Categories
Blog

Operationalizing Compliance With 10 Questions for HR

Operationalizing compliance is the crucial step in creating an effective compliance program within an organization. It involves cascading compliance goals to all levels of the organization and fostering a culture of compliance. This process requires clarity and comparability of goals, focusing on high-risk areas first, and gradually expanding initiatives. Ethical business conduct should be a top priority, with HR playing a key role in attracting and developing talent. Continuous improvement and performance tracking are also crucial for identifying gaps and developing key compliance indicators.

Root cause analysis is a key process in identifying the reasons behind compliance failures and implementing effective solutions. It involves understanding what allowed the compliance issue to arise, rather than simply assigning blame, and addressing the core issues so that the same failure does not recur. Understanding the root cause allows organizations to implement effective measures to ensure compliance going forward.

To operationalize compliance effectively, organizations need to consider several key factors. One of the first factors is the interconnectedness of targets. Compliance goals should be cascaded down to individual workers, ensuring that everyone understands their role in achieving compliance objectives. While tone at the top is important, it is equally crucial to establish an appropriate tone in the middle and at the bottom of the organization.

Clarity and comparability of goals are another important factor. Compliance targets should be clearly communicated and understood by all employees. Complex goals can lead to confusion and hinder the operationalization process. Focusing on high-risk areas first and gradually expanding initiatives can help manage risks effectively and ensure a systematic approach to compliance.

The role of HR in operationalizing compliance cannot be overstated. HR should take the lead in showing that attracting and developing talent who will engage in ethical business conduct is a top priority. By creating the appropriate mindset of doing business the right way throughout the organization, HR can contribute to the successful operationalization of compliance.

Continuous improvement and performance tracking are essential for identifying gaps in the compliance program. Monitoring compliance programs in real time and reacting quickly to remediate any gaps found is crucial. Auditing and monitoring should work in tandem to uncover and evaluate risks. Key compliance indicators, such as hotline or helpline reports, can provide valuable insights into the effectiveness of the compliance program.

While operationalizing compliance is essential, organizations must also consider the impact on employees. Talent acquisition and retention is a critical business function. Retaining top employees who engage in ethical business conduct is crucial for the long-term success of the compliance program. By promoting and rewarding employees who adhere to the code of conduct, organizations can create a culture of compliance and operationalize it fully.

Balancing these factors can be challenging. Organizations must weigh the tradeoffs involved in cascading compliance goals, clarifying goals, and addressing high-risk areas. They must also consider the challenges associated with monitoring and auditing, as well as the importance of root cause analysis and employee retention.

What are the 10 questions you should ask to test, monitor and improve these issues?

  1. How are compliance goals cascaded down to individual workers?
  2. Does anyone complain that your compliance targets are too complex?
  3. How do you deal with repeated compliance failures in a specific business segment or compliance program area?
  4. How does your company show that attracting and developing talent who will engage in ethical business conduct is a top priority?
  5. How long is compliance underperformance tolerated?
  6. What makes it distinctive to work at your company?
  7. How do compliance programs that are not working typically get exposed and remediated?
  8. What key compliance indicators do you use for compliance tracking?
  9. For a given compliance problem, how do you identify the root cause?
  10. What are you doing to retain your top employees from the compliance perspective?

In conclusion, operationalizing compliance is a key component of an effective compliance program. By considering the interconnectedness of targets, clarity and comparability of goals, the role of HR, continuous improvement and performance tracking, root cause analysis, and employee retention, organizations can successfully operationalize compliance and prevent future compliance failures. It is crucial to strike a balance between these factors and consider the impact on employees when making decisions about operationalizing compliance and root cause analysis.

