
Compliance Perspectives

Summary: Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To submit ideas and questions, please email: service@corporatecompliance.org

  • Artist: SCCE
  • Copyright: Society of Corporate Compliance & Ethics

Podcasts:

 Carrie Penman on the State of Compliance in 2023 [Podcast] | File Type: audio/mpeg | Duration: 13:24

By Adam Turteltaub NAVEX earlier this year issued its very substantial 2023 State of Risk & Compliance Report. To learn about the key findings we sat down with longtime ethics and compliance leader Carrie Penman, who serves as the company’s Chief Risk and Compliance Officer. Overall, the data reveals strong management support for compliance and ethics programs, although there are cracks showing. When asked whether this commitment persists in the face of competing interests, the numbers show a troubling drop. Worse, there was an increase in the number of survey respondents indicating that middle managers encouraged employees to act unethically or impeded compliance personnel from doing their job. It was still a minority, but a larger one than before. Turning to specific risk areas, data breaches and privacy/security threats were the top fears for compliance professionals. Not surprisingly, cyber came up as a top training topic. It was followed by codes of conduct and privacy. Looking globally – the survey also has data broken out for Germany, France and the UK – there was a far from uniform picture, with country-by-country variations showing varying priorities and levels of satisfaction. For example, risk and compliance professionals in Germany rated their ability to measure training and behavior higher than their peers in France and the US did. All in all, the report makes for a fascinating, and sometimes troubling, picture of the practice of compliance. Listen in to learn more about what the data said and what it may indicate for your compliance program.

 Brent Douglas on Background Checks [Podcast] | File Type: audio/mpeg | Duration: 15:55

By Adam Turteltaub It may be time to rethink background checks. Brent Douglas (LinkedIn), partner at the law firm Hahn Loesser, explains that their use has been greatly reduced in many industries. This reflects the increase in the number of what are known as “ban the box” laws, which prohibit employers from asking job applicants to tick a box if they have a criminal history. He also warns that in some jurisdictions screening applicants wholesale for criminal backgrounds may not be permissible. Only after a job offer has been conditionally made can a firm conduct a check. That doesn’t mean background checks are always prohibited. In certain industries, such as healthcare, defense and transportation, they are often required. Even screening for marijuana usage may be permissible, but be careful. California, starting in January 2024, will enforce a new testing methodology. If your organization conducts background checks, it may be best to have a third party conduct them for you. This both leverages their expertise and may shift liability if the check is done improperly. He also cautions that even a casual internet search of a prospective employee may turn up a past criminal conviction and cross the line into what legally constitutes a background check. For those concerned about the risks of hiring a criminal, he points out that roughly 95% of the population does not have a criminal background. Amongst those with a conviction, about 95% were for marijuana possession or a DUI. He asks: is it worth doing the background check given these odds? Listen in to learn more about the risks of background checks.

 Mary Shirley on Leveling Up as a Compliance Professional [Podcast] | File Type: audio/mpeg | Duration: 14:50

By Adam Turteltaub Mary Shirley (LinkedIn) has had a fascinating journey as a compliance professional. Born in Hong Kong and raised in New Zealand, she has worked in Singapore, Dubai and across the US. She currently serves as Head of Compliance at Masimo, and she just authored the book Living Your Best Compliance Life: 65 Hacks & Cheat Codes to Level Up Your Ethics & Compliance Program. In this podcast she argues for embracing professional development and owning your own advancement. Among the hacks she recommends is creating a notebook on yourself. Record in it what you have done, the key steps along the way, and some of the larger details. That way, when annual performance time comes around, you are prepared to share what you have accomplished and won’t have to scramble to reconstruct what you did over the past year. The same information, she points out, is very helpful when looking for your next position. It can help you both recall what you have done and prepare to answer questions about key accomplishments and solutions you have developed. When it comes to speaking at conferences and writing, she offers some simple advice: just start. If you don’t, you will always wonder what might have happened if you did. From a practical perspective, she urges people to remind themselves that the first draft doesn’t have to be the last. You can turn to others for feedback who can help you revise and improve that article or speaking proposal. To get the best advice, she recommends creating what she calls a wisdom council: a group of individuals whose advice you can trust. The council should be made up of people with diverse skills and experiences who have practical expertise and the comfort level with you to offer both encouragement and honest feedback, even if it is uncomfortable. Listen in for more advice on how to level up your skills and how to find the courage to pursue your goals.

