Tag: CCO

Categories
Great Women in Compliance

Great Women in Compliance – Reflections and Resilience Through a Compliance Career with Karen Bertha

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insights.   In today’s episode, Lisa speaks with Karen Bertha, who has built world-class programs throughout her career, most recently at V2X.   She has significant acquisition and post-acquisition due diligence expertise, including at V2X.  After that acquisition, she was at a crossroads and needed time to take stock and pause.

Karen reflects on her work with due diligence, including how and when compliance should be involved in due diligence.  They also discuss strategies for post-integration, even if compliance is brought at some point later.  Karen has worked in highly regulated industries, such as government contracting, and those not in highly regulated industries. She shares her experiences and lessons learned.

Karen left V2X after the acquisition when she needed time for herself and other parts of her life.  She talks about how the “power of the pause” has been helpful to her.  She talks about reflecting on her work in the Ethics & Compliance profession, increasing her learning, specifically in compliance-adjacent fields like Human Resources and audit, with time to focus.  She also shares what she has enjoyed during this time, which we at #GWIC hope can inspire those thinking about your next steps or between roles.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telephonica Venezuela FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfill its fiduciary duties and ensure that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach, regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider some key questions a board should ask and key metrics that boards should track to ensure their oversight of third-party risk management.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect a third party’s risk profile changes. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that due diligence needs to be sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards ensure that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present metrics and narrative insights, offering a holistic view of the third-party compliance landscape and how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – CCOs Reporting to the Board

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what a CCO needs to tell a Board of Directors.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

What Should a Chief Compliance Officer Report to the Board of Directors?

The Chief Compliance Officer (CCO) role is essential in building an organization that meets regulatory standards and upholds a robust ethical culture. But what should the CCO be reporting to the Board of Directors to ensure they understand the full scope of the company’s compliance landscape? This post will consider the essential elements of an effective Board report from the CCO. These elements will help foster transparency, trust, and accountability between the compliance function and the highest levels of corporate oversight.

  • Overview of Compliance Program Structure and Key Updates

An essential part of a CCO’s responsibility to the Board is to ensure they understand how the compliance function is structured and resourced. This includes an overview of the compliance team, its reporting lines, and any recent structural changes. The CCO should also emphasize that the compliance function has the independence, resources, and support to operate effectively.

For example, it is useful to discuss whether additional resources are needed—such as an increased budget, training for compliance staff, or investments in new technology to improve monitoring. Even more crucial is regularly informing the Board about fundamental personnel changes in the compliance team, including new hires or departures. This assures the Board that the compliance team is fully staffed and led by individuals with the experience and knowledge necessary to accomplish the organization’s compliance goals.

  • Risk Assessment and Emerging Compliance Risks

One of the CCO’s primary duties is to ensure that the Board is aware of the organization’s compliance risks. An annual or quarterly update on the status of these risks—mainly if there are high-priority or emerging risks—is critical. The CCO should discuss the results of any recent risk assessments, including:

  1. The top risks currently facing the organization.
  2. Risks associated with new business ventures or geographic expansion.
  3. Changes in geo-political or regulatory landscapes that may impact risk exposure.

For instance, if the company is expanding operations in a high-risk country for bribery or data privacy, this development should be highlighted, along with any steps the compliance team is taking to mitigate the risk. The goal here is not to overwhelm the Board with excessive detail but rather to provide a clear view of where the most significant vulnerabilities lie and what strategies are in place to address them.

The Board should leave these discussions to understand the nature and scope of the company’s compliance risks and the level of oversight being applied to manage those risks. This will reassure them that the company is not only aware of potential threats but is proactively addressing them.

  • Status of Key Compliance Initiatives and Program Enhancements

Board members must see that the compliance program is not static but a dynamic, continuously improving function. The CCO should regularly report on ongoing compliance initiatives and any recent improvements to the program. This can include initiatives such as:

  1. Enhancing third-party risk processes.
  2. Implementing new training programs.
  3. Developing better monitoring and auditing capabilities.

