Compliance Perspectives

By Adam Turteltaub KISS takes on a new meaning in this podcast: Keep it Streamlined & Strategic. Keeping it streamlined and strategic is also the topic of a session at the 2025 HCCA Compliance Institute that will be led by Krista Muszak, Senior Manager, Process Optimization at Pfizer and Angela Smart, Senior Compliance and Ethics Partner, Intermountain Healthcare. Specifically. they’ll be applying this new take on KISS to the topic of program effectiveness. So how does it work? How do we keep our programs streamlined and strategic?  First, we avoid scope creep and remain focused. That, they explain, begins with having and continuously referring back to a program charter that keeps you and everyone else involved from pursuing all the tangential issues that could derail your efforts. Second, they advise following the PDCA formula: Plan, Do, Check and Act. Third is conducting a root cause analysis that helps you understand not what happened but why. It will keep  you thinking strategically and not just about the particular incident that called for the analysis to be done. Want to learn more about KISS? Listen to this podcast and then join them in Las Vegas for the 2025 HCCA Compliance Institute. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Business people are given all kinds of goals for revenues, profitability, efficiency and more. For compliance, though, not so often. Many organizations struggle with how to set compliance goals, or even if they should set them. Madrid-based, Juan Ignacio Paillás, Head of Global Compliance Business Sectors for Merck KGaA, Darmstadt, Germany, explains how it should be done. First, he advises, understand the context in which you are working, particularly about how your organizations manages objectives. For example, some organizations embrace very rigid goals, while others take a more flexible approach. When approaching management and the business unit about setting objectives, he cautions that you should expect pushback. To counter it, remind them this is about taking the company’s values and turning them into concrete, measurable behaviors. It is also an exercise in setting priorities within compliance efforts to have the greatest impact on the organization and its performance. As you go to set the goals, determine which levels of the organization you will cover and what is important for each of them. Start with leadership and then enlist them in the efforts Also, he advises being open to business people setting their own goals. Listen in to the interesting goal one person set, and what impact it had. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Healthcare is often rife with fraud, and organizations struggle to prevent it. To gain a different perspective on how to prevent wrongdoing, we spoke with Alec Burlakoff, a convicted fraudster from Insys Pharmaceuticals who now leads Limitless! Consulting. To prevent fraud, he recommends seriously looking at the incentives program in your organization, especially if there are individuals whose commissions may make up  more than half of their compensation. Such high rates of reward, he warns, provide serious temptation to skirt, or outright disregard, the rules. Look also at the messages that lucrative incentive programs send to others in the organization. Individuals who are inclined to do the right thing may find themselves envying those they see breaking the rules and getting rewarded. It can cause them to emulate the bad behavior that they see. Better, he advises, is to seek ways to reward people who do things the right way and build sales for the long term. When it comes to discipline, he takes a very hard line. Many companies, he finds, have zero tolerance policies, but they may not apply them. That, he believes, has to stop. The only way to get the attention of the workforce is to swiftly punish, including terminating, employees who break the rules. Finally, he advises compliance teams to understand the thinking of businesspeople. Know what motivates them, understand their thinking, and get inside their heads. Only then will you be able to effectively reach them. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Are your helpline calls being responded to properly? Are the investigations proceeding expeditiously and properly? To find out, it’s good to do an audit periodically. Before you can begin, though, you need to determine if there is enough available data for an audit, cautions Juliette Gust, President of Ethics Suite, and author of the chapter “Auditing the Confidential Reporting Hotline and Case Management Program Effectives” in the new edition of The Complete Compliance and Ethics Manual. Many compliance programs still do not have formal processes in place, and for them, it’s best to start with a gap analysis. If you do have data, look at how you are tracking both the allegations and the work being doing as a result. How quickly are allegations being reviewed? Is someone letting the reporter know that their allegation has been received and is being acted on? How are you safeguarding the data, including being sensitive to the potential need for attorney-client privilege? Spend time, too, on auditing what is being done to encourage whistleblowing. What is the tone at the top? Are managers doing their compliance training and how quickly? How often does the compliance and ethics committee meet? Does it have a charter? Do the meetings have an agenda, and are they being followed? Another area for potential audit is the investigator. Are your investigators properly trained?  Is there enough staff to do the investigation? Is the investigation appropriately scoped? Curious to learn more about how to audit your helpline and responses to allegations? Listen in now and check out The Complete Compliance and Ethics Manual. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Think you don’t have to worry about the SEC because you’re at a private company or a non-profit? Think again says, Kevin Muhlendorf, attorney at Wiley Rein. You may still end up in the Commission’s crosshairs. He warns that the SEC’s power of investigations expands far and wide, and just being a supplier to a publicly-traded company may lead them to focus on your business. If a private company is acquired by a public one or makes even a non-public offering, there is risk of fraud and SEC action. Lie to an accounting firm and the SEC may become involved. And don’t forget about the risk of parallel investigations involving multiple enforcement authorities. Another risk area is shadow trading. Let’s say your hospital is a part of a clinical trial, and an employee sees it is going well. If that employee decides to short the stock of the drug’s competitor, that could be an issue that falls under the SEC. So what should you do? Keep an eye out for these risks and pay attention to recent enforcement activity and dispositions. Oh, and listen to this podcast. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Business transformations can be times both of risk and opportunity for compliance programs. Employees, struggling to understand the changes around them and feeling stressed, may opt to do the wrong or at least ill-advised things. By the same token, transformations provide an opportunity for compliance teams to change their roles within the organization and redefine the value that they bring. Jill Swain, Global Ethics Manager and Dawn Wood, Engagement, Training and Programme Manager at Rolls-Royce went through a major business transformation and will be sharing their insights from that experience in a session at the 2025 SCCE European Compliance & Ethics Institute. In this podcast they share an abbreviated version of the journey and lessons taken from it. Rolls-Royce, as it transformed itself, wanted employees to understand that ethics and compliance are a part of “winning right” and helping the companies achieve its goals. The compliance teams met the challenge by embarking on several initiatives, both broad and narrow. They: Conducted a Win Right Week Identified the need for ensuring that conflicts of interest were reviewed when reporting lines changed Helped employees understand common dilemmas and how to resolve them Became an integral part of the employee hub to make it easier to access information and ask questions Rolled out a new third party risk management platform In sum, it was a transformation both of the organization and the compliance program within it. Listen in to learn more about what they did and learned through a period of corporate transformation.  Then, join them at the 2025 SCCE European Compliance & Ethics Institute. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Oh, Artificial Intelligence. So much promise, and so much risk. What’s a compliance and ethics professional to do? Start by listening to this podcast about the chapter “Managing the Ethics and Compliance Risks of Artificial Intelligence” in the 2025 edition of The Complete Compliance & Ethics Manual. We spoke with the article’s co-authors, Gwen Hassan (chief compliance officer at Unisys), Dr. Anthony J. Rhem (CEO and principal consultant at A.J. Rhem & Associates), and Patrick Henz (special advisor for compliance, Latin America, for Mitsubishi Heavy Industries Americas). They explain that when we speak of AI we aren’t talking about one technology but a wide range of them. Generative Ai may be getting the most attention but there is also natural language processing, neural networks, expert systems, machine learning and many more. As a result, compliance teams need to understand what form of AI is being used at their organization. When it comes to legal and regulatory frameworks to serve as guidance, it is probably best to look to Europe, which has taken a much more active approach than the US. The United States has just a patchwork of state laws. On the federal level, an executive order from the previous administration has been rescinded by the current one, leaving no national guidance. Despite the legal vacuum, there ae still risks such as bias to manage. As a result organizations need to have clear guidance on what AI can and cannot be used for. There should also be a risk assessment framework that includes: Assessing the data risk Understanding the model Assessing cybersecurity and compliance risk Evaluating ethical risk Continuous monitoring and updating Listen in to learn more about how to manage the possibilities and risks of AI. Then be sure to check out the 2025 edition of The Complete Compliance & Ethics Manual. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub Sometimes you make a few technical changes to a compliance program  because a law or regulation has changed. Autoliv didn’t want to do that and just meet technical requirement of the EU Whistleblower Directive. They wanted to use it as an opportunity to assess what they were doing to encourage employee reporting, whether it was working, and to improve support for people speaking up. Erica Wikman, Vice President, Corporate Compliance, Autoliv and David Barr (LinkedIn), co-founder of Campbell Barr, tells us in this podcast that they shared a vision of moving away from just whistleblowing. Research showed it can have negative connotations.  In addition, whistleblowing tended to be interpreted narrowly, with tremendous variations by region. They also found a fear of either retaliation or that nothing would be done. So, the Autoliv compliance team began to think more broadly and encourage people not just to speak up when they saw a potential compliance issue but also when they saw something positive in the organization or just wanted to express gratitude. Along with that change of scope, they decided to open the lines of communication and encourage employees to bring their concerns and praise wherever they were most comfortable. To make it work they reached out to HR, manufacturing, quality and the health and safety team. Together these groups identified similar needs and dialogue and a willingness of leadership in those areas to come up with a common, welcoming approach to speaking up. By making speaking up more natural and a part of the business dialogue, they were able to lower the barrier to raising issues and turn perceptions around. A potential negative had become a positive. Listen in to learn more about what they did and how you could change the entire atmosphere around speaking up. Listen now Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.

