Compliance Perspectives

By Adam Turteltaub Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissues is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that his falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency t

By Adam Turteltaub When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA shares the free resources the association provides and how to take advantage of them. First stop are HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even documents. To see all that’s there, first login on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The g

By Adam Turteltaub When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explains Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise ranging from OSHA to employee obligations – you still have to pay

By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned.  They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification: Select a framework for the certification criteria that the organization will grade itself against. Conduct a scenario-based compliance risk assessment. Assess and design key control activities. Create a sub-certification wa

By Adam Turteltaub So, you’ve got a global compliance program. But, what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere, otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitalities. What’s reasonable in one region may not be in the oth

By Adam Turteltaub Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate. Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year. Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle. The results have been highly positive. She reports that there is a much better under

By Adam Turteltaub Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations of healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi. Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers. As a result, the risk profile is very different. It is there, though, with several key ones to manage. The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking. The second common risk area is conflicts of interest, wh

By Adam Turteltaub Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, points out, Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, they need to balance that with a need to see and encourage others to take the right risks. A compliance officer who can do that earns credibility with business leaders. So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making. Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision

By Adam Turteltaub One of the more well-attended sessions at the SCCE 22nd Annual Compliance & Ethics Institute, promises to be “ESG and DEI: How to Position for Stakeholder Success”. The session will be lead by Adrian Taylor, Director of Diversity, Premier Health; Ahmed Salim, Chief Compliance Officer, iRhythym; and Nakis Urfi, Product Compliance Officer, Babylon Health. ESG and DEI are two of the hottest issues in compliance, and in this podcast preview of their session they start by taking on a controversial topic: Should DEI and ESG be combined? Traditionally, DEI has been its own discipline. Many now argue it should considered a part of the S (Social) in ESG, while others feel that doing so would diminish the emphasis on DEI. Ideally, DEI should not be affected by being included in ESG, they say. If handled correctly, it can maintain its focus and management commitment and even strengthen ESG efforts. When the two are aligned they create a more sustainable business model that balances people, profit a

By Adam Turteltaub Crystal Jezierski, Senior Managing Director, Guidepost Solutions thinks that at this point we have enough guidance documents and frameworks for compliance programs. That’s not a criticism but a compliment. She finds the existing prescriptions to be helpful, instructive and reflective of the evolving understanding of best practices for effective compliance programs. They are also flexible enough for new and emerging risks. What’s needed now, she believes, are more opportunities to benchmark, share, apply and test how programs are implemented. As with compliance programs as a whole, that begins with understanding how to assess risk and how others are doing so. If done correctly, of course, a risk assessment can  orient resources to both current and future issues as well as change how the company is doing business. When managing a new issue, she recommends involving a combination of the standard partners – HR, internal audit, finance and technology – as well as additional partners who bri

By Adam Turteltaub Email isn’t enough anymore, if it ever really was. Employees are communicating with each other, clients and prospects via texts, WhatsApp, Teams, Slack and many, many more tools. Much attention has been paid to the US Department of Justice’s call for organizations to be able to produce all that communication, which is not an easy task. Eric Baim, partner at Dovetail Consulting Group, explains that focusing on producing the communications is important, but it is isn’t enough. Compliance teams need  to train employees to use these technology appropriately. That education process begins with compliance developing an understanding of what these applications were designed to do;  facilitate quick, back and forth interactions, brainstorm, and ask a question less formally than one would via email. The problem is that often these interactions lack context because they are continuations of other conversations. As a result, an outsider seeing them can draw very incorrect conclusions about what was

By Adam Turteltaub In a perfect world, whenever employees face a difficult decision or outright compliance issue, the right policy would automatically pop up in front of them. While that is not likely to happen soon, Jannica Houben, Vice President, Global Legal Transformation and Travis Waugh, Director, Training, both at TD SYNNEX can envision a word in which Outlook could spot issues as they are typed, flag them for the employee and give guidance and pointers to where to call for help. Until then, there are still many things compliance teams can do using off the shelf software to automate compliance processes. It’s a topic they explore in the podcast and in greater depth in their Session “Interactive Policies: Using Technology to Enhance Decision-Making” at the 2023 SCCE Compliance & Ethics Institute. So how do you create this automated future? They recommend beginning by thinking not about what tool you want, but what benefits you want the tool to deliver. Think about the value you want to provide and wh

By Adam Turteltaub With the consent requirements built into privacy regimes, you can’t help but focus on them. Bill Piwonka, Chief Marketing Officer at Exterro, cautions, though, that there is much more than consent to worry about. Consent is very specific around whether people you are interacting with giving you permission to have and use their data for specific purposes. Much focus is given to the pop-up warnings on websites and cookies. Compliance teams, he advises, need to look at all the places where the organization collects data and uses data, including apps, to ensure proper consent is obtained. One other area not to be overlooked: Data subject access requests. It can be an enormous undertaking when a consumer demands to know what information you have on her or him. Even more daunting are similar requests by departing employees. Think of the hundreds of thousands if not millions, of documents that contain data from an employee, everything from HR records to emails to conversation on Teams. So gr

