Compliance Perspectives

By Adam Turteltaub Corruption is a well-known risk in Latin America, but how great the risk is on a country-by-country basis is less well understood. To fill in those blanks and many more, the law firm Miller & Chevalier just released its 2024 Latin America Corruption Survey. The firm has been fielding this survey every four years since 2008, reports Matt Ellis, Latin America Practice Lead. It provides comprehensive, country-by-country data as well as, more granular information on the risks of dealing with various governmental entities. This year’s report, he shares on the podcast, had interesting news for the compliance community. It found that, although corruption remains a pervasive problem, corporate compliance programs, more so than enforcement, are perceived as being the key driver for change. The survey also revealed significant nuances in the anticorruption risk picture: Chile, Uruguay and Costa Rica are generally perceived as the lowest risk countries Venezuela, Bolivia, Honduras and Argenti

By Adam Turteltaub How do you tell someone something that they don’t want to hear in a way that they will listen? How do you overcome your own desire to avoid the conversation? To better understand why people hesitate to have difficult talks and how to communicate more effectively, especially when the conversation is going to be a tough one, we spoke with Jason Rosoff, CEO of Radical Candor (podcasts). People hesitate to speak candidly, he explains, for a number of reasons. For one, they may fear that the conversation will harm their relationship with the other person. They may also be nervous about facing a negative reaction, or even retaliation, for speaking out. To help challenging conversations go better, he advocates for radical candor, which he explains means challenging directly but also caring personally at the same time. Be clear about the problem, he advises, and what the potential negative consequences are. At the same time, though, show you care personally. That includes giving the other perso

By Adam Turteltaub ISO 27001 is the leading standard for information security management systems. As Mel Blackmore, CEO of UK-based Blackmores explains, it is a framework that applies and is of value regardless of an organization’s size, sector or country. Organizations seek ISO 27001 certification to ensure that their IT security reflects best practices. It also brings to organizations a systematic approach to work in this area. In addition, potential business partners will have greater confidence that your organization has robust data defenses. Most organizations have a head start when it comes to becoming ISO 27001 certified. Many existing IT security practices are likely to be consistent standards. To get the rest of the way to certification, she outlines several steps including: Determine where your organization is already compliant Conduct a gap analysis Performing a risk assessment Creating policies and procedures Listen in to learn more about meeting this important ISO standard and what i

By Adam Turteltaub What do we do with ESG? Is it a part of compliance? Something different? How do we handle it? Renee Murphy, Distinguished Evangelist at Diligent argues in this podcast that while there are compliance aspects to ESG, it is best to quickly make it a part of operations and under the general risk management structure. Of the three elements of ESG, it is the environmental sustainability side, she believes, that will be the most challenging. With new requirements for organizations to report on their fossil footprint, companies are being forced to march into unexplored territory. As a result, they will need to evolve their process, which, she believes, will become easier as management comes to understand the balance sheet implications. Listen in to learn more about what is happening with ESG, and what compliance teams need to know.

By Adam Turteltaub Healthcare enforcement is never quiet. There’s always something, or many things, going on, and compliance teams need to stay on top of the trends to ensure that their programs are staying ahead of the risks. To find out where things are today, we spoke with Ronald Chapman II, author of the book Unraveling Federal Investigations, defense attorney with Chapman Law Group and president of Chapman Consulting Group. In this podcast he identifies several areas of intense enforcement activity: Drug testing labs are under scrutiny, particularly around the number of panels and reflex testing Telemedicine continues to be a hot area as well Venture capital firms are entering healthcare and/or deepening their investment, often with complex payment arrangements and without sufficient antikickback review Aggressive telemarking in the durable medical equipment space persists Credentialing issues, especially for smaller entities, are resulting in non-payments and fraud allegations On the crim

