In the US, over 600 million records containing sensitive personal information have been stolen since 2005.
According to IBM, the average software contains between 5 and 50 exploitable bugs in every 1,000 lines of code.
An average company experiences 62 security incidents every week.
3 out of 4 companies will be targeted by web application exploits.
62 percent of employees think it is acceptable to transfer corporate data outside the company.
It takes, on average, 32 days to resolve a cyber attack.
The average cost of a data breach in 2013 was $5.4 million.
These are scary statistics. And more scarily, we probably haven’t even seen the end of the era of the data breach. In many ways, traditional security tools such as firewalls, anti-virus software, SSL VPNs, and password complexity rules are no longer enough. To get ahead of the curve, many companies have started hiring their own internal hackers.
These security experts are known as “ethical” or “white hat” hackers (The term comes from old westerns – the good cowboy would always be the one in the white hat). These hackers are IT professionals with a desire to solve problems and to prevent malicious attacks on systems.
The theory behind ethical hacking is that organizations hire good guys that understand the bad guys (and in some cases used to be bad guys), since one must understand how the damage is being done in order to stop it. With this in mind, companies hire ethical hackers to intentionally try to break into their systems and breach their security. The hackers are given permission to try to destroy the company and gain as much access as possible into the systems and networks.
It’s the hacker’s job to find all the nooks and crannies that the bad guys want to exploit–and to exploit them first–then report to management. Doing all of this requires the same skill set that a malicious hacker would use to penetrate the organization’s security. For this reason, training in ethical hacking has gained popularity in recent years with books, classes, and even certification available to those with the knowledge and skills to become ethical hackers.
While the profession isn’t new, its popularity is. In fact, the government and banking industries have been using their versions of ethical hackers for decades, employing the best and brightest and daring them to break into their networks. You’ve probably even heard of one of the most famous, and earliest, white hat hackers: Steve Wozniak (aka the “other Steve” at Apple).
Wozniak got his hacking start designing blue boxes, which bypassed telephone-switching functions in order to make free long-distance calls (probably not technically white hat, but it led to more ethical endeavors). He improved his hacking skills further by designing the hardware and some of the software for the first Apple prototype, meaning your iPod, iPad, iPhone, and MacBook Air may not have existed had Woz not chosen to use his hacking skills for good.
While ethical hacking is on the rise, companies without a white hat can still follow some simple guidelines to protect against data breaches:
1. Secure your web applications.
2. Develop and implement a technology security policy.
3. Educate employees and train them on how to handle confidential information.
4. Give your developers the tools and training they need to write secure code.
Editor’s Top Choice:
From Profit Advisory Group:
What do you think is the biggest differentiator between two companies existing in the same marketplace? There are undeniable arguments to be made for differentiators like location, quality, price, marketing, or customer service. All of these factors will have an effect in the market but one factor that often gets overlooked and affects all the potential differentiators above is company culture.
Howard Stevenson, Public Admin Professor and writer for Harvard Business Review has said: “Maintaining an effective culture is so important that it, in fact, trumps even strategy.”
Does Culture Affect Your Bottom Line?
It is no secret that a great company culture will help you to recruit and retain top level employees, but do you give culture enough credit for affecting the bottom line? Some of the best companies in the world really put their money where their mouth is when it comes to culture.
Zappos, a multi-billion dollar online retailer, credits its culture, or as they call it, the Zappos Family Core Values, as the key to their unbelievable growth and success. The CEO, Tony Hsieh, has written a book, Delivering Happiness, about the Zappos rise in the online retail world, and it largely focuses on how they built their culture. Read more
Other Featured Picks of the Week
Aarti Maharaj, writing for The FCPA Blog writes, “Trust in business has plummeted to a historic low, according to a recent study by Ethisphere Institute, and the composite score of trust across many industries is a cause for concern.
The 2014 Ethics Communications Best Practices Report provides a snapshot into some of the key trends in business ethics and features insights and perspectives from industry leaders, academics, and corporate governance and legal professionals.
‘If we talk about what we are doing well, then we are not being transparent,’ says Mitchell Mackler, geographic head of legal, Americas, at Wipro, a multinational information technology consulting and system integration company.
‘There are bound to be bumps in any organization, and I believe that by being open, honest and transparent, we hold ourselves accountable to the public at large, our shareholders, nongovernmental organizations, etc., and in turn, continue to build a stronger company.’” Read more
From Christopher-Marcus Gibson on the Huffington Post’s “The Thesis Project” blog, “The motivation for my honors thesis springs from our often irresolvable disagreements about moral and political issues in the public square: issues ranging from educational and economic reform to health care and immigration policy, in which we often disagree about not just the answers to our questions, but the standards that will justify them. Such intractable disagreements, and the incompatible ethical theories that often lie behind them, led me to address in my honors thesis the following question: ‘How far we can make ethics scientific?’ As a result of my research I claim that although acculturation and character development play a major role in determining the ethical claims we find persuasive, a rigorous empirical science of ethics could still be an attainable goal for us. If undertaken, such an approach to ethics could go some way toward providing potential methods of resolution for our fiercest moral and political disagreements.…” Read more
Andrew Leigh of Ethical Leadership writes, “From China to Brazil, emergent nations claim one thing in common. They are fast growing and lure some of the largest firms to invest in them. A further pang of hunger comes from the West’s own slowdown.
