Compliance Beat

The DOJ doesn’t want you to just have any risk assessment process, but have a process that is tailored to your company.

Compliance and corporate culture aren’t in a box that you take off a shelf. Growing an ethical culture is hard work. Corporate culture and compliance are integral to everyday operation. United’s challenge show us that corporate culture greatly affect what happens when frontline employees witness misconduct and fail to report it. These failures affect how an organization conducts its business.

Delta had to cancel 3,000 flights when extreme weather shut down Atlanta’s airport. It was a difficult situation and a much bigger disruption to operations than the incident United faced. But there was a night and day between how the airlines addressed the problem as Eric witnessed firsthand when he was stuck at Atlanta’s airport because his Delta flight was cancelled. Each Delta employee he encountered had an attitude that recognized the extent of passengers’ inconvenience and also tried to make their experience better.

When looking at two operational failures and the airlines’ reactions, you can the impact of a strong ethical culture and the apparent lack of one. Delta’s culture was flexible to take on operational failure. How would United employees handle the cancellation of 3,000 flight?

How do you approach a culture like Delta’s? There’s no easy answer when you are considering how to fix an unhealthy corporate culture. Clearly, one part of fixing corporate culture is the message from the top of the organization. The tone from the top must be strong about values and the fact that you can come forward and speak up when others act unethically or illegally. These two examples are important examples for your business units because they show the real consequences of corporate culture on organizations’ bottom lines.

Special Interview with Laura Cordova, Former Assistant Chief, Department of Justice, Criminal Division and Partner, Crowell & Moring, LLP

Before joining Crowell & Moring, Laura prosecuted healthcare fraud in the Fraud Section of the Department of Justice. In this interview, Eric and Laura discuss what the Department of Justice looks for in an effective corporate compliance program and how the government makes charging decisions. Eric and Laura talk about the impact of the Department of Justice’s new guidance, the Evaluation of Corporate Compliance Programs, the Department of Justice’s position on remediation, and how the Yates Memorandum has affected prosecutors’ decisions to charge individuals involved in corporate misconduct.

Hot Topics in Compliance & Ethics in Europe Part II

Eric Morehead — Wed, 12 Apr 2017 14:38:14 -0500

As Eric returns from the Society for Corporate Compliance & Ethics European Ethics & Compliance Institute in Prague, he shares the hot topics of discussion at the conference. He discusses his three main takeaways from the conference.

First, there is strong interest in corporate culture in Europe. Focus on ethical culture and compliance can vary between countries and cultures. In the past, many have held the belief that emphasis on compliance programs is not as strong in Europe as it is the US. But that’s not a fair assumption. There is a strong recognition that healthy corporate culture is essential to an effective compliance program.

Second, Eric found that European compliance professional recognized strongly the impact of collecting data and using that data to inform the development of their compliance programs. He saw a very strong commitment to benchmarking programs and a strong focus on gathering data internally for measuring performance of compliance programs.

Third, there was discussion and reaction to political changes in US and in Europe. There was particular concern about President Trump’s statements during the campaign about rolling back regulations and how this may impact perception of the need for strong compliance programs.

Hot Topics in Compliance & Ethics in Europe

Eric Morehead — Mon, 03 Apr 2017 15:31:08 -0500

Just a few years ago, Europe was considered behind the United States in compliance and ethics. That is not the case today. Eric looks at three hot topics in compliance and ethics in Europe as he prepares to leave for the Society of Corporate Compliance and Ethics European Compliance & Ethics Institute in Prague this week.

In some areas, European compliance and ethics standards are exceeding the United States’ standards. In recent years, regulators in Spain, France, and other countries have consistently recognized the importance of compliance and ethics programs. In the context of anti-corruption, the United Kingdom’s Anti-Bribery Act, the Brazilian Clean Companies Act, and other efforts to curb corruption, Europe has leapfrogged the Foreign Corrupt Practices Act, which used to be the primary legal mechanism internationally for fighting corruption. For instance, the UK Anti-Bribery Act is clearly a newer law than the FCPA and expands coverage. This leads to the questions: Will Europe become the new leader in defining what makes an effective compliance and ethics program?

There are a number of similarities between what is happening in Europe and the United States. Compliance professionals all over the world are focusing on corporate culture, measuring employees through surveys, and addressing issues like retaliation and observed misconduct. The notion that Europe is behind in compliance and ethics is not accurate anymore. We are now on the same page.

As much as we see similarities, there continue to be significant differences, particularly in data security. European Union’s General Data Protection Regulation (GDPR) will go into effect in spring of 2018. This year is the last year to come into compliance with the GDRP. Organizations need to look carefully and determine whether they have any exposure under the GDRP because there are no safe harbor provisions.

Risk Assessment and the Evaluation of Corporate Compliance Programs & Three Questions with Matt Kelly

Eric Morehead — Wed, 29 Mar 2017 13:00:14 -0500

When we are talking about risk assessment and the Evaluation of Corporate Compliance Programs, there are three areas to really focus on. First, the Evaluation considers how organizations create and use their methodology for risk assessment. Second, this new guidance focuses on how the data you gather informs the choices you make in your compliance and ethics program. Third, the Evaluation introduces the notion of manifested risk.

The Evaluation asks specifically: what methodology has the company used to identify, analyze and address the particular risks it face?

It’s similar to the teacher who asks you to show your work. Here, you must show how you developed your methodology and why. You must also consider the risk assessment’s recommendation and explain why you choose, or don’t choose, to implement the recommendations. Eric walks you through this process and explains how you can meet these standards.

This new guidance also suggests that the DOJ wants to know how you gather your information to analyze. What metrics, information and data are you collecting to help detect misconduct? How has it informed the compliance program? Many organizations gather data in a number of ways—through hotline reports, direct reports to management, and other human resources data. The Evaluation is a clarion call for organizations to aggregate data and show how the information you collect affects your program.

The Evaluation raises the idea of manifested risk, which is a new concept to many people. Manifested risk is risk that is likely to occur in your organization. For instance, if you know that the risk of bribery is high and there have been reports of bribery in the past, then bribery is a manifested risk for your organization. Many organizations spend time and money addressing risks that they are not likely to face. You want to look at your organization’s history and its operation to determine what your real risks are and then address those risks. You cannot be willfully blind.

When considering risk assessment, you must always consider the frequency of your assessments. There’s no hard and fast rule, but you should complete a risk assessment periodically.

Three Questions with Matt Kelly, Editor & CEO at Radical Compliance

Matt Kelly started his career in compliance and ethics as the managing editor of Compliance Week magazine. He spent over ten years of his career at Compliance Week, achieving the position of Editor and Publisher. Before working at Compliance Week, Matt was a freelance newspaper writer. After leaving Compliance Week, Matt founded his own company, Radical Compliance. Radical Compliance provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as Matt’s personal blog. Matt writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand the those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.

The Board of Directors’ Relationship with Your Compliance Officer & the Evaluation of Corporate Compliance Programs & Three Questions with Jean-Marc Levy

Eric Morehead — Wed, 22 Mar 2017 18:47:03 -0500

What does the Department of Justice Fraud Section’s new Evaluation of Corporate Compliance Programs say about your compliance officer’s relationship with your Board of Directors? There are three salient points that you can take away from the Evaluation of Corporate Compliance Programs with regard to the Board of Directors. Some of these points aren’t necessarily new concepts, but they certainly give us more guidance in terms of what the Department of Justice is looking for when considering this relationship. In this episode, Eric takes a deep dive into the Evaluation of Corporate Compliance and how it relates to your Board of Directors.

The Evaluation of Corporate Compliance Programs asks: What compliance expertise has been available on the Board of Directors? What does this mean? Does the DOJ care about the personal experience of you Board members with regard to compliance? Compliance expertise is not only about what individual Board members bring to the table, but also the type of expertise that Board members develop as they sit on your Board of Directors. Compliance expertise can be developed through training. This is a very good reason to think about how you are training your Board of Directors and what type of expertise that you are helping them develop. Eric talks about training your Board of Directors to ensure that they have the type of compliance expertise that this new guidance contemplates.

We already know from the Federal Sentencing Guidelines that the person in charge of the day-to-day operation of your compliance and ethics program should have regular access to your Board of Directors. The Evaluation of Corporate Compliance Programs reinforces this idea of regular contact between the Board of Directors and you compliance officer. It’s important to note that this new guidance asks about private meetings between your Board and your compliance officer. Eric discusses what this means and how you might accomplish private meetings effectively.

An interesting new point that the Evaluation of Corporate Compliance raises is your compliance officer’s access to external auditors. In this guidance, the Department of Justice talks about your compliance officer’s access to the Board of Directors and/or external auditors. This is surprising and different than previous guidance.

The Evaluation of Corporate Compliance Programs also asks about the information that your Board of Directors has examined. What kind of information gets to your Board of Directors in quarterly reports? You need to consider what you are providing and why so that you have justifiable reasons for the type of information that you give the Board quarterly. There are good reasons not to do a data dump, but you must think about what information gets to the Board of Directors. You may want to think about making reports to the Board of Directors outside of the quarterly meeting.

The relationship between your Board of Directors and your compliance function is a key relationship. This relationship is as important as your organization’s ethical culture. Without a strong relationship between your compliance officer and your Board of Directors, you will be facing trouble down the road.

Three Questions with Jean-Marc Levy, Chief Executive Officer of ComplySci

Jean-Marc came to the field of compliance as the former Vice President of the New York Stock Exchange and the Head of Global Issuer Services. He has extensive experience in the financial services industry. Jean-Marc has a track record of building fast-growing information and services businesses. He was Chief Financial and Business Development Officer with TheMarkets.com, a financial technology firm he helped grow to a user base of more than 2,400 institutional investment management firms worldwide. He is formerly a member of the Board of Directors of ACE Portal. Jean-Marc and Eric have an interesting conversation about compliance and ethics, including why Jean-Marc thinks compliance is sexy.

The Checklist That’s Not A Checklist Part 3: What does the new guidance from the DOJ Fraud Section mean?

Eric Morehead — Wed, 15 Mar 2017 13:00:47 -0500

The Department of Justice Fraud Division released the Evaluation of Corporate Compliance Programs in middle of February without any announcement or fanfare. Is it a checklist? It looks like a checklist, but the DOJ says it’s not a checklist or formula. Some of the information in the Evaluation you’ve heard before, but the “checklist” expands on it. If it’s not a checklist, what does it all mean? How can it help you? Eric examines each of the Sample Topics and Questions that the DOJ puts forth in this new guidance.

In this first of what has turned into a three part series, Eric discusses in depth five of the Sample Topics and Questions covered in the Evaluation. In this edition, Eric talks about:

Remedying Misconduct
Involvement of Senior and Middle Management in the Program Compliance Autonomy and Resources
Policies and Procedures
Risk Assessment

This week, in part two of this special edition, Eric delves into:

Training and Communication
Confidential Reporting and Investigations

In part three, Eric will cover:

Incentives and Disciplinary Measures
Continuous Improvement, Periodic Testing and Review
Third Party Management
Mergers and Acquisitions

If you have a question you want answered on the podcast be sure to reach out below.

>> Welcome to Compliance Beat, the podcast for compliance and ethics professionals. We provide practical insights and answer your questions about compliance and ethics. Together we'll stay up to date on current treads so that your program stays effective. Brought to you by Moorhead Compliance Consulting. Here's your host Eric Moorhead.

Hi and welcome to the third part of a three part special edition of the podcast where we're talking about the evaluation of corporate compliance programs document that came out of the fraud section at the US Department of Justice just a few weeks ago. We've been talking, walking through the different parts of the document and I'm gonna continue on today and finish finally gonna finish today talking about the last few sections.

If you haven't already subscribed to Compliance Beat please do that on our website or on iTunes. Please give us a review, if you have the time to do so, we sure appreciate it. And also check us out at moreheadconsulting.com. We have some other additional resources there that you might wanna check out.

The next part, incentives and disciplinary measures, looks into an area that I think, as also kind of commonly, I wouldn't say overlooked, but less well developed. The first section, which talks about accountability and discipline, and how a company resolves and responds to misconduct. It relates to the things we were just talking about.

Were managers held accountable, is a question. Did the company's response and consider disciplinary actions for supervisors? So they're really looking at what the company did to discipline in a systematic way for the failure or misconduct. And they're focusing, really, really focusing on data and risk evaluation here because they ask, what is the company's record?

E.g. Number and type of disciplinary actions on employed disciple relating to the types of conduct and issue. So what's the history here? What are the trends? So you need to be able to show when there's been a failure or something of this kind. And that, or an investigation that has led to disciplinary action.

How does that relate? What's the history behind that? Are there trends around that particular type of misconduct? Did you catch that and how did you react to that? And how did the systems Both on the front and the back and change based on that. And your gonna wanna be able to show the disciplinary results.

Going back earlier to the transparency issue that we talked about being able to communicate about this. So, you need to be able to show consistency, show that you have a disciplinary. System that is consistent. You need to be able to communicate about it and you need to be able to show the data.

The second bullet under this section is what's titled Human Resource Process, and it's one simple question. Who participated in making disciplinary decisions for this type of misconduct at issue? So again, going back to the first point, what's the system? What do you have in place. How consistent is it.