These initiatives should align with the company’s strategic goals, and the CCO can emphasize how compliance supports and reinforces these objectives. For example, if the company has adopted a new code of conduct or revised anti-corruption policies, the CCO should detail how these updates are being rolled out, communicated, and embedded into the organization’s culture.

Additionally, metrics that measure the success of these initiatives are invaluable. For example, sharing compliance training completion rates, results from employee feedback surveys on compliance topics, or the reduction of hotline reports in specific areas can help the Board understand the program’s impact and areas that may need further attention.

  • Compliance Investigations and Response to Issues

Transparency about compliance investigations and their outcomes is fundamental to the Board’s oversight responsibilities. The CCO should provide a high-level overview of significant compliance incidents, particularly those that pose a financial, operational, or reputational risk to the company. This discussion should include:

  1. The nature of the issue or alleged violation.
  2. The investigative steps taken.
  3. Any corrective actions or disciplinary measures implemented.

The CCO should also clearly explain how these issues were detected—whether through internal audits, whistleblower reports, or monitoring activities—demonstrating that the compliance function effectively catches and addresses problems early. It’s important to note that the Board does not need the names of individuals involved or granular details. Instead, they should receive summaries on patterns, issues encountered, and root causes.

Discussions on trends emerging from investigations—such as recurring issues in specific geographies or business units—can provide the Board with valuable insights into potential vulnerabilities. This information also equips the Board to ask strategic questions about how the company’s compliance efforts address these trends, thus bolstering their understanding and oversight of the compliance program.

  • Compliance Program Metrics and KPIs

Measurable data points—such as Key Performance Indicators (KPIs)—are crucial to effective board reporting. Metrics help the Board understand how well the compliance program is performing and identify areas for potential improvement. Examples of relevant compliance metrics include:

  1. Training effectiveness rates across the organization.
  2. Number of hotline calls and resolution time.
  3. Frequency and outcomes of internal audits.
  4. Employee survey results on compliance culture and awareness.

It is helpful to present these metrics in a clear, accessible format, perhaps in the form of dashboards or visual aids, so the Board can quickly grasp the current state of the compliance program. By monitoring trends in these metrics over time, the Board can see the program’s evolution and any areas where additional focus or resources may be needed.

  • Status of the Compliance Culture and “Tone from the Top”

Building a culture of compliance starts at the top, and the Board plays a critical role in establishing this tone. The CCO should regularly report on the company’s compliance culture, noting any shifts or improvements. This could include:

  1. Results from employee surveys on attitudes towards compliance.
  2. Observations from site visits or engagement with various departments.
  3. Feedback from middle management on employee engagement with compliance.

If the company’s compliance culture has gaps, this is the ideal time to discuss closing steps. The CCO can use this section of the report to highlight the role of senior leaders and managers in reinforcing compliance messages. For instance, showcasing how top executives have engaged in recent compliance campaigns or have visibly supported compliance initiatives demonstrates a commitment to ethical conduct and can serve as a model for others.

  • Resources and Budget: Ensuring Adequate Support

One of the most significant concerns the Board should be aware of is whether the compliance function is adequately resourced. The CCO should use this portion of the report to discuss additional needs, such as funding for new technology, more staff to support compliance efforts in high-risk regions or enhanced training programs.

If budget constraints have affected the compliance program, this is also the time to discuss those challenges with the Board. Clear communication about resource needs can help the Board advocate for the compliance function, ensuring it has the tools to mitigate risks effectively. Adequate funding and resources were mandated in the 2024 Evaluation of Corporate Compliance Programs, and CCOs need to explain to the Board their responsibility to ensure this mandate is met.

  • Regulatory Updates and External Trends

Keeping the Board informed of the latest regulatory developments is also crucial. This includes new or evolving laws that could impact the business, industry trends in compliance and enforcement actions against companies in similar sectors. For example, if a new data protection law exists in a region where the company operates, the CCO should outline how the compliance team is preparing to address it.

This part of the report ensures the Board is aware of potential compliance-related challenges on the horizon and provides context for any new initiatives or policy updates the compliance team may propose in response to regulatory changes.