By Adam Turteltaub Creating the right corporate culture is an idea that’s sacrosanct in the field of compliance and ethics. The folks at Gartner, though, are challenging that belief. In this podcast Chris Audet, Vice President and Chief of Research for General Counsels and Chief Compliance Officers, tells us that their newly released report finds that focusing on key quality measures in the compliance program may be more important. The firm reached the conclusion after surveying over 1000 employees about the situations that lead to employee noncompliance. To quote from the press release, “In the survey, 87% of respondents said they faced situations where they didn’t know how to comply in the last 12 months, followed by 77% of respondents who experienced situations of rationalization and 40% experiencing situations of malice.” Improved quality standards – the design and accessibility of policies, training and so forth – had much more of an effect on reducing uncertainty than culture did. As he notes, when

By Adam Turteltaub There’s no General Data Protection Regulation (GDPR) in the US. Absent a comprehensive, national privacy law, states have stepped in to fill the gap. As Adam Greene (LinkedIn), Partner at Davis Wright Tremaine explains in this podcast, that’s creating some complications. The California Consumer Privacy Act (CCPA) already differs from subsequent laws in several states which use language reminiscent of the GDPR. And while there are many similarities, some differences are substantial. For example, some state laws are targeted at businesses, not non-profits. That’s an important distinction for healthcare with so many non-profit institutions. Perhaps the greatest challenge for organizations is figuring out which standard to follow, if any. Do they take a state-by-state approach, or one national approach based on the toughest state laws? Whatever the choice, it’s important to determine what data you have since there may be limits on collection and a requirement to share that data with consumer

By Adam Turteltaub For as much as there is talk about the force of the US Foreign Corrupt Practices Act (FCPA), the impact of the OECD’s anticorruption efforts deserves a great deal of credit. By encouraging laws against foreign bribery, anticorruption compliance efforts, and grading the work of the countries who are parties to their Antibribery Convention, the OECD continue to raise the bar. In Australia, the OECD’s push for more resources for small and medium enterprises (SMEs) seeking to avoid corruption led to the creation of the Bribery Prevention Network, explains Dan Wilcock (contact), Head of Sustainability Governance for the UN Global Compact Network Australia and Manager of the Bribery Prevention Network. This public-private partnership was born out of the work of more than thirty organizations working collaboratively. The end product is a robust online hub filled with practical resources on topics such as anticorruption programs and conducting risk assessments. The Network also facilitates shari

By Adam Turteltaub Best known as The FCPA Professor, Mike Koehler argues that that many people have it all wrong when it comes to enforcement of the Foreign Corrupt Practices Act (FCPA). Citing historical data he argues that there is not, contrary to popular opinion, a slow down in enforcement of the FCPA. The pace of roughly 12-13 resolutions per year has continued. In fact, the three resolutions in the first quarter of 2024, he notes, puts it on track to continue the trend. How do compliance teams get management attention to FCPA enforcement? He recommends against just focusing on the likely price of the settlement. Instead, outline all the costs. Those start with the multiple years before the resolution when the costs of legal, accounting and other fees may be as much as twice the resolution. Then, point to the eighteen months or so after the settlement when the organization will be under ongoing scrutiny, likely at a substantial cost. All of this, of course, is in addition to the diminished productivi

By Adam Turteltaub Jessica Zeff (LinkedIn) loves government audits. I know, it’s hard to believe, given the dread they inspire. But, the founder and lead consultant of Simply Compliance makes a very good case in this podcast that audits can be much better than people expect and actually helpful for the compliance program. How is this possible?  She argues strongly that, given the inevitability of an eventual audit, compliance teams should prepare for them on an ongoing basis rather than just when the audit notification arrives in the mail. By assessing what data an auditor might need, what gaps they may find, and what concerns they may have, compliance teams can complement their risk assessment process and have a better handle on where they should be focusing their efforts. As importantly, having this information handy can be helpful during the audit. Not only does it reduce last minute rushing to prepare, it enables the team to tell auditors their story in a way that shows the organization is doing the ri

