The Compliance and Ethics Blog

SCCE/HCCA

Mentoring Compliance Professionals

by 10 Comments

By Roy Snell
roy.snell@corporatecompliance.org

Our profession came out of nowhere. Most of us were selected with no prior experience or education.  It’s a very challenging job. Some companies that are hiring people in our profession have no prior experience in hiring compliance and ethics professionals. The best of us are underestimating the need for strong interpersonal skills, and we are over emphasizing the technical skills. We have very few colleges cranking out people with college degrees in our field. We have a ways to go before our profession will be up to par with professions that have been around for 100 years from an experience and credibility standpoint. [Read more…]

Refresh, Renew, Rethink: How to Revamp your Compliance Training

by 1 Comment

By Mark Dorosz
VP of Compliance Learning, Interactive Services

Time tells all things, and it will often tell you that after a while you need to revamp and refresh some things within your organization. We can get set in our ways being comfortable with what we’ve been doing, then things get stale. A dull training atmosphere can stunt growth and creativity – two things you need! Refresh your employees with a revamp.

Choosing the Right Approach

Most compliance training revolves around making sure that employees understand and receive the information in a way that is ultimately efficient for the company. Most employees should technically be capable of absorbing this information, however, many employees are not inherently enthusiastic about almost any form of training. You set the pace and tone, so be sure to approach your training positively and enthusiastically.

Delivery Counts

Some people are more likely to absorb information if it is dictated to them. Other people will remember the things that they discuss with others more hands on. Some people have a hard time even interpreting diagrams and images, while other people will really only learn if diagrams and images are involved.

You may have employees that need to write and record things physically in order to learn something. If the compliance training information is delivered in a way that will satisfy most of these groups, it should work well.

Finding New Ways to Motivate Employees

There are some employees who still won’t respond to compliance training. Almost all employees will respond well if employers can find some additional way to motivate them to succeed at compliance training effectively. There are free or inexpensive ways of doing this.

Some employees will respond positively to a simple certificate that makes it clear that they have done well in compliance training, especially if it is something that they can use to add to their resumes. If employers actually do make a note of the employees who did really well in compliance training, they will truly make these new credentials count, and they will be able to keep track of some potentially talented employees in the process.

Refresh, Renew, Rethink: How to Revamp your Compliance TrainingClick To Tweet

The Ethical, Professional and Personal Challenges of Being Both a Company’s Lawyer and its C&E Professional [SlideShare]

by Leave a Comment

By Odell Guyton, Esq.
Carol Heliker, Esq.
Anne Tkacs, Esq.
Rebecca Walker

Here is “The Ethical, Professional and Personal Challenges of Being Both a Company’s Lawyer and its C&E Professional” from the 2016 Compliance & Ethics Institute on our SlideShare page.  This presentation highlights:

  • Many company lawyers also serve as the company’s compliance officer or director. Hear practical guidance and strategies from experienced C&E lawyers who have navigated the dual roles successfully
  • Strategies to use when professional obligations collide and perception problems arise.
  • Some practical tips on how to respond when your JD
    didn’t prepare you for this!

Enjoy!

 

The 2017 Compliance & Ethics Institute will be held October 15 – 18 in Las Vegas, AZ. Details here.

Ethikos Editor’s Weekly Picks: Happy Birthday Sarbanes-Oxley: Let’s Talk Global Ethics and Regulation

by Leave a Comment

Examining ethics and compliance issues in business since 1987

Happy Birthday Sarbanes-Oxley: Let’s talk global ethics and regulation

By Dina Medland for Forbes
Are you confident your employees will report unethical behavior?  Less than a third of C-suite and other executives- or 32.5% — polled by Deloitte are willing to say that they are, giving fresh impetus to an ongoing debate Read more

Who is your business hero

By Elliot Begoun for Huffington Post
We all have them, heroes. Those people whom we try to emulate, our teachers, trail blazers, and mentors.

