Hard Data on the Cost of Noncompliance

A Corporate Compliance Insights article written by Peter Merkulov recently caught my eye because of its breakdown of the hard costs of compliance – and noncompliance. The title is “The True Cost of Compliance,” and the subject is the December 2017 report issued by Globalscape and Ponemon Institute called “The True Cost of Compliance with Data Protection Regulations.” Mr. Merkulov is the chief technology officer at Globalscape, and as of this date I have not made his acquaintance, but he plucked thoughts right out of my brain with this quote:

“Unfortunately, there are organizations who elect to delay compliance efforts because of the associated costs. In so doing, they risk incurring large fines and the loss of customer trust, as well as damage to their reputation, all in an effort to avoid compliance-related expenditures.”

He then backed this statement up with hard numbers. In my effort to share my passion for building effective compliance programs, I have often described their ability to enhance corporate culture. And I do truly believe that a compliance culture is a culture of trust, accountability, and openness for which most companies at least say they are striving. But let’s go ahead and focus on the hard cost data. After all, it takes all kinds to lead on compliance – the “quals” and the “quants,” as it were. Continue Reading

Corporate Responsibility to Migrant Workers: Preventing Exploitation in Your Supply Chain

The exploitation of migrant workers continues to be a problem across the globe as reports surface of forced labor for little to no compensation. The role multinational corporations play – or should avoid playing – in this recurring problem was the topic of many news stories over the past year. The spotlight fell on several companies that failed to prevent exploitation of migrant workers in their supply chain, while other companies were praised for making promising efforts to quash the abuse. These organizations should serve as models – and cautionary tales – to companies whose employees might be at risk. Continue Reading

Don’t Overlook the SEC’s Cybersecurity Governance Guidance

In late February, the SEC approved what it labeled “Guidance on Public Company Cybersecurity Disclosures.” And, sure enough, about three-quarters of its 24 pages focus on the various categories and locations of cybersecurity risk and incident disclosure obligations, as well as materiality determinations. Because the SEC’s much-anticipated guidance appeared right in the thick of calendar-year companies’ Form 10-K and proxy statement preparations, much attention has been paid to its disclosure aspects. But as the dust settles on Form 10-K and proxy statement filings, don’t lose sight of the SEC’s important governance guidance. Continue Reading

Rise Above ‘Why Compliance Programs Fail’ With Behavioral-Based Tips

I recently cracked open my Harvard Business Review to the article on “Why Compliance Programs Fail.” I read with great interest the authors’ theory on how weak, milquetoast metrics can result in check-the-box, paper-only compliance programs. I don’t disagree at all, but I have a few practical suggestions to add.

The authors cite, as have many, the shocking statistic from EY’s 2016 Global Fraud Survey that out of nearly 3,000 executives surveyed, 42 percent said they could justify unethical behavior to meet financial targets. Clearly, something is misaligned. The HBR authors postulate a case for better metrics aligned to strategy. It is a well-reasoned argument with which I do not quibble. But the sentence that captured my interest is this one:

“While many firms continue to see ensuring compliance as a legal exercise, it is really much more a behavioral science.” Continue Reading

In Light of the Brand Memo, Has the Way of Compliance Gone by the Wayside?

After then-U.S. Associate Attorney General Rachel Brand issued a memorandum (known as the “Brand Memo”) in January 2018, which some have interpreted as recanting all reliance on DOJ guidance documents, what’s next? Call me Pollyanna, but I contend that “the way of compliance” is here for good. Pun intended.

First, annual survey results list compliance matters as a high attention area for in-house counsel. This year the executive summary of the Association of Corporate Counsel’s 2018 Chief Legal Survey ranked ethics and compliance obligations as extremely or very important. Whether it be regulatory changes, protecting against data breaches, information privacy, GDPR, or general ethics and compliance, the focus is on keeping up with the compliance obligation. When you are the corporate point-person on all matters regulatory and legal, it is no wonder you stay up at night wondering about the unpredictable. Continue Reading

Countdown to GDPR Deadline: What Your Organization Should Be Doing to Prepare

In late May, the European Union’s new General Data Protection Regulation (GDPR) takes effect, changing the manner in which companies all over the world – not just those in the EU – store and use Europeans’ personal data. GDPR requires any company that collects personal information of European citizens to comply with its data privacy requirements, including:

  • Keeping all records of all personal data processed.
  • Performing data protection impact assessments in cases of high-risk processing activities.
  • Collecting personal information only through opt-in consent of individuals and deleting an individual’s personal data upon request.
  • Notifying individuals within 72 hours of a data security breach.

In order for U.S.-based companies to adequately prepare for GDPR compliance – and avoid massive fines – it is critical to conduct a detailed assessment of the extent to which your organization collects personal data and ensure that proper safeguards are in place throughout all divisions of your organization. Continue Reading

Five Common Compliance Myths

The recently released Society of Corporate Compliance and Ethics 2017 Compliance and Ethics Officer and Staff Salary Survey contains a host of interesting CCO and other compliance personnel compensation information. Also interesting is the survey’s profile data regarding compliance professionals and their companies.

The SCCE is a nonprofit association of more than 5,800 members, including CCOs and their staffs, employed in a wide range of industries. The 2017 survey’s data was derived from 1,376 email responses, which were then distilled down to 444 individuals employed by non-health care providers and responsible for at least 26 percent of their organization’s legal and regulatory risk (i.e., actual compliance personnel rather than personnel with isolated compliance duties).

A review of the survey’s data exposed five common compliance myths. Continue Reading

Digging Into the Details of New FCPA Guidance From the U.S. Justice Department

Over the last 10 years, 143 companies have paid a combined $10.9 billion to resolve Foreign Corrupt Practices Act cases.

That staggering price tag shows the U.S. Department of Justice’s willingness to go after alleged bribery of foreign officials, shoddy bookkeeping, and fraud. In recent years, the DOJ has beefed up its enforcement unit focused on the Foreign Corrupt Practices Act (FCPA), and officials in the Trump administration have made clear that enforcement remains a priority. If you think about FCPA enforcement as a carrot-and-stick approach, the stick isn’t going anywhere.

As for the carrot, the DOJ recently announced changes that give companies even more benefits for self-disclosing violations. The new FCPA corporate enforcement policy expands on a pilot program that had offered mitigation credit for self-disclosures. Continue Reading

The U.S. Justice Department’s Latest Compliance Program Warning

U.S. Deputy Attorney General Rod Rosenstein recently announced the Department of Justice’s revised corporate enforcement policy for the Foreign Corrupt Practices Act. The revised policy is based on an FCPA pilot program (in place since April 2016), which provided mitigation credit for voluntary reporting of wrongdoing and specified levels of cooperation and remediation in connection with the resulting investigation.

Much has been made about the new policy provisions that create a presumption of DOJ declination and specify percentage reductions from the U.S. sentencing guidelines in the event that a company self-discloses, cooperates and/or remediates in accordance with specified policy requirements. Certainly, these provisions significantly further the shift toward encouraging company cooperation, as well as continue the focus on holding individuals accountable, and deserve careful attention. Continue Reading

The 12 Days of Compliance

Like a gift that keeps on giving, compliance efforts now can provide long-lasting benefits into the new year.

I have written before about the guidance document from the U.S. Department of Justice that was issued in February of this year regarding compliance programs. More recently, in October, Deputy Attorney General Rod Rosenstein left no doubt in widely reported remarks that “deterrence requires enforcement through penalties decision-makers are unwilling to pay.” Continue Reading