Categories
Compliance Into the Weeds

Compliance into the Weeds: What Are Boards Doing About AI (Hint: Not Much)

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt look into corporate reports on their Boards’ oversight of AI.

As the world ventures deeper into the age of artificial intelligence (AI), the issue of corporate governance over AI is emerging as a crucial point of discussion. Tech giants such as Google are facing demands for more board-level attention to AI risk management due to concerns about the lack of transparency and oversight.

Tom highlights this lack of detailed consideration of AI at the board level, raising doubts about whether boards are suitably prepared for AI’s rapid development and potential enforcement risks. His concerns are rooted in limited mentions of AI in proxy statements of S&P 500 companies, suggesting current practices might not be sufficient for the future.

Meanwhile, Matt emphasizes the need for boards to start considering staffing, expertise, and risk management related to AI without necessarily forming dedicated AI committees at present. Kelly’s concerns stem from the lack of detail in proxy statements about what boards are currently doing with AI, especially in tech-heavy companies like Google, indicating that dedicated committees or sub-specializations may need to be formed in the future.

Key Highlights:

  • AI Risk Management: Tech vs. Non-Tech Perspectives
  • Enhancing Corporate Governance Through AI Oversight
  • Technology Risk Oversight in Evolving Companies
  • AI Oversight for Corporate Boards: Future Risks

Resources:

Matt on Radical Compliance


FCPA Compliance Report

FCPA Compliance Report – Dottie Schindlinger on Corporate Governance and the Diligent Institute

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Dottie Schindlinger, Executive Director of the Diligent Institute.

The Diligent Institute, the governance research arm of Diligent Corporation, is on a mission to promote governance excellence by providing valuable resources and support to board members and senior leaders. Through research, thought leadership, podcasts, web shows, and certification programs, the institute addresses topics such as climate leadership, ESG, cyber risk, strategy, and AI ethics. Programs like the Next Gen Board Leaders Program and Director Network software facilitate peer-to-peer networking and board opportunities.

The Diligent Academy offers e-learning certification programs for directors, while the Diligent Forum provides a platform for directors to discuss specific themes with guest speakers. The conversation emphasizes the importance of empowering board members with the right information and insights to make informed decisions. It also discusses the changing role of directors in today’s business landscape, with a focus on digital transformation, cybersecurity, and customer satisfaction. The Diligent Institute aims to be a trusted resource for directors, providing valuable knowledge and understanding of their needs.

Key Highlights

  • Diligent Institute: Empowering Board Leaders
  • Diligent Academy and Forum
  • ESG Momentum
  • ESG Views and Director Confidence
  • The Changing Role of Directors

Resources

Dottie Schindlinger on LinkedIn

The Diligent Institute


Daily Compliance News

Daily Compliance News: September 7, 2023 – The SBF in Jail Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen in to the Daily Compliance News, all from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership or general interest for the compliance professional.

  • FCA to review treatment of PEPs. (WSJ)
  • Corruption in Spanish League refereeing. (Reuters)
  • Bread, water and PB. (NYT)
  • The next generation in corporate boardrooms. (FT)
Corruption, Crime and Compliance

Board Oversight and Monitoring of AI Risks

As companies rapidly adopt artificial intelligence (AI), it becomes paramount to have robust governance frameworks in place. Not only can AI bring about vast business benefits, but it also carries significant risks—such as spreading disinformation, racial discrimination, and potential privacy invasions. In this episode of Corruption, Crime and Compliance, Michael Volkov dives deep into the urgent need for corporate boards to monitor, address, and incorporate AI into their compliance programs, and the many facets that this entails.

