Compliance Perspectives

By Adam Turteltaub There isn’t one way to handle conflicts of interest. Much depends on the research the organization is doing, its history and other systems. Hilary Kitson, Research Compliance Business Partner at Saint Luke’s Health System, reports that typically the starting point is Title 42 PART 50 Subpart F in the Code of Federal Regulations. It lays out time points when disclosures are necessary: Annually When discovering or acquiring a new financial conflict of interest (COI) At the time of application for PHS-Funded research Disclosures aren’t enough, though. There needs to be investigators and a review committee who are competent to examine potential conflicts and are sensitive to the confidentiality of the information involved. And what if there is a conflict? She advises involving regulatory and other professionals who can help develop a management plan, if one is necessary. Listen in to learn more about the very complex issue of conflicts of interest in research.

By Adam Turteltaub Here’s a terrifying thing I just learned: the average ecommerce website has 66 third-party tags on the page. That’s according to our podcast guest, Rui Ribeiro, CEO of Jscrambler. The tags, pixels and scripts control everything from the video to payment processing to the consent wall to the chat function. And, guess what: they may all be collecting user data, and, quite possibly, more data than they should. So what’s a compliance officer to do, other than lose sleep over the issue? First, make sure there’s an inventory on all those tags, pixels and pieces of JavaScript running on your site and what data they are collecting. While you’re doing it, don’t just ask what’s being run at HQ. There may be regional variations. Next, spend time with all the departments that touch the site to see what they truly need and that data isn’t being accessed without good reason. Then change your thinking around GDPR. It’s not about just getting consent to collect data, it’s time to use it as a warning to

By Adam Turteltaub What have you done? What have you achieved? Have you forgotten? Did you succeed? What were your goals? Were they ever reached? What about your firewall? Was it ever breached? Jisha Dymond took inspiration from Dr. Seuss An annual tradition to give kids a boost. Take the time to note what you have done. It will be illuminating, and may even be fun. This is a podcast you truly must hear. It may change your outlook for many a year.  

By Adam Turteltaub In April 2024 the US Equal Employment Opportunity Commission released an update to the Enforcement Guidance on Harassment in the Workplace. This was the first update since 1999. Stephen Paskoff, the President and CEO of ELI, explains that the guidance now treats LGBTQIA+ harassment similar to other forms of harassment. The document now also addresses behavior outside of the workplace, making it clear that employers need to train and be more sensitive to behavior beyond the factory gates. Listen in to learn more about what is new in the EEOC Enforcement Guidance on Harassment in the Workplace.

By Adam Turteltaub Document retention is one of those persistent issues that comes with a great deal of complexity. As Michael Kearney (LinkedIn), Head Solution Architect, Redgrave Data explains in this podcast, organizations have to deal with a dizzying array of rules. HIPAA has one set of requirements, state laws for medical records another, financial documents have a third, employment records a fourth and on and on it goes. In addition, there are business needs for retaining and disposing of records. So, what’s a compliance team to do? He recommends working with the business unit and other affected teams to write policies that meet the needs of all involved and work out any conflicts internally or among the regulations. Work, too, with employees who may want to hold on to documents longer than policy dictates. You may find that what they want to keep is the data, not the document itself. And, if there is a litigation hold, be prepared to work quickly with legal, IT and others to ensure that the releva

By Adam Turteltaub Data analytics is a pretty darn big deal in compliance and ethics these days, with rising expectations for compliance programs to be able to demonstrate their effectiveness using hard data. The word “data” even appears a dozen times is the US Department of Justice Criminal Division’s Evaluation of Corporate Compliance Programs document. Walter Appleby, formerly VP, Compliance & Ethics at Georgia-Pacific and Rosie Williams, Director, Compliance & Ethics there will be addressing “Harnessing the Power of Data:  Unleashing Compliance Excellence” at the SCCE 23rd Annual Compliance & Ethics Institute, which will be held September 22-25 in Grapevine, TX. In this podcast they explain that better use of data carries a number of benefits including a stronger risk assessment and management program, better informed decision making, and more effective use of compliance resources. Data analytics begins with collecting together the data you have and determining its quality. As the old adage says: bad

By Adam Turteltaub Mobile devices are terrible if you need to retrieve information from them. Employees hate handing them over and there are a ton of apps in which data disappears automatically. All in all, it’s just a nightmare. But, the government still wants you to track what employees are saying, and you may have to produce that data. Matt Rasmussen (LinkedIn), CEO, and Ryan Frye (LinkedIn), Chief Innovation Officer of ModeOne want to discourage you from falling into despair over the prospect. Employee resistance can be overcome by taking a targeted approach and using electronic tools that only seek business-related data. Even before you get to that point, though, they recommend taking the time to train the workforce about what rights the company has to the data so this doesn’t come as an intrusive surprise. Listen in to learn more about how to make retrieving mobile device data a bit less painful.