I lost one of those this week. Norman McClelland, the former Chairman of Shamrock Foods Company, passed away this week at the age of 90.

To me, Norman was presidential, regal, a man of deep integrity. He was my hero. Read more

Compliance professionals: What should they monitor in anticorruption?

By Henry J. Schumacher for Business Mirror
I recently wrote about the arrival of a new tribe: the compliance professionals, and indicated the areas where their services are needed in organizations. Today, let me focus on specific tasks which are in line with the control processes the Integrity Initiative has developed over time. What are those tasks that he or she has to monitor? Read more

Two-thirds of corporations ignore corruption in their supply chains

By Jonathan Webb for Forbes
A recent report by the Economist Intelligence Unit has revealed a significant shortfall in the ethical performance of major corporations in supply chain management. Fewer than a third looked to address corruption and bribery issues with their suppliers. This was despite respondents high regard as to their company’s sustainability policies. Read more

How Uber can emerge from its scandals as a more ethical company

By Andrew J. Hawkins for The Verge
To put it lightly, Uber has had a rough couple months. After the departure of its CEO Travis Kalanick and many of his top deputies following several months of nonstop scandals and controversies, the company finds itself in the unique position to hit the reset button. Naturally, a lot of experts and pundits have been weighing in with a variety recommendations for how Uber can rebuild its tattered image.

But a new coalition of labor unions, accessibility advocates, and consumer rights groups has emerged with its own list of suggestions. This group is urging Uber to look beyond the insular world of its employees, board members, and investors to a much broader one that includes hundreds of thousands of drivers and millions of customers. Read more

 

 Join SCCE and become part of the compliance profession

Subscribe to ethikos

The most interesting business ethics, culture and leadership articles delivered right to your email every week! Browse selected articles for inspiration, tips and great ideas on how to implement and maintain a healthy business culture. Stay on top of new insights, how-tos, and interviews from around the world—all from the comfort of your desk. Subscribe now.

ethikos is a publication of the Society of Corporate Compliance and Ethics

SCCEnet SCCE's Compliance & Ethics Blog SCCE on LinkedIn Twitter Facebook Google+ YouTube Twitter

Avoiding a Turf War with Human Resources

by 1 Comment

By Kristy Grant-Hart
KristyGH@SparkCompliance.com

How do you work with Human Resources? Do you have a good relationship?  If so, why and how?  These are the questions I’ve been asking my compliance friends in a survey I’ve created to get the answers straight from the experts – YOU!  I’ll be taking your answers (anonymously of course) and putting them into my presentation at the SCCE Conference in Las Vegas.

What have I found so far that can help us avoid the dreaded turf war with Human Resources?  Four answers have emerged. [Read more…]

Statistical Sampling

by 1 Comment

By Christopher Haney, CPA, CFE, CHC
Forensus Group, LLC
Overview

Statistical sampling and extrapolation is an increasingly common practice in compliance auditing and litigation matters. Consequently, compliance officers and counsel should be aware of the techniques, strengths, and limitations of using sampling for the purposes of estimating valid and meaningful conclusions. This post provides an introduction to the steps involved in conducting defensible and meaningful statistical sampling analysis, along with a discussion of important terminology and considerations for interpreting sampling conclusions.

Introduction to Sampling

Sampling analysis is most commonly used when one seeks to infer useful information about a relatively large population without examining every unit in the population by examining only a subset of that population (i.e. a sample).  As part of sampling analysis, estimation or extrapolation is a procedure by which measured characteristics of a sample yield estimates, inferentially, about unknown characteristics of the population from which the sample was drawn.