  • The CCO’s Essential Role in Equipping the Board

The relationship between the CCO and the Board is one of the cornerstones of an effective compliance program. By providing a comprehensive, transparent, and strategic report, the CCO empowers the Board to fulfill its oversight responsibilities, making informed decisions that support and enhance the company’s commitment to compliance and ethical conduct.

An effective board report is about more than compliance updates; it is an opportunity to reinforce the importance of compliance, highlight the program’s successes, and communicate any challenges that lie ahead. By keeping these eight core elements in mind, CCOs can ensure their reports inform and engage the Board, fostering a culture of accountability that permeates the entire organization.

Categories
Blog

Why the 2024 ECCP Update is a Game-Changer for Compliance

In the DOJ’s 2024 update to the Evaluation of Corporate Compliance Programs (2024 ECCP), compliance professionals face new expectations that could reshape how we approach compliance programs. In this latest update, the DOJ strongly emphasizes data-driven insights, focusing on compliance culture, employee engagement, and organizational trust. This means that compliance programs must now focus on policies and procedures and prove that these practices are embedded into the company culture and yield measurable outcomes.

The implications of these new standards extend across every aspect of compliance, from audits to employee training and risk assessments. In this post, we’ll explore the key areas of the 2024 ECCP, discussing why the DOJ’s new focus on data and culture is significant and how compliance professionals can adjust their strategies to align with these expectations.

A New Focus on Data: The Backbone of Modern Compliance

One of the most critical shifts in the 2024 ECCP is the DOJ’s call for data-backed evidence of a company’s compliance culture. The DOJ now expects organizations to establish a culture of compliance and document and track its effectiveness over time. Compliance professionals are no longer tasked with simply implementing policies; they must now demonstrate that these policies have a real impact.

For example, it is no longer enough to state that employees are encouraged to report misconduct. Now, organizations must gather data to prove employees feel safe and supported when they report issues. This could include metrics such as hotline usage rates, anonymous survey responses, and feedback on trust in leadership. By collecting data on these and other elements, compliance teams clearly understand how well the compliance culture is functioning.

The DOJ’s new data-driven approach means compliance professionals must focus on metrics that reflect the health of their programs. This might include engagement levels, response times for reports of misconduct, and employee feedback on how accessible and transparent compliance processes are. Tracking these metrics not only helps compliance teams spot trends and identify areas of improvement but also provides concrete evidence of a commitment to compliance that can be shared with regulators.

The Role of Culture Audits: A Window into Organizational Health

With the DOJ’s increased focus on culture, culture audits have become an indispensable tool for compliance professionals. A culture audit goes beyond policy checks and evaluates the organizational attitudes and behaviors that define the company’s ethical framework. This includes measuring employee engagement, trust in leadership, and perceptions around compliance practices. By regularly conducting culture audits, compliance teams can identify weaknesses, reinforce strengths, and monitor shifts in compliance culture over time.

A robust culture audit can answer the DOJ’s fundamental questions: Are employees engaged in compliance efforts? Do they feel comfortable reporting concerns? Do they trust that their leaders are committed to ethical behavior? For instance, if a culture audit reveals that only 60% of employees feel confident using the company’s whistleblower hotline, it clearly indicates that improvements are needed to make employees feel safe in reporting issues.

The data gathered from culture audits provides compliance officers with actionable insights that can be used to enhance training programs, increase communication around compliance expectations, and address gaps in trust or engagement. Additionally, regular culture audits help to create a benchmark, enabling organizations to track changes over time and prove to the DOJ that their compliance culture is consistently improving.

