Category: Great Women in Compliance

Great Women in Compliance – Sabrina Segal on Reimagining Risk Management

Welcome to the Great Women in Compliance Podcast. How can we reimagine risk management? In this episode, Hemma Lomax visits Sabrina Segal, a seasoned third-sector integrity risk and compliance advisor with a legal background. Sabrina is currently in Rwanda as part of an international development and humanitarian assistance team. She hosts Tolerable Risk, a podcast about integrity and compliance in the third sector.

Sabrina shares her perspective on compliance and risk management in the third sector, which is inherently high-risk, largely due to its operation in areas where the private sector may not see value and where government regulation has failed. Sabrina believes that traditional approaches to risk management, which are quantitative-heavy and designed for industries like finance and oil and gas, are unsuitable for the third sector, requiring a more accessible qualitative approach for diverse stakeholders. Drawing from an array of global experiences, Sabrina emphasizes the need for bespoke approaches tailored to the specific needs and constraints of small and medium-sized charities and nonprofits. Sabrina has developed an objective-centered risk management approach for the third sector based on work from her mentor, Timothy Leech. Objective-centered risk management focuses on facilitating the achievement of organizational objectives, collaborating to identify threats and opportunities, and directly influencing decision-making. Sabrina’s compliance and risk management work is designed to improve organizations’ overall programming and impact in the third sector. Still, it has many applications in the private sector and corporate compliance.

Key Highlights:

  • Tolerable Risk Podcast on Tailored Risk Management for Nonprofits

  • Navigating High-Risk Environments: Third Sector Compliance

  • Objective-Driven Risk Analysis and Decision-Making

  • Comprehensive Risk Management Strategy with Active Monitoring

  • The Importance of Involving Stakeholders in Risk Management

  • Quantitative tools and trust in data for risk management

  • Advocacy and Inclusion in Restorative Justice

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Category: Daily Compliance News

Daily Compliance News: February 14, 2024 – The Cut Off in Hong Kong Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Latham attorneys cut off in Hong Kong.  (FT)
  • No DD, no problem, as HP seeks $4 billion from Mike Lynch.  (Bloomberg)
  • Vitol Trading passed cash in the Houston parking lot.  (Bloomberg)
  • New Zealand drops to No. 3 on TI-CPI.  (The Conversation)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Category: Blog

Tailored Risk Management in the Third Sector

Compliance and risk management are crucial aspects of any organization, and the third sector is no exception. In this week’s episode of Great Women in Compliance, host Hemma Lomax visited with Sabrina Segal to discuss compliance and risk management in the third sector. The third sector, which includes charities and nonprofits, operates in areas where the private sector doesn’t see value and where government regulations have failed. As a result, risk management becomes even more crucial in these high-risk environments with limited resources.

Sabrina Segal is a seasoned third-sector integrity risk and compliance advisor with a legal background, currently based in Rwanda as part of an international development and humanitarian assistance team. Her perspective on compliance and risk management in the third sector is that it is inherently high risk due to its operation in areas where the private sector does not see value and where government regulations have failed. Segal believes that the current risk management approaches, which are quantitative-heavy and designed for industries like finance and oil and gas, are not suitable for the third sector, which is more qualitative-heavy.

Drawing from her experiences, she emphasizes the need for bespoke approaches tailored to the specific needs and constraints of small and medium-sized charities and nonprofits. Segal has developed a strategy called objective-centered risk management for the third sector, which focuses on achieving objectives, identifying threats and opportunities, and directly influencing decision-making. She sees her compliance and risk management work as a way to improve organizations’ overall programming and impact in the third sector.

Segal advocates for an objective-centered approach to risk management in the third sector. This approach focuses on achieving objectives rather than simply creating static risk registers and matrices. By tying risk analysis directly to objectives, organizations can better understand the impact of uncertainty on their goals and make informed decisions. This approach also integrates risk management into project management, recognizing the dynamic nature of risks and their effect on objectives.

Compliance and risk management are essential for any organization, but they are particularly significant in the third sector. Non-profit organizations often rely on public trust and funding, making it crucial to maintain a strong reputation. Compliance ensures that organizations adhere to legal and ethical standards, while risk management helps identify and mitigate potential threats to the organization’s mission and sustainability.

Another approach highlighted by Segal is Active Monitoring and Mitigation. This approach involves identifying and addressing threats and opportunities to achieve objectives. By mapping the causes of these threats and opportunities, organizations can implement active monitoring or mitigation steps to minimize risks and maximize opportunities.

