compliance ethics professional...+1 952 933 4977 or 888 277 4977 3 compliance & ethics...

Compliance & EthicsProfessional

a publication of the society of corporate compliance and ethics www.corporatecompliance.org

December

2014

45Why outsourcing

your political activity compliance

makes senseScott Stetson

29Taking compliance

programs to the next level: Using

business processesDeena King

37A unique environment:

Compliance for government

organizationsGregory Gray

21Extending the reach

of your program: Compliance and ethics liaisonsRebecca Walker

Meet Shin Jae Kim

Partner, TozziniFreire AdvogadosSao Paulo, Brazil

See page 14

The utilities and energy industries are

highly regulated. Compliance topics can

be specific and focused on areas that

are not necessarily addressed at the

all-industry level.

Take advantage of the opportunity to

discuss specific content areas in more

detail, and enjoy a forum for sharing

and exchanging ideas with others

facing the same regulations.

Learn more and register at www.corporatecompliance.org/utilities

Utilities & EnergyCompliance & Ethics ConferenceFebruary 22–25, 2015 | Houston, Texas | Westin Oaks

Questions: [email protected]

+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 3

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

The utilities and energy industries are

highly regulated. Compliance topics can

be specific and focused on areas that

are not necessarily addressed at the

all-industry level.

Take advantage of the opportunity to

discuss specific content areas in more

detail, and enjoy a forum for sharing

and exchanging ideas with others

facing the same regulations.

Learn more and register at www.corporatecompliance.org/utilities

Utilities & EnergyCompliance & Ethics ConferenceFebruary 22–25, 2015 | Houston, Texas | Westin Oaks


LETTER FROM THE CEO

by Roy Snell, CHC, CCEP‑F

Please don’t hesitate to call me about anything any time.612 709-6012 Cell • 952 933-8009 Direct roy.snell @ corporatecompliance.org

@RoySnellSCCE /in/roysnell

An emerging best practice is to have compliance expertise on the Board. The enforcement community is tired

of organizations paying fines/penalties and considering it a part of doing business. The press, public, politicians, and prosecutors are calling for individuals to be held accountable

for recent regulatory missteps. They are suggesting board members be held accountable because they believe that regulatory compliance should be a major responsibility of the governing body. Society believes individuals (not necessarily companies) commit fraud, and that those individuals should be held accountable. Society also

believes that leadership is culpable, because leadership didn’t prevent the individuals from committing the fraud.

Having compliance expertise on the Board just makes sense. It sends a message to those who may have to determine what kind of message to send you, in the form of fines and penalties. However, the problem I see is that leadership doesn’t understand what compliance expertise is.

If you ask most companies if they have compliance expertise on their Board, most would say yes. When asked who the compliance expert is, they typically point to a lawyer, auditor, risk manager, or an ethicist. None of these professions are automatically

compliance experts. All lawyers have different specialties. You would not have a tax attorney negotiate a bribery settlement. Likewise you would not have just any lawyer provide compliance expertise.

What the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise. Ethicists help build ethical cultures, but if they have never held the job of a compliance officer, it’s difficult to hold them out as compliance experts. The same is true for risk managers and auditors. Law, ethics, risk, and audit are all elements of a compliance program, but experience in those professions is not enough to claim expertise in the Compliance profession as a whole.

Well intentioned leaders are committed to compliance, and they want to set themselves apart. I tell them a best practice is to put someone with compliance experience on the Board. They respond they have it. They point to an individual with no education or job experience in the Compliance profession. The enforcement community knows what a compliance officer and a compliance program are. You simply can’t convince an enforcement official, or any other knowledgeable individual for that matter, that you have compliance expertise on your Board if no one on your board has ever held the position of a compliance officer. ✵

Snell

Compliance expertise on your Board?

https://www.linkedin.com/in/roysnell

4 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

December 2014Contents

Compliance & Ethics Professional is printed with 100% soy‑based, water‑soluable inks on recycled paper, which includes 10% post‑consumer waste. The remaining fiber comes from responsibly managed forests. The energy used to produce the paper is generated with Green‑e® certified renewable energy. Certifications for the paper include

Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Programme for the Endorsement of Forest Certification (PEFC).

FEATURES

14 Meet Shin Jae KimAn interview by Adam Turteltaub

21 Extending the reach of your program: Compliance and ethics liaisonsby Rebecca WalkerA network of liaisons who are aligned with the company’s structure and culture can be your “eyes and ears on the ground” and represent the C&E program in local units.

29 [CEU] Taking compliance programs to the next level: Using business processesby Deena KingThe seven elements can be used to design a master compliance process and manage compliance programs to increase their effectiveness.

37 [CEU] A unique environment: Compliance for government organizationsby Gregory GrayThose who work in government entities face some unique compliance challenges and could use some specialized training.

45 Why outsourcing your political activity compliance makes senseby Scott StetsonShareholders, watchdog groups, and federal, state, and local laws are demanding greater transparency, and a wrong move could be devastating.

COLUMNS

3 Letter from the CEO

ROY SNELL

13 Boehme of contention

DONNA BOEHME

47 EU compliance and regulation

ROBERT BOND

51 A view from abroad

SALLY MARCH

63 Social skills

MELODY HAASE

69 Compliance, life, and everything else

THOMAS R. FOX – NEW COLUMNIST

90 The last word

JOE MURPHY

DEPARTMENTS

6 News

12 People on the move

26 New members

48 Newly certified designees

91 Takeaways

92 Events calendar


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

ARTICLES

EDITOR-IN-CHIEF

Joe Murphy, Esq., CCEP, CCEP-I Senior Advisor, Compliance Strategists jemurphy5730 @ gmail.com

EXECUTIVE EDITOR

Roy Snell, CHC, CCEP-F, CEO, Society of Corporate Compliance and Ethics roy.snell @ corporatecompliance.org

ADVISORY BOARD

Charles Elson, Chair in Corporate Governance, University of Delaware [email protected]

Odell Guyton, Esq, CCEP, CCEP-I VP Global Compliance, Jabil Circuit, Inc. [email protected]

Rebecca Walker, JD, Partner Kaplan & Walker LLP [email protected]

Rick Kulevich, Senior Director Ethics & Compliance CDW Corporation [email protected]

Greg Triguba, JD, CCEP, CCEP-I Senior Practice Leader, Affiliated Monitors, Inc. [email protected]

Zsuzsa Eifert, CCEP-I Group Compliance Officer, T-Mobile [email protected]

Constantine Karbaliotis, JD, CCEP-I Mercer [email protected]

Andrijana Bergant, CCEP-I Compliance Office Manager, Triglav [email protected]

Mónica Ramírez Chimal, MBA Managing Director, Asserto [email protected]

Garrett Williams, CPCU Assistant Vice President, State Farm [email protected]

Vera Rossana Martini Wanner, CCEP-I Legal/Compliance, Gerdau [email protected]

Robert Vischer, Dean and Professor of Law University of St. Thomas [email protected]

Peter Crane Anderson, CCEP Attorney at Law, Beveridge & Diamond PC [email protected]

Peter Jaffe, Chief Ethics and Compliance Officer, AES [email protected]

Michael Miller, CCEP, Executive Director of Ethics & Compliance, Aerojet Rocketdyne [email protected]

John Delong, JD, Director of Compliance National Security Agency [email protected]

VOLUME 11, ISSUE 12


Corruption is undoubtedly one of the major risks when doing business

in Latin America.

See page 19“ ”

Compliance & Ethics Professional (C&EP) (ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscriptions are free to members. Periodicals postage-paid at Minneapolis, MN 55435. Postmaster: Send address changes to Compliance & Ethics Professional Magazine, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2014 Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent from SCCE. For subscription information and advertising rates, call +1 952 933 4977 or 888 277 4977. Send press releases to SCCE C&EP Press Releases, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Opinions expressed are those of the writers and not of this publication or SCCE. Mention of products and services does not constitute endorsement. Neither SCCE nor C&EP is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

STORY EDITOR/ADVERTISINGLiz Hergert +1 952 933 4977 or 888 277 4977 liz.hergert @ corporatecompliance.org

COPY EDITORPatricia Mees, CCEP, CHC +1 952 933 4977 or 888 277 4977 patricia.mees @ corporatecompliance.org

PROOFREADERBriana Gehring +1 952 933 4977 or 888 277 4977 briana.gehring @ corporatecompliance.org

DESIGN & LAYOUTGreg Schaffer +1 952 933 4977 or 888 277 4977 greg.schaffer @ corporatecompliance.org

53 Organizations and leadership: How power and ethics interactby Frank J. NavranThe role of physics and engineering in effective leadership, using power rather than force to achieve an ethical means to the desired outcome.

65 Why IT access controls in Compliance matterby Ralph VillanuevaEvery compliance officer needs to be knowledgeable about IT access controls to safeguard company data, and it’s not as difficult as it may seem.

71 Compliance and ethics? I can do that!by Carlos VecinoMilitary veterans may find they have skills and experiences that make them desirable candidates for jobs in the compliance and ethics area.

75 Ten psychology lessons for the ethics and compliance professionalby Virginia MacSuibhneLow‑cost lessons, techniques, and insights that can be applied in your efforts to influence employees to choose ethical and compliant behavior.

79 Taking a cue from Madison Avenue: Branding your compliance programby Christopher AnnandA recognizable brand and marketing strategy will help compliance communications stand out from all the other messages that compete for your employees’ attention.

83 [CEU] The mathematics of complianceby William L. JenningsAnalyzing data and relationships during investigations and using dashboards can help reveal unethical, non‑compliant, and/or illegal behavior.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

NEWS

Read the latest news online · www.corporatecompliance.org/news

Barclays bans broker freebiesIn an effort to tighten internal controls, UK bank Barclays has banned its employees from giving or receiving gifts to or from brokers. The ban addresses the connections between bank employees and executing brokers, people who process orders for the bank. According to a recent article by Bloomberg News Service, Barclays traders have also been restricted to working with a pre-approved

list of brokerage firms, and meetings must take place at Barclays’ offices. The policy reportedly went into effect in March, but has only recently been made public. According to Bloomberg, Barclays has paid at least $1.36 billion in fines and settlements since 2008, including a £290 million ($470 million) penalty for rigging the London interbank offered rate (LIBOR).

Survey: Security incidents grow worldwideThe number of reported information security incidents worldwide rose 48% to 42.8 million when comparing 2014 figures with 2013 figures, according to a new survey by PwC, in conjunction with CIO and CSO magazines. In 2014, those findings are equivalent to 117,339 attacks per day. Since 2009, detected security incidents have increased 66% year-over-year. As security incidents become more frequent, the associated costs of managing and mitigating breaches are also increasing.

Globally, the estimated reported average financial loss from cybersecurity incidents was $2.7 million – a 34% increase over 2013. Big losses have been more common this year as organizations reporting financial hits in excess of $20 million nearly doubled. The survey, The Global State of Information Security® Survey 2015, represents 9,700 executive-level businesspeople and security practices from more than 154 countries. To download the survey, visit: http://bit.ly/PWCsecuritysurvey

Study: TI urges greater use of anti-corruption compliance verification measuresThe use of a risk-based approach, regular external reviews, greater public disclosure, and uniform standards for program certification are all concepts advocated by Transparency International-USA to improve compliance verification. These recommendations were offered in its recently released study, Verification of Anti-Corruption Compliance Programs, intended

for companies with international operations. To reach its conclusions, the anti-corruption group gathered data through interviews with compliance officers in US companies, accounting firms, law firms, consulting firms, government monitors, certification companies, and others. For more details, download the study here: http://bit.ly/TIcompverify.

http://bit.ly/PWCsecuritysurvey

http://bit.ly/TIcompverify


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

NEWS

Read the latest news online · www.corporatecompliance.org/news

Advertise with us!Compliance & Ethics Professional is a trusted resource for compliance and ethics professionals. Advertise with us and reach decision-makers!

For subscription information and advertising rates, contact Liz Hergert at +1 952 933 4977 or 888 277 4977 or liz.hergert @ corporatecompliance.org.

SCCE’s magazine is published monthly and has a current distribution of more than 4,700 readers. Subscribers include executives and others responsible for compliance: chief compliance officers, risk/ethics officers, corporate CEOs and board members, chief financial officers, auditors, controllers, legal executives, general counsel, corporate secretaries, government agencies, and entrepreneurs in various industries.



December

2014

45Why outsourcing



29Taking compliance








Meet Shin Jae Kim


See page 14

RegulatoryRevised US internal controls rules comingSOX compliance may soon be more difficult for public companies, thanks to updated internal control guidelines that come into effect December 15. Companies subject to Section 404 provisions of the Sarbanes-Oxley Act, which formerly followed an internal controls framework issued in 1992, will be asked to implement the 2013 Internal Control Integrated Framework. These new guidelines are the creation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). However, since COSO has no regulatory enforcement authority, the December 15 deadline is only a suggested goal. The new framework’s goal is “defining internal control, describing requirements for effective internal control including components and relevant principles, and providing direction for all levels of management to use in designing, implementing, and conducting internal control and in assessing its effectiveness.” For more details, download COSO’s article, “The 2013 COSO Framers and SOX Compliance—One Approach to an Effective Transition”: http://bit.ly/framework-sox

DOJ and FTC sign cooperation agreement with Colombian Antitrust AgencyThe Department of Justice and the Federal Trade Commission have signed an antitrust

cooperation agreement with the Colombian antitrust agency to further enhance their law enforcement relationship. The new agreement contains provisions for antitrust enforcement cooperation and coordination, conflict avoidance, and technical cooperation. The agreement also contains confidentiality protections. This cooperation agreement is similar in substance to those previously signed by the US antitrust agencies with other jurisdictions in the Americas, including Brazil, Canada, Chile, and Mexico.

New transparency rules for big companies in EuropeThe European Council adopted new measures recently aimed at strengthening businesses’ transparency and accountability across the European Union (EU). The rules will apply to publically listed companies with more than 500 employees, of which there are approximately 6,000. The directive requires companies to disclose “relevant and material information on policies, outcomes and risks, including due diligence that they implement, and relevant non-financial key performance indicators concerning environmental aspects, social and employee-related matters, respect for human rights, anti-corruption and bribery issues, and diversity on the boards of directors.” For more details, see the EC press release: http://bit.ly/EUdisclosurerules

http://bit.ly/EUdisclosurerules

Take the Certified Compliance & Ethics Professional (CCEP)™ or Certified Compliance & Ethics Professional – International (CCEP-I)™

exam after you complete this intensive training session.

Learn more at www.corporatecompliance.org


Basic Compliance & Ethics Academies

More than 7,100 compliance professionalshold a Compliance Certification Board (CCB)® credential

Register now. Seats fill up fast.

Remaining

2014

Academy:

Dubai, UAE 14–17 December

Get Certified.Enroll Now.

scce-2014-academies-domestic-dec-cep.indd 1 11/10/14 2:57 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Find the latest conference information online · www.corporatecompliance.org/events

SCCE conference news

SCCE NEWS

Announcing the agenda for SCCE’s annual Utilities & Energy Compliance & Ethics Conference We are pleased to announce the agenda for the 2015 Utilities & Energy Compliance & Ethics Conference. The agenda includes topics such as:

· Lessons Learned: Compliance Failures and Successes in the Utilities and Gas Industry

· Cyberforensics: Critical Incident Response · The Principled Regulator · How Two Different Utilities

Approach Compliance · Recent Lessons Learned from FCPA

Enforcement Actions · Embracing the Multi-Generational

Workforce

The conference is set for February 22-25, 2015 in Houston, TX and is designed to provide the opportunity to discuss specific content areas that are affecting the energy and utilities industries in more detail. In such highly regulated industries, it can be difficult to cover the topics at an all-industry compliance and ethics conference, so we try to provide coverage of topics that are focused on these the compliance issues in the utilities and energies industry. It is also important to create a strong network for those who face these regulations so that they can share best practices and exchange ideas. To save your place, register at http://bit.ly/U-E-conf

Basic Compliance & Ethics Academies®

SCCE’s Basic Compliance & Ethics Academies® provide you with a three-and-a-half day curriculum focused on subject areas at the heart of effective compliance and ethics programs. The Academies are rich learning experiences, whether you are relatively new to compliance and looking to quickly learn the fundamentals of compliance management or you are a more experienced practitioner looking to learn the latest best practices or prepare for the CCEP® certification exam.

Every US Academy that has taken place so far in 2014 has sold out. Book now to guarantee your space at an upcoming Academy.

2014 Remaining Dates and Locations:

· December 1 – 4 | San Diego, CA

Upcoming 2015 Dates and Locations:

· February 9 – 12 | San Francisco, CA

· March 9 – 12 | Las Vegas, NV

· April 27 – 30 | Orlando, FL

· June 8 – 11 | Scottsdale, AZ

· August 10 – 13 | New York, NY

· September 14 – 17 | Chicago, IL

· October 19 – 22 | Las Vegas, NV

· November 16 – 19 | Orlando, FL

· Nov. 30 – Dec. 3 | San Diego, CA

www.corporatecompliance.org/academies

Take the Certified Compliance & Ethics Professional (CCEP)™ or Certified Compliance & Ethics Professional – International (CCEP-I)™

exam after you complete this intensive training session.

Learn more at www.corporatecompliance.org



More than 7,100 compliance professionalshold a Compliance Certification Board (CCB)® credential

Register now. Seats fill up fast.

Remaining

2014

Academy:

Dubai, UAE 14–17 December

Get Certified.Enroll Now.

scce-2014-academies-domestic-dec-cep.indd 1 11/10/14 2:57 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

SCCE NEWS

SCCE website newsContact Tracey Page at +1 952 405 7936 or email her at tracey.page @ corporatecompliance.org with any questions about SCCE’s website.

Find the latest SCCE website updates online · www.corporatecompliance.org

Get Connected

Find events onlineSCCE works to provide a variety of events for our members. There are Regional Conferences across the U.S., events catered to certain industries, Academies offered all over the world that focus on basic industry information, and our annual Institute event. Plus, we offer web conferences so you don’t even have to leave the office. All of these are available for browsing and registration on our website.

To view the events, log on to our website, corporatecompliance.org, and look under the Events tab. The events are organized by date and can be narrowed down by type of event. All of our 2015 onsite events are now available on the websites, and web conferences are added regularly.

Video of the MonthDo you need to attend an Academy to become certified?

Debbie Troklus, Managing Director, Aegis Compliance and Ethics Center, discusses what is needed for certification. http://bit.ly/sccevotm12

pinterest.com/ theSCCE

twitter.com/ SCCE

corporatecompliance.org/ google

facebook.com/ sccecorporatecompliance.org/

sccenet

[group] corporatecompliance.org/linkedin [company] corporatecompliance.org/li

youtube.com/ compliancevideos

Top pages last monthNumber of website visits last month

29,603Home Page Job Board EventsMy Account Past Conference Handouts

http://bit.ly/sccevotm11

http://bit.ly/sccevotm11

http://twitter.com/scce_news







Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

SCCE social media newsContact Kortney Nordrum at +1 952 405 7928 or email her at [email protected] with any questions about SCCE social media.

Find the latest SCCEnet updates online · www.corporatecompliance.org/sccenet

SCCE NEWS

LinkedIn — corporatecompliance.org/Linkedin

Join us on LinkedIn — a business-oriented network with more than 240 million active users. With more than 13,000 members, our LinkedIn group fosters more than 75 new discussion posts every week. Some recent highlights:

SlideShare — www.slideshare.net/thescce

We love sharing! Find informative and helpful presentations from every one of our conferences and presenters — free! Some recent favorites:

Twitter — www.twitter.com/scce

Join 11,300 others and follow SCCE for breaking news and insights. Recent favorite tweets:

Pinterest — www.pinterest.com/thescce

We’ve recently joined Pinterest! Check out our boards for FCPA, Compliance, Ethics, Compliance Videos, Privacy, Corporate Compliance & Ethics Week, The Lighter Side, and map-boards for our major conferences (highlighting local restaurants, sights, and things to do in each of our conference cities). Our infographics of the month and much more can all be found on our Pinterest boards.

3. Pinterest (www.pinterest.com/theSCCE): We’ve recently joined Pinterest! Check out our boards for FCPA, Compliance, Ethics, Compliance Videos, Privacy, Corporate Compliance & Ethics Week, The Lighter Side, and map-‐boards for our major conferences (highlighting local restaurants, sights, and things to do in each of our conference cities). Our infographics of the month and much more can all be found on our Pinterest boards.

4. Slideshare (www.slideshare.net/theSCCE): We love sharing! Find informative and helpful presentations from every one of our conferences and presenters—free. Some of our recent favorites include:



Social Media News – September 2014

1. LinkedIn (www.corporatecompliance.org/Linkedin): Join us on LinkedIn — a business-‐oriented network with more than 240 million active users. With over 13,000 members, our LinkedIn group fosters more than 75 new discussion posts every week. Some recent highlights include:

2. Twitter (www.twitter.com/SCCE): Join 11,300 others and follow SCCE for breaking news and insights. Here are some recent favorite tweets.



































Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

PEOPLE ON THE MOVE

· Elekta, located in Stockholm, has appointed Helene Vibbleus as new Chief Audit Executive and Caroline Mofors as Group Compliance Officer. Through both of these recruitments, Elekta continues to develop its Internal Audit and Compliance functions, while strengthening the group’s capacity for risk management and internal control. Helene and Caroline will report their observations and actions directly to the Board and Audit Committee.

· Susan Sujatha Lyall, Company Secretary, has been appointed as the Compliance Officer of Deltron Ltd in India in the Board Meeting held on September 17, 2014. She replaces Mrs. Kiran.

· Capella Healthcare in Nashville has announced the appointment of Angie L. Mulder as Corporate Compliance Officer. With more than 20 years of leadership experience in healthcare, Mulder began her career at Ernst & Young, where she was primarily assigned to healthcare audit clients, including HealthTrust.

· Gemological Institute of America, in Carlsbad, CA, has appointed Katherine Palmer Andrews as Vice President of Ethics and Compliance, a new position. Andrews has extensive experience developing compliance programs, including six years in chief compliance officer roles at General Electric Co. and in compliance positions at GE Transportation and Thomson Reuters.

PEOPLE on the MOVE

Received a promotion? Have a new hire in your department?If you’ve received a promotion, award, or degree; accepted a new position; or added a new staff member to your Compliance department, please let us know.It’s a great way to keep the Compliance community up-to-date. Send your updates to:

[email protected]

Add value for colleagues: Be an SCCEnet Guest Commentator · Post one discussion topic each day of the week.

Each daily topic should have one overarching theme.

· Respond to posts.

· Receive 10 live CCB CEUs for the entire week, or 2.0 per day.

Contact SCCE to learn more and get your guest commentator credentials


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

by Donna Boehme

BOEHME OF CONTENTION

The Anti-Bully Board Escalation Policy

Every CCO and compliance professional has run into a bully whilst trying to do their job well. The stories sound

remarkably alike. · Senior manager calls the CCO

onto the carpet and demands to know the confidential identity of a team member who has called the helpline, as well as the confidential details of the resulting investigation.

· Senior manager threatens to “investigate” the way the CCO has overseen an investigation.