It is hard not to be impressed by the vitality of these newer markets. UK firms for instance, now win over one quarter (28.2%) of their income from them. We can expect these markets to further increase five-fold, becoming larger than the developed world by 2050.
Such hot sources for business pose questions about what it means to run a responsible business. What passes as legal in China for example, may be quite the opposite in the West.
Leaders seeking to stay ethical often feel torn. They must stay on the right side of laws in their own countries. Meanwhile they must ensure sound business behaviour elsewhere. Often this brings them into conflict with local laws and culture…” Read more
Peter Post, of The Boston Globe:
Emily Post once wrote, “Etiquette must, if it is to be of more than trifling use, include ethics as well as manners.”
Ethical behavior has a moral component to it, whereas manners in and of themselves do not. For instance, which fork to use is a manner with no moral component. But taking someone else’s lunch from the office refrigerator does.
The various roles people fill in business have ethical or moral aspects to them. For example, being an ethical customer can result in receiving exemplary service from a provider. The ethical customer always engages in business with a provider in an honest and forthright way. For instance, he doesn’t ask a vendor to provide a detailed presentation or a sample of work when he has no intention of hiring the vendor, or intends to use the spec work without paying for it. In addition the ethical customer:
- Makes sure vendors receive payment on time.
- Doesn’t accept any gifts or favors as inducements to work with a specific vendor.
- Avoids conflicts of interest in choosing a vendor. The choice should be based on price and the ability of the vendor to deliver, not because the vendor is also a cousin.
- Negotiates agreements and then expects the vendor to deliver only the agreed-upon services within the agreed-upon time frame.
- Makes sure he or she delivers any expected information or materials within the contracted time frame so the vendor can meet deadlines.
A new report by the Ethisphere Institute identifies areas companies should work on to enhance transparency across all operations.
The release of the 2014 Ethics Communications Best Practices Report coincides with SCCE’s Corporate Compliance & Ethics Week May 4-10, a national week-long event that recognizes the importance of ethics and compliance in the workplace. Many companies use this week to advance the dialogue surrounding compliance and ethics and engage employees in these hot button issues.
“We are excited to build on the momentum and energy coming out of our second-annual Best Practices in Ethics Communications Workshop by publishing the expert perspectives and successful strategies that were shared at the New York Stock Exchange in October,” said Paul Gennaro, AECOM’s senior vice president and chief communications officer, who also chairs the Ethisphere Institute’s Communications Advisory Board.
The report features insights and perspectives from several recognized leaders in communications, academia, and legal and compliance, including Paul Argenti, professor of Corporate Communication and Corporate Responsibility, The Tuck School of Business at Dartmouth; Roger Bolton, president of the Arthur W. Page Society, the leading global professional association for senior public relations and corporate communications executives; Gary Sheffer, vice president of corporate communications and public affairs at General Electric and chairman of the Arthur W. Page Society; and Dr. Edward Queen, director of the Ethics and Servant Leadership Program, The Center for Ethics, Emory University.
“There are times when silence is important, especially when you don’t know all the facts. Long-term silence is never the right answer, but you have to achieve a balance where you are not rushing out with potentially false information, which can really discredit the company in the long run,” said Gregory.
Dawn Werry, vice president, marketing, Milliken & Company, added that while it is important to know all the facts before communicating, a quick response is important to controlling an organization’s rumor mill.
“You can’t go too long without telling people something, or else they will fill in the blanks,” said Werry. “Immediate communication allows you to be in control of your story, which is better than the alternative.” Werry also added that social media provides a unique tool for hearing feedback. “During a crisis while working for a previous employer, the biggest turning point for us was when we started using social media to listen.”
In December 2013, the world learned of the Target breach. We now know that more than 40 million credit card numbers were stolen along with 70 million other pieces of customer data. Together, this amounts to the second largest data breach at a U.S. retailer. Since the public became aware of the breach, more than 90 lawsuits have been filed against Target, as well as an investigation by the FTC and Senate Banking Committee.
When Target CEO Gregg Steinhafel was removed from his post this week, it left me to ponder what went wrong, and how it could have been avoided. Here are the 5 mistakes Target made with their data breach (that you should avoid):
1. They ignored the warnings.
Six months before the breach, Target installed a $1.5 million malware detection tool, one of the same tools the CIA and Pentagon use. Target also has an off-shore team to monitor computers 24/7 and alert the Minneapolis headquarters to anything suspicious. How then did a breach this large happen? Well, it seems as if Minneapolis ignored the warnings – at least three times.