One of the challenges faced by the third sector is the lack of quantitative data for risk analysis. While the finance or oil and gas industries can rely on quantitative tools such as Monte Carlo simulations or Bayesian statistics, the third sector often deals with qualitative data and dynamic systems. Segal emphasizes the need for bespoke approaches that work well for charities and nonprofits, which are often small and medium-sized organizations with limited resources. She suggests using quantitative tools where possible and building trust in data across the third sector to improve risk management advice. Organizations can identify and assess potential risks more effectively using data-driven approaches. Risk matrices, statistical analysis, and predictive modeling can help quantify risks and prioritize them based on their likely impact. This allows organizations to allocate resources efficiently and make informed decisions to mitigate risks.

Active monitoring and mitigation involve continuously monitoring potential risks and proactively addressing them. Rather than waiting for risks to materialize, organizations in the third sector should adopt a proactive approach. This includes regular assessments, monitoring key performance indicators, and implementing control measures to prevent or minimize the impact of identified risks. By actively monitoring and mitigating risks, organizations can ensure the smooth operation of their programs and protect their stakeholders.

Risk analysis should be closely tied to an organization’s objectives in the third sector. By aligning risk analysis with objectives, organizations can prioritize risks that have the most significant potential to hinder the achievement of their mission. This involves identifying the risks that could impact the organization’s ability to deliver its programs or services. By linking risk analysis to objectives, organizations can develop targeted strategies to manage and mitigate these risks, ensuring the successful fulfillment of their mission.

In addition to risk management, compliance is another critical aspect of the third sector. Segal highlights the role of lawyers and compliance professionals in ensuring restorative justice and breaking the cycle of vengeance. By including all stakeholders and giving voice to the voiceless, lawyers and compliance professionals contribute to the success of restorative justice initiatives and create durable solutions in post-conflict environments.

Overall, compliance and risk management in the third sector require tailored approaches that consider charities and nonprofits’ unique challenges and limited resources. By focusing on objectives, actively monitoring and mitigating risks, and considering unforeseen risks, organizations in the third sector can improve their programming and significantly impact the communities they serve.

Category: Data Driven Compliance

Data Driven Compliance: Sherlock Holmes on Pattern Recognition in Data-Driven Compliance

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data-Driven Compliance podcast, hosted by Tom Fox. This podcast features an in-depth conversation around the uses of data and data analytics in compliance programs. Data-Driven Compliance is back with another exciting episode. Today, I take a solo turn to talk about data analytics and pattern recognition for the compliance professional in the context of the Sherlock Holmes short story, The Adventures of the Dancing Men. For a deep dive into the story, check out the episode on my Sherlock Holmes pod, Adventures in Compliance.

In this story, Holmes decodes stick figures to solve the mystery. One of the tools he uses is pattern recognition, which plays a pivotal role in data-driven compliance programs, serving as a tool to identify anomalies and potential compliance issues. It involves the systematic observation of data to identify recurring elements or trends, even in seemingly random data, and interpreting these patterns within the appropriate context to provide meaningful insights. The importance of this process for the compliance professional cannot be overstated.

Pattern recognition requires both creativity and flexibility, and it can help predict future outcomes, optimize processes, and inform decision-making in compliance programs. I also discuss the significance of an iterative approach, which involves continuous improvement based on new information and collaboration with others to enhance analytic capabilities and gain deeper insights. Check out this most unique and interesting episode of the Data-Driven Compliance podcast, where Sherlock Holmes instructs the modern compliance professional on Data-Driven Compliance.

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ

Tom Fox on Instagram | Facebook | YouTube | Twitter | LinkedIn

Category: Innovation in Compliance

Innovation in Compliance – Jeff Grant on The 400th Meeting of The White Collar Support Group

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Today, I visited Jeff Grant, a compassionate leader and the founder of the White Collar Support Group, a platform dedicated to assisting individuals prosecuted for white collar crimes and their families.

Jeff’s perspective on the importance of such support groups is shaped by his extensive experience going through the full white collar criminal experience, including jail, disbarment, release, and recovery. He has organized over 400 meetings, creating a safe space for individuals to share their experiences and challenges. Jeff views these groups as a vital resource, filling a significant gap in the criminal justice system by providing knowledge, empathy, and compassion to those who have been isolated and stigmatized. His advocacy for the rights and leniency of individuals prosecuted for white collar crimes is driven by his desire to bring their complex human tragedies to light and promote noncustodial sentences for low-level and nonviolent crimes. Through his work, Jeff continues to expand the impact of these support groups, viewing them as a lifeline for those navigating the consequences of their white collar crimes.

