Compliance Week’s 16th annual National Conference kicked off Tuesday. Held virtually, the three-day event features 23 sessions and more than 60 speakers, with the opportunity for attendees to earn continuing education credit while also gleaning insight from our panels of compliance experts.

Below is a live blog for Day 2 of the event. The blog was updated by CW staff throughout the day sharing their takeaways and favorite moments from the conference.

To see more from Day 1, click here.

5 p.m. ET: Day 2 concludes

Thanks to all who joined us Wednesday! Compliance Week 2021 will conclude Thursday with our first Career Day, featuring four sessions geared at helping compliance officers promote their personal skill set. Be sure to check it out. - Kyle Brasseur

4 p.m.: Data privacy: Risk assessments and employee training

Rich Gatz, claims counsel at Coalition, scared the audience during a session on the importance of training employees in cyber-security with tales and statistics relating to ransomware. According to a slide shared during the session, Coalition found from Q1 to Q2 2020 there was a 47 percent increase in ransom demands. In addition, the slide noted 90 percent of incidents are caused by human error. That’s why training is so important, said Gatz, who discussed three important aspects to such:

  1. Implement multifactor authentication
  2. Close remote access to the network
  3. Implement security awareness training

He also told a couple horror stories, such as the employee who took home the backup software each night to ensure it wasn’t taken. Great system, said Gatz, except when the employee’s car was broken into.

Later in the session, the audience was asked why adopt a security awareness program. Here was the answer breakdown:

  • It’s good for security – 46%
  • Recently hacked – 31%
  • Compliance – 20%
  • Vendor contract required – 3% - DeAnn Orie

During a session on data privacy and risk assessments, Veronica Torres noted she doesn’t have much compliance technology to lean on in her role as chief privacy officer at Comscore. “I am the privacy management tool,” she said. In this scenario, Torres advised a hybrid approach, where the leg work is done on the front end.

She also stressed the importance of acknowledging third-party risk management as more than a one-person job. It requires dedicated attention from multiple areas of the business, without any corners cut. - Kyle Brasseur

3 p.m.: E&C programs during and post-COVID

E&C post COVID

In a session focusing on how organizations manage risk and training, both Rob Seibel, director of legal compliance at Abercrombie & Fitch, and Kimberly Shur, Marriott’s global compliance counsel, touted the “one-pager,” a quick read of employee rules and regulations that contains the most crucial things relating to an employee’s particular job. The training is very targeted, easy-to-read, and digestible. Also particularly helpful, said Shur, is using real-life examples for risk-based training. - DeAnn Orie

Seibel talked about how A&F tests employees with fake phishing emails. If a link is clicked in the email, a pop-up comes up encouraging the employee to seek more training. If the employee forwards the email to the company’s security team, he or she is entered for the chance to win a prize. A good way to incentivize good practices without being too aggressive. - Kyle Brasseur

2 p.m.: Preparing for examinations/Three Rs of cyber-security

During a session on preparing for examinations and investigations, Janaya Moscony of SEC3 Compliance Consultants said, “Compliance technology—RegTech—has its benefits, but it also has its risks. The issue is when it’s not set up properly or not maintained.” - Jaclyn Jaeger


Moscony offered details on how companies should prepare for an SEC examination:

  • Tone at the top: CCOs should not operate in a silo. Management needs to collaborate and understand risk.
  • The compliance program should be dynamic. Companies should review SEC alerts throughout the year and annual SEC priorities, dissecting recent cases. They should apply these learnings to policies, incorporate them into testing, and show that policies are current and that you’re paying attention.
  • Testing: Companies should have business units that hold responsibility for this, and it should be rotated with periodic testing of different areas.
  • Training: This is not just about ensuring employees understand the rules, but it also protects CCOs and management.
  • Mock reviews: These give an independent look, so CCOs have a fresh perspective. It’s better the firm can discuss internally what employees plan to say to SEC examiners before the employee digs a hole that could have been avoided.

SEC Counsel Roberta Vassallo added this preparation should start before the SEC comes knocking. - DeAnn Orie

The session “Risk, regulation, and reaction: The 3 Rs of cyber-security” featured a panel of four cyber-security experts from consulting firm AlixPartners. The discussion focused on evolving cyber-risks and new developments in the area, including cyber-insurance.

Regarding fallout from COVID-19, Managing Director Tim Roberts made an interesting point: Firms with tech-savvy personnel may encounter difficulties if they try to place new restrictions on their workers. “Your employees are all innovative—if you set rules they can’t live with, they will find ways to work around them,” Roberts said.

Reminds me of my days using proxy servers to get around the middle school firewall. Shh, don’t rat me out. - Kyle Brasseur

1 p.m.: Data & analytics: It’s about the journey

Data and analytics journey

Dheeraj Thimmaiah, global director of ethics and compliance at Anheuser-Busch InBev, offered the first few steps along the journey of embracing a data analytics program, like BrewRIGHT:

1. Test the problem and start small. AB InBev piloted a simpler version of its data analytics program as a binary, rules-based test in India and China first.

2. Build in-house and ramp up the skill set. When the pilot succeeded, AB InBev hired more data engineers, data scientists, and UX specialists to grow the program.

