Categories
Blog

Navigating Transformational Changes: The Intersection of E&C and ESG

Today I would like to explore the intersection of ethics and compliance (E&C) and environmental, social, and governance (ESG) efforts. In a recent podcast on Report from IMPACT 2023, we explored the crucial role of ethics in guiding organizations through transformational changes. With data-driven insights and practical advice, we considered the challenges, opportunities, and strategies for success in this evolving landscape.

In the face of rapid technological advancements, the importance of ethics cannot be overstated. Organizations need to build safeguards to prevent potential crashes or negative consequences. Much like car racing, this world needs to move forward with technology in a safe and responsible manner. Further, just like a skilled racer, organizations must navigate the track of progress while ensuring the ethical implications of their actions are considered. Finally, always remember that brakes are not on a car to slow it down but so that you can drive fast.

As power dynamics shift and new technologies emerge, the establishment of checks and balances in this arena becomes paramount. This means that organizations need to distribute power internally wisely and ensure ethical decision-making processes are in place. By doing so, they can safeguard against potential abuses and ensure that transformative changes are guided by integrity. I often use the visual of the billboard announcing the Eyes of Dr. T J Eckleburg from The Great Gatsby as the best way to think about having a second set of eyes on your process for process validation.

In a world undergoing rapid transformation, continuous education and expanding horizons are crucial for organizations and individuals alike. For Chief Compliance Officers (CCOs) and other compliance professionals, the importance of being adaptable and open to learning cannot be overstated. Our profession is changing as fast as any other corporate function, and that change is coupled with the changing needs of our customers. Who are the customers of a corporate compliance program? You can start with the multiple stakeholders identified by the Business Roundtable in their seminal Statement on the Purpose of a Corporation. They can include employees, shareholders, third parties, vendors and business partners, and those who live in localities where your organization does business. By embracing new perspectives and staying informed, CCOs, compliance professionals and corporate compliance functions can effectively navigate the challenges of a changing world.

A significant development highlighted in the podcast is the convergence of ESG and E&C. This integration presents both a strategic risk and an opportunity for organizations. By aligning environmental, social, and governance considerations with ethical and compliance practices, companies can create a holistic approach that benefits both their bottom line and society at large. Equally important is the mandate that the CCO and corporate compliance function should lead this effort. No other corporate function has as wide a mandate, as set out by the regulators, as the corporate compliance program. One need only consider the 2019 Evaluation of Corporate Compliance Programs, which led to the 2023 Evaluation of Corporate Compliance Programs, to see that a corporate compliance function (and CCO) must have visibility literally across your entire corporate organization.

The demand for businesses to take positions on social issues is growing louder, both from employees and stakeholders. It is well known within the compliance community and the wider corporate world that both the CCO and the compliance function must not remain silent on these matters. You may call this speaking truth to power, but in the wider ESG world, businesses must recognize the power they hold to effect change and leverage it responsibly. By aligning their values with those of their workforce and society, they can build purpose-filled organizations that resonate with the younger generations.

I speak with many Human Resource (HR) and talent specialists, and they all say that the acquisition and retention of talent will be the key market differentiator for business by mid-century. From Baby Boomers through GenXers to Millennials and now Gen Zers, the values and mindset of the current and upcoming workforce differ significantly from those of previous generations. To motivate and attract these individuals, organizations must listen to their ideas and incorporate them into the company’s values and purpose. By engaging with the younger generations and understanding their perspectives, board members can foster an environment that aligns with their aspirations. Businesses which try to enforce well-known and well-debunked tropes such as “there is no such thing as climate change” will be consigned to the dustbin of corporate failures.

Building transformative leadership and engaging forward-thinking board members pose challenges but are necessary for success. Just as talent acquisition and retention will be one of the most critical aspects of corporate survival, recruiting board members who understand current and future challenges and the need for an integrated approach will be equally critical. Critically, this also means diversity on the Board. While seasoned experience is valuable, finding individuals who can bridge the gap between traditional values and the demands of a changing world is crucial. It also means new and different subject matter expertise will be critical. The Department of Justice (DOJ) has noted that a Board needs to have a compliance resource on it. The logical step is for a Board to have a Compliance Committee, chaired by a seasoned compliance professional.

It might even lead to a broader concept of a true risk management professional on the Board. Given the paradigm shift coming out of the Pandemic from disaster recovery to business resiliency to business as usual, a Board’s ability to have that strategic discussion and lead through oversight will be a critical element as well.