How is it communicating? Not just results but how is disciplinary process communicating. In your code of conduct or external. You don't describe what the investigation in disciplinary processes for compliance. Then you're not missing a great opportunity, but also you're not documenting a process that needs to be documented.

The third bullet I've already mentioned, consistency. How consistent is the application of a disciplinary result across the board. If you have a similar issue or the same issue that keeps coming up. I'll hope parties treated equally as their consistency in the disciplinary action. And interestingly. They also include.

When they're talking about consistency. Are incentives consistently applied across the organization? And that leads to our last bullet, the incentive system. The opening salvo here is how has the company incentivized compliance and ethical behavior, what do you have in place, what is your incentive program and secondly have you considered potential negative compliance implications of incentives?

And they say and rewards, I think what they're contemplating here is I know that some organizations although a minority of organizations particularly around whistle blowers have included a bounty or reward program for people coming forward and making reports or claims. I think most organizations have not gone that way and there are good reasons not to do that and I think I discussed that in the whistle blower.

Podcast. If I don't, I might have a separate podcast in the future. But I think there are good reasons why you wanna avoid those sort of incentives. But you need to have incentives. It's in the sentencing guideline standards and now it's in this guidance. So what program do you have?

Can you explain your program? Is it systematic? And can you show specific examples of actions taken, e.g. Promotions or awards denied as a result of compliance and ethics considerations. Do you consider ethics in promotion? Do you consider ethics in whether a manager gets an incentive? Whether managers goals include combined in ethics Considerations.

We've talked in the past about how that's probably the best, easiest way to start to integrate incentives into your problem, is to have some objective criteria for managers that makes sure that the manager has some skin in the game. The ninth section is continues improvement periodic testing and review.

So this is our monitoring and auditing portion and the first bullet under this section or the first check box, it's not a check box [LAUGH]. Is internal audit, no surprise here. Internal audit I think is been getting more focus over the last few years. And should be, because again, if we're having a risk based program.

If we're using data to drive our programs, then our best friend is internal audit. The questions here are pretty straight forward. What types of audits, what identified issues relevant to the misconduct? And did they occur? What types of audit findings and mediation progress. Has been reported to the management so you've done these audits, the question is, did you implement changes that were suggested and if not, why not?

And did you report it to the board and management of the organization? And what was the follow up? This is really important, what happened after the audit concluded, it perhaps had suggestions. You either took those suggestions, modified the suggestions or did not take those suggestions. What was the follow up there?

And then lastly, how often has internal audit conducted assessments in high-risk areas? Internal audit may not be looking at everything each year, but the audit plan of the internal audit function of your organization particularly if you have a mature internal audit function should be looking at pieces, I would say on at least on an annual basis in their plan.

If not. I think you need to have some reason explanation as to why it's not occurring. The second bullet is control testing. Has the company reviewed and audited its compliance program and areas relating to misconduct, including testing of relative controls, collections and analysis of compliance data, and interviews of employees and third parties.

So are you doing a risk assessment? Are you doing a program assessment on a regular basis? Are you looking at the program, as the sentencing guidelines suggest, on a periodic basis? What is a periodic basis? Well that obviously varies from organization to organization. But are you doing it on a regular basis?

Do you have a planning place as to how frequently you're going to do that sort of compliants review? And if you don't what's your justification for that? The follow up there also is how do you do it, how results reported and the actions the follow up actions on those recommendations track And what testing do you undertake.

I think that's all part and parcel of a periodic review. And this is separate apart from internal audit. I think this is important distinction. I think sometimes these two areas get blurred. But this is a separate thing. This is looking at your process. This is not looking at an individual piece or compliance risk that internal audit might look at.

This is looking at your program, your resources, from. Code of conduct to monitoring and auditing, to training communication. All seven hallmarks of the program. And then the last bullet I think we reinforces whatever we said a couple times here in the last couple of minutes. How often do you do it?

And do you have a plan for doing it? It's called evolving updates. And I ask how often have you done risk assessments? Reviewed policies, procedures and practices. What steps have you taken to determine what are those policies procedures and practices make sense moving forward? So, do you have a plan?

This is the periodic piece, how often are you gonna examine your complaints program review? Do you go to an outside party for example and if you do what's that process? And how do you maintain consistency. This whole thing you need to consider and you need to be able to show document.

The fact that you have a plan in place. There are the last two pieces of guidance to third party. Management, and mergers, and acquisitions. A lot of this comes directly out of the guidance for FCTA that came out a couple of years ago. And on first blush I think some might say, well this is stuff that really pertains to organizations that have.

Will have that risk, having encryption risk. And that doesn't really ask. We're making widgets in misery, also we don;t really have that sort of risk. I don't think that's true, although again the citations, the sources for this information in this document are the FCPA guide. It's important to note that this document, this evaluation of proper compliance programs is not just for anticorruption.

Issues, it's for any compliance issue. And this two issues are important for everyone and it's important because you have third party risk even if you don't have a single anti-corruption risk and that's, in this highly connective world with a lot of sourcing coming from international areas that hard to even imagine but Just let's take it as read that you don't have anti-corruption risk.

You still have third party management and third party compliance risk. And so you need to take this into account. So under third party management, the first Bullet is risk based and integrated processes. What they're asking here is, have you looked into your third party risk? And after you've identified it, how have you integrated processes into things like procurement and vendor management to address as issues.

I would extend it out even broader than that. Although they specifically talk about procurement and vendor management, it can be a lot of other potential third-party risk out there, as well. But the key thing here is, have you evaluated it, determined what kind of third-party risk you have?

And have you integrated it into your processes? And they again, particularly point out procurement and management. And that's again, not just for anti-corruption, but broadly speaking. The second bulletin here, appropriate controls, is really due diligence. They ask some very basic due diligence questions that you would ask, whenever you bring on a third party.

Why are you bringing on a third party? What's the business rationale? And how are you reviewing and including contractual terms that assure compliance with your responsibilities by that third party? The third bullet, management of relationships is going monitoring. So, we do the diligence on the front end when we select these parties and make sure we've got them properly.

But that's not the end. How do you manage those relationships with those third parties and the risk associated with them moving forward? What kind of systems you have in place? How have you trained those responsible for those relationships with third parties to monitor and manage those relationships moving forward?

And they talk about incentives here, how has the company incentivized compliance amongst those third parties? What have you done to encourage the third parties you do business with to To comply with compliance standards. And then lastly, something that is titled very directly, real actions and consequences. What do you do when there is an issue?

When you notice, either in due diligence, or in the ongoing monitoring process that a third has potentially engage a misconduct. How do you handle it? How do you investigate it? How do you resolve an issue once you've determined that it is. Actual misconduct. Do you terminate the relationship?

If not, why not? How do you handle those situations? Another one here that is not specifically mentioned, again that is mentioned has auditing, but if you have audit Right, in your contractual relationship. This is a biggie, that I talk to organizations about a lot. If you have audit rights, and you've never invoked your audit rights with an organization, you need to be prepared to explain why.

The last section, again, I think traditionally when you would look at a list like this and you saw that it came from the FCPA guidance, you'd say well, this is about corruption. And that's mergers and acquisitions and how an organization handles mergers and and acquisition conduct. The first is the due diligence process up front.

How, during the due diligence process, do those responsible for the deal investigate issues of compliance misconduct? What's their process, how deeply do they investigate, or who conducts that review. You need to be able to defend during that process that you were keeping compliance issues, misconduct issues, top of mind in the acquisition process.

How hard do you push? To get information from an acquisition target around these issues. That can sometimes be a very touchy subject and those involved with a deal sometimes don't want to ask those questions and don't want to push. But the downside is that if you can't justify your behavior prior to the merger on the backend you're gonna have a lot of consequences.

The second bullet is, how is compliance integrated into the function? And this really supports the first, I think. If you have a philosophy in your mergers and acquisitions process that compliance has a seat at the table, then you're more Likely to be able to discover those issues up front.

Because presumably the person responsible for compliance would say, hey, this is a black box here and we really need to know more about this before we pull the trigger. So, compliance needs to have a seat at the table. There needs to be some thought about how the organizations are going to merge, not just their business operations but their legal and compliance operations as well.

And they need to be involve in the process. And then the third At last, well it is, how do you follow up? What's the process for connecting the due diligence to implementation? That's the actual phrase. So during the due diligence process, during the acquisition process you discovered either some misconduct or some issues, some controls that were lacking, what's the follow up?

What's the process? What's the plan? How are you gonna move forward? You need to be able to show that you have a plan to do that. So, that's it and I was really a run through. I recognized. These is about twice as long as the first part. I've tried.

I tried to break it in half, but I think I failed. [LAUGH] But I do plan to come back and take some more time to parse this out in the future. But I did want to kinda give some initial thoughts. Again, as I mentioned in the very first part of this, none of this is brand new but it's interesting what they've pulled out, isn't it?

It's very different than what I think many of us would've expect it. It's very data driven. It's very, very data driven. It's very risk. Oriented and that dove tails though with what we've heard from them for the last few years about how they wanna focus on risk. And how they wanna focus on having information.

Backup the choices you make in your compliance program. This is a seat change folks, it's been happening, we've been monitoring it, we've been seeing it over the last few years, but they expect us to continue to evolve and be more data driven. Be more cognizant of risk as we move forward as a profession.

Well thanks for joining us for this third and final special edition of Compliance Bid on the new evaluation of corporate compliance programs guidance or the checklist that's not a checklist. To me as your part to get it done, but I got it done yehey! Again check us out at complienceb.com, subscribe if you haven't already, give us a review on iTunes if you haven't already, and go to more ahead consulting.com for further resources.

We're gonna redesign our web page there and we're gonna be putting more resources app on the page as we move along. Thanks and till next time.

>> Thanks for listen to compliance beat. Check out our website compliancebeat.com this podcast is brought to you

The Checklist That’s Not A Checklist Part 2: What does the new guidance from DOJ Fraud Section mean?

Eric Morehead — Thu, 09 Mar 2017 02:19:55 -0500

In this first of what has turned into a three part series, Eric discusses in depth five of the Sample Topics and Questions covered in the Evaluation. In this edition, Eric talks about:

Remedying Misconduct
Involvement of Senior and Middle Management in the Program Compliance Autonomy and Resources
Policies and Procedures
Risk Assessment

This week, in part two of this special edition, Eric delves into:

Training and Communication
Confidential Reporting and Investigations

In part three, Eric will cover:

Incentives and Disciplinary Measures
Continuous Improvement, Periodic Testing and Review
Third Party Management
Mergers and Acquisitions

If you have a question you want answered on the podcast be sure to reach out below.

Welcome to Compliance Beat, the podcast for compliance and ethics professionals. We provide practical insights and answer your questions about compliance and ethics. Together, we'll stay up to date on current trends so that your program stays effective. Brought to you by Moorhead Compliance Consulting. Here's your host, Eric Moorhead.

Hello and welcome to the second part of what's now going to be a three part special edition of Compliance Beat podcast. We're talking about the checklist that's not a checklist that came from our friends at the fraud division within the division of the Department of Justice. The document known as the Evaluation of Corporate Compliance Programs came out just under a month ago.

And we are walking through the different parts of the guidance that was provided within that document. If you haven't already, please listen to part one, where we talk about the first five. Sections. Also before we go too far, I've been remiss in the past in not saying this on the podcast, but if you haven't already, please, please go to compliancebeat.com or iTunes or wherever you happen to pick us up and subscribe.

We really appreciate it. It means a lot to us and it also helps us Move the podcast forward. And secondly, if you have time, please visit us at moreheadconsulting.com where we have resources related both to this issue and many others for you to take a look at and we recently redesigned our website as well.

So last week, we talked about the introduction and some of the background regarding this new document. And then also walk through the first five sections. Section six of the document talks about training and communication Training in communication obviously is something that's very familiar to everyone who's been building a program based on the guidelines standard for an effective program.

Training and communications are part and parcel of any effective program. I believe in the least of couple of additions before compliance we've talked about training and communication. And also talk about the fact that often times there's a lot of focus upfront on formal training. Not as much typically if you look at the entire spectrum of organizations out there.

Fewer organizations spend as much time on communications as they do on formal training. What's interesting is, right out of the box, the first portion of this section talks about training being risk based. The guidance talks about tailored solutions. It talks about what kind of analysis the company has undertaken to determine who should be train and what they should be train on.

So, this is really important for organizations that in the past have had All hands training, perhaps on what's oftentimes called code of conduct training on an annual basis that's rolled out to everybody regardless of their role, regardless of where they are located in the world and what Particular risks they face.

So this really is talking, not necessarily about training and, although it's not mentioned in here, what you're talking about here is having a training curriculum that is a risk-based curriculum. You're talking about having a training plan. You're talking about having a multitude perhaps depending on your risks of different subjects that are being rolled out to different train in groups and different employees based on where they're located in the world.

What their drop function is and what particular risk they might face based on those criteria's and others. Any good plan for training or communications these days it's going to be re-spaced as any part of a compliance program is going to be re-spaced. The second topic under training and communication, talks about the form content and effectiveness of any training that is Then undertaken by the organization.