· Head of Internal Audit demands changes in an investigation report before it is viewed by the compliance committee, to change the outcome in a manner that will benefit a protégé and himself.

My personal life policy when dealing with bullies is to do the exact opposite of what the bully is trying to make me do, on the time honored principle that, “BULLIES SHOULD NEVER WIN.” Where did this come from? Maybe it’s just my obstinate and stubborn nature. Or maybe my innate belief that a bully who is allowed to win will continue to practice bully behavior on other victims, so should never be thus encouraged or rewarded.

This is why every company needs to include in its Board Escalation Policy (You do have a Board Escalation Policy, right?), “Threats or attempts to intimidate or retaliate against the CCO or a member

of the compliance team are matters to be automatically escalated to the attention of the Board”. The beauty of nuclear weapons is that you rarely have to use them if everyone knows you have them, so the best protection for the Compliance function and the company’s compliance program is a well-known Board Escalation Policy.

And needless to say, any company or Board that is serious about compliance should have a good, well-known Board Escalation Policy that protects its Compliance function as well as ensures that certain high-risk matters and behaviors come to its immediate attention. Because every company has exactly the compliance program it wants.1 ✵

1. Donna Boehme: “In Love & Compliance: You Get What You

Want,” The Corporate Strategists Blog, April 16, 2014. Available at http://bit.ly/d-boehme

Donna Boehme ([email protected]) is Principal of Compliance Strategists and former Chief Compliance and Ethics Officer for two leading multinationals. Her full bio can be viewed here

bit.ly/donnaboehme @DonnaCBoehme

Boehme

My personal life policy when dealing with bullies is to do

the exact opposite of what the bully is trying to make me do, on the time honored principle

that, “BULLIES SHOULD NEVER WIN.”


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATUREFEATURE

Shin Jae Kim ([email protected]) is Partner at TozziniFreire Advogados in Sao Paulo, Brazil. She was interviewed in September of 2014 by Adam Turteltaub ([email protected]), Vice President of Membership Development at SCCE.

AT: Your law firm, TozziniFreire Advogados, was an early proponent of compliance programs in Brazil. What led the firm to establish the practice?

SJK: Since 1976, the inaugural year for TozziniFreire, the firm has distinguished itself as a full-service law firm by consistently providing legal services to Brazilian and international companies in a wide variety of

business sectors. In addition to our technical skills, we also hold a well-earned reputation as a trendsetter with innovative legal services for our clients.

In the late 1990s, we assisted a US company with a Brazilian subsidiary allegedly involved in a Foreign Corrupt Practices Act (FCPA) violation. This client came to us after having spoken to many lawyers, and was frustrated with the general perception in Brazil that the FCPA was not applicable here, due to questionable extra-territorial reach and because it was considered yet another US-centric creation. We at TozziniFreire felt that it was not only

Shin Jae KimPartner, TozziniFreire AdvogadosSao Paulo, Brazil

an interview by Adam Turteltaub

Meet Shin Jae Kim

mailto:[email protected]



Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

about the U.S., but rather a movement arising out of the opening of global markets and the rapid emergence of new global players, such as Brazil.

We worked on this project for years, and we created and successfully developed a practice group which was first named Corporate Reputation Management. While our new practice area was busy with new matters and clients, given the increase of actions by foreign regulators (as I will explain further), we also faced the need to assist our clients in identifying and minimizing their reputational and legal risks.

During this period of time, I met my dear friend Joe Murphy (an active member of SCCE) in Rio de Janeiro, and luckily, Joe introduced me to the Society of Corporate Compliance & Ethics (SCCE). This was the starting point for our firm to create a Compliance Practice Group, and it could not have been more successful.

In 2006, TozziniFreire formally joined SCCE, and I have been serving as an Advisory Board member of the SCCE and now also for the Health Care Compliance Association (HCCA).

In parallel, since the inception of our Compliance Practice Group, my team and I have been dedicating a significant amount of time to the development of the Compliance field in Brazil. Currently, our Compliance Practice Group is led by our three partners and six of our team members have certifications in CCEP/CCEP-I. Today, Brazil has more than 120 CCEP professionals.

I should also note that TozziniFreire is a pioneer in the implementation of its own compliance program.

AT: What kind of resistance, if any, did you see to establishing compliance programs?

SJK: Culture is probably the biggest issue in establishing compliance programs in Brazil. It is challenging to explain that the compliance program is not another “creation” from the parent company and that

it is good to play by the rules and to do the right thing to prevent liabilities and reputational damage. Companies in Brazil have to overcome the idea that compliance programs only create obstacles to their local operations. I should also mention that Brazilians are not used to the idea of “blowing

the whistle”, and it is a challenge to make employees understand that it is important for the company that they report suspected misconduct.

AT: I’m assuming that initially compliance programs were found exclusively in US and other multinational companies. Were there some companies or industry sectors in Brazil that were early adopters of compliance programs? It’s worth noting that Brazil has some very large businesses of its own that operate globally.

SJK: Subsidiaries of multinational companies doing business in Brazil were indeed the pioneers in adopting compliance programs in the country. But regardless of such influence, the Brazilian Financial Sector

FEATURE

I should also mention that Brazilians are not

used to the idea of “blowing the whistle”, and

it is a challenge to make employees understand

that it is important for the company that they report

suspected misconduct.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

took the lead in the adoption of compliance programs.

Although the concept of compliance was not as sophisticated, financial institutions embraced compliance as a result of the Basel Committee for Banking Supervision (BCBS), which was created in the 1970s and has built a strong and comprehensive culture of compliance.

AT: What are some of the mistakes you see global companies make when they set up compliance programs in Brazil?

SJK: A common mistake is for companies to use the same compliance program used abroad without paying attention to the peculiarities of Brazilian law. As an example, while facilitation payments are allowed by the FCPA, such payments may be considered bribes in Brazil.

Another mistake is to disregard culture and, in particular, language in implementing compliance programs. Codes of conducts from parent companies are often imposed upon Brazilian subsidiaries in English, and even if translated into Portuguese, we’ve seen cases where it’s translated, not into Brazilian Portuguese, but into Portuguese from Portugal, both of which can be quite different from one another.

The compliance program cannot be an imposition from abroad, especially without conducting a risk assessment to identify sensitive areas for the company in Brazil.

Global companies need to engage Brazilian employees in the culture of compliance and clearly explain the importance and benefits of the compliance program and what the company’s policy is, in particular, such as the main identified risks for the company and the employees.

Several actions that constitute violations of Brazilian laws and regulations are seen as regular course of business by Brazilian

employees, such as anti-competitive conduct and certain issues related to labor relationships. The effectiveness of a compliance program will, most of the time, depend on the ability to overcome an employee’s own perception of what is acceptable and what is not acceptable when doing business.

Therefore, it is vital for a compliance

program in Brazil to include constant and interactive trainings, tailor-made for sensitive departments and specific audiences. It is advisable to seek outside advisors to assist the companies in the risk assessment, review of the compliance programs, awareness discussion with top management, third-party compliance due diligence, etc.

AT: What are some of the factors that led more Brazilian companies to start compliance programs?

SJK: As of the 1990s, not only did the Brazilian market open up to foreign investment, but domestic companies listed themselves on American stock exchanges. Foreign companies doing business in

FEATURE

Several actions that constitute violations of Brazilian laws and

regulations are seen as regular course of business

by Brazilian employees, such as anti-competitive

conduct and certain issues related to labor

relationships.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Brazil brought in the concepts of corporate governance, and domestic companies struggled to adapt to the high standards of transparency and compliance demanded by its new foreign shareholders, clients and buyers, and commercial partners, and to keep up with the SEC regulation.

Following scandals involving large American companies, such as Enron and WorldCom, the enactment of the Cadbury Code in the United Kingdom, and the Sarbanes-Oxley Act in the United States, branches of UK and US companies doing business in Brazil focused their efforts to adjust their Brazilian subsidiaries to the new corporate governance climate.

This abrupt change in the corporate environment motivated Brazil to engage in the fight against corruption. Starting from the signing of three international agreements1 to undergo a complete political transformation and increase investigations of corruption schemes, the new scenario challenged Brazilian companies to change their corrupt practices and focus on effective anti-bribery measures.

Finally, the new anti-corruption law establishes that the company with an effective compliance program may receive a reduction of penalty in case of a violation.

AT: Recently, things changed dramatically in Brazil with the adoption of a new anti-corruption law. Can you explain the key elements of the law?

SJK: The new Anti-Corruption Law (aka, the Clean Company Act) provides for

administrative and civil liability for companies engaging in acts of corruption of public officials in Brazil and abroad, as well as illegal conduct in connection with governmental bid and governmental contracts.

Administrative penalties include fines up to 20% of the entity’s gross revenues or up to BRL 60,000,000 and the publication of the conviction in the media. Judicial penalties include suspension of activities of the legal entity, prohibition from receiving public incentives or subsidies for up to five years and, in more serious cases, the compulsory dissolution of the legal entity. The government

will also maintain a blacklist of condemned companies.

One of the key elements of the Anti-corruption Law is strict liability, which means that the company may be held responsible for actions which cause damage, regardless of any negligence or fault. Also, it provides for successor liability, as

well as joint liability of parent companies, controlled entities, affiliates, and joint-venture partners, limited to the payment of fines and full restitution for damages.

An innovation of the law, based on the successful experience of the Brazilian anti-trust authorities, is the provision of a leniency agreement. To be eligible for the leniency agreement, the corporation has to be the “first-in,” take prompt and effective action to terminate its participation in the illegal activity, confess to its participation in the violation to the Anti-Corruption Law, and to fully cooperate with the investigation. As a result, the corporation may receive a reduction of up to 2/3 of the applicable fine and may be

Administrative penalties include

fines up to 20% of the entity’s gross revenues or up to BRL 60,000,000

and the publication of the conviction in

the media.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

exempt from other types of penalties set forth in law.

A sensitive point pertaining to the leniency agreement is the lack of non-prosecution protection for the individuals, which may prevent corporations from applying for the leniency agreement when their board of directors or high-level executives are involved in the violations.

On the other hand, given the evolution of anti-trust enforcement and changes made in the legislation over the past years, it is expected that certain adjustments will likely to be made in the coming years.

AT: The law also provides incentives for compliance, correct?

SJK: The law sets forth that a compliance program will be taken into account by the authority when applying sanctions, but the parameters for assessing the compliance program will be determined in a separate regulation to be issued by the Federal Executive Branch.

The regulation is already drafted and pending executive order. The current forecast is that the executive order will likely not be issued until next year. The expectation is that there will not be a deviation from international best practices.

AT: And it should be noted that the Brazilian government was eager to learn about best practices in compliance. They even sent several people to the SCCE Academy

in Sao Paulo. What other business outreach was there?

SJK: This is the 5th year that the SCCE has had its Basic Compliance & Ethics Academy in Sao Paulo, and each year the attendance has been growing steadily. In fact, the number of participants in Sao Paulo was the highest ever for an Academy which took place outside of

the U.S., and included attendees from Brazil, the U.S., Argentina, Colombia, Chile, Germany, Finland, Peru, Mexico, and the Dominican Republic.

Many Brazilian and foreign multinational companies were represented at the Academy, as well as consultants, accountants, and lawyers. For instance, several members of Ernst & Young

attended the Academy in addition to a number of lawyers from various law firms, all of whom are seeking to take advantage of and ride the growing compliance wave in Brazil.

Many multinational companies are deciding to certify all compliance professionals. Consequently, despite the fact that the Academy is conducted in English, more than 300 professionals have already attended the Academy in Brazil.

AT: Now, one thing that may cause concern is that, under this law, not only can federal prosecutors investigate corruption, but local ones can as well. How should companies prepare for this potential eventuality?

SJK: Companies are in fact concerned about the decentralized jurisdiction

Many multinational companies are deciding to certify all compliance

professionals. Consequently, despite the fact that the Academy is conducted in English, more than 300 professionals have already attended the Academy in Brazil.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

established in the Brazilian law. In practice, it means that those applying penalties might be its own beneficiaries, potentially creating conflict-of-interests to start procedures and enforce the law.

The decentralization increases problems, such as the lack of expertise to identify violations, evaluate compliance programs, and impose proper sanctions, raising doubts on the investigative capabilities of such agencies and entities. Besides, it incentivizes a scenario which lacks transparency and consistency in the enforcement of the Anti-Corruption Law.

Handling a governmental investigation for any alleged violation will be a complex web of different authorities and proceedings. Therefore, the compliance team should work very closely with the legal team.

The good news is that the federal government is aware of this issue and is working on training many governmental agencies, and will issue the guidelines to assist relevant parties.

AT: Corruption grabs the headlines, but there are a lot of other risks companies face when doing business in Brazil. What are some that compliance officers should be aware of?

SJK: Anti-trust violations have been strongly enforced in past years and have been under intense media spotlight. With skyrocketing fines imposed on companies and officers, compliance officers should assess the existence of anti-trust risks and deal with them accordingly to prevent liability and

reputation issues for the company and its management.

Internal fraud has also been a concern for companies doing business in Brazil. Ranging from the payment of kickbacks to deviation of assets from the company, employee fraud has caused huge losses and should be taken into consideration when defining internal control procedures.

I should also mention labor relations, tax regulations, and environmental issues should be a point of attention. Violations on working conditions and labor laws may lead

to employees’ claims for damages, piercing the corporate veil and bringing negative impact to credit lines with the funds of the Brazilian Development Bank (BNDES).

AT: As large a market as Brazil is, it’s not the only one in the region. Colombia, for example, has been undergoing

a business renaissance. What are some considerations for compliance programs when operating elsewhere in the region?

SJK: Corruption is undoubtedly one of the major risks when doing business in Latin America. The excessive bureaucracy in Latin American countries is nurturing ground for “selling facilities.”

That being said, companies should pay special attention when using third parties, such as consultants, sales or customs agents, and other external third parties or business partners acting on behalf of the company. The Walmart allegations in Mexico are a

Violations on working conditions and labor laws

may lead to employees’ claims for damages,

piercing the corporate veil and bringing negative

impact to credit lines with the funds of the Brazilian

Development Bank (BNDES).


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

clear example of how devastating the lack of oversight on third parties can be in a Latin American country.

It is important for companies to toughen up due diligences on third parties to identify any red flags, such as unusual connections with public officials, unjustified high success fees or recommendation by a public official, lack of expertise, and reputation. Special attention should be given to any third party rendering services in connection with public officials who have a higher risk of being involved in corruption, such as tax inspectors, police officers, and customs agents.

AT: What are some best practices you’ve seen for compliance in Brazil and elsewhere in the region?

SJK: Overall, we are still developing best practices. Nevertheless, as compared to other countries in Latin America, Brazil can be considered the most advanced in terms of formulating best practices, particularly in the pharmaceutical industry, which has its own code of conduct. Other industry associations are also doing the same. In addition, we have an active community of compliance professionals who are open to sharing experiences, and many excellent events at which to learn and network. This movement will certainly contribute to the enhancement of the Compliance field in Brazil.

AT: I would be remiss if I didn’t note that your practice also includes business in Asia,

particularly Korea. Any advice for compliance officers managing a program there?

SJK: Korea revised the Capital Market and Financial Investment Act in 2014 and the Commercial Act in 2012, which now have a direct impact on compliance regulation. Both Acts require certain companies to have at least one compliance officer. The first refers to financial institutions; the second refers to companies with more than 500 billion won

(approximately $500 million US) in total assets.

Because of these revised laws, concerns and interests on compliance have been heightened quite a lot. For the last two years, companies (especially financial institutions) have hired many compliance officers. But since the position is new,

compliance officers have been involved with their respective businesses in different degrees and seem to be settling down in their roles within the company.

Similar to Brazil, Korean authorities have been focusing on the enforcement of anti-trust, tax, labor, privacy, and corruptions violations in the past few years.

AT: Thank you, Shin, for sharing your insights with us. ✵ 1. OECD’s Convention on Combating Bribery of Foreign Public

Officials in International Business Transactions, the United Nations’ Convention against Corruption, and the OAS’s Inter American Convention against Corruption.

Korea revised the Capital Market and

Financial Investment Act in 2014 and the Commercial Act in 2012, which now have a direct impact on compliance regulation.

Both Acts require certain companies to have at least

one compliance officer.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Walker

by Rebecca Walker

Embedding compliance and ethics (C&E) programs “in the business” has always been one of the bigger challenges

facing C&E programs and C&E professionals. Although the Compliance profession has long debated the appropriate positioning

of the chief ethics and compliance officer (CECO), regardless of to whom the CECO reports, the position is typically a corporate function, housed at headquarters. It is a perennial challenge to make compliance an everyday part of the business, in part in light of the central positioning of the function and the fact that the

function is typically very leanly staffed.Some organizations have had success in

extending the reach of their C&E programs through the use of C&E liaisons (CELs). CELs can also help localize C&E programs and can provide useful input to the C&E office regarding how the program is working “on

the ground.” A survey by the Corporate Executive Board in late 2012 found that 54% of responding companies use CELs, so this is an increasingly common practice.1 However, for many of those organizations that have created CEL positions, there continues to be room for learning what works best in this area. And many organizations are still considering whether to implement a CEL network, and, if so, how to structure it.

In attempting to create or enhance a CEL network, it is important to ensure that CEL responsibilities are adequately articulated; that CELs have adequate time, resources and accountability to perform their CEL responsibilities; and that the CEL structure has the appropriate level of support from senior leadership, in particular of those functions that CELs are part of. As part of the ongoing conversation regarding important characteristics of CEL networks and how best to structure them, what

Extending the reach of your program: Compliance and ethics liaisons

» Compliance and ethics liaisons have helped many organizations extend the reach of their C&E programs – both geographically and deeper into the business.

» Compliance and ethics liaisons help localize C&E programs.

» To create an effective compliance and ethics liaison network, the liaisons must have adequate time, resources, independence, and the authority necessary to fulfill their liaison responsibilities.

» Ideally, compliance and ethics liaisons will have readily‑available access to both the head of the relevant business unit and the CECO.

» Compliance and ethics liaisons should be given accountability for their performance of C&E responsibilities.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

follows is an exploration of various aspects, including: (1) common organizational structures; (2) who typically serves as CELs; (3) the amount of time CELs typically spend on C&E duties; (4) common CEL responsibilities; and (5) CEL training.

Organizational structureDepending on the size and diversity of the particular organization, CEL networks may be organized by business unit, by geography, or by business unit and geography. CEL networks are often structured along the same lines as other functions at an organization, such as the Legal and HR functions. This is logical both because it can help align CEL networks with company structure and culture, and because CELs are often drafted from these other functions.

With respect to geographical organization, CELs may be appointed for each country of operation or for geographic regions (e.g., Asia, Middle East/Africa, Western Europe, Eastern Europe), typically corresponding to the way in which the organization is geographically organized for business purposes. Because one of the primary purposes of a CEL network is to create “local” representation for the C&E program, CELs are typically physically located in the region or country that they serve.

Who serves as CELs?Because C&E is often a very leanly-staffed function, CELs are often also members of other compliance-related functions, such as Legal, HR, Internal Audit, or Finance. Such

positions are natural candidates for CELs, because their existing job responsibilities typically include CEL-type duties, such as training, audits, and conducting investigations. However, some organizations appoint CELs from operations. When organizations appoint CELs from operations or the business, they tend to be high-potential employees who are appointed as CELs for a fixed (e.g., two-year) term in order to allow the individual to “rotate” through a C&E position.

This can be a helpful way to create greater C&E traction in the business more generally.

Several considerations are important to determining who at an organization should serve as CELs. First, CELs obviously need to have an adequate amount

of time and resources to satisfy their CEL responsibilities. If members of the business simply would not have the ability to spend time focusing on CEL responsibilities, it likely makes sense to look elsewhere to fill these positions. Second, CELs need an appropriate level of independence and authority to be able to perform their job responsibilities. For example, if CELs will be responsible for conducting investigations, they need to have access to documents and witnesses without intervention, and to make determinations free of any inappropriate influences. The same requirements hold for conducting C&E audits and assessments.

Another important factor in determining the identity of CELs is the position of the potential CEL within the business unit that he/she will serve. Just as the appropriate

Depending on the size and diversity of the particular organization, CEL networks may be organized by business

unit, by geography, or by business unit

and geography.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

positioning of the CECO is critically important to the ability of that position to function effectively, a CEL needs to be positioned appropriately in order to be effective. Ideally, the CEL will have readily-available access to both the head of the business unit that he/she serves and to the CECO.

Full- or part-timeCELs typically serve in their C&E roles on a part-time basis. In a benchmarking survey of a dozen organizations with CEL networks (conducted by Kaplan & Walker LLP last year), the majority of participating organizations reported that part-time CELs spend between 15% and 20% of their time on CEL responsibilities, although some organizations reported that part-time CELs spend as much as 60% of their time on compliance. In addition, depending on the size and level of complexity of the particular business, some organizations have some full-time CELs, instead of or in addition to part-time CELs.

In the Kaplan & Walker benchmarking study, one of the factors that respondents denoted as most challenging in implementing an effective CEL network is ensuring that CELs have the time necessary to perform their CEL responsibilities. Obviously, the amount of time required of CELs will vary with their responsibilities, but, because this is often a “second job” for CELs, it is critically important that organizations proactively ensure that CELs have the time necessary to satisfy their CEL responsibilities.

C&E influenceFor most organizations, CELs report directly to their functions (e.g., Legal, HR) or the business, with a dotted-line reporting relationship to the C&E office. For some organizations, this means that the C&E office has no input into a CEL’s performance evaluation. Because CEL responsibilities are often a second job, when the CEL’s responsibilities do not configure in a CEL’s performance evaluations, there is

an obvious negative impact on effectiveness. Many organizations have long experienced this same phenomenon when using non-C&E functions to perform C&E investigations. When C&E is not able to provide feedback regarding the performance of investigations, it can result in the

investigations’ not being given priority in time or quality.

However, at some organizations, the CECO or the enterprise-wide C&E committee does provide input into the CELs’ performance evaluations, and at other organizations, the local C&E officer (as opposed to the enterprise-wide CECO) or local C&E committee provides input. At one organization that participated in Kaplan & Walker’s benchmarking survey, the local C&E committees (of which the CELs are the members) have a dotted line to the enterprise-wide C&E Committee, and are required to produce the minutes of their meetings to that committee, but the CELs do not have any individual reporting obligations to the C&E Office. However it is achieved, it is important to create some level of accountability for CELs with respect to their performance of C&E responsibilities.

For most organizations, CELs

report directly to their functions (e.g., Legal, HR) or the business, with a dotted-line

reporting relationship to the C&E office.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Duties and responsibilitiesTo help ensure effectiveness, CELs should be provided with clearly articulated, documented responsibilities for their C&E roles. Based on the benchmarking survey referenced above, CEL responsibilities typically include some or all of the following:1. Assisting in and contributing to the risk

assessment process;2. Advising on the creation and distribution

of the code of conduct, company policies, training, and communications;

3. Providing training and communications to employees;

4. Tracking employee C&E training and certifications;

5. Serving as a resource to address business conduct questions within their area of responsibility;

6. Determining conflicts of interest and/or gifts and entertainment pre-approval or waiver decisions;

7. Receiving allegations of violations of the code of conduct and other allegations of non-compliance;

8. Escalating allegations to the enterprise C&E office as appropriate;

9. Conducting and/or overseeing C&E investigations, including tracking completion;

10. Determining or advising on disciplinary decisions when violations are determined to have occurred; and

11. Reviewing the effectiveness of the C&E program within their area of responsibility and suggesting modifications and improvements to the program.

