By Doug Stupca
Social Media Coordinator at SCCE/HCCA

Take a look back at “Keeping Compliance Simple, Without Dumbing It Down” from the 2016 Compliance & Ethics Institute on our SlideShare page.  This presentation highlights:

• What the government practically expects of your training and communications
• Why you need to ake things simple without dumbing it down and how to do it
• How to check if your training and communications are working

Enjoy!

The 2017 Compliance & Ethics Institute will be held October 15 – 18 in Las Vegas, AZ. Register by June 19th to receive early bird savings. Details here.

Keeping Compliance Simple, Without Dumbing It Down - SlideShareClick To Tweet

By Adam Turteltaub
adam.turteltaub@corporatecompliance.org

The photo of the street sign is one I took while in Munich for a conference.  I would suppose that most everyone in Munich has long-since figured out that it means that bicycles and pedestrians can proceed.

I figured it out quickly, but a part of my brain thought, “I guess that means it’s okay to stand on your bike here.”

What the picture demonstrates is that we’re all used to certain shorthand ways of communicating.  For a Munich resident, the humor of the image is long since gone.  It just indicates whether you can go or not.  They don’t think twice about it, or at least any more than an American would think of a typical US-style walk/don’t walk sign.

But for a freshly-hired employee, it’s something different and new to be puzzled through.

For someone new in an organization, there are countless such puzzles.  There are buzzwords that established employees already know the meaning of.  There are ways that “we do things around here” that everyone is used to.  And, there are subtle bits of office etiquette that the veterans don’t even think about.

But for someone new, they have to figure it all out, including not just where the signs are but also what the signs mean.

In the case of compliance, it makes for particularly risky times.  With a set of expectations for behavior that may not match the company’s, there’s the opportunity for wrongdoing and simple misunderstandings that could escalate into serious matters.  More, there’s a need to overcome the persistent belief that “everyone knows that.”

They don’t.

So in addition to the onboarding process for a new employee in which you teach him or her about the company’s code of conduct, it’s worth considering “onboarding” the new hire’s manager.  It may be good to stop and remind him or her that the new person doesn’t know how we do things here, not just from a business systems approach, but also from an ethics and compliance perspective.  That means that the supervisor needs to pay attention to missteps and also speak more about values and policies than normal.

Only then, can a new hire know when to walk, when to stop and when it’s okay to stand on your bike.

Sign of the TimesClick To Tweet

Reprinted from the 2013 Compliance Today May Issue
Written by Timothy L. Davis

Although I have been in my position as Corporate Compliance Officer, HIPAA Privacy Officer, Risk Manager, and Director of Quality Management for a rural behavioral health provider for a little
over a year, I must admit being somewhat overwhelmed in the beginning, I was unsure if I could effectively do the work associated with each title. This was reinforced by others who, in
astonishment, asked “Can you really do all your jobs with so much to do?” I had faith in my abilities, because ideas associated with each compliance area were not new to me, but still I wondered: Am I setting myself and the agency up for failure? Can I really manage the workload of so many areas?

The reality is that most rural providers of any medical service are usually smaller than their urban counterparts and have fewer resources for development and operation of programs not geared toward clinical practice. Even if some resources are devoted, they are often not sufficient to implement all the aspects of a comprehensive compliance program. So the outcome is frequently, “Let’s hire one person and give them all the titles. That should solve all our problems. Although this sounds good, most likely it will lead to a non-functional compliance program and wasted resources. So, how do we make sure our efforts are successful?

One of the first things any agency should do is complete an analysis of need based on their size, practice, and past experience. These key elements will guide the magnitude of the program and what positions may be needed. For example, if you are a moderately sized provider and have a high volume of paybacks/overpayments resulting from insufficient documentation or billing errors, you want to focus on your Quality Management/Auditing and Corporate Compliance positions, and possibly pair other elements, such as HIPAA and Risk Management, with these positions because they may not be as pressing. This is not a onesize-fits-all approach and is as varied as each unique agency.

