Compliance Perspectives

By Adam Turteltaub How do you know your compliance program is working, both for your peace of mind or if the government comes knocking? It’s a tough question, and many wonder either how to start measuring or if they’re measuring the right thing. Andrew McBride, Founder & Chief Executive Officer at Integrity Bridge, has a great deal of experience in this area from his time serving as Chief Compliance Officer at Albemarle. In the wake of an FCPA scandal, the company had to be able to demonstrate the strength and effectiveness of its efforts. In this podcast he advises you remember three key questions from the US Department of Justice’s compliance program evaluation criteria: Is the program well designed? Is it applied earnestly and in good faith? Is it working? At the same time, though, he cautions not to just seek simple metrics alone. It’s important to also track why you are measuring what you are measuring. Compliance teams need to take the time to build out the supporting narratives that explain why and how their choices were made and have a fully written out risk assessment. These documents help guide what is measured and establish why those measurements are worth taking. Having the narrative in place also helps the program keep its focus. Over time people change and memories fade as to why a given compliance path was taken. With strong documentation of the original thinking, the compliance team can better assess if the program is delivering what it needs to or if it needs adjustment. When it comes to who does the analysis of the data, he highly recommends hiring a data analyst. These individuals have the capacity to turn the numbers into meaningful dashboards and graphics that everyone can understand. They can also be adept at finding data where you might not think to look. Listen in to learn more about how to effectively measure the effectiveness of your measurement efforts. Listen now

By Adam Turteltaub Oh, come on, we all know it: sometimes the business people get tired of all those compliance requirements. That’s okay and to be expected.  But, how do you know when it has progressed beyond the usual (and maybe healthy) resistance to full-blown exhaustion? Cecilia Fellouse, General Manager of Compliance for Good, warns that, ironically, when the business team stops pushing back, it can be a sign of compliance fatigue. They may just be going behind your back to get what they want. Another troubling sign to watch out for is systematic escalation. Instead of addressing issues to you, they’re taking the issue straight to higher-level management. So, what can cause compliance fatigue and these bad behaviors? She cites several factors and ways to avoid them. Saying “no” too often and being perceived as operating from an ivory tower. Constantly denying requests without providing constructive feedback can make the compliance team seem out of touch. Lack of engagement with frontline teams. Take the time to talk with them and learn their needs Limited or lack of support from top management. Without their support, the job is all but impossible An isolated compliance team. Without interaction with others, including members of the compliance community, it’s easy for the compliance team to get burned out.  You need to make the effort get out there and connect. She also strongly advocates for taking the time to truly understand the business, not just as a whole but also on a more granular basis, down to what is done day to day. Listen in to learn more, including some signs to watch for in the compliance team that suggests that it, too, may be suffering from compliance fatigue. Listen now

By Adam Turteltaub Do you ever ask yourself, “What kind of compliance officer am I?” Netherlands-based  Susan du Becker, Director, Risk & Compliance at Microsoft, thinks we all should. To her experience, there are two answers to that question. One is a regulatory compliance officer: someone who is focused on the requirements of regulators, potential fines and legal consequence. The other is a business compliance officer, who is focused on what the business needs and how to ensure it achieves its goals while staying within the multitude of white lines the laws and regulations have painted. She envisions herself as the latter, balancing business and regulatory requirements. She recognizes that the business unit will test the limits, and that she is there to make sure there are always two feet solidly on the ground. To keep the business team focused on their legal and regulatory obligations, she advocates for making it clear what lines absolutely may not be crossed, taking the time to meet with them regularly and being prepared to have some difficult conversations if necessary. She also believes that compliance teams are most effective when not positioning themselves as just a gate keeper. Listen in to learn more about the approach, the role of governance and how to ensure the business understand this it owns compliance. Listen now

By Adam Turteltaub Rob Tull (LinkedIn), Managing Director at Effective Compliance LLC wants every compliance officer to be both competent and able to demonstrate it. He advocates for the development of four sequential, underlying skills: Communication The ability to be aware of risks Adaptability, and Decision-making/judgement Underlying all of them is knowledge, and together they form a framework for effective compliance programs. The single most important competency area, he argues, is communication. The ability to translate complex laws and regulations into simple language that helps the business make good decisions is paramount. So, too, is the ability to tailor your message to the audience:  management and the board likely need to hear something different than line managers. Listen in to learn more about what makes for competency for compliance professionals. Listen now

By Adam Turteltaub Who are you talking to? When you think about all the employees in your organization, who do you see in your mind? You probably, and should, think of several people: the person in the plant, the R&D people, the sales team. They all have different needs, maybe even different cultures. Adam Balfour, Carsten Tams and Karen Moore (LinkedIn), each of whom is a veteran compliance professional, explain in this podcast why it’s so important to truly know who the people are in your organization and the risks they interact with. They explain that you have to take the time to get in their heads to understand what their needs are and how best to communicate with them. One technique they advocate for is developing personas: Create fictional, yet realistic descriptions of the types of people in your organization. That will help you better flesh out who they are, their goals and their skills. This process also helps you stand in their shoes and understand not what you want to say but how they are likely to interpret and use that information. Listen in to learn more about how to bring your workforce to life in front of you and have a real impact on their behavior. Listen now