Key Highlights:

  • The 400th Meeting
  • Supporting Families of White Collar Criminals
  • Transforming Lives Through Spiritual Guidance
  • Supporting White Collar Crime Victims and Advocacy

Resources:
Jeff Grant on LinkedIn | Twitter
Grant Law
Prisonist.org

Tom Fox on Instagram | Facebook | YouTube | Twitter | LinkedIn

Category: Compliance Tip of the Day

Compliance Tip of the Day: What The Pandemic Changed for Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we consider the ongoing trends that accelerated during the pandemic year of 2022 and how these changes have impacted compliance literally forever.

These changes include:

  1. Compliance Convergence
  2. Public/private partnership in the ABC fight
  3. Data, Data, Data
  4. Compliance as an ethical & business advantage


Category: Daily Compliance News

Daily Compliance News: February 13, 2024 – The Quiet Hiring Edition


In today’s edition of Daily Compliance News:

  • What is quiet hiring?  (FT)
  • Xi’s never-ending corruption hunt. (BBC)
  • More Ohio state charges in the FirstEnergy corruption scandal. (WSJ)
  • A Huawei killer. (WaPo)


Category: Blog

SolarWinds Under GDPR: Corporate Responsibility and Risks in Data Protection

The General Data Protection Regulation (GDPR) has significantly changed how organizations handle data protection and privacy. It emphasizes the importance of transparency and honesty in disclosing data breaches and vulnerabilities. In a recent episode of the podcast Life with GDPR, Tom Fox and Jonathan Armstrong from Cordery Compliance discussed the topic of corporate responsibility and risks in data protection, with a particular focus on the SolarWinds case.

To recap, in late 2023, the SEC filed a lawsuit against SolarWinds Corp and its CISO, Tim Brown, following the 2020 data breach, bringing the issue of executive liability in cybersecurity disclosures to the forefront. The lawsuit raised important questions about the personal liability of senior executives for inaccurate risk disclosures and has potential implications for other industries under US securities law.

The 2020 breach, orchestrated by Russian hackers, targeted SolarWinds’ software, Orion, and exposed highly sensitive information. The hackers gained access to SolarWinds and planted spyware in the Orion program. SolarWinds then distributed an update to its corporate customers, unknowingly spreading the Russian spyware. This allowed the hackers to access the highest levels of the US government and major corporations.

The SEC’s lawsuit against SolarWinds and Tim Brown focused on the poor disclosures about the company’s information security throughout 2018, 2019, and 2020. While SolarWinds publicly claimed to have good cybersecurity, internal communications revealed that employees were aware of the company’s cybersecurity issues and considered them a mess. This discrepancy between internal knowledge and external disclosures formed the basis of the SEC’s allegations.

The SEC complaint alleged that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Beyond this SEC enforcement action, there were other implications as well. One key takeaway from the episode is the pressure on corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to disclose data breaches promptly. While GDPR offers some protection to Data Protection Officers, they are not entirely exempt from liabilities. The SolarWinds case serves as a reminder of the need for specific and timely disclosure of breaches and the importance of addressing system vulnerabilities.

The risks associated with data breaches are not limited to regulatory fines. Litigation risks are a significant concern for organizations, with shareholders and whistleblowers potentially seeking legal action. The episode highlights the importance of transparency and not misrepresenting information to regulators. Misrepresentations can lead to severe consequences for individuals in positions of responsibility within corporations.

Budget constraints can also hinder the timely fixing of vulnerabilities, ultimately leading to breaches. Organizations need to take proactive measures to identify and address vulnerabilities promptly. Realistic resource assessments are crucial to ensuring that adequate resources are allocated to data protection efforts. Additionally, having adequate insurance protection, such as Directors and Officers (D&O) insurance, can help protect individuals in positions of responsibility from potential liabilities.

The episode also emphasizes the need for organizations to consider the impact on their stock exchange filings when deciding whether to disclose a data breach. The decision to disclose a breach in stock exchange filings can be challenging and depends on factors such as materiality. Organizations need to assign a dedicated team to consider these factors, particularly when engaged in transactions like mergers and acquisitions or fundraising.