By Adam Turteltaub “What else should the board be asking?” It’s a good question in general and the tile of a session at the SCCE Compliance & Ethics Institute, which will be held September 22-25, 2024 in Grapevine, TX. In this podcast, the leaders of that session, Deborah Spanic, Chief Ethics & Compliance Officer of Clarios, and David Gebler (LinkedIn), Principal of Leading with Ethics, share that there are three fundamental questions the board should be asking about the compliance program: Is the compliance program well designed and aligned with risk? Is the program being applied earnestly and in good faith with adequate resources? Does the compliance program work in practice? From there a host of other questions fall out including those focused on culture and on the connection between the compliance program and the enterprise’s overarching strategy. Making sure the board is asking the right questions, and getting the answers it needs, requires a strong relationship with the compliance team. In D

By Adam Turteltaub How do you get employees working remotely, who may have less of a connection to the company, to make the effort and take the risk of reporting potential wrongdoing? For Evie Wentink, it starts with recognizing the need to encourage a culture of reporting for these workers. It also includes recognizing that, even though they are remote, it doesn’t mean that they aren’t victims of or witnesses to a range of bad behaviors including harassment and bullying. Compliance teams should also recognize that remote workers lack many of the casual opportunities to discuss with peers what they are seeing and what to do about it. To help overcome these challenges, she recommends training and creating multiple reporting avenues. She also recommends training managers in active listening so that they know what do when an employee walks through the virtual door with a concern.

By Adam Turteltaub It’s not for nothing that there’s a year in the title of this blog post and podcast. Social media risks change frequently, explains Kortney Nordrum, VP, Regulatory Counsel & Chief Compliance Officer at Deluxe. She is the author of the chapter “Social Media Compliance” in The Complete Compliance and Ethics Manual and will be leading the session Social Media:  Old News and New Risks at the 23rd Annual Compliance & Ethics Institute. These days the range of those risks is substantial. TikTok poses a notable challenge, since it accesses most everything on the user’s phone, which means work email and files may be exposed. At the same time the FTC and NLRB have been very aggressive in their enforcement. The FTC has been scrutinizing endorsements – and a “like” may count as one – by employees of their employer’s products and services. Meantime, the NLRB has made it clear that it believes employees have wide, although not complete, latitude about what they say about their workplace online. And,

By Adam Turteltaub Everyone wants a mentor. Not everyone gets one, and not every mentor-mentee relationship works out. Sarah Couture, Principal at Couture Compliance wants to change that. She’s the author of the chapter, “Mentoring for Compliance Professionals” in the Complete Healthcare Compliance Manual. In this podcast, she offers advice for mentors and mentees both. Here’s a sample: Mentors and Mentees Level setting is essential for ensuring expectations are aligned Think about your objective, what frequency of meetings makes sense and for how long the relationship should last Be humble and transparent Mentees Look for someone you respect Don’t only look for people who know exactly what you do; be open to outside expertise Let your goals help drive your mentor selection Mentors Consider if you truly have the time Ask: “Can I provide what this person is looking for?” Only select mentees you respect and click with Ask if the mentee is curious, willing to learn and to grow Liste

By Adam Turteltaub Michelle Nichols (LinkedIn) from the compliance team at Farmer Mac definitely wins the prize for the most unexpected title for a session at the 2024 SCCE Compliance & Ethics Institute: “How Dating in My 50s Made Me a Better Compliance Officer.” As she explains in this podcast, the realization that people bring their past relationship experiences to potential new relationships shed light on a challenge compliance teams need to address starting with the onboarding process. While HR typically handles that process, laying out what the company’s policies and expectations are, that doesn’t fully address things. Simply stating that an employee gets x days of vacation may mean one thing to a person who came from a company where people took their vacations and another to someone coming from an organization where not taking vacation was a badge of honor. Likewise, the new employee may bring unwanted baggage with him or her when assessing their new employer’s culture and commitment to compliance.

By Adam Turteltaub As the risk of human trafficking and modern slavery rises on the radar, compliance teams need to start their risk assessment by looking at the map, says Sam Logan, CEO and founder of Evidencity. The number of jurisdictions with laws in this area are increasing. In addition, some countries have far greater risk than others, with long histories of exploitation. Remember, though, that there is no such thing as a safe geography. A janitorial service in the US was found to be using child labor, and an Italian luxury goods maker’s contractor is alleged to have subcontracted with a business using Chinese laborers illegally in Italy. The key lesson from these cases: look closely at your suppliers to better understand where and how they do business. Be sure to review them not just when beginning a relationship but on an ongoing basis. Take a risk-based approach, focusing your efforts where the likelihood of modern slavery and human trafficking is greater. Finally, don’t forget about your custom

By Adam Turteltaub The annual Navex Whistleblowing, Incident Management and Benchmarking Report provides valuable insights into what’s going on across the corporate compliance landscape. To get the highlights we spoke with Carrie Penman (LinkedIn), Chief Risk & Compliance Officer for Navex. The 2023 data showed that reporting reached an all-time high, with 1.57 reports for every 100 employees, up from 1.47 the previous year. Substantiation reached an 11 year high at 45%, which indicates that compliance teams are getting both more and better reports out of the workforce. Anonymity remained dominant, with 56% of reports arriving that way. Substantiation rates for anonymous reports held steady at 33%, which is lower than the 50% for reports given by an identified individual. Accounting-related incidents accounted for 4.3% of reports, a relatively small number. However, they were notable because they had the longest period between the observation of suspected wrongdoing and reporting. They also were the least