You’ll hear Michael talk about:

  • AI is spreading like wildfire across industries, and with it comes a whole new set of risks. Many boards don’t fully understand these risks. It’s important to make sure that boards are educated about the potential and pitfalls of AI, and that they actively oversee the risks. This includes understanding their obligations under Caremark, which requires them to exercise diligent oversight and monitoring.
  • AI is a tantalizing prospect for businesses: faster, more accurate processes that can revolutionize operations. But with great power comes great responsibility. AI also comes with risks, like disinformation, bias, privacy invasion, and even mass layoffs. It’s a delicate balancing act that businesses need to get right.
  • Companies can’t just use AI, they have to be ready for it. That means adjusting their compliance policies and procedures to their specific AI risk profile, actively identifying and assessing those risks, and staying up-to-date on potential regulatory changes related to AI. As AI grows, the need for strong risk mitigation strategies before implementation becomes even more important.
  • The Caremark framework requires corporate boards to ensure that their companies comply with AI regulations. Recent cases, such as the Boeing safety oversight, demonstrate the severity of the consequences when boards fail to fulfill their responsibilities. As a result, boards must be proactive: ensure that board members have the technical expertise necessary, brief them on AI deployments, designate senior executives to be responsible for AI compliance, and ensure that there are clear channels for individuals to report issues.

KEY QUOTES

“Board members usually ask the Chief Information Security Officer or whoever is responsible for technology [at board meetings], ‘Are we doing okay?’ They don’t want to hear or get into all of the details, and then they move on. That model has got to change.”

“In this uncertain environment, stakeholders are quickly discovering the real and significant risks generated by artificial intelligence, and companies have to develop risk mitigation strategies before implementing artificial intelligence tools and solutions.”

“Board members should be briefed on existing and planned artificial intelligence deployments to support the company’s business and/or support functions. In other words, they’ve got to be notified, brought along that this is going to be a new tool that we’re using, ‘Here are the risks, here are the mitigation techniques.’”

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

31 Days to More Effective Compliance Programs

One Month to a More Effective Board – Vin DiCianni on Board Inquiries into Compliance

Where does “tone at the top” start? With any public and most private U.S. companies, it is at the Board of Directors. But what is the role of a company’s Board in compliance? We start with several general statements about the role of a Board in U.S. companies. First, a Board should not engage in management but should engage in oversight of the CEO and senior management. The Board does this by asking hard questions and by assessing and identifying risk.

A white paper by Deloitte & Touche LLP, entitled Risk Intelligence Governance—A Practical Guide for Boards, laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s role. There must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  • Foster a culture of risk management. All stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into strategy. Oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk. All stakeholders need to understand the company’s appetite, or lack thereof, for risk.
  • Execute the risk management process. Maintain an approach that is continually monitored and has continuing accountability.
  • Benchmark and evaluate the process. Systems need to be installed which allow for evaluating and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance and ethics risk management oversight. At the outset, it is important that the Board have direct access to information on the company’s policies in this area.

Three key takeaways:

  1. The Board’s role is to keep really bad things from happening to a company.
  2. There are six general areas the Board can inquire into and lead from.
  3. A Board should have direct access to information on the company’s compliance program.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – OIG Guidance for Boards Regarding Compliance

The OIG white paper “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (OIG Guidance) provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and about a Board’s obligations. As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be a corporate information and reporting system and that such reporting mechanisms provide appropriate information to the Board. It states: “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.”

The OIG Guidance sets out four areas of Board oversight and review of a compliance function:

  1. Roles of, and relationships between, the organization’s audit, compliance, and legal departments;
  2. Mechanism and process for issue-reporting within an organization;
  3. Approach to identifying regulatory risk; and
  4. Methods of encouraging enterprise-wide accountability for the achievement of compliance goals and objectives.

The OIG Guidance is an excellent review not only for compliance professionals and others in the healthcare industry but also a good primer for Boards on their duties under a best practices compliance program. The U.S. Sentencing Guidelines, the Hallmarks of an Effective Compliance Program, the OIG Guidance, and OIG Corporate Integrity Agreements can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program.

Three key takeaways:

  1. Information flow up to the Board is critical.
  2. Compliance should be institutionalized in your company as a way of life.
  3. A Board needs to consider all risks.