2. They didn’t tell consumers fast enough.
Target first publicly disclosed the breach in a press release on December 19, 2013, after journalist Brian Krebs broke the story on his website. Despite the press release and the media swirling about the breach, Target waited more than a month to personally notify customers. This left hundreds of millions of customers to read the newspaper and watch the news and wonder if they were affected for over a month. Too much, too little, too late to assuage fears and/or regain trust.
3. Even after they told consumers, they didn’t disclose the full extent of the breach.
Target told us about the 40 million credit cards on December 19, but waited until January 10 to disclose that more than 70 million customers had personal information – names, phone numbers, email and mailing addresses – stolen. This led to the feeling that the retailer was not being fully upfront with anyone. And was it a coincidence that this information didn’t come out until after the holiday shopping season was over?
4. They never really said they’re sorry.
As consumers, we want to feel like the big bad corporation is sorry for letting our information slip. With Target, we don’t. The combination of the above events, and the complete lack of sympathy Target is showing for them certainly doesn’t feel apologetic. The data breach FAQ on Target’s website isn’t exactly apologetic and feels like it exists to keep panicky customers from clogging phone lines, more than helping.
The form letter offering credit monitoring didn’t help either. Especially since free credit monitoring won’t help anything. Credit monitoring helps if someone steals personal information (social security numbers, date of birth, mother’s maiden name) – that didn’t happen with Target. Credit and debit card fraud doesn’t trigger anything on a credit report. It was a way to allay the fears of the masses, without really doing anything.
5. They’re dumping money and manpower into “new” systems and resources without changing what went wrong.
Since the breach, Target has promised hundreds of millions in upgrades, fired their CIO (they’re still looking for her replacement), promised better security systems, and, now, forced the CEO to resign. They’ve shouted from the rooftops about their new security systems and created new security roles, including those of Chief Information Security Officer and Chief Compliance Officer (Note: neither have been filled). All of this is nice, but their entire data breach could have been prevented with training. Yep, training.
We know from the investigations that Target already had every system in place to prevent the data theft. They already had state of the art systems, and monitoring, and alerts. The problem is, they ignored them. Someone on their compliance and security teams saw an alert and chose to ignore it. Someone failed to follow protocol and didn’t act. Target can buy all the expensive software it wants, but the problem won’t be solved unless they train their employees on how to respond to alerts. There needs to be a protocol, and a hierarchy, and an internal system in place to respond to red flags; and each employee needs to know their role in that system. Simple as that.
So, if you ever find yourself in the unenviable position of dealing with a data breach, remember Target (and don’t do what they did). Disclose early and thoroughly, communicate with your customers, evaluate and change your internal systems, and maybe most importantly, say you’re sorry.
Because you’re in the food and beverage industry and that’s where you’re holding interviews for a new director for your board. It seems that the “big three” of ethics, compliance, and legal are all going to have to duke it out. How do you know which one to choose? The answer is (surprise!) it depends. And with everything, there are several factors to weigh. Obvious questions like, what is the composition of the board, who are you replacing, and what type of personality are you looking for are important, but the philosophical question of whom to choose reigns bigger. Each profession has its own unique qualities:
- Promote ethical conduct throughout your organization
- Advises your company to do what’s right, regardless of what the law says
- Operates on the moral high ground
- Advises the organization on how to stay out of trouble
- Concerned with what you are legally required to do, not what you “should” do
- Probably experienced in bringing bad news to the boss
- Advises how to protect yourself if/when you get into trouble
- Gives legal advice
- May have a conflict of interest with compliance
- Not concerned with ethics from a professional standpoint
So which will you choose?
Sometimes just reaching one person at a time isn’t enough. Social networking allows you to interact with the community at large. To help fill that gap, SCCE has several resources available. Each social media resource can be used in a different way, but all have the common goal of keeping you informed about the compliance profession and keeping you connected with other compliance professionals.
SCCE has its own free social network called SCCEnet, which benefits from the expertise of more than 12,000 compliance professionals. In addition, SCCE has accounts on all the major social media sites, including Facebook, Twitter, Google+, YouTube, Pinterest, Reddit, and LinkedIn.
What can SCCEnet do for me?
SCCEnet has more than 60 discussion groups and more than 700 discussions are started each month. There are groups based on your role within your company, risk areas for your particular industry, and for different regions across the U.S. and the world. The most active discussion groups are the Chief Compliance Ethics Officer Network and the Privacy Officer’s Roundtable. But, regardless of which group you use, if you post a question, every response will be directly e-mailed to you, or you can visit the group in the future to view any responses.
In addition, SCCEnet features a series of guest commentators who discuss the critical issues that face the compliance profession. SCCEnet users can log in, read what the guest commentators have to say, share their thoughts, or get their questions answered. Users have shown a significant level of engagement with our commentators and the rich variety of insight they offer on the given topic.
What can Facebook do for me?
Facebook has over 1 billion active members, and many of those members are business professionals and your colleagues in compliance. More than 72% of all American adults are on Facebook–meaning 3 out of 4 of your friends (who are presumably grown-ups) are on Facebook. This is before you add the 1+ million local businesses with active pages.
