to default to your own agreements, but if they do not – for practical reasons business associates with a large number of customers cannot accommodate each customer’s agreement – see if they are willing to amend their own, if necessary. When assessing a BA, also take the time to determine if they are using subcontractors. If they do, they should be referenced in the BA agreement. Also, ask the vendor what kind of checks they are doing on their vendors and their own ongoing monitoring efforts. One important thing to also check: where the data is housed. If the servers are outside of the US, there may be other laws to consider such as the European General Data Protection Regulation (GDPR). Listen in to learn about the requirements of ensuring the safety of your BA agreements, including ten elements that need to be included in each one.
4/14/2022, 15 minutes, 35 seconds