Transparency and honesty are key principles in data protection and privacy. Audit reports and investigation findings must be acted upon promptly to address vulnerabilities. Emails and other forms of communication can serve as evidence in legal proceedings, highlighting the importance of careful communication within organizations.

The potential for litigation is significant in data breach cases. Shareholders may seek legal action if they believe the value of their stock has been affected. Whistleblowers, incentivized by various jurisdictions, may also come forward with information. This highlights the need for organizations to maintain a culture of transparency and integrity and for individuals to review their remuneration packages to avoid conflicts of interest.

In conclusion, GDPR, corporate responsibility, and risks in data protection are interconnected. Organizations must prioritize transparency, honesty, and timely disclosure of breaches and vulnerabilities. Proactive measures, realistic resource assessments, and adequate insurance protection are crucial to mitigating risks. By considering the impact on stock exchange filings and maintaining a culture of integrity, organizations can navigate the challenges associated with data protection and privacy in the GDPR era.

Category: All Things Investigations

All Things Investigations – Kevin Carroll on The Trump Immunity Appeal

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigations. In this podcast, I joined Hughes Hubbard & Reed partner Kevin Carroll to take a deep dive into the DC Court of Appeals opinion on the immunity claim of Citizen Trump.

Kevin Carroll’s perspective on the opinion on Trump’s immunity doctrine claims is that it was a significant and positive development for democracy. Carroll expresses satisfaction with the unanimous opinion and believes that it comprehensively addresses the issues at stake. His understanding of the resolution of Bill Clinton’s special counsel case further reinforces his belief that former presidents can be held criminally liable for conduct committed in office. He also emphasizes the importance of the opinion being written in a way that is understandable to non-lawyers and the weight of the per curiam nature of the opinion, indicating that all three judges signed it, making it difficult to challenge or dismiss any part of it.

Join Tom Fox and Kevin Carroll on this episode of All Things Investigations to delve deeper into this topic.

Key Highlights:

  • Unified and Authorless Judicial Decisions
  • Expiration and Integration of Presidential Terms
  • Influence and Binding of the Opinion
  • The Crucial Role of the Appeal Process
  • Whither the Mandate?

Resources:

Hughes Hubbard & Reed website

Kevin Carroll on LinkedIn

Category: Corruption, Crime and Compliance

Trade Compliance Trends and Expectations with Gabrielle Griffith

Gabrielle Griffith, Director of BPE Global, is an expert in trade compliance issues. Gabrielle assists clients in implementing effective trade compliance programs by addressing improvements within organizations’ people, processes, and systems. In the area of U.S. export controls, she advises clients on compliance with the International Traffic in Arms Regulations, the U.S. Export Administration Regulations, and the various embargo and sanctions programs administered by the Office of Foreign Assets Control. On import compliance matters, she advises on classification, country of origin, special duty programs such as USMCA, focused assessments, C-TPAT, antidumping/countervailing duty, as well as Sections 232 and 301 matters. Gabrielle joins Michael to discuss current trade compliance trends and expectations for 2024.

  • The increase in national security risk has heightened the need for creative thinking to identify potential threats that may not be designated within regulations. This means that companies must go beyond traditional compliance measures and think outside the box to proactively address emerging risks to national security.
  • Global companies are facing unprecedented risks and challenges in today’s economy, leading to a greater emphasis on robust ethics and compliance programs. These programs are essential for promoting positive corporate citizenship and mitigating the legal and economic risks associated with corruption and crime.
  • Trade compliance is no longer a silo within a compliance department but must be integrated into the entire operation of a company. This means that trade compliance considerations should be incorporated into all aspects of a company’s business processes, from product development to supply chain management.
  • The Department of Justice is ramping up efforts to prosecute companies for trade compliance violations, particularly in relation to national security. This increased focus on enforcement means that companies need to be proactive in ensuring compliance with export control regulations and other trade compliance requirements.
  • Over-controlling trade compliance can hinder business operations while under-controlling can lead to violations. Finding the right balance is crucial. Companies should strive to implement effective trade compliance measures that align with their specific business needs, avoiding unnecessary restrictions while still ensuring compliance with applicable regulations.
  • The government should collaborate more with industry consultants to bridge the gap between enforcement agencies and companies, ensuring effective communication and guidance. This collaboration can help companies navigate the complex landscape of trade compliance and provide valuable insights to regulators on emerging technologies and industry practices.

Resources:

Gabrielle Griffith on LinkedIn

BPE Global

Michael Volkov on LinkedIn | X(Twitter)

The Volkov Law Group