Compliance Perspectives
An SCCE Podcast

Jun 5, 2025 • 11min
Chris Audet on Third Party Risk [Podcast]
By Adam Turteltaub
Recently, Gartner released very intriguing research into third party risk. Chris Audet, Vice President and Chief of Research in the Gartner Assurance Practice, tells us that they found business has its spending all wrong. Too much is invested in due diligence, and not enough time and effort is spent on monitoring.
Their research found that the business unit knows the risks third parties pose and is seeing them firsthand. When relationship managers were surveyed, 84% had seen changes to the risk profile and 76% found a third party had provided materially inaccurate information. In fact, 95% had seen something troubling in the past year.
So why aren’t they reporting this information to the compliance team and what would get them to share more? There were three main answers, Chris reports:
Creating more relationship ownership objectivity. Too many feel too strong a tie to the third party.
Confidence in identifying red flags.
Encouraging objectivity and providing reassurance that compliance won’t over-react.
He also advises making it easy for third party relationship owners to contact compliance and to work compliance into the workflow.
Listen in to learn more about the benefits of rebalancing the third party risk equation.
Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.

Jun 3, 2025 • 10min
Robert Stratton on Healthcare Enterprise Risk Management [Podcast]
By Adam Turteltaub
Risk assessments are not new in healthcare, and in specific regulatory areas they are required. But that doesn’t mean things aren’t changing. More and more organizations are embracing enterprise risk management (ERM) assessments as a way to assess the range of risks that they face, including legal and regulatory concerns.
Getting the risk assessment right is particularly challenging for healthcare organizations, explains Robert Stratton, Executive Director – Enterprise Risk and Security; Corporate Compliance Official and Senior Counsel for Northwest Permanente. Robert is also the author of the chapter “Enterprise Risk Management in Healthcare” in the latest edition of the Complete Healthcare Compliance Manual. The mix of insurance, patient care professionals, large sums of money and complex structures makes the risk map challenging.
On the positive side, electronic health records can provide a wealth of information to inform your ERM efforts, as can frontline employees who can provide insights into what is going on behind the numbers.
Once the risks are mapped, there are four ways to manage them, he explains: transfer, accept, mitigate and avoid. It’s hard to do any of them cleanly, but it’s important to understand which approach or approaches are best for a given risk.
All four approaches, he adds, need to be accompanied by a culture which is aware of the risks, understands the risk appetite of the organization and their department, and acts accordingly.
Listen in to learn more about ERM and how compliance can play an effective role in identifying and managing risk.

May 29, 2025 • 12min
Ryan Redman and Brett Sommers on AI and Cybercrime [Podcast]
By Adam Turteltaub
As if ransomware and phishing attacks weren’t enough to keep us up at night, now AI is enabling a whole new range of cyber threats.
Ryan Redman, Product Manager, Marketing, and Brett Sommers, Director of GRC Products at Onspring, warn that the nature of attacks is evolving. Vishing, in which criminals use technology to imitate the voices of colleagues and organization leaders, is being used to trick people into revealing passwords, sharing data or sending money. Employees need to learn to be wary and to confirm requests, even from trusted voices, via email or other means.
Healthcare and manufacturing are two industries that have been singled out by bad actors for this kind of attack.
Aside from training, what else can compliance teams do? They recommend:
Focusing your resources on high value risk areas
Ensuring your cyber defenses are as strong as they need to be
Reviewing your third parties to ensure that a compromise won’t come from someone hacking into their systems
Understanding how AI is being used by your organization and vendors to make sure that the security is adequate
Being transparent about your expectations
Listen in to learn more. I swear it’s really us and not AI.