Simply put, Facebook is where it’s at. If you are looking to test the waters of social media, start here. As an added bonus, legions of people will wish you a happy birthday on Facebook, and that will make you feel really popular.
The SCCE Facebook page provides relevant compliance news, SCCE event information, and interesting discussions. If you “Like” our SCCE page (9,500 of your peers already have), our posts will show up in your news feed.
What can Twitter do for me?
Simply put, Twitter is great for news. Twitter messages are only 140 characters, so they are short and sweet and perfect for providing compliance news headlines and a link or picture. If news is breaking, Twitter has it first. With more than 500 (that’s not a typo) million tweets every single day, Twitter will, quite literally, keep you posted. While Twitter still has a reputation for being for the younger crowd, it has clearly become a necessary tool in the social media belt.
Twitter is also unique in that you can consume all of the information you want, without having to create an account or login. Use it as a search tool to find up-to-the-minute information on whatever it is you’re looking for.
If you do choose to log in, you can curate the content you want to see by following only the people or organizations that interest you. These “feeds” will then be what you see when you log in to Twitter – aka your “home feed.”
The SCCE feed on Twitter helps compliance professionals by providing news and links in a simple and efficient format. We’re proud to say that we’ve got more than 11,000 followers on Twitter, more than any other compliance-related feed.
What can LinkedIn do for me?
LinkedIn has many beneficial features for compliance professionals, and with more than 277 million members, it’s an excellent site to network with your colleagues. LinkedIn doesn’t allow photo sharing and they keep advertising to a minimum, so they are able to maintain a professional and business-oriented environment.
A major benefit of LinkedIn is the discussions occurring in LinkedIn groups. Companies across the globe have created LinkedIn groups to share news and encourage discussions of current topics between group members. With more than 200 conversations starting every minute, and 8,000 new groups created weekly, you’re sure to find at least one group on LinkedIn that could be of value.
After completing the account setup, I’d suggest updating your profile to include your current contact information and job (it’s hard to network if people don’t know what you do or how to reach you). LinkedIn makes building a profile really easy by allowing you to upload your resume directly into the platform.
After you have completed your profile make sure you upload a professional picture of yourself. Much like all social media, other users want to see who you are and feel like they’re interacting with another person, rather than a blank-two-tone-grey-looks-a-little-bit-like-a-mugshot graphic. Also, you need a professional picture to be taken seriously on LinkedIn – not having one is the equivalent of wearing a bag over your head at a networking happy hour; sure, you’re there, but you’re pretty much declaring to the world that you aren’t really that interested.
After adding the finishing touches to your profile, and uploading your picture, I would recommend joining some LinkedIn groups. You can join up to 50 groups, and you can manage the settings of each group individually. The easiest way to find LinkedIn groups is to use the search function. Simply search for what you’re interested in, and find groups related to those things. Joining a group is simple, and once you’re a member of a group, you’ll be able to post a discussion, ask a question, or comment on what’s going on in the group.
Be sure to find SCCE’s group on LinkedIn – with more than 17,000 group members and 80+ discussions every week, it is an excellent place to network, stay connected, and maybe even learn something.
Privacy on Social Networks
Because social networks live on the Internet, there are always privacy concerns. To allay the fears of their users, most sites post their privacy policies to make users feel more secure. However, many people don’t realize that users (that means you) have a great deal of control regarding privacy settings on social networks.
When you create a profile on Facebook or LinkedIn, your privacy will be governed by that site’s default privacy settings. The potential problem is that default privacy settings may allow a great deal of information to be displayed to anyone who views a profile.
That being said, I recommend that anyone who sets up an account on Facebook go to the privacy settings and verify what information is being shared, how much of it you want to share with your friends, and how much information is shared with the rest of the world. Similarly, I recommend that anyone who sets up a LinkedIn account view their settings and determine what information should be displayed on their profile page, and whether they want their profile to be public to everyone on the Internet or limited only to their connections.
Managing your privacy is important, so take a few minutes to make sure your settings reflect the amount of information you intend on sharing.
To be most effective, Corporate Monitors have to be experts on corporate compliance and ethics programs. A recent article in the NY Times promulgated many misperceptions about Corporate Monitors, which I chose to respond to through a post on my personal blog (www.TheFraudGuy.com). Because parts of what I wrote may have some relevance to compliance and ethics professionals here, I’ve re-posted it below in its entirety for your convenience.
As an expert in the field of Corporate Monitors and a passionate advocate of Monitor reform (in the form of Standards and “best practices”), I follow news about Monitors very closely. An article recently published in the NY Times by Steven M. Davidoff (“In Corporate Monitor, a Well-Paying Job but Unknown Results”) deserves comment by a knowledgeable and experienced person from this field. Unfortunately, there are many misperceptions about Monitors that mask and hinder from constructive deliberation the real issues that should be highlighted, discussed, and considered for reform in this field.
Among the most prominent of these issues is the Monitor selection and appointment process. The misperception that has evolved is that this is a “good old boy network” where current DOJ or other government agency officials give “lucrative” contracts to former co-workers or friends.
