31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program in Training and Communications – Using 360 Degrees of Compliance to Tell a Story

The 360-degree approach to compliance works with all the stakeholders in a compliance program, even the “Document, Document, and Document” stakeholders, i.e., the regulators. By using innovative techniques, one law firm came up with a mechanism to present verifiable evidence to regulators, using the basic techniques of social media in operationalizing compliance as a solution to a difficult compliance issue around, of all things, honey. This example shows how creative thinking by a lawyer in the field of import compliance led to the development of a software application using some of the concepts of social media. Once again demonstrating the maxim that compliance practitioners (and lawyers) are limited only by their imagination, this software tool shows the power that a 360-degree view can bring to your compliance program.

Three Key Takeaways:

  1. Use the tools of social media to help tell your story of compliance.
  2. You are only limited by your imagination.
  3. Converging text, pictures, and data can be a powerful tool in compliance.
Blog

Gordon Lightfoot, Corporate Stakeholders and Compliance

Last week, we lost Canadian singer Gordon Lightfoot to Rock & Roll Heaven. In the 70s he had a series of hits which were some of the most heartfelt songs I can recall, including Sundown, If You Could Read My Mind, Carefree Highway, Canadian Railroad Trilogy and, of course, The Wreck of the Edmund Fitzgerald. If you were growing up in the 70s, the minute you heard the opening lines “If you could read my mind, love,/What a tale my thoughts could tell./Just like an old-time movie,/’Bout a ghost from a wishing well” and you heard the sonorous bass, you knew it was Gordon Lightfoot. According to his New York Times obituary, “Mr. Lightfoot was a national hero, a homegrown star who stayed home even after achieving spectacular success in the United States and who catered to his Canadian fans with cross-country tours. His ballads on Canadian themes, like “Canadian Railroad Trilogy,” pulsated with a love for the nation’s rivers and forests, which he explored on ambitious canoe trips far into the hinterlands.”

For me, Lightfoot was a storyteller, creating and performing what Steve Earle called “story songs.” His top story, for me, was his 1976 folk ballad about the sinking of the Great Lakes freighter the SS Edmund Fitzgerald, which sank 17 miles from the entrance to Whitefish Bay. Mike Ives, also writing in the New York Times, said “The Wreck of the Edmund Fitzgerald” “was unusual partly because, at more than six minutes long, it was about twice as long as most pop hits. It also retold a real-life tragedy — the 1975 sinking on Lake Superior of a freighter with 29 crewmen aboard — with meticulous attention to detail.” Eric Greenberg said it was a “documentarian’s song.” It still haunts me to this day: “The church bell chimed ’til it rang twenty-nine times / For each man on the Edmund Fitzgerald.”

In 2019, the Business Roundtable announced the release of the Statement on the Purpose of a Corporation (The Statement). The Statement was signed by 181 Chief Executive Officers (CEOs) who committed to lead their companies for the benefit of all stakeholders – customers, employees, suppliers, communities and shareholders. It stated:

Americans deserve an economy that allows each person to succeed through hard work and creativity and to lead a life of meaning and dignity. We believe the free-market system is the best means of generating good jobs, a strong and sustainable economy, innovation, a healthy environment and economic opportunity for all. 

Businesses play a vital role in the economy by creating jobs, fostering innovation and providing essential goods and services. Businesses make and sell consumer products; manufacture equipment and vehicles; support the national defense; grow and produce food; provide health care; generate and deliver energy; and offer financial, communications and other services that underpin economic growth. 

While each of our individual companies serves its own corporate purpose, we share a fundamental commitment to all of our stakeholders. We commit to: 

  • Delivering value to our customers. We will further the tradition of American companies leading the way in meeting or exceeding customer expectations.
  • Investing in our employees. This starts with compensating them fairly and providing important benefits. It also includes supporting them through training and education that help develop new skills for a rapidly changing world. We foster diversity and inclusion, dignity and respect.
  • Dealing fairly and ethically with our suppliers. We are dedicated to serving as good partners to the other companies, large and small, that help us meet our missions.
  • Supporting the communities in which we work. We respect the people in our communities and protect the environment by embracing sustainable practices across our businesses.
  • Generating long-term value for shareholders, who provide the capital that allows companies to invest, grow and innovate. We are committed to transparency and effective engagement with shareholders.

