Compliance Perspectives

Post By: Adam Turteltaub Brooke Nelson (LinkedIn), Executive Director, Worldwide Compliance and Business Ethics at Amgen had a unique and broad perspective on managing compliance during the pandemic. In this podcast she shares what she has seen, including a drop in incidents in many areas.  Part of that, she believes, is likely due to the fact that people were disconnected.  With sales reps less able to make calls on medical practices there were less interactions and less opportunities for things to go awry. When it comes to investigations the adjustment to the pandemic has gone better than might be expected.  As she notes, global organizations have always had to rely on some remote methods in the past when conducting investigations since you didn’t necessarily have compliance staff in every location.  During this era, though effective investigation practices in distant locations have likely grown more effective. However, there remains a strong case for conducting at least some aspects of the investigation in person.  An in-person meeting can give a clearer read of the individual.  In addition, the presence of an investigation team may lead other individuals on site to share information that they might not have.  An investigations team physically present also offers another benefit:  it demonstrates the company takes investigations seriously. With the US and other regions hopefully soon reopening, she does warn that compliance teams should be prepared, if they aren’t already, for change.  It is time, for example, to reiterate the need for the workforce to reach out and report their concerns through the helpline and other channels. Compliance should also look out across the organization to better understand what is happening on a country-by-country basis, both for the business units and for the compliance team, itself.  There are likely significant disparities and a need to adjust efforts and expectations accordingly. And, of course, the way we all work has changed, perhaps permanently. Listen in to learn more about our recent past and what to consider moving forward.

Post By: Adam Turteltaub Jim Passey, Vice President, Chief Audit & Compliance Officer at Honor Health sat down with us to record three podcasts focused on compliance career development: Setting Career Goals Moving Your Career Forward Making it to the Top It isn’t enough just to set your eyes on the goal of chief compliance officer. Nor is it probably advisable to walk into the CEO’s office and make your pitch should the job become open. In this podcast Jim Passey, who has been a Chief Compliance Officer for six years and at two organizations, share his advice for crossing the threshold from staff to leadership. He advises that you start the process long before the job opens up. Be visible and make yourself known in meetings and on key projects as an active participant, not just another body in the room. Let people see you as an agent for positive change and a key voice at the table. That will both help your career, and help others take the compliance program more seriously. Let your supervisor know you are eager to advance. Couch it in terms such as “I want to take on more responsibility” or “I’m eager to add value.” An emotionally intelligent manager shouldn’t take that as a threat, but instead take it as an opportunity to help you grow. Plus, if you don’t make your intentions clear, you may be passed up for someone else who has. When the top job does open up, it’s important to remember that the CEO, board, or whoever else is doing the actual hiring probably has never worked in compliance and lacks a full understanding of the job. You will need to bridge that knowledge gap. You will also need to remember that, at the top level, technical skills, such as expertise in specialized areas of law, are likely to be less important than personality characteristics and fit. Leadership wants someone who is going to be able to partner with them. It’s also important to remember that the interview is a two-way street. Be prepared to ask questions that will you determine if the job (especially at an unfamiliar company) is right for you. Consider questions in your head such as: Does this conform to my perception of an environment I want to work with? What kind of support will I get? Are the leaders a strong, compliant type of a group, or are they just trying to fill the role? Listen in to learn more about how you can improve your chances of making it to the top of the compliance profession.

Post By: Adam Turteltaub Cheryl Curbeam (LinkedIn), Vice President, Chief Risk and Compliance Officer at Corteva Agriscience has had a very interesting and unusual path to the compliance professional. She studied and began her career in mechanical engineering before moving into operations leadership. It turned out to be a great background for compliance, teaching her how to think about what is and isn’t in scope and how to solve tough problems. From there she went into sales, spending about 80% of her time on the road. It gave her great insight into the mind of salespeople, including the fact that their focus is on customers. Corporate work, including compliance training, is squeezed in when they can find time. As a result, sales teams want compliance to deliver clear and easy-to-find guidance. That experience helped her when she went to develop an app to support the compliance program for this new company, which was created in June 2019 after Dow and DuPont merged and spun Corteva off. Despite the long compliance history of both of the original organizations, the new enterprise needed to create a compliance program of its own. It launched, not too long before the pandemic and all the changes that came with it, including having even more of its workforce operating remotely. As she explains in this podcast and will also address at the SCCE Technology and Compliance Conference on June 24th, the company needed to train employees remotely and enable them to report concerns. An app turned out to be an ideal tool. The mobile solution housed training, the code of conduct and other assets such as quick learning topics.  It also provided a vehicle for accessing the helpline. What’s her advice to others considering developing an app? First, find a vendor that can support all phases of app development. Second, be sure to have a strong project manager internally to deal with the complexity inside your company. Third, know what content you need to deliver. Fourth, gain the support of your IT department. And finally, have a strong communications plan to ensure that the workforce understands the value the app provides. Listen in to learn more and be sure to join us June 24th for the SCCE Technology and Compliance Conference.