Practical Steps for Compliance Professionals

The 2024 ECCP serves as a roadmap for compliance professionals, outlining practical ways to elevate their compliance programs to meet new expectations. Here are some key steps that can help compliance teams align with these enhanced standards:

  1. Implement Regular Culture Audits. Regular culture audits provide a structured way to assess compliance culture and identify trends in employee engagement, trust, and ethical behavior. Compliance teams can establish a baseline and track improvements over time by conducting these audits at least annually. Regular audits also help identify areas where further training or communication may be necessary, ensuring that compliance culture remains dynamic and responsive.
  2. Prioritize Data Collection and Analysis. In the era of data-driven compliance, tracking and analyzing metrics is essential. Compliance teams should focus on data points that reveal insights into the effectiveness of their programs. This could include metrics on employee trust in reporting mechanisms, hotline usage rates, participation in compliance training, and overall engagement in compliance initiatives. By collecting and analyzing this data, compliance professionals can comprehensively view their program’s impact.
  3. Enhance Transparency and Communication. One of the DOJ’s central themes in the 2024 ECCP is transparency. Compliance professionals should ensure that employees at all levels understand the company’s commitment to ethical behavior and know how to access compliance resources. Regular communication on compliance issues, successes, and updates from leadership reinforces the importance of compliance culture and can help build trust among employees.
  4. Integrate Compliance with Performance and Incentives. Companies should align performance reviews and incentive structures with compliance goals to truly embed compliance into the organizational culture. For instance, recognizing and rewarding employees who demonstrate a commitment to compliance reinforces the message that ethical behavior is valued. This alignment also signals to employees that compliance is part of the path to career advancement and success within the organization.
  5. Document, Document, Document. If there’s one takeaway from the DOJ’s update, it’s the importance of documentation. In the DOJ’s eyes, if it’s not documented, it didn’t happen. Compliance teams should maintain thorough records of all culture audits, data findings, responses to feedback, and improvements over time. This documentation provides a clear data trail demonstrating ongoing efforts to strengthen compliance culture, which can be invaluable in a regulatory review or investigation.

Data Is a Game-Changer for Compliance Programs

The 2024 ECCP update is a milestone for compliance programs, marking a shift toward a more holistic, data-focused approach. By placing emphasis on data, the DOJ effectively requires companies to provide concrete proof of their compliance efforts, making it clear that ethical behavior is no longer just a set of policies—it’s a measurable, evolving part of the corporate culture. This represents a major change for compliance professionals, as they must now develop skills in data analysis, culture assessment, and strategic planning.

The DOJ’s increased focus on compliance culture and data-backed metrics aligns with the broader trend toward accountability and transparency in corporate governance. Compliance professionals who embrace this shift will be able to strengthen their programs, foster a more ethical workplace, and reduce their organization’s risk of regulatory scrutiny. By taking proactive steps to meet these new standards, compliance teams can also build trust with employees, investors, and regulators, creating a foundation of integrity that benefits the entire organization.

Turning Compliance into a Competitive Advantage

The DOJ’s 2024 ECCP update is not simply a set of new requirements but an opportunity for compliance professionals to elevate their programs, demonstrate value, and create a culture where ethical behavior is embedded into the organizational DNA. By focusing on data, conducting regular culture audits, and aligning compliance with incentives, compliance professionals can turn these new standards into a competitive advantage.

For compliance professionals, the ECCP update provides a clear framework for fostering a dynamic, responsive compliance culture that meets and exceeds regulatory expectations. By staying ahead of these changes, compliance professionals protect their organizations and position themselves as strategic leaders who understand the evolving nature of compliance. In an era where regulators demand proof of ethical culture, data is no longer just a tool; it is the future of compliance, and those who embrace it are setting their organizations up for long-term success.

Categories
Adventures in Compliance

The Casebook of Sherlock Holmes – Investigative Lessons from The Adventure of The Mazarin Stone

In this new season of Adventures in Compliance, host Tom Fox takes a deep dive into the Sherlock Holmes collection The Case-Book of Sherlock Holmes  by Arthur Conan Doyle. It is a final set of twelve Sherlock Holmes short stories by Arthur Conan Doyle, first published in the Strand Magazine between October 1921 and April 1927. In this episode, we consider the story, the Adventure of the Mazarin Stone. In this story, Sherlock Holmes investigates a case involving a master jewel thief and Holmes investigative techniques. This story provides several valuable investigative lessons for the 21st century compliance professional.

Fox explores how the investigative brilliance of Sherlock Holmes can be applied to modern corporate compliance. Fox translates Holmes’ detective methods into valuable compliance strategies. He discusses how creative investigative techniques, effective witness handling, and quick resolution tactics from Holmes’ era can benefit today’s compliance professionals. With reference to the 2024 updates to the DOJ Whistleblower Financial Incentive Program, Fox emphasizes the importance of timely action, collaboration with external authorities, and attention to detail.