Once you have determined the positions needed, consider the workload associated with each position and the current stage of development of your compliance program. A common mistake for rural agencies is to understaff in the early (development) or middle (implementation) development stages. The CEO or the director for the agency may look like a hero to the board of directors for
saving dollars, but this approach in the longrun could lead to undesirable results, such as unfavorable financial outcomes, burnout of the compliance professional, lack of buy-in and participation by agency staff, or even negative public opinions about the agency itself.

Another mistake to avoid is the “super” compliance professional who says they can do it all. Although they are most likely capable and talented, the volume of work, even for a small agency, is daunting. Overburdening one person often leads to early negativity toward program implementation and staff unwillingness to buy-in to the program for the long-haul The key is to be realistic about what is to be accomplished, who will be completing the work, and the timeframe for completion.

Once developed and implemented, the day-to-day tasks of the compliance professional settle into a manageable process and staff can be reassigned to other duties within the department or agency. Oversight, monitoring, and updating use far fewer resources if the initial and middle development stages are completed with a thoughtful approach. The wise words: Plan for success early on, make sure you devote appropriate resources based on your agencies needs, and have enough staff to ensure the program is successful. Then, one person wearing many “hats” becomes as easy as just putting them on!

CEP Classic: Wearing Multiple Hats: The Rural Provider DilemmaClick To Tweet

By Kristy Grant-Hart
KristyGH@SparkCompliance.com

When was the last time you spoke to the folks in charge of Business Continuity Planning?  If the answer is “never” or “who?,” I recommend you reach out to them this week and set up a call or meeting.

In case you’ve not interacted with them before, the business continuity planning team is typically in charge of considering worst case scenarios and having a plan in place to deal with them.  The best business continuity departments think through everything from a terrorist attack, to catastrophic IT systems failure, to the effect of pandemic flu.  What does this have to do with compliance?  Three things come immediately to mind:

1. People Think the Rules Don’t Apply

When a disaster strikes, adrenaline takes over and people think only about what is immediately in front of them.  While this response is incredibly helpful in a medical emergency, it can be highly problematic in other scenarios.  If the entire reservations system at an airline breaks down, it would be very easy to start indiscriminately looking at customer records, or opening customer databases to people who shouldn’t have access, to try to solve the problem quickly.  This could open the company up to data privacy breaches and regulatory action after the fact.  By talking to people in the business continuity team (and IT team / team responsible for data breach response) before disaster strikes, you’re much more likely to have plans in place for a proper response when a problem occurs.

2. People Won’t Know Who to Call

If you don’t interact with those who respond to crisis before it happens, they may not know they need to call you when a crisis occurs.  Let’s say you’ve never talked to the receptionists or front desk staff in your European offices about what to do if the regulators come in during a dawn raid and demand immediate access to your offices and computer systems.  Would they know how to respond?  Do they have the phone number of a local attorney who has agreed to be there within a half hour to accompany the regulator?  By talking to people now, you avoid these problems later.

3. If You’re Caught Up in the Issue, They’ll Already Know What to Do

If you’re caught up in the issue (say, you’ve caught the pandemic flu or are held up in Mozambique because of the airline outage), your prior conversations will guide people in responding to crisis in a compliant and ethical way.  Once you’ve shown your interest, perhaps you can sit on the enterprise risk management steering committee, or you can participate in the business continuity planning practice exercise.  By making these connections now, you’ll ensure you’re on people’s minds later.

Recent events in the news have made us all aware that business and personal crisis is possible.  By planning now, you’ll make it much easier to deal with later.

Ensuring the Rules Don't Go Out the WindowClick To Tweet

Kristy Grant-Hart the author of the book “How to be a Wildly Effective Compliance Officer.”  She is CEO of Spark Compliance Consulting and is an adjunct professor at Delaware Law School, teaching Global Compliance and Ethics.  She can be found at www.ComplianceKristy.com, @KristyGrantHart and emailed at KristyGH@SparkCompliance.com.

