The social, political, and environmental landscape is only growing more complex for companies today. This year is not only an election year but also a time of increasing regulatory risk on a global scale, a dramatic uptick in the demand for social justice, and a heightened focus on whistleblowers. All of this has far-reaching implications for corporate ethics and compliance departments.
On Wednesday, NAVEX Global held a Webinar discussing not only the top 10 risk and compliance trends for 2020 but also how compliance departments must manage in these turbulent times. The Webinar complemented the release of a new e-Book, with contributions from various thought leaders in the ethics and compliance space. “There are a lot of external pressures that we’re dealing with, and they also comprise a number of our trends and predictions,” Carrie Penman, NAVEX Global’s chief risk and compliance officer, said during the Webinar.
Politics in the workplace
Politics and issues of social justice are creating growing tensions in the workplace. The 2019 Edelman Trust Barometer found, for example, that many employees today demand their senior leaders take a stance on social and policy issues. Moreover, an increasing number of employees are rallying against their employers where they disagree with the stances they take. “That can create a very difficult culture for the employer or compliance officer,” said Kristy Grant-Hart, CEO of Spark Compliance Consulting, who also spoke on the Webinar.
In the thought leadership piece, Ed Petry, a senior advisor with NAVEX Global, talked about the importance of ethics and compliance officers increasing their emphasis on training and awareness concerning policies pertaining to politics and respect in the workplace. Petry further recommended targeting the training toward “repeat offenders” who instigate trouble to help ensure discussions remain respectful and never escalate into instances of harassment or violence.
Secondly, in today’s hypersensitive social environment, Petry said it helps to have an action plan in place, including an internal communication plan, to quickly respond where an action by the company sparks public outrage. He further recommended using compliance champions throughout the business to help flag potentially problematic situations and individuals.
Disruptive social movements
Prudent compliance officers today understand it’s not just about managing employees as employees but rather as people—individuals with different beliefs, personalities, purpose, and passions. It’s important to foster a culture that allows employees to express not only their concerns, but also their values.
“Oftentimes, organizations are caught off-guard when some of their corporate values are questioned,” Penman said. “To get ahead of these events, we really need to consider and embrace transparency.”
Ingrid Fredeen, vice president of online learning content at NAVEX Global, said this “requires awareness campaigns that inform employees on exactly how the organization processes and evaluates concerns and values on social issues. It requires training on how best to raise your voice within the organization in ways that are both respectful and effective. And finally, it requires driving awareness of the organizational responses to employee reports. Transparency allows employees to trust the organization because they have the visibility necessary to verify its actions.”
This era also brings to compliance professionals a heightened focus on whistleblowers that will continue into 2020 and beyond. “We’ve seen whistleblower regulations, standards, and guidance emerging at a record pace and with an unprecedented geographic footprint,” Penman said.
It’s more important than ever to capitalize on the value of employee reporting. Avoid taking a check-the-box approach and, instead, recognize the value of the reports you receive, Penman said. Also, seek to uncover the big-picture trends. “We’re not just trying to substantiate a case. We’re trying to substantiate a culture,” she said.
Heightened whistleblower culture
In the Fall of 2019, a report from a whistleblower about a phone call between the White House and the president of Ukraine changed the whistleblower landscape in dramatic ways. “We would truly be remiss if we did not understand the significance of this moment and this situation and its potential consequences for whistleblowing and internal reporting more broadly in the years to come,” Penman said.
It has brought to the forefront debates about the value of anonymous reporting, about confidentiality, the right approaches to investigations, about whether second-hand reporters should be able to report, and about the protections afforded or not to prevent retaliation, she said. “It has thrown a lot of what we’ve practiced for many years up in the air.”
Penman added, “This ongoing conversation has pushed us to an inflection point that leaves us with an open question: Will we allow this heightened scrutiny to put a further chill on our internal reporting, or is this an opportunity to capitalize on it once and for all and change the perception of whistleblowing and reporting?”
This is a time for compliance officers to be laser-focused on eliminating any technical, procedural, or emotional barriers to internal reporting, as well as a time to value all forms of internal reports. It’s also a time to address the fear of retaliation through proactive monitoring, awareness, and training.
“Design reporting systems that are resilient to outside influence and can offset some of the inherent pressure that we do see on internal reporters to stay silent, recant, or take their concerns elsewhere,” Penman said. Also, periodically review and test internal investigation processes to ensure they are consistent, timely, and fair.