With respect to tasks such as assisting in and contributing to the risk assessment process, CELs obviously need to be guided in their contributions. C&E offices should prepare and provide explicit instructions to CELs to ensure effective contributions to such projects.

Some organizations have created websites that contain a variety of resources for use by CELs, such as sample communications, guidelines on conducting investigations, FAQs regarding company policies, etc.

Training and practice sharingMany organizations train CELs upon initial appointment. Training may be conducted via teleconference, videoconference, or face to face. Some organizations host annual CEL training conferences, where CELs gather in person for a day or up to several days to learn and share practices. In addition, some organizations host periodic (e.g., quarterly) video or teleconferences for CEL training, practice sharing, and question and answer sessions. At some organizations, a member of the C&E department makes periodic visits to the CELs to assist them in their responsibilities and provide them with ongoing training. Some organizations also encourage CELs to become active in the C&E community and attend C&E conferences. And, as noted above, many organizations also provide CELs with materials that guide them in their roles.

ConclusionCELs can serve an important role in extending the reach of a C&E program to an organization’s different geographies and businesses. The C&E profession continues to advance our understanding of how to structure a CEL network effectively, but if CELs are provided with clear and detailed responsibilities as well as the resources, authority, and independence required to conduct their duties effectively, CELs can add a tremendous amount of value to C&E programs. ✵

1. Abbott Martin: “Four Traits of Leading Compliance and

Ethics Programs.” March 5, 2013. CEB Blogs. Available at http://bitly.com/four-traits

Rebecca Walker ([email protected]) is a Partner at the law firm of Kaplan & Walker LLP, in Santa Monica, CA and Princeton, NJ.

These days there’s no shortage of information, but sifting through it can be an overwhelming task. When legal and compliance professionals need help, they turn to Kroll – the market leader for due diligence and compliance solutions.

We offer services at various levels to help you focus your attention in the right places:

Screening and Due Diligence

Transaction Due Diligence

Compliance Program Consulting

Compliance Technology

Anti-Money Laundering and Know Your Customer (KYC) Compliance

Anti-Corruption Compliance (FCPA, UK Bribery Act)

Supplier Diversity

© 2014 Kroll. All Rights Reserved. Certain Kroll companies provide investigative services. See www.kroll.com/licensing for state licensing information.

Contact Kroll for more information:Americas: + 1 212.833.3208 | EMEA: +44 (0)20 7029.5136 | APAC: +65 6645.4950

kroll.com

It’s not what you look at that matters, it’s what you see Henry

David Thoreau


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

ALASKA · Robin Fowler, Tanana Chiefs Conference · Dorothy Pickles, Akeela, Inc.

ARKANSAS · Jennifer Pope, Walmart Stores, Inc. · Matt Pope, Wal‑Mart Stores, Inc.

CALIFORNIA · Emily Behr, Pacific Gas and Electric Company · John Christian, Illumina, Inc. · Marianne Cocard‑Aikawa, Pacific Gas and Electric Company

· Kathleen Collins, Black Knight Financial Services · Brian Crumbaker, Goldline, LLC · Cliff Gleicher, Pacific Gas & Electric Company · Blair Harris, Goldline, LLC · Douglas Harris, Oracle · Meredith Lorentzen, Allergan · Anna Mack, Allergan · Manish Mudgal, HP · Sadie Sayyah, Goldline, LLC · Neil Smithline, NMA/Mercer · Eric Wong, The Pasha Group

COLORADO · Alexandra Medina, Black Knight Financial Services · Jane Rosenthal, Colorado School of Mines

CONNECTICUT · Kimberly Tabb, Prudential

FLORIDA · Chuck Attal, TECO Services Inc · Ana‑Paola Capaldo, Laureate Education, Inc. · Darren Chiappetta, Darden Restaurants · Gena Coursen, Black Knight Financial Services · Lewis Dunton, Fidelity National Financial Inc – Corporate Compliance

· Judy Estren, Compliance & Contract Management Group, LLC

· Daryl Finkelman, Verio Inc. · Gilbert Gaveau, Amadeus North America Inc. · Geoffrey Litchney, Black Knight Financial Services · Mitchell Nixon, TransUnion · Elizabeth Reilly, Fidelity National Inc · Katie Schmidt, Fidelity National Inc · Susan Scott, BBA Aviation USA, Inc. · Megan Wilson, Fidelity National Inc

GEORGIA · Jeremy Farmer, Altisource · Erin Harris, Colonial Pipeline Company · Diane Serzega, Kimberly‑Clark Corporation · Deborah Zink, Andritz (USA) Inc.

IDAHO · Joanna Allen, Idaho National Laboratory · Johanna Hale, J.R. Simplot Company · Stephanie Pickett, Idaho National Laboratory

ILLINOIS · Bryce Harris, Universal Gaming Group · Theodor Hengesbach, City of Chicago Office of Inspector General

· Kathleen Kramer, Pierce & Associates, P.C. · Aaron Marshall, Medline Industries, Inc. · Kristi Nelson, Chen Nelson Roberts Ltd. · Nickolas Schad, Pierce & Associates, P.C.

INDIANA · Tabitha Meier, Hillenbrand, Inc.

LOUISIANA · Deborah Foshee, Jefferson Parish

MAINE · Rebecca Gervais, IDEXX Laboratories, Inc.

MARYLAND · Ayodele Oseni, Keller Foundations · Clifford Rogers, Department of Defense · Gwen Romack, Hewlett‑Packard

MASSACHUSETTS · Shay Atar, Boston College · Bob Jordan, OSRAM Sylvania · Victoria Riemer Gilmore, Energy Services Group · Garrett Scheck, Santander Bank, N.A.

MICHIGAN · Deanna Malczewski, Fiat Chrysler Automobiles · Greg Zigulis, Sixth Sense Safety Solutions, LLC

MINNESOTA · Bob Fischer, IT Companies · Donald Franke, Compliance and Commercial Consulting · Erbayne Jarvis, The Law Office of Erbayne W. Jarvis · Kristi Lahti‑Johnson, Hennepin County · Nicholas Meinen, Xcel Energy · Jackie Romano, Digital River, Inc. · Louis Thayer, Minnesota Department of Human Services

MISSISSIPPI · Julie Gresham, Huntington Ingalls Industries, Inc.

MISSOURI · Heather Findley, Washington University‑St Louis · Lucie Huger, Greensfelder, Hemker & Gale, PC · Crystal Rhodes, The Boeing Company

SCCE welcomes NEW MEMBERS


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

NEBRASKA · Chris Bacon, Cabela’s Inc. · Megan Belcher, ConAgra Foods

NEW HAMPSHIRE · Marion Hanson, Black Knight Financial Services

NEW JERSEY · Yolonda Baker, Ortho Clinical Diagnostics · George Henein, United Nations · Valerie Workman, Realogy Franchise Group

NEW YORK · Timothy Hedley, KPMG LLP · Benson Martin, Empire State Development · Lisa White, Excellus · Diane Young, Sojitz Corporation of America

NORTH CAROLINA · Susan Burgess, University of North Carolina at Charlotte · Marty Griffin, Clariant Corporation · Ericka Kranitz, Duke University · Alan Roberts, Chiesi USA, Inc.

OHIO · Dean Boland, ComplyUS, LLC · Susan George, The J.M. Smucker Company · Julie Thomas, Ohio National Life Insurance Co

PENNSYLVANIA · Anthony Cerbone, Teva Pharmaceuitcals · Jessica Nayden, EQT Corporation · Carol Roney, Precyse Solutions · Robert Talley, Johnson Matthey, Inc. · Barbara Triolo, Johnson Matthey, Inc.

SOUTH CAROLINA · David VanGieson, Piedmont Natural Gas

TENNESSEE · Ryan Wettergren, Alere

TEXAS · Eric Christopher, Signet Jewelers · John Dillon, KPMG, LLC · Rachel Fox, HP · Eric Hinton, 7‑Eleven, Inc. · Linda Nash, HP · Stephen M. Naughton, Kimberly‑Clark Corporation · Darla Wade, University of Texas at Dallas · James Walker, FF Properties LLC

UTAH · Lori Midgley, HealthEquity

VIRGINIA · Sean Dent, Federal Housing Finance Agency · Raymond Ho, Old Dominion University · William Krayer, Thundercat Technology · Jessica Mungle, Tredegar Corporation

WASHINGTON · Elizabeth Cherry, University of Washington · Nicole Goodman, Western Washington University · Sassa Kitka, Sealaska · Elizabeth Schutt, The Boeing Company · Gunars Turaids, The Boeing Company · Craig Watson, Port of Seattle · Dave Young, The Boeing Company

DISTRICT OF COLUMBIA · Rabiya Hirji‑Young, Dickstein Shapiro LLP

BRAZIL · Luciana Barbosa, HP · Yeda Couri, T‑Systems do Brasil Ltda. · Fernando Granzote, Bridgestone do Brasil Ind. e Com. Ltda. · Raul Neto, Ernts & Young · Pyter Stradioto, Embraer S/A · Leonardo Veras, Hidrovias do Brasil S.A.

CANADA · Kirsten Merryweather, Alberta Gaming and Liquor Commission

· Bernadette Gabriel, EY PII Services Limited

FRANCE · Philippe Montigny, ETHIC Intelligence

PAKISTAN · Muhammad Talib Uz Zaman, Center for International Private Enterprise

SINGAPORE · Saypeng Foo, Avnet

SWEDEN · Mikael Eliasson, TeliaSonera AB

UNITED ARAB EMIRATES · Neeraj Bhaskar, Abu Dhabi Company for Onshore Oil Operations

· Clemencia Bright, Pepsico International · Shada Eymech, PepsiCo International

UNITED KINGDOM · Alyson Corrigan, Tate & Lyle PLC · Ashley Ratcliffe, Apollo Group Inc

VIRGIN ISLANDS (U.S.) · Joy Penn, Virgin Islands Economic Development Authority · Kyle Thomas, Virgin Islands Economic Development Authority

· Stephanie Berry, Virgin Islands Economic Development Authority

· Ayanna Romney, Virgin Islands Economic Development Authority


7,100+ compliance professionals hold a Compliance Certification Board (CCB)® credential

Plan now to take a CCEP certification exam after you complete this intensive training


San Francisco, CAFebruary 9–12, 2015

Las Vegas, NVMarch 9–12, 2015

Orlando, FL April 27–30, 2015

Scottsdale, AZ June 8–11, 2015

New York, NYAugust 10–13, 2015

Chicago, ILSeptember 14–17, 2015

Las Vegas, NVOctober 19–22, 2015

Orlando, FLNovember 16–19, 2015

San Diego, CANov 30–Dec 3, 2015


from the Society of Corporate Compliance and Ethics®

2015

scce-2015-academies-domestic-1pgad.indd 1 10/9/14 4:22 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Taking compliance programs to the next level: Using business processes » The seven elements of a compliance program create an integrated business system.

» Applying process‑oriented principles to how we design and manage compliance programs has the potential to increase their effectiveness.

» Ranking the chronological order of the seven elements will help you devise a master compliance process.

» A strength or weakness in any step will similarly affect the steps that follow it.

» Implementing a master process based on the principles discussed above is largely a matter of planning and scheduling.

King

by Deena King

Anyone who has been in the compliance business for any amount of time knows that the primary

framework for establishing a compliance program is comprised of the seven elements found in Chapter 8, Part B, Section 2.1 of the

Federal Sentencing Guidelines (FSG §8B2.1). When I first began my work in Compliance, the compliance officer I worked with always introduced these elements to organizational compliance managers as a master process.

The more I grew in the industry, the more I realized how brilliant

a “master compliance process” was for one simple reason—the seven elements are not mutually exclusive but interrelated. Most of the elements either: (1) require or produce information that is (2) produced or required by other elements. In other words, each element does not stand alone. In reality, the elements of a compliance program create an integrated business system.

If you go online, you can find several images and models for “compliance process” so I am not alone in this understanding. Many compliance leaders recognize the benefits of adopting a master compliance process that is wholly compatible with the FSG’s seven elements.

This article will review a few possible ways of incorporating business process techniques into compliance programs. The focus will be at the governance level, but this concept also applies at division/department

The more I grew in the industry, the more I realized

how brilliant a “master compliance process” was for

one simple reason—the seven elements are not mutually exclusive but interrelated.


7,100+ compliance professionals hold a Compliance Certification Board (CCB)® credential

Plan now to take a CCEP certification exam after you complete this intensive training


San Francisco, CAFebruary 9–12, 2015

Las Vegas, NVMarch 9–12, 2015

Orlando, FL April 27–30, 2015

Scottsdale, AZ June 8–11, 2015

New York, NYAugust 10–13, 2015

Chicago, ILSeptember 14–17, 2015

Las Vegas, NVOctober 19–22, 2015

Orlando, FLNovember 16–19, 2015

San Diego, CANov 30–Dec 3, 2015


from the Society of Corporate Compliance and Ethics®

2015

scce-2015-academies-domestic-1pgad.indd 1 10/9/14 4:22 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

levels. The following paragraphs will provide rationale for this approach as well as give an overview of the benefits of a master compliance process.

First, let’s quickly review the seven elements often presented as the foundation of an effective internal compliance program:1. Implementing written policies,

procedures, and standards of conduct.2. Designating a compliance officer and

compliance committee.3. Conducting effective training

and education.4. Developing effective lines of

communication.5. Conducting internal monitoring

and auditing.6. Enforcing standards through well-

publicized disciplinary guidelines.7. Responding promptly to detected

offenses and undertaking corrective action.1

Now let’s shake things up a little by asking one question: Are there any items on this list that cannot be started (or updated) unless another item is finished first? For example, what do we need to know before we can write policies and procedures? Or, do any elements need to be in place before we can begin auditing and monitoring? Yet again, what information is required before disciplinary action can be taken?

What these questions help us recognize is that buried in the seven elements is a business process. At its most fundamental, business process helps units, departments, and companies get things done (i.e., “Before we can do this, we have to do that, etc.”). Business process can work to the advantage of compliance professionals by helping us put order to what can often be cluttered and disorganized. In short, applying process-oriented principles to how we design and

manage compliance programs has the potential to increase their effectiveness.

Before getting into a couple of possible ways the elements contained in the FSG can be formed into a master compliance process, let’s do a short exercise. Below are seven quotes taken directly from FSG §8B2.1. For this exercise, please keep in mind the idea that certain items on this list need to be completed before other items. There is no right answer—this is just an opportunity for you to begin thinking in terms of what process might work best in your organization. Once you have made your choices, I will present one possible way to organize these elements into a basic master compliance process.

Instructions: In the box on the left, rank each item based on what you believe should be finished first, then second, then third, and so on.

Auditing/Monitoring: Ensure that the organization’s compliance and ethics program is followed; Monitoring and auditing to detect criminal conduct; Evaluate periodically the effectiveness of the organization’s compliance and ethics program. (§8B2.1.b.5.A-B)

Policies/Procedures: The organization shall establish standards and procedures to prevent and detect criminal conduct. (§8B2.1.b.1)

Compliance Organization: Governing authority shall be knowledgeable and shall exercise reasonable oversight; High-level personnel of the organization shall ensure the organization has an effective compliance and ethics program; Specific individual(s) within the organization shall be delegated day-to-day operational responsibility; Exercise of due diligence. (§8B2.1.b.2.A-C & 3)


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Change/Improve: After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program. (§8B2.1.b(7))

Requirements/Risks: The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement. (§8B2.1.c)

Communication/Training: Communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals by conducting effective training programs and otherwise disseminating information. (§8B2.1.b.4.A&B)

Implementation: [The organization’s] compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. (§8B2.1.a.2)

Congratulations! You have just created your first master compliance process. By pondering what order each of the above should be completed, you now recognize the value of process.

As mentioned above, there is really no right or wrong answer. While some elements definitely need to be completed before others can even be started, if you think the “Governing authority shall be knowledgeable…” should come before “The organization shall establish standards and

procedures…” then that is what will work best for your program.

Below is a short discussion of a one possible way the above elements could be organized in an effort to create an orderly, effective master compliance process. This discussion is followed by an overview of three currently published master compliance processes.

A basic master compliance processThe following seven steps outline one possible way to organize program elements into a basic master compliance process. This example will help give you an idea of how applying process might work in your own organization.

Step 1: Identify requirements/risks (§8B2.1.c)The foundation of any business process is the objective. All business processes exist for a reason or purpose. When it comes to compliance, the objective is to be compliant with all relevant requirements of all relevant laws and regulations. To accomplish this objective two things are required: (1) you must know what legal/regulatory requirements you are required to comply with; and (2) you must know which of these pose the greatest risk to your organization. Item 2 will help focus limited compliance resources towards areas of high risk. The end result of Step 1 is a complete inventory of an organization’s compliance risks and requirements. This information is vital to the success of Steps 2 through 7.

Step 2: Compliance organization (§8B2.1.b.2.A-C & 3)A key component of any business process is who—who is responsible to manage and/or administer that process? Once compliance requirements are identified and risks are assessed, someone must do something with this information. That is one of the primary


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

reasons the Federal Sentencing Guidelines require a compliance organization that includes personnel from throughout the entity.

As most compliance professionals already know, a compliance organization has multiple levels: governance, high-level, and operations. Governance leaders oversee, high-level executives and managers administrate, and operational personnel “do.” Here is why Step 1 provides valuable information for Step 2. The core competencies of each of these people are different. For example, the skills required to oversee, administer, and operate an Equal Employment Opportunity (EEO) compliance program will be different than those required for an Environmental Protection Agency (EPA) program, a Federal Energy Regulatory Commission (FERC) program, a Sarbanes-Oxley (SOX) program, or a corporate-wide program. Knowing and understating compliance risks and requirements helps leaders determine who should oversee, administer, and manage those requirements.

Step 3: Policies/Procedures (§8B2.1.b.1)One of the key requirements of a moderately mature business process is that it be documented. A common maturity term is “defined.” Yes, it can be argued that a process can be “established” without being “documented.” However, if an auditor or regulator asks to evaluate your compliance program, you cannot prove that standards,

policies, and procedures have been established unless they are documented.

Many leaders, managers, and front-line personnel often push back on documentation because it can be arduous and time-consuming. But, these efforts are worth it. In the end, everyone will understand their

responsibilities and duties and will have a place to go if there are ever questions regarding what should be done in specific circumstances. Thus, documentation is at the heart of a well-functioning compliance process.

One way to look at this step is as a translation phase. This is where all the

legalese of laws and regulations is translated into standards, policies, and procedures that can be understood and carried out by non-legal personnel. Step 1 provides the laws and regulations that need to be translated and Step 2 designates who will do the work of Step 3.

Step 4: Communication/Training (§8B2.1.b.4.A&B)Communication and training are among the most significant components of a business process, because a documented process that no one knows about or is trained how to use is almost worthless. Thus, the communication and training of information created in Step 3 are key for any effective compliance and ethics program. In addition, how can you communicate and/or train organizational personnel on policies and procedures that have not been established yet?

Communication and training are among the most significant

components of a business process, because a

documented process that no one knows about or is trained how to use is

almost worthless.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Most regulatory requirements include a communications and training component. They require an organization to periodically communicate standards and procedures using training or other means such as newsletters, speeches, emails, etc. Essentially, this element requires that all employees and agents of an organization, from the Board down to contractors and agents, be made aware via communication and/or training of the elements of compliance and ethics that affect them.

Step 5: Implementation (§8B2.1.a.2)Business processes are not just paper exercises—they are meant to be carried out, executed, and/or accomplished. A statement that supports this idea comes from one of the FERC compliance guidelines: “It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance.”2 A perfectly designed compliance and ethics program will be the equivalent of a paper tiger if it is not implemented. Implementation includes promotion and enforcement. And how can a compliance program be implemented and enforced if it has not yet been designed (Step 3) and employees have not yet been trained and/or informed (Step 4)?

Step 6: Auditing/Monitoring (§8B2.1.b.5.A-B)A hallmark of maturity in a business process is measurement. The FSG embody this by requiring that an institution “evaluate the

effectiveness of the organization’s compliance program.” FERC and other regulatory agencies have similar requirements. This requires an evaluation of the overall compliance program and individual programs to ensure all the components of an effective program are in place and functioning. This process is sometimes referred to as program

evaluation and would include evaluating how Steps 1 through 7 are working. Once again, how can a program be evaluated and compliance systems be monitored and/or audited if it is not already in place (Steps 1-5)?

Step 7: Change/Improve (§8B2.1.b(7))

The most effective business processes recognize the importance of improvement. After a process has been designed, implemented, and evaluated, changes are often necessary to fix what is not working or improve what is working. The term for incorporating ongoing changes into a process is continuous improvement. Continuous improvement as a modern discipline can be traced back to the work of Dr. J. Edward Deming, a famous quality expert who designed a highly effective technique that serves as a practical tool to carry out continuous improvement in the workplace. This technique is called the PDCA Cycle. PDCA is an acronym for Plan, Do, Check, and Act.

Thus, Step 7 represents “acting” on what was learned after checking (Step 6). Continuous improvement is all about making changes that will help the compliance process

A hallmark of maturity in a business process is measurement. The FSG

embody this by requiring that an institution

“evaluate the effectiveness of the organization’s

compliance program.”


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

become more and more effective. Once monitoring, auditing, and evaluation have occurred, one or more of the areas of the compliance and ethics program may need to be modified in order to improve the program as a whole.

Putting it all togetherA basic master compliance process that includes the elements discussed above might look like figure 1.

You will notice this diagram does not represent a perfect cycle. This is because the changes required as a result of Step 7 (Change/Improve) may need to be made anywhere in the process. For example, maybe a legal requirement was missing or unknown (Step 1), a newsletter contained incorrect information (Step 4), or an enforcement process needs to be fine-tuned (Step 5).

In addition, this figure helps us recognize a domino effect. A weakness in Step 3 can subsequently weaken Steps 4 and 5; a weakness in Step 2 can weaken Steps 3 through 5, etc.

Some examples of master compliance processesWhat follows is a short discussion of three existing master compliance processes. Many more are out there, but this is a good sample of how others have adopted master compliance processes.

Agile Product Governance and ComplianceOne example comes from a company called RapidFlow Apps. This company has designed an application add-on that allows “companies to manage product policies and use [a] built-in compliance framework.” This module uses a 5-step compliance master process illustrated in figure 2.3

As illustrated, this company promotes and uses a 5-step master compliance process:1. Define regulatory compliance objectives.2. Track compliance relative to and based

on requirements.3. Calculate compliance, (i.e. determine if the

data has passed/failed).4. Report compliance to entity leadership.5. Manage compliance by making changes

where necessary.