By Mahmood Sher-Jan
CHPC, CEO and founder, RADAR, Inc.

It’s been over a year since the General Data Protection Regulation (GDPR) was adopted, and one year until it takes effect. In my recent travels to conferences, seminars, and meetings with leaders in privacy across the U.S., the GDPR and its fast-approaching May 2018 effective date seems to be top-of-mind for privacy professionals.

When discussing the GDPR, conversations seem to keep returning to the topics:

• Are we prepared?
• What do we risk with noncompliance?
• What does the GDPR signify in a larger context?

In the last year, I have noticed an evolution in the way privacy professionals are talking about GDPR across the board. A year ago–or even a few months ago–conversations seemed to revolve around what is the GDPR, while in recent months the conversation becomes more nuanced: trying to tease out the inherent ambiguities, soliciting clarification, and solidifying how can we prepare and sustain compliance with the regulation.

I find this shift encouraging in that it indicates a wide acceptance that the GDPR enforcement is coming, and will have real impacts on businesses across the globe. It also indicates a growing mindset that preparing for the GDPR is just another mechanism through which you can reassess your current privacy practices and implement improvements for an overall stronger culture of compliance—achieving GDPR compliance as a natural byproduct of pursuing excellence in privacy overall.

Evolving GDPR Conversations: Are we prepared?

There remain many questions about how the GDPR will be enforced, and nuanced in the ways the regulation may be applied, which will need to be sussed out. And of course there are many studies indicating some organizations lag in preparing for GDPR compliance. Consider:

• Gartner released a statement predicting that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
• In April this year, A NetApp survey of chief information officers, IT managers, and C-suite execs in France, Germany, and the UK reports 73 percent of respondents have some level of concern about meeting the GDPR deadline.
• In October of 2016, Symantec SVP Kevin Isaac expressed concerns following the State of European Data Privacy Survey, stating that “These findings show businesses are not only underprepared for the GDPR—they are underpreparing.”

On a positive note, these figures seem to evolve along with growing preparedness and awareness of GDPR. Laggards in the field are getting wise to this looming deadline. Trainings and thought leadership on the subject have grown exponentially in the last year—groups like the International Association of Privacy Professionals have established programs to offer GDPR bootcamps and trainings, for instance. And articles and lively forum discussion of the particular details of GDPR (the role of a DPO, pseudonymisation and personal data, etc.) further raise the water line of privacy awareness for all of us. My colleague, Alex Wall, recently published Preparing to Comply with the GDPR: Start Now, Plan to Invest.

Evolving GDPR Conversations: The Real Risks of Noncompliance

Since the GDPR was announced, there has been a lot of focus on the substantial fines one risks in the face of noncompliance. The possibility that you could be fined up to 20M Euros or 4 percent of your global annual revenue for an entire conglomerate seems to have effectively gotten the attention of corporate boards, executives, and their privacy professionals. In recent months, regulators have indicated that this threat is not just for show.

In a recent interview, Data Protection Commissioner Helen Dixon indicated a full willingness to apply the full fine as the case may call for it, and when asked if there will be any leeway to ease companies into the new regulation, answered “No. There’s not going to be any amnesty or first or second chances.”

Similarly, Information Commissioner’s Office Head of International Strategy and Intelligence Steve Wood stated in a recent keynote address, “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles.” This indication, that enforcement will be in full effect come May of next year, should be motivating to the aforementioned companies lagging in GDPR preparations.

Evolving GDPR Conversations: GDPR to Motivate Positive Changes in Privacy Practices

Beyond the fines and the very tactical questions of how to prepare and what is the GDPR, are the conversations asking larger questions about proper data stewardship:

• What does the GDPR signify in a larger context?
• How do I create a sustainable and strong culture of compliance in my organization?
• In the journey towards compliance, how does GDPR align with privacy best practices I should be doing anyway?