Highlights Include:

  • Holmes’ Clever Tactics and the Jewel Thief
  • Internal Investigative Lessons for Compliance Professionals
  • Maintaining Control in Tense Situations
  • Staying Focused on Objectives
  • Gathering Evidence Discreetly
  • Handling Key Witnesses

Resources:

The New Annotated Sherlock Holmes

Sherlock Holmes FAQ by Dave Thompson

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox. 

Connect with Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Compliance Lessons from Boris Karloff’s Frankenstein

Ed. Note: This week, leading up to Halloween, I will examine lessons for compliance professionals through the lens of the great Universal Movie Monsters: Frankenstein, Wolfman, Dracula, and The Mummy. First up is Boris Karloff’s film version of Frankenstein. 

============================================================

The 1931 classic Frankenstein, starring Boris Karloff as the iconic monster, offers more than gothic horror. It provides a rich framework for understanding corporate compliance. The film, adapted from Mary Shelley’s novel, tells the story of Dr. Henry Frankenstein, whose ambition to play God results in the creation of a monstrous figure. While focusing on the horror elements is easy and fun, a closer analysis reveals valuable lessons for compliance professionals and business leaders alike.

We will explore how this film version of Frankenstein mirrors real-world compliance challenges and how its themes of ambition, unchecked power, and ethical negligence offer critical insights into today’s corporate environment. We will also consider how Frankenstein offers a range of corporate compliance lessons that resonate with the key points raised by Nicole Argentieri in her recent speech to the Society of Corporate Compliance and Ethics (SCCE) and the 2024 Evaluation of Corporate Compliance Programs (2024 ECCP).

The Perils of Ignoring Ethical Oversight: Frankenstein’s Creation and Corporate Risk

Dr. Frankenstein’s pursuit of creating life was a scientific marvel, but his failure to consider his work’s moral and ethical implications led to his downfall. His ambition closed his eyes to the responsibilities that come with power and innovation. This reflects a critical issue for corporate compliance: the danger of ignoring ethical oversight in the rush to achieve business objectives.

In her SCCE speech, Nicole Argentieri highlighted the importance of ethical decision-making and the need for leadership to embed compliance into every facet of business operations. The 2024 ECCP emphasizes that compliance officers must have the authority and autonomy to act independently and influence decision-making at the highest levels of an organization. Just as Frankenstein lacked the oversight to rein in his dangerous experiment, a lack of oversight in corporate governance can result in catastrophic outcomes.

The clear lesson for compliance professionals is that organizations must prioritize ethical oversight and ensure compliance is involved in strategic decision-making. As the 2024 ECCP advises, having a strong compliance function with direct access to the board of directors can prevent “Frankenstein-like” risks from spiraling out of control. Ethics cannot be an afterthought; just as Frankenstein learned too late that his creation needed more than raw ambition, organizations must recognize the importance of ethical governance before it’s too late.

Risk Management: Expecting the Unexpected

One key reason for Frankenstein’s failure was his inability to anticipate the risks his creation posed. He believed he could control the creature, but without proper planning, things quickly spiraled out of control. This is a critical lesson in risk management for any organization. The creature was the manifestation of uncalculated risk—an outcome born of Dr. Frankenstein’s failure to consider the “what ifs.”

Argentieri’s speech and the 2024 ECCP emphasize the importance of addressing emerging risks and implementing proactive risk management strategies. As business models evolve, new risks emerge, and compliance professionals must be vigilant in identifying and addressing them before they become uncontrollable.

Compliance professionals should continuously evaluate and adjust their risk management strategies. This aligns with Argentieri’s recommendation that compliance programs must be agile and anticipate emerging risks, especially in areas such as new technologies, cybersecurity, and third-party relationships. A comprehensive risk management process that includes scenario planning and stress testing can prevent corporate “creatures” from escaping the lab and causing damage.