è

èè

èè

è

èèèè

Change/Improve

Requirements/Risks

Auditing/Monitoring

Implementation Communication/Training

Compliance Organization

Policies/Procedures

Figure 1. A Basic Master Compliance Process

è

è

è

è

è

Define

Manage

Report Calculate

Track

Figure 2 – Agile Product Governance and Compliance Process


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Janco Associates, Inc.A second example comes from Janco Associates, Inc. This company has distilled compliance program requirements into a 4-step master process. These steps are outlined in figure 3.4

These four steps include:1. Define: Document how the company will

comply by establishing policies and rules.2. Discover: Determine whether or not the

company is in compliance through regular audits/reports.

3. Evaluate: Based on what is learned during discovery, determine where the greatest compliance risks are.

4. Remediate: Correct the compliance policies and rules that need to be changed based on discovery and evaluation.

Compliance in One PageOne final example is the recently published approach, Compliance in One Page5 (See figure 4).

This particular process is very similar to the basic process discussed above. However,

one additional element has been added—leadership and corporate culture, because leadership and corporate culture together represent two key components that can make or break an entire compliance effort. In other words, great leadership can be the catalyst that creates and upholds a culture of compliance. On the other hand, poor leadership can be the catalyst that creates and encourages a culture of non-compliance—as seen by the well-documented failures at Enron, Arthur Anderson, WorldCom, and others.

This is why figure 4 uses a “cloud” or “water” to surround each and every component of the Compliance in One Page process. The color blue was used as a symbol because leadership and corporate culture are like the air we breathe or the water to a fish. It is all around us in everything we do, see, and hear in our organizations. Both set the tone for compliance and ethics.

Implementing a compliance master processImplementing a master process based on the principles discussed above is largely a matter of

Figure 4 – The Compliance in One Page Master Process

èè

è

è

Define: Policy and Rules

Remediate: Correct

Evaluate: Risk Assessment

Figure 3 – Janco Associates, Inc. Compliance Master Process

Discover: Audit and Report


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

planning and scheduling. One method might be a basic annual action plan that includes the following elements:

· What · Who · Deliverable · Due Date · Status

For Step 1, Identifying Risks and Requirements, a basic action plan might look like this:1. What: Conduct an annual inventory of laws

and regulations that affect the organization. Who: Chief Compliance Officer Deliverable: Compliance Inventory Due Date: January 31, 2015 Status: [A brief discussion of the status of this task]

2. What: Once the inventory of laws and regulations is complete, do a risk assessment that ranks which of them could most negatively impact the organization. Deliverable: A list of the high, medium, and low compliance risks facing the organization Who: Chief Compliance Officer Due Date: February 28, 2015 Status: [A brief discussion of the status of this task]

Similar steps could be designed for steps 2-7. Another option is to organize these steps in an “action plan” table with Who, What, etc. as column headings.

ConclusionToday the requirements placed upon compliance professionals are numerous. The amount of data that needs to be understood, the people that need to be informed, and the monitoring involved can be overwhelming. However, getting organized can help—particularly using a technique that takes into account the process-oriented characteristics of compliance programs. Applying business process techniques to compliance can give an entity some of the tools it needs to design and implement a healthy, well-controlled, continuously improving internal compliance and ethics program. ✵ 1. OIG Health Care Fraud Prevention and Enforcement Action Team

(HEAT):“Health Care Compliance Program Tips.” Available at http://bit.ly/Comp-101-tips

2. Federal Energy Regulatory Commission: 2008 Policy Statement on Compliance, Docket No. PL09-1-000. October 2008. Available at http://bit.ly/whats-new-comm

3. RapidflowApps: “Oracle Agile PLM and MDM.” Available at http://bit.ly/rapidflowapps

4. Victor Janulaitis: “10 Corporate Compliance Best Practices.” Janco Associates blog, November 23, 2012. Available at http://bit.ly/e-janco

5. Deena King, Compliance in One Page, 2014. More at http://bit.ly/pureknow

Deena King ([email protected]) is the Managing Principle of Pure Knowledge Consulting, LLC in Salt Lake City, UT and Las Vegas, NV.

purekcllc.com @Compliance1page bit.ly/in-DeenaKing

Thank You!Has someone done something great for you, for the Compliance profession, or for SCCE?If you would like to give recognition by submitting a public “Thank You” to be printed in Compliance & Ethics Professional, please send it to liz.hergert @ corporatecompliance.org. Entries should be 50 words or fewer.


http://www.purekcllc.com


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

As someone who has performed compliance functions in both the private sector and the public sector,

I can assure you that many, if not the vast majority, of the compliance activities in either environment are the same. Large

organizations, whether they are public or private, are going to be subject to waste, fraud, poor internal controls, inadequate oversight, unethical behavior, and the multitude of other compliance deficiencies we compliance professionals see on a regular basis. However, upon close scrutiny, it is clear that governmental

compliance officials operate in a unique landscape that calls for unique tools. Frankly, the uniqueness in constructing a compliance plan at a governmental entity, in my opinion,

calls for specialized training and possibly unique certification to recognize that training.

Federal Sentencing Guidelines for OrganizationsSignificant evidence shows that the recent growth in compliance and ethics programs in

A unique environment: Compliance for government organizations » Governmental entities should set an example for those they regulate and develop programs that will better safeguard taxpayer’s funds.

» The value of a compliance plan may be consistent regardless of the organization type, although clearly working in a governmental agency is very different from working in the private sector.

» As governmental administrations change, the whole overlay of senior management also changes. Short tenures impact enterprise compliance in a variety of ways, including employee morale and engagement.

» Governmental bodies have been less receptive to creating compliance functions, in part, because of the specific challenges that resonate with those working in government.

» There is a need for a group of government compliance professionals to look at areas where training might be prepared that would focus on compliance in a government setting.

Gray

by Gregory Gray

As someone who has performed compliance

functions in both the private sector and the public sector, I can assure you that many, if not the vast majority, of the

compliance activities in either environment are the same.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

corporations tracks closely with the passage of amendments to the Federal Sentencing Guidelines for Organizations (FSGO) 1 However, even though the FSGO includes governmental bodies in the definition of organizations, we still don’t see a similar increase in compliance offices in the public sector. Irrespective of coverage in the FSGO, the elements of a robust compliance program are valuable to any organization. I’m sure each of us remembers the seven essential elements of a compliance plan:

· Standards and Procedures

· Oversight · Education and

Training · Monitoring and Auditing · Reporting · Enforcement and Discipline · Response and Prevention

The seven essential elements of a compliance program transcend organizational type. Frankly, one would expect that governmental entities, which have a responsibility for the regulation of others, would themselves be on the forefront of developing strong compliance plans of their own. Those governmental entities should set an example for those they regulate, and at the same time, develop programs that will better safeguard taxpayer’s funds. In this article, I would like to discuss some of the issues that I believe are unique to governmental entities and why targeting training specific to governmental compliance practitioners should be considered.

Corporate vs. governmental compliance—What’s the difference?Several articles have been written on the value of governmental bodies developing compliance offices and plans similar to those in the private sector. For example, the July 2014 edition of Compliance & Ethics Professional

featured an interview with Joe Murphy in which he discusses his goal of promoting the use of compliance and ethics programs “as an important tool for government to ensure ethical and legal conduct in the public sector.”2 Looking even farther back, the June 2008 edition of Compliance & Ethics Magazine featured an article written by Emil

Moschella, who at the time was assisting the FBI in the implementation of a compliance program. In the article, Moschella effectively discusses the value of compliance and ethics programs in corporations and how that same value would accrue to governmental bodies.3 Both authors look to mirror government compliance and ethics programs on those used in the private sector.

However, the value of a compliance plan may be consistent, regardless of the organization type, but clearly working in a governmental agency is very different from working in the private sector. In the for-profit corporate environment, the mandate is clear—maximize profits in a lawful (and hopefully) ethical way. BusinessDictionary.com defines a “for-profit organization” as: “A business or other organization whose primary goal is making money (a profit), as opposed to a nonprofit organization which focuses on a goal such as helping the

Frankly, one would expect that governmental

entities, which have a responsibility for the regulation of others,

would themselves be on the forefront of developing

strong compliance plans of their own.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

community and is concerned with money only as much as necessary to keep the organization operating.”4

In a governmental body, the objectives are less precise. Improving efficiency and saving money is a laudable goal and is often part of the monitoring and auditing aspect of a compliance plan. However, during weather-related disasters or a significant public health crisis, the governmental compliance plan must be able to balance efficiency and cost savings with a more immediate goal of protecting the public and preserving lives. Most compliance plans strive to implement controls to prevent fraud and waste, but if an agency is created to provide benefits to those who are on the margins of our society, getting benefits to those vulnerable individuals in a timely manner may sometimes require a reduction of frontend controls, but greater emphasis on follow-up after the fact. When the nation geared up for war after 9/11, substantial expenditures were made with minimal oversight. Later, funds seemingly directed to the war effort were found to be missing or used inappropriately. 5 What role should/could a compliance official in the Department of Defense have played? From a compliance standpoint, what is the obligation of the governmental compliance professionals during these types of situations? Is there value in some measure of specialized training for those involved in implementing compliance and ethics programs in governmental entities?

The challenges of implementing a compliance program in a governmental body may be no greater than in a corporation. I am not arguing that one environment is more difficult than the other, or that the job of a government compliance professional is inherently more trying than that of their counterparts in the private sector. Each environment has its unique challenges.

However, I do believe that governmental bodies have been less receptive to creating compliance functions, in part, because we don’t often speak to the specific challenges that resonate with those working in government. Below, I list a handful of specific areas where I believe there are pronounced differences between

the environments faced by compliance professionals in the public sector versus those working in corporations.

StructuralA corporation will answer primarily to a board of directors, but public entities are often headed by appointed officials who may have split loyalties between the people or body who appointed them and the organization they head. The Compliance function, in many cases, must be the voice in the room that brings up issues others in the room may not want to hear. As a result, the compliance officer should have some measure of job security in their position that will allow them to speak their mind without fear of reprisals.

The nature of governmental agencies is that the tenure of most agency heads is

In a governmental body, the objectives are less precise. Improving efficiency and saving money is a laudable

goal and is often part of the monitoring and

auditing aspect of a compliance plan.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

short, relative to that of most corporate CEOs. For example, in the agency where I work, the average tenure for a commissioner is about three years. Many of my coworkers have been around through five or six different administrations. As administrations change, the whole overlay of senior management also changes. Needless to say, short tenures impact enterprise compliance in a variety of ways, including employee morale and engagement, as well as difficulties in developing and maintaining a culture of compliance and ethical behavior.

OversightCorporations have a variety of bodies providing oversight, including regulatory agencies, shareholders, internal and external auditors, but the transparency expected of government agencies and officials makes the public environment even more challenging. Government agencies have most of the corporate oversight burden I noted for corporations but, in addition, due to generous state data practices laws6 (or federal laws like the Freedom of Information Act), these entities are open to even more scrutiny. In Minnesota, state agencies are required to provide the public with access to vast amounts of data, including everything from e-mails and instant messages, to traditional hardcopy documents. Public access to information is a laudable goal in agencies like mine, where there is a substantial amount of protected health information or simply private employee and client information, but the expanded access by the public poses a variety of compliance issues

not traditionally faced in the normal corporate environment.

FundingAny function that is expected to operate properly must be funded appropriately. Unfortunately, government does not always function as objectively or efficiently as the private sector. One need only read the paper to see how Congress has failed to pass

virtually all of the major spending bills needed to run the government. Compliance resources and other funding issues are often at the mercy of the partisan political process, rather than the objective rational analysis that would likely take place at most corporations.7 Compliance

professionals working in a governmental environment need to realistically explore what options are available to them to ensure they have at least the minimum resources necessary to do their jobs. Furthermore, each individual compliance professional must consider the ethical implications if they conclude that they cannot adequately perform their duties due to inadequate resources.

Diverse/Quickly changing issuesIn 2011, early in my tenure as Chief Compliance Officer for a large state agency, I was tasked with assisting with the development of an agency contingency plan in preparation for the possible shutdown of state government operations. Due to a political impasse on funding government, Minnesota was preparing to close all but the

Any function that is expected to operate

properly must be funded appropriately.

Unfortunately, government does not always function

as objectively or efficiently as the private sector.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

most essential services. In fact, Minnesota’s state government operations did close down for more than a month, but the real question for me was what my responsibilities were in managing such a calamity. A year later, the agency was in the middle of assisting in the development of a healthcare insurance exchange, which required the efforts of multiple agencies, several IT contractors, private insurance plans, the federal government, and others. As a compliance professional, how do I assess risk in this uncharted environment? How do I protect my agency, but still work cooperatively with others? Many private sector compliance personnel must juggle a variety of high profile matters, but they have far more control over the issues they choose to deal with. The requirement that government compliance officials assess risk and recommend necessary controls in a timely manner in such a varied and fast changing environment is a distinguishing characteristic of government service.

Urgency of the issuesFinally, often governmental agencies are on the forefront of critical health and safety issues. One need only think of the Department of Veteran’s Affairs to see the human toll that an inadequate compliance structure can have.8

Compliance training in a governmental settingGovernment compliance professionals need all the basic compliance training, but there are areas where they might benefit from specialized or targeted training. SCCE has

long been the premier organization with regard to compliance issues, so my hope is that the SCCE would convene a group of government compliance professionals to look at areas where training might be prepared that would focus on compliance in a government

setting. A recent White Paper titled “Compliance and Ethics Programs for Government Organizations” from the Rutgers Center for Government Compliance and Ethics would be a good starting point.9 In the short-term, simply

including topics of concern to government compliance professionals in the curriculum of the Compliance & Ethics Institute would be great. Later, if there is adequate interest, specific workshops could be developed. Long-term, again if there is adequate interest, a government compliance certification should be considered. ✵

1. Ashoke S. Talukdar: “The Voice of Reason: The Corporate

Compliance Officer and the Regulated Corporate Environment.” Business Law Journal, U.C. Davis; 2005, vol. 6, no. 3. (posted June 4, 2014). Available at http://bit.ly/the-voice-of-reason

2. Roy Snell: “A conversation with Joe Murphy” Compliance & Ethics Professional, July 2014, pp 14-19.

3. Emil Moschella: “Federal agency compliance: Applying corporate lessons in government settings.” Compliance and Ethics Magazine, June 2008, pp 34-38.

4. BusinessDictionary.com. Available at http://bit.ly/profit-org5. Liz Sly: “Pentagon can’t account for $8.7 billion in Iraqi funds.” Los

Angeles Times, July, 26, 2010. Available at http://bit.ly/pentagon-funds6. Government Data Practices Act, Minnesota Statutes, Chapter 13

(2013).7. Ezra Klein: “14 reasons why this is the worst Congress

ever.” Washington Post, July 13, 2012. Available at http://bit.ly/worst-congress

8. Scott Bronstein and Drew Griffin: “A fatal wait: Veterans languish and die on a VA hospital’s secret list.” CNN.com, April 23, 2014. Available at http://bit.ly/va-secret-list

9. Rutgers School of Law: Compliance and Ethics Programs for Government Organizations: Lessons from the Private Sector. White Paper, December 2010. Available at http://bit.ly/rutgers-gov-programs

Gregory Gray ([email protected]) is Chief Compliance Officer at the Minnesota Department of Human Services in Saint Paul, MN.

Government compliance professionals need all the basic compliance

training, but there are areas where they might benefit from specialized

or targeted training.



Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

www.corporatecompliance.org/academiesQuestions: [email protected]

Learn the essentials of managing compliance & ethics programs

Basic Compliance & Ethics Academies2015

in EUROPE, AUSTRALIA, ASIA, SOUTH AMERICA, and UAE

Now you and your international colleagues around the world can benefit from the same invaluable, intensive training available in the U.S. Our international Academies cover critical content in-depth and are a great preparation course for the CCEP-I exam. You’ll learn about:

• Standards, policies, and procedures

• Compliance and ethics program administration

• Communications, education, and training

• Monitoring, auditing, and internal reporting systems

• Response and investigation, discipline and incentives

• Anti-corruption and bribery

• Risk assessment

So let your colleagues around the world know about SCCE’s Academies, and get your entire compliance team on the same page.

Brussels, BelgiumApril 13–16

Sydney, AustraliaMay 11–14

SingaporeJuly 13–16

São Paulo, BrazilAugust 24–27

Dubai, UAEDecember 13–16

NEW

NEW

Take the exam and get certified after this intensive training

scce-2015-academies-intl-1pgad.indd 1 8/20/14 9:34 AM

www.corporatecompliance.org/academiesQuestions: [email protected]

Learn the essentials of managing compliance & ethics programs

Basic Compliance & Ethics Academies2015

in EUROPE, AUSTRALIA, ASIA, SOUTH AMERICA, and UAE

Now you and your international colleagues around the world can benefit from the same invaluable, intensive training available in the U.S. Our international Academies cover critical content in-depth and are a great preparation course for the CCEP-I exam. You’ll learn about:

• Standards, policies, and procedures

• Compliance and ethics program administration

• Communications, education, and training

• Monitoring, auditing, and internal reporting systems

• Response and investigation, discipline and incentives

• Anti-corruption and bribery

• Risk assessment

So let your colleagues around the world know about SCCE’s Academies, and get your entire compliance team on the same page.

Brussels, BelgiumApril 13–16

Sydney, AustraliaMay 11–14

SingaporeJuly 13–16

São Paulo, BrazilAugust 24–27

Dubai, UAEDecember 13–16

NEW

NEW

Take the exam and get certified after this intensive training

scce-2015-academies-intl-1pgad.indd 1 8/20/14 9:34 AM

SCCE Regional ConferencesJoin us in 2015 to share information about compliance successes and challenges, enjoy an inexpensive educational opportunity close to home, and earn CEUs.

www.corporatecompliance.org/regionals

Questions? [email protected]

February 13, 2015 • Phoenix, AZ

March 13, 2015 • Miami, FL

April 24, 2015 • Chicago, IL

May 1, 2015 • Washington DC

May 15, 2015 • New York, NY

June 19, 2015 • San Francisco, CA

June 25–26, 2015 • Anchorage, AK

October 23, 2015 • Minneapolis, MN

October 30, 2015 • Atlanta, GA

November 13, 2015 • Boston, MA

December 4, 2015 • Dallas, TX

Network & learn locally

and earn CEUs

scce-2015-regionals-1pgad.indd 1 8/6/14 12:46 PM

Share your expertise.Compliance & Ethics Professional is published monthly by the Society of Corporate Compliance and Ethics (SCCE). For professionals in the field, SCCE is the ultimate source of compliance and ethics information, providing the most current views on the corporate regulatory environment, internal controls, and overall conduct of business. National and global experts write informative articles, share their knowledge, and provide professional support so that readers can make informed legal and cultural corporate decisions.

To do this, we need your help!We welcome all who wish to propose corporate compliance topics and write articles.

CERTIFICATION is a great means for revealing an individual’s story of professional growth! Compliance & Ethics Professional wants to hear from anyone with a CCEP, CCEP-I, or CCEP-F certification who is willing to contribute an article on the benefits and professional growth derived from certification. The articles submitted should detail what certification has meant to the individual and his/her organization.

Earn CEUs! The CCB awards 2 CEUs to authors of articles published in Compliance & Ethics Professional.

If you are interested in submitting an article for publication in Compliance & Ethics Professional, email liz.hergert @ corporatecompliance.org .



December

2014

45Why outsourcing



29Taking compliance








Meet Shin Jae Kim


See page 14

Topics to consider include: · Anticipated enforcement trends

· Developments in compliance and ethics and program-related suggestions for risk mitigation

· Fraud, anti-bribery, and anti-corruption

· Securities and corporate governance

· Labor and employment law

· Anti-money laundering

· Government contracting

· Global competition

· Intellectual property

· Records management and business ethics

· Best practices

· Information on new laws, regulations, and rules affecting international compliance and ethics governance

CALL FOR AUTHORS

Please note the following upcoming deadlines for article submissions:

· January 1

· March 1

· February 1

· April 1


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

Political activity compliance is an unfamiliar topic for the majority of compliance professionals. Most are

likely unaware whether their organization engages in political activity, or the full scope of that activity. Compliance professionals

customarily engage with more general corporate compliance, such as wage and hour requirements, corporate ethics, and privacy or workplace issues. Likewise, political activity compliance is an unfamiliar area to the majority of in-house corporate counsel who deal with general business issues.

In the post Citizens United1 world, corporations, trade associations, and non-profit organizations are engaging in greater political activity. These organizations are under a microscopic level of scrutiny regarding their political activity. Shareholders and watchdog groups are increasingly pressuring entities to fully and publically disclose their political activity policies, including lobbying, issue advocacy, direct political contributions, and political action committee (PAC) activity.

Additionally, regulatory oversight of political activity is increasing with many states and municipalities passing legislation that requires greater transparency and more in-depth reporting. For federal lobbying, organizations must comply with the Lobbying Disclosure Act and Section 404 of the Sarbanes–Oxley Act. Depending upon the status designation of an organization, there are also Internal Revenue Service (IRS) and Securities and Exchange Commission (SEC) rules to comply with.

For organizations that already have or seek to have government contracts, there are procurement lobbying and state “pay-to-play” laws, as well as the Federal Acquisition Rules—as applied to political activity involving federal government contractors—to follow.

The Department of Justice, the SEC, and the IRS have all increased their scrutiny of organizations’ political activity and are actively prosecuting violators. In July, powerhouse accounting firm Ernst & Young (EY) agreed to a $4 million dollar settlement with the SEC over independence violations involving EY’s legislative advisory practice.2

Why outsourcing your political activity compliance makes sense

» Organizations are becoming increasingly involved in political activity.

» Political activity compliance requirements are different in every jurisdiction.

» Most compliance professionals are unfamiliar with political activity compliance.

» Outsourcing political activity compliance provides peace of mind.

» Non‑compliance can cause serious financial, reputational, or administrative harm to an organization.

by Scott Stetson

Stetson


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

FEATURE

In such a hyper-transparent environment, entities cannot afford anything less than full compliance all of the time. Inaccurate or incomplete disclosure filings, or no filing at all, may cause avoidable financial, reputational, and administrative harm to an organization. Administrative harm may include fines or debarment. Being prohibited from submitting responses to RFPs due to debarment can be catastrophic to organizations that rely on government contracts for a significant part of their revenue. In many jurisdictions willful non-compliance with disclosure laws may result in criminal charges.

The size and scope of an organization’s political activity will vary from small, single-state or regional programs all the way up to nationwide activity encompassing most or all of the states, as well as the federal level. Lobbying activity generally includes both the Legislative and Executive branches. Meanwhile, the reporting requirements for lobbying activity are different in every single jurisdiction.

If the organization has a PAC, there will be state and federal campaign finance laws to comply with that require frequent and detailed disclosure filings. As with lobbying, the specific disclosure requirements differ from state to state. In many jurisdictions, including the federal level, campaign contributions from registered lobbyists must be disclosed. The Federal Election Commission (FEC) governs federal campaign

finance activity, and every state has laws regarding campaign finance activity.