3. Begin a phased rollout. BrewRIGHT was rolled out regionally. - Aly McDevitt

When building an in-house data mapping program, Thimmaiah suggested the first skill set to tap is that of a business analyst. “Mapping the business problem to the data you need” is key, Thimmaiah said. Also important is the input of data specialists as opposed to strictly legal professionals. “You can have all lawyers on the team, but the way to move forward is to have a variety of skill sets,” he said. - Kyle Brasseur

11:30 a.m.: Compliance in 2030


Ann Chaglassian, CCO for the Americas at Mercer, talked about how to effectively utilize rewards. “It’s easy to say nonretaliation,” she said, but employees who have the courage to step forward need to be rewarded and recognized to encourage peers to do the same.

Chaglassian said you see it a lot with the new workforce. These employees want to work for a company with values that “stand for something more than quarterly earnings. They want to take pride in what they are producing.” - DeAnn Orie

“The ethics piece of compliance is often undersold,” said ContourGlobal CCO Stuart Altman. Such an approach can prove costly for companies, particularly regarding ESG.

“I think there’s going to be growing connections between the ESG world and the compliance and ethics world, because I don’t think you can do one without the other,” Altman said.

Valerie Charles of StoneTurn concurred, noting she’s heard of many compliance officers having ESG added to their plate. Some have struggled to grasp the concept, but “the great compliance officers already know how to do it,” Charles said. “This is just one additional piece, and they are well-equipped to do it.” - Kyle Brasseur

11:00 a.m.: Continuing the discussion

Colin Henderson of OneTrust talked more about cyber-security in a fireside chat with CW’s Aly McDevitt.

Aly asked Henderson how much should companies “strong-arm” employees’ return to the office from a cyber-security standpoint.

“I think if given the world we’re in now, as companies are looking at that internally, the realization is we’re not going to be able to require everybody to come back,” Henderson said. He cautioned, however, that as people go back out into the world to work and leave the home office, they will need to be more aware of how to keep information safe. - DeAnn Orie

Reflecting on this past winter’s SolarWinds hack, Henderson said companies will need to enhance the granularity of their vendor and supply chain risk management processes to preempt cyber-attacks of that particular variety and caliber from happening again.

Henderson believes that in the post-pandemic work environment, companies will need to focus on utilizing technology and building culture to ensure there isn’t an unlevel playing field between employees who opt to work in the office and those who work from home. - Aly McDevitt

10:00 a.m.: Privacy in the boardroom

Privacy in the boardroom

Ryder System CCO Pilar Caballero discussed the importance of document retention. She noted the importance of not only considering what the end user has, but also thinking about shared files—what’s on your desktop, your platforms, etc. “Make sure the company is looking at it in a very broad perspective and is incorporating a document retention schedule,” she said.

Colin Henderson of OneTrust added what most organizations aren’t good at holistically is managing data. “There’s a fear in most organizations about purging data,” he said. - DeAnn Orie

“It’s entirely unsexy to talk about data retention to anyone, but it’s incredibly important,” said Cynthia Cole, a partner at Baker Botts. The panel discussed key metrics to track in order to demonstrate success, which help beyond reporting up to senior management.

“More and more of our customers are requesting information on our privacy program,” said Caballero. “Sometimes it’s the differentiator between getting the business and not getting the business.” - Kyle Brasseur

If acquiring another business, best to make sure you’ve already built privacy into the process, noted Henderson. “Have privacy requirements and the processes baked into the beginning, or you will pay out the nose later to retrofit.” - DeAnn Orie

9:00 a.m.: Mary McNiff Q&A

Mary McNiff CW2021

Appointed chief compliance officer at Citi last summer, McNiff said she has taken a “listen-to-learn” approach to picking up the job. Like many others in the profession, she didn’t see herself getting into compliance but has enjoyed taking to the role. - Kyle Brasseur

McNiff: “Diversity of thought means diversity of mind and really gets the best answer.” - DeAnn Orie


McNiff discussed the importance of the compliance practitioner being a first responder in terms of staying on top of changing regulation and being cognizant of “constant change.”

Speaking on ESG mandates, McNiff said the challenge is in getting a climate risk management perspective in addition to the compliance perspective. - DeAnn Orie

In her new role, McNiff has looked to modernize Citi’s systems. One way she’s done this is by asking “but why” when others explain to her “this is the way we’ve always done things.” The question has helped pave the way to the bank updating its controls. - Kyle Brasseur


McNiff talked about Citi’s “reverse mentor” program in which she has eight people in various positions and locations throughout the bank who give her advice and feedback on how bank initiatives and procedures are being viewed by the rank-and-file. They regularly text and email her, and she asks them questions as well. “It keeps you fresh in terms of how you’re thinking about things,” she said. - Aaron Nicodemus

Having a “save me” word is key. McNiff said her children would often text her “apple” if they were somewhere in need of help, and she would come right away. This is an anecdote she’s shared with her team; she has received the same “apple” call for help from colleagues when they were in a sticky situation. - DeAnn Orie

McNiff’s advice to younger compliance officers is to never turn an opportunity down. “I think that’s why I’ve ended up moving around the world.” she said. Indeed, her company bio touts her experience across markets in Hong Kong, Singapore, Australia, London, Latin America, and the United States. - Kyle Brasseur

7:00 a.m.: Day 2 preview

Hello, all! The second full day of our National Conference is set to kick off in two hours with a keynote from Citi CCO Mary McNiff. The day’s slate also includes a fireside chat with Colin Henderson of OneTrust, along with sessions on compliance in 2030, privacy in the boardroom, preparing for investigations, and more.

Stay tuned for updates to this blog throughout the day, and catch up here if you missed out on yesterday’s events. - Kyle Brasseur