Recognizing the pivotal role that ethics and compliance play in guiding organizations through transformational changes is something that is gaining traction in the corporate world. In a world that is evolving at an unprecedented pace, it is imperative to build ethical safeguards, establish checks and balances, provide appropriate oversight and adapt to the values and mindset of the younger generations. By embracing continuous education, converging ESG and E&C efforts, and taking a stand on social issues, organizations can navigate the inflection point we find ourselves in and thrive in the future.

31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 4 – Code of Conduct: Structure and Format

Next comes the evolution of the structure and format of a best practices Code of Conduct. Initially, in my experience, they were written by lawyers, largely for lawyers. This included ‘thou shalts’ and ‘thou shalt nots’ liberally sprinkled throughout a lengthy written document. This is what is now referred to as Code 1.0. The compliance community then evolved to Code 2.0, where the writing was less turgid and moved to more employee-friendly language, and then somewhere along the line we started putting in hyperlinks, pictures, and videos.

There are two factors that a company should consider in the structure of a Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use it. These stakeholders can include such diverse groups as employees, shareholders and third parties on both the sales and supply side of your business. This may require multiple approaches.

Be sure to make your code readable. This goes beyond simply eliminating legalese. It means writing English at a grade level that is appropriate for your employee population. It may be that an eighth-grade reading level is appropriate for your workforce. However, if your population consists primarily of professionals, it might be appropriate to aim for a higher level of language. Translate the code into the appropriate languages for your workforce as well. Finally, you do not have to say the same thing in multiple different ways.

Three key takeaways:

  1. Companies have moved past having a Code of Conduct written by lawyers for lawyers to a fully interactive code for all employees.
  2. Consider how information is distributed at your organization as a basis for communication in your Code of Conduct.
  3. Your Code of Conduct must be readable, in both English and the native language of non-English-speaking employees.

For more information, check out The Compliance Handbook, 4th edition, here.

Everything Compliance

Everything Compliance – Episode 123, The Spanish Kiss Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly and Karen Woody, with Tom Fox hosting. We conclude with our always popular and fan fav Shout Outs and Rants.

1. Matt Kelly looks at the new SEC requirement for companies to improve their risk assessments and attendant processes. He rants about the US Federal Courts not allowing television cameras and says we need the Trump trials televised in federal courts.

2. Karen Woody reviews Opinion Release 23-01. She shouts out to the Barbie movie.

3. Tom Fox shouts out to Megan Rapinoe for her great professional career and her social activism while a member of the USWNT.

4. Jay Rosen looks at the imbroglio surrounding the Spanish National football team after its Women’s World Cup win. Rosen shouts out SOCAR, the South Orange County Compliance and Ethics Roundtable.

5. Jonathan Armstrong considers the NATS air traffic debacle and operational resilience. He shouts out Sgt. Graham Saville who lost his life helping a person in distress.

The members of Everything Compliance are:

• Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

• Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

• Jonathan Marks – Marks can be reached at jtmarks@gmail.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 3 – The Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in the regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal in creating your company’s Code of Conduct?

Indeed, violation of your Code of Conduct can form the basis of a domestic FCPA enforcement action. In an enforcement action involving United Airlines, Inc., a breach of the Code of Conduct by the Company CEO was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Your Code of Conduct should be tailored to your company’s culture, industry, and corporate identity. It should provide a mechanism by which employees trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures must be stated in the Code. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code. Further, your company’s Code should emphasize that it will comply with all applicable laws and regulations wherever it does business. The Code must be written in plain English and translated into other languages so all applicable persons can understand it.

Three key takeaways:

  1. A Code of Conduct is a foundational document in any compliance regime.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, industry, and corporate identity.
  3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

For more information, check out The Compliance Handbook, 4th edition, here.

The ESG Report

The ESG Report – Tommy Linstroth on Building for a Sustainable Future: The Role of ESG in Construction

The ESG Report podcast is hosted by Tom Fox. Looking for innovative solutions to tackle climate change? Look no further than The ESG Report! In this episode, Tom speaks with Tommy Linstroth, founder and CEO of Green Badger, about the role and opportunity for the construction industry in the ESG arena.

The podcast episode discusses the increasing importance of incorporating ESG practices in the construction industry. Tommy Linstroth, an expert in the field, emphasizes the need for companies to embrace ESG to remain competitive and attract talent. Linstroth highlights the demand for ESG compliance from customers, regulators, and financiers. He emphasizes the need for companies to measure and integrate various ESG factors, breaking down silos within organizations. The conversation also emphasizes the role of safety in ESG and the potential benefits of ESG in improving efficiency, talent attraction, and transparency. Overall, the episode underscores the significance of ESG integration in the construction industry and the importance of a strategic approach to its implementation.