Accountability and Governance Failures

Dr. Frankenstein operated without accountability, answerable only to himself. His lack of governance resulted in a situation without checks and balances on his actions, and his poor judgment led to tragic consequences. The creature’s actions, while horrifying, can be traced back to Frankenstein’s governance failures.

Argentieri emphasized in her SCCE speech that the DOJ expects organizations to maintain a strong compliance culture backed by a governance structure that holds individuals accountable for their actions. The 2024 ECCP builds on this expectation, stressing that compliance programs must ensure accountability at all levels—from executives to front-line employees.

Effective compliance programs must have strong governance structures to hold individuals accountable for their decisions. This is more than just ensuring policies are in place; it’s about creating a culture where employees at every level understand their ethical responsibilities. Just as Frankenstein should have been accountable for the consequences of his experiment, corporate leaders must be held accountable for the risks and decisions they make within the company.

The Ethical Consequences of Secrecy

In Frankenstein, secrecy plays a critical role in Dr. Frankenstein’s downfall. He isolates himself from his peers, hiding the details of his experiments out of fear that others will not understand or approve. This secrecy prevents him from receiving the input and guidance that could have prevented disaster.

Similarly, corporate secrecy can breed ethical violations. In her speech, Argentieri discussed the importance of transparency in compliance efforts, particularly when addressing misconduct. The 2024 ECCP emphasizes open communication within organizations, noting that secrecy or a culture of silence can lead to deeper ethical violations, regulatory breaches, and, ultimately, significant legal consequences.

Compliance professionals must constantly work to foster a culture of transparency and open communication within their organizations. Indeed, the DOJ sees compliance professionals as the holders of institutional justice and institutional fairness in their organizations. Employees should feel empowered to raise concerns without fear of retaliation. Compliance professionals should encourage whistleblowers, monitor for red flags, and ensure that no department operates in secrecy. In the same way, that Dr. Frankenstein’s isolation led to his downfall, a corporate culture of secrecy can result in unethical behaviors festering in the shadows.

Remediation and the Need for Swift Action

One of the more tragic elements of Frankenstein is Dr. Frankenstein’s inability—or refusal—to remediate his mistakes. Instead of acknowledging the harm his creation causes and taking steps to stop it, he spends much of the film trying to avoid responsibility. This refusal to act only exacerbates the problem, leading to even more destruction.

In her SCCE speech, Argentieri emphasized the importance of remediation when compliance issues arise. The 2024 ECCP reinforces this point, stating that companies must take swift action when misconduct occurs to address the immediate issue and prevent future violations. A failure to remediate can lead to a loss of trust from regulators, stakeholders, and the public.

Companies must act swiftly to remediate any ethical or compliance violations. This means conducting thorough investigations, holding wrongdoers accountable, and implementing corrective measures to prevent similar issues in the future. Dr. Frankenstein’s inaction led to tragic consequences, and in the corporate world, failure to remediate can result in reputational damage, legal penalties, and a loss of public trust.

Creating a Culture of Compliance and Ethical Awareness

Ultimately, Dr. Frankenstein’s downfall can be traced to his failure to create an environment that valued ethical considerations and accountability. He was driven by ambition without the ethical grounding to manage his creation responsibly.

Argentieri’s speech stressed the importance of building a culture of compliance and ethical awareness within organizations. The 2024 ECCP echoes this, highlighting that culture is the foundation of an effective compliance program. A company’s culture should not only encourage compliance but make it clear that ethical behavior is a core value of the organization.

Compliance professionals should focus on building a strong ethical culture within your organization. Compliance programs are most effective when employees at all levels buy into the company’s ethical mission. Training programs, consistent messaging from leadership, and visible consequences for unethical behavior are all crucial components of creating this culture.

The Boris Karloff version of Frankenstein may be categorized as a horror film, but its compliance lessons are relevant to any organization today. From respecting ethical boundaries to the importance of accountability, risk management, and training, the film underscores the dangers of unchecked ambition and the value of thoughtful, well-designed compliance frameworks. As compliance professionals, we must ensure that our organizations don’t become modern-day Frankenstein’s, creating monsters we cannot control.