As mentioned above, political activity compliance requirements are different at the local, state, and federal levels. The only consistent element is that some form of

compliance is required. Outsourcing the reporting requirements for your lobbying and PAC activity can be an effective, cost-efficient solution for political compliance.

Outsourcing to a firm that specializes in political activity compliance provides your organization with a valuable asset in that the firm has the requisite knowledge

and expertise necessary to effectively prepare and file disclosure reports in every state, the FEC, and Congress. From a risk perspective, outsourcing this very specialized area to an experienced firm serves as risk mitigation to the organization.

Just as organizations rely on external professionals for legal, accounting, and tax issues, they should evaluate whether outside experts should be retained for political activity compliance. Specialty political compliance firms are equipped to partner with in-house Compliance and Legal departments to ensure full, ongoing compliance with the intricate requirements of this growing compliance area. ✵ 1. Citizens United v. Federal Election Commission,

558 U.S. 310, 2010, (Docket No. 08-205558. Available at http://bit.ly/citizens-united-vs-fed

2. Kent Cooper: “Ernst & Young Agrees To Pay $4 Million Over Lobbying Violations.” Roll Call, July 15, 2014. Available at http://bit.ly/ea-pays

Scott Stetson ([email protected]) is Manager of Compliance Services at MultiState Associates, Inc. in Alexandria, VA.

The size and scope of an organization’s political activity will vary from small, single-state or

regional programs all the way up to nationwide activity encompassing

most or all of the states, as well as the federal level.

http://en.wikipedia.org/wiki/United_States_Reports

http://supreme.justia.com/us/558/08-205/index.html


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

On the 27th June, 2014, the heads of State and government of the African Union adopted the Convention on

Cyber Security and Personal Data as part of existing commitments to build the Information Society and to reaffirm commitments to

fundamental freedoms and human rights contained in the declarations, conventions, and other instruments adopted within the framework of the African Union and the United Nations.

The Convention addresses a number of obstacles to the development of electronic commerce

in Africa, particularly: · The gaps affecting the regulation of legal

recognition of data communications and electronic signatures;

· The absence of specific legal rules that protect consumers, intellectual property rights, personal data, and information systems;

· The absence of e-services and telecommunication laws;

· The application of electronic techniques to commercial and administrative acts;

· The requirement for recognition of authentication elements in e-commerce introduced by digital techniques such as time stamping and certification;

· Rules applicable to cryptology devices and services;

· The oversight of online marketing and advertising; and

· The absence of appropriate fiscal and customs legislations for e-commerce.

In addition to the above areas, the Convention gives specific attention to data protection and the prevention of cybercrime in line with the increasing adoption of similar legislation in other parts of the world.

The Convention recognises the need for the African Union to create legislative frameworks that enable states to proactively participate in the digital economy whilst protecting the fundamental rights of individuals in relation to their personal data, and creating a framework that enable states to combat cyber risks and cybercrime.

There are already a number of African countries that have data privacy and e-commerce laws, and South Africa has followed an EU style approach to information security and data protection laws.

Whilst the Convention is a move in the right direction, the fact that its principles need to be implemented at a state level means that there is unlikely to be a level playing field, and there is no guarantee that the 53 States of the African Union will implement local laws in an integrated and harmonised fashion. ✵

Robert Bond ([email protected]) is Partner at Speechly Bircham LLP in London.

by Robert Bond, CCEP

African Union Convention on Cyber Security and Personal Data Protection

EU COMPLIANCE AND REGULATION

Bond

48

Congratulations Newly certified designees!

48

The Compliance Certification Board (CCB)® offers opportunities the CCEP and CCEP-I certification exams. Please contact us at ccb @ compliancecertification.org, call +1 952 933 4977 or 888 277 4977, or visit www.compliancecertification.org.

Achieving certification required a diligent effort by these individuals. CCEP certification denotes a professional with sufficient knowledge of relevant regulations and expertise in compliance processes to assist corporate industries in understanding and addressing legal obligations. Certified individuals promote organizational integrity through the development and operation of effective compliance programs.

The individual who earns CCEP-I certification is a professional with knowledge of relevant international compliance regulations and has expertise in compliance processes sufficient to assist corporate industries in understanding and addressing legal obligations, and promoting organizational integrity through the operations of an effective compliance program.

· Charles Olakunle Alaka · Khalid Al Aseeri · Ashleigh B. Baker · John A. Bannon · Caroline B. Brandt · May Jane Coulson · Vincent P. Eng · Aprille Erickson

· Yurima F. Falcon-Grace · Mary E. Heeringa · Walter T. Hendriks · Scott J. Jensen · Christina R. Johnson · Lori A. Knudson · Karina G. Leite · Francesca Lulgjuraj

· Timothy S. McFarlane · Mia M. Mounts · Segun Oke · Bradley L. Ottinger · Leopoldo Paullada Rivera · Helen A. Reetz · Kristopher D. Rossfeld · Jose R. Ruiz

· Patricia A. Ryder · Mark Sagrans · Katharina V. Scholz · Lisa Schor Babin · Kristin A. Strickland · Cassandra C. Taylor-Wilson · Amy Thiel · Nicole F. Tillman

· Melinda M. Wallace · Stephanie C. Werner · Javier Zamora · Jane Zsigmond · Edward J. Zulkey

· Erin E. Anton · Donna L. Barker · Dawn M. Boudreau · Jennifer K. Brewer · Michelle Camarillo · Shirley Chang-Rodriguez · Birtina M. Clayburn · Wilde C. Colares · Robin DeGrandis · Denise A. Devlin · Kristen M. Dygon · Tracey L. Ellerson · Jeffrey T. Erickson · Kristina P. Ferkinhoff · Ernesto G. Fernandez

· Judith L. Garner · Leslie A. Green · Andrew P. Hall · Raymie L. Hamann · Salvador Hernandez · Christopher H. Horan · Matilda O. Jinadu · Mariel S. Kagan · Louis J. Krzemien · Richelle A. Ladwig · Von E. Layvas · Brian J. Leddin · Scott Mahoney · Martina Manzone · Jack Marr

· Jeremy Mauritson · Jennifer A. McGlinn · Jason B. Meyer · Andrea D. Mogab · Eric O. Morehead · Jason P. Murray · Patricia Padilla · Catherine Paulson · Amy R. Petschauer · Carmi E. Pietila Cleary · Charlotte P. Piontek · Trina R. Pollman · Denise Ragland · Alistair Raymond · Hannah L. Renfro

· Julian M. Rierson · Jennifer Ruocco · Mike S. Sackett · Ruth Savolaine · Gloria J. Sawusch · Randolph W. Sawyer · Kathleen L. Schnier · Kevin W. Shaughnessy · Gabrielle Shinohara · Kynzie R. Sims · Jeremy T. Steele · Katelynn D. Stevens · Kurt Stitcher · Nicole Stone · Glenn A. Sweatt

· Diana L. Terita · Julie T. Thomas · Kisha B. Turpin · Constance Valkan · Kelly L. Ward · Brian J. White · Kimberly W. White · Cathlene K. Wiedenhoeft · Linda M. Williams · Michael Williamson · Lisa M. Wilson · Brigitte Wolin · Cindy Wren · Caitlin H. Zimmerman

Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Become a Certified Compliance & Ethics Professional (CCEP)®

There’s never been a tougher or better time to be a part of the Compliance and Ethics profession. Budgets are tight, governments around the world are adding new regulations, public trust in business is low, and employees are tempted to cut corners.

As a Certified Compliance and Ethics Professional (CCEP) you’ll be able to demonstrate your ability to meet the challenges of these times and have the knowledge you need to help move your program and your career forward.

Learn more about what it takes to earn the CCEP at www.compliancecertification.org/ccep

• Broaden your professional qualifications

• Increase your value to your employer

• Gain expertise in the fast-evolving compliance field

CCEP_1-page_4-color_space-for-testimonial_ad.indd 1 10/2/14 12:38 PM

Hear from your peersBilal Masood, CCEP-I Compliance Operations Manager – Middle East & North Africa 3M Gulf Dubai, United Arab Emirates

1) Why did you decide to get certified?

It was important for me to independently validate the experience I have gained in compliance and to test that in a formalized manner (i.e. through the exam). Also, I wanted to benefit from a forum that brings compliance experts and my compliance peers in the region and industry together, in order to discuss, learn, and share experiences and practices. The certification was a culmination of the knowledge I have gained so far, including what I learned in the Academy, and provides me with an external qualification that is internationally recognized. On a personal level, I am passionate about compliance, and this was an important self-development objective.

2) How do you feel the CCEP-I certification will help you?

It gives recognition to my work and awareness of compliance and it is a well-respected qualification/certification in the industry, which I can proudly use.

3) Would you recommend that your peers get certified?

Yes, most certainly!

49

October 4–7, 2015

ARIA in Las Vegas

Las Vegas, NV

14th Annual

Compliance & Ethics Institute

VEGAS 2015

SAVE THE DATE


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

A t the Compliance & Ethics Institute in September, Roy Snell and Jennifer O’Brien shared valuable insights

into the elements of influence. After all, isn’t our job description “to prevent misconduct”? The essence of what we are trying to do is

to influence behaviour—of our colleagues, of our senior executives, and of our key partners. One of the most powerful messages that I took from their session was “Know the business.” Pardon me for stating the obvious, but I assume we’ve all read the annual report and read the SEC filings

if a company is publicly listed. And the risk assessment has probably involved interviews with managers across the business. Jenny spoke of going on sales calls with the sales team. I would also recommend an analysis of the performance review and incentive programs.

Years ago, when I was practicing in a law firm, I was advising a banker on a loan to a joint venture in an exotic location. I kept telling him that this was a very risky proposition, and it was being made worse by each concession. He kept pressing on to close the deal. I wondered if the fact that we were coming up to Christmas meant that he wanted to clear his desk before he left for the holidays. It was some time afterward that I learned that his bonus was based on loans closed by year-end. The quality of the loans didn’t figure in the rewards. There was no “claw-back” in the bank’s incentive scheme. If there were a subsequent review of the quality of a banker’s book of business, it played no part in future rewards. Years later, I was invited to join a company that needed to build a Compliance function because it was in the midst of an investigation into accounting

“improprieties.” The company was struggling in tough market conditions and good people were leaving every day. The CEO and CFO were accused of shifting reserves in order to trigger the company’s bonus scheme, of which they were the largest recipients. The former executives were ultimately acquitted of fraud, but as one commentator observed, “If [they] had passed up the bonuses to which they were entitled, they would have spared themselves a great deal of grief.”1

Since incentives are some of the strongest influences on behaviour in a company, we should understand and anticipate where these may conflict with maintaining an ethical culture. And be prepared to point out to leaders where their own incentives send the wrong message.

As Roy and Jenny said, “Be credible. Be relevant.” ✵

1. “The moral of the Nortel story.” The Globe and Mail, 2012. Available

at: http://bit.ly/the-globe

Sally March ([email protected]) is Director, Drummond March & Co, in London.

A VIEW FROM ABROAD

by Sally March

Keep your eyes on the prize

MarchYears ago, when I was

practicing in a law firm, I was advising a banker on a loan to a joint venture in an exotic location. I kept telling

him that this was a very risky proposition, and it was being

made worse by each concession.

corporatecompliance.org/highered

Gather with your peers for the primary networking and learning event for compliance and ethics professionals in higher education.

Learn how to increase the effectiveness of your institution’s compliance program, discuss emerging risks and issues with your colleagues, share best practices, and build valuable relationships.

REGISTER BY APRIL 8 AND SAVE $250

May 31–June 3, 2015 | Austin, TXquestions katie.burk @ corporatecompliance.org

HigherEducationCOMPLIANCE CONFERENCE

TWO CONFERENCES FOR THE PRICE OF ONEComplimentary access to HCCA’s Research Compliance Conference is included with your registration. Build your own schedule and attend sessions at both conferences!


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

A recent LinkedIn discussion in the Ethics Professionals group suggested that ethics and power do not mix.

In the opening position, they were likened to water and paraffin (oil and water in colloquial American English). About four comments

into the discussion I posted the following observation:

To add another two cents worth - in physics, power is expressed as a function of force, distance, and time.

In simple terms, power is what makes things happen. Nothing happens

unless power is expended. For the purpose of this question, I would propose that distance and time are ethically “neutral.” So the key variable is force. What force do we apply? And, unstated in the physics of power, to what end?

The ethics of power may thus be reduced to a question of ends and means. Both ends and means can have an ethics component. Both ends and means can be “evaluated” (their value determined) in

their contemplation (before the fact), their execution, and effect (after the fact).

Thus, the intended use, the manner of use, and the resultant consequences of the power we expend can have an ethical component. Don’t blame the power we expend for the unethical choice(s) we make. That would be akin to blaming gasoline for the carnage on our highways. It is responsibility that is the flip side of the power coin. The ethics of power lies in both the intentions and abilities of the user. We are accountable for the consequences of our actions and the power we employ in that exercise.

Context and backgroundI started my higher education in the School of Engineering, but learned three semesters into my education that I was not engineering material. I graduated with a BA with Honors in Political Science and a minor in Anthropology.

Following university, I was fortunate to be recruited and hired by the preeminent research and development laboratory of the day, Bell Labs. I was offered a staff position.

Organizations and leadership: How power and ethics interact

» Organizations succeed when individuals are willing to subordinate their personal agendas to the greater agenda of the organization.

» Power is not a “dirty word.”

» Creating and sustaining an “ethical organizational culture” is a leadership issue.

» The key to an organization’s cultural success is “fit.”

» Ethical leadership does not require a new skill set. It is simply a “decision” you make.

by Frank J. Navran

Navran


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

In part, I was deemed to be qualified because I “spoke engineer.” I wasn’t an engineer per se but had an affinity for the both the conceptual and practical nature of, and appreciation of, the academic demands of research and development, and was effective in my various support roles.

My final five years in Bell provided what I consider to be the best graduate education I could have ever experienced. I spent those years balancing the pragmatic demands of sustaining a complex system in transition and strengthening the ethical components of leadership, the means for establishing and maintaining an organizational culture that was built on the bedrock of ethical values/principles. I was surprised at first to recognize that nearly every “organizational effectiveness” issue I confronted had an ethical component. I was just as surprised to realize that I had a talent for addressing those issues. Seems I had found my niche.

My connecting physics and ethics in my LinkedIn comment reflects a parallel path I have followed all my life. I live in the world of conceptual physics (physics, hold the math) and ethics. Physics is the “natural world” analog of systems theory—the interconnectedness of everything. I see the world as a would-be engineer—looking for how things connect, how they work, and how to make those things work better.

Put physics together with organizational effectiveness and you get comments like the LinkedIn entry above, where a physical

world definition of power is applied to an organizational question.

Ethics, power, and leadershipImplicit in the LinkedIn discussion referenced above is the idea that there is a direct interconnectedness between ethics, power, and leadership. If that were not self-evident, consider the well-known observation, “Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.”1

That is a cynical and immensely inaccurate proposition. I suggest that our greatest, most effective leaders are more often highly ethical people in both their professional and personal lives. The vast majority of the successful leaders I have met and served are also ethical leaders. Perhaps that is because only those so disposed would seek the services of an ethics and leadership

consultancy. However, even those not so disposed would often engage our services from a pragmatic point of view – the need to have an effective program to prevent and detect violations in order to reduce their exposure to extraordinarily high fines.

If we are going examine this juxtaposition of power, ethics, and leadership in organizations, then definitions are in order.

OrganizationsThis may be the easiest of the definitions. Organizations are collections of individuals coming together for a common purpose. Inherent in that “coming together” is the

I suggest that our greatest, most effective leaders are more often

highly ethical people in both their professional and personal lives. The

vast majority of the successful leaders I have met and served are also

ethical leaders.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

notion that each individual will subordinate his/her personal agenda to the greater agenda of the organization. The mission and vision of the organization define that agenda. Its values define boundaries and limits regarding what specific behaviors may be employed in the pursuit that agenda. “Organization” also suggests some form, structure or division of labor/responsibilities within the group, such as a hierarchy or chain of command.

CorruptionCorruption is about behavior. In this case it is behavior that is dishonest or fraudulent. It includes behaviors such as lying, cheating, and stealing. It is often associated with illicit efforts to influence another’s opinions or actions, such as when referring to a corrupt politician or judge. More generally, it can be descriptive of the abuse of trust for personal gain. And that need not be limited to bribery, the most common example. It can be the abuse of one’s position for the purpose of creating a positive impression, such as a manager taking credit for a subordinate’s idea.

PowerI once heard power characterized as the last dirty word in the English language. Back in the 1970s, when comic George Carlin was talking about the seven dirty words you can never say on television, no one was talking about power as a “dirty word.” Even so, some topics were just taboo, and power was one of them. For some reason, in today’s society it is still less appropriate/polite to talk about how to acquire, use, and respond to the use of power than it is to the discuss Carlin’s views on the bodily functions and private sexual matters that never made it to network television.

Carlin aside, the better definition of power comes from physics. Power is the result of force applied to mass to create movement.

That definition is judgment free. There is no “good” or “bad” in that definition. It does not presume to judge the purpose for creating that movement, the motives of the mover, or the impact of the movement. It is a simple equation and, in my opinion, well suited to describing how power plays out in leadership. And, it also allows us to consider the ethics of how that power is applied. We can look at the type of force applied, to what or whom it was applied, and what “movement” (outcome) it produced. And we can then superimpose a judgment regarding both the means and the ends, and if we are so disposed, the motive.

Among the various observations concerning “power” that I have encountered, perhaps the most inappropriate from an organizational/leadership point of view, is the above mentioned “power is the last dirty word in the English language.” That is, at best, a counter-productive perception. At worst it causes people to ignore and/or hide information critical to effective management and leadership. How unfortunate that in contemporary society we can talk about almost anything, yet we are still reluctant to talk about how to accrue and maintain power. Too often we pass over the productive aspects of the ethical use of power. We have learned to fear the potential for the abuse of power and that taints the whole reality that nothing happens unless or until someone exercises power.

What is preventing us from openly talking about the accrual and utilizations of personal and positional power in ethical ways that serve the organization, further its mission, and add value to the business proposition both within the organization and among those it serves?

What is preventing us from advocating for more personal and professional power for those we lead and serve? What ethical values might be better served if we were to include


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

a frank and candid discussion of power, its acquisition, and utility in those conversations?

EthicsEthics is also about behavior. Its various definitions discuss values and standards that establish boundaries, defining and limiting rights and wrongs. Those standards help one determine if any given behavior is or is not ethical. Those standards also point out that in different contexts the same behavior may be ethical or unethical. Thus, ethics is situational. For example, most people agree that taking a human life is wrong, yet in self-defense it may be “justified” and in wartime it may be “patriotic.”

There is nothing situational about power. It is a mathematical expression of a physical phenomenon. Ethics, on the other hand, is a judgment – not a measurement. We cannot quantify or objectify ethics. It is an opinion of how well a given behavior reflects the shared opinion of society as to what constitutes doing what is right, fair, and good.

LeadershipMy favorite description of leadership is the ability to get others to want to do what you want or need them to do, and to do so to the very best of their ability, without resorting to bribery, positional authority, or any explicit/implicit form of a threat. Leadership that relies on threats or fear is not actually leadership. It is coercion or bullying.

Leadership is also situational. What is deemed appropriate leadership behavior in one situation could well be judged

inappropriate in another. That means that leaders must reflect on both the principles they wish to uphold and the circumstances of the specific instance to which they want those principles applied. Nowhere is this more evident than when facing an ethical dilemma —a situation where there are competing and/or conflicting values. A simple example is when trust and compassion are mutually exclusive. I may want to spare another person

a “hurt” but the only way is to withhold a “truth” to which they are entitled. Consider the physician who discovers that a patient is facing a life-threatening illness. To complicate matters, this patient is in a “delicate”

mental state and telling them that they are facing a near hopeless fight against an incurable illness may push them over the edge. Many physicians will chose to “soften” the diagnosis for fear that the patient might lose the will to fight the condition, if they believe that such an effort would be futile. That might also eliminate the admittedly small chance that they could win such a fight. So, what best serves the patient may be to “fudge” the facts, or, so goes the rationalization. (My favorite definition of a rationalization is that it is a lie we tell ourselves to give us permission to do what we know is wrong.)

Leadership is about the skills needed to have others want to do what we want/need them to do, and to do so to the best of their ability, without our having to resort the use of negative power, such as threats or bribes. Effective leaders employ positive power, such

Ethics is also about behavior. Its various definitions discuss

values and standards that establish boundaries,

defining and limiting rights and wrongs.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

as respect for the legitimacy of another’s person or position, the shared need to serve a customer, and the pursuit of other agreed-upon goals, including “mundane” goals like making a living.

Potential for abuseBoth personal power (e.g., respect, reputation) and positional power (i.e., hierarchical authority) can be and often are abused. That abuse can be defined as the subversion of one’s positional authority for the pursuit of improper goals. For example, using one’s positional authority as a supervisor to “encourage” employees to come over to one’s house on a weekend for a “painting party” where the supervisor provides the brushes, rollers, paint, and an endless supply of beer and food, and his employees paint his house. I only wish I was creative enough to make up examples like these. This is something I found in a work group I inherited, and it took an executive order from yours truly, prohibiting such behavior, to cause to it stop. Prior to my taking that position, this was a commonplace practice, and none of those on the management team thought there was anything inappropriate about it. Their rationale was “We’ve always done it this way” and “The union doesn’t ‘grieve’ it, so it must be OK.”

Organizational ethics and leadershipWhen these two concepts are discussed in the context of organizations, they become even more specific and concrete. If organizational ethics is about applying both our individual values and our organization’s shared values to our actions and decisions, then organizational ethics and leadership is about ensuring that the actions we take address any or all of those ethical considerations and anticipate and address any potential ethical considerations inherent in the proposed solution(s). This

means, that as leaders, we (as well as those we lead) must:

· be able to identify the ethical component of any situation requiring a decision,

· be able to identify the most likely outcomes of the decision, and

· be prepared to select the alternative that best addresses those components in a way that deals with both the core issue and any ancillary ethical considerations inherent in the solutions we propose.

Creating and sustaining that practice in a work group is a leadership issue. Like any other standard we want to establish and maintain it requires:

· an effective communication strategy, · a means for ensuring both understanding

and competence within the workforce charged with executing that standard, and

· a demonstration of our commitment to the standards in question, over the long haul, lest they be perceived as the latest management “fad du jour” and ignored.

Typically, that third point means that the practice under discussion must be prominently featured in routine conversation about the work being done as well as in the measurements and rewards mechanisms. Ethics being part of everyone’s regular performance review process is certainly a significant piece of that process.

Leadership optionsAssuming you find the ethical leadership model described above appealing, how might you better integrate a more balanced power and ethics orientation onto your current approach to leadership? What are some of the specific things you might choose to do to increase your ethical effectiveness both as a decision-maker and leader?


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

I suggest that there are three basic steps: · Definition · Implementation · Evaluation

DefinitionThe concept of ethical leadership is described above, but concepts are abstract. What we recommend is that you consider you own unique circumstances, and begin to identify specific, concrete language for how you might better articulate your ethical standards and expectations. First of all, what exactly do you want or expect from those you lead? Why is it important to you, to them, the company, and to your internal and external customers? How will you recognize when those expectations are or are not being met? And what are the individual and organizational consequences for meeting or missing those goals?