By Adam Turteltaub Integrity is like peace, love and brotherhood.  We’re all for it, but when it comes to practicing it, that’s when the challenges start. Paul Fiorelli hopes to change that. The Director, Cintas Institute for Business Ethics at Xavier University has just written a new book: Establishing Workplace Integrity. In it, Paul addresses six lessons in values-based leadership. To benefit from some of his long-established and well-recognized expertise we asked him to join us for this podcast. He discusses the importance, of values-based leadership. He also cites six factors that lead people into unethical or non-compliant behavior: Pressure to perform Going down a slippery slope Rationalization Groupthink Altruism (violating the law to help the company) Greed One or several of them are at play when wrongdoing occurs. So what makes for success and helps to prevent wrongdoing? He makes an argument for SMART goals: specific, measurable, attainable, relevant and time-based. Listen in to

By Adam Turteltaub What makes for an effective compliance program, not just from a legal perspective but from a practical one? Getting that answer, and sharing it is the focus of the LRN 2024 Ethics & Compliance Program Effectiveness Report To learn what it contains we sat down with Meredith Hunt (LinkedIn), Ethics and Compliance Specialist at LRN. In this podcast she shared that more effective programs are focused on values rather than rules, and underscore the importance of ethical culture. They are also taking a risk-based approach. Their research also revealed the importance of adapting to the current business environment. With employees working remotely has come a change in how they gather information. The code of conduct, policies and procedures have to be accessible wherever workers are. Within the compliance program’s internal operations, effective programs, they report, are focusing more on data and metrics, looking for the data that show where the program is and isn’t working, and enabling conti

By Adam Turteltaub The 340B Drug Pricing Program was created to protect safety net hospitals from rising drug prices. It allows them to purchase outpatient drugs, and pharma companies to sell those drugs, at a discount. In this podcast, Jason Reddish (LinkedIn), Principal and Mark Ogunsusi (LinkedIn), Associate, at Powers Pyles Sutter & Verville provide an overview of the program and the compliance requirements. They are also two of the authors of the chapter “Pharmacy:  340B Drug Pricing Program” in the Complete Healthcare Compliance Manual. The 340B program helps hospitals that are the last line of defense for underserved communities, including those with a large percentage of Medicaid patients. Often, they are the only hospital around in rural areas. Also helped by the program are federal grantees such as Ryan White clinics and those providing treatment for STDs. The program dictates which entities can buy discounted drugs and have very specific requirements including two very important ones. First, th

By Adam Turteltaub Currently on hold due to pending court challenges, the SEC’s rules to standardize climate-related disclosures created a fire storm of controversy and comments when first proposed. The final rules (assuming the courts sides with the SEC), explains Laura Ann Smith and Judy Mayo of the communications firm Labrador (LinkedIn), reflected strong industry pushback, easing the burden on some 4000 filers. Nonetheless, there are serious demands on industry. To quote from the SEC press release, registrants will be required to disclose: Climate-related risks that have had or are reasonably likely to have a material impact on the registrant’s business strategy, results of operations, or financial condition; The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook; If, as part of its strategy, a registrant has undertaken activities to mitigate or adapt to a material climate-related risk, a quantitative and qualit

By Adam Turteltaub It used to be that tracking email usage was considered tough. These days the workforce is also communicating via text, WeChat, Slack and countless other channels both internally and externally. That can be a total nightmare since prosecutors want access to all those conversations. What makes things harder is that employees may be resistant, feeling that the communications they have on their phone, especially in organizations with a Bring Your Own Device (BYOD) policy, is private. The employee owns the phone, not the company. Eddie Green (LinkedIn), CEO of SnippetSentry advises companies get their heads around this problem. Digital compliance is broadening out from the investment community to pharma and elsewhere. To manage the issue, some companies are now scrapping BYOD policies and making it clear that all work communications need to go on work-owned devices. They are also looking for solutions which enable employees to communicate in familiar ways, but with the tracking that logs all