So, this is looking at whether the training is reaching its intended audience. So that's going to be language, but that's also going to be how do you train. If it's online training as in Interactive training. Is it training that engages the employee or the person that's being trained?

Is it designed at a level of understanding that's appropriate for the audience? So that's more than just Native language that's complexity. And then the second piece of this puzzle, which is interesting, is how do you gauge the effectiveness of your training? How are you measuring whether the message has been received and the message is leading to differences in conduct?

We've talked about this before in the past. I think a couple of things that spring to mind here is Do you go back and survey or test the employees that have received or sample the employees that received that training at a time different from when they actually received the training?

Doesn't do much good to rely on the quizzes that happen five minutes after they've heard. The information, you would expect that most employees that do pay attention are going to be able to answer those questions effectively in the immediate after math of hearing the answers. So really all those pretext and post text that happen along with online training or other training.

Do as measure whether they are actually paying at that point, not necessarily retention. So what many organizations do and what you can do is do a quick assessment of retention at a different time. Maybe three months, six months, nine months down the road to test To see whether they have retained the information and knowledge you suspect.

The other big thing and important thing that we all must do in all effective programs is audit, have the behaviors that are discussed in the training, the things that you ask them to do or not to do stopped happening or are they happening? So you have to take a sample and audit it and see of for example the training that you're auditing has to do with anti corruption and you have a entertainment registry system.

Has there been an uptake in the number of people that are things into the gift system. Are the entries that are put into the GIS system more robust? Is there more information and more data being provided than prior to the training? Do you see some noticeable objective differences since the training happened based on the criteria of the training?

So you need to be able to show that. That's how you whether the training is effective. You Find out if they retain that information in their head and you find out if the actual conduct that you're asking them not to do, or asking them to do has happened in the wake of that training.

The next one is particularly interesting to me and near and dear to my heart because it's an issue that I talk to organizations a lot about. It's characterize as communications about misconduct but what it really is about is organizational justice. And communicating To the employee base about the actions that have been taken when there has been an issue, when there has been a violation of policy or code and there's been misconduct.

How does the organization react? And even more importantly in some circumstances, how does the organization communicate that? To the employee based, to the stakeholders. This is really important because there's a tension out there and has been for a long time between HR and Legal and compliance In many organizations about revealing information around misconduct and the results of investigations and incidents.

There is a natural tendency in many cases to keep those things as confidential as possible. This is sometimes coming from outside counsel who are advising their clients Based on a fear of litigation around employment issues, but I think that you need to really push back as much as you possibly can and demand answers from the Law Department either internally or externally about why you can't share a certain information about the results of an investigation, how the company handles misconduct.

Because In a vacuum people will determine what happened in their minds, and typically it's not going to be a positive outcome in their minds. So if you have taken action, if there has been a result that's a result that shows the company takes things seriously. That, for instance, it punishes the top performer Equally with the low performer when misconduct occurs you want to trumpet that, you want that to be a headline, you want that to be out there so that people have confidence in the system and confidence that the organization takes these things seriously.

And if you won’t believe me, somebody who's looked into organizations over the last several years believe our friends at the fraud section that they're going to look into that. That if there's a problem, they're gonna look into how you communicate around the results of these investigations and misconduct findings.

The last section under training and communication is what's titled availability of guidance. And it asks two salient questions. First, it asked what resources rea available to provide employees guidance around policies? So it's not talking about, are the policies available, but what guidance is available. Now remember this is housed under a training and communications heading.

So I think what they're talking about is what kind of informal communication and training is out there to help employees understand the policies, the code. What they're supposed to do, what they're not supposed to do, when they're supposed to report. So this is talking about communication. Broadly speaking or training around the policies themselves, not just the policies exist and that they're available, which is important, but how are those policies explained?

How frequently do you go out there and talk about, again, going back to the anti-corruption example, how you use the gift registry system? How's that explained? How's that explained in common sense language to the average employee or the employees that, after you've done your risk-based profile, have determined need to receive that message?

So this is not suggesting that the policies need to be available, which is important, but that there needs to be communication around it. Second question is how has the company assessed or looked into whether employees know when to seek advice and whether they're willing to do so. So this goes to the heart of the most.

Complex and difficult issue around reporting which is retaliation or fear of retaliation. We talked about this before and I encouraged you if you haven't go back and listen to our podcast on this. So, this is delving into whether the company has look into these issues. About how freely people feel about coming forward and raising questions and reporting concerns and seeking advice.

Do they know about the resources? Are they comfortable coming forward? So that's a culture survey. That's going going out and talking to people. That's doing focus groups. That's doing some research into people's perceptions about coming forward, about the resources available to do that and about how comfortable they are doing that.

So those are really salient, important things. Now it's interesting, those are the topics that are under training and communication, not whether you're regularly training, not whether you're hitting certain topics, but whether you're measuring Look at the focus here on measurement and on data. This is very different, I think than what we have done traditionally with training where we put a lot of effort into creating training based on some presumptions.

We push it out there. We insist that people do it or sit through it. But we don't really measure. So if you take one thing away from this section, that's measurement. How are you measuring? How do you do it? It's important. Section 7 is titled Confidential Reporting and Investigation.

There are three salient questions here about your reporting system. And I say system because we're not just talking about hotline here, and I'll all explain what I mean here in a second. So the first question is “How does the company collect and analyze information from its reporting mechanisms?”

So how are you gathering information? Do you have a hotline system? Do you have an incident reporting system? What are the data feeds into that? So that's not just people who happen to Call on the hotline. But how also are you using systems. If there's information that's being collected by HR or up through the management chain, how is that information collected, analyzed.

And, the second question is, once you've got that information, how do you access the seriousness of the allegations? Do you have a system? Do you have a ranking system? How do you handle different types of allegations? Who handles? Different types of allegations. We all know that a lot of the information that typically comes through a hotline or a reporting system is, broadly speaking, HR related.

So how does HR? Handle those particular reports. Do you aggregate and look at the data around HR reports that maybe you as a compliance officer don't typically handle, but do you look at trends? How does HR report back to compliance or more broadly speaking, to the governing authority of the organization around what they look at?

So have a handle on the different feeds of data. And information on reporting and asking questions that come up through the different channels. How do you collect it? How do you analyze it? And how do you rank it, how do you determine seriousness? The last question is, does the compliance function have full access to the information.

And this relates directly back to the first two questions. So if you have sort of different routes that different reports take, if HR is responsible for collecting a lot of information, what do they share? Are there things that they're not sharing around not only just trends, but what types and the volume of certain reports coming from Various parts of the organization are.

So is compliance, particularly, the compliance operation of the organization getting all the data it needs. So this is really data driven just like the prior section. The second topic heading is, focusing on investigations and sort of your investigation protocol. It's asking whether the investigations are properly scoped. And staffed by appropriate qualified personnel and are they independent objective appropriately conducted and document.

So this is looking at your investigation process so how consistent is it? How independent is the investigation process? What triggers an investigation? Who conducts an investigation? How is that determined? Are they independent? Do they have the ability to have objective conclusions and who do they report to? And how is that filtered and not filtered?

So, really go through your investigation protocol and process very carefully and make sure that you can justify that it is independent objective If that there is a process that's appropriate and professional. They're using the term qualified personnel. Do the people who are conducting the investigations have any training at all in investigations?

What's their experience level? It's important to be able to document that and justify the process you have in place. And then, lastly, under confidential reporting and investigations they have a bullet on response. What have you done? What have you done to determine why the misconduct occurred? Are there controls perhaps you could put in place?

Is there an issue with policy or procedure where there's a gap? Is there an issue with monitoring? Did you not find out About this issue and until well after you would've hoped that you would've. So on the front end our controls in place and in the backend is monitoring effective to catch these particular issues And interestingly, they also ask a slew of questions here about how high up do the investigator findings go?

What is the accountability among supervisory managers and senior executives? There's a real focus here, in this last part of part seven, on the involvement of senior management. And what they knew, what they didn't know. I don't think, necessarily, you wanna look at this only narrowly as to the particular issue of misconduct, but But were these managers involved in the lack of controls or lack of process that led to the issue if that was the case.

And the monitoring on the backend. So not only look at the systems, not only look at the Process up front and the monitoring in the back, but how management contributed to either the success or failure of those issues. So I had intended for this originally to only be a two parter, but I gotten the better of myself just talking about two parts of the 11 sections this week.

But I think it's worth spending a little bit of time. And I think we probably actually Maybe come back and examine some of this in more detail later. So join us again next week for the third and final part. I promise, I promise I'll get through it. The checklist is on the checklist

Thanks for listening to Compliance Beat. Check out our website. Compliancebeat.com, this podcast is brought to you by More Head Compliance Consulting. Be sure to check us out at moreheadconsulting.com.

...

The Checklist That’s Not A Checklist Part 1: What does the new guidance from the DOJ Fraud Section mean?

Eric Morehead — Wed, 01 Mar 2017 21:37:44 -0500

The Department of Justice Fraud Division released the Evaluation of Corporate Compliance Programs in middle of February without any announcement or fanfare. Is it a checklist? It looks like a checklist, but DOJ says it’s not a checklist or formula. Some of the information in the Evaluation you’ve heard before, but the “checklist” expands on it. If it’s not a checklist, what does it all mean? How can it help you?

In this first of a two part series, Eric discusses in depth five of the eleven topics covered in the Evaluation as well as their subtopics. In this edition, Eric talks about:

Remedying Misconduct
Involvement of Senior and Middle Management in the Program Compliance Autonomy and Resources
Policies and Procedures
Risk Assessment

Next week, in part two of this special edition, Eric will discuss the remaining topics:

Training and Communication
Confidential Reporting and Investigations
Incentives and Disciplinary Measures
Continuous Improvement, Periodic Testing and Review
Third Party Management
Mergers and Acquisitions

If you have a question you want answered on the podcast be sure to reach out below.

When and how will the organizational sentencing guidelines be amended? & Three Questions with Joe Murphy

Eric Morehead — Wed, 22 Feb 2017 14:00:41 -0500

This is another episode in our ongoing series: Sentencing Commission Confidential. The United States Sentencing Commission is the steward of the organizational sentencing guidelines. It’s helpful to understand how the United States Sentencing Commission decides to amend certain guidelines before we answer this episode’s questions. Eric explains how the Sentencing Commission sets its amendment priorities, the comment process and how to participate in it, and the actual amendment process. The Sentencing Commission could amend the organizational sentencing guidelines every year, but these guidelines have been very infrequently amended. In the past, organizational guideline amendments have been very evolutionary, reflecting changes in compliance and ethics in the years preceding their amendment. In this episode, Eric answers:

What factors should we consider as we think about when the guidelines many be amended?

Who influences the Sentencing Commission’s amendment priorities for the year?

What areas of the organizational guidelines are more likely to be amended?

The Upshot

The Upshot this week is when you are thinking about when the organizational guidelines may be amended, take a close look at the Sentencing Commission’s priorities that come out in May or June of each year and keep an eye on who President Trump appoints to the Commission. As far as what might be amended, more talk and guidance around the concept of incentives is in order. There might be some consideration of making the fine provisions of Chapter 8 more applicable to offenses that are currently carved out.

Three Questions with Joe Murphy

For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done work in this field on six continents. Joe has published over 100 articles and given over 200 presentations in 17 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and a member of the board of the Society of Corporate Compliance & Ethics. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014.

If you have a question you want answered on the podcast be sure to reach out below.

Busting Three Third-Party Myths & Three Questions with Eric Feldman

Eric Morehead — Wed, 15 Feb 2017 14:00:17 -0500

Eric often encounters three myths that organizations believe when considering the liability they may face because of third-party partners’ or agents’ conduct. In this episode, Eric explains why believing these myths creates liability risks for your company.

Myth No. 1: Many people believe that third-party compliance is only anti-corruption, anti-bribery, and/or potential Federal Corrupt Practices Act (FCPA) violations. Your risks, however, are much broader than just those three risk areas. Eric explains why you should be concerned about your third-party agents’ or partners’ compliance in many other risk areas.

Myth No. 2: Many organizations believe that if they are operating purely domestically and don’t conduct any business overseas, they don’t have third-party compliance concerns. It is important to realize that if your third-party agent is working overseas, you may have liability related to the third-party’s conduct overseas. Eric looks at some risk areas that you may not realize you face from third-party’s conduct overseas and how you can protect yourself from those risks.

Myth No. 3: You can rely on a third-party’s compliance program to protect your organization from liability resulting from the third-party’s conduct. Many people recognize that smaller organizations that don’t have as robust a compliance program can present a greater liability risk that larger organizations that have robust compliance program. No matter how extensive a third-party’s compliance program may be, you still face risk. Eric discusses the settlements of FCPA violations related to Panelpina World Transport Ltd., a large publicly trade, multinational corporation. In these cases, many organizations faced liability due to Panelpina’s conduct overseas. Eric explores what this means for your reliance on a third-party’s compliance program.

Three Questions with Eric Feldman, Affiliated Monitors, Inc.

