The 14th annual Compliance Week conference in Washington D.C. is in the books, and with it more than 60 sessions filled with helpful anecdotes, shared best practices, career advice, regulatory guidance, problem-solving tips, inspirational messages, and much, much more.
What follows is my attempt at condensing it all into 10 points you can digest in (hopefully) less than 15 minutes. Here we go …
1. DOJ’s newest official previews policy
In the opening keynote of the conference, newly named Principal Deputy Associate Attorney General Claire McCusker Murray—the No. 3 official at the Department of Justice—indicated there might be news coming soon about a change to the Antitrust Division’s corporate leniency policy.
Under its current guidance, a company that self-reports involvement in an illegal cartel can get a pass in criminal prosecution in exchange for cooperation with an investigation. Murray indicated the Department may soon go a step further in incentivizing good corporate citizenship.
Instead of simply crediting extraordinary compliance measures, as the Department has done in the past, “we may soon be in a position to credit robust compliance programs at the charging stage,” Murray said, even when the company was not successful at deterring and detecting misconduct. “So, stay tuned on this front. There’s more to come.”
2. Kristy Grant-Hart inspires the audience
Like a coach giving a pep talk before a big game, Grant-Hart used her keynote to, among other things, remind compliance practitioners why they’re a critical part of every business. The author of “How To Be a Wildly Successful Compliance Officer” closed her hour-long session with a slideshow set to music that painted those in attendance as heroes whose superpowers were fostering an ethical culture and finding “true believers” to help carry out their initiatives.
She also outlined strategies to combat two issues every risk manager faces: How to go about obtaining resources (read about her six strategies here), and how to fix the perception of the compliance officer as an unsympathetic commander of the “no” police.
Among the things she recommended to make yourself more human to those you work with is to talk about yourself, show your vulnerable side, and take time to hang out occasionally with coworkers when everyone heads to happy hour. Why are those things so important? If a coworker sees you as one of the gang—another important cog in the machine instead of a wrench mucking up the works—they’re more likely to come to you directly when things get difficult or they come across an ethical dilemma.
Think of it as building trust over beers.
3. Try out ‘the choice of yes’
One of the six strategies Grant-Hart outlined for obtaining resources was a psychological trick she called “the choice of yes.” Here’s the idea: When making your pitch, give the decision makers several options for the shiny object (or program) you want them to approve, explaining the positives and negatives of each option. Do not, however, present the option of not approving your idea at all. In other words, don’t put “no” on the table.
It’s not always going to work, but it at least puts the decision makers in position to reflect on the choices you presented without dangling in front of their faces the one option that, at least in my experience, would be the easiest of all: Sorry, but we just don’t have the money for that thing you think is really important to the company.
Simple, but genius. You can bet I’m going to give that one a try.
4. Hui Chen peers into her compliance crystal ball
Compliance and ethics pioneer Hui Chen gave attendees a look at what she thinks are the most critical skills needed for the next generation of compliance leaders, based on the biggest challenges she thinks the function will face.
It used to be, she explained, that the biggest thing compliance had to prove was that a robust program existed within the organization. Not anymore. Increasingly, compliance is being tasked with better defining the key performance indicators that should be measured when trying to identify whether a program is “effective.” The answer is likely different for every company based on its risk profile, but the challenge here isn’t standardizing KPIs, it’s understanding what they should be and figuring out how to use the onslaught of data to tangibly show desired outcomes and behaviors.
That is easier said than done, especially when data is siloed—not connected in any way. The practitioners of the future (and yes, the present as well) will need to have the skills to integrate those countless data sources and create an integrated, efficient model.
“We have the process side down; now we need to measure outcomes,” she said. Better use of data is critical to evolve to that level.
5. Preet Bharara gets crowd laughing, thinking
Hands down, the most engaging speaker of the conference was Preet Bharara. The former U.S. attorney for the southern district of New York filled his hour on the main stage with funny, illustrative anecdotes from his time in office and simple advice everyone could take home with them.
Here are three among the many nuggets of wisdom …
- He said his job at the helm of the southern district of New York was much more of a leadership job than a legal one. He found himself using the skills of a good leader and motivator much more than his knowledge of the law.
