The 13th annual Compliance Week national conference is in the books after three days of thoughtful discussion, insightful commentary, and best practices from some of the top thought leaders in the compliance field.
It was a masterclass in ethics and compliance for this first-time attendee, one that’s difficult to sum up due to the sheer volume of quality learning opportunities. Nevertheless, we’ll give it a try—here are my 10 takeaways from Compliance Week 2018 (with contributions from CW’s Jaclyn Jaeger, Joe Mont, and Tammy Whitehouse … hey, I can’t be everywhere!):
1. DAG shows a sense of humor: The highlight of the conference was the opening keynote by Deputy United States Attorney General Rod Rosenstein, who kicked things off Monday less than 24 hours after President Trump demanded the Department of Justice investigate whether the FBI surveilled his 2016 presidential campaign for political purposes. Rosenstein, who is heading up the Mueller investigation into Russian interference in the 2016 election, has been a popular target for Trump.
To his credit, Rosenstein didn’t hide from the fact that he was in Trump’s crosshairs once again. In fact, he seemed to embrace it with a tongue-in-cheek comment that acknowledged the elephant in the room. He started his speech with an anecdote about J. Edgar Hoover needing to be snuck out of the restaurant at the historic Mayflower Hotel (site of the conference) after people would gather to watch him eat.
“When I got this job I remember being grateful that I would not have to worry about that sort of thing,” Rosenstein deadpanned, drawing laughs from the audience. “Deputy attorneys general are very low profile and tend not to be recognized. If they’re remembered at all, it’s usually for the memos they write—about corporate fraud.”
2. How the DoJ defines cooperation: In discussing the benefits of self-reporting an FCPA violation, Rosenstein was pretty clear about what the Department of Justice takes into account when considering how harshly to penalize a corporation.
“When companies come in and it’s clear that they’ve been guilty of wrongdoing, because corporate employees have violated the law, they always portray themselves as victims—‘Our company tried to do the right thing, we had appropriate compliance measures, we hired a rogue employee who violated the rules,’ ” he explained. “Our position is, if you want to be treated like a victim, we expect you to act like a victim. Someone who’s a victim of a crime is going to be eager to assist the government in catching the perpetrator. A company that comes in early and discloses misconduct, that cooperates with us in pursuing individual violators and takes remedial action to ensure it won’t happen again is going to get the most consideration when we determine whether or not to pursue charges and what sort of financial penalty to exact.”
3. Top VW ethics officer direct and forthcoming: You typically see a lot of spin coming from a company digging out of a scandal; and make no mistake, there’s definitely a sense that Volkswagen is conscious about communicating to the public how it is cleaning up the mess it made. But there was no mincing of words by Volkswagen Head of Integrity and Legal Affairs Hiltrud Werner, who was refreshingly forthcoming in a keynote discussion about the steps the company is taking in the wake of its diesel emissions scandal.
“When you look at things from a bird’s eye view, we cheated. Yes. We lied to regulators. Yes. We covered it up,” Werner said. “We need to tell everyone that there is a red line that should never be stepped over. It is crucial for the company’s culture that everybody understands that even if this time the scandal was kicked off in technical engineering, and you may not have been affected, it is still important that you work toward having a scandal-free organization.”
Werner, who very much has a seat at the table at VW as a member of the board, stressed that while the company is focused on moving forward, the diesel scandal should stand as a reminder that compliance should never be compromised again.
“It is important for us to understand that the diesel scandal will forever be a part of the history of this company,” she said. “We cannot ever have a day where we can check a box and say, ‘OK, we never need to talk about it anymore.’ There will always be lessons we need to learn from it, even in the future. No one should ever forget.”
Volkswagen still has a ways to go, but they seem to have the right person leading them on the path to recovery.
4. Best practices for handling harassment claims in the era of #MeToo: Perhaps the most top-of-mind topic of the week was discussed at Wednesday morning’s keynote—sexual harassment in the workplace. The message from the panel was that ethics and compliance officers, human resource departments, boards of directors, and senior executives need to reexamine their efforts in dealing with claims as employees are making their voices heard like never before. Sexual harassment training needs to be revamped (and should include the board as well). Policies must be rewritten. The ethics of non-disclosure agreements should be addressed. Most importantly, companies should examine whether they truly have a culture of transparency, one in which leadership takes punitive yet proportionate action when egregious behavior is found and people are not afraid to come forward for fear of retaliation.
“You’ve got to create a positive feedback loop, in which people (who have reported harassment) are thanked, people are protected from retaliation,” said Equal Employment Opportunity Commission Head Chai Feldblum. “The only way to do that is to hold accountable those who have engaged in retaliation.”