Eric Feldman is the Senior Vice President, Managing Director, Corporate Ethics and Compliance at Affiliated Monitors. Eric retired from the CIA in 2011 with over 32 years of experience in Inspector General oversight and federal auditing in the executive and legislative branches of government. He has served in executive positions with Offices of Inspector General at the Department of Defense, Defense Intelligence Agency, and CIA, and was the longest serving Inspector General of the National Reconnaissance Office (NRO) from 2003-2009. At the NRO, he presided over a highly successful procurement fraud prevention and detection program, widely recognized by the Department of Justice as a model throughout the federal government. Eric is a sought-after speaker in the field of compliance and ethics. Eric’s background and experience give him unique insight into the importance of corporate culture and the future of compliance and ethics. In this interview, Eric’s discussion goes far beyond the three questions, discussing issues that range from recent newsworthy compliance failures to the future of compliance and ethics.

If you have a question you want answered on the podcast be sure to reach out below.

Click Here to Subscribe to Our Mailing List

Should you have a third-party vendor or partner code of conduct? & Three Questions with Kelly Clark

Eric Morehead — Fri, 10 Feb 2017 00:13:38 -0500

According to benchmarking data, less than half of organizations currently have third-party codes. There’s a current trend of partners asking each other to “sign off” or certify to codes of conduct. You must first assess your risk before answering whether you need a third-party code. Other controls you already have in place, such as contracting language, may fill the need. Third-party codes should be purpose made and they often cover far less information than employee codes of conduct. In this episode, Eric answers:

Why would your organization need a third-party code?
Tweet This

What do these documents look like?

What type of information should they contain?

Eric also talks about the standards and tools you should use when composing a third-party code as well as thinking about the risk topic coverage you will need.

The Upshot

When considering a third-party code, take a hard look at the purpose and audience you are trying to reach. Also consider accessibility and the communication tools you use for your employee code when drafting these documents.

Three Questions with Kelly Clark, Senior Vice President, Safety, Environmental and Regulatory Services for Holland America Group

At Holland America Group, which includes Princess Cruises, Holland America Line, Seabourn, P&O Cruises Australia, and Holland America-Princess Alaska land operations, Kelly oversees fleet compliance efforts including safety and environmental operations, emergency response organization, policy and procedure development and implementation, and training. As the group’s Chief Ethics Officer, she spends much of her time improving awareness and education throughout the organization on the importance of working with integrity, honesty and ethics at all levels. Under her stewardship, Princess Cruises, Holland America Line and Seabourn have been Ethics Inside Certified®, and the Holland America Line has been named to the list of the World’s Most Ethical Companies® for five consecutive years. Kelly was also named to Ethisphere’s list of “Attorneys Who Matter” in the area of Ethics & Compliance in 2015 and 2016.

Compliance Officer Liability after VW & Takata

Eric Morehead — Wed, 01 Feb 2017 14:58:03 -0500

What does the flurry of indictments against individuals at Volkswagen and Takata tell us about compliance officer liability after the Yates Memo? Eric revisits the impact of the Yates Memo on compliance officer liability with the news of these prosecutions. The Yates Memo, written by Deputy Attorney General Sally Yates and released on September 9, 2015, addresses individual liability for corporate wrongdoing. In the memo, DAG Yates lays out new guidance to Department of Justice attorneys who are prosecuting individuals involved in corporate wrongdoing. An earlier episode, “Does the Yates Memo increase my liability as a compliance officer?”, examines data collected by the United States Sentencing Commission regrading the rates of criminal prosecutions for individuals involved in corporate wrongdoing.

In this episode, Eric tells you why he holds to his original statement that the most important function of the Yates Memo is to open the door to and encourage important discussions about corporate culture and strong compliance and ethics programs. Volkswagen and Takata can serve as cautionary tales about the impact of a weak culture and compliance and ethics program.

Eric also goes beyond the news stories and examines the affidavit in support of the criminal complaint against VW’s compliance officer, Oliver Schmidt. He talks about the conduct that Schmidt allegedly engaged in that led to his arrest. He also discusses what compliance officers can do to avoid individual criminal liability.

What are three ways to involve managers in your compliance & ethics program? & Three Questions with Gretchen Winters

Eric Morehead — Wed, 25 Jan 2017 14:00:51 -0500

How do you create tone from the middle?

Click Here to Subscribe to Our Mailing List

Middle managers are some of the most important members of your compliance and ethics team. Research shows that employees are more likely to report concerns about misconduct to their direct manager or supervisor rather than use a hotline. Eric discusses this data more specifically in “What can you do to prevent retaliation and encourage employees to report retaliation?” and “Why does no one call the helpline?”. Giving managers the resources to be effective leaders and engaging managers in your compliance and ethics program is one of the best ways to prevent compliance failures.

Many managers are already involved in one area of training. They are often charged with overseeing their reports’ completion of computer-based training. This can be a fairly rote exercise in which managers remind employees to complete training. Managers should really have a more proactive role in training and communication about compliance and ethics issues in order for you to maintain an effective compliance and ethics program.

In this episode, Eric discusses three ways to engage managers. Managers need to become trainers in your compliance and ethics program. Online training is hard to beat when you must train hundreds or thousands of employees on the same issues. But online training shouldn’t replace live training. In live training, there is a give and take that more effectively teaches employees about risk topics. This simply can’t be replaced by online training. Eric tells you simple ways to give managers the tools to be effective trainers and to create a manager-training program that is simple to implement.

Managers also need to be part of your continuing communication around compliance and ethics issues. Communication is one of the Sentencing Guidelines Seven Hallmarks of an Effective Compliance Program. We often talk about training and communication together, but they should be two distinct parts of your program. Training encompasses those formal courses. Communication is more informal and more frequent. Eric discusses easy ways to give managers the resources to engage their reports in these discussions around risk topics and other compliance and ethics issues on a regular basis.

Even more broadly than compliance, you should help your managers engage in team building. Encouraging managers to implement policies, such as open-door policies, that good rapport and open discussions with their reports will help create an environment where managers can be more effective in training and communication. Eric talks about ways that to create an environment where people talk frequently and are encouraged to come forward to talk about issues before there’s a compliance failure.

The Upshot

If you are looking for ways to involve your managers in your compliance and ethics program, three places to start are engaging managers in training, giving managers tools to engage in regular communication about compliance and ethics issues, and helping managers build strong teams and good rapport with their direct reports.

Three Questions with Gretchen Winter, Executive Director, Center for Professional Responsibility in Business and Society at the College of Business at the University of Illinois at Urbana-Champaign

Gretchen is well known figure in the field of compliance and ethics. As the Executive Director of Center for Professional Responsibility in Business and Society at the College of Business, Gretchen also serves as a Visiting Professor at the Universite de Cergy-Pontoise School of Law, an Adjunct Professor at the University of Illinois College of Law, and as faculty for a University of Illinois College of Business class on professional responsibility and business ethics. She teaches in educational programs for NYSE Governance Services, Thomson-Reuters, the Society of Corporate Secretaries and Governance Professionals, the Ethics and Compliance Initiative, the Practising Law Institute, and the Society of Corporate Compliance and Ethics. Gretchen started her career at Baxter International, Inc. She worked for 18 years at Baxter, serving for more than a decade as Vice President and Counsel, Business Practices. Gretchen developed the company’s global ethics program and provided guidance to those who saw ethical dilemmas in their work. Eric and Gretchen discuss the importance of compliance and ethics education in law school and business school, advice for those starting a career in compliance and ethics, and future trends in compliance and ethics.

What can you do to prevent retaliation & encourage employees to report misconduct? & Three Questions with Che Hembrey

Eric Morehead — Wed, 18 Jan 2017 14:00:16 -0500

In order to answer this question, it’s important to first look at the data on retaliation. In three different reports, two in 2012 and one in 2015, the Ethics and Compliance Initiative examined the percentage of employees that report witnessing misconduct. These reports found that 40% to 50%, or approximately four out of ten employees, witnessed misconduct. The percentage of employees that then report misconduct is around 60%. Of the employees that report, 21% employees, or about one out of five, reported experiencing retaliation after reporting. These reports also found that retaliation spikes with organizational change.

In order to prevent retaliation, we have to understand what it looks like. Fear of retaliation is the number one reason why employees don’t report misconduct. What is and isn’t retaliation can be very nuanced. The key is to look at retaliation from the perception of the person experiencing it. Most of the people who experience retaliation cite being treated differently, such as being intentionally ignored or excluded. Retaliation can also take more pernicious forms, such as losing one’s job and verbal abuse.

In this episode, Eric examines the data on retaliation and discusses how to prevent and address it as well as create an environment in which employees feel comfortable reporting misconduct. He answers:

How can you ensure that employees feel comfortable reporting misconduct?
Tweet This
To whom do employees most frequently report misconduct?
What factors of a compliance program and of corporate culture create an environment that encourages reporting misconduct?

The Upshot

When addressing concerns about reporting misconduct and retaliation in your organization, you should focus on an effective compliance and ethics program that includes structural pieces, such as clear communication that addresses employees’ fears of retaliation and strong corporate culture.

Three Questions with Che Hembrey, Executive Director, Compliance at Hill-Rom Holdings, Inc.

Like many compliance professionals, Che’s path to his current position as Executive Director, Compliance at Hill-Rom was a bit circuitous. He started his career as an IT consultant. Che left IT consulting for a job in sales at LION, Inc. From sales, Che became a manager in Ethics and Compliance Audit at a pharmaceuticals company where he helped establish the company’s first ethics and compliance audit function. He rose to a Senior Manager position in R&D Compliance Programs when Che left to join Hill-Rom’s compliance division. Che was hired at Hill-Rom to restructure, develop, and implement a comprehensive risk-based compliance program focused on managing the company’s U.S. and global risk. In his current position, he is responsible for developing, updating and executing the strategic plans, and the associated activities specific to compliance auditing and monitoring, written standards, communications and training. Eric and Che discuss how his background helps him in his current position and Che’s predictions for upcoming trends in compliance and ethics.

2017 Trends in Compliance & Ethics Special Edition

Eric Morehead — Wed, 11 Jan 2017 14:00:54 -0500

What are going to be the overarching trends in compliance and ethics in 2017?

no matter what happens with regard to deregulation, all organizations face reputation risks.

In this episode, Eric talks about compliance and ethics program trends that will affect every company, no matter your size and no matter whether you are in a highly regulated space.

First, in the past year there has been lots of discussion deregulation. Will potential deregulation lessen the importance of compliance? How can you make the case for continued focus on compliance? How can you keep up the conversation within you organization? As part of his discussion, Eric references the data in the SCCE and NYSE Compliance and Ethics Program Environment Report.

Second,

Click Here to Subscribe to Our Mailing List

As we’ve all seen, social media amplifies these risks and information can go viral quickly. Eric makes the case that organizations need to consider potential reputation risks and ways to mitigate these risks.

Last, Eric predicts that defining what a risk-based approach to compliance will be a big trend in 2017. The idea of risk-based approach to compliance comes out of FCPA guidance. What does it mean to take this approach? Your organization should think about the empirical reasons for your approach to compliance and ethics. How can you use that data that you collect internally to determine where your risk areas are? How can you make the business case for investing in compliance?

Should you use interactive design for your code of conduct? & Three Questions with Ricardo Pellafone

Eric Morehead — Wed, 04 Jan 2017 14:00:45 -0500

When you are updating, refreshing, or rewriting your code of conduct, you should consider whether or not to create an interactive code of conduct. An interactive code of conduct is a digital document that a reader truly connects with. This document, which may be an interactive PDF (Adobe Portable Document Format), has clickable functions, such as learning aids, comprehension aids, videos, and/or links to other policies or documents. These elements allow readers to interact with the document as they read through it. A learning aid may ask a question, allow the reader to select an answer, and then tell the reader whether the answer is correct or incorrect as well as the reasons why. A discussion of a risk topic may link to a more specific policy. While interactivity can enhance your code of conduct, not every organization wants or needs an interactive code. In this episode, Eric explores how organizations should determine whether an interactive code is right for them and explores what type of questions you should ask when considering whether to create an interactive code. Eric discusses the three questions an organization should ask:

Do you intend for your employees and other stakeholders to interact with your code of conduct digitally or as a paper document?

How do you generally communicate with employees? What is your communication style?

What kind of internal resources in terms of IT and design do you have? How do you plan to maintain an interactive code?

The Upshot

When determining whether to use an interactive design, be sure to spend some time thinking about these three questions: How do your stakeholders interact with your current code of conduct? What is your organization's communication style? How do you maintain your code of conduct?

Three Questions with Ricardo Pellafone, Founder & Creative Director at Broadcat

As the founder of Broadcat, Ricardo’s mission is to get people excited about compliance. He brings a fresh perspective in compliance and ethics. Broadcat uses simple, task-based, graphic content to help employees grasp compliance obligations quickly, making it easy for them to know who to call and what to do when tough situations arise. Before founding Broadcat, Ricardo was the in-house investigations leader for a tech company in California and a sovereign-owned company in the United Arab Emirates. He has also worked conducting internal investigations for clients at a larger law firm. Eric and Ricardo discuss the importance of working in compliance outside of the United States, planning for the best case scenario, and the decline of best practices as the only metric for a compliance program.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

Do we need to train our Board of Directors on compliance and ethics? & Three Questions with JoAnn Mahoney

Eric Morehead — Wed, 28 Dec 2016 17:03:54 -0500

The short answer is yes, you must train your governing authority, which may be your Board of Directors, on your compliance and ethics program. The U.S. Sentencing Guidelines require that you do so because the Board is required to oversee your program. How does this look in practical terms? Eric discusses what he calls the three pillars of Board of Directors’ training:

Compliance Risk Topic Specific Training. These topics may include conflicts of interest, anti-corruption, data protection, data privacy, insider training and other specific risk topic training.