The reality is that, since 2008/2009, the DOJ has done an effective job of preventing this from happening with Monitors and that the selection process is, as I will explain more fully later, now driven by customary and effective professional service industry business development practices. The real issues and concerns lie within the Monitor selection and approval process of those outside of the DOJ, who utilize Monitors more frequently than the DOJ and are presently significantly more susceptible to nepotism and/or potential abuse.
There are no hard numbers on this, but as one who tracks it as best as I am able, I would estimate that the DOJ accounts for maybe 20% (that is on the high side) of Monitors among all the agencies that use them. The rest is spread out among other federal law and regulatory enforcement agencies (particularly in the suspension & debarment area), state & local agencies, the Courts, and non-government oversight organizations (e.g. the World Bank). As is often the case, the DOJ may get the most press on the topic, but that’s only because they have the most high profile matters, not the most matters.
After the Zimmer Holdings controversy led to congressional inquiry and threatened law-making in early 2008, DOJ responded with what is commonly referred to as the “Morford Memo,” which is DOJ’s most widely known policy regarding the selection and use of corporate monitors in pre-trial diversion agreements. That policy was furthered by another, lesser publicly known and/or referenced Criminal Division memo, issued by Lanny Breuer on June 24, 2009 entitled “Selection of Monitors in Criminal Division Matters.” In both Memos, the pool of candidates for a Monitorship comes from the Company, not the DOJ.
According to several GAO reports ordered by the congressional inquiry, the DOJ was following its policy on Monitors soon after it was instituted. For those with interest, I have linked them here: June 2009, November 2009, and December 2009.
Here’s the reality – there is presently no indication of any political favoritism playing any role whatsoever in the selection and appointment process for Monitors in DOJ matters by the DOJ. None. To the contrary, DOJ goes to extraordinary lengths, including applying the Morford and Breuer memos more conservatively than they require, to avoid any appearance of favoritism. To this point, though each memo could be read as permitting the DOJ to take a more active role in determining the Monitor and/or pool of Monitor candidates, the DOJ does not – it instead requires the Company to propose a pool of Monitor candidates and refuses to provide any candidate names, even if asked.
There is a simple and wholly commercial reason why many Monitors come from the ranks of former federal prosecutors. It is because the white-collar defense attorneys who represent the companies needing Monitors also come mostly from the ranks of former federal prosecutors! Business development in the white-collar defense world relies on referrals – a Monitorship is simply a business referral. This is no different than if they represent a company and refer the representation of company individuals to people in their legal network whom they ordinarily make back-and-forth referrals to and believe qualified to do a good job.
In the SAC Capital Advisors matter, there is no indication whatsoever that the DOJ gave a “gift” to the proposed Monitor, Bart Schwartz, a former federal prosecutor, as Davidoff suggests. It appears that Mr. Schwartz was proposed by the company in accordance with the DOJ policies described and hyperlinked earlier. Moreover, his approval appeared to be subject to judicial approval as well, adding an additional level of scrutiny and further removing it from DOJ’s ability to “manipulate.” As it regards Mr. Schwartz, it’s not as though he is fresh out of the government and has no relevant experience in the area. To the contrary, he is a highly qualified Monitor candidate who left government service decades ago. Much like with “expert witnesses,” who need not have necessarily been so qualified previously in order to be retained in a matter, many of those proposed as Monitors have never been a Monitor before. Though this is common, unavoidable, and necessary, it also provides greater opportunity for controversy, disagreement, and discord. Mr. Schwartz is a very experienced Monitor and likely to avoid such issues and be more effective and efficient than someone lacking Monitor experience. It is perfectly reasonable to expect that companies would find such persons independent of the government and propose them as Monitor candidates.
Transparency is another issue worth exploring. If you read the Breuer Memo that I referenced and hyperlinked earlier, you will see that significant documentation should exist within and around the Monitor selection process in the DOJ’s Criminal Division. I am aware that such documentation is prepared and does exist, but I do not believe that it is something likely to be shared publicly. I’ve never filed a FOIA request, but I wouldn’t bet on getting those documents if I did so. I fully appreciate the pros and cons on this issue and would like to see the DOJ explore ways to provide greater transparency in this regard.
Outside of the DOJ, where Monitors are used more commonly and frequently, transparency is largely non-existent. Many, if not most other agencies that utilize Monitors have little or no written policy around any parts of the process, from selection through reporting. Much less do they create any documentation during that process that would provide insight into how a particular Monitor was nominated, selected, and/or approved. The same goes for the Courts (i.e. Judges).
