Sometimes white space is a good thing—as long as it's used properly. In the latest edition of our GRC Illustrated Series, which explores effective policy writing and communication, Michael Rasmussen, principal analyst with GRC 20/20 Research, explores how good policy design can be just as important as the actual written word. But good policies start with an effective foundation: the code of conduct. More inside.
As the expiration date for the framework most public companies have used to achieve compliance with Sarbanes-Oxley Act rules on internal controls nears, companies are scrambling to update to the revised framework issued last year. Now some companies are deciding that it’s better to delay implementation for another year, rather than hurry through it. “Companies shouldn’t rush to transition if they’re not prepared,” KPMG partner Dennis Whalen says.
Online learning is a booming part of compliance training—and a seldom-discussed IT weakness in such systems is growing along with it. Learning systems can be hacked, experts say, jeopardizing a company’s training documentation. “Both sides of the equation have changed,” says Jan Sramek of Better, an e-learning vendor. “Cheating has gotten easier, while breaches have become more costly.” More on the hack (and how to stop it) is inside.
The Department of Defense has proposed a rule that would shift responsibility for obtaining audits of certain business systems into the hands of the federal contractors themselves, reducing some compliance headaches while creating others. While the rule could hasten the process, it adds new risks. “Any time you have to certify something to the government, it always comes with risk,” Susan Cassidy, a partner with Covington & Burling, says.
The Financial Stability Oversight Council may add the Systemically Important Financial Institution label to more insurers and asset managers—MetLife is imminent and Fidelity may be next. Yet some are arguing that the designation, which comes with stricter compliance requirements, was tailored for banks and doesn’t fit these other types of firms. “You apply traditional bank type regulations to a product like a mutual fund and that causes all kinds of potential problems,” says Bibb Strench, counsel at law firm Seward & Kissel.
“Everybody talks about the weather, but nobody does anything about it.” That popular quote could be updated by replacing Mother Nature with cyber-security and reputation risk. A new survey by audit firm EisnerAmper finds that boards are ranking IT and reputation threats well above traditional regulatory risks, but have taken few steps to mitigate them. In this week’s podcast, we talk to Steven Kreit, a partner at EisnerAmper, about why compliance risk is slipping from boards’ radar screens and how they can shore up their approach to growing threats.
As GM works to overcome the damage from its ignition-switch disaster and the resulting mass recall, one of the central tasks for CEO Mary Barra will be to recast GM’s wayward culture and fix its communication problems. In an open letter to Barra inside, columnist Richard Steinberg suggests ways GM can improve its culture and create an environment where executives take responsibility and do the right thing.
In recent actions the U.S. Consumer Product Safety Commission has emphasized the importance of effective compliance programs, echoing the approach taken by other federal agencies in a variety of contexts. Even if a legal violation occurs, a robust compliance program may help avoid severe government action and penalties. Inside, guest columnist Stephanie Tsacoumis, general counsel of the CPSC, provides her thoughts on what constitutes an effective compliance program.
Shareholders put a high priority on CEO succession planning, but they have stopped short of calling for more transparency on the plans. That could be changing. A high-profile CEO’s illness and a campaign for more succession plan disclosures in the U.K. may bring greater attention to what companies reveal about the plans. “Investors want to know that boards have thoughtful long-term and emergency executive succession plans,” says Allie Rutherford, director of the Corporate Governance Center at auditing firm EY.
French banking giant BNP entered into a guilty plea last month and agreed to a record $8.9 billion settlement—the largest penalty ever obtained by the Justice Department in a criminal economic sanctions case. Worse still, the compliance department at the bank was accused of helping to cover up the wrongdoing. “The message to banks is that they need to take more seriously a culture of compliance,” says Jeffrey Alberts, a partner with law firm Pryor Cashman.
This year looks to be a record-breaking one for mergers and acquisitions. The blockbuster deals raise several compliance issues, such as potential Foreign Corrupt Practices Act violations and ethics culture mismatch, but compliance officers may not always be part of the pre-deal diligence from the start. Getting them involved early can help avoid the threat of “successor liability” and post-merger bribery violations, and can foster the best cultural aspects of both sides. More inside.
Are executives ignoring cyber-risks? Even as cyber-attacks on corporate networks increase in number and severity, such risks have done little to elicit the type of alarm that senior leadership teams should be sounding, finds a new report. “It's a 21st Century risk that a lot of companies have not really come to grips with,” says Sean Joyce, principal of PwC's U.S. Advisory Forensics Services practice.
Many companies strike confidentiality agreements with employees who are leaving, but some are finding they can run afoul of government whistleblower protections, especially when employees are asked to forgo whistleblower bounties as part of their severance agreement. “We see a seemingly endless array of efforts by companies to come up with new ways to dissuade individuals from providing information to the government,” says David Marshall, a partner at the law firm Katz, Marshall & Banks.
In this e-Book, produced by Compliance Week in cooperation with BlackLine Systems, we look at the progress companies are making in implementing the revised COSO internal control framework and improving their control systems. After companies got off to a slow start, we look at how they are assessing what they need to do to adopt the revised framework.