Periodic Review/Discussion of Board of Directors’ Responsibilities. This should address what the Sentencing Guidelines expect of the Board of Directors or other governing authority, including their responsibility for the oversight of the compliance and ethics program.

Annual Code of Conduct Training/All Hands Training. This is the broader training that goes out to the vast group of employees and other stakeholders that receive training in your organization. Code of Conduct training kills two birds with one stone because it addresses the Board’s oversight role of the compliance and ethics program and it provides actual training to the Board. At a minimum, the Board or governing authority should receive the information that is provided in training and details of how the training is in administered.

As well as exploring these topics, Eric also answers:

How often should the Board receive training?

How should Board training be accomplished?

The Upshot

When training your Board of Directors, you should address the three pillars in board training: risk specific topic, regular review of the Board’s responsibility to oversee the compliance and ethics program, and a comprehensive review of employees’ and other stakeholders’ code of conduct training.

Three Questions with JoAnn Mahoney, Senior Director of Regulation & Compliance, Equifax, Inc.

At Equifax, JoAnn wears many hats, like many compliance professionals. She is the compliance subject matter expert for the business units at Equifax of mortgage, healthcare, insurance, data and analytics, mobile commerce, and new product innovation. JoAnn has worked in the financial services industry since working at a credit union during college. Before joining Equifax, JoAnn held role in compliance within the financial services industry, including at Bank of America and Cornerstone Bank. In this segment, JoAnn talks about her career journey. She also discusses the importance of compliance professionals to see themselves as a member of an organization’s team so that you gain credibility within your company. She also talks about future trends in the financial industry.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

Compliance Failures & Crisis Management: What can we learn from Baylor University & Penn State?

Eric Morehead — Sat, 24 Dec 2016 14:38:40 -0500

Sexual assault allegations rocked two prestigious university football programs, Penn State and Baylor University. Both universities took two different paths to addressing the underlying compliance, governance and risk problems that led to the scandals. Penn State embraced a transparent approach to addressing the problems. In contrast, Baylor’s Board of Regents have blocked stakeholders’ efforts to understand the root causes of their compliance failures.

In fall of 2011, Jerry Sandusky, a former assistant football coach for the Penn State Nitany Lions, was charged and convicted of multiple counts of sexual abuse of children. Several Penn State University officials, whose alleged actions were questioned in terms of whether they met ethical, moral, and legal obligations in reporting any suspected abuse, were also charged. In response, the Board of Trustees commissioned an independent investigation by former FBI director Louis Freeh and his law firm. The Freeh Report found several high ranking school administrators knew about allegations of child abuse on Sandusky’s part as early as 1998 and were complicit in failing to disclose them. In so doing, Freeh stated that the most senior leaders at Penn State showed a “total disregard for the safety and welfare of Sandusky’s child victims” for 14 years and “empowered” Jerry Sandusky to continue his abuse. Penn State released the full Freeh report to the public and addressed the governance, risk and compliance issues openly.

Baylor, however, has adopted a less than transparent approach to addressing allegations that football players sexually assaulted women on campus and that the university knew and failed to act. Unlike Penn State, when the Board of Regents commissioned a report, they released a heavily edited statement to those outside of the Board. Baylor has seen substantial backlash from many stakeholders, including prominent alumni.

In the episode, Eric, a Baylor alumni, asks:

What can organizations in crisis learn from other organizations that have gone through similar trials?

How can transparancy be weilded effectively to counter-act even the most serious instances of misconduct?

What are the fundamental differences between the crisis managment approaches these two organizations have taken?

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

Does the Yates Memo increase my liability as a compliance officer? & Three Questions with Ted Banks

Eric Morehead — Fri, 16 Dec 2016 01:10:45 -0500

The Yates Memo, written by Deputy Attorney General Sally Yates and released on September 9, 2015, addresses individual liability for corporate wrongdoing. In the memo, the DAG Yates lays out new guidance to Department of Justice attorneys who are prosecuting individuals involved in corporate wrongdoing. When you review the data over the years preceding the Yates Memo, the data shows that the DOJ does a pretty good job of prosecuting individuals involved in corporate wrongdoing. From data collected by the United States Sentencing Commission, we know that in just about 60% of cases where an organization is charged with criminal conduct, an individual is charged too. In 50% of those cases, a high level employee is charged. We will have to look at 2016 data when it is released to see if the Yates Memo has any real impact on the rate of prosecution. In this episode, Eric explores the possible impact of the Yate Memo. He answers:

What is the most immediate impact of the Yates Memo?
Does the Memo mean more liability for compliance officers?
What impact might the Memo have in the future?

The Upshot

As a compliance officer or a compliance professional, the Yates Memo puts us all on notice that our responsibilities are no different than our expectations for other managers, supervisors and leaders within an organization. Our condoning of, participation in, or turning a blind eye to misconduct or violations of the law can result in us individually having some criminal liability for those actions. We’re now on notice.

Three Questions with Ted Banks, Partner, Scharf Banks Marmor, LLC

As a partner at Scharf Banks Marmor, LLC, Ted’s practice focuses on general corporate and anti-trust matters. He’s also President of Compliance and Competition Associates, a firm that provides consulting services to assist corporations in developing or improving their compliance and ethics programs, including records management, employee training and confidential investigations. As the former Chief Counsel – Global Compliance at Kraft Foods, Ted had responsibility for antitrust, general litigation, corporate transactions, sales, legal computer applications and public policy coordination. He’s an adjunct professor of law at Loyola Univeristy Law School where he teaches corporate compliance. Ted has been appointed as a corporate compliance monitor by the Federal Trade Commission and Competition Bureau of Canada to oversee compliance programs of respondent companies. Ted is a thought leader in the field of compliance and ethics and is a well known author and speaker.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

“What are the dos and don’ts of written compliance policies?” & Three Questions with Wesley Bizzell

Eric Morehead — Wed, 07 Dec 2016 02:20:45 -0500

Written standalone policies, along with your code of conduct, form the foundation of an effective compliance and ethics program. Often organizations focus on rewriting and redesigning code of conduct to meet current best practices and do not consider rewriting standalone policies, even though most codes of conduct reference these other policies. It is important to note that the Sentencing Guidelines don’t mention code of conduct specifically, but the Guidelines do require that an organization establish standards and procedures to prevent and detect criminal conduct. When you are updating your code of conduct, you should also be considering the policies it references. Many of best practices developed over the past few years focus on rewriting your code of conduct to make it more accessible. These same lessons apply to writing effective policies. In this episode, Eric answers:

How do you ensure your policies are reasonably capable of preventing and detecting criminal conduct as required by the Sentencing Guidelines?

What lessons can you apply to writing standalone policies from code of conduct best practices?

How do you create consistency across all your organization’s policies?

How do you effectively work with subject-matter experts and other stakeholders within your organization to rewrite policies?

The Upshot

There are some key things to keep in mind when you are planning to update your standalone policies. The types of stakeholders and subject-matter experts who you will have to consult with are wider and broader than the ones you consult with when rewriting your code of conduct. It will take planning to get them aligned with the end goal. Just as you would in a modern code of conduct, you need to pay attention to the language you use in your policies. Try to reduce jargon and have a conversational tone. Consider design and interactive learning aids where possible. Also, develop a template so that you have a consistent approach across your policies.

Three Questions with Wesley Bizzell, Assistant General Counsel and Director of Political Law and Ethics Programs, External Affairs for Altria Client Services Inc.

At Altria Client Services, Wes provides in-house legal counsel on matters relating to the political, legislative, and lobbying activities of Altria Group, Inc., its services companies, including Altria Client Services, and its operating companies, including Philip Morris USA Inc., U.S. Smokeless Tobacco Co. LLC, John Middleton Co., and Ste. Michelle Wine Estates Ltd. He’s responsible for ensuring that Altria and its companies comply with all laws and regulations regarding federal, state, local, and international campaign finance, government ethics, gifts to government officials, lobbying disclosure and reporting, and charitable giving. Overseeing a comprehensive compliance system covering the regulation of government affairs, Wes provides advice and guidance on political law compliance for more than 75 jurisdictions. He also heads the legal team that supports Altria’s public policy activities, providing services related to legislative and regulatory drafting and interpretation. Mr. Bizzell is a member of Altria’s Compliance Leadership Team and its Anti-Corruption Compliance Working Group.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

“What are the key steps for effective assessment interviews?” & Three Questions with Kathleen Grilli

Eric Morehead — Wed, 30 Nov 2016 14:00:33 -0500

As your organization approaches a regular assessment of your compliance and ethics program, consider whether you need to include personnel interviews as part of the process. Many organizations rely solely on benchmarking data and surveys to assess their programs. Time constraints can often prevent a deeper dive into program effectiveness. While not every regular assessment may need to include interviews, interviewing personnel from across the organization can provide helpful insights. Interviews can uncover issues that you simply cannot discover when relying solely on the data. During the interview process of an assessment, many organizations regularly talk to the usual suspects, including human resources, legal, audit, compliance, and upper level management. But in order to see the full picture and assess all the pieces of the puzzle, organizations should also include operational management and the rank and file. In this episode, Eric answers:

When including interviews as part of the assessment, what should the interview process look like?

Aside from the usual suspects, how do you determine who to interview?

What steps can you take before and during the interview to ensure that your interviews reveal the full picture?

The Upshot

When you’re planning the interview process as part of an assessment of your compliance and ethics program, spend some time considering what data and documentation you will review beforehand. The data you review beforehand will help inform who you are going to interview. Also take some time ensuring that you get a broad good sample of interviewees from the top to the bottom of the organization. Lastly make sure to set the right tone: inform the interviewees about your project goals because that will sometimes free them up to give you the information that you really need for an effective assessment.

Three Questions with Kathleen Grilli, General Counsel of the United States Sentencing Commission

As in many small organizations, Kathleen is not only the General Counsel of the United States Sentencing Commission, but also its Compliance Officer. Like many of you, she understands the difficulties of wearing two hats in a small organization. In her interview with Eric, Kathleen discusses her career from a criminal defense attorney in Florida to General Counsel of the Sentencing Commission. Her background and positions at the Commission as well as her experiences as a criminal defense attorney bring a unique perspective to the future of compliance.

In 2013, Kathleen was appointed General Counsel of the USSC. Kathleen has served the Commission as Deputy General Counsel since 2007, having joined the agency as an assistant general counsel in 2003. During Kathleen’s tenure at the Commission, she has played an instrumental role in the drafting of key Commission publications including the Commission’s 2006 report to Congress on the impact of the Booker decision on the federal sentencing guidelines and its comprehensive 2011 report to Congress on mandatory minimum penalties. In addition, Kathleen co-chaired the Commission’s symposium on economic crime in 2013 and a symposium on alternatives to incarceration in 2008. Kathleen has conducted training on white collar crime and the organizational guidelines at numerous Commission training events. Prior to joining the Commission in 2003, Kathleen served as staff counsel at the United States Court of Appeals for the Fourth Circuit, in Richmond, Virginia. Previously she worked in private practice and as an assistant federal public defender in Miami, Florida.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

“What can we learn about corporate culture from Wells Fargo?” & Creating an Ethical Culture: A Conversation with Robert G. Jones of Old National Bank

Eric Morehead — Tue, 22 Nov 2016 20:00:02 -0500

The Wells Fargo fraud allegations show that there can be a tremendous disconnect between the C-Suite’s perception of an organization’s ethical culture and the actual culture in the local workplace. Former Wells Fargo CEO John Strumpf testified before Congress that he firmly believed that executives had created an ethical culture at the bank. Where did Wells Fargo go wrong? “Tone from the top” is an often used phrase in the compliance and ethics space. But as the Wells Fargo allegations show us, tone from the top isn’t always enough to ensure that employees on the ground act ethically. In this special edition episode, Eric discusses the lessons learned about corporate culture from the allegations about Wells Fargo. Eric answers:

If tone from the top isn’t enough, then who else defines the tone of the organization?

What does “tone from the middle” mean?

How can you create a tone from the middle that fosters an ethical culture for employees on the ground?

A Conversation with Robert G. Jones, Chairman and CEO of Old National Bancorp

Under Bob’s direction as CEO and President of Old National Bancorp, the company has received national recognition for its coporate culture. Since 2012, the prestigious Ethisphere Institute recognized Old National as one of the World’s Most Ethical Companies. In their conversation, Eric and Bob discuss how Old National Bancorp maintains an ethical corporate culture even as ONB continues to expand across the Midwest. Bob talks about the importance that ONB places in maintaining an ethical corporate culture, how ONB integrates new acquisitions into their current culture, and how to create a tone from the middle so that employees on the ground embrace and maintain an ethical culture.