I have noticed a “practice-shift” over the last couple of years where Federal Agencies (outside of DOJ, but perhaps following in DOJ’s footsteps) have begun refusing to provide the names (i.e. more than one – a “pool” of names) of potential Monitor candidates to organizations, even when those organizations request it, for fear of running afoul of “endorsement” prohibitions under 5 C.F.R. §2635.702. I wrote the US Office of Government Ethics earlier this year asking specifically about the application of any ethical requirements and/or guidance specific to Corporate Monitors, but as one might expect, received no response at all. I am not an attorney and may well be wrong about this, but I personally do not believe that §2635.702 applies in this context, so long as there is no “private gain” for the relevant government officials. I would like to see the Government Ethics Office examine this and provide specific guidance as to whether or not a government agency can provide a pool of names of Monitor candidates to a company, particularly when so requested by the company.
Greater transparency and policy/practice documentation is a real issue, particularly as more and more agencies are beginning to appreciate the value of and use Monitors in resolving issues.
Let’s talk fees now. I seem to always see the word “lucrative” associated with Monitorship agreements in press articles – another broad and inaccurate stereotype born out of the Zimmer Holdings controversy. Certainly some of the biggest Monitorships cost organizations a sizeable amount, but that is the nature of professional hourly work in complex matters within large organizations. One could apply the term “lucrative” as well to the fees charged by external defense counsel, subject-matter experts, forensic accountants, information technology consultants, corporate compliance & ethics consultants, e-discovery professionals, document reviewers, marketing professionals, and a whole host of others whom organizations engage long before a Monitor ever comes into the picture.
For the SAC matter, Davidoff’s suggestion that the Monitor’s fees “will probably run in the millions, if not tens of millions, of dollars” is illogical and wholly out of touch with reality. This estimate of fees seems to be more of a sensationalistic reference to the Zimmer Holdings matter (which the article brings up later) than to what any reasonable person would expect having read the scope of the “Compliance Consultant” within the SAC Plea Agreement. Under this Agreement, SAC’s Compliance Consultant will only perform two (2) assessments and file two (2) reports, all done within six (6) months. A third assessment and report may be required, if deemed necessary by the government.
Keep in mind that SAC Capital (now Point72) is not a mammoth organization with thousands of employees all over the world facing a multitude of risk areas. To the contrary, it appears to me that SAC is now practically nothing in terms of size and will only manage the money of its owner – meaning that the Monitor’s assessments should not be very big or difficult at all, nor will they extend over a lengthy period of years, as is common to many Monitorships. SAC is hardly a traditional Monitorship and certainly not a large one likely to generate millions of dollars in fees.
Another common question relates to whether or not a Monitor actually has any impact on the organization monitored. Though I can personally fall back on my own experience as a Monitor to satisfy myself that we do, I can also look to more objective studies that support the real and positive impact of Monitors. In addition to the GAO reports I linked above, some of which address that question directly with companies that were monitored, one of the best studies that I have seen on the question is a white paper entitled “Can Corporate Monitorships Improve Corporate Compliance?” by Cristie Ford and David Hess (I would love to see them update that paper!). Short answer – Monitors can and do have an impact, though much of that impact relies on the substance and terms of the underlying Agreements, which really drive the scope, authority, purpose, and role of a Monitor.
Speaking of that, another important and greatly misunderstood issue is the role, authority, purpose, and scope of a Monitor. Davidoff writes: “He is the ostensible key to ensuring that Point72 will remain on the straight and narrow. A compliance monitor or consultant is a creation of the last decade. When a corporation accused of wrongdoing agrees to settle the charges or is sentenced to probation, it is often required to pay for a monitor to ensure that it does not break the law again. The corporate monitor is to supervise the compliance procedures of the company as well as beef them up.”
Monitors are not a creation of the last decade. While there has been an increased visible use of Monitors by the DOJ within the last ten years, Corporate Monitors go back at least two decades. Also, as previously mentioned, many people mistakenly think that Monitors are only used by the DOJ, which is just the opposite of the reality.
When a company settles a matter, a Monitor is only required around 20% to 30% of the time (even outside of DOJ), certainly not “often,” as Davidoff suggests. In fact, this percentage has declined within the DOJ since 2008, though it shows signs of increasing, particularly as standards and best practices continue to develop around the field. Also, there is a developing trend of the DOJ and other government agencies requiring what I call a “hybrid-Monitor,” which is exactly the case with SAC Capital Advisors. As best as I can tell, though the title used in these Agreements may not even contain the word “Monitor,” the DOJ continues to apply Morford and Breuer principles and process and other agencies still treat the role as they would a “Monitor.”
The purpose and role of a Monitor is largely misunderstood, leading to false and unrealistic expectations. Davidoff promulgates several scope-related misperceptions that have no basis in reality – such that Monitors are in place to ensure that a company “will remain on the straight and narrow” or that we “ensure that it (the organization) does not break the law again” or that we “supervise the compliance procedures of the company as well as beef them up.”
The purpose and role of a Monitor is to verify an organization’s timely and effective compliance with the Terms of an Agreement. An Agreement, by the way, that the Monitor had no part in devising. These Agreement Terms are most frequently associated with an organization’s remediation and improvement efforts in the areas of corporate compliance & ethics programs and internal controls, largely because §8B2.1 of the United States Sentencing Guidelines (“Effective Compliance and Ethics Program”) has made those areas the measuring stick of corporate liability. As a result, the Monitor’s assessments and scope are often heavily weighted, in accordance with the Terms of the Agreement(s), on corporate compliance and ethics programs.