Join us tomorrow as we consider the corporate branding lessons for the compliance professional from the Bela Lugosi movie version of Count Dracula.

Categories
Blog

2024 ECCP on Accessing Data

In the recently released 2024 Update to the Evaluation of Corporate Compliance Programs (2024 ECCP), the Department of Justice (DOJ) has brought new challenges and opportunities for compliance professionals. One of the most significant changes revolves around data access and the role data plays in an effective compliance program. In this blog post, we’ll explore the key takeaways from the updated guidance and what compliance professionals must do to meet these new expectations, especially when gaining and maintaining access to the right data. This is no longer just about best practices; it is now table stakes. Matt Kelly and I explored this question in this week’s Compliance into the Weeds edition.

Now More Than Ever

One of the most notable aspects of the DOJ’s 2024 update is its focus on data access for compliance professionals. The DOJ has made it clear that if you do not have sufficient access to data, you cannot adequately monitor compliance, detect issues, or remediate problems. Compliance officers are no longer given a pass when they say, “I didn’t have access to the data.”

How did we get here? Part of this shift can be attributed to companies that have demonstrated excellence in leveraging data to bolster their compliance programs. Through the heat of DOJ investigations, these businesses have proven that with the right data, compliance officers can detect misconduct more quickly and prevent violations altogether. At the same time, the DOJ recognizes that many companies still struggle to provide their compliance teams with the data they need to do their jobs effectively.

Data Access: From Best Practice to Table Stakes

In prior years, having a robust data analytics program for compliance was considered a gold standard. It was an aspirational goal that companies could work toward. However, as the DOJ has seen companies implement highly effective data programs, what was once a best practice is now table stakes. If your compliance program can’t access the right data in real-time or near-real-time, you’re not just behind the curve—you’re putting your organization at risk.

Compliance officers can now point to this updated guidance and tell senior management: “This isn’t optional anymore.” You need the resources, tools, and support to access and analyze data effectively. The DOJ’s guidance clarifies that if your company faces an investigation, the inability to access relevant data won’t just be an inconvenience; it will be seen as a compliance failure.

The Six Key Questions: A Roadmap for Data Access

The 2024 ECCP includes six specific questions related to data access, which serve as a roadmap for what compliance officers need to ask within their organizations. While a DOJ prosecutor may not ask all six in any given case, companies should be prepared to answer them all. We will break down how compliance professionals should approach each of these questions.

Does Compliance Have Sufficient Access to Data?

The first question asks whether compliance and control personnel have direct or indirect access to relevant data sources for timely and effective monitoring or testing. In other words, can the compliance team get the information they need when they need it?

This can be a major hurdle for many companies, especially those with complex IT ecosystems. If you’ve gone through multiple mergers and acquisitions, chances are you’re dealing with a variety of legacy systems that don’t “talk” to each other. Compliance officers might find themselves chasing down data from various silos across different business units, which can delay their ability to spot red flags.

What You Should Do

  • Map out your data sources. Know where all relevant data resides, from ERP systems to HR software and procurement platforms.
  • Identify bottlenecks. If your compliance team encounters roadblocks when accessing data, document those challenges and bring them to senior management.
  • Collaborate with IT. Ensure that IT systems are integrated and compliance has the tools to pull and analyze data without delay.

Are There Impediments to Accessing Data?

The second question focuses on barriers preventing compliance from accessing data. These barriers could be structural, such as outdated or incompatible systems, or they could be cultural, such as senior management not prioritizing compliance’s data needs.

What You Should Do

  • Address structural and cultural issues: If your company uses disparate systems, work with IT to create a data lake or central repository for key compliance data. Culturally, ensure that leadership understands the importance of compliance’s access to data and empowers the team accordingly.

Does Compliance Have the Tools to Analyze Data?

Once you can access the data, do you have the tools to analyze it effectively? This question goes beyond simply having access to the data—it’s about whether you have the analytics capabilities to make sense of it.

What You Should Do

  • Invest in the right tools. Data access means nothing if you can’t analyze the information. Invest in data analytics platforms, allowing your compliance team to automate risk assessments, flag potential issues, and generate real-time reports.
  • Train your team. Ensure that compliance personnel are trained on how to use these tools effectively. Analytics without insight is just noise.

