Compliance Perspectives

By Adam Turteltaub Auditing and monitoring of the compliance program is pretty standard these days.  Entain’s Karen Nightingale, Group Director of Ethics & Compliance and Jonathan Fox, Group Head of Ethics & Compliance Programmes, make the case in this podcast for going to the next level and actively testing your program. The two will also be addressing the topic at the 2025 SCCE European Compliance & Ethics Institute, which will take place in Lisbon, 10-12 March. Doing so, they suggest, can turn a reactive compliance program into a proactive one by actively searching for points of weakness, identifying red flags in advance and addressing them early. In practice, testing is more like an audit. It should be done periodically and provide an in-depth look at whether processes and controls are working as intended. By going deeper, it can uncover where there may be a weakness in what may appear to be a strong process as a whole. To determine what controls to test, there are several factors. First is recognizin

By Adam Turteltaub Note:  This podcast was recorded on December 17, 2024.  Any changes made after this date will be addressed at the Compliance Institute. At the 2025 HCCA Compliance Institute in Las Vegas, Adam Greene (LinkedIn), partner at Davis Wright Tremaine LLP will be leading the session “New Developments in Health information Privacy.” In this podcast he provides an overview of what he sees as notable privacy compliance challenges and what compliance teams need to be doing. Starting with the HIPAA Privacy Rule, reproductive information is the top of the list. There was a December 23, 2024 deadline for covered entities and business associates to have implemented a prohibition of using any personal health information (PHI) for the purposes of imposing liability or investigating reproductive health care that is lawful under state or federal law. That information, per the rule, should not even be provided to law enforcement or courts that seek to punish an individual for providing or facilitating tha

By Adam Turteltaub Well, it turns out that you can be in two places at once, if you are a surgeon. Even better, you can bill the government under the Medicare program for being at both of them. It’s not quite as strange as it sounds, explains Sara Brinkmann, Partner, and Lauren Gennett, Counsel, of King & Spalding, and, of course, there are rules. Overlapping surgeries occur when one attending surgeon is responsible for procedures that overlap in time. The attending may perform the critical part of the procedure in both, assuming they are not supposed to happen at the exact same time. Non-critical portions of the procedure, such as closing the patient, are left to a resident. There must also be a backup surgeon in case something goes awry. Payment for both surgeries is possible so long as there are the requisite safeguards in place and the various other CMS rules are followed. There may also be state requirements to be mindful of as well. If those rules aren’t followed, there is substantial risk. As they

By Adam Turteltaub On November 22, 2024, Principal Deputy Assistant Attorney General Nicole Argentieri recapped the changes made during the Biden Administration in enforcement policies and announced a few new ones. To better understand what this all means, we spoke with Daniel Kahn (LinkedIn) , partner at Davis Polk, and himself a veteran of the DOJ. There were a number of meaningful changes during the last few years, he noted. Most notably the voluntary disclosure program was significantly expanded, with companies with aggravating circumstances now able to still have the possibility of a declination. There is a catch, though, the bar for cooperation has been raised. The organization must have disclosed promptly, engaged in extraordinary cooperation and remediation and have had an effective compliance program at the time of the incident. A new change, just announced, is the addition of what we referred to in the podcast as “clawforwards” in addition to clawbacks.  Organizations are expected to not pay bonu

By Adam Turteltaub Once again it is time to sit down with Matt Kelly (LinkedIn), Editor and CEO at Radical Compliance and discuss what happened last year and where the compliance profession is going in the new one. In this podcast we looked back at 2024 and explored five key topics. Changes from the DOJ The DOJ recently issued a recap of its key activities over the last year or so, and Matt notes that a key change has been an increased willingness to give credit to companies that work with the Department of Justice.  In the past, the DOJ had only given full credit to companies that had self-disclosed, but now there is greater leniency for organizations who have demonstrated that they are willing to cooperate with the government and make serious remediation efforts. Lessons from Recent Dispositions Matt pointed to the TD Bank case and noted that, as he saw it, the company laid the seeds for its scandal by having a zero expense growth strategy  across its business.  That led to compliance spending shrinking