May 27, 2025 • 11min
Anna Romberg on Compliance Amidst a Global Consensus Breakdown [Podcast]
By Adam Turteltaub
These are fractious times, and it’s often difficult to figure out what to do, what comes next, and how to keep people with divergent views working together.
Despite these challenges, Anna Romberg, Executive Vice President, Sustainability, Legal and Compliance for Getinge, doesn’t believe that things are hopeless. In an article she co-authored with Richard Bistrong for Harvard Business Review, they laid out several strategies for successfully navigating the current era.
In this podcast, she reminds us that ethics and compliance programs are about more than following the law. They are also about encouraging good behavior, which includes following the company’s values, no matter how the political winds are blowing.
With that said, now is a good time to do what organizations need to do, which is assess their values periodically to ensure that they are relevant, and the organization is living up to them.
At the same time, she encourages the compliance team to embrace friction. It is inevitable when facing difficult discussions and different opinions. It’s also a sign of change and that the matter at hand needed to be dealt with.
She also cautions compliance teams to be alert and encourage speaking up. With increased pressure and changing norms, some may lose sight of the need to do the right thing.
Listen in for a bit of stability during unstable times.

May 22, 2025 • 14min
Lisa Beth Lentini Walker on Resiliency and Changing Times [Podcast]
By Adam Turteltaub
Do you ever wish you were made of rubber, especially nowadays with so much change? Do you wish that you could be flexible enough to handle every new legal regulatory change or every business demand without breaking?
It’s not likely to happen, but compliance industry veteran Lisa Beth Lentini Walker believes that we can become more resilient. Resilience, she observes, is a mindset. We can work to become more adaptable and open to change by framing it in the right way. If you look at it with dread, you are less likely to succeed. But, if you recognize that nothing is permanent, change is inevitable and focus on what needs to be done, the chances of success are much greater.
Look at change as an opportunity to shine and show leadership. Become the person who management trusts to look to the future and find the path forward for the organization. The workforce, too, wants to know that they can count on you to keep them safe and the company operating strongly.
Listen in to learn more about becoming resilient and an effective compliance leader during changing times.

May 20, 2025 • 11min
Timur Khasanov-Batirov on Compliance in the Former Soviet Central Asian Republics [Podcast]
By Adam Turteltaub
Uzbekistan, Kazakhstan, Tajikistan, Turkmenistan and Kyrgyzstan were all born out of the dissolution of the Soviet Union. With large energy deposits, including natural gas, many global companies and their suppliers are operating within these countries.
To better understand the compliance risks there, we spoke with Timur Khasanov-Batirov, a compliance officer with deep and wide roots in the region.
While we may think of this area as one region, he warns that there are substantial differences by country. Kazakhstan is the most developed, and compliance has gained significant traction in large companies, primarily in the oil and gas sector. Uzbekistan saw three major FCPA cases, and, as a result, compliance has garnered a great deal of attention. The other three countries have much smaller economies and less developed compliance cultures. In addition, Turkmenistan has a fairly closed economy, which complicates the picture.
While it is easy to focus on the anticorruption risk in the region, there are other challenges. The area has become a significant transshipment point to Russia of prohibited and dual-use goods. In addition, child and forced labor is an issue, especially in the textile industry.
To mitigate these risks, especially for sanctions evasion and corruption, companies operating in the region will need to pay close attention to the ownership of companies. That is not always easy to do because corporate structures are often opaque. The desktop-based due diligence systems in the US and Europe are likely not sufficient, Timur advises. Having someone on the ground in the region is likely needed.
Listen in to learn more about what it takes to operate a compliance program in this important part of the world.