Specific concrete examples I have used in the past have included such basics as integrity in reporting. Ours was a “metrics” driven organization. There were numerous stated goals and management employees were measured and rewarded against their success in meeting or exceeding those goals. Union employees’ compensation was bargained for. Supervisors’ salaries were a function of their manager’s evaluation of their performance.

How things work around hereBob had a “system.” He knew the goal was for his team to average 12 work units per hour, based on a complex algorithm where each task was assigned an expected time to completion and a number of work units that reflected the

complexity/difficulty of the task. Each week, the control foreman computed each of my supervisors’ performance, and I was provided those numbers. I started to track them on a wall chart and noticed an anomaly. If the goal was 12 work units per hour (wph) each of the foremen was averaging pretty close to that goal, with some week-to-week variations – all except Bob that is. Bob’s wph never varied by

more than a decimal point or two.

After tracking this long enough to recognize the pattern, I called Bob into my office and pointed out the differences. My chart clearly illustrated the “flat line” performance curve for Bob and the distinct contrast

between his performance and the others’. Over a 12-week period, all were averaging numbers within a decimal point or two of the goal, but Bob’s day-to-day, week-to-week numbers were impossibly consistent. So I posed the question to him.

Proudly, he “educated” me. I was the new guy and he was showing me how an experienced “pro” handled reporting. His argument was brilliant in its simplicity. If Bob was having a good week, he “banked” a few jobs. He left them “open” and saved the work units for when he might need them. That way, if he was having a less productive week later, he could “close” those jobs and never have his performance fall under the threshold.

Apparently my predecessor knew of this arrangement and condoned it. Bob never “got” why I not only opposed it, but also forbade it going forward. I could not bring myself to discipline him for the previous false reporting, since it had been a long-standing practice that

If Bob was having a good week,

he “banked” a few jobs. He left them “open” and saved the work units for when he might need them.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

had gone unattended until I took the reins, but that practice was discontinued, at least for the three years that I was the manager.

ImplementationWhat follows is a not a set of specific recommendations, but rather, a set of observations.1. The key to a culture’s success is

congruence or “fit.” When it comes to implementing leadership changes, there is no ideal model. There are, however, ideal outcomes. How you attain those outcomes is a matter of what needs changing and who is doing it. There are significant substance and style issues that change requires, and both of those need to fit (i.e., to be congruent with the needs and culture of the organization) to be effective.

2. If culture is the shared understanding of how things work around here, then there has to be near universal acceptance of any proposed change before it can be said to be part of the culture.

3. Work ethic (how hard we are willing to work to find the best solution to the problem at hand), diligence, depth, endurance, perseverance… is more often a culture issue than a leadership style issue. A variety of leadership styles can support a strong work ethic.

4. Some elements of culture tend to be leader-specific. These style-specific elements seem to be more about appearances than core beliefs. Then tend to describe how we go about doing the task at hand rather than defining one’s commitment to the task itself. For example, where you sit on the formality–informality scale is a leadership style issue. Style is a minor component of culture. Culture is the deeper, richer, and more relevant context.

5. Succession creates unparalleled opportunity for culture change. It is when

an organization expects change that it may be most open to it.

6. On the other hand, one way to test for what is truly core culture and what is “style” is to pay attention to what survives succession. Core culture will endure almost anything short of catastrophic change.

Among my favorite implementation strategies is one that I have used repeatedly with some success. It starts with coming to understand the status quo. What are the underlying assumptions about the current culture? As a consultant, I have come to rely on “the culture question”—a question I started using years ago and that has proven to be one of the strongest diagnostic tools in my arsenal: “If I were a new employee here and you were committed to helping me be successful, what one or two things would you tell me that I need to know, but won’t find written down anywhere?”

I have referenced this question in other articles, but it bears repeating. It is perhaps the most powerful diagnostic tool I have ever discovered. The most interesting thing about this question is that no one has ever said, “We don’t have any of those.” Test it for yourself. Ask yourself that question and see if the answer you come up with is or is not essential to understanding the culture of the organization you currently support.

EvaluationWe have made the effort to describe “ethical effectiveness” in specific, concrete language. What does it look like? How will you know it when you see it? Why might you consider adding it to your current leadership repertoire?

The remaining question is, “How will I know of it is working?” The answer depends on how you define success. In my experience,


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

success has several dimensions. My list may not be the same as the list you would create. I include my list as an example, but not a strict “exemplar.” I do not propose that I have the right answers, merely that I have answers that work for me, with the understanding that there may be as many “right” answers as there are leaders willing to pursue ethical effectiveness as part of their overall approach to leading.

Here are examples of the things I have observed. Some are fairly simple, almost mechanical, responses to a given leadership initiative. Others are rather dramatic evidence that this initiative is being understood as more than the “programme du jour.” It is not the leadership flavor of the week. It is a substantive, meaningful improvement over past practices and is being adopted because it is better than what preceded it. Some of the improvements I have experienced and/or observed, include, but are not limited to:

· The dialog between leaders and the led takes on a different tone. There is a “mutuality” to the dialog. Both sides listen more intently and are more respectfully of new ideas, suggestions, and concerns.

· There is less defensiveness and a greater sense of shared commitment to finding the best solution to whatever problem has presented itself.

· Greater initiative – employees are more willing to find a problem and fix it, rather than waiting for someone above them to find it and assign it to them to be fixed.

· Increased responsibility for one’s own actions and decisions. Employees have an increased sense of ownership of the work and the problems it is intended to address or prevent.

· More creativity in finding new solutions to old problems as well as finding better solutions to new problems.

· Improved internal communication. Less waiting to be asked. More initiative in raising questions and concerns. Better listening all around.

· Increase in mutual respect that cascades down to the lowest level employee.

Ethical decision-makingSo, what does ethical decision-making look like? It looks just like any other form of decision-making, except there is an added consideration in key steps. You don’t have to learn a new decision process. You simply have to add a “question” to some of the key steps.

· Every decision model starts with problem recognition. There is something here that requires me to make a decision. The added step is to specifically ask yourself if there is an ethical component or aspect to the current situation or problem at hand?

· Once that is identified, the process goes “creative” and adding a step here could stifle that creativity. How might we fix what needs fixing? The ideal is that, having defined the problem, we consider as many possible solutions as time, our experience, and imagination allow, lest we fall into the trap of “same old problem—same old solution” when that is not the optimal alternative.

· Once we have identified options, we evaluate each in turn, looking for the optimal response. Evaluation of those steps allows us to raise the ethics question. In addition to addressing the core problem, does this potential solution address whatever ethics issues might be present in the problem at hand, and, does it have the potential for creating new ethics issues/problems if implemented?

· Given the answers to the above, we evaluate the options that are available to us and select the optimal solution.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

· The solution does not stop with selection. What follows is implementation. And, yes, these are two separate steps and need to be seen as such. Often we decide and do nothing. We have many of those moments when we look at a situation and decide what we would/should do and then, for any number of reasons, do not act. Often it is not our decision to make. But we “solve” it, at least in our heads, because that is part of our psychology.

· And, finally, we evaluate. And there is an ethical component to our evaluation. Did the solution work? Did it solve the problem at hand? What residual problems remain? What ancillary problems did that solution create? Is there an ethics component to any/all of the above?

SummaryWe started b y asking if and how power and ethics interact in the context of organizations and leadership. We suggest that they are inexorably intertwined. Every decision and action of a leader has the potential to have an ethical component. If that component is not recognized, then chances are that it will not be addressed, at least not intentionally. If unaddressed, it makes our decisions less effective.

Ethical leadership requires each of us to consider the question, “Is there an ethical consideration to this question/problem/issue that warrants my attention?” If yes, then how do I go about doing what is required in ways that are both efficient and effective?”

How do I exercise my power as a leader and decision-maker so that it addresses the problem at hand, meets the standards of the

company I work for, and serves as a model for those I lead? How do I exercise ethical power?

The idealThe ideal answer is joyful in its simplicity. We don’t need to learn a whole new skill set. We don’t have to master complex theories or create any sort of disruption to what is already working well for us. We simply need

to add a mental step to our process. It can be invisible to those around us, but will be manifest in its impact on the quality and efficacy of our decisions and actions. We can remember to include the ethics question each and every time we are called upon

to make a decision. We simply exercise the power we have to make the very best leadership decisions, using the best available processes so that we consistently produce the best, most ethical of outcomes. Once again, the steps are:

· This is the problem – is there an ethics component to the problem as I have defined it?

· These are my options. · This is the option that does the best job of

solving the problem, while conforming to the highest ethical standards.

· And, after the fact, if I had it to do over again, what might I have done to make this a better, more ethical decision?

Game over! You win! ✵ 1. Quote attributed to John Emerich Edward Dalberg Acton, first Baron

Acton (1834–1902) noted in 1887. Frank Navran ([email protected]) is Principal Consultant at Navran Associates in Palm Coast, FL.

The ideal answer is joyful in its

simplicity. We don’t need to learn a

whole new skill set.


Improving Governance Practices

November 9–10, 2015 | Scottsdale, AZ

Join us and learn:

• The latest on regulatory risk and compliance obligations

• The latest on fulfilling your fiduciary obligations as a board member

• How to help improve your board performance

corporatecompliance.org/events

This conference is designed for board members and members of a board Audit and/or Compliance Committee of not-for-profit organizations. Compliance officers and other senior leaders in the organization are welcome to accompany board members.

REGISTER NOW: SPACE IS LIMITED TO 70 ATTENDEES

NEW

Buy one registration

for $795 and get one for

$495

Audit &Committee ConferenceCompliance

scce-2014-cep-09-auditcomp-ad.indd 1 9/12/14 1:44 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Insta-what? Understanding photographic content on social media sites

SOCIAL SKILLS

Haase

by Melody Haase

I love professional sports, and when draft season hits, my case load heavily shifts into vetting potential draft picks. During

this process, I get to examine the good, the bad, and the ugly. Many people assume I rely on keyword and sentiment analysis for these cases, but those techniques rarely yield

the results I am looking for. My heaviest workload in these cases is in photographic and video analysis.

There is currently a huge shift in communications, moving us from a verbal culture to a visual one, and it has greatly impacted social media data. There is a treasure trove

of information embedded in photographs and videos. However, there is typically not searchable text which fully describes the content, and modern technology does not automate visual analysis. This places manual content analysis squarely upon the shoulders of the researcher. The process I use to conduct this research is broken down into three easy steps.

Defining what to look forWhat you look for is completely based upon the objectives of your research. That can be anything from understanding product usage to conducting social network analysis to identifying illicit materials. Referencing these objectives helps you frame the content. Now you know to focus on captions, faces and identifying markers, specific objects, cultural symbols, or other items.

Knowing where to lookTo do this research effectively, you need to profile. Based upon demographics, cultural norms, industry standards, and geographic location, people tend to gravitate towards different social media platforms. For instance, youth living in urban areas tend to use mobile-based applications such as Twitter, Instagram, and Snapchat. If you are doing broad-scale research, useful large photo repositories may include Facebook, Flickr, Google Images, Instagram, Photobucket, and Twitter.

Collecting the dataHow you collect data is dependent upon how it will be used. If photos are collected for intelligence purposes, screenshots and written notes should suffice. On the other hand, collecting evidence requires a more technical approach. At a minimum, you need to extract photographic metadata, called exchangeable image file format (exif) data. This information includes items such as date and time, geographic, and device identifiers. However, some social media sites, including Facebook, remove exif data from posted content. Understanding these limitations is a necessity because you may ultimately have to go through a costly eDiscovery process.✵ Melody Haase ([email protected]) is a Research Analyst at CES in St. Augustine, FL. /in/melodyannhaase

@CESNB www.cesnb.com

Corporate Compliance & Ethics Week

We’re Listening

Companies across the world highlight the importance of compliance and ethics during Corporate Compliance & Ethics Week.

Join us! Celebrate Corporate Compliance & Ethics week in your organization and show your workforce how important compliance and ethics are to you. Promote your compliance program and work to build an ethical, speak-up culture.

Build on your regular training and increase awareness with a Corporate Compliance & Ethics Week celebration. HCCA has created tools and products to help organizations like yours advance your compliance and ethics goals.

Visit corporatecompliance.org/CandEWeek to download the free Train-the-Trainer kit, listen to a free webcast, sample products and posters to spread the word—and then join the hundreds of organizations celebrating Corporate Compliance & Ethics Week!

November 1–7, 2015Join organizations worldwide in championing workplace compliance and ethics

corporatecompliance.org/CandEWeek

scce-2015-ccew-1pgad.indd 1 11/6/14 3:23 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Villanueva

by Ralph Villanueva, CFE, CIA, CISA, CRMA

There was a time when compliance work was much simpler. All that the employee assigned to do compliance

work did was match a sample of the company’s practices, on say, hiring new employees, against applicable Department of Labor (DoL) standards on fairness and equal opportunity. He need not worry about the Electronic Data Processing (EDP), or Information Technology (as IT was known

back then) aspect of hiring, such as entering the new employee’s name in a database, encoding the agreed upon salary and benefits, etc. Back then, everything electronic was done in one location by the employees of the EDP department. IT access controls weren’t much of an issue, because only the EDP department had computers,

which were mainframes costing hundreds of thousands of dollars. Moreover, if incorrect data about the new employee was entered, it was easy to pinpoint the culprit.

The advent of distributed computing on cheap PCs (initially using private networks and nowadays using the Internet) has made IT

access controls more critical. Every employee in the company now has much more potential for mishandling company data, because everyone is connected to the company’s servers, databases, and the outside world. Hence, the electronic equivalent of a castle drawbridge is more vital than ever in ensuring that important company data, as contained within the electronic castle walls of a database server, is safe from accidental modification or deliberate mischief.

This has not escaped the eyes of regulators around the world, especially in the U.S. A quick review of recent major state and federal

Why IT access controls in Compliance matter

» Management and compliance officers should take note of the IT access control portion of regulatory requirements.

» Compliance officers should look into IT access controls on information that is subject to regulatory scrutiny.

» Adequate IT access controls should be implemented on employees who enter, alter, and/or delete data subject to compliance.

» Compliance officers should look into the organization’s level of data information security.

» The best way to ensure compliance with IT access controls is to ensure that everyone is educated on the basics of information security.

Every employee in the company now has much more

potential for mishandling company data, because

everyone is connected to the company’s servers, databases,

and the outside world.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

regulations governing business practices mention the importance of IT controls. For instance, the Nevada Gaming Control Board (NGCB) Minimum Internal Control Standards number 41 on Keno mentions that “Changes to the player tracking system parameters, such as point structures and employee access, must be performed by supervisory personnel independent of the Keno department.” The Health Information Portability and Accountability Act (HIPAA) Privacy Rule Summary states on page 10 of Access and Uses that “For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.” The Gramm-Leach-Bliley Act on banks and other financial businesses requires that financial institutions take steps to ensure the security and confidentiality of customers’ personal information such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.

The penalties for non-compliance with these regulations are very stiff. In a recent seminar on HIPAA regulations that this author attended, the speaker stated that a small medical-care facility in the U.S. was fined $20,000 for not complying with properly safeguarding patient information.

Controlling accessMoreover, the need for strong IT access controls is necessitated by the ceaseless wave of identity thefts primarily facilitated by illicit access to hosted electronic data. According to the 2014 Identity Fraud Report

by Javelin Strategy and Research, the number of identity fraud victims reached 13.1 million in 2013 at a cost of $18 billion, up from 12.6 million victims in the previous year. Hence, it is imperative that everyone in the company, but especially the compliance officers, be aware of how to

strengthen IT access controls. If their existing Information Use policies do not have one, then now is the time to formulate one.

Hence, knowledge of IT access controls should now be a requirement for every compliance officer. Contrary to popular notion, understanding all things IT is not as difficult as it seems. And IT access controls are no different from access control in a typical house. Using the house as an example, the door of a house could represent a physical access control or a logical access control. The physical access control, a door, physically keeps the bad guys out and your valued books on compliance safe. The logical access controls, which are locks on the door, ensure that only the owners or those with keys can open it. The peephole, which is an authentication control, enables you to see who is knocking before you open the door. The high fence around your house represents the high level of security in keeping

According to the 2014 Identity Fraud Report

by Javelin Strategy and Research, the number

of identity fraud victims reached 13.1 million in 2013

at a cost of $18 billion, up from 12.6 million victims in

the previous year.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

nosy neighbors from seeing what is going on in your backyard, and the same can be said of firewalls in keeping hackers from seeing what is inside your servers and databases.

As an internal and IT auditor who has audited everything from consumer distribution to healthcare delivery to casino operations, I observed that asking the following IT access control questions can help any auditor or compliance officer protect his/her company from potential financial losses or reputational damage.

Who has access to sensitive company data and why?Certain company information should be kept confidential for obvious reasons. You don’t want vital financial information, such as projected sales from new products, to end up in the hands of the inventory control manager, whose husband is an upstart business development officer in a competing company. Or you don’t want a “favored” employee’s salary information to be the cause of so much jealousy and animosity among her co-workers. Hence, IT access control should not only be about unique user names and passwords, but should also be about role-based access and according to each role’s place in the corporate hierarchy. An inventory control manager should have access to monthly inventory reports in the Inventory Control folder in the file server, but never to the Financial department folder, where profit and loss,

balance sheet, cash flow, and sales projections are stored. If this provision is missing in the company’s policy on information use, then the compliance officer should insist that it be included.

Who grants access to company data and computer system?In computer parlance, this is called “user provisioning.” Who can grant access to

files and systems to computer users within the company? It should be someone who is not a member of the same department. The employees of the Human Resources department cannot create their own user account in the payroll system. Ideally, the IT department employees should do this, and only

with the approval of the Human Resources and Payroll department managers. Likewise, only the IT department employees should disable or delete a user account. Otherwise, someone can maliciously alter computer files and delete his account to erase any trace of his existence. Though activity logs can eventually “out” this nefarious employee, it is always best to practice the adage “An ounce of prevention is worth a pound of cure.”

Are IT resources protected?This goes beyond our earlier analogy of the house. The compliance officer should be familiar with certain aspects of basic

You don’t want vital financial information, such as projected sales from new products, to end up in the hands of the inventory control

manager, whose husband is an upstart business

development officer in a competing company.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

information security. Just like a military checkpoint between the civilian population of a city and the jungle hideout of murderous rebels, internal company information should always be guarded by an electronic version of this checkpoint. For instance, a payroll database containing employee bank information should not be connected directly to the Internet, but should first be connected to a firewall and an anti-malware appliance, which screens incoming electronic traffic from the Internet for malware or malicious programs. A quick interview of the company’s IT officer should do the trick in answering this question. The answer to this question is also important in case the compliance officer has to write a report about a data breach—and who to blame in his report.

Are company employees educated in IT access controls?This author’s company integrated it’s Information Use policy in its new employee hiring packet. Each new employee has to read and sign a document which states that company computer resources and information can be used only for doing his/her job. Moreover, going to unauthorized and illicit websites will be sufficient reason for termination. After all, information security is everyone’s job, and if everyone does this job well, then the compliance officer’s job will be easier.

Is violation of company Information Use policy part of the company’s whistleblower program?More often than not, the conventional transgressions against the company, such as theft or vandalism, are the ones that get reported through an employee fraud hotline. However, since information is just as

important as cash in the bank, the compliance officer should ensure that information-related infractions should also be reportable via the hotline. In this author’s industry, even seemingly mundane data, such as gigabytes of player card information, can enable fraud or give

a competitor undue advantage. Hence, it is important that the compliance officer be an advocate of information security through anonymous reporting of its misuse.

SummaryIndeed, IT is not as difficult as it seems. And if the compliance officer keeps an open mind and continuously learns from his peers and the IT people in the organization, he/she will be a better guardian of his company and be an expert in IT access control as well. ✵

Ralph Villanueva ([email protected]) is IT Security and Compliance Analyst at The Westgate Las Vegas Casino and Resort.

Just like a military checkpoint between the

civilian population of a city and the jungle hideout of

murderous rebels, internal company information

should always be guarded by an electronic version of

this checkpoint.



Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Fairness in your compliance program

Fox

by Thomas R. Fox

In the business world there is rarely talk about fairness. Such concepts are seen as antithetical to profit making. However,

in the compliance world, fairness is a key component of any successful best practices regime. Why? It is because procedural fairness

is one of the things that will bring credibility to your employee base so that they will believe in your compliance program. Procedural fairness has been dubbed the “Fair Process Doctrine,” and this “Doctrine” generally recognizes that there are fair procedures, not arbitrary ones,

in processes involving rights. Considerable academic and business research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when processes and procedures that are perceived as fair arrive at such outcomes. By adhering to the Fair Process Doctrine in your compliance program, you can obtain credibility with the rest of the workforce.

In a compliance program, there are several areas where the Doctrine has direct bearing. In the area of internal investigations, it is incumbent that your investigations be perceived as fair. This may mean you need to bring in outside counsel who do not regularly perform legal work for your company and are skilled at corporate internal investigations. Further, the people being investigated and those regulators who review the results must have confidence that the law firm who performed the work is truly independent from management.

A second area is a company’s treatment of whistleblowers. Not only does the whistleblower need to have confidence that any information be treated confidentially and there will be no retaliation, but they also need to feel confident that a serious response will be made by the company. In addition to the company hiring outside counsel, the whistleblower should be periodically updated about what is being done about the report. A whistleblower should be appraised when an investigation is concluded. If you fail to do so, your cooperative internal whistleblower may well go to the Securities and Exchange Commission (SEC) under Dodd-Frank.

Finally, there is the area of discipline. Put simply if you fire employees in South America for conduct which violates your Code of Conduct, you have to give the same treatment to your big sales leaders in the U.S. Nothing hurts the credibility of a compliance program or officer worse than meting out unequal discipline for similar offenses.

So think about the importance of fairness in your compliance program. ✵

Thomas R. Fox ([email protected]) is Principle for Tom Fox Law in Houston.

www.tfoxlaw.com @tfoxlaw tfoxlaw.wordpress.com

COMPLIANCE, LIFE, AND EVERYTHING ELSE

In a compliance program, there are several areas

where the Doctrine has direct bearing.

For 27 years, ethics and compliance experts have gathered to share ideas

in the pages of Ethikos.

Here’s your chance to see why.

Now available from SCCE. Visit www.corporatecompliance.org/EthikosBook,

or call +1 952 933 4977 or 888 277 4977

ethikos-book-1pgad.indd 1 8/8/14 9:59 AM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

A fter a 21-year military career, primarily in intelligence, counter-insurgency, and Latin-American

regional affairs, my family and I decided it was time for a change. As any veteran would attest, one of the hardest parts of a

military-to-civilian transition is translating your skills and experience. Some skills like law enforcement, medical, and logistics are pretty straightforward and an easy “kill” (like we would say in the military when something is a “slam-dunk”). Other skills like intelligence, missile launch operations, and M1A1

Abrams tank driver are a little more difficult. Undeterred, because that word doesn’t exist in the military lexicon, I sat down and took a good look at some of the additional duties I was “voluntold” for in the military and became excited at the possibilities. I should point out that “additional duties as assigned” is the military’s way of saying, “Yeah, we know you signed up to be an astronaut, but we need you to be a band leader for a couple of years.” No joke, the Air Force has a band

leader and a pretty good band too! My point is, additional duties or career broadening opportunities aren’t always a bad thing, because they often lead to additional skills and experience that are pretty desirable in the civilian workplace.