- Just like telling your partner “I love you” frequently is the reflection of a happy marriage, a healthy workplace is one in which ethical principles are expressed on a regular basis. “You have to repeat the corny phrases,” Bharara said. A workplace in which “Do the right thing, the right way, for the right reasons” is repeated often is one in which that kind of thinking will be much more consistently top of mind than one in which that point is touched on infrequently.
- Avoid “groupthink” by hiring people who you know will challenge your assumptions and conclusions. Bharara also advised to never make an important decision without a consensus. A key to that, he said, is filling your staff with really smart people who are open minded. A company with “the boss knows best” as a mindset is opening itself up to a lot of risk.
6. Compliance and the Trump White House
From this perspective, the most surprisingly forthright speaker of the conference was former Head of the White House compliance and ethics program Stefan Passantino, who took us inside the early days of the Trump White House from a compliance perspective.
Passantino claimed at the outset that he knew what he was getting into with the job, but from the picture he painted of the Obama-to-Trump transition, that statement strains credulity. Picture this: The Obama administration is moving out, boxes of books and documents packed and no institutional knowledge or processes left behind. None whatsoever. In comes Trump and the new administration, most members of whom were unfamiliar not only with government but had little experience working even at public companies.
So here’s Passantino, learning where the White House bathrooms are located while at the same time trying to establish a compliance program from Day 1 with one of the most unique leadership teams ever assembled. And that’s not even getting into the enigmatic, unpredictable guy in charge of it all.
What was the strategy? Passantino described it as a “triage” approach from the get-go, one in which he made sure that before being issued badges to the White House, everyone took part in a one-hour session on the 10-15 things they needed to know in order to do their jobs without breaking any rules.
There were, of course, immediate compliance fires that needed extinguishing: the side effects of Trump’s travel ban, Kellyanne Conway’s public endorsement of Ivanka Trump’s line of apparel (which Passantino “quickly realized was going to be an issue”), even an unexpected deadline on the release of files related to JFK’s assassination that the administration had to decide on.
Passantino quickly learned he would need to focus his efforts on making the staff better at preparing for crises, which were a staple of the early days of Trump’s administration.
He described that crisis preparation as “a tree in the storm that everyone can hug.”
7. What makes people break the rules?: A lesson in human psychology
Georgetown Law Professor Donald Langevoort imparted plenty of food for thought from his keynote speech on behavioral ethics, providing illuminating examples from studies that demonstrated how human psychology—no matter the rules in place or the training provided—will take over when it comes to making a decision to cross ethical (or even legal) lines.
One example that stuck with me: A large insurance company found that its churn rate for policies was out of control, so compliance stepped in and put in place a new set of rules and identified exactly what it would do to police those rules. Namely, it indicated that any policy turned over within 90 days would be subject to review.
How did the sales team interpret that? To them, compliance essentially gave them a roadmap to avoid getting caught: Wait until the 91st day before making the new sale. That wasn’t the message compliance intended to send, but that’s how it was interpreted by a sales team that was still incentivized based on the number of policies sold.
In retrospect, the sales team’s behavior was predictable from the standpoint of motivation. They were still financially incentivized to maximize sales, so the message they received was along the lines of, OK, they want us to keep doing this, but they gave us a heads up on how to do it in a way where we won’t get caught.
Langevoort called that type of thinking “motivated reasoning.” What the compliance function failed to understand was the motivation of the sales team whose behavior it was trying to change.
Like Langevoort’s example,the anecdote that will stick with me most from Bharara was his comparison of a company with a “close-to-the-line” compliance program to the “experienced” drinker who tries to party right up to the legal limit before getting behind the wheel.
In both cases, it’s about maximizing the positive (for the company, it’s profits; for the drinker, it’s the buzz) and just barely avoiding the negative. It’s easy to envision the drinker having just a little too much and getting into deep trouble. And if you think about it in those terms, it’s just as simple to picture the company where compliance is merely tolerated instead of a way of doing business getting into hot water.
“If that’s the culture of the place, how long will it be before everyone’s in trouble?” Bharara asked rhetorically.
Quickly jumping back to Langevoort’s comments, there’s a further connection to make on human behavior. Once an employee takes the first step toward wrongdoing, he explained, the second step becomes easier, the third step even easier, and so on. As the invisible line moves, Langevoort said, that becomes the new normal. Each individual step doesn’t seem like a big deal, but every step you take gets you closer to true wrongdoing.