In a simple example, one might select a sample of students from a school, measure characteristics of those students such as grade point average, and then use this data – inferentially – to estimate (i.e. extrapolate) grade point averages among all students at the school, in general.  Sampling methodologies are described at-length in textbooks, journals and various industry guidelines, and are capable of producing useful results when properly applied. [Read more…]

Compliance Policy Simplification Coordinator? The Nature of Policies

by 2 Comments

By Roy Snell
roy.snell@corporatecompliance.org

Policies are often conceived of for good reason, but those who write the policy tend to make the policy more complicated and potentially onerous than is needed to achieve the spirit of the policy. People occasionally suggest a policy that inconveniences many people be written to address an issue that rarely ever happens. Occasionally, the people who ask for the policy are the people inconvenienced by the policy. The point is, the law of diminishing returns can apply to policies too.

Employees often say things can’t get done quickly because of all the bureaucracy. A strong leader can reduce this problem, but not without criticism associated with refusing to write a complicated policy every time someone demands one. Bureaucracy is a choice; however, for some reason, it must be a tough choice because we all end up with so much bureaucracy.

Having no policies is possible, however, it is a ridiculous idea and most everyone seems to agree with that perspective. Having some policies is possible and necessary, and most everyone seems to agree with that perspective too. What we seem to have trouble agreeing on is when to stop writing or unnecessarily complicating a particular policy.  Some people think more is better. Some people think the more complicated their creation is, the better their creation is.  People often write policies to cover every eventuality regardless of the odds that a particular eventually will occur. As a result, some policies become more problematic than the problems they are intended to prevent or fix. I have watched people question where all the bureaucracy comes from while they are creating more bureaucracy.

Somehow we don’t see the negative downstream impact of an onerously written policy as we write it. We all get a little indignant occasionally about an issue and passionately pursue a good policy relating to the important issue.  I am all for developing policies.  I am just suggesting that we should be more careful about writing policies that have negative unintended side effects on people and companies. We should revisit the wording of policies every once in a while to see if the policy is still needed or if the policy has had unnecessary negative impact that can be easily fixed.  Although I doubt it will ever happen, I would consider creating a position of Compliance Policy Simplification Coordinator. They would wander the organization looking for good intentions gone bad and work with the department to unwind the unnecessary bureaucratic unintended consequences of a policy.

Compliance Policy Simplification Coordinator? The Nature of PoliciesClick To Tweet

Raising the Bar on Fraud Protection & Money Laundering

by Leave a Comment

By Mark Dorosz
VP of Compliance Learning, Interactive Services

The quality and effectiveness of an anti-money laundering compliance program depends on commitment, continuous training and executive oversight. The best time for employees to identify suspicious activities is before transactions are completed, so these industry best practices will ensure transparency and high quality protection.

Impeccable Leadership

More and more companies are hiring chief compliance officers (CCOs) to help oversee their financial operations. The SEC states that CCOs play a critical role in maintaining financial integrity. They generally have three primary duties. First, policy management through defining, training and communicating corporate procedures. Second, compliance monitoring through measuring organizational adherence to standards. Third, investigation management through thoroughly examining and responding to violations. They usually collaborate with risk, legal and financial departments to resolve issues and maintain programs. [Read more…]

The Components of Strong Cybersecurity Plans Part Five: Penetration Testing

by Leave a Comment

By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance

In the fifth and final installment of this cybersecurity series, I will discuss the role of penetration testing in developing a strong security program. As described in my previous four articles, a growing awareness of cybersecurity regulations, trends, and threats has led many organizations to request a penetration test of their technical infrastructure—without really knowing what that means, what its purpose is, and what degree of assurance it really offers.

When I ask if they have already conducted a security assessment, know their controls, have implemented regular vulnerability scanning, and have security auditing procedures in place, they usually respond with “That’s what we’re asking for. We want a penetration test”. In this way, penetration testing and all the other components of cybersecurity plans have become synonymous terms. This conflation is especially prevalent in small to medium-sized firms. However, each component is separate and distinct within a mature security program all serving different purposes, leveraging different methodologies, providing different levels of assurance and benefits, requiring different skills from the assessor, providing different deliverables, and are performed at different stages of a security program’s development. In order to reap the most benefit from a penetration test, the organization should be able to answer the following five questions based on the previous maturity assessment, security risk assessment, and security audits.