My first career broadening opportunity was on a major command’s Inspector General (IG) team where I led all operational intelligence inspections for the Air Force. My team inspected over 70 intelligence units world-wide for compliance (there’s the key word) with Air Force instructions, Department of Defense directives, and U.S. public law. In

Compliance and ethics? I can do that!

» Military veterans need to think about everything they did in the military to include additional duties when building their resume and targeting job opportunities.

» Compliance and Ethics is a great field of work for transitioning military veterans.

» The Basic Compliance and Ethics Academy is a quick and easy way to get certified.

» CCEP certification conveys expertise and commitment to the field and mitigates employer risk.

» A passion for compliance and ethics guarantees you will always have a place in this profession.

by Carlos Vecino

Vecino

My first career broadening opportunity was on a major

command’s Inspector General (IG) team where I led all operational intelligence

inspections for the Air Force.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

essence, the Air Force IG program ensures compliance by monitoring and auditing to detect anything that could lead to loss of life or mission failure. Hmm, “monitoring and auditing” sounds a lot like Chapter Eight of the Federal Sentencing Guidelines. Another “opportunity to excel” presented to me as an “offer you can’t refuse” was serving as an Executive Officer to a two-star general officer. The “Exec” is, among other things, the commander’s eyes and ears, and they help protect their boss from the many hazards senior leaders can inadvertently find themselves in. Conflicts of interest, gifts and entertainment, and other ethical challenges (there’s another key word) were a part of my daily responsibilities. With the help of the staff judge advocate (General Counsel) we “guarded the general’s six” or, in other words, protected him from ethical hot spots. I also had the opportunity to see first-hand how our organization promoted and enforced our compliance and ethics program through appropriate incentives and disciplinary measures. Sound familiar?

The other career broadening opportunity I was honored to have been chosen for was command. Command is undoubtedly any military officer’s greatest privilege, but the trick with command is that you are first chosen and only later told what and where you will command. I ended up commanding a training and education squadron where I became very familiar with conducting effective training programs. Where have we heard those words before?

Finally, I was appointed to serve as an Investigative Officer for Commander Directed Investigations (CDI) several times. A CDI is the Air Force’s version of a workplace investigation. A reporter alleges a violation of policy, and the commander appoints an independent and impartial officer to investigate. And as with all things military, if you do a pretty decent job, you all of a sudden become the “CDI guy.” I found myself investigating several complex allegations at

several Air Force bases around the world and finding that I enjoyed talking to people, uncovering the facts, and providing commanders decision-making information. I’m not sure I would have ever known how much I enjoyed the

investigative process had the Air Force not given me yet another “opportunity to excel.”

So when I found a civilian job posting looking for someone with experience and skills in: (1) providing professional advice and support to management and leadership on ethics-related matters; (2) investigations and fact-gathering activities; (3) providing subject-matter-expertise for complex ethical issues, including conflicts of interests; and (4) creating and delivering effective training, I knew I had to look into this opportunity a little closer. As I was doing my research into this Compliance and Ethics field I knew little about, I ran across the SCCE website, read up on the Certified Compliance and Ethics Professional (CCEP) certification process, and knew early on that I needed to get certified as soon as possible. I was fortunate to have been hired by USAA without my certification, but

In essence, the Air Force IG program ensures

compliance by monitoring and auditing to detect anything that could lead to loss of life or

mission failure.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

certification became a key goal of mine and of my supportive manager. USAA’s mission is to facilitate the financial security of its members and to be the provider of choice for the military community. To fulfill our mission, USAA is committed to going above for those who have gone beyond, and nearly one in four USAA employees is actively serving, has served in the military, or is a military spouse.

USAA supported my goal and 367 days after being hired, I was sitting for the CCEP exam after having completed the Basic Compliance and Ethics Academy in New York. I could have sat for the test without going to the Academy, but the convenience of receiving your required Continuing Education Units (CEUs) and testing with a cranium (the military’s preferred term for your brain) full of recent knowledge definitely helped. I knew that certification conveys credibility, but more importantly, the letters “CCEP” demonstrate a

commitment to excellence and helps mitigate employer risk when a compliance and ethics professional’s qualifications are questioned. In fact, I’m advising my military friends to look into certification before they leave the military, because I can’t think of a better way to show a prospective employer you’re serious about compliance and ethics than to be CCEP certified.

My journey from the military to the corporate world was similar to many veterans before me, but I was fortunate to have found my calling. A mentor of mine once told me that you can be fired from a job or even a career, but you could never be fired from what you are passionate about. Compliance and ethics is a passion for me, and having the letters “CCEP” following my name gives me the credibility to live out that passion. ✵ Carlos Vecino ([email protected]) is Senior Ethics Program Advisor for USAA in San Antonio, TX.

Compliance and ethics programs have a clear goal: to prevent, detect, and respond to misconduct. Accomplishing that goal takes concerted effort through all levels of an organization.

Compliance 101 provides the basic information you need to build and maintain an effective compliance and ethics program in your organization.

ComplianCe and ethiCsExplainEd

www.corporatecompliance.org/Compliance101


Want to engage with your employees for more effective ethics training?It’s time to try Compliance Is Just the BeginningNo doubt you want to train your employees to make better ethical decisions at work. Compliance is essential, but it’s not enough.

Compliance Is Just the Beginning, a 2-part video training program, presents an easy-to-learn approach that will help employees at all levels make better ethical decisions.

• Program One, “3 Steps to Ethical Decisions” (24 minutes), introduces the three steps to take when faced with a tough ethical choice: 1) The Compliance Test; 2) The Ripple Effect; and 3) The Gut Check.

• Program Two, “Ethical Situations to Consider” (32 minutes), presents us with eight dramatized scenarios. By discussing these situations and applying the three steps process in each case, employees gain valuable practice and reinforcement.

Produced by Quality Media Resources (QMR), these award-winning programs come with a comprehensive facilitation package with course outlines, training activities, reproducible handouts, and optional PowerPoint slides. To view a free, full-length preview of the program, visit www.corporatecompliance.org/QMRvideopreviews. For more information and to order, visit www.corporatecompliance.org/products.

http://www.corporatecompliance.org/QMRvideopreviews

http://www.corporatecompliance.org/products


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

W hat can ethics and compliance professionals learn from psychology? As it turns out, quite

a lot. An emerging set of research in the field of psychology is providing insight on human behavior and how it can be and is influenced

by certain specific communication techniques and tools.

Such work has long been leveraged by product marketers and salespeople around the world in order to attempt to influence purchasing behavior, but these same lessons, techniques, and tools should be considered and applied in our efforts to influence the right

behavior of employees in our organizations.Below are 10 specific things you

should incorporate into your ethics and compliance program to further influence the right behaviors.1. Always get someone else to introduce

you. Research studies by Jeffrey Pfeffer and colleagues demonstrate that when a third party speaks for you, your ratings increase on nearly every scale, including likeability,

even when the person is paid to provide the introduction. Is it any wonder companies continue to hire paid spokespeople to endorse their products?

2. Use handwritten sticky notes when you want to increase a response. Add a handwritten “thank you” for even better results. Studies by Randy Garner show that the addition of a handwritten sticky note requesting survey completion can result in a significant increase in the response rate to the survey compared to surveys without a note, or surveys where the note was written directly on the cover letter. When a handwritten “thank you” was added,

Ten psychology lessons for the ethics and compliance professional

» Use handwritten sticky notes when you want to increase a response.

» Use “because” in every communication.

» Make communications easy.

» Get an active public commitment by those you want to engage.

» Use numbers to demonstrate the norm of behavior.

by Virginia MacSuibhne, JD, CCEP

MacSuibhne

Use handwritten sticky notes when you want to

increase a response. Add a handwritten “thank you”

for even better results.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

the response rate to the survey increased even further.

3. Use “because” in every communication. Use of the word “because” increases the chances someone will cooperate. Accompany requests with a strong rationale (even when the reason might be clear). Research by Ellen Langer and colleagues used a line at a copy machine and found that almost 100% of people agreed to a request to cut in line when they used the word “because,” whether they requested to go first because they were “in a rush” or because they had “to make copies.”

4. Make communications easy. Your communications should be easy to read (consider the font, color, and size of the message), and easy to say. Get rid of the “lawyer language.” “Hereinafter,” “recitations”, “whereas,” and any Latin phrase simply have no place in compliance messages – save these for the court briefs.

5. When in doubt, rhyme it out. Rhyming phrases allow information to be more easily processed and recalled, and, as McGlone and Tofighbakhsh showed in their research, even judged as more accurate. While I could not find any words that rhyme with ethics, consider something as simple as “compliance not defiance” in your messaging.

6. Place memory aids and messaging at the place where the action in question is most likely to occur. Placement is a key consideration to drive increased compliance. For example, if you are messaging your hotline number, place the messaging on or near phones. When messaging about activities completed on computers, consider adding messaging directly into the program, such as on the expense report webpages. When messaging about hand washing, place the

messages in the bathroom stalls and/or above the sinks.

7. Consider compliance posters that have pictures of mirrors or eyes on them. Arthur Beaman’s Halloween research, Carl Kallgren’s television research, and Melissa Bateson’s eye image research all indicate that mirrors, reflections, and actual eyes or pictures of them can influence people to behave in a more socially acceptable way. Consider even the benefits of an open work space in compliance.

8. Get an active public commitment by those you want to engage. Robert Cialdini, Delia Cioffi, Randy Garner, and many other researches have demonstrated that commitments made active and public (instead of passive and/or private) are more likely to be upheld. When conducting live training, work to ensure you get an active public commitment from those participating that they will follow the rules. Consider having them raise their right hand and pledge their commitment or as they sign the training sheet, thank them for their commitment to compliance. Consider asking participants to sign your compliance posters in demonstration of their commitment.

9. Use numbers to demonstrate the norm of behavior. Noah Goldstein and his research partners used hotels to test what would influence people most in reuse of their towels. What they found was that guests, who learned that most other guests had reused their towels, were more likely to engage in the same behavior than when just presented with an environmental appeal. Guests who were told most people in their room engaged in towel reuse had an even greater likelihood of reusing their towels. Consider messaging to employees around the fact that most employees at


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

the company had already completed their required training or that most completed their expense reports within 15 days of the charges. Science suggests this type of messaging can influence the same behavior of others.

10. Offer smiles for positive actions. Whether you smile when you directly and personally recognize compliant behavior or you provide a smiley face on a document that shows the completion of an activity in the time and the manner expected (such as mandatory training), a smile can have a positive effect. A household energy consumption study by Wesley Schultz and Robert Cialdini and colleagues and a customer satisfaction study by Alicia Grandey and others demonstrate the power of a smile (real or pictures). Where can you reward positive behaviors by employees with a smile?

In a profession where resources are often particularly constrained, these lessons from psychology offer ethics and compliance professionals valuable insights that, when leveraged properly, can influence ethical and compliant behavior with little or no additional investment other than our creativity and a few simple changes in the manner in which we are communicating about our programs. Try making these easy adjustments to your ethics and compliance program communications today to increase your effectiveness and response rates without increasing your budget. ✵ Much of the material in this article was derived from the book Yes! 50 Secrets from the Science of Persuasion by N. Goldstein, S. Martin, and R. Cialdini and was presented at the SCCE Annual Compliance & Ethics

Institute in Chicago in September 2014. Virginia MacSuibhne ([email protected]) is Chief Compliance Officer at Roche in Pleasanton, CA.

Upcoming SCCE Web Conferences12.2.2014 | Engaging Your Board: Best Practices for Effectively Communicating Information and Data• Eric O. Morehead, Vice President and

Senior Compliance Counsel, NYSE Governance Services

12.8.2014 | 2014 Compliance & Ethics Institute Rebroadcast Event• Karen M. Aavik, Assistant General Counsel,

First Niagara Financial Group• Kirsten E. Liston, Associate Vice President,

SAI Global• Michael Levin, Senior Director of Compliance:

Ethics & Business Practices, Freddie Mac• Rebecca Walker, Partner, Kaplan & Walker LLP• Virginia MacSuibhne, Chief Compliance Officer,

Roche

1.12.2015 | How Legal, Audit & Compliance Work Together in an Effective Risk Management Environment• JESSICA KURZBAN, Counsel, Wilmerhale

1.13.2015 | Developing an Effective Audit and Compliance Committee• Sean McKenna, Partner, Hayne and Boone, LLP• Bret S. Bissey, Senior Vice President,

Compliance Services, MediTract

1.21.2015 | Importing goods into Brazil: boosting anti-corruption compliance for challenges of a high-risk activity• Alexandre Lira De Oliveira, Managing Partner

of Lira & Associates Law Firm

Learn more and register at www.corporatecompliance.org/webconferences


Establish a career where you can

An authoritative, step-by-step guide to entering one of the fastest growing fields in the business world

MAKE A DIFFERENCE

www.corporatecompliance.org • +1 952 933 4977 or 888 277 4977

“This book is an immensely valuable contribution to the field. It will not only help guide a new generation of compliance and ethics officers through the many professional challenges that await them, but will also provide considerable useful insight and know-how to their experienced counterparts.”

— Jeffrey M. KaplanPartner, Kaplan & Walker LLP,

a compliance law firm; former program

director of the Conference Board’s

Business Ethics Conference

BuildingCareer_fullpage.indd 1 2/15/13 4:51 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

In two months, we will likely hear about another record level of spending for advertisers during one of the largest

sporting events in the United States—the Super Bowl. In 2013, the average spending on a 30-second ad spot was close to $4 million1

and several major companies used the event to broadcast their messages to a massive television audience (at least, before the game got out of hand and sent many a viewer to an early exit). The dollar amount spent on such short bursts of communication may boggle the mind, but the exercise of creating a targeted, memorable, and

effective message that ultimately supports a company’s brand is a concept worth imitating in the compliance space.

Legal and compliance professionals may initially wince at the idea of having a brand

for their compliance program; after all—isn’t branding the domain of those more creative-minded folks in the Marketing department? Although the concept may seem foreign to us, there are a number of reasons for employing a marketing campaign approach to your program’s communication efforts:

· The average employee already receives an average of over 100 emails per day,2 forcing them to “triage” messages into what they

Taking a cue from Madison Avenue: Branding your compliance program

» Competition for the attention of your employees continues to increase, making it harder for compliance messages to stand out from the clutter of other communications.

» A brand is a promise between you and your employees – defining what your employees can expect of you and how your compliance message is different from the other messages competing for our employee’s attention.

» Creating a brand for your program starts by answering some simple questions about how your program supports the organization, what your employees think about compliance, and what you want them to think about compliance.

» Once a brand and strategy is created, it is equally important to spend time and effort on deploying and maintaining your brand, so it can have a lasting impact, as opposed to being a flash in the pan.

» Having a recognizable brand and marketing strategy for your compliance program will make it easier to connect with your audience and demonstrate the value you bring to the organization.

by Christopher Annand

Annand

Legal and compliance professionals may initially

wince at the idea of having a brand for their compliance program…

Establish a career where you can

An authoritative, step-by-step guide to entering one of the fastest growing fields in the business world

MAKE A DIFFERENCE

www.corporatecompliance.org • +1 952 933 4977 or 888 277 4977

“This book is an immensely valuable contribution to the field. It will not only help guide a new generation of compliance and ethics officers through the many professional challenges that await them, but will also provide considerable useful insight and know-how to their experienced counterparts.”

— Jeffrey M. KaplanPartner, Kaplan & Walker LLP,

a compliance law firm; former program

director of the Conference Board’s

Business Ethics Conference

BuildingCareer_fullpage.indd 1 2/15/13 4:51 PM


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

read now, what they read later, and what they don’t read at all. Having a strategy that makes your compliance message stand out and engage your audience can prevent it from being discarded.

· Marketing-style communications typically promote more positive messages that can move employees to seeing the benefits of being ethical and compliant, as opposed to always hearing about the consequences for not following policy or rules.

· Having a brand strategy for your compliance program can help you to become more coordinated in your messaging and communicate more often. If employees only hear from compliance at new hire orientation, annual certification, and when something goes wrong, your department may have a harder time being viewed as something other than the “police” or an adversary to the business.

· Perhaps most importantly, an active, highly visible compliance program provides more opportunities to demonstrate value; something critical for many Compliance departments that must justify their annual funding.

So if my own marketing has upped your interest in putting together a brand and campaign for your program, let’s explore how to do it.

Creating your brandIf you have never participated in anything close to a marketing campaign or don’t consider yourself a “creative” person, starting the process of developing your program’s brand may seem daunting, but it is really not that complicated. In its simplest definition, a brand is a promise between you and your customer, defining what your customer can expect of you and how you are different than other competitors.

In our compliance efforts, the brand promise is to our employees and how we, in our messaging, are different than the other messages competing for our employee’s attention. To help you start thinking about what your promise might be, consider these initial questions:

· What is your company’s mission statement? Showing ways that the Compliance department supports the company’s mission and goals provides a good foundation for building loyalty to your program.

· What are some benefits to being ethical and compliant? As mentioned earlier, sharing positive messaging with employees can strengthen the case for “wanting” to comply, instead of just “having” to comply.

· What do employees think about compliance, and what do you want them to think about compliance? This question can help you set some initial goals for your efforts and may give some ideas for initial messages to try, especially if you are trying to change a negative perception of Compliance’s interaction with the business.

Here’s an example of the above. If your company includes in its mission statement or values something about transparency, that’s a good item for Compliance to latch onto. Being transparent about how our company operates by sharing our mistakes as well as our successes can help our company grow stronger. Many employees desire transparency, because it provides them a sense of fairness and honesty between themselves and the company’s leaders. Therefore, a possible compliance brand promise can be transparency—pledging to share examples through case studies or other features to show employees how their company is supporting a culture of compliance.

As your brand promise begins to take shape, you will find that elements of the


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

promise can help to create other components of your overall campaign, such as a tagline to include in your regular communications, or images and themes that can be incorporated into communication templates (e.g., presentations, newsletters, websites, etc.). All of these physical materials will help to weave an overall look and feel to your program’s communications – not unlike the logos, color schemes, and slogans that make companies and their products instantly recognizable to consumers.

Deploying your brandHow you communicate your message is almost as important as what you are communicating. If one of our goals is having our messages stand out and promote engagement, we certainly don’t want to our hard work to get lost in the clutter by choosing the wrong delivery method. Here are some ideas that can help you meet that goal:

· Demographics: Employee audiences are often every bit as diverse as your company’s customers, so having a better understanding of who your employees are will be helpful in determining the best methods to reach them. Consider doing some focus groups to learn how your employees like to hear from the company.

· Tools: Try to make use of multiple tools in your communication strategy, as opposed to relying solely on one method. Think of the many messages you receive during your work day and how they are brought to you. What stands out, and what typically makes your eyes glaze over?

· Alternative methods: Although one of the easiest means of getting a message to a large group of people, we probably can all agree that email has become overused. Consider alternatives such as posters, table tents, a compliance space on your employee intranet site (or perhaps

your own compliance website) and town halls/compliance events; all can be used to reach your people in interesting and engaging ways.

· Allies and partners: Perhaps the best news about looking for ways to get your message out is that you don’t have to go it alone. You can find potential allies and partners in a number of different places, such as Human Resources, Corporate Affairs/Communications, and even senior management. Don’t pass up opportunities to receive help when you can get it.

At the end of the day, we all hope for the same thing that traditional advertisers do—having our customers provide the positive, word-of-mouth advertising that does the work for us and is free!

Maintaining your brandOnce you have built your brand and marketing strategy and then launched it to your audience, there’s one more important piece to the overall campaign, and that’s maintenance. We can’t afford to let all of our prior efforts become a flash in the pan and fizzle out; we need to keep our brand a finely-tuned machine, while being flexible to evolving along with our company.

Below are three important goals to keep in mind for maintaining your branding efforts:

· Be consistent: Making minor tweaks and changes to your strategy is to be expected, but regularly changing components of your brand every other month will confuse your employees and may call your brand promise into question.

· Don’t go overboard: If you start getting positive feedback on part of your marketing strategy, it can be tempting to expand and perhaps, overreach. Methods that were new and different on their introduction will quickly become stale if you start using them for everything else, not to mention the


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

possibility of putting unwanted pressure on your time and financial budget.

· Actively seek feedback: As your program’s brand matures, it is important to keep tabs on the effectiveness of your strategy to reach your audience. Informal polls, surveys, and focus groups can provide a good pulse with what is working, what is not, and some additional information to share with your governance committees when speaking on the overall health of your compliance program.

SummaryIn addition to the important rules and policies that Compliance needs employees to

understand and abide by, we have a wealth of tips, best practices, and experience to help them thrive in their roles and support our organization’s ethical culture. Having a recognizable brand and marketing strategy for your compliance program will make it easier to connect with your audience, demonstrate the value you bring to the organization and, who knows, maybe even have a little more fun in your own workday, all at a fraction of the cost for one of those Super Bowl commercials! ✵ 1. Rob Siltanen:“Yes, a Super Bowl Is Really is Worth $4 Million.” Forbes

Magazine, January 29, 2013. Available at http://bit.ly/forbes-4-million2. Radicati Group, Inc.: Email Market, 2013-2017. November 2013.

Available at http://bit.ly/radicati-email Christopher Annand ([email protected]) is Global Ethics & Compliance Program Director at Cargill Incorporated in Wayzata, MN.

Don’t forget to earn your CCB CEUs for this issueComplete the Compliance & Ethics Professional CEU quiz for the articles below from this issue:

· Taking compliance programs to the next level: Using business processes by Deena King (page 29)

· A unique environment: Compliance for government organizations by Gregory Gray (page 37)

· The mathematics of compliance by William L. Jennings (page 83)

To complete the quiz:Visit www.corporatecompliance.org/quiz, log in with your username and password, select a quiz, and answer the questions. The online quiz is self‑scoring and you will see your results immediately.

You may also fax or mail the completed quiz to CCB:

FAX: +1 952 988 0146

MAIL: Compliance Certification Board 6500 Barrie Road, Suite 250 Minneapolis, MN 55435, United States

Questions? Call CCB at +1 952 933 4977 or 888 277 4977

To receive 1.0 non‑live Compliance Certification Board (CCB) CEU for the quiz, at least three questions must be answered correctly. Only the first attempt at each quiz will be accepted. Compliance & Ethics Professional

quizzes are valid for 12 months, beginning on the first day of the month of issue. Quizzes received after the expiration date indicated on the quiz will not be accepted.



Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

A very unusual thing was happening in the construction division of a large movie theater chain: All of the movie

theater construction projects were going over budget. An analysis of the construction cost records revealed that the projects were on

target or under budget through 80% of the construction, but would invariably go over budget during the last 20% of the construction work. A deeper look at the construction costs revealed that there were numerous change orders and disputes with many of the subcontractors that were unresolved at the end of the construction. Yet all

of the subcontractor work appeared to have been necessary and performed properly. So, what went wrong? The construction planning, budgeting, and scheduling must have been inadequate. They all appeared to be proper and appropriate when reviewed carefully; it was only when the construction budget and cost data were time sequenced that the answer became clear. All of the theater projects were way over budget before the first 20% of the construction was completed. The applications for payment, at the beginning of the project, had been falsified.

As it turned out, the general manager and the construction manager had colluded with one another to set up fake subcontracting companies, which they owned, to invoice the theater company for work that was never performed. Their fake subcontractors would stop invoicing before the projects were one-fifth complete. Later, when the projects went over budget, the legitimate contractors were blamed. It took the theater company years to uncover this scheme. The corrupt actions of the two senior managers were used to explain why the scheme was not caught sooner. Had the construction division embraced mathematics in the overall design of its compliance program, this crime may have been prevented.

Mathematics is, among other things, the science of numbers and the relationships between them. It is a science because it tests theorems, when possible, using strict empirical methods. The result is that assertions can be made, with absolute confidence, about widely divergent sets of data and conditions. In this sense, mathematics also provides us with a language that we can use to communicate precise meanings about the data and relationships we are evaluating.

The mathematics of compliance

» The Fraud Function and how it can help you to explain unwanted behavior.

» Chebyshev’s Theorem and the predictive value of data analysis.

» Benford’s Law and why it is impossible to fake natural.

» How mathematics can transform your mountain of data into meaningful insight.

» Dashboards, a tool that will keep problems out of your rear view mirror.

by William L. Jennings, CPA, CFF, CFE

Jennings


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

The Fraud FunctionMy own experience over the past 30 years in investigating hundreds of incidents related to violations of corporate compliance policies, the majority of which were also criminal acts, has convinced me that anyone is capable of committing a crime. Those same experiences have convinced me that it is usually not possible to identify persons who are capable of committing compliance violations and/or white collar crimes by any outward characteristic. To be sure, persons who are observed to be clearly living beyond their means, engaged in addictive behaviors, in deep financial distress, or who are bent on vengeance against the organization they serve and its stakeholders, are more likely to commit these acts. However, in my experience, many of these persons resolve their issues in other ways (e.g., seek help, resign, commit suicide, etc.). Also, persons who do commit these acts do not always exhibit any outward characteristic that their colleagues are capable of observing. I tell clients that past history is the best predictor of future behavior and advise that they use that as the most important reason to encourage thorough background checks for all applicants. However, the Association of Certified Fraud Examiners (ACFE) notes in its Report to the Nations on Occupational Fraud and Abuse, 2014 Global Fraud Study, that the vast majority of the people who committed the violations had no prior criminal record.1

One thing has remained consistent across all of the investigations I have conducted: the relationship between fear and desire on the part of the perpetrators of the compliance violations and criminal acts. A desire can be anything that a person becomes obsessed with obtaining or doing, but which cannot be obtained or done with the person’s own resources or authorities, and cannot be shared with others who might otherwise provide

assistance, due to fear of punishment or ostracism. In my own work I have had three cases in which the desire turned out to be an unquenchable lust for antiques. In one case, the objects of the obsessive desire were antique sea trunks and quilts that turned out to be worth far less than the man paid for them. More common desires arise from gambling addiction, affairs, lifestyles of the rich or famous, and so on. In another case, the desire was simply the thrill of stealing. The one common thread is that these desires were all enormously important to the people who committed the crimes. So important, in fact, that they were willing to risk loss of freedom, family, and reputation to satisfy them.

Mathematics can be useful in explaining the behavior of the people who engage in violations of compliance policies and/or crimes. I call the mathematical function, which I developed to explain this behavior, the Fraud Function. It can be expressed as follows:

Desire > Fear = ActTerms:Desire: Obsession; Fear: Fear of getting caught; Act: Unethical, non-compliant and/or criminal act

The usefulness of this function in understanding these relationships becomes clear if we assign relative values to each term. So, suppose we assign the Desire (e.g., gambling debts arising from addictive gambling behavior) an initial value of 9 and we assign Fear an initial value of 10.

D (9) < Fear (10) ≠ Act

In that case the person does not act. But if the Desire, following a particularly bad weekend losing streak, rises to 20, then the person would act, for the first time, to cover his/her gambling debts.


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

D (20) > Fear (10) = Act

Once the person acts and is not caught, the Fear factor falls. In our example, we will lower the Fear factor to 5. This makes it easier to act the next time. In the case of gambling addiction, the person often returns to the tables and gets further into debt, raising the Desire. In our example we will raise it to 30.

D (30) > Fear (5) = Act

The person acts again. This cycle often repeats many times so that the thefts become quite large over time. The pattern of behavior, expressed in the Fraud Function, can be generalized across many different forms of unethical, non-compliant, and/or illegal behavior.

Chebyshev’s TheoremPavroty Chebyshev, a Russian mathematician, found the proportions of data in a population that fall within each standard deviation from the population mean. Chebyshev’s Theorem states that for any data set, the proportion of data which lies within k standard deviations of the mean is, at least, 1 – (1 / k squared).

Therefore, if k = 3, the proportion of data which we would expect to see, within three standard deviations of the mean, would be 1- (1/3 squared) = (at least) 89%.2 (See figure 1)

The theorem is true for the entire population and any statistically valid sample drawn from the population. The proportions of data, which fall within each standard deviation, become even more precise if the population data has a normal, bell-shaped distribution. This is called the Empirical Rule and predicts that more than 99% of the data should be found within three standard deviations of the mean.

This theorem is useful in understanding compliance and lack of compliance. It is used to control uniformity and quality in manufacturing processes. Incidentally, the mathematical symbol for each standard deviation is called “sigma.” Note that there are three standard deviations, or sigmas, to the right of the mean and three to the left; six sigmas in total. Chebyshev’s theorem is also quite useful in compliance applications. If you create or identify what you believe to be a population mean, then more than 89% of all observations should fall within three standard deviations of that mean in any type of population. If the population data is normally

distributed (i.e., bell shaped curve), then the expected proportion of data, within three standard deviations of the mean, rises to more than 99%. (See figure 2)

So, if you select a sample which is representative of the population and determine the sample mean, at least 89% of the data in the sample should fall within three standard deviations of that mean. If that is not the case; for example, if

3

Figure 1 – Chebyshev’s Theorem


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

you discover that 20% of your sample data is beyond three standard deviations from the mean, there is only one possible conclusion—whatever you believed about the essential attributes of your population is incorrect. There is an unexplained variance between your beliefs about the characteristics of the population and the reality of the population characteristics.

I used this technique in an internal investigation of a large public company. The investigation of the principal allegations, which gave rise to the internal investigation, had been completed. However, the company’s auditors wanted assurance that the company’s accounts did not contain other fraudulent entries. I proposed using Chebyshev’s Theorem to identify anomalies for further investigation. Note that I did not say that I proposed using Chebyshev’s Theorem to identify the fraudulent entries the auditors were concerned about; these techniques are useful in identifying compliance or lack of compliance. The causes of non-compliance must be investigated thoroughly in order to be correctly understood.

Benford’s LawIn the 1930s, prior to the advent of electronic calculators or personal computers, physicist Frank Benford observed that the pages of an overused logarithm table were worn in a curious manner. The pages containing logarithms of the numbers 1 and 2 were more stained and frayed than those containing logarithms for the numbers 8 and 9. Benford noted that the logarithm tables were used in virtually every

mathematic, engineering, and scientific analysis in which the subject of the analysis can be described using numbers.5 Benford went on to carefully research and test this hypothesis, over a number of years, using a wide variety of data sets. This research and testing led to what is known as Benford’s Law.

Benford’s Law is best demonstrated in large data sets. If smaller data sets fail to satisfy the rule, combining data sets often produces a new sequence that will more closely approximate the distribution of first digits predicted by Benford’s Law. Benford’s Law is satisfied when the probability of observing a first digit of d (i.e., for digits 1 – 9) is log base 10 (d+1/d). The expected distribution of first digits, predicted by Benford’s Law, describes what could be expected to occur in the natural world if human beings or mechanical systems did not intervene in the processes that gave rise to them. The distribution of proportions of first digits, which are predicted by Benford’s Law, follows:

1 = 30.0%2 = 17.6%

Figure 2 – Empirical Rule

4


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

3 = 12.5%4 = 9.7%5 = 7.9%6 = 6.7%7 = 5.8%8 = 5.1%

This predictive capability is useful in being able to detect first-digit distribution anomalies that may have been caused by artificial intervention.

I used this technique in fully investigating an accounts payable fraud perpetrated by the president of a division of a large public company. The fraud was so massive that the division was shut down, due to the size of its recurring losses. There were numerous fake vendors, set up by the division president, that had submitted invoices for payment. Many were identified by other investigative techniques, such as identifying vendors who shared a common address. However, it became clear that there were other fake vendors that could not be identified by these means. We were looking not for a needle in a haystack, but for a needle in a needle stack. How to identify the fake invoices among the tens of thousands of legitimate invoices? This was an impossible task for individual review. A more efficient technique had to be employed; enter Benford’s Law. The invoices received by the division often contained hundreds of line items. We loaded the vendor name, number of items purchased, and price per item for each item included in the invoices received by the division into a spreadsheet. We then had the spreadsheet multiply the number of items purchased by the dollar amount per item (i.e., we re-performed each extension on the odd chance that the extension had been falsified). Also, this was done to create a large data set from the mathematical combination of numbers from two distributions, which was more likely to satisfy Benford’s Law. Next we separated

the first digit in each result into a separate column. We then analyzed the proportions of the numbers 1 – 9 appearing as the first digit in our results. Note that we did not first sort by vendor. This exercise helped us identify vendor invoices that contained line items that did not satisfy Benford’s Law. The vendors who sent these invoices were then investigated. This investigation revealed another group of vendors that turned out to be fraudulent. Why? Because you can’t fake natural.

ConclusionOf course, the preceding examples demonstrate how mathematical techniques can be used to investigate illegal conduct after the crime has occurred; however, these same techniques and others can be deployed as an integral part of any compliance system to detect anomalies in real time.

The great thing about electronic data is that it is available, in real time, 24/7. All you need to do is to gather, organize, and analyze it to effectively answer your questions, then find a useful way to get the results in front of the right people. If you can identify data populations that could provide information related to critical compliance objectives and if you are able to continuously gather and organize that data, analyze it using mathematical tools, then display the results on dashboards for persons responsible for critical compliance functions, you would effectively be able to identify critical compliance problems before they get out of control. ✵ 1. The Association of Certified Fraud Examiners: Report to the Nations

on Occupational Fraud and Abuse: 2014 Global Fraud Study. p. 69. Available at http://bit.ly/report-to-nations

2. James R. Evans and David L. Olson: Statistics, Data Analysis, and Decision Modeling (Second Edition). Upper Saddle River, NJ: Pearson Education, Inc., 2003; p. 54.

3. UC Davis Stat Wiki: 2.5 The Empirical Rule and Chebyshev’s Theorem. Available at http://bit.ly/Chebyshev-27s

4. Ibid5. D. Larry Crumbley, Lester E. Heitger, G. Stevenson Smith: Forensic

and Investigative Accounting, CCH: Chicago, IL, 2007, pp. 9-17, 9-18. William L. Jennings ([email protected]) is Managing Director at Alvarez & Marsal Global Forensic and Dispute Services, LLC in Atlanta, GA.


Infographic of the Month

501 Ideas for Your

ComplIanCe and ethICs program

Lessons from 30 Years of Practice

Author Joe Murphy has compiled the most

effective ideas he and other compliance

professionals have tried. Topics covered in this

collection include:

• Identifying Compliance & Ethics Risks

• Establishing and Enforcing A Program

• Conducting Audits

• Benchmarking Against Industry Practices

• Preparing for Investigations

• Evaluating Effectiveness

• and Much More!

to order, vIsIt www.CorporateComplIanCe.org/books

or Call 888-277-4977


Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

They were words I will never forget. My colleague and I were down to our last witnesses in an extended international

investigation. We were seated around a small conference table, when into the room walked our next scheduled employee-witness,

carrying a folder of papers. He looked directly at us, smiled,

and said, “I’ve been waiting for you to call.” He then gave us all the information we needed to break the case. His folder held contemporaneous notes that spelled out the missing parts of the story, including a hotel lounge napkin with

handwritten notes of the scheme, as told to him by the target of the investigation. We now had what we needed.

But a question haunted me. Why had he been waiting for our call? He had violated no laws—he had not participated in the scheme—but he had not reported what he knew. His company had lawyers, a helpline, and a respected compliance officer. Our witness knew the conduct he had seen was wrong. Why didn’t he call?

Years of compliance program experience have answered this question for me: In any group of employees, only some will pick up the phone and call at the first sign of trouble. There may also be some who never cooperate and may even lie, but most employees are probably in between. They will not turn in their fellow employees, but they will not lie either. If you ask them the right questions, they will talk.

Who are these people? They are the ones who may open up in an investigation or focus group. They may talk to you during a break in training sessions. But for reasons that are important to them, they will not seek you out. During a training session, an employee may raise a concern about a boss’s suspicious retention of a foreign agent (raised with me after a training session). Another employee may feel she is being discriminated against in an all-male office (raised with me in response to an “anything else” question at the end of a compliance audit interview).

What does this tell us? Reporting systems like helplines certainly are useful in surfacing concerns, but we in Compliance and Ethics must also be out among the people who are running the business. In the end, we will always need to seek employees out on their own turf—because the next discussion you initiate could well begin with, “I’ve been waiting for you to call.” ✵ Joe Murphy ([email protected]) is a Senior Advisor at Compliance Strategists, SCCE’s Director of Public Policy, and Editor-in-Chief of Compliance & Ethics Professional magazine.

by Joe Murphy, CCEP, CCEP‑I

“I’ve been waiting for you to call”

THE LAST WORD

Murphy

He looked directly at us, smiled, and said, “I’ve been

waiting for you to call.” He then gave us all the

information we needed to break the case.

s



Com

pli

ance

& E

thic

s P

rofe

ssio

nal

D

ecem

ber 2

014

Extending the reach of your program: Compliance and ethics liaisonsRebecca Walker (page 21) » Compliance and ethics liaisons have helped many

organizations extend the reach of their C&E programs – both geographically and deeper into the business.

» Compliance and ethics liaisons help localize C&E programs.

» To create an effective compliance and ethics liaison network, the liaisons must have adequate time, resources, independence, and the authority necessary to fulfill their liaison responsibilities.

» Ideally, compliance and ethics liaisons will have readily‑available access to both the head of the relevant business unit and the CECO.

» Compliance and ethics liaisons should be given accountability for their performance of C&E responsibilities.

Taking compliance programs to the next level: Using business processesDeena King (page 29) » The seven elements of a compliance program create an

integrated business system.

» Applying process‑oriented principles to how we design and manage compliance programs has the potential to increase their effectiveness.

» Ranking the chronological order of the seven elements will help you devise a master compliance process.

» A strength or weakness in any step will similarly affect the steps that follow it.

» Implementing a master process based on the principles discussed above is largely a matter of planning and scheduling.

A unique environment: Compliance for government organizationsGregory Gray (page 37) » Governmental entities should set an example for those

they regulate and develop programs that will better safeguard taxpayer’s funds.

» The value of a compliance plan may be consistent regardless of the organization type, although clearly working in a governmental agency is very different from working in the private sector.

» As governmental administrations change, the whole overlay of senior management also changes. Short tenures impact enterprise compliance in a variety of ways, including employee morale and engagement.

» Governmental bodies have been less receptive to creating compliance functions, in part, because of the specific challenges that resonate with those working in government.

» There is a need for a group of government compliance professionals to look at areas where training might be prepared that would focus on compliance in a government setting.

Why outsourcing your political activity compliance makes senseScott Stetson (page 45) » Organizations are becoming increasingly involved in

political activity.

» Political activity compliance requirements are different in every jurisdiction.

» Most compliance professionals are unfamiliar with political activity compliance.

» Outsourcing political activity compliance provides peace of mind.

» Non‑compliance can cause serious financial, reputational, or administrative harm to an organization.

Organizations and leadership: How power and ethics interactFrank J. Navran (page 53) » Organizations succeed when individuals are willing

to subordinate their personal agendas to the greater agenda of the organization.

» Power is not a “dirty word.”

» Creating and sustaining an “ethical organizational culture” is a leadership issue.

» The key to an organization’s cultural success is “fit.”

» Ethical leadership does not require a new skill set. It is simply a “decision” you make.

Why IT access controls in Compliance matterRalph Villanueva (page 65) » Management and compliance officers should take

note of the IT access control portion of regulatory requirements.

» Compliance officers should look into IT access controls on information that is subject to regulatory scrutiny.

» Adequate IT access controls should be implemented on employees who enter, alter, and/or delete data subject to compliance.

» Compliance officers should look into the organization’s level of data information security.

» The best way to ensure compliance with IT access controls is to ensure that everyone is educated on the basics of information security.

Compliance and ethics? I can do that!Carlos Vecino (page 71) » Military veterans need to think about everything they

did in the military to include additional duties when building their resume and targeting job opportunities.

» Compliance and Ethics is a great field of work for transitioning military veterans.

» The Basic Compliance and Ethics Academy is a quick and easy way to get certified.

» CCEP certification conveys expertise and commitment to the field and mitigates employer risk.

» A passion for compliance and ethics guarantees you will always have a place in this profession.

Ten psychology lessons for the ethics and compliance professionalVirginia MacSuibhne (page 75) » Use handwritten sticky notes when you want to

increase a response.

» Use “because” in every communication.

» Make communications easy.

» Get an active public commitment by those you want to engage.

» Use numbers to demonstrate the norm of behavior.

Taking a cue from Madison Avenue: Branding your compliance programChristopher Annand (page 79) » Competition for the attention of your employees

continues to increase, making it harder for compliance messages to stand out from the clutter of other communications.

» A brand is a promise between you and your employees – defining what your employees can expect of you and how your compliance message is different from the other messages competing for our employee’s attention.

» Creating a brand for your program starts by answering some simple questions about how your program supports the organization, what your employees think about compliance, and what you want them to think about compliance.

» Once a brand and strategy is created, it is equally important to spend time and effort on deploying and maintaining your brand, so it can have a lasting impact, as opposed to being a flash in the pan.

» Having a recognizable brand and marketing strategy for your compliance program will make it easier to connect with your audience and demonstrate the value you bring to the organization.

The mathematics of complianceWilliam L. Jennings (page 83) » The Fraud Function and how it can help you to explain

unwanted behavior.

» Chebyshev’s Theorem and the predictive value of data analysis.

» Benford’s Law and why it is impossible to fake natural.

» How mathematics can transform your mountain of data into meaningful insight.

» Dashboards, a tool that will keep problems out of your rear view mirror.

Compliance & Ethics

ProfessionalDecember 2014TakeawaysTear out this page and keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.

s

Dates and locations are subject to change.

2014‑2015 Upcoming Events

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30

Sunday Monday Tuesday Wednesday Thursday Friday Saturday

January 2015

WEB CONFERENCE:

Developing an Effective Audit and Compliance Committee

WEB CONFERENCE:

Importing goods into Brazil: boosting anti-corruption compliance for challenges of a high-risk activity

SCCE OFFICE CLOSEDNew Years Day

SCCE OFFICE CLOSEDMartin Luther King Day

WEB CONFERENCE:

How Legal, Audit & Compliance Work Together in an Effective Risk Management Environment

1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 31

Sunday Monday Tuesday Wednesday Thursday Friday Saturday

December 2014

SCCE OFFICE CLOSEDChristmas Day

SCCE OFFICE CLOSEDChristmas Eve

International Basic Compliance & Ethics Academy®

Dubai, UAE CCEP-I Exam

Basic Compliance & Ethics Academy®

San Diego, CA CCEP Exam

WEB CONFERENCE:

Engaging Your Board: Best Practices for Effectively Communicating Information and Data

Southwest Regional ConferenceDallas, TX

WEB CONFERENCE:

2014 Compliance & Ethics Institute Rebroadcast Event

2014 EventsInternational Basic Compliance & Ethics AcademiesDecember 14–17 | Dubai, UAE

2015 EventsUtilities & Energy Compliance & Ethics ConferenceFebruary 22–25 | Houston, TX

European Compliance & Ethics InstituteMarch 29–April 1 | London, UK

Higher Education Compliance ConferenceMay 31–June 3 | Austin, TX

Compliance & Ethics InstituteOctober 4–7 | Las Vegas, NV

Audit & Compliance Committee ConferenceNovember 9–10 | Scottsdale, AZ

Regional Compliance & Ethics Conferences

February 13 | Phoenix, AZ

March 13 | Miami, FL

April 24 | Chicago, IL

May 1 | Washington DC

May 15 | New York, NY

June 19 | San Francisco, CA

June 25–26 | Anchorage, AK

October 23 | Minneapolis, MN

October 30 | Atlanta, GA

November 13 | Boston, MA

December 4 | Dallas, TX

Basic Compliance & Ethics AcademiesFebruary 9–12 | San Francisco, CAMarch 9–12 | Las Vegas, NVApril 27–30 | Orlando, FLJune 8–11 | Scottsdale, AZ August 10–13 | New York, NYSeptember 14–17 | Chicago, ILOctober 19–22 | Las Vegas, NVNovember 16–19 | Orlando, FL Nov 30–Dec 3 | San Diego, CA

International Basic Compliance & Ethics AcademiesApril 13–16 | Brussels, BelgiumMay 11–14 | Sydney, AustraliaJuly 13–16 | SingaporeAugust 24–27 | São Paulo, BrazilDecember 13–16 | Dubai, UAE

NEW

NEW

NEWLearn more about SCCE events at

www.corporatecompliance.org/events

complianceandethics.org

blog

SCCE has a

Why should you attend?• Hear directly from compliance and ethics

professionals from Europe and around the world

• Learn the latest, best, and emerging solutions for a wide range of compliance and ethics challenges, not just one or two

• See how other industries are solving many of the same challenges you face

• Build out your network of experienced compliance and ethics experts

• Get the continuing education units you need and take the Certifi ed Compliance & Ethics Professional–International (CCEP-I)™ exam

REGISTER NOW www.corporatecompliance.org/ecei

Questions: taci.tolzman @ corporatecompliance.org

European Compliance & Ethics Institute

“This organization is pure professional. The speaker, the topics, the facilitation, everything was fi rst class and fantastic. I learned so much this week and am going home with many new ideas and tools to implement within my Company’s Program. The vendors were a great addition and very much appreciated! Thank you for a fantastic and educational conference.”

― a 2014 attendee

Save the date

29 MARCH –1 APRIL 2015HILTON ON PARK LANE | LONDON, UK

scce-2015-european-cei-1pgad.indd 1 8/13/14 2:51 PM

compliance ethics professional...+1 952 933 4977 or 888 277 4977 3 compliance & ethics...

Documents