 Kristy Grant-Hart on Maximizing Your Conference Experience [Podcast] | File Type: audio/mpeg | Duration: 12:42

By Adam Turteltaub You’re all signed up for the Compliance & Ethics Institute or another SCCE or HCCA conference. Now, how do you make the most out of your time there? Kristy Grant-Hart, CEO of Spark Compliance Consulting and herself a former compliance officer, shares in this podcast several excellent tips for making your conference time truly valuable. Her recommendations:
  • Plan out which sessions you want to attend before you arrive. It makes for a much more strategic and less stressful approach than picking sessions hurriedly at the breaks.
  • Pick the sessions based on both the topic and the speakers you want to listen to and meet.
  • Map out time to do work and answer email. It’s a lot easier to sit and listen to a session when you have defined times to work and a defined time to be fully present at the conference.
  • Start your networking before you go. Announce on LinkedIn that you’ll be there and try to connect with others who will be attending.
  • Take advantage of vendor receptions and dinners to meet more people.
  • When you connect onsite, also connect on LinkedIn right then and there.
  • If you promise you’ll send someone a follow-up email, do it that night before you forget.
  • Don’t be afraid to approach people you don’t know. They’re probably there to meet new people, too.
  • Put your follow-ups for once you’re back in the office into a list that you can easily find.
Listen in to hear more great ideas for getting the most out of your time at the conference.

 Andre Bywater on the EU-US Data Privacy Framework [Podcast] | File Type: audio/mpeg | Duration: 11:21

By Adam Turteltaub First there was Safe Harbor, then there was Privacy Shield, both of which were struck down, leaving an enormous chasm in the rules for sharing data between the EU and the US. Now, explains Andre Bywater, Partner at Cordery, there is a bridge: the EU-US Data Privacy Framework. The new framework seeks to address the issue that led to the court striking down Privacy Shield: access to data by US intelligence agencies. To allay European concerns the US has now put in place a two-level system to redress grievances. EU citizens can lodge a complaint with the Civil Liberties Protection Office. If not satisfied with the results there, they can escalate to the US Data Protection Court, which has the power to issue orders to have data deleted. The new framework is likely to be a big step forward, but it’s not the only one data processors will have to take. Organizations will first need to determine if they are eligible to participate. Next, they will need to self-certify their processes for handling EU data, a process that will be overseen by the US Department of Commerce, with enforcement handled by the FTC. Whether self-certifying for the first time or recertifying, there are countless details to be watched. There are special provisions, for example, when it comes to HR data. And, of course, there is the question of whether courts in Europe will allow the new regime to stand. There is already speculation that a new case may be brought in January 2024. For now, though, there is a new EU-US Data Privacy Framework in place. Listen in to learn more about what your organization needs to do to comply.

 Mark Schreiber on PCI 4.0 Compliance [Podcast] | File Type: audio/mpeg | Duration: 15:04

By Adam Turteltaub Payment Card Industry (PCI) compliance is driven by a set of rules that set a standard of security for any entity that takes, stores or processes credit card data. Any time you or I make a credit card purchase, we rely on PCI compliance by all involved to keep our information safe. Now, the standard is evolving to PCI 4.0, explains Mark Schreiber, Senior Counsel at McDermott Will & Emery. PCI 4.0 is far more robust and clarifies the misunderstandings in the previous standard. It also imposes more than 50 new obligations. Most notable of the changes is the new emphasis on third parties and the need to monitor them. Now, merchants must maintain lists and descriptions of all third-party providers and have written agreements with them that account for security standards and include a process for due diligence before engaging with them. Central to the process is a responsibility matrix, which outlines which party is responsible for each aspect of credit card security. Perhaps needless to say, this is not likely to be a quick process. Also likely to be time consuming is the mandatory self-assessment questionnaire. Listen in to learn all that PCI 4.0 requires and to hear an important warning: just because you outsource your credit card processing doesn’t mean you outsource the risk.