Because an Agreement is exactly that, an Agreement, the parties could choose and agree to include Terms that provide the Monitor with authorities far exceeding that which I have described as a Monitor’s general purpose and role. If the parties so choose and agree, they could give the Monitor significant authority beyond merely verification and reporting, such as operational decision-making, contracting approval/disapproval, etc…. This level of authority is extraordinarily rare among all monitorships and presently non-existent among DOJ Agreements requiring a Monitor.
Absent some remarkably unusual Term(s) in an Agreement requiring it of a Monitor, a Monitor’s purpose and role is NOT to ensure that the company “will remain on the straight and narrow” or “ensure that it (the organization) does not break the law again.” Nobody can do that. Nobody expects that.
The Terms of the Agreement (not the Monitor) are responsible for ensuring, in principle, that the organization will have a compliance and ethics program that, in accordance with §8B2.1(a)(2) of the US Sentencing Guidelines, “…shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.”
To recognize and emphasize that all fraud cannot be prevented, §8B2.1(a)(2) continues: “The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.”
The notion that a Monitor can prevent and/or uncover all fraud within an organization is utterly absurd. It is so unconscionable that suggesting it defies all common sense.
The real scope issue lies within the Terms of the Agreement(s) underlying the Monitorship, which as noted previously, the Monitor had no part in drafting. Having been a Monitor and having read every Agreement requiring a Monitor that I can get my eyes on, it is my opinion that most of these Agreements are not constructed sufficiently so as to ensure that the monitored organizations have compliance and ethics programs that adequately comport with §8B2.1 of the US Sentencing Guidelines. While DOJ’s Agreements have improved drastically in this regard over the last few years, they still too narrowly focus on the underlying issues (i.e. bribery, false claims, insider trading, etc…) and not on the whole compliance and ethics program, which is what §8B2.1 covers.
As a result of this, while a company may significantly improve, for example, its anti-corruption compliance program component under an Agreement with the DOJ, it may utterly fail in other risk areas subject to criminal misconduct and/or abuse. In other words, DOJ risks missing the forest for the trees by too narrowly focusing on the underlying issues and not on the overall compliance and ethics program, which if designed appropriately and implemented effectively, would address all fraud and compliance risks and better prevent recidivism. Isn’t that the real spirit of what everyone wants to accomplish?
Additionally, as a compliance and ethics program expert, I feel that in these Agreements (particularly those requiring a Monitor) the DOJ and most other agencies overly focus on compliance program components and not enough on ethics and ethical tone. The title of §8B2.1 is “Effective Compliance and Ethics Program” (emphasis added) and §8B2.1(a)(2) specifically relates to ethical tone, yet rare is the instance that one of these Agreements obliges a Monitor to assess and report on an organization’s ethical tone! Ethical tone and compliance programs are symbiotic – one cannot succeed without the other – and the government does not yet seem to have come to a full appreciation of it.
Another issue alluded to in Davidoff’s article related, generally, to the concept(s) of “self-monitoring” and/or government monitoring. In self-monitoring, the company assesses its own performance against the terms of an Agreement and reports to the government. Government monitoring is where the relevant government agencies conduct the monitoring.
In my opinion, “self-monitoring” is an oxymoron and cannot be generally relied upon to ensure either effective compliance with the Terms of an Agreement or that the organization establishes a compliance and ethics program that achieves the desired end-results (“spiritual compliance”) of an Agreement. Though many might think that trust and objectivity are the primary concerns in this regard, I have found that the real problem with self-monitoring is technical competence. When an organization is left to its own to make these assessments, the in-house people assigned to make and/or review such assessments often simply lack the requisite corporate compliance and ethics industry experience and knowledge necessary, leading to a “check the box” process or attitude that can hinder effective and/or “spiritual compliance” with the Agreement. This is not to suggest that a Monitor should always be required, only that greater consideration of an organization’s technical competence needs to be incorporated into the decision matrix as to whether or not a Monitor should be utilized.
For example, when an Agreement requires that an organization conduct some type of specific compliance training of employees, the company may genuinely believe it has effectively done so simply because they offered a training session (hence, “check the box”) and therefore report successful compliance with that Term of the Agreement to the government. What I frequently find, as a Monitor and compliance consultant, is that such training was not effective – meaning that those employees at risk to a compliance issue could not reasonably recognize the relevant compliance and ethics risk(s) or apply the relevant policies within the context of their role(s) (hence my term, “spiritual compliance”).
The same lack of compliance & ethics industry technical competence exists within the ranks of relevant government agencies as well, where it is exacerbated by agency budget/resource issues, making fruitful and effective compliance monitoring by the government unrealistic, if not impossible. The agencies that have the combination of technical competence and resources are very few (e.g. HHS), and even those utilize Monitors from time to time.