An example of privacy professionals viewing GDPR as a motivator toward general improvement in privacy practices was a panel session held during the IAPP Global Privacy Summit, titled “GDPR Beyond May of 2018.” In this session, privacy executives discussed long-term compliance efforts, shared aspects of their privacy programs that were particularly effective, and focused on long-term and sustainable privacy practices as the ultimate goal – not just GDPR compliance. I highly recommend reading this recap of the conversation in Infosecurity Magazine.

These conversations are invigorating, listening in as privacy professionals discuss GDPR compliance not just as a distinct regulation to meet, but as part of a larger story about operationalizing and reinforcing strong privacy programs across the board. Some, such as this article from Information Age, laud GDPR as an opportunity organizations should embrace, arguing that the GDPR not only safeguards personal data, but also allows organizations the chance to better understand the data they use, and the value that data can hold. A recent example of this type of commitment was Google’s reiteration of its continued commitment to achieve GDPR compliance by next May’s effective date.

Evolving Conversations on the General Data Protection RegulationClick To Tweet

 

Reprinted from the 2017 March/April Issue
Written by Scott Thompson

Which one are you (hint: they are not mutually exclusive choices)?

Synonyms for beyond reproach: blameless, exemplary, faultless, good, guiltless, impeccable, inculpable, innocent, irreprehensible, irreprovable, perfect, pure, reproachless, righteous, unblamable, unblemished, unimpeachable, virtuous (from Thesaurus.com).

The above adjectives are worthy character traits and goals to which compliance professionals, or arguably anyone, should aspire. However, if your fellow employees view you or the company’s Compliance function/department as unapproachable, similar to the image above, then it can have very negative ramifications for the company, even if you are beyond reproach. There could be numerous reasons Compliance is perceived as unapproachable: they are ineffective, they have limited power to assist, they have limited resources, they do not handle concerns in a timely manner, they do a poor job of communicating, they are heavy-handed when problems are raised, etc. The reasons can be varied and they can be complex. The reasons cannot be solved in a paragraph or two.

The point here is to think about being approachable in everything you do when designing and implementing compliance initiatives, and even in daily interactions with other employees. If your fellow employees cannot approach you (Bridge Out) or do not believe they can approach you (Road Closed), then everyone loses. Compliance initiatives have less impact. Problems go unsolved until it is too late.

Any compliance professional who has ever written a corrective action plan, made a self-disclosure to the government, or conducted a significant compliance investigation knows that fines, penalties, and other consequences probably could have been lessened in a particular circumstance if an employee had simply reached out with questions or to get guidance before acting or making a decision. Did your approachability impact their decision?

Being approachable is a key element in the continuous improvement feedback loop. Being approachable increases the effectiveness of your Compliance program. You want to hear from employees, and not just through the hotline. Employees know their voice will be heard if you are approachable and they will be more willing to raise concerns in a proactive manner. Aspire to be beyond reproach and to be approachable.

How do you make this a reality? Being beyond reproach is usually the easy piece for most compliance professionals. Integrity is a personal trait that either led them to the compliance profession or has helped them be successful in the profession. They pride themselves on doing the right thing and leading others to do the right thing. It is innate to them.  Being approachable takes effort and purposeful action directed at building relationships.  It is a skill that can be built and refined over time.

There is opportunity to demonstrate approachability in virtually every interaction you have, every hallway conversation, every presentation you make, every conference call, every meeting, every response to a concern that is raised, etc. After each of these interactions, ask yourself how you believe you came across to the other persons involved. Do you think you were perceived as a good listener, as a problem solver, as someone who could help make a difference, as someone who would make a diligent and good faith effort to find the best appropriate solution? Just as important, you have to follow through on any commitments you made in the interaction. Otherwise, you lose the credibility and goodwill you are trying to establish or have previously established with others.  In essence, you damage your approachability rather than build it.