By Adam Turteltaub So the IT folk can’t wait for your business people to delete those old documents, meantime, the business people want to hold onto them because they never know when they might need that info again. Then, all of a sudden there’s a legal issue and a hold is in place. Instantly the game changes. Chris Kruse, Executive Vice President & Advisor at CasePoint explains that when a legal hold is placed several things need to happen: Employees with relevant need to be identified They need to be placed on notice of the obligation to preserve any relevant information. They need to be instructed on how to proceed going forward The custodians of the data need to acknowledge that they have been notified and understand their obligations Individuals with the data need to be reminded that if they create new data it also needs to be retained Securing all the documents and data can be difficult for several reasons. These range from the simple, such as an employee who doesn’t read the email with the instructions to preserve data, to the complex, such as identifying all the different kinds of documents and where they may be stored. Get it wrong, and things can go south pretty quickly. Listen in to learn more about how to ensure that your document hold doesn’t cause more problems than it solves. Listen now

By Adam Turteltaub You do all that work but how do you know you’re being successful? It’s not like people come running in the door and say, “Hey, guess what bad thing I almost did.” The compliance team at the National Security Agency (NSA) had that same challenge. In this podcast, Natalie Knowles, Director of Compliance, and Zack Conyne, Manager, first provide an overview of the NSA. As they explain it has two primary missions:  cybersecurity and signals intelligence. Every employee there annually takes an oath to defend the Constitution, which is, of course, a great reminder of the organization’s values. The compliance team is there to ensure that NSA activities are consistent with the law, including policies and procedures designed to protect privacy and civil liberties. The team measures the success of the program both using quantitative and qualitative metrics. Along the way they have learned a great deal, including the importance of telling a story, managing the complexity of data, and the importance of looking to trends. Listen in to learn more and to benefit from the insights they have gained in measuring the success of their compliance program. Listen now