Self-monitoring and/or government monitoring assumes an expertise that is presently uncommon among organizations and government agencies – the whole compliance and ethics industry itself is barely out of its infancy, though it is growing and progressing rapidly. Monitors fill this void perfectly, often playing the role of teacher and guide to both the organization and government.
I much appreciate Davidoff’s dislike that Monitor reports cannot usually be obtained. There are many who argue that Monitor reports, as a general rule, should be publicly available, albeit with appropriate redactions, primarily to protect proprietary, sensitive, and/or personal information that such reports might contain. Also, knowing that a Monitor’s reports will be available to the world could have a very chilling impact on both an organization’s willingness to enter into such an Agreement and the degree to which it might more openly and fully work with a Monitor towards “spiritual compliance.”
Balancing the obligation for the Monitor to inform (report to) the government against the risks of such information being used or misused by outside interested parties is a very difficult task, whose consequences could easily outweigh the public interest as it concerns access to a Monitor’s reports. For a more recent general exploration of these issues, I suggest “Minding the Monitor: Disclosure of Corporate Monitor Reports to Third Parties” by Karen Green and Timothy Saunders of Wilmer Hale.
There are a myriad of important issues that still exist around Corporate Monitors that yet need to be pointed out, deliberated, and resolved. I never even touched on “independence,” which is certainly one of the big ones! As someone who is passionate about and intimately involved in the development of Standards and “best practices” for Monitors, I hope that writings such as this may bring attention to the important and real Corporate Monitor issues, allay misperceptions, and lead to a greater appreciation for Monitors – an extraordinarily effective and largely under-utilized means by which government and/or other oversight bodies can better achieve long-lasting success in resolving corporate misconduct, fraud, waste, and/or abuse.
For ethics and compliance professionals, creating an environment where employees are encouraged to do the right thing in the face of difficulties and challenges may seem like a herculean task – especially in this ever-changing regulatory landscape.
But, according to a recent opening keynote at Ethisphere/Thomson Reuters sixth annual Global Ethics Summit (GES), which took place in New York City on March 20-21, it all boils down to working with the right people to avoid potential reputational risks.
“Company concerns are very much beyond just business conduct; personal behavior and personal conduct now more than ever can reflect poorly upon the company,” said Larry Thompson, executive vice president, government affairs, general counsel and corporate secretary of PepsiCo during the opening keynote panel, which also featured Randal Milch, executive vice president, public policy and general counsel for Verizon.
Moderated by Holly J Gregory, partner at Sidley Austin, the discussion provided insights into the evolving role of the compliance officer and zeroed in on some areas business leaders should pay more attention to in 2014.
“Social media is great because it allows us to get closer to our customers,” said Milch to the room filled with governance, ethics and compliance officers. “Social media can also be a potential threat to our reputation, and it should be carefully monitored at the same time.”
Key Takeaway: Ethics and Communications
Another panel discussion, “Ethical communication during an era of heightened transparency,” served as the lunch keynote session. Moderator Paul Gennaro, AECOM senior vice president and chief communications officer, urged participants to work across the C-Suite to build and sustain an ethical culture — and rebuild public trust. “When I speak with colleagues in the corporate communications profession about priorities and goals, I encourage them to seek out their peers in ethics and compliance,” he said. “We have an opportunity to lead the way.”
Gennaro was recently named one of the top 100 Thought Leaders in Trustworthy Business for 2014 by Trust Across America Trust Around the World, which was launched by communications expert Barbara Kimmel to promote thought leadership in this space and quantify organizational trust.
The keynote panel included Gary Sheffer, General Electric’s vice president of corporate communications and public affairs; Grace Wu de Plaza, deputy ethics and compliance officer at the Nature Conservancy; and Dr. Edward Queen, director of the Ethics and Servant Leadership Program at Emory University’s Center for Ethics.
“Unfortunately, we live in a world where too often people say one thing and mean or do another,” said Queen. “Central to the issue of developing a convincing commitment to ethics is the practice of equity, of fairness. People in the organization need to know that the rules apply to everyone.”
Creating a global ethical corporate culture that is authentic and durable remains a challenge for many governance and compliance officers. Sheffer believes that as companies expand into new territories and encounter different cultures, it is best to communicate in a context that is easy for local employees to understand. “At General Electric, we change our messaging according to the target audience,” he added. “In India, for example, we created Bollywood advertisements to foster employee engagement, and we continue to do the same in other countries.”
Taking Sheffer’s point further, a panel discussion on March 21, titled “Cultural Considerations for Codes of Conduct,” explored how cultural considerations should be taken into account in a global compliance program.
“All employees have the responsibility to act with the highest degree of integrity and in full compliance with the law,” said Susan Frank Divers, assistant general counsel for ethics and compliance at AECOM, who chaired the panel. “In order to gain a clear understanding of ethical and legal guidelines, companies must rely on a user-friendly Code of Conduct that caters to different cultures and regions.”
AECOM was one of the many companies named to the World’s Most Ethical Companies list for the fourth consecutive year (2011-2014).