Bob has appeared on Fox News, Fox Business News, CNBC, and Bloomberg Television, as a spokesman for Old National and community banking. He is very active in his local community and been named to the boards of the University of Evansville, Chairman of the Evansville Regional Business Council, Riley Children’s Hospital, Evansville Business Leaders Roundtable for Education, WNIN, Central Indiana Corporate Partnership, Mid-Size Bank Coalition (Chair Elect), International City/County Management Association-Retirement Corporation (ICMA-RC), and the American Bankers Council.

Among other honors, Former Indiana Governor Mitch Daniels presented Bob with the select Sagamore of the Wabash award and the Distinguished Hoosier Award. He has also been inducted into the Evansville Regional Business Hall of Fame and the Evansville Vanderburgh School Corporation Hall of Fame.

If you have a question you want answered on the podcast be sure to submit it on here or reach out below.

“Should we translate our Code of Conduct?” & Three Questions with Ronnie Feldman

Eric Morehead — Wed, 16 Nov 2016 18:48:37 -0500

When considering whether to translate your Code of Conduct into other languages, there are some surprising nuances. If your organization typically translates documents, you may be familiar with the basic process. Translating a Code of Conduct, however, is a little different than other documents because there are more factors to consider. Among them, you need to consider the process of translating the layout and design as well as text and who your audience is in each country in which you have operations.

What factors do you need to consider when determining whether to translate and, if so, which languages to choose if you are a multinational corporation?

If your organization is based solely in North America, do you even need to consider translations?

What type of guidance do government agencies provide in terms of translations and accessibility of your Code to your employees?

Eric answers these questions and more in this episode of Compliance Beat.

The Upshot

When it comes to translations, there’s more to consider than meets the eye. It’s important to think about translating your Code of Conduct, even if you are a purely domestic organization. The key is to look closely at your employee population and your stakeholder population to determine what languages are necessary. Lastly don’t forget to take a close look at your English version. If your English is too complicated, then your translations will be too complicated.

Three Questions with Ronnie Feldman, Founder of Learning & Entertainments.

Ronnie has a truly unique route to compliance and ethics. He started off his career with an MBA and worked for a boutique consulting firm which provided strategic planning to companies in the healthcare industry. Ten years into his career, he fell in love with improvisation comedy and left the corporate world to join an improv troupe. Ronnie left the improv troupe to build a corporate education business with Second City Works, the B2B arm of the famed improv comedy institution. Listen to how Ronnie has become an improvisational evangelist for thinking in the workplace. His new complany, Learning & Entertainments, brings comedy, fun and creativity to compliance and ethics training that truly engages employees.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

Do the Sentencing Guidelines require an independent chief compliance officer? & Three Questions with Jennifer Badgley

Eric Morehead — Wed, 09 Nov 2016 20:09:08 -0500

The US Sentencing Guidelines require that individuals within an organization be delegated with day-to-day operational responsibility for the compliance program. When defining the role of this individual, the Guidelines say that the person with day-to-day operational authority shall report to high level personnel, and when appropriate, the governing authority of the organization on the effectiveness of the program. In addition, the Guidelines require that the individual responsible for the compliance program have adequate resources, appropriate authority, and direct access to the governing authority. Does this mean that the chief compliance officer or the employee tasked with day-to-day operation of the compliance program have complete independence? Should this person report solely to the Board of Directors or a sub-group of the Board of Directors? What does “adequate resources” and “appropriate authority” mean? Eric answers these questions and discusses how to ensure that your program meets the requirements of these Guidelines.

Eric also asks Jennifer Badgley, Director of Compliance & Ethics at Premera Blue Cross, Three Questions. Listen to her talk about her journey to compliance after working in internal audit at Bank of America and learn why she finds compliance to be a personally rewarding field.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

How can the Sentencing Commission data help you make the case for the importance of a compliance and ethics program? & Three Questions with Amy Lilly

Eric Morehead — Thu, 03 Nov 2016 17:38:16 -0500

The United States Sentencing Commission is charged with collecting a vast amount of data regarding the sentencing of criminal defendants in federal courts. Among this data is a surprising amount of information regarding the organizations that take convictions in federal court for compliance and ethics failures. Many times, compliance and ethics professionals rely solely on current news to garner what information on compliance and ethics failures. The news, however, only covers a small fraction of the organizations that are charged with federal crimes. The data from the Sentencing Commission tells us the full story—a story that has more surprising outcomes than you might expect. In this episode, Eric explores the 2015 data on organizational sentences. You may be surprised to learn that 90% of organizations that take federal convictions have less than 1000 employees.

What size organizations are most at risk?
What types of crimes are organizations being charged with?

You’ll learn that many of the hot topics in compliance and ethics, like FCPA violations, make up a very small percentage of the crimes that organizations take convictions for. It’s not just organizations that get charged, but often individuals with a relationship to the organizations will be charged as well. Eric discusses the data regarding these individuals and how you can use this data to help you make the case internally about the importance of strong compliance program.

The Upshot

The U.S. Sentencing Commission’s data can tell us some very interesting and helpful things about the size of organizations that get in trouble, the types of offenses or actually the multiplicity of offenses that organizations find themselves charged with probably most importantly can talk very specifically about the collateral damage if you will that comes with a federal prosecution in the form of individuals that get prosecuted. These are all helpful pieces of information and you’re making the case internally for the necessity of compliance.

Three Questions with Amy Lilly, the Director of Corporate Ethics and Compliance at CenterPoint Energy in Houston Texas

At CenterPoint Energy, Amy integrates value-based ethics into a compliance-based company. Amy is a leader in Houston’s compliance and ethics professional community and has an interesting perspective on the future of compliance and ethics.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

What do the Sentencing Commission data tell us about ethics and compliance programs?
The Sentencing Commission, besides providing the seven guidelines for an effective ethics and compliance program, has a couple of other functions that are worth exploring. One is the vast amounts of data it collects annually and makes available to compliance officers.
For many people in compliance their number one source of information about problems with compliance is through news reports. While using the news of the current corporate scandals that are making the headlines can be useful, particularly in preparing scenarios for training purposes, the actual data that can be derived from the media coverage about these sorts of compliance failures is not always that helpful. While they can report on the millions of dollars in fines the company must pay, and on the executive or employee or employees that have been let go, disciplined or even sentenced in federal court, this information is really just ad hoc.
In preparing training materials or internal information regarding the ramifications of compliance failure I believe that looking closing at sentencing data that the Sentencing Commission collects can be the very helpful. When I first went to the Sentencing Commission in 2007 I was unaware of the extent of the Commission’s role in gathering, reporting and sharing compliance data with the federal government and the American public. Congress gets regular reports from the Commission on the impact of sentencing of individuals and organizations and the Commission’s annual sourcebook lists facts and figures on sentencing is available to the public on its website www.USSC.gov.
The data shows that there are 70,000 to 75,000 individuals that go before federal judges each year for sentencing. The report also gives figures for cases involving organizations, only, on average between 150 to 220 cases a year. Not nearly as prevalent as the number of individual cases that happen every year.
A surprising number of small companies are the ones that face felony convictions in federal courts. Small and medium sized organizations have the impression that it is the big companies, the Wells Fargos and VWs of the world, because they are the ones making the headlines but it is really the smaller companies that are taking the hit.
For the fiscal year 2015 almost 70 percent of companies that ended up with a felony conviction in federal court had less than 50 employees; if you include those with up to 500 employees the figure is 87 percent. Only about 10 percent of the organizations that get sentenced on an annual basis in federal court have more than 1000.
Small and medium sized-companies that find themselves in federal court are usually going to face a probationary period, have a monitor appointed to oversee their compliance and ethics program, or perhaps face other sanctions and mitigation penalties. These are not the compliance failures that are seen in the news media so it is forgivable if individuals are unaware of the prevalence of these cases. Again, news reports rarely focus on smaller companies.
In an earlier podcast I discuss how too much focus is placed on the current hot button issues. When you look at the Commission’s data it shows that companies should be monitoring the actual and more common risks they might face, not just talking about anti-corruption, FCPA, or bribery, for example.
In FY 2015 the majority of offenses related to environmental, fraud, FDA, money laundering, antitrust, import/export, and immigration offenses. (Five percent of the those 200 or so organizations in 2015 that faced federal charges dealt with immigration laws.)
When we talk about fraud it is not surprising that a large portion of it is in health care fraud and the largest percentage, 27 percent, is for mail and wire fraud. I think that the recent Wells Fargo case is helping us to refocus on the issue of fraud. In this case, it is a very straightforward, garden-variety type of fraud, that of creating false accounts. A large portion of fraud cases in the US are for making false statements or filing false claims (about 5 percent.)
My point here is to focus on what most organizations may actually get charged with and to use it to serve as a wake up call. You have to focus on the risks that you actually face based on your own internal risk assessment. What this data tells me is that you can’t necessarily predict where the case might come from or what law, policy, procedure within your organization will be the area from which the issue arises. You do have some ability to assess that risk based on past experience and on the risks that other organizations are facing. It’s not a completely black box. But, there are going to be some blind spots that you’re just not going to see. The cure for this is to have the sort of company culture where individuals who are unsure about a situation, or who need to ask a question or report something, are comfortable coming forward.
One last area of the Sentencing Commission’s data (which is not found in the sourcebook or on their website, but made in its regular public reports) is the relationship of individual human cases to organizational cases. Looking at 2014 and 2015 data in about 58 percent of the cases there was at least one person charged for the same conduct as the organization. In almost 60 percent of the cases a person or persons are facing liability alongside their company!
I think that it is important--in this post-Yates Memorandum world—that the focus on individual liability has been a topic of conversation. Even before the Yates memo came out, the similar percentage of individuals were finding themselves standing next to the corporate defendant in a federal courtroom. It will be interesting to see in the Sentencing Commission data from 2016 and beyond to see if there’s an upward trend, maybe closer to 70 percent. It will valuable to compare this data as we go forward to get a broad sense of the impact of the Yates Memorandum.
Another interesting aspect, when you look at the individuals that are charged along with the organization, 50 percent of them are not high level officials; they are employees working in more operational roles. Almost 20 percent are the owners of the company, about 21 percent are board members, and about 10 percent are managers or supervisors.
For small to medium-size organizations the most pertinent data to show your stakeholders is that majority of federal convictions are reserved for small and medium-sized organizations, much more so than for the larger organization
The other takeaway is that the risks that lead to these charges are not necessarily the risks that we spend a lot of time talking about in the compliance field or what the executives and board members are hearing about. While corruption and FCPA are still very important risks, we aren’t seeing this in the data for organizations that take the most severe penalties.
Lastly, in well over half of the cases an individual also ends up facing a penalty. At least 50 percent of the time the person is a high-level official. This data should help open some eyes and get people to listen to the importance of having an effective compliance program so to avoid these problems.

The Upshot
The Sentencing Commission's data can tell us some helpful things about the size of the organizations that get in trouble, the types of offenses, the multiplicity of offenses, and the collateral damage that can comes with federal cases in the form of individuals that may also get prosecuted. There are helpful points when making the case internally for the necessity of compliance.

What do the Sentencing Guidelines say about training? & Three Questions with David Searle

Eric Morehead — Fri, 28 Oct 2016 16:57:05 -0500

Training is one area where the Sentencing Guidelines give us specific information about what’s expected for an effective program. Is your training program clear? Does it effectively communicate the company standards? Is everyone meeting these standards?

Another important effective training issue is coverage. Who is receiving it? Does it include remote employees? Does it include management, the board of directors, etc.?

The Guidelines specify “periodic” training but does not define this term. What does it mean?

How can an organization test to find out if it’s training is practical? One way is to select a sample or focus group. And we’ll discuss a few more.

The Upshot

Keep your training effective, periodic and practical. Periodic doesn’t mean once and it’s done, it means periodic. Practical means testing to ensure that the program is working. And finally, use consistent and interesting methods to ensure effectiveness.

Three Questions with David Searle, Chief Compliance Officer and Associate General Counsel at Bristow Group

What do the Sentencing Guidelines say about training?

Training is one area where the Sentencing Guidelines give us specific information about what's expected for an effective program. Training must be effective, periodic and practical. It must succeed in communicating the company's standards to the broadest possible audience. Terms like “clear, concise and interesting” are often applied to training programs that are developed to communicate these standards. Unfortunately, often the training is not “clear” and this can have serious consequences. For example, a few years ago we worked with an organization to develop its program on conflicts of interest. Interestingly, this company specifically allowed for and discussed the hiring of family members and close friends. This was a family-owned business and it would have been impossible to have a conflicts-of-interest policy that forbade nepotism. Indeed, the C.E.O.'s daughter was a General Manager, a well-known fact within the company. While working with this company we discovered that their “off the shelf” training procedures specifically stated that they could not hire family members no matter what. This was an obvious and unintended oversight. So, in the code of conduct training’s module on conflicts of interest there was a provision that directly conflicted with what the actual policy of the organization was. This sort of thing happens more frequently than you might imagine particularly with the proliferation of off-the-shelf, standardized-type training programs.

Another common scenario is when you have a company that has been acquired, or one with several separate subsidiaries, one of its divisions may have policies, procedures, and documents that are in direct conflict with its other divisions. Clear communication must be included not only in the required training but also in any written standards or informal communications that might be out there.