May 15, 2025 • 11min
Rachel Gerstein on Trade Sanctions [Podcast]
By Adam Turteltaub
It’s not a good time to be a manufacturer of ten-foot poles. That’s because with the growing number of sanctions regimes, there are an increasing number of companies and individuals that businesses shouldn’t touch with a pole of ten feet, or any length for that matter.
Rachel Gerstein, who most recently served as Vice President, Global Ethics and Compliance Counsel for Gartner, explains in this podcast that trade sanctions are laws and regulations designed to prevent and punish engaging with countries, organizations and individuals that the government has deemed a threat to national and international security, or that have committed human rights violations.
Many countries have sanctions regimes, although the United States tends to have the strongest. The US, for example, has countrywide sanctions against Iran, Cuba, Syria and North Korea, as well as numerous sanctions against Russian individuals and entities.
The government’s enforcement arm is the Department of the Treasury’s Office of Foreign Assets Control (OFAC), which has developed comprehensive guidance for compliance programs. It includes five pillars that will sound very familiar to anyone in compliance:
Management commitment
Risk assessment
Internal controls
Testing and monitoring
Training
In addition to the obvious similarities in compliance program design, there is also great practical overlap. Third party vetting for anticorruption risk, for example, can also include sanctions-related checks. When determining if the company’s owners are politically exposed, it’s an ideal time to determine if there is 50% ownership by a sanctioned individual or entity.
Training is another common element and particularly important. Individuals involved in payments and accounts receivable need to be educated in sanctions risks and what to watch out for. Employees across the workforce also need to be sensitized to the issue. Europeans, for example, may see Cuba as just another exotic Caribbean vacation destination and not realize the risk.
Of course, there are also different tools used for sanctions compliance. Your bank, for one, may be an asset, given that it may be keeping its own list of sanctioned entities.
Geoblocking is a tool that can be used to determine what country someone is communicating with you from, and it can be used by you to block those interactions.
In short, there is a great deal of risk, but there are great similarities with other compliance efforts, enabling you to combine sanctions compliance with other compliance efforts.
But, you’re still not likely to need that ten-foot pole.

May 13, 2025 • 9min
Colleen Gianatasio on Value-Based Care and Compliance [Podcast]
By Adam Turteltaub
The current fee-for-service model in healthcare has challenges, to say the least. Value-based care, explains Colleen Gianatasio, Vice President of Compliance, CoventBridge, takes a different approach by asking four questions:
What are the needs for both patients and providers?
What are the challenges and barriers to meeting them?
What technology and other resources are available?
How will providers be measured for success, and when will they be reimbursed?
In answering these questions there is an underlying emphasis on a much more collaborative and transparent approach among patients, providers and payers. There is also a commitment to understanding the community as a whole.
For those looking for advice on how to pursue value-based care, she offers several thoughts, including:
Be thoughtful in your use of technology solutions
Give all your stakeholders a seat and voice at the table
Break down the silos, and communicate openly and frequently
Listen in to learn more about the practice and promise of value-based care.

May 8, 2025 • 11min
Leyla Erkan on the Top Compliance Priorities for US Healthcare Companies [Podcast]
By Adam Turteltaub
Recently Protiviti released an intriguing report: Top Compliance Priorities for U.S. Healthcare Organizations in 2025. In this podcast their Global Healthcare Compliance Leader, Leyla Erkan, shares some of the key priorities they revealed:
Managing technology. This includes wearable devices, AI, telehealth platforms and more. All have great promise, but each comes with significant risk.
Privacy and security. Many organizations are struggling with right of access issues, reproductive health data, and using data more effectively to deliver care. Not to mention the issues of data breaches and ransomware.
Integrating quality and safety into compliance programs. As with value-based care, expectations have grown for compliance to play a key role in ensuring quality and safety.
Billing and coding. Cloning of documentation remains a key risk area along with lack of documentation. New technologies hold great promise but there are challenges in areas such as using AI.
Listen in to learn more about these issues and others identified as top compliance priorities for healthcare in 2025.

May 6, 2025 • 14min
Eric Shoemaker on Establishing the Value of a Cybersecurity Compliance Program [Podcast]
By Adam Turteltaub
How much is your cybersecurity program worth? Traditionally the thinking has kind of been: if we don’t have a breach it’s expensive but valuable, and if we do have one it’s both expensive and worthless.
Eric Shoemaker of Genius GRC advocates for a different way to value cybersecurity efforts. Instead of just looking at what it prevents, also look at what it enables: your organization doing business with less friction. A good cybersecurity program gives customers the confidence that you are safe to do business with. It prevents business interruptions, and it doesn’t get too much in the way of the business.
So track things like deals successfully closed after reviewing the company’s cyber defenses.
He also argues for using near misses as a way to demonstrate value. Each incident provides an opportunity to examine what could have gone wrong, what controls worked, and what enhancements could be made to strengthen them.
Listen in to learn more about how you can establish the value of your cyber protection efforts.