 Cheryl Gilbert on Celebrating Corporate Compliance & Ethics Week [Podcast] | File Type: audio/mpeg | Duration: 13:38

By Adam Turteltaub Stamford Health has just a bit less than 4000 employees spread out over more than 40 local offices. For some that would be a nightmare when figuring out how to put together a celebration of Corporate Compliance & Ethics Week, but it’s not for Cheryl Gilbert, the director of compliance and privacy. To make the annual event work she uses a wide range of communications vehicles to get the word out. The organization has a new employee orientation every other week, and compliance is a part of it. The organizational newsletter, which publishes twice each week, is also put to use. So, too, is the compliance intranet site. What isn’t used? Posters. The team found that the effort involved in creating them, putting them up and taking them down just wasn’t worth it. To make the week fun they have developed a wide range of activities, including a:
  • Haiku contest. Employees are challenged to write a haiku based on the organization’s core values.
  • Where’s Waldo-type game in which employees have to spot all the breaches on a messy desktop.
  • Question of the day.
  • Word search, which is probably the most popular of all.
There is also the opportunity to nominate compliance heroes, with rewards to both the hero and the person who nominates them. While all of these are great for building the relationship between compliance and the rest of the organization, she advises that you shouldn’t let your Corporate Compliance & Ethics Week be the only time of year in which the barriers come down. She recommends investing wherever possible in face-to-face interactions. You would be amazed, she tells us, at what a coffee cake can do to help. Listen in to learn more about how to make your Corporate Compliance & Ethics Week celebration a success.

 Jeremy Laws on Cancer Reporting Requirements [Podcast] | File Type: audio/mpeg | Duration: 12:43

By Adam Turteltaub Cancer is not just a diagnosis between a patient and physician. In this podcast Jeremy Laws, Operations Supervisor at the Ohio Cancer Incidence Surveillance System, explains that a cancer diagnosis triggers state-by-state reporting requirements for healthcare providers. In general, there are two areas of reporting: cancer information and patient information. Cancer information generally includes where it is on the body, the type of cancer, what type of tissue is affected and how the cancer is behaving. Patient information includes name, age, sex, race, address, date of diagnosis and date of first treatment. And, for those concerned about HIPAA, he points out that there is a public health exception that this falls squarely under. The data provided feeds into the US Cancer Statistics Report that is published annually. It is also used by policy makers and researchers. Compliance teams need to ensure that their facilities are reporting the data, which many fail to do. There is a tendency to believe that, for example, the lab is reporting the results and so the physician does not need to. That’s not the case, he explains. Worse, many facilities do not even know that they need to report cancer findings. Listen in to learn more about how to ensure your health care facilities are meeting their cancer reporting requirements.

 Stephen Pavlicek on Involvement Options with SCCE & HCCA [Podcast] | File Type: audio/mpeg | Duration: 6:55

By Adam Turteltaub When it comes to networking and sharing ideas with other compliance professionals, people tend to think of attending conferences. That’s not the only way to do it. In this podcast Steve Pavlicek, Community Engagement Manager at SCCE & HCCA, shares the free resources the association provides and how to take advantage of them. The first stop is HCCAnet and SCCEnet. They were created to be a social network just for the compliance community. People post and answer questions, share their opinions and even share documents. To see all that’s there, first log in on the SCCE or HCCA site. Next, click the Login button on HCCAnet or SCCEnet. You’ll find approximately 40 different communities discussing issues such as auditing and monitoring, the Foreign Corrupt Practices Act, privacy and more. There are also communities organized by industry. If you’re looking for real-time interactions, try one of our Meet Ups. You’ll find a schedule of them at HCCAnet and SCCEnet. These sessions take place via Teams. The group selects topics to discuss, breaks up into smaller groups for conversation, then returns for further conversation. In addition, there are active LinkedIn groups for SCCE and HCCA. Read the messages there, share insights of your own, or use the group to connect directly with other compliance professionals. In sum, there are a host of vehicles out there for you to connect with and meet the wider compliance community. Be sure to take advantage of all of them.