When we talk about clarity and effectiveness much of it comes down to consistency. It is surprising the number of times that inconsistencies occur that cause confusion for the employees and others who are receiving that information.

Another important effective training issue is coverage. Who is receiving the training? Does it include remote employees? Does it include management, the board of directors, etc.?

Indeed, the Sentencing Guidelines specifically say that the people to be trained include members of the governing authority, (the board of directors), high level personnel (management and executives), substantial authority personnel (those responsible for the program) and the organization’s employees and “as appropriate” its agents. If you have a substantial number of subcontractors, agents, and other third-parties who do work on behalf of your organization the Guidelines specify training for these individuals as well.

I have worked with several organizations over the last few years that have had a substantial population of agents, distributors or other third parties that to the outside world looked like they might be part of the overall organization. To have an effective training program organizations must consider anyone who may be representing the organization and the appropriateness of also training these individuals.

The Guidelines specify “periodic" training but does not define this term. Periodic means at least more than once. There are many organizations that have a good on-boarding process where they do code-of-conduct training for their employees but afterward there is no follow-up employee training. This is clearly not “periodic.”

Another thing that deserves attention, particularly if you are a government contractor, is that training may be specifically discussed in the contract. You might be certifying to the fact that you provide periodic training on your code of conduct or other standards. You need to make sure you know what has been agreed to under the contract. I know of at least one contractor that had to scramble after an audit to catch up on the training of all its employees because it had certified training on a periodic basis to mean no less than every three years.

Lastly, the guidelines specify practical training. To me, this means that there be must be adequate time devoted to the training program. Too often we find organizations scrambling at the end of the year trying to get training completed. This places time pressures on both the compliance group and the employees. This is not very practical.

Also, in talking about practicality we need to ask does the training work? How do you know that it is working? We have all heard stories, or may have been in a company, where the training just runs in the background and people aren't really paying attention to it. This is particularly true if it is an online training course. This isn’t practical or effective.

How can an organization test to find out if it's training is practical? There are a couple of ways. One way is to select a sample or focus group--a representative group of individuals--and ask them their impressions about the training and test their knowledge over subjects covered in the training. Another method is used by some organizations that take a broader-based approach about testing. Six months to nine months after the training a knowledge survey is conducted. Specific questions answered by a large group of people about the content of the received training helps the company understand if employees are retaining the information learned in training.

I think that if you pay close attention to consistency, to what's being communicated and if you do so on a periodic basis, followed by testing you will be much more involved in the nuts and bolts of your training program. You will also have a much better idea if it's effective under the Guidelines’ standards.

The Upshot
Keep your training effective, periodic and practical. Periodic doesn't mean once and it’s done, it means periodic. Practical means testing to ensure that the program is working. And finally, use consistent and interesting training to ensure effectiveness.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

“Do we need to invest in an anti-corruption program?” & Three Questions with Douglas Veivia

Eric Morehead — Mon, 24 Oct 2016 23:49:27 -0500

Should we be investing in an anti-corruption program?

Anti-corruption risk is a “high severity/low likelihood” risk for nearly all organizations. But, if it does happen it can be very serious. Eric will look at data between the Department of Justice and various corporate defendants.

If you are asking, “Should we be investing in an anti-corruption program?” it’s probably not the question you should be asking. There are more important questions– “What are the compliance risks for this organization?” “Have you done a compliance risk assessment? “Have you evaluated what risks you face as an organization?” “How have you done that and how recently?” “How comfortable are you with that risk assessment?

You also have to ask before you get to a more specific question about anti-corruption is “What are we doing about those risks?” “What is in-place to address those risks at this point?”

The Upshot

While anti-corruption is a very serious risk it is one with very low likelihood for many organizations. Every organization needs to understand their own particular risks. By doing that you will know if you need to have an anti-corruption program.

Three Questions with Douglas Veivia, VP, International Compliance at Prudential Financial Inc.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

If you are asking, “Should we be investing in an anti-corruption program?” it’s probably not the question you should be asking.

Should we be investing in an anti-corruption program?

Anti-corruption risk is a “high severity/low likelihood” risk for nearly all organizations. This means that if it happens it can be very serious, can impact the company for many years, cost millions of dollars, and may mean that individual employees spend time in federal prison. This is very high severity. Low likelihood risk means that the actual overall risk is not as “highly likely” as is often perceived by the compliance community-at-large.

Looking at enforcement numbers from 2015, the last full year of available data, there were 100 non-prosecution (NPA) and deferred prosecution (DPA) settlements entered between the Department of Justice and various corporate defendants. For those of you who understand anti-corruption, or the Foreign Corrupt Practices Act (FCPA), you already know that NPA and DPA agreements are the mechanism by which the Department of Justice and defendants can settle a potential criminal case without it ever being filed, or by deferring the case for a period of time until the company can complete the terms-of-agreements made in the settlement.

These NPAs and DPAs have become very popular over the last decade or so as a way to resolve corporate cases that could otherwise result in potential criminal charges for the organization. They are perhaps best known for resolving FCPA cases but they are used in many other types of cases. In fact, of the 100 cases in 2015 only two of the cases, just 2%, were for FCPA.

If we look at the 2015 U.S. Sentencing Commission’s data on organizational sentencing, i.e. companies who pled guilty to felony offenses in federal court and received sentences, there are 181 organizations. None of these involved FCPA cases.

FCPA stalwarts will point out that the Securities and Exchange Commission can also settle civil FCPA claims. In 2015 there were nine. The Environmental Protection Agency also has civil authority to bring cases against organizations. In 2015 the EPA referred 141 cases to the Department of Justice for criminal proceedings. (These cases include individual as well as companies. For comparison sake, eight individuals were prosecuted criminally under the FCPA. Regarding the enforcement taken by the EPA, there were 132 civil judicial cases and 1400 administrative cases that concluded in 2015).

I am not providing this data to suggest that somehow environmental enforcement is being overlooked or that it is more important to your organization than anti-corruption. The whole point here is to understand that there is data to look at, both externally and internally.

There are a myriad of other regulatory entities that provide for corporate integrity agreements civil settlements, and penalties. We all know this; in the compliance industry we deal with it every day. I just want to suggest that FCPA enforcement and anti-corruption enforcement is no different than the other compliance risk topics that individual compliance officers and individual organizations have to consider. This means that--

Because if you are asking this you probably don't have a program to speak of or you wouldn't be asking the questioning the first place. You need to be able to answer the question yes or no but you must first answer a few basic questions. The most important question you must ask is “What are the compliance risks for this organization?” “Have you done a compliance risk assessment? “Have you evaluated what risks you face as an organization?” “How have you done that and how recently?” “How comfortable are you with that risk assessment?

The second question you have to ask before you get to a more specific question about anti-corruption is “What are we doing about those risks?” “What is in-place to address those risks at this point?”

None of this is imply that the FCPA and anti-corruption is a non-issue. It's an important issue and I understand this as well as anyone. Over ten years ago I stood next to a man sentenced to 63 months in federal prison for violating the Foreign Corrupt Practices Act. I understand the severity and significance of the statute and the risks that are involved in corruption and bribery. I'm not minimizing it at all. I'm just suggesting that if the question is “Should we be investing in anti-corruption?” that it probably not the appropriate question.

The Upshot

Three Questions with Douglas Veivia, VP, International Compliance at Prudential Financial Inc.

“Should you market the ethics & compliance culture of your organization?” & Three Questions with Erica Salmon Byrne

Eric Morehead — Fri, 21 Oct 2016 15:13:47 -0500

There are both potential positives and negatives when you market or publicly announce your particular commitment to compliance and ethics. Or as more organizations are doing in recent years, seeking to certify that their program meets certain standards.

Let’s focus on a couple of the potential downsides or negatives. When you market your program as being a “best practices” program you need to expect that external forces and maybe even some internal forces will want to investigate. Be prepared to support and show that the program does indeed meet the standards. This may seem obvious, but beyond the hallmarks of the Sentencing Guidelines for an effective program there are a lot of “best practices” in existence that go above and beyond the guideline standards. If you are going to hold up your compliance program as a “best practices” program either through a formal certification or otherwise then you need to make sure that the homework has been done. You will want an assessment that goes through the organizational program piece by piece and thoroughly benchmarks the program against peer organizations. Don’t be caught in a situation where you are called out for not meeting “best practices.” The second potential downside is commitment to the program. If you are going to promote the effectiveness of your program you have to remain committed to applying the resources and time to assure that that program remains a “best practices” program. Once you publicly commit to the notion that the program is a “best practices” program, there is no going back. This may be a good thing if you’re trying to continue to encourage resources and enthusiasm for the program across the enterprise. But it’s a consideration before you embark on any kind of certification process or any kind of public acclamation of the success of your program. I’ve seen this go awry when an organization puts together a program they believed was a “best practices” program. It included a lot of resources including regional compliance officers, compliance committees and consistent and detailed procedures which includes certifications that these individuals had to engage in on a regular basis. The problem surfaced down the road when the organization had to cut. They cut the committees and regional compliance officers with very specific responsibilities but it was still documented as part of the program. At year-end, when the certifications were presented to the Board of Directors, they were inaccurate. The resources had been cut because the program at least in that incarnation had been unsustainable. So that’s what you don’t want to get into. You don’t want to report to have a program that has certain aspects or meet certain standards, if that’s not something you willing to continue. Another potential downside is employee perception. If the proclamation of an effective compliance program or a positive ethical culture doesn’t jibe with the perception of your employees they’re going to sense the disconnect. You will want to make sure that your evaluation of the relative success of the program jibes with the perception of the employee base. It’s like anything else, if management is proclaiming something that the rank and file do not perceive to be accurate then it’s going to ring hollow and that will obviously engender some problems internally that might affect reporting down the road. It certainly also could affect the employee’s overall negative perception of the program itself.

The upside and potential advantages when you market the success of your program or market the organization culture can affect both internal and external stakeholders. Externally, the stakeholders, whether it be shareholders, regulators or the public at large look to organizations to have an ethical culture. They expect organizations to comply not just with the letter of the law but have an effective compliance and ethics program. There are some real advantages to tout the relative success of the program. This can increase stakeholders desire to work or even partner with an organization if the overall image and brand is positive. Having an ethical culture positively impacts the image and brand. Internally, the perception of the culture is very important. I’ve talked about this culture in other podcasts and will continue to do so in the future. A positive perception of the culture impacts reporting, morale, employee retention and employee recruitment. It keeps the employees happy and content in their roles and also allows them to feel that concerns are taken seriously if the organization has culture that promotes organizational justice for example.

Lastly, another important consideration or upside is to generate interest and exposure to the compliance and ethics program itself. Many compliance officers struggle communicating to the base and getting them interested in training or interested in new code of conduct or some other initiative. Many organizations will undertake a compliance week or other initiative but, marketing the culture of the organization as a success or having a program certification that puts a stamp of approval is another way to internally market the program. This generates interest and that’s never a bad thing.

The Upshot

If you’re going to market your program’s success either internally or externally be prepared for some scrutiny, be prepared to support that the organization meets “best practices” and most importantly be prepared to continue on the long hard slog to keep the program up to snuff.

Three Questions with Erica Salmon Byrne, Ethisphere Institute

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

Tom Fox was a recent recipient of the 12th Annual International Compliance & Ethics Award

“Why is the United States Sentencing Commission involved in compliance and ethics?” & Three Questions with Tom Fox

Eric Morehead — Mon, 17 Oct 2016 17:04:14 -0500

This is part of a continuing series called Sentencing Commission Confidential. Let’s take a look at the history and operation of the sentencing guidelines and in particular chapter 8 of the sentencing guidelines that have to do with organizations. Let’s go back in time to 1984, this was before the United States Sentencing Commission. In 1984, there was a bipartisan movement in Congress to reform overall federal sentencing practices. If you remember the 80’s, you might remember parachute pants, Michael Jacksons’ “Thriller” and let’s not forget Ivan Boesky and Michael Milken, junk bond kings—insider traders. We are all too familiar with corporate scandals that have happened over the last twenty years. Let’s remember, at that time compliance and ethics as a profession wasn’t even a glimmer in the eye of anyone. There were no compliance and ethics officers, no dedicated compliance and ethics professional organizations, no professional field of study, with the exception of the highly regulated industry of finance. There was very little talk about corporate culture and certainly not in relation to how affected ethical behavior and compliance. These were the years of the original Gordon Gekko and introduced into that mixture was the ongoing sentencing reform effort that was underway in Congress at the time. This resulted in the Sentencing Reform Act and this act was primarily concerned with reforming the sentencing of individuals in federal court. It did this in broad strokes by eliminating parole and creating a determinant sentencing regime. This meant that the sentence announced by the judge should be very close to the sentence actually served. The hope was to create more transparency in the sentencing system and reduce disparities in sentencing that happened regionally across the United States. Congress wanted to alleviate scenarios where somebody charged with exactly the same offense in Massachusetts would not necessarily receive the same sentence as somebody charged with that sentence in Florida. In order to accomplish these goals the Sentencing Commission was created by the Sentencing Reform Act. The commission is an independent agency with seven voting members, both judges and and non—judges. Its role is to develop sentencing guidelines for use by federal courts in the United States to study and research sentencing issues. It collects all sentencing information and helps to educate about this topic. Importantly, Congress mandated that the Sentencing Commission consider guidelines for organizations in the new regime. So the Sentencing Commission took up creating organizational sentencing guidelines that would allow federal judges to sentence organizations that have been convicted of federal offenses. These initial organizational guidelines came into effect 25 years ago—in 1991, Happy Silver Anniversary to the Sentencing Guidelines! A guiding principle behind these new guidelines was to provide a foundation for an organization to self-police its own conduct through effective compliance and ethics programs. Although that exact terminology wasn’t used in the original guidelines and they’ve gone through iterations since then, the genesis was there in 1991. It meant to encourage compliance through this framework of principles. The idea was to reward and incentivize organizations to create effective compliance programs by mitigating their punishment in the case of a criminal violation. Basically, the organization gets credit for cooperation and for having a program. The sentencing guidelines talk about compliance and ethics because it’s the carrot that leads to mitigation for organizations that might be charged with offenses in federal court. The seven hallmarks of an effective program were developed to be applied by organizations that found themselves in the situation. After twenty five years those standards have developed into the basis for compliance programs for everyone whether they’re facing criminal charges or not. The guidelines have become what they are simply because they were first and twenty five years on they still remain the basis for any effective program.