More than 100 countries, to date, have adopted privacy legislation, with two of the most expansive and prescriptive being the EU General Data Protection Regulation and the California Consumer Privacy Act. “If you do not have a data protection officer, you probably should get one,” Grant-Hart said.
Jess Wilburn, data privacy officer and senior counsel at NAVEX Global, recommended in the e-Book that each team “have a privacy representative or champion who can effectively speak to the team’s data practices, usage, and retention. These relationships are key; a DPO can tell you what the privacy requirements are, but they will need functional experts to help translate and apply the law across different use cases.”
Data mapping is also important and requires understanding what types of data are collected, where the data is stored, who processes it, where the access points are, and what data retention practices are in place. “Data handling practices should then be formalized throughout the organization by codifying data privacy best practices through updated privacy policies and data privacy compliance training designed to educate the critical personnel who collect, manage or process data within the organization,” Wilburn wrote.
Digitization of investigations
Because many financial crimes today are cyber-enabled, financial-crime investigators and forensic accountants must better understand network security and the software systems underlying things like expense reporting, payroll, procurement, and electronic banking. It’s important that compliance and internal audit be a part of that communication flow to properly conduct an internal investigation.
Thus, it’s important to identify and work alongside subject-matter experts, particularly in IT and information security, to gather evidence and identify responsible parties, Grant-Hart said. “I would recommend that you talk to your data protection officer or head of privacy and find out if there are data maps or data inventories that exist at the company,” she said. “If you can get your head around how the data moves between your company and third parties, that can really help you.”
On Thursday, Deloitte issued its latest “State of the Deal” report on merger and acquisition (M&A) trends in 2020. According to that report, 63 percent of 1,000 U.S. corporate dealmakers and private-equity firm professionals polled said they expect the number of merger and acquisition deals they close in the next 12 months to increase.
Alongside that finding, 56 percent of respondents said they expect deal values to increase in the year ahead. Practically speaking, this means larger deals come with a higher risk of loss if a deal does not go well, Penman noted, citing the data.
One factor that determines the success or failure of an M&A deal is the alignment of culture, a factor that is oftentimes underestimated, Penman said. For compliance officers, it’s important to have insight into the culture with which the company is integrating, much of which can be mined from internal hotline whistleblower data.
Fernanda Beraldi, senior director of ethics and compliance at Cummins, recommended in the e-Book asking the following questions: “Do employees feel empowered to report misconduct? Are they properly trained on values and expectations for the corporation? Does the company really know what risk looks like, and is the culture equipped to support enterprise-wide hygiene? Or is there potential cynicism or distrust brewing beneath the surface?”
With the issuance of the “Framework for OFAC Compliance Commitments” published by the Department of the Treasury’s Office of Foreign Assets Control, compliance officers for the first time have a prescriptive framework for building a well-crafted sanctions compliance program.
“Perhaps the most interesting component of OFAC’s new guidance is the implicit message that OFAC no longer cares why your program failed,” wrote Michael Volkov, CEO & owner of The Volkov Law Group. “It doesn’t matter if your violations were made in earnest, or if they resulted from actions taken by your third party without your knowledge. Regulators no longer want to hear your excuses.” Compliance officers should refer to OFAC’s very prescriptive guidance to ensure they meet those sanctions compliance expectations.
Compliance officers literally have “only so much time and mental capacity” to deal with the rising tide of global regulations, Grant-Hart said. One way to handle that is to figure out which regulations and guidance are most relevant.
Use a risk assessment to inform where to focus your energy, she said. Instead of spending time glancing through every piece of guidance, perform a deeper dive into one piece of guidance, and then create a plan to update your program appropriately.
Also, seek the help of law firms and consultants who can create resources for you. Lastly, find the low-hanging fruit. Lean on training vendors for updated learning courses on new laws and regulations, for example, instead of developing your own.
“The future of risk management will be in how we embrace risk through a holistic yet agile approach,” Sam Abadir, director of IRM Industry Solutions at NAVEX Global, wrote in the e-Book. This requires a better understanding of how to address the company’s “most immediate and damaging” risks—people, business, and regulatory, he said.
It also requires breaking down silos and increasing transparency. “The goal, however, is to create systems that force those siloes to identify the relevant information that needs to be communicated across, and integrated into, global operations,” Abadir said. This will help to develop a common risk vocabulary and build working relationships with other departments.