 Laura Fey, Tom Leatherbee and Jillian Cusack on Compliance and Disaster Preparedness [Podcast] | File Type: audio/mpeg | Duration: 14:37

By Adam Turteltaub When planning for disasters, organizations are typically focused on things like call trees, backup data servers, and alternative work locations. In the crush to survive the immediate threat it’s easy to forget about compliance, and even during disaster planning, compliance may come last. That’s a dangerous mistake, explain Laura Fey, Principal, Fey, LLC; Tom Leatherbee, Manager, Recovery Division, Hagerty Consulting; and Jillian Cusack, AVP, Privacy Officer, American Fidelity. Just because normal business operations are interrupted doesn’t mean compliance obligations are also on pause. Ensuring compliance plays a role in disaster planning is more important than ever. Natural disasters, ransomware attacks, a pandemic and other threats seem to be more frequent and can turn into situations that last days, weeks, months or even years. When they do, not only do existing compliance considerations continue but new ones can arise, ranging from OSHA to employee obligations – you still have to pay into pension plans and make insurance payments – to financial reporting. There may also be state laws and standards under ISO and SOC 2 that may be implicated. If your institution is a recipient of federal grants, the reporting requirements don’t stop during disasters. Plus, if your organization will be seeking federal disaster grants, there will be compliance obligations there as well, including the need to document the damage. To ensure the compliance team is a part of disaster planning, establish a relationship with the person in charge of leading that effort. Learn who else they work with and get to know them as well. Take the time to understand what the risks are using resources such as Ready.gov. Think through what data you will need to collect and track during the pandemic, and be prepared to help your colleagues understand that compliance can play a vital role in disaster planning and recovery.

 Jonny Frank and Kat Nolan on Compliance Program Certifications [Podcast] | File Type: audio/mpeg | Duration: 10:32

By Adam Turteltaub There has been, to say the least, a great deal of controversy over the US Department of Justice’s plan to require compliance officers to provide a certification as a part of corporate resolutions. Many fear that it could lead to significant legal risk for compliance teams and fewer individuals willing to assume compliance roles. Jonny Frank, Partner, and Kat Nolan, Senior Consultant, at StoneTurn are not concerned. They point out that in the 20+ years since Sarbanes-Oxley, despite the predictions, there have not been the lawsuits and empty CFO and CEO chairs that some feared. Instead, they believe, these certifications could lead to increased power and prestige for chief compliance officers. In the podcast they lay out a five-step process for certification:
  • Select a framework for the certification criteria that the organization will grade itself against.
  • Conduct a scenario-based compliance risk assessment.
  • Assess and design key control activities.
  • Create a sub-certification waterfall: set accountable owners throughout the organization to certify compliance effectiveness in their area.
  • Arrange for a third party or internal audit to assess the program.
Listen in to learn more, including the importance of documenting your processes.

 Kristy Grant-Hart on the Global vs. Local Dilemma [Podcast] | File Type: audio/mpeg | Duration: 13:14

By Adam Turteltaub So, you’ve got a global compliance program. But what do you do when a local team says, “That doesn’t really work here” or “We think it would be better if it were changed to something else for us”? Kristy Grant-Hart, CEO of Spark Compliance Consulting, recommends keeping your values the same wherever you operate. Values are typically based on universal ideas. They and your code of conduct should remain constant wherever possible. Communications from the CEO and leadership should also be the same everywhere. You don’t want the CEO saying one thing in one country and something else in another. Categories used for reporting and investigations should also be the same everywhere; otherwise it will be difficult, if not impossible, to track where the issues are. Similarly, root cause analysis and risk assessment methodology must be the same globally. So where can you localize? She recommends looking at areas such as gifts and hospitality. What’s reasonable in one region may not be in another. Look also at employment practices. Having a policy of non-discrimination is good, but in some regions there may be requirements to hire certain indigenous groups. To avoid confusion, she advises defaulting to one policy wherever possible, and being sure to have a version control process in place. You don’t want one office to still be operating under an old policy. Listen in to learn more about how to make thoughtful localization decisions, how to get honest feedback locally, and what to do about facilitation payments.