By Adam Turteltaub The proliferation of computer-based due diligence tools, combined with the travel restrictions of the pandemic led to a shift away from in-person due diligence efforts. Technology-based approaches increased dramatically, and, according to Jen Hoar (LinkedIn), Managing Director of Forward Risk, relying solely on them can be a mistake. Talking to human sources, she argues in this podcast, helps augment and provides nuance to open-source public records. Talking to people who have worked with the third party can flesh out what it is like to do business with them and if there are any concerns. Sources to interview can include prior investors, customers, industry experts, and even trade journalists. When conducting the interviews with these individuals, she advocates for an open-ended, conversational approach. Rather than trying to get through a list of questions, give them the opportunity to talk about whatever is important to them and pursue the conversation wherever it leads. Be sure, thou

By Adam Turteltaub For organizations working to avoid corruption it can be a lonely fight. While a sales or compliance team may know that there are many others out there who would not pay a bribe, when facing a corrupt demand, they tend to be on their own. The maritime industry, though, has taken a major step to change the dynamic. In this extended, in-depth podcast, Cecilia Muller Torbrand, Chief Executive Officer at Maritime Anti-Corruption Network (MACN), explains how they pursued a collective action approach that now includes about 200 companies. The maritime industry is very exposed to corruption risk. A given ship can touch many jurisdictions over a short period of time. Captains are often very far from their headquarters and encounter multiple government touch points when approaching a port. The corruption they face varies dramatically, but it is frequently manifested with requests for facilitation payments: some token of appreciation. The challenge is a legal one since facilitation payments are pr

By Adam Turteltaub More and more organizations seem to be adopting compliance ambassadors or champions programs. In a nutshell, these efforts involve having members of the business unit serve as the eyes and ears, and sometimes arms and legs, of the compliance office. Guillem Casoliva Cabana (LinkedIn), Compliance Manager, Training & Education, at Booking.com shares his insights on the topic in this podcast. The company’s ambassadors program began over 10 years ago. Recruiting and training ambassadors is a critical part of the process at Booking.com. They are not nominated by their managers. Instead, all are individuals who volunteered to take on the role. At times, it can even be competitive. If more than one person in a given unit volunteers, there is a vote taken in the unit to make the selection. The onboarding process includes seven distinct steps, including a live session with the compliance and ethics team that goes deep into the scenarios that they may face. Experienced ambassadors serve as mentor

By Adam Turteltaub While many would say that you couldn’t pay them enough to take a job in compliance, managers often feel as if compliance officers are being paid too much. So how do you get what you deserve? In this podcast, and at the 2023 SCCE Compliance & Ethics Institute, Amii Barnard-Bahn, Partner, Kaplan & Walker and Melanie Sponholz, Chief Compliance Officer, Waud Capital Partners, take on this touchy subject. Before asking for more money, they advise doing your homework. Take the time to talk to peers and recruiters to see what the market rate is. Also, know your employer’s compensation system. Do they tend to pay at the top, bottom or middle of the range. You can also check the SCCE or HCCA compensation survey and sites like Glassdoor and Indeed. When you do meet with your manager or leadership, go in knowing that this is a difficult conversation for them as well as for you. Do your best to keep things professional. Focus on why the increase in compensation is beneficial for them and not just f

By Adam Turteltaub When an employee announces a departure to another job, there is a temptation to think that it was for more money. That’s probably a mistake, says Mike Lifshotz (LinkedIn), founder and CEO of Hatch Compliance. The new position may pay better, but employees are more likely to depart due to issues such as work/life balance, room for advancement, greater challenges, lack of appreciation and what they perceive to be a bad culture. To get them to stay, he advises, first and foremost demonstrate respect. That should begin with the hiring process, during which you should both lay out your expectations for the candidate and what they should expect from you. The organization’s values are particularly important in this regard. They are integral to setting expectations and need to be communicated from the onboarding process and on an ongoing basis. Be sure to keep the communication process going in general. Employees cannot be expected to trust their managers if the managers don’t take the time to

By Adam Turteltaub Regina Gurvich, Chief Compliance & Risk Officer for Omni Opthalmic Management Consultants knows from first-hand experience that it’s not always easy for compliance officers to stay motivated. There is often a strong headwind, and sometimes a brick wall. To stay motivated she advises focusing on getting your voice heard, staying true to yourself and finding enjoyment in what you to do a daily basis. For her, that begins with clinging to her idealism and the belief that few people wake up in the morning looking to do the wrong thing. Focus, she advises, on the fact that for many people the right thing just isn’t clear enough.  Think about ways to educate them and look to do so on a continuous basis. Encourage them not to just know what the law is but understand what it means and how to operationalize it. Also, grab onto your natural curiosity. Take the time to learn as much as you can about the business and how people go about doing their jobs. Understand where the money comes from and wh

By Adam Turteltaub ChatGPT is, like the movie title, seemingly everywhere, all the time, and all at once. Individuals and corporations have rushed to embrace it, sometimes with great results, other times, not so much. For better or worse, ChatGPT and other AI-driven solutions are here to stay, and with it comes a host of new risks to manage. In this podcast, Lauren Kornutick, Director Analyst, Legal and Compliance at Gartner shares the findings of recent research the firm conducted on ChatGPT. They found several risks for compliance teams to focus on: Fabricated and inaccurate answers. As with the case of the lawyer linked to above, ChatGPT sometimes make things up because it was trained on inaccurate material of it was unable to understand the context of the question. IP Risks. Employees may not understand that once data is put into an open source tool it becomes part of the public domain. That means more training on how to protect IP in the new AI era. Often the data set used to train the AI relie