By Adam Turteltaub Retaliation is the bane of every compliance program, with the potential of destroying employee confidence in reporting systems, not to mention embarrassing and expensive lawsuits. It is also complex and can be subtle, explains Keith Read, a former chief ethics and compliance officer and author of the book The Unconventional Compliance Officer: Doing Things Differently. There is overt retaliation, such as firing an employee for blowing the whistle. But there is also softer, more subtle retaliation, such as not including the whistleblower in meetings or on projects. He advises compliance teams to be sensitive to all of the many forms of retaliation and to treat it  as a risk area. That means look at where and how retaliation can occur, and then take the time to determine if is occurring. Track how the careers of whistleblowers go and see if the trajectory has changed for the worse. Also, look to patterns in management.  He found that retaliation followed certain managers around the organiz

By Adam Turteltaub How do you know your compliance program is working, both for your peace of mind or if the government comes knocking? It’s a tough question, and many wonder either how to start measuring or if they’re measuring the right thing. Andrew McBride, Founder & Chief Executive Officer at Integrity Bridge, has a great deal of experience in this area from his time serving as Chief Compliance Officer at Albemarle. In the wake of an FCPA scandal, the company had to be able to demonstrate the strength and effectiveness of its efforts. In this podcast he advises you remember three key questions from the US Department of Justice’s compliance program evaluation criteria: Is the program well designed? Is it applied earnestly and in good faith? Is it working? At the same time, though, he cautions not to just seek simple metrics alone. It’s important to also track why you are measuring what you are measuring. Compliance teams need to take the time to build out the supporting narratives that explain why and

By Adam Turteltaub Oh, come on, we all know it: sometimes the business people get tired of all those compliance requirements. That’s okay and to be expected.  But, how do you know when it has progressed beyond the usual (and maybe healthy) resistance to full-blown exhaustion? Cecilia Fellouse, General Manager of Compliance for Good, warns that, ironically, when the business team stops pushing back, it can be a sign of compliance fatigue. They may just be going behind your back to get what they want. Another troubling sign to watch out for is systematic escalation. Instead of addressing issues to you, they’re taking the issue straight to higher-level management. So, what can cause compliance fatigue and these bad behaviors? She cites several factors and ways to avoid them. Saying “no” too often and being perceived as operating from an ivory tower. Constantly denying requests without providing constructive feedback can make the compliance team seem out of touch. Lack of engagement with frontline teams.

By Adam Turteltaub Do you ever ask yourself, “What kind of compliance officer am I?” Netherlands-based  Susan du Becker, Director, Risk & Compliance at Microsoft, thinks we all should. To her experience, there are two answers to that question. One is a regulatory compliance officer: someone who is focused on the requirements of regulators, potential fines and legal consequence. The other is a business compliance officer, who is focused on what the business needs and how to ensure it achieves its goals while staying within the multitude of white lines the laws and regulations have painted. She envisions herself as the latter, balancing business and regulatory requirements. She recognizes that the business unit will test the limits, and that she is there to make sure there are always two feet solidly on the ground. To keep the business team focused on their legal and regulatory obligations, she advocates for making it clear what lines absolutely may not be crossed, taking the time to meet with them regularl

By Adam Turteltaub Rob Tull (LinkedIn), Managing Director at Effective Compliance LLC wants every compliance officer to be both competent and able to demonstrate it. He advocates for the development of four sequential, underlying skills: Communication The ability to be aware of risks Adaptability, and Decision-making/judgement Underlying all of them is knowledge, and together they form a framework for effective compliance programs. The single most important competency area, he argues, is communication. The ability to translate complex laws and regulations into simple language that helps the business make good decisions is paramount. So, too, is the ability to tailor your message to the audience:  management and the board likely need to hear something different than line managers. Listen in to learn more about what makes for competency for compliance professionals. Listen now