Each of our stakeholders is essential. We commit to deliver value to all of them, for the future success of our companies, our communities and our country.

This Statement dramatically changed the conversation in the compliance and business communities and the wider US political debate. The Statement gave every compliance officer, Corporate Social Responsibility (CSR) professional, ethicist and everyone else interested in moving the ball on corporations treating a variety of stakeholders with dignity and respect greater ammunition in fighting corporate malfeasance. It also presaged the explosive growth in ESG.

Many compliance professionals have struggled with how to implement a ‘stakeholder’ strategy which might focus on all stakeholders listed in the Statement. I was therefore intrigued by a recent article in the Harvard Business Review, entitled “How to Create a Stakeholder Strategy” which proposes a data-driven approach to design, measurement, and implementation by authors Darrell Rigby, Zach First, and Dunigan O’Keeffe.

In their article, the authors explore the interconnected relationship between all stakeholders, stating that “every stakeholder has an impact on other stakeholders—engaged employees improve customer satisfaction, which in turn spurs growth, and so on—many CEOs are pledging to generate benefits for all their constituents: customers, workers, suppliers, communities, and investors. But few leaders have explicit strategies for doing so; most seem to rely on intuitive approaches.” The authors’ approach is data-driven, noting that companies should “bolster data from such third parties with inside insights and gain an understanding of the interdependencies among their particular stakeholders.” From there, companies move forward to developing “a clear description of their purpose, establish criteria for evaluating progress toward it, set priorities among stakeholders, and start measuring value creation for each group. The last step is sustaining the new strategy through cultural change and by developing supporting processes and organizational structures.”

Over the next series of blog posts, I will be exploring the authors’ ideas from the compliance perspective. I hope you will find this blog post series timely and useful.

Tom’s Top 5 (all from YouTube)

  • Sundown
  • If You Could Read My Mind
  • Carefree Highway
  • Canadian Railroad Trilogy
  • The Wreck of the Edmund Fitzgerald

Innovation in Compliance

The Role of Backup Systems in Cybersecurity Defense with Curtis Preston

According to Curtis Preston, Chief Technical Evangelist at Druva, cyberattacks are not a matter of “if,” but “when.” In this episode, Tom Fox and Curtis dive into the importance of backup systems and cyber resilience to protect against ransomware and other types of cyberattacks. Curtis shares his insights on how to limit the blast radius of an attack, why you should assume a breach, and the need to have a playbook and a cyber response team in place. They also discuss the role of state-sponsored attacks in non-kinetic warfare and the need for increased cyber resilience as we approach 2030.

W. Curtis Preston has 30 years of experience in the backup and data protection industry. He started his career in 1993 at MBNA, then the second-largest credit card company, and has been specializing in backup servers ever since. He is currently the Chief Technical Evangelist at Druva, where he talks, writes, and hosts podcasts about data protection systems. Curtis is also known as ‘Mr. Backup’, a moniker he adopted while writing his first book on backups.

You’ll hear Tom and Curtis discuss:

  • SaaS-based data protection systems are becoming increasingly important as more companies rely on SaaS infrastructures like Microsoft 365 and Google Workspace. Companies should not count on these providers to protect their data; they should consider using SaaS-based backup systems instead.
  • Curtis tells Tom, “There should be security interest, as well as technical and storage and network interest. All of those interests should be reflected in the implementation of such an important system as a data protection system.”
  • Ransomware attackers are now targeting backup systems directly, making it crucial for companies to modernize the security infrastructure of their backup systems. They can do this by using SaaS-based systems that come with modern security features such as multi-factor authentication, triggers and alerts, and the concept of least privilege.
  • The inefficiencies and difficulties of a typical on-premises backup infrastructure, such as overbuilding and overengineering, can be solved by using a SaaS-based system where companies only pay for what they are actually using.
  • Fire drills, or ransomware drills, can help companies develop “muscle memory” and test their incident response playbook before an actual attack occurs.
  • Role-based administration is important to limit the blast radius in case an administrator’s account is compromised. Each person involved in the backup process should have specific roles and responsibilities.
  • State-sponsored attacks on American businesses, especially from Russia, are increasing. It’s important to beef up defenses, assume breaches, and have a playbook ready to respond to ransomware attacks.
  • By 2030, cyber resilience and protection will be bigger topics as people become more aware of cyberattacks. Passwords will be a thing of the past, and people will have to live in a world of constant cyberattacks.
  • Having a robust backup plan in place with sufficient security protocols is essential to recover from a cyberattack. It’s important to have the backup system completely air-gapped from the primary network.
  • Druva is a SaaS provider that offers a backup system that is stored behind a different authentication and authorization system. The data and metadata are separated for security reasons and constantly monitored for security purposes.