By Adam Turteltaub In January 2024 the US Attorney’s Office for the Southern District of New York (SDNY) set a shockwave through the business world by announcing a new whistleblower pilot program. To understand what the policy says and what it likely means for compliance programs, we spoke with Todd Haugh (LinkedIn), Associate Professor of Business Law and Ethics, Arthur M. Weimer Faculty Fellow in Business Law at the Kelley School of Business at Indiana University. Under the policy, he explains, individuals who have participated in a fraud may be eligible for a non-prosecution agreement, if the individual meets three key criteria: They provide information that is not previously known to prosecutors and is produced voluntarily, not subsequent, say, to an arrest. The information is full, substantial and truthful. The individual is not otherwise disqualified, such as serving as a government official or the CEO or CFO of the company. Given the incentives already in place for companies to self-report wr

By Adam Turteltaub In late 2023, The Office of Inspector General (OIG) at the Department of Health and Human Services issued its new General Compliance Program Guidance. In this podcast, David Schumacher, Partner and Co-Chair of the Fraud & Abuse Practice at Hooper Lundy & Bookman explains that this document is both evolutionary and revolutionary. For years the OIG’s office had been offering guidance through the Federal Register. To make that information more accessible it moved it online, consolidated the information, added interactive features and created a much richer resource which makes it both easier for compliance teams to understand the OIG’s expectations and more difficult for some to claim that they were unaware of the rules. The changes, though, are more than just the media used to communicate OIG expectations. The document demonstrates both the ongoing expectations by OIG for robust compliance programs and communicates changes in focus. For one, it reveals an enhanced emphasis on quality issues

By Adam Turteltaub Tired of being last to the party and then perceived as a party pooper? There’s a solution to that problem embraced by Dana McMahon, Global Chief Compliance Officer, Head, Privacy & Enterprise Risk at Stryker. She works to have her team embedded in the business unit. It’s a process that begins with getting a seat at the table and being intentional about conversations. From there the relationship evolves into being a consultant on sticky issues and then on to being integrated into decision making and proving yourselves indispensable. The key to the process, she explains, is to show up with a problem-solving mindset. Throughout, the compliance team has to be aware of the needs of the business and its challenges. To solidify compliance’s place takes three things: Adopt a problem-solving approach Tailor your efforts to the most pressing issues Timing: anticipate what the business needs to move forward Listen in to learn more and gain other tips for fully embedding compliance into th

By Adam Turteltaub At the center of managing cyber risk in healthcare sits the Health Sector Coordinating Council Cybersecurity Working Group (LinkedIn). In this podcast, Executive Director Greg Garcia explains that healthcare has been designated as a part of the critical infrastructure, and the council has as its mission to: “identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities.” It’s a needed mission. The number of data breaches have soared, and ransomware has emerged as a top threat, crippling the ability of healthcare providers to care for patients. The Council recently released its Health Industry Cybersecurity – Strategic Plan. A five-year plan, it identifies trends, goals and objectives for securing healthcare technology infrastructure. One key goal, in the words of the plan, recognizes that, “A trusted healthcare delivery ecosyste

By Adam Turteltaub The FCPA sure isn’t what it used to be, or is it? While the headline grabbing Foreign Corrupt Practices Act cases are much less frequent than they once were, there is still substantial risk both for individuals and companies, as recent dispositions have shown. To understand where things are we sat down with Markus Funk, partner at Perkins Coie and author of the chapter “Anti-Bribery and Corruption Compliance Programs” in The Complete Compliance and Ethics Manual 2024. He explains that just because there aren’t cases in the news, doesn’t mean all is quiet. There may remain a steady stream of companies self-reporting violations and reaching less-formal agreements with the DOJ. Whatever the trend may be, third parties remain the greatest risk, and the prescription stays the same. You need to know who the third party is and hire them for the right reason: their expertise and track record for success in the right way. Hiring a government official’s cousin to help get the deal remains a very