By Adam Turteltaub Who are you talking to? When you think about all the employees in your organization, who do you see in your mind? You probably, and should, think of several people: the person in the plant, the R&D people, the sales team. They all have different needs, maybe even different cultures. Adam Balfour, Carsten Tams and Karen Moore (LinkedIn), each of whom is a veteran compliance professional, explain in this podcast why it’s so important to truly know who the people are in your organization and the risks they interact with. They explain that you have to take the time to get in their heads to understand what their needs are and how best to communicate with them. One technique they advocate for is developing personas: Create fictional, yet realistic descriptions of the types of people in your organization. That will help you better flesh out who they are, their goals and their skills. This process also helps you stand in their shoes and understand not what you want to say but how they are likely

By Adam Turteltaub It’s a complex world, we all know, and we all try to simplify it and our lives, at least from time to time. Nitish Upadhyaya, Director-Behavioral Insights at Ropes & Gray’s R&G Insights Lab and podcaster, wants compliance teams to appreciate complexity and, if not embrace it, at least understand how to work with it. For him this journey started many years ago with the recognition that disincentives don’t always work. He wanted to understand why. This led him to an understanding of complexity, which explores the connections between people and systems and how nonlinear and unpredictable things can be. Appreciating that knot of connections is important for compliance teams, he argues, since the nature of the job involves affecting individual behavior and culture. He outlines several principles that compliance teams should follow: Move away from the idea that you can map everything. Context matters. Understand the human dynamics and stories. The only real rule in a complex system is

By Adam Turteltaub The Health Care Compliance Association just published the 4th edition of the Research Compliance Professional’s Handbook, and to see what’s new in it we sat down with the editor, Kelly Willenberg (LinkedIn) of Kelly Willenberg & Associates. The Handbook, she explains is there to help both those who attend the HCCA Healthcare Research Compliance Academy and anyone looking for a desktop reference that addresses the fundamentals of research compliance. It addresses topics such as safety, privacy, monitoring, and biosecurity. For this edition each chapter was reviewed thoroughly with any and all necessary updates made, including to the chapter on FDA regulations. In addition, a new chapter was written to address AI. It defines what AI is and why compliance teams need to look at it from a risk management perspective. The chapter also addresses the integration of AI and how therapies are changing. One admonition that she provides for compliance teams is to watch Europe. As with privacy, Euro

By Adam Turteltaub It’s one thing if a company wants to protect its trade secrets. But, what if it wants to keep its dirty little secrets from getting out? Then, the SEC may want to step in. Stephen Cohen (LinkedIn), partner at Sidley Austin, and a former senior leader in the Enforcement Division at the SEC, explain in this podcast that, to understand the issue, we need to look back to the Dodd-Frank Act. The law led to the SEC whistleblower program and included anti-retaliation authority. The SEC believed it had implicit authority to punish efforts that impeded direct communication by whistleblowers with the Commission and its staff. Both the SEC and CFTC have created similar rules prohibiting organization and individuals from taking any action that inhibits someone communicating directly with the SEC about a possible securities law violation. The SEC has interpreted that to mean that language in non-disclosure and severance agreements, codes of conduct, policies and elsewhere that either require employe

By Adam Turteltaub Greg Walters is an attorney in the Cyber Risk and Governance Branch at the SEC. But in this podcast he’s not speaking as an enforcer but as someone who has seen a lot of compliance training during his career as a government attorney across numerous agencies. He warns that while an organization may boast of 100% completion rates for their training, that doesn’t mean 100% of the employees got the message. That’s especially true of online training, where, unlike live training, it’s hard to tell if people are truly following along and then adjust the learning. The goal, he argues, is not to just give knowledge but to affect behavior. So, to see what impact the training has had, look to changes in the number of types and questions you receive, as well as incidents that do or don’t occur. Also, take the time to understand your audience and make sure that the training is relevant to them and reflects the culture of the organization. Listen in to learn more tips for improving the effectiveness