By Adam Turteltaub Risk assessment and management is at the core of compliance and front and center on the agenda at the SCCE 23rd Annual Compliance & Ethics Institute, which takes place September 22-25 in Grapevine, TX (and virtually, too).  Elizabeth Simon, Vice President of Compliance & Risk at Progress Residential will be contributing to the discussion with her session, “Enter at Your Own Risk: Optimizing Your Enterprise Risk Assessment”. In this podcast she provides a preview of her session and shares that compliance plays a unique role in enterprise risk management since it touches so many risk areas, from culture to operations to finance. This, in turn, requires that the compliance team become a part of the broader risk assessment process to know where the potential challenges are. It also requires that the compliance team bring its experience and solutions to the table and to the board to demonstrate it’s value to the enterprise and its risk assessment. Listen in to learn more, and then join us in

By Adam Turteltaub In some ways it’s still the Wild West when it comes to AI, with developments happening faster than most can fathom and the law can respond. At the same time, though, the sheriff has begun to arrive. Gwen Hassan (LinkedIn), Deputy Chief Compliance Officer at Unisys and Adjust Professor at Loyola University Chicago School of Law explains that the EU already has a law in place with a particular focus on ranking the risks of AI, including those that must not be taken, and an emphasis on the privacy implications. In the US, there is legislation proposed that would require clear notification when content is created using generative AI. It has yet to pass. Thus far the strongest direction in the US comes out of the White House, where President Biden issued the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.  The order urges ethical generative AI guidelines, sets key goals for what good uses of AI are and calls upon various departments of the

By Adam Turteltaub If you’re thinking about attending an HCCA Research Compliance Academy, take a few minutes to l to this podcast featuring Kelly Willenberg (LinkedIn), one of the faculty members and founder of Kelly Willenberg & Associates. Listen in as she explains: Who the Academy is for. Basically anyone working in or with oversight of research compliance The teaching structure. All of the faculty members have deep research compliance expertise.  They will teach both compliance infrastructure and many of the complexities of the numerous legal risk areas. The attendee experience. Small class sizes lead to opportunities to learn from your peers and build an extensive and deep network. She also gives an overview of the Certified in Healthcare Research Compliance (CHRC) exam. To read more about the exam and see the detailed content outline click here. So spend ten minutes listening to the podcast, and then plan on attending an HCCA Research Compliance Academy.

By Adam Turteltaub Corruption is a well-known risk in Latin America, but how great the risk is on a country-by-country basis is less well understood. To fill in those blanks and many more, the law firm Miller & Chevalier just released its 2024 Latin America Corruption Survey. The firm has been fielding this survey every four years since 2008, reports Matt Ellis, Latin America Practice Lead. It provides comprehensive, country-by-country data as well as, more granular information on the risks of dealing with various governmental entities. This year’s report, he shares on the podcast, had interesting news for the compliance community. It found that, although corruption remains a pervasive problem, corporate compliance programs, more so than enforcement, are perceived as being the key driver for change. The survey also revealed significant nuances in the anticorruption risk picture: Chile, Uruguay and Costa Rica are generally perceived as the lowest risk countries Venezuela, Bolivia, Honduras and Argenti

By Adam Turteltaub How do you tell someone something that they don’t want to hear in a way that they will listen? How do you overcome your own desire to avoid the conversation? To better understand why people hesitate to have difficult talks and how to communicate more effectively, especially when the conversation is going to be a tough one, we spoke with Jason Rosoff, CEO of Radical Candor (podcasts). People hesitate to speak candidly, he explains, for a number of reasons. For one, they may fear that the conversation will harm their relationship with the other person. They may also be nervous about facing a negative reaction, or even retaliation, for speaking out. To help challenging conversations go better, he advocates for radical candor, which he explains means challenging directly but also caring personally at the same time. Be clear about the problem, he advises, and what the potential negative consequences are. At the same time, though, show you care personally. That includes giving the other perso

By Adam Turteltaub ISO 27001 is the leading standard for information security management systems. As Mel Blackmore, CEO of UK-based Blackmores explains, it is a framework that applies and is of value regardless of an organization’s size, sector or country. Organizations seek ISO 27001 certification to ensure that their IT security reflects best practices. It also brings to organizations a systematic approach to work in this area. In addition, potential business partners will have greater confidence that your organization has robust data defenses. Most organizations have a head start when it comes to becoming ISO 27001 certified. Many existing IT security practices are likely to be consistent standards. To get the rest of the way to certification, she outlines several steps including: Determine where your organization is already compliant Conduct a gap analysis Performing a risk assessment Creating policies and procedures Listen in to learn more about meeting this important ISO standard and what i