Categories
Daily Compliance News

Daily Compliance News: September 6, 2023 – The FDA Corrupt Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Santos prosecutors ask for more time? (Bloomberg)
  • Spanish Women’s National team coach fired. (ESPN)
  • Ramaswamy’s claims of FDA corruption disavowed by company he founded. (Reuters)
  • FIFA suspends head of Spanish football. (FT)

Categories
Compliance Into the Weeds

Compliance into the Weeds: Risk Assessments, Control Environments and Plug Power

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt consider the recent pronouncements from the SEC regarding risk assessments together with control environments, and how all this played out in the Plug Power enforcement action. The importance of risk assessments and a strong control environment in companies cannot be overstated. These elements are crucial for effective internal controls and proper financial reporting, as emphasized by the SEC’s chief accountant, Paul Munter. In this episode Tom and Matt underscore the need for thorough evaluation of potential pitfalls in risk assessments, citing insufficient personnel, changes in board or management composition, and hasty adoption of new strategies or technologies as potential triggers for flawed assessments.

They highlight the significance of small control failures and entity-level failures, such as weaknesses in IT controls, as indicators of a weak control environment. Join Tom Fox and Matt Kelly as they delve deeper into the topic of risk assessment in the latest episode of the Compliance into the Weeds podcast.

Key Highlights:

·      Munter’s statement

·      Enhancing Control Environment through Risk Assessments

·      The Importance of Risk Assessments and Controls

·      Attracting and Retaining Competent Individuals

·      Flaws in Risk Assessment Beyond Insufficient Personnel

·      Lessons Learned

Resources:

Matt on LinkedIn

Matt blogged twice on these issues: a report on Munter’s statements here and on the Plug Power enforcement action here.

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

AI and GDPR

Artificial Intelligence (AI) has revolutionized various industries, but with great power comes great responsibility. Regulators in the European Union (EU) are taking a proactive approach to address compliance and data protection issues surrounding AI and generative AI. Recent cases, such as Google’s AI tool, Bard, being temporarily suspended in the EU, have highlighted the urgent need for regulation in this rapidly evolving field. I recently had the opportunity to visit with GDPR maven Jonathan Armstrong on this topic. In this blog post, we will delve into our conversations about some of the key concerns raised about data and privacy in generative AI, the importance of transparency and consent, and the potential legal and financial implications for organizations that fail to address these concerns.

One of the key issues in the AI landscape is obtaining informed consent from users. The recent scrutiny faced by video conferencing platform Zoom serves as a stark reminder of the importance of transparency and consent practices. While there has been no official investigation into Zoom’s compliance with informed consent requirements, the company has retracted its initial statements and is likely considering how to obtain consent from users.

It is essential to recognize that obtaining consent extends not only to those who host a Zoom call but also to those who are invited to join the call. Unfortunately, there has been no on-screen warning about consent when using Zoom, leaving users in the dark about the data practices involved. This lack of transparency can lead to significant legal and financial penalties, as over 70% of GDPR fines involve a lack of transparency by the data controller.

Generative AI heavily relies on large pools of data for training, which raises concerns about copyright infringement and the processing of individuals’ data without consent. For instance, Zoom’s plan to use recorded Zoom calls to train AI tools may violate GDPR’s requirement of informed consent. Similarly, Getty Images has expressed concerns about its copyrighted images being used without consent to train AI models.

Websites often explicitly prohibit scraping data for training AI models, emphasizing the need for organizations to respect copyright laws and privacy regulations. Regulators are rightfully concerned about AI processing individuals’ data without consent or knowledge, as well as the potential for inaccurate data processing. Accuracy is a key principle of GDPR, and organizations using AI must conduct thorough data protection impact assessments to ensure compliance.

Several recent cases demonstrate the regulatory focus on AI compliance and transparency. In Italy, rideshare and food delivery applications faced investigations and suspensions for their AI practices. Spain has examined the use of AI in recruitment processes, highlighting the importance of transparency in the selection process. Google’s Bard case, similar to the Facebook dating case, faced temporary suspension in the EU due to the lack of a mandatory data protection impact assessment (DPIA).

It is concerning that many big tech providers fail to engage with regulators or produce the required DPIA for their AI applications. This lack of compliance and transparency poses significant risks for organizations, not just in terms of financial penalties but also potential litigation risks in the hiring process.