By Adam Turteltaub There is an expectation in many, if not most people, that at some point they will, or should be, promoted. But how do you know if you are ready? And, once you are promoted, what does it take to succeed in your new role? To find the answers we spoke with compliance veteran, Debbie Hennelly, Founder & President of Resiliti. The first piece of advice she shares is that not everyone needs or wants to be a manager. For many it’s okay to say that they love being a subject matter expert and advisor, and they aren’t ready, or maybe never will be ready, to be something else. If you are looking to move up, how do you know you are ready? She reports that you don’t until you are actually in the job. That’s especially true for compliance people, since we who often don’t benefit from the leadership and management training that is given to other parts of the organization. Once in the role, let the team know that you value them. If there was someone else on it that you beat out for the role, acknowled

By Adam Turteltaub What if you had a compliance program and nobody noticed? It’s not likely. But what if you had a compliance program, and nobody understood what it did? That, sadly, is more than a bit of an ongoing problem. To take on that challenge we spoke with Carolina Santos de Silva, Head of Ethics & Compliance EMEA for Bridgestone EMEA and Pauline Blondet, Co-Owner and Chief Operating Officer of Upright Solutions. The two recently published the article “How to Sell Ethics and Compliance to your Organization” in the October issue of Ethikos. They persuasively argue in this podcast for compliance teams to think about their product, brand and having a robust message. Start with your product. Is it ethics, ethics and compliance, integrity? Think through which best defines what you are offering. Your brand is the image the compliance team communicates within the organization and what differentiates you from other departments. It needs to reflect the department’s message. From the brand will come a pit

By Adam Turteltaub With the explosion of sanctions regimes globally, and particularly in the US, most any company that exports just about anything now has to have a trade compliance effort. To understand what that entails we spoke with Julia Komarovskaya, Export Compliance Manager at MathWorks. It’s a complex challenge, she explains, with the Bureau of Industry and Security (BIS), International Traffic in Arms Regulations (ITAR), and Office of Foreign Assets Control (OFAC) all having a say, and often with overlapping jurisdictions. Organizations need to watch what goods they export, to where and to whom. Knowing your customer has never been more important. To navigate this minefield, she recommends first recognizing that the rules don’t apply only to goods. Services can be covered as well. Also recognize that exporting something as innocuous as a pencil could be prohibited, if sent to the wrong person. Developing an export control program right takes understanding what you are exporting now, working close

By Adam Turteltaub Reports are that there over 50 million people in the world living in modern slavery conditions, and, of those, 60% work in forced labor in the private economy. Ensuring that your organization isn’t sourcing from suppliers who victimize labor is both a moral and a legal obligation, with more and more jurisdictions enacting legislation in this area. Vera Belazelkoska, Managing Director at Ulula urges organizations to look to balancing this risk with a mixture of boots on the ground and technology. Both, she notes, have their virtues and limitations. While having someone visit a factory provides an eyewitness account, it’s expensive, and unscrupulous manufacturers may hide the truth from investigators. Technology solutions are less expensive, but they are not necessarily as precise as they could be, often providing country data, but not the granularity needed. Only with a prudent mixture of the two can an organization gain a better understanding of its supply chain and the presence, or abse

By Adam Turteltaub There are hundreds of Compliance Perspectives podcasts, and this is the first one that is a podcast about podcasts. More specifically, the podcasts created by the compliance team at John Deere. The compliance team there had long looked to a wide range of tools for reaching the workforce including a monthly email newsletter, channel on internal social media, an intranet site and even digital signs on TV screens at their facilities. Yet, despite all this effort, they knew they could do more. As Wendy Davies-Popelka, the Associate Director, Global Ethics & Compliance, explains, the compliance team was listening to and hooked on several podcasts, and it occurred to them that they should try and create one of their own. So, they did. The podcasts are generally 5-10 minutes long and are based on actual cases that occurred at the company. Investigators, business people and others are interviewed to tell the story, from initial allegation through dispensation. The series has been very successf