The Upshot

The Sentencing Commission is involved in compliance and ethics not only to determine the result of a criminal conviction for an organization, but to set standards, actionable standards for all organizations. The reason the commission is involved may be an accident of history, but the commission has taken its role very seriously and has put together a scalable set of standards for ethics and compliance program that all organizations can use to be more effective.

Three Questions with Tom Fox.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

eric@moreheadconsulting.com

If you want to avoid having a whistleblower you need to focus on your culture.

“What is the best defense against a Whistleblower?” & Three Questions with Dick Dube

Eric Morehead — Fri, 14 Oct 2016 17:34:49 -0500

This week’s question is “What’s the best defense against a whistleblower?”

A few years ago, the SEC announced their bounty program and there was much discussion about it. Is this a good idea for organizations? Does this stop an individual from coming forward with reports? We’ll discuss the reasons I am against financial compensation.

What happens to the company culture when you have a whistleblower? Let’s look at Cortland Kelley, head of GM’s inspection program, who raised alarms about the Cavalier and Cobalt vehicles. How did this affect the culture at GM?

So, what is the first thing an organization can do to respond to the potential for a whistleblower? What questions does your organization need to be asking? You will need to to measure the perception of the culture from the perspective of the employees and look at all levels of your organization, especially middle management.

One last thought about responding to potential whistleblowers is to consider very specifically your retaliation within the organization. This is key to avoidance of whistleblowers and can be key to addressing how you encourage people to come forward internally. This goes hand in hand with working on the culture and also encouraging managers to be primary communicators about all of these issues.

THE UPSHOT

Invest in middle management and understand the perception of retaliation in your organization these three things overlap and there are vitally important to keeping people reporting inside your organization.

Three Questions with Dick Dube, EVP – Chief Audit Executive & Ethics Officer at Old National Bancorp

If you want to avoid having a whistleblower you need to focus on your culture.

This week's question is “What's the best defense against a whistleblower?”

A few years ago, the SEC announced its bounty program and there was much discussion about it. At that time, I was working with an organization which was seriously discussing offering an internal reward to individuals who come forward with reports. Wisely, this organization decided not to move forward with the offer. I think there are two good reasons for this decision. One is very practical—how could an internal body match the financial value in some of the recent FCC settlements. The second reason is that it really sends the wrong message. Most organizations have focused on reporting and open communication, wanting a culture that speaks up. We want to make sure that everybody is comfortable coming forward, asking questions and making reports when they feel necessary. I really think that's key in answering the question—how you respond to a whistleblower? The Global Business Ethics Survey, formerly called the National Business Ethics Survey, by the Ethics and Compliance Initiative, actually has data on this. They have been looking at this issue for many years now. One particular metric that's come up repeatedly is that individuals that find themselves in weak or weak leaning cultures are much less likely to report as opposed to those that perceive a strong or strong leaning culture.

Cortland Kelley was a 3rd generation GM employee and had been the head of GM’s inspection program when he raised the alarm about issues with the Cavalier and the Cobalt vehicles. He repeatedly raised concerns and felt like no one seemed to be concerned and there were no actions taken. It got to the point that he actually became a whistleblower, he filed suit in 2002. GM denied the wrongdoing and the case was dismissed, the allegations contained therein later turned out to be true. But at the time GM had a victory and Mr Kelly's career as was reported in Bloomberg went into “hibernation.” Eventually, The CEO of GM was called to speak to Congress about these issues. The interesting thing is that when the people responsible for the safety program were questioned, they said they were too afraid to insist on safety concerns. They had seen their predecessors “pushed out the door.” My point here is even if the culture had changed from the perspective of management, it had not changed from the the perception of those employees. They still felt that if they were to speak up or make waves they would be retaliated against.

So, what is the first thing an organization can do to respond to the potential for a whistleblower? First, you need to measure the perception of the culture from the perspective of the employees. Find out how comfortable your employees are or uncomfortable as the case may be about speaking up. How do they feel about organizational justice? How do they feel about their avenues of reporting, asking questions or raising concerns? By measuring this information it gives you a baseline to have an understanding of where your needs are and where you need to address resources to try to change that perception. This leads to a second major area to address—the focus on the middle. I was speaking with a chief compliance officer who's responsible for an international, sophisticated, well-documented program. It included quarterly certifications from the regional managers about their compliance with certain aspects of the program. While discussing the overall tenor of the program, the culture of the organization and tone from the middle, the CCO brought up the certifications as proof that he had strong tone from the middle. These managers certified on a regular basis, they were doing the things that were prescribed in their programs. But in actuality, while many managers were doing the things that they needed to do, many were not and yet were still certifying. And if you talk to some of the people that were in their business units they didn't necessarily feel like they could approach those managers about compliance issues, concerns and questions. The point is that you can't measure tone from the middle based solely on the representations of the middle. The effectiveness of tone from the middle is measured at the rank and file. People that you're ultimately trying to reach through the management. If you're trying to determine the success or failure of tone, you have to measure that from the bottom. Are your messages getting through this middle level? Are they reaching the employees? And are concerns and questions from employees getting back up the chain of command in an appropriate way? It’s important to get buy-ins from managers, hey need to be educated about their roles. Give them resources and arm them to do a good job as ambassadors for the culture of the organization. They need to create an environment where people can come forward and ask questions and hopefully not become whistleblowers. But you can't simply assign the duty to the managers and not measure the effectiveness of that attempt.

One last thought about responding to potential whistleblowers is to consider very specifically your retaliation within the organization. The ECI has found that those who experience retaliation are much more likely to report outside the organization as whistleblowers. In fact they're nearly 50% more likely to go outside the organization. They also noted that whistleblowing is more likely to happen when management is involved in the misconduct. Need to address both actual retaliation and fear of retaliation. This is key to encouraging people to come forward and report. Its important to understand that retaliation can come in many ways. It can be the perception that you're not getting a promotion, that you've been reassigned or demoted. Be aware of this perception, this is key to avoidance of whistleblowers and can be key to addressing how you encourage people to come forward internally. This goes hand in hand with working on the culture and also encouraging managers to be primary communicators about all of these issues.

THE UPSHOT

eric@moreheadconsulting.com

3 Questions with Dick Dube, EVP - Chief Audit Executive & Ethics Officer at Old National Bancorp

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

eric@moreheadconsulting.com

https://twitter.com/eric_morehead

LinkedIn -Eric Morehead

https://www.facebook.com/compliancebeat/

“What does a foundation mean?” & Three Questions with Nicole Tarasoff

Eric Morehead — Wed, 12 Oct 2016 15:16:22 -0500

The Code of Conduct is the Foundation

Why does the Department of Justice and the SEC call the Code of Conduct the foundation of an effective compliance and ethics program? This question is something that has come up often over the last few years and this terminology— the foundation has become a buzzword. Let’s take a step back and look at where the Code of Conduct became such a vitally important piece of the puzzle for a compliance program. If we look back at the original U.S. Sentencing Guidelines standards for organizations, which by the way are going to be celebrating their 25th anniversary in November 2016, we don’t find code of conduct. There just wasn’t a focus on code of conduct when these initial compliance and ethics program standards were being developed. It’s only been a sharper focus in the last 5 to 10 years. Today, standards could be mere individual policies, they could also be other written documents. They definitely could be code of conduct which could encompass things like your employee handbook.

So this term foundation—what does it mean? There are some fundamental pieces of the compliance and ethics program puzzle that the code of conduct can often be a part of. So, when we talk about a foundation what do we expect from a foundation? We expect the foundation to be solid, we expect it to be well planned. Just like a a foundation for a building, it should should reflect everything that’s going to stand on top of it, it is the support system. We also know that foundations for buildings need to be maintained on a regular basis. The same goes for your compliance and ethics program. It needs to be revisited on a regular basis, that’s really important and sometimes overlooked.

Practically speaking, you should also consider a mission statement when talking about what a foundation means. What are the expectations of your organization? Code of conducts often have a statement from the CEO or chief executive in the front of the document, this can serve as a mission statement for compliance at the organization. It wasn’t always there 10 years ago but certainly that personal message stands for something, for ideals and principles, it establishes the tone of the conversation. The tone that you’re going to continue to have with your employees about these issues. It can be individual risk topics or discussions of things like reporting. It can be considered the hub of the wheel or base of operations for your compliance program.

Another key aspect of a foundation is that it’s basic, it’s simple, it’s structural. I think that really lends itself to talking about the broad values that underpin your compliance and ethics program. And the bottom line here is you want people to be familiar with these values, Familiar with the basic premises from the code of conduct.

I think as compliance professionals we are “glass half-empties” type of people. So when we think about the code of conduct and discussion of risk topics we’re trying to put together a resource to help people remediate problems. We need to think more like “glass half-full” people. The code should be aspirational, it should be the values platform of the organization. I think we tend to forget that and concentrate more on the mitigation or the clean up afterwards rather than the aspirational piece and I think that’s important to consider when you’re talking about a foundation. It’s a values foundation, a values platform for the organization as a whole and in their compliance and ethics program.

This notion of a foundation and using that kind of terminology is a very clear cue that the Department of Justice & SEC expect to see a code of conduct. A foundation that talks about values. A foundation that talks about big picture expectations. A foundation that supports a real bonafide program. So let’s take them at their word. Let’s make sure that the foundation is strong.

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com

The Upshot

The Code of Conduct is the foundation of your program. It’s got to be solid and well maintained, it must be purpose built for your unique organization, it must support your program and state the value of your organization. Lastly it must be maintained.

3 Questions with Nicole Tarasoff

If you a question you want answered on the podcast be sure to submit it on ComplianceBeat.com or reach out below.

eric@moreheadconsulting.com

SCCE Conference Highlights-Special Edition

Eric Morehead — Thu, 06 Oct 2016 17:30:59 -0500

The SCCE Compliance and Ethics Institute Conference in Chicago on September 24-27, 2016 is the stage for this podcast.

Eric Morehead, host of Compliance Beat was in attendance at the SCCE conference, along with 1700 compliance professionals and shares conference highlights and emerging trends in this Special Edition. The profession continues to grow and expand and more importantly people want to continue to grow and learn as they find themselves responsible for compliance issues.

Trends

A surprising & interesting trend is to now find newly appointed compliance officers or professionals wearing multiple hats. It’s fair to say in the past, especially in larger organizations, the trend was to apply more resources and have people that had compliance as their sole responsibility. This may be anecdotal, but it seems there is some retrenchment there. Could we be seeing this change due to lack of resources? One benefit at least–someone is now nominally in charge of the program. But on the flip-side could be wearing so many hats they may not have the time or expertise to devote fully to compliance.

As an exhibitor, Eric spent many hours in the exhibit hall at the SCCE conference, this allowed him to spend quality time with both vendors and service providers. One of the trends in the hall seems to be consolidation, which makes it feel like there are fewer choices. One example of this is Hotline services, in previous year there were many large providers. That’s not to say, that consolidation has caused any decrease in customer service, it’s just that choice is a good thing. In larger companies, you need to have some additional choices, especially when RFP’s are required. It was still good to see quite a few, newer and small organizations offering innovative tools and services. Many like Morehead Compliance Consulting were 1st time exhibitors.

A continuing trend involves training. The 45-minute training is disappearing unless mandated by statutory requirements. Training is becoming shorter in length, think of it as bite-sized pieces with more engagement, humor and entertainment. This does cause some concern for companies that are just not comfortable yet with mixing humor with compliance issues, they aren’t sure if this diminishes the importance of this issue. But, overall think many companies are realizing the value.

Another trend that came up was integration. It was common thread in many of the sessions. It was great to see the overall maturity of many of the programs. Companies have the basic pieces in place, but now are trying to get more integrated, trying to partner in a way that hasn’t been done in the past. They are starting to realize the importance of partnering with the employees in all departments–the “boots on the ground” so to speak.

You many not have been at the SCCE conference, but would love to hear any feedback on any trends you are seeing in the industry. Be sure to reach out and say Hello.