To navigate the compliance and data protection challenges posed by AI, organizations must prioritize transparency, fairness, and lawful processing of data. Conducting a data protection impact assessment is crucial, especially when AI is used in Know Your Customer (KYC), due diligence, and job application processes. If risks cannot be resolved or remediated internally, it is advisable to consult regulators and include timings for such consultations in project timelines.

For individuals, it is essential to be aware of the terms and conditions associated with AI applications. In the United States, informed consent is often buried within lengthy terms and conditions, leading to a lack of understanding and awareness. By being vigilant and informed, individuals can better protect their privacy and data rights.

As AI continues to transform industries, compliance and data protection must remain at the forefront of technological advancements. Regulators in the EU are actively addressing the challenges posed by AI and generative AI, emphasizing the need for transparency, consent, and compliance with GDPR obligations. Organizations and individuals must prioritize data protection impact assessments, engage with regulators when necessary, and stay informed about the terms and conditions associated with AI applications. By doing so, we can harness the power of AI while safeguarding our privacy and ensuring ethical practices in this rapidly evolving field.

Categories
Into the Chair - Tales from Chief Compliance Officers

Into The Chair, Tales from Chief Compliance Officers: The Journey of Maria D’Avanzo

Welcome to the latest edition of the Compliance Podcast Network: Into the Chair: Tales from Chief Compliance Officers, which details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Into the Chair: Tales from Chief Compliance Officers is a COMPLY podcast hosted by Tom Fox and is a production of the Compliance Podcast Network. In this inaugural episode, I visit with Maria D’Avanzo.

Maria D’Avanzo is a seasoned professional in the legal and compliance field, with a career that has spanned from litigation to estate work to compliance. Maria’s perspective on adaptability and continuous learning in legal and compliance roles is rooted in her own career trajectory, which has seen her successfully transition from being a litigator to opening her own law practice, and eventually becoming a compliance officer. She believes the key to success in these roles is the willingness to learn new skills and take on new challenges, even outside one’s comfort zone.

Maria also underscores the importance of transferable skills such as analytical and research abilities, critical thinking, and the capacity for advocacy and persuasion, which she honed as a trial lawyer and which have been instrumental in her compliance career. Join Tom Fox and Maria D’Avanzo in this episode of the Into the Chair podcast as they delve deeper into the importance of adaptability and continuous learning in legal and compliance roles.

Key Highlights:

·      Maria’s transformation into a compliance officer

·      Navigating the Legal Field: Learning and Advocacy

·      Advocacy skills and the value of compliance

·      Navigating Compliance Challenges in Regulated and Non-Regulated Corporate Sectors

Resources:

Maria D’Avanzo on LinkedIn

COMPLY

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 2 – Clearly Articulated Written Standards

The written standard requirements have long been memorialized in the U.S. Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA issued. These requirements were incorporated into the 2012 FCPA Guidance and brought forward in the 2023 ECCP and FCPA Corporate Enforcement Policy. The U.S. Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct, i.e., a Code of Conduct.

Following your Code of Conduct are the written policies and procedures required for a best practices compliance program; these are well known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hiccup. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, and specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well-thought-out and articulated policies, procedures or Code of Conduct, all of which should be systematically reviewed and updated. Written policies, signed by employees, provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.

Three key takeaways:

  1. A Code of Conduct, together with policies and procedures, has long been recognized as a cornerstone of a best practices compliance policy.
  2. Each level of written standards builds upon one another, so consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
The Hill Country Podcast

The Hill Country Podcast: Ry’lee Paxton – Leading with KAYLA: Unlocking Community Success

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. Join Tom as he explores the people, places, and activities of the Texas Hill Country. In this episode, Tom visits with Ry’lee Paxton about the Kerr County Youth Leadership Program or KAYLA.

KAYLA is an incredible organization that provides high schoolers in Kerr County with the opportunity to develop their leadership skills and gain exposure to the inner workings of their local community through the Leadership Academy and Youth Leadership Program. Through these programs, students learn important concepts like civic engagement and budgeting, as well as develop relationships with their peers and city officials. By attending the Academy, students gain an understanding of municipal government roles and responsibilities. Meanwhile, the Youth Leadership Program educates students on the importance of local job opportunities and building meaningful relationships. With KAYLA, young people can become successful leaders in their own community.