Key Highlights

• The Intersection of Construction and ESG

• ESG Integration in Construction Industry

• ESG and Business Efficiency

• Getting Started with ESG

• ESG Implementation and Continuous Improvement

Resources

Tommy Linstroth on LinkedIn

Green Badger

Daily Compliance News

Daily Compliance News: September 7, 2023 – The SBF in Jail Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • FCA to review treatment of PEPs. (WSJ)
  • Corruption in Spanish League refereeing. (Reuters)
  • Bread, water and PB. (NYT)
  • The next generation in corporate boardrooms. (FT)
Blog

Operationalizing Compliance With 10 Questions for HR

Operationalizing compliance is the crucial step in creating an effective compliance program within an organization. It involves cascading compliance goals to all levels of the organization and fostering a culture of compliance. This process requires clarity and comparability of goals, focusing on high-risk areas first, and gradually expanding initiatives. Ethical business conduct should be a top priority, with HR playing a key role in attracting and developing talent. Continuous improvement and performance tracking are also crucial for identifying gaps and developing key compliance indicators.

Root cause analysis is a key process in identifying the reasons behind compliance failures and implementing effective solutions. It involves understanding what allowed the compliance issue to arise, rather than simply assigning blame. Understanding the root cause allows organizations to address the core issues and implement effective measures to prevent future compliance failures.

To operationalize compliance effectively, organizations need to consider several key factors. One of the first factors is the interconnectedness of targets. Compliance goals should be cascaded down to individual workers, ensuring that everyone understands their role in achieving compliance objectives. While tone at the top is important, it is equally crucial to establish an appropriate tone in the middle and at the bottom of the organization.

Clarity and comparability of goals is another important factor. Compliance targets should be clearly communicated and understood by all employees. Complex goals can lead to confusion and hinder the operationalization process. Focusing on high-risk areas first and gradually expanding initiatives can help manage risks effectively and ensure a systematic approach to compliance.

The role of HR in operationalizing compliance cannot be overstated. HR should take the lead in showing that attracting and developing talent who will engage in ethical business conduct is a top priority. By creating the appropriate mindset of doing business the right way throughout the organization, HR can contribute to the successful operationalization of compliance.

Continuous improvement and performance tracking are essential for identifying gaps in the compliance program. Monitoring compliance programs in real time and reacting quickly to remediate gaps is crucial. Auditing and monitoring should work in tandem to uncover and evaluate risks. Key compliance indicators, such as hotline or helpline reports, can provide valuable insights into the effectiveness of the compliance program.

While operationalizing compliance is essential, organizations must also consider the impact on employees. Talent acquisition and retention is a critical business function. Retaining top employees who engage in ethical business conduct is crucial for the long-term success of the compliance program. By promoting and rewarding employees who adhere to the code of conduct, organizations can create a culture of compliance and operationalize it fully.

Balancing these factors can be challenging. Organizations must weigh the tradeoffs involved in cascading compliance goals, clarifying goals, and addressing high-risk areas. They must also consider the challenges associated with monitoring and auditing, as well as the importance of root cause analysis and employee retention.

What are the 10 questions you should ask to test, monitor and improve these issues?

  1. How are compliance goals cascaded down to individual workers?
  2. Does anyone complain that your compliance targets are too complex?
  3. How do you deal with repeated compliance failures in a specific business segment or compliance program area?
  4. How does your company show that attracting and developing talent who will engage in ethical business conduct is a top priority?
  5. How long is compliance underperformance tolerated?
  6. What makes it distinctive to work at your company?
  7. How do compliance programs that are not working typically get exposed and remediated?
  8. What key compliance indicators do you use for compliance tracking?
  9. For a given compliance problem, how do you identify the root cause?
  10. What are you doing to retain your top employees from the compliance perspective?

In conclusion, operationalizing compliance is a key component of an effective compliance program. By considering the interconnectedness of targets, clarity and comparability of goals, the role of HR, continuous improvement and performance tracking, root cause analysis, and employee retention, organizations can successfully operationalize compliance and prevent future compliance failures. It is crucial to strike a balance between these factors and consider the impact on employees when making decisions about operationalizing compliance and root cause analysis.

Daily Compliance News

Daily Compliance News: September 6, 2023 – The FDA Corrupt Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Santos prosecutors ask for more time? (Bloomberg)
  • Spanish Women’s National team coach fired. (ESPN)
  • Ramaswamy’s claims of FDA corruption disavowed by company he founded. (Reuters)
  • FIFA suspends head of Spanish football. (FT)
Compliance Into the Weeds

Compliance into the Weeds: Risk Assessments, Control Environments and Plug Power

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt consider the recent pronouncements from the SEC regarding risk assessments together with control environments, and how all this played out in the Plug Power enforcement action. The importance of risk assessments and a strong control environment in companies cannot be overstated. These elements are crucial for effective internal controls and proper financial reporting, as emphasized by the SEC’s chief accountant, Paul Munter. In this episode Tom and Matt underscore the need for thorough evaluation of potential pitfalls in risk assessments, citing insufficient personnel, changes in board or management composition, and hasty adoption of new strategies or technologies as potential triggers for flawed assessments.