  • Do we know what is connected to our systems and networks at all times?
  • Do we know what software is running, or trying to run, on our systems and networks?
  • Are we continuously managing our systems using “known good” configurations?
  • Are we continuously looking for, and managing, “known bad” software?
  • Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings?

A penetration test is an attempt to defeat boundary defenses and gain access to an organization’s internal network by exploiting vulnerabilities. This test is used to determine whether an unmitigated risk exists. In this sense, it tests whether an outside attacker could bypass perimeter controls, gain access to the internal network, and establish command and control capabilities. Many techniques can be employed during a penetration test including vulnerability scanning and social engineering attacks.

Social engineering attacks are targeted at exploiting the human vulnerabilities in an organization. Spear phishing emails, unauthorized issuing of credentials, and taking advantage of physical vulnerabilities can all be examples of ways in which an assessor will use social engineering during a penetration test.

If a security assessor is unable to stage a successful penetration test, this confirms that, taken as a whole, internal controls are operating effectively to externally protect the organization from threats. With these results, management may mistakenly assume that the organization is secure. However, unlike broader security audits, a penetration test provides limited assurance to a specific point in time. Depending on the timeline, results could vary substantially. A penetration test conducted one day could fail to reveal serious vulnerabilities that appear the next day. Risk levels are always changing, which is part of why a complete understanding achieved through maturity assessments, security assessments, security auditing, and regular vulnerability scanning is so critical. Penetration testing provides only a glimpse of an organization’s overall security posture.

Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, the fact remains that it is very important and these tests are frequently required for compliance with regulations. A penetration test’s objective is essentially to circumvent security controls, providing a different perspective than other security audit measures. Therefore, penetration testing may uncover issues that a traditional security audit or assessment may not.

In conclusion, complete security plans incorporate a number of factors, all of which are important in establishing a strong cybersecurity posture. Each stage and technique of the process ought to be regularly conducted in order to provide baselines and comparisons for improvement. But it should be noted that in spite of an organization’s best efforts, no security policy is perfect. Given the constantly changing nature of technology and its inherent risks, security policies have to evolve to meet the demands of our digital landscape.

The Components of Strong Cybersecurity Plans Part Five: Penetration Testing Click To Tweet

The Ideal Employee

by 3 Comments

By Adam Turteltaub
adam.turteltaub@corporatecompliance.org

Let me describe a type of employee for you. This person is:

  • Able to stick to their principles even under extreme pressure
  • Comfortable with a certain degree of non-conformity
  • Someone who values justice over loyalty
  • Willing to make personal sacrifices for a greater good
  • Aware of the consequences of his or her actions

Sounds like a pretty good employee, right? It’s a description of a kind of soul who would do the right thing even when it is difficult.

These attributes were cited in a recent article in The Washington Post about whistleblowers.  Contrary to what some believe, whistleblowers are not greedy, traitorous rats, or out for themselves.  In fact, the research indicates that they are pretty much the opposite of someone who is out for him or herself.  They are focused on the greater good, no matter what the potential personal cost.

It’s good that they’re not out for themselves.  As I’ve noted on this blog, the numbers aren’t very good for potential whistleblowers.  In fact, they’re horrible.

And that’s fundamentally not fair either to them or the idea of identifying wrongdoing.

Sadly, though, that’s not going to change.  There seems to be a deep reservoir of distrust with humans of people who go against the group, stand up for their beliefs, defend what’s right and won’t be swayed.  That’s why we in compliance have to continue to do what we have:  encourage them to come forward internally, make sure that they are listened to and protect them from retaliation.  And sometimes, we need to remind the rest of the world, that there is a greater virtue in coming forward with an issue than remaining silent.

The Ideal EmployeeClick To Tweet