Is Data Maintained Properly?

The fourth question concerns data maintenance. Is data stored securely, and is it accurate and reliable? The DOJ wants to ensure that companies don’t just pull data from disparate sources without validating its accuracy.

What You Should Do

  • Validate your data. Work with IT to ensure that data is accurate and up-to-date. Compliance teams need to know that the information they are using is reliable.
  • Establish data governance protocols. Set clear guidelines for data maintenance, including how data should be stored, accessed, and updated.

Is the Company Leveraging Data Analytics to Improve Compliance?

This question is at the heart of the DOJ’s updated guidance. It asks whether companies are using data analytics to create efficiencies in compliance operations and to measure the effectiveness of their compliance programs.

What You Should Do

  • Integrate data analytics into your compliance program. Use data to identify risk patterns, monitor employee behavior, and assess the effectiveness of your compliance efforts.
  • Review your analytics strategy regularly to ensure that you’re continually improving how you use data analytics to enhance your compliance program.
  1. How Precise is Your Data?

Finally, the DOJ asks about the precision of your data. This question goes beyond accuracy—it’s about whether you’re getting the right data at the right level of detail.

What You Should Do

  • Refine your data collection efforts. Ensure you collect precise, relevant data that aligns with your compliance needs. Broad, imprecise data won’t help you detect or prevent misconduct.

Communicating the Importance of Data Access to Senior Management

One of the most important takeaways from the 2024 ECCP update is that compliance officers now have a concrete basis to advocate for better data access. This is no longer about wish lists or best practices—it’s a regulatory expectation. Compliance officers must have honest conversations with senior management and the board about the company’s current data capabilities and where improvements are needed.

Companies often invest in technology when a problem arises, only to pull back once the issue is resolved. This cycle leaves compliance teams under-resourced and needing help to keep pace with evolving risks. The 2024 ECCP gives compliance officers the leverage to push for sustained investments in data access and analytics.

The DOJ’s 2024 update to the Evaluation of Corporate Compliance Programs underscores the critical importance of data access and analytics for modern compliance programs. It is no longer enough to have policies in place; compliance officers need the right data at the right time and the tools to analyze it effectively. The questions posed by the DOJ should serve as a guide for structuring your data access strategy and ensuring that your compliance program is up to the task.

By taking proactive steps to improve data access and analytics, compliance professionals can meet regulatory expectations and build stronger, more resilient programs that can detect and prevent misconduct before it escalates into a serious issue.

Categories
Innovation in Compliance

Innovation in Compliance: Evie Wentink on Rethinking Compliance

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast.

In this episode, Tom welcomes back Evie Wentink to discuss the importance of rethinking ethics and compliance practices.

Evie shares insights from her recent LinkedIn articles on best practices for ethics hotlines and the importance of finding creative ways to engage employees in compliance topics. She reads a whimsical Dr. Seuss-inspired piece on reaching ethics hotlines and emphasizes the need for compliance messaging to be approachable and engaging. Additionally, Evie discusses the challenges compliance professionals face with limited budgets and offers practical solutions such as leveraging LinkedIn for networking and creating low-cost, effective compliance awareness tools.

The conversation also touches on the significance of changing the narrative around ethics and compliance for younger generations. Evie shares her experiences discussing compliance with her children and highlights the need for better education in schools to prepare future employees. She concludes by mentioning her new website, Ethical Edge Experts, and various platforms she’s using to spread compliance awareness. Tom and Evie agree on the necessity of continuous dialogue and innovation in the compliance field.

Key Highlights:

  • Rethinking Compliance Practices
  • Creative Messaging for Ethics Hotlines
  • Leveraging Low-Cost Resources
  • Engaging Managers in Compliance

Resources:
Evie Wentink on LinkedIn

Evie’s Top 10 Compliance Back to Basics

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Everything Old is New Again: The John Deere FCPA Enforcement Action

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today we review the basics of the John Deere enforcement action and why it is so instructive for compliance professionals.