By Adam Turteltaub It’s a complex world, we all know, and we all try to simplify it and our lives, at least from time to time. Nitish Upadhyaya, Director-Behavioral Insights at Ropes & Gray’s R&G Insights Lab and podcaster, wants compliance teams to appreciate complexity and, if not embrace it, at least understand how to work with it. For him this journey started many years ago with the recognition that disincentives don’t always work. He wanted to understand why. This led him to an understanding of complexity, which explores the connections between people and systems and how nonlinear and unpredictable things can be. Appreciating that knot of connections is important for compliance teams, he argues, since the nature of the job involves affecting individual behavior and culture. He outlines several principles that compliance teams should follow: Move away from the idea that you can map everything. Context matters. Understand the human dynamics and stories. The only real rule in a complex system is it will have unintended consequences. When dealing with a complex system, think of the direction you want, not just the end point. It's about managing energy in the system and following natural contours Anomalies are helpful. Outliers can be your next risk or innovation. Map constraints, the things that connect or limit people, such as fear of retaliation or cultural issues, And when it comes to a root cause analysis, dig until you find not just the root, but the several roots that likely underlie it. Listen in to learn more about approaching and harnessing complexity. Listen now

By Adam Turteltaub The Health Care Compliance Association just published the 4th edition of the Research Compliance Professional’s Handbook, and to see what’s new in it we sat down with the editor, Kelly Willenberg (LinkedIn) of Kelly Willenberg & Associates. The Handbook, she explains is there to help both those who attend the HCCA Healthcare Research Compliance Academy and anyone looking for a desktop reference that addresses the fundamentals of research compliance. It addresses topics such as safety, privacy, monitoring, and biosecurity. For this edition each chapter was reviewed thoroughly with any and all necessary updates made, including to the chapter on FDA regulations. In addition, a new chapter was written to address AI. It defines what AI is and why compliance teams need to look at it from a risk management perspective. The chapter also addresses the integration of AI and how therapies are changing. One admonition that she provides for compliance teams is to watch Europe. As with privacy, Europe has taken the lead in AI regulation. Be sure to listen in and then take a look into buying your own copy of Research Compliance Professional’s Handbook, 4th Edition. Listen now

By Adam Turteltaub It’s one thing if a company wants to protect its trade secrets. But, what if it wants to keep its dirty little secrets from getting out? Then, the SEC may want to step in. Stephen Cohen (LinkedIn), partner at Sidley Austin, and a former senior leader in the Enforcement Division at the SEC, explain in this podcast that, to understand the issue, we need to look back to the Dodd-Frank Act. The law led to the SEC whistleblower program and included anti-retaliation authority. The SEC believed it had implicit authority to punish efforts that impeded direct communication by whistleblowers with the Commission and its staff. Both the SEC and CFTC have created similar rules prohibiting organization and individuals from taking any action that inhibits someone communicating directly with the SEC about a possible securities law violation. The SEC has interpreted that to mean that language in non-disclosure and severance agreements, codes of conduct, policies and elsewhere that either require employees to report issues internally rather than to the government, or require non-disclosure to the government as a condition of severance, are illegal. Several companies have since run afoul of the SEC on this issue, with cases going back to 2015. So what should companies do? For one, make sure that they are properly balancing the need to protect confidentiality without interfering with whistleblowing. Watch for language prohibiting disclosure of information to third parties that doesn’t provide an exception for the government. Be on the lookout, too, for policies requiring departing employees to attest that they did not disclose information to the government. Look, too, at what your employment agreements say. Likewise, watch what language you include in agreements with your third parties. The SEC looks askance, there, too, to language that it perceives would inhibit reporting of wrongdoing. Listen in to learn more about this evolving issue and its many pitfalls. Listen now

By Adam Turteltaub Greg Walters is an attorney in the Cyber Risk and Governance Branch at the SEC. But in this podcast he’s not speaking as an enforcer but as someone who has seen a lot of compliance training during his career as a government attorney across numerous agencies. He warns that while an organization may boast of 100% completion rates for their training, that doesn’t mean 100% of the employees got the message. That’s especially true of online training, where, unlike live training, it’s hard to tell if people are truly following along and then adjust the learning. The goal, he argues, is not to just give knowledge but to affect behavior. So, to see what impact the training has had, look to changes in the number of types and questions you receive, as well as incidents that do or don’t occur. Also, take the time to understand your audience and make sure that the training is relevant to them and reflects the culture of the organization. Listen in to learn more tips for improving the effectiveness of your compliance training program. Listen now

By Adam Turteltaub There is an expectation in many, if not most people, that at some point they will, or should be, promoted. But how do you know if you are ready? And, once you are promoted, what does it take to succeed in your new role? To find the answers we spoke with compliance veteran, Debbie Hennelly, Founder & President of Resiliti. The first piece of advice she shares is that not everyone needs or wants to be a manager. For many it’s okay to say that they love being a subject matter expert and advisor, and they aren’t ready, or maybe never will be ready, to be something else. If you are looking to move up, how do you know you are ready? She reports that you don’t until you are actually in the job. That’s especially true for compliance people, since we who often don’t benefit from the leadership and management training that is given to other parts of the organization. Once in the role, let the team know that you value them. If there was someone else on it that you beat out for the role, acknowledge the situation and let the person know you recognize the sensitivities and hope to earn their trust. If you are new to the organization, know that it’s okay and better to spend the first 90 days doing a lot more listening than talking. Resist the urge to make changes until you have a better understanding of the organization’s culture. Also, take the time to introduce yourself to peers and leaders. Ask them about their roles and how you can support them. Listen in to learn more about how to step up successfully. Listen now