For more information, check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Compliance Expertise on the Board

Every Board of Directors needs a true compliance expert sitting at the table. Almost every Board has a former CFO, former head of Internal Audit, or persons with a similar background, and often these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training, and SME that can help all companies with their financial reporting and other finance-based issues. So why is there no such compliance SME at the Board level?

This requirement was set out in 2017 in the FCPA Corporate Enforcement Policy, where one of the criteria to be evaluated in a compliance program is “the availability of compliance expertise to the board.” Finally, the 2020 Update to the Evaluation of Corporate Compliance Programs, under the section entitled Oversight, posed the following question: What compliance expertise has been available on the Board of Directors?

The DOJ and Securities and Exchange Commission introduced this concept to the FCPA Resource Guide, 2nd edition. It means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and the FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific SME on the Board and on that committee.

Three key takeaways:

  1. Boards must have compliance expertise.
  2. Government regulators and shareholder groups have both called for greater compliance expertise on the Board.
  3. Compliance expertise at the Board works up and down, as such expertise can be a resource to both the CCO and the Compliance Department.

For more information, check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Prudent Discharge of Board Obligations

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In the case of Stone v. Ritter, the proposition is found that there is “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow best practices in ethics and compliance. The Board has the role of monitoring the performance of the compliance function, including monitoring its performance using customary economic metrics and overseeing compliance with applicable laws and regulations.

While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling.

There is no reference to prudent discharge in the FCPA itself. However, a Board member might think more than twice about the prudent discharge of duties to the shareholders, as both the DOJ and SEC now might wish to look into a Board’s prudent discharge of duties under the FCPA.

Three key takeaways:

  1. What is prudent discharge?
  2. What is your process for doing compliance at the Board level?
  3. A Board must have active rather than passive engagement around compliance.

For more information, check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Innovation in Compliance

Third-Party Management: A risk-based approach – Part 4: Adam Bailey on Reporting

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. I will visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, from the Volkov Law Group. In this Part 4, I visit with Adam Bailey to look at the role of the Board in risk, audit, compliance, and ESG, and at the reporting from executive teams and GRC practitioners that enables a Board to take risks and seize chances.

Bailey has worked to help organizations better manage their risk by providing insight and clarity to boards of directors. He has striven to enable executive teams and GRC practitioners to assess and manage strategic risks, ultimately connecting boards, practitioners, and executives together to innovate and drive growth. With the complexity of third-party relationships continuing to grow, companies need to adopt a continuous improvement approach to contend with unforeseen risks. A corporate compliance function is not just something nice to have but a must, and a Board needs clear and relevant data to make the best decisions. Organizations need to use the necessary tools to ensure that Boards have the visibility to manage their third parties and make informed decisions.

Key Highlights

  1. A compliance function must support leaders through its reporting work.
  2. Companies can effectively manage third-party risk with a risk-based approach and robust processes.
  3. Connecting the Board, senior executives, and practitioners together to enable organizations to take risks and innovate is critical.

Notable Quotes

  1. “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”
  2. “Continuous blanket monitoring of all third parties with every risk asset you can think of is just not feasible and probably wouldn’t deliver the outcomes that we need.”
  3. “We know that change is constant, regulators are looking for risk management policies and practices which continually improve and evolve over time.”
  4. “We need robust processes and systems in place to make sure that when you create your third-party profile, it’s screened against sanctions lists, embargo watch lists, et cetera, to provide the rich data that’s there.”

Resources

Adam Bailey on LinkedIn

Check out Diligent’s third-party products and services here.

2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn warnings and the increasing number of whistleblower reports to the SEC. They also dive into an article from the Harvard Law School Forum on Corporate Governance and discuss the Illinois biometric privacy law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. “The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed?
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFTC
  8. Trends in state privacy law
  9. Litigation holds and records retention/Google/DOJ
  10. Individuals charged – first enforcement action 2023

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on LinkedIn