Key Highlights

·      Youth Leadership in Kerrville and Kerr County

·      City Budgeting

·      Leadership Academy

·      Kerr County Youth Leadership Program

Resources

Kayla

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Data Driven Compliance

Data Driven Compliance: Julie Myers Wood – Using AI for Data Driven Compliance

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data Driven Compliance podcast. Hosted by Tom Fox, it features in-depth conversations around the uses of data and data analytics in compliance programs. Data Driven Compliance is back with another exciting episode. The intersection of law, compliance, and data is becoming increasingly important in the world of cross-border transactions and mergers and acquisitions.

In this podcast episode, Tom Fox and Julie Myers Wood, CEO at Guidepost Solutions, take a deep dive into the intersection of compliance and generative AI and how this intersection will lead to more data driven compliance. Wood emphasizes the importance of understanding the various ways AI can impact a company, including internal use, sales, compliance tools, freelancers, and criminal exploitation. Compliance teams need to have a comprehensive inventory of the tools being used and understand the capabilities and limitations of AI to ensure compliance and mitigate risks.

They discuss the need for companies to be aware of the potential risks associated with AI and to have clear policies and procedures in place to protect intellectual property. Wood also discusses the importance of employee retraining and thoughtful decision-making when integrating AI into business practices. Overall, the podcast provides valuable insights into the challenges and considerations of incorporating AI into compliance programs, emphasizing the need for compliance professionals to adapt and stay informed.

Highlights Include

·      Key Considerations for Compliance and AI

·      Importance of Inventorying Tools and Managing Risks

·      AI and Intellectual Property Protection

·      Challenges of Implementing AI

·      AI and Compliance

Resources:

Julie Myers Wood on LinkedIn

Guidepost Solutions

Tom Fox

Connect with me on the following sites:

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 1 – Introduction to Written Standards

The cornerstone of any best practices compliance program is written protocols. This includes a Code of Conduct, policies and procedures. These elements have long been memorialized in the US Sentencing Guidelines; the Department of Justice’s (DOJ’s) Opinion Releases regarding compliance programs; the 2012 FCPA Guidance; both DOJ and Securities and Exchange Commission (SEC) enforcement actions; the 2019 Guidance; and the FCPA Corporate Enforcement Policy.

There are three levels of standards and controls: the Code of Conduct, policies, and procedures. Every company should have a Code of Conduct that expresses its ethical principles. But a Code of Conduct is not enough. The Code of Conduct is implemented through your compliance policies. It is further operationalized through your compliance procedures. The DOJ spoke to their importance in the 2019 Guidance when it stated, “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees.” As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.

At the end of the 31 Days you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization.

Three key takeaways:

  1. The cornerstone of any best practices compliance program is its written protocols.
  2. Written standards work to prevent, detect and remediate.
  3. What are the specific written protocols you should have in your compliance program?

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Everything Compliance - Shout Outs and Rants

Everything Compliance – Episode 123, Shout Outs and Rants – The Spanish Kiss Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly and Karen Woody, with Tom Fox hosting on this episode of our fan fav Shout Outs and Rants section.

1. Matt Kelly rants about the US Federal Courts not allowing television cameras and says we need the Trump trials televised in federal courts.

2. Karen Woody shouts out to the Barbie movie.

3. Tom Fox shouts out to Megan Rapinoe for her great professional career and her social activism while a member of the USWNT.

4. Jay Rosen shouts out SOCAR, the South Orange County Compliance and Ethics Roundtable.

5. Jonathan Armstrong shouts out Sgt. Graham Saville, who lost his life helping a person in distress.

The members of Everything Compliance are:

•       Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks can be reached at jtmarks@gmail.com.

•       Special Guest Kristy Grant-Hart is the founder of Spark Consulting.

The host, producer and ranter of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.