KEY QUOTES:

“Today, I think the average user is so used to equipment that just works, they don’t really think as much about backup and recovery, I think, as we did back in the day.” – Curtis Preston

“By the way, I do think by 2030, passwords will be a thing of the past.” – Curtis Preston

“It’s also having a robust backup plan in place with sufficient security protocols and that when you are attacked, not if, when you are attacked, they can’t take your star player out, and if it all does go down, you have a way to at least build back.” – Curtis Preston

Resources:

Curtis Preston on LinkedIn | Twitter

Backup Central | Druva

Compliance Week Conference Podcast

Billy Jacobson – A Fireside Chat with Glenn Leon

In this episode of the Compliance Week 2023 Speaker Preview Podcasts series, Billy discusses his fireside chat at Compliance Week 2023 with Glenn Leon, head of the Fraud Section at the DOJ, “Confronting Corporate Crime.”

Join Billy as he visits with Glenn Leon for a discussion focused on the priorities for the Fraud Section and what compliance professionals can expect in the coming year. Hear the DOJ’s perspective on evaluating corporate compliance programs, including implementing the DOJ’s new white-collar policies, such as those covering violations of the FCPA, and investigating complex schemes involving health care, securities, and procurement fraud.

I hope you can join me at Compliance Week 2023. This year’s event will be May 15-17 at the JW Marriott in Washington, DC. The line-up of this year’s event is simply first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 18th year, compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Join them to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 75+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from the two SEC Commissioners, gain insights into the agency’s enforcement areas, and walk away with guidance on remaining compliant within emerging areas such as ESG disclosure, third-party risk management, cybersecurity, cryptocurrency, and more.
  • Bring actionable takeaways back to your program from various session types, including ESG, Human Trafficking, Board obligations, and many others, for you to listen, learn and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount of $200 by using code TF200 on the link here.

Daily Compliance News

Daily Compliance News: May 9, 2023 – The Int’l ABC Court Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Will SCt kill SEC rule-making ability? (WSJ)
  • Int’l ABC court gains traction in the UK. (The Guardian)
  • Poor AML killed the bank merger. (WSJ)
  • PNF is investigating Thales over sales into India. (Bloomberg)
Data Driven Compliance

Data Driven Compliance: Dale Waterman – The Role of Data Sovereignty in Data Driven Compliance

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast, hosted by Tom Fox, which features in-depth conversations around the uses of data and data analytics in compliance programs.

In this episode, host Tom Fox brings in industry expert Dale Waterman as a guest to discuss data sovereignty and its implications for businesses. Waterman, Managing Director at Secretariat, shares his experience in the Middle East and Africa region and how US companies looking to invest in the region need to be aware of local laws and their complexities. Listeners will learn about data protection principles, such as data minimization and de-identification, and the importance of considering third-party risks in data protection. Dale also provides tips for improving data security and predicts a growing trend of cybersecurity and data governance convergence. Tune in to this podcast to learn how to navigate issues related to data sovereignty, cross-border data transfer, and evolving data privacy and protection laws. Subscribe to the Data Driven Compliance podcast today!

Key Highlights:

  • Data sovereignty and cross-border laws
  • The global impact of tech surveillance
  • Data sovereignty and regulations in the EU vs. the Middle East
  • Future challenges in data governance

Notable Quotes:

“The sovereignty of data refers to the fact that no matter where the data moves, across borders, you still apply the laws of the country where the organization is based.”

“The term is I’ve talked briefly about the fourth industrial revolution, and you’ve got these data driven technologies, and all of them are predicated on an ability to access and process data, and they need that free flow of data across borders.”

“Step number 1 is we’ve got this broad global move by governments to kind of aggregate data and keep control of it.”

“All of this, again, is created in this concept of sovereignty where the data’s ours, and you can’t send it out our region unless x, y, and zed happens.”

Resources

Dale Waterman on LinkedIn

Secretariat

Tom Fox