So … how does one discourage such conduct? The first step is to make sure employees’ incentives are aligned with the behaviors the company is trying to encourage. That’s easier said than done, of course, especially because of the compliance versus human resources “evil twin problem.”
Langevoort explains: “Many of the behaviors that send you into a compliance tailspin are the very same ones that are prized by HR in looking for good employees.”
What he’s talking about there are traits possessed by highly motivated individuals: confidence, optimism, creativity, intensity. These are prized in corporate culture, but they can be dangerous when trying to foster an ethical workplace. There’s a hard-wired belief, Langevoort said, that these types of values in leaders are what make companies successful. The other side of that equation, however, is the fact that these very same values can create a level of risk.
Langevoort’s suggestions on how to combat this include creating a more diverse leadership core (more women on boards, for starters) and appeal to the value of a “team” atmosphere: If you are truly a “team player” and care about the success of the team (something people value in themselves), you won’t engage in risky behavior because of the effects it will have on that team.
8. Impact of cannabis legalization on corporate compliance
It was unusual to see a packed room for the very last session of the conference, but perhaps the standing-room-only crowd at the conference-closing cannabis compliance session speaks to just how big of an issue this is becoming in North America.
As legal recreational marijuana use is becoming more widespread (so far it’s at 10 states and counting, plus all of Canada), so too are the compliance challenges.
What is sound employment policy in the age of cannabis legalization? If, for example, you operate a factory in a state where recreational use is legal, do you allow for cannabis use on the job? Or do you treat it like alcohol?
The first question to ask, according to the panelists, is, “Are they intoxicated or are they medicated?” That distinction alone separates it from alcohol in the minds of many, as marijuana has been legalized for medical use in many states.
What about employees whose jobs require operating heavy machinery or otherwise involve performing safety-related tasks? Should your policies be different for an employee operating a forklift in a factory than for an employee analyzing spreadsheets in a cubicle?
And what about client entertainment policies? In certain industries, it’s considered common practice to have a drink at lunch with a client. Should those same rules apply for cannabis consumption?
Let’s not forget policies for leaders or key decision makers. Should they be held to a different standard as well?
Companies also need to take into consideration company-sanctioned after-hours events where alcohol might be served. Is cannabis allowed as well? One of the panelists pointed out the potentially dangerous interactions between cannabis and alcohol if consumed together. Combining them can send the level of impairment off the charts. Should that person get behind a wheel and get into an accident, you better believe there will be liability for the company.
“You don’t want to be the test case,” one of the panelists said.
There are no across-the-board answers or easy rules offered up, but these tough questions were a stark reminder that if cannabis isn’t a consideration in your policies and controls, it should be.
9. Cyber-security: Let the FBI be your friend
If your company hasn’t yet been targeted by hackers, it’s only a matter of when—not if—your cyber-security protections will be tested. That was the scary message from a panel on cyber-security investigations that included Adam Cohen, an attorney with the FBI’s Office of the General Counsel.
If your company has experienced a breach event or you’re worried it might have been, do not hesitate to bring in the feds, who say they take a “one team, one fight” approach to working with companies to troubleshoot and prevent cyber-breaches.
They won’t storm through the doors, donning their “FBI” vests, box up your servers, and leave you in the lurch, said Cohen. Instead, they’ll work with you—even performing their investigations during off hours—so as not to disrupt operations at your company.
“We’re not re-victimizing people,” Cohen said.
The FBI won’t even report your breach to regulators, Cohen said. If, say, the Securities and Exchange Commission comes to the FBI with questions about a breach at a particular company, the Bureau will refer them to the company. The FBI does not report incidents to regulators at the federal level, Cohen said.
In fact, cooperating with the FBI—particularly in the early stages after a breach or even before a breach even happens—will be looked upon favorably by regulators.
10. A decision tree for compliance
We’ll leave you with the most memorable and useful slide from the conference, taken from Grant-Hart’s keynote on how to be successful in compliance. Next time you’re faced with a tough decision, take a cue from this chart here:
About 2,700 words later, there are my top 10 takeaways from Compliance Week’s annual conference—three days you should bookmark on your calendar every year. Thanks for reading and hopefully, if you made it this far, I can convince you to set aside the dates for next year’s conference: May 18-20, back at the historic Mayflower Hotel in Washington D.C.
Hope to see you there!
Takeaways from Compliance Week 2019
- Currently reading
Ten takeaways from CW2019