Compliance: Beyond Reproach or Beyond Approach?Click To Tweet

By Mark Dorosz
VP of Compliance Learning, Interactive Services

The goal of compliance training is to provide managers and employees alike with guidelines to follow in cases of corruption or fraud. But what happens when, despite all the training, the policy is ignored by the company? Anti-Corruption policy is a serious matter that must be addressed head on.

The reasons for this breakdown are varied, and include lack of pre-policy risk assessment, failure to determine how daily routines might affect reporting, and managerial indifference to reporting policies. In order to correct the problem, immediate action is essential.

• Even if no corruption reports have been made to date, monitoring for non-compliance is still essential. Lack of reporting may be a sign of failure of policy, rather than lack of fraud or corruption.
• Internal auditing. Monitoring must include audits and reviews of the compliance program, including support from the top and middle management, and due diligence from outside partners.
• Training updating. Often, compliance failure can be traced to lack of training updates. Too often, compliance training is a once-yearly or biannual event, when it should be quarterly or even monthly. Laws and technology change too quickly for training to lag more than a month behind.
• Reporting and communication channels. Most critically, channels for reporting and communication need to be kept clear and open. Confidentiality is a must, and whistleblower protections have to be articulated and then followed by management and the board.

Compliance in anti-corruption and anti-fraud policy is essential in today’s corporate culture. Continuous training is only a part of the equation. Solid managerial practices and strong board support for whistleblowers is critical to keep the policies and practices flowing smoothly and reliably.

Attacking Anti-Corruption: Troubleshooting 101Click To Tweet

 

By Adam Turteltaub
adam.turteltaub@corporatecompliance.org

One of the aspects of working at SCCE/HCCA is receiving calls and emails from compliance professionals who are newly out of work.  Many wonder if there are positions here.  I leave them a bit deflated when I remind them that we don’t do consulting work or have a staff writing ethics and compliance books.  We put together meetings and publish magazines for compliance and ethics professionals.  Our staff is almost exclusively made up of meeting planners and member services people.

But, there are a lot of other ways that we can help.

First, both associations have job listings.  You can find an HCCA job board and one for the SCCE, too.  Both are updated regularly, and if you haven’t already, you should take the time to create an account on the SCCE or HCCA sites.  Once you do, you’ll be added to our mailing list and, you will get a newsletter every couple of weeks listing the jobs (plus a bunch of other mail and email from us).

Second, you will find more job listings at the LinkedIn groups for HCCA and SCCE, as well as a large number of discussions going on.  There’s a lot to be said for engaging with your peers.  You never know whom you will met.

This leads into an important point for anyone out of work:  it can be very helpful to have the right online profile.  That doesn’t mean just avoiding embarrassing photos on Facebook.  It means taking advantage of ways to maintain a positive presence online, a presence that can get noticed by recruiters.

“In addition to our existing relationships with compliance leaders, our research team is always seeking the best and brightest talent for our clients.  Having a professional online presence can be the first step towards a career advancement opportunity” said Bob Barker, Managing Partner of the executive search firm BarkerGilmore.

One such opportunity for building the right online presence is to write for the Compliance and Ethics Blog.  The blog gets about 30,000 page views a month, and we welcome submissions.  They don’t have to be long, just related to the practice of compliance and ethics.  Plus blog posts generally appear in less than a week.  You’ll get some exposure at the time, and if a prospective employer Googles you, it’s good to have some articles out there.

If you’re eager to create something longer, consider writing an article for the SCCE’s Compliance and Ethics Professional or HCCA’s Compliance Today.  Both magazines are published monthly, and can gain you exposure to our members.  Plus, after the article runs we will provide you with a nice PDF of your article, which you are free to share with your network.  It’s a great, subtle way to remind people that you’re out there and have a lot of expertise they may want to tap into.

Finally, don’t forget about our social network sites SCCEnet and HCCAnet.   There are hundreds of conversations going on, covering the gamut of compliance issues.  Sharing your expertise is a great way to help others while establishing your expertise, and, once again, you never know who may be looking for someone with your skills.

Unemployed? SCCE and HCCA Can HelpClick To Tweet