Post By: Adam Turteltaub When a data breach occurs, one step is often overlooked in the rush to remediate:  preserving as much of the data logs and backups as possible  That’s a mistake, say Debra Geroux, Shareholder at Butzel Long and Scott Wrobel, Co-Owner, N1 Discovery, because that data illuminates what happened, how it happened, and what data was taken. In this podcast they also advise hiring cyber counsel immediately to obtain guidance through the legal and regulatory issues.  They may also be able to help you conduct the subsequent investigation under privilege.  Counsel can also help identify outside resources, deal with law enforcement, and help healthcare organizations determine if the breach is a reportable one. In addition to outside counsel, Geroux and Wrobel argue strongly for leveraging the organization’s communication team.  Managing messaging is critical.  The communication targets—victims, employees, the board, public, media -- have to be identified and given the information they need.  But, be judicious.  Limit your communications to essential information to reduce the opportunity to spin the story. Most importantly, they advise, make the effort to understand what the root cause of the incident was.  Often, that’s not as evident as it may seem.  Sometimes the first suspected point of breach is not the actual one. To reduce the risk of future incidents, they recommend adopting two-factor authentication.  Workforce training is also essential since so often employee errors (and vulnerability to sophisticated phishing efforts) are a factor. Hiring a third-party security company to conduct an internal and external vulnerability assessment can also be helpful.  It should identify every device and piece of software on or connected to your network, their vulnerabilities and how to remediate them. That assessment should also address any cloud-based solutions your organization is using.  While, generally speaking. those solutions are secure, if your organization leaves the default settings in place, it could leave you exposed to bad actors. Listen in to learn more about how to protect your organization, including the need to take a second look at your cyber insurance policy.

By Adam Turteltaub Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance is a close watcher of all things compliance, and in this podcast he shares his take on both the top stories of 2023 and what he sees in the cards for 2024. FCPA On the Foreign Corrupt Practices Act front, he noted a change in enforcement. While the volume of resolutions declined on the DOJ side, the SEC has remained very active. Perhaps most notably, the Albermarle case had an interesting twist. The way the company did business was changed dramatically as a part of the settlement, he reports, with a restructuring of its overseas sales and the end of the use of third parties. He speculates this may be the start of a new trend in which monetary penalties are accompanied by required changes to the way companies do business. Also of note in FCPA was the announcement by Lisa Monaco at the SCCE Compliance & Ethics Institute of a leniency policy in mergers and acquisitions. Because of the relatively short timeline for finding and disclosing problems, there is a strong incentive for organizations to involve the compliance team early and deeply in these transactions. SEC Cybersecurity Rules The July SEC rules on disclosures of cyber incidents require firms to disclose an incident within four days. Companies will need to describe the nature, timing and material consequences. That will increase the importance of thorough and prompt cyber materiality assessments, as well as both quantitative and qualitative impacts. Greenhouse Gas Disclosures The SEC’s proposed rule on greenhouse gas disclosures is now the longest and most commented rule in history. It also has not been finalized while, in the meantime, both California and Europe have passed their own laws. The rule is likely to be very complex and impose a significant burden on companies. Healthcare The biggest news he saw in 2023 was the new General Compliance Program Guidance issued by the Office of Inspector General at HHS. The document makes it clear that it expects a fully independent compliance program. As the document states: The compliance officer should: report either to the CEO with direct and independent access to the board or to the board directly; have sufficient stature within the entity to interact as an equal of other senior leaders of the entity; demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks. The Future Looking to the future he asks if others will be as supportive as the OIG at HHS. He also points to other things to watch such as the Foreign Extortion Prevention Act, the PCAOB’s extremely controversial NOCLAR proposal and SEC v. Govil, which could eliminate disgorgement in many cases. Listen in to learn more about what has and may happen in the world of compliance.