 Melinda Shapiro on Enterprise Risk Management [Podcast] | File Type: audio/mpeg | Duration: 12:11

By Adam Turteltaub Melinda Shapiro, Senior Director of Compliance at San Diego-based National University, knew she needed to do something different with the school’s approach to enterprise risk management (ERM). When she took on the compliance role, she discovered that risks tended to be aggregated into large buckets, such as human capital, which made it difficult to assess individual risks. In addition, risk ratings varied widely by affiliate. Adding to the challenge, the document produced took a narrative approach, with long explanations of the risks and mitigation efforts. Sometimes there was a lack of alignment between risks and controls. Worse, the format made it difficult to track changes year to year. Inspiration came from speaking with two other participants at the SCCE Higher Education Compliance Conference. She was able to see a new way of approaching ERM, including switching from a one-year to a two-year cycle. The results have been highly positive. She reports that there is a much better understanding of risks and controls. In addition, there is now better alignment and very strong support from the board’s audit committee. Listen in to learn more about what she did differently, how she learned from others, and new ways to think about your own ERM process.

 Emeka Obiora on Health Care Compliance in the United Arab Emirates [Podcast] | File Type: audio/mpeg | Duration: 12:23

By Adam Turteltaub Healthcare and healthcare compliance are often thought to be very country specific, due to the many variations in healthcare structures. To learn more about how healthcare compliance works in one country outside of the US we spoke with Emeka Obiora, Vice President, Ethics and Compliance at NMC Healthcare in Abu Dhabi. Emeka explains that the United Arab Emirates (UAE) has something of a split system. Public sector hospitals primarily serve Emiratis, who are provided with healthcare by the government. Foreign workers in the UAE are required to carry insurance and typically see private providers. As a result, the risk profile is very different. Risk is still present, though, with several key areas to manage. The first is licensing. The UAE relies upon medical professionals who come from all over the world and have vastly different training and backgrounds. All must be qualified and licensed locally, which represents a substantial undertaking. The second common risk area is conflicts of interest, which is focused on interactions with pharmaceutical and medical device manufacturers. To ensure that there is no undue influence, contact between clinicians and providers may be completely prohibited. As is the case elsewhere in the world, privacy is also a significant concern, and in the UAE it has grown to be a greater challenge now that there is a new, tougher law. So, is working in healthcare in the UAE right for you? Emeka recommends asking yourself if you have a sense of adventure. As importantly, ask the same about your family and what impact a move may have on them. If you do decide to take the plunge and find a potential opportunity, assess it like you would any other compliance position. Look at the organization and its governance structure: Will you have access to the senior level of the organization? Question carefully their approach to compliance and ethics. While it may not be as advanced as what you are used to in the US, if the tone and the commitment are there it’s worth considering, especially because there is a growing emphasis on accountability, corporate responsibility and ethics in the UAE. That portends well for the future. Listen in to learn more, including one myth about the UAE that needs to be dispelled.

 Ami Simunovich on Growth, Risk and Compliance [Podcast] | File Type: audio/mpeg | Duration: 13:06

By Adam Turteltaub Compliance professionals are trained to point out downsides, identify risks and educate others on what can go wrong. But, as Ami Simunovich, Executive Vice President, Chief Quality, Regulatory Officer & Public Affairs for BD, points out, they need to balance that with a need to see, and encourage others to take, the right risks. A compliance officer who can do that earns credibility with business leaders. So, how do compliance professionals get there? She recommends reorienting thinking to focus on how to advance the business in the right way. That begins with tying decisions back to the purpose of the company. This can help enable the right leadership mindset and avoid reckless decision making. Grounding decisions in the code of ethics, along with a focus on the business’s purpose, helps create a framework for better decision making. Next, make sure business leaders are keeping up with the regulations. Also, encourage them to ask gut-check questions such as: Are we making the right decision? Would our partners be proud of what we have done? Is this who we are? Along the way, embrace open conversations that ask whether the decision or initiative is the right one. At the same time, be sure that, as the business proceeds, there are controls in place that are fit for purpose for the risks at hand. Listen in to learn more about how the compliance team can help the business grow.