They highlight the significance of small control failures and entity-level failures, such as weaknesses in IT controls, as indicators of a weak control environment. Join Tom Fox and Matt Kelly as they delve deeper into the topic of risk assessment in the latest episode of the Compliance into the Weeds podcast.

Key Highlights:

• Munter’s statement

• Enhancing Control Environment through Risk Assessments

• The Importance of Risk Assessments and Controls

• Attracting and Retaining Competent Individuals

• Flaws in Risk Assessment Beyond Insufficient Personnel

• Lessons Learned

Resources:

Matt on LinkedIn

Matt blogged twice on these issues: a report on Munter’s statements here and on the Plug Power enforcement action here.

Blog

AI and GDPR

Artificial Intelligence (AI) has revolutionized various industries, but with great power comes great responsibility. Regulators in the European Union (EU) are taking a proactive approach to address compliance and data protection issues surrounding AI and generative AI. Recent cases, such as Google’s AI tool, Bard, being temporarily suspended in the EU, have highlighted the urgent need for regulation in this rapidly evolving field. I recently had the opportunity to visit with GDPR maven Jonathan Armstrong on this topic. In this blog post, we will delve into our conversations about some of the key concerns raised about data and privacy in generative AI, the importance of transparency and consent, and the potential legal and financial implications for organizations that fail to address these concerns.

One of the key issues in the AI landscape is obtaining informed consent from users. The recent scrutiny faced by video conferencing platform Zoom serves as a stark reminder of the importance of transparency and consent practices. While there has been no official investigation into Zoom’s compliance with informed consent requirements, the company has retracted its initial statements and is likely considering how to obtain consent from users.

It is essential to recognize that obtaining consent extends not only to those who host a Zoom call but also to those who are invited to join the call. Unfortunately, there has been no on-screen warning about consent when using Zoom, leaving users in the dark about the data practices involved. This lack of transparency can lead to significant legal and financial penalties, as over 70% of GDPR fines involve a lack of transparency by the data controller.

Generative AI heavily relies on large pools of data for training, which raises concerns about copyright infringement and the processing of individuals’ data without consent. For instance, Zoom’s plan to use recorded Zoom calls to train AI tools may violate GDPR’s requirement of informed consent. Similarly, Getty Images has expressed concerns about its copyrighted images being used without consent to train AI models.

Websites often explicitly prohibit scraping data for training AI models, emphasizing the need for organizations to respect copyright laws and privacy regulations. Regulators are rightfully concerned about AI processing individuals’ data without consent or knowledge, as well as the potential for inaccurate data processing. Accuracy is a key principle of GDPR, and organizations using AI must conduct thorough data protection impact assessments to ensure compliance.

Several recent cases demonstrate the regulatory focus on AI compliance and transparency. In Italy, rideshare and food delivery applications faced investigations and suspensions for their AI practices. Spain has examined the use of AI in recruitment processes, highlighting the importance of transparency in the selection process. Google’s Bard case, similar to the Facebook dating case, faced temporary suspension in the EU due to the lack of a mandatory data protection impact assessment (DPIA).

It is concerning that many big tech providers fail to engage with regulators or produce the required DPIA for their AI applications. This lack of compliance and transparency poses significant risks for organizations, not just in terms of financial penalties but also potential litigation risks in the hiring process.

To navigate the compliance and data protection challenges posed by AI, organizations must prioritize transparency, fairness, and lawful processing of data. Conducting a data protection impact assessment is crucial, especially when AI is used in Know Your Customer (KYC), due diligence, and job application processes. If risks cannot be resolved or remediated internally, it is advisable to consult regulators and include timings for such consultations in project timelines.

For individuals, it is essential to be aware of the terms and conditions associated with AI applications. In the United States, informed consent is often buried within lengthy terms and conditions, leading to a lack of understanding and awareness. By being vigilant and informed, individuals can better protect their privacy and data rights.

As AI continues to transform industries, compliance and data protection must remain at the forefront of technological advancements. Regulators in the EU are actively addressing the challenges posed by AI and generative AI, emphasizing the need for transparency, consent, and compliance with GDPR obligations. Organizations and individuals must prioritize data protection impact assessments, engage with regulators when necessary, and stay informed about the terms and conditions associated with AI applications. By doing so, we can harness the power of AI while safeguarding our privacy and ensuring ethical practices in this rapidly evolving field.