5. GDPR—ready or not, here it is: Even as GDPR takes effect Friday (!), the general consensus from the conference panels in which it was discussed is that most companies cannot say with any real certainty that they are fully prepared. Many companies are doing their best from a proactive standpoint but may have to adjust their GDPR implementation strategy as they wait with bated breath to see what legal actions arise and how regulatory bodies respond.
6. Make sure you’re prepared for a data breach: There was a sense of inevitability in a conference breakout session on how to best be prepared for and respond to data breaches. The key consideration is not if your data will be breached, but rather how you react once you discover a breach has occurred. Just as important as a compliant data protection system is a contingency plan for how your company will react when a breach is discovered. That plan has to include training at all levels of the organization and a strategy on how to protect your brand’s reputation, how to report the incident to regulators (and cooperate with their subsequent investigation), and how to react when privacy advocates and competitors put you in their crosshairs.
“There’s no right way to handle a data breach,” one panelist explained. “There’s only a less-wrong way.”
7. Tackling the relationship between HR and compliance: One theme that stuck out in several sessions in Washington, D.C., was the sometimes-adversarial relationship between the human resources and compliance functions of an organization and how the two can work together more productively. Though there were a few anecdotes relayed of harmonious relationships between the functions, the overall sense was that compliance officers in general weren’t always feeling the love from their counterparts in HR. During the conference-concluding “Compliance 4.0” panel, the audience was asked which business silo presented the biggest challenge for compliance. HR was the most popular answer at 31 percent, followed by IT at 21 percent. Cooperation between the HR and compliance functions is critical, especially when it comes to issues like sexual harassment.
“No function is more important to a compliance officer than HR,” said Joel Katz, a panelist for the Compliance 4.0 session and SVP, chief counsel, and chief ethics & compliance officer at CA Technologies.
So how do you go about fostering a more constructive relationship with HR? The panel suggested that compliance practitioners “look inward” and ask themselves if they’re doing everything they can to be a good partner with HR and take responsibility for smoothing any rough waters.
In another session on cross-functional compliance, a panelist described how he patched up a relationship that needed fixing. In short, he extended an olive branch. He approached the individual, took responsibility for the adversarial relationship, and suggested a way to move past it that ended up working for both parties.
8. Data as a powerful tool for compliance: Panelists at a “Compliance Data Machine” session shared tips on how they have developed innovative uses for data to better strategize an approach to compliance and even make a case for added resources. Tammy Whitehouse explains further in a blog post from the session.
9. Using positive reinforcement to encourage compliance: We’re all familiar with the “carrots work better than sticks” axiom that suggests positive messaging works better at getting someone to comply than negative reinforcement; a study cited by brain science guru Christopher Adkins of the Notre Dame Deloitte Center for Ethical Leadership demonstrates how to use it to enforce a compliance directive.
The Clinical Infectious Diseases Journal conducted a study at a Long Island, N.Y., hospital’s ICU that showed compliance with an order for workers to wash their hands within 10 seconds of entering or leaving a room was at just 6.5 percent, even though cameras were installed specifically for monitoring them. Researchers subsequently tried a different approach—installing screens that congratulated workers after they washed their hands and even displayed where they or their team ranked in hand-washing compliance compared to others in the hospital. This strategy saw compliance with the hand-washing rules jump to a whopping 81.6 percent, a meteoric rise Adkins explained was the result of both the positive reinforcement and the added social pressure to keep up with how other groups were performing.
Keep that in mind when trying to enforce penalties when employees don’t complete their compliance training on time. Instead of calling out those who haven’t followed through, why not try rewarding those who are compliant and spotlighting them for the company to see?
10. Spirit of cooperation pervasive at CW 2018: This being my first Compliance Week conference as editor in chief, I wasn’t completely sure what to expect. What surprised me most wasn’t the top-notch quality of the speakers or the talented behind-the-scenes crew that put the conference together, it was the pervasive spirit of collaboration among the attendees. When you boil it down, the compliance field is filled with individuals whose job it is to do the right thing and to put structures in place to make sure their companies do the same. It was refreshing to see so many people eager to share best practices with each other, despite the fact they worked for competing companies that sometimes fight for the same clients.
If you’re in the compliance field and haven’t attended one of CW’s events, I’d highly recommend giving one a try. We have our second annual Technology Innovation & Compliance Summit coming up in Boston on June 26 and a Sanctions Risk Management Conference on deck for Oct. 15-16 in New York City.
And, of course, I’d be remiss if I didn’t mention the dates for our next annual conference—May 20-22, 2019, back in Washington, D.C.
Hope to see you there next year!