The following is the first of 13 installments from the 2015 Risk Forecast Report from LRN’s Ethics and Compliance Alliance (ECA). Catch all future installments right here on CCI, posted every other week.
On September 22, 2014, the U.S. Securities and Exchange Commission generated headlines with the announcement that it was awarding more than $30 million to a non-U.S. resident who had supplied the agency with “key original information” that led to a “successful enforcement action.” The SEC didn’t identify the tipster or the case involved.
The award was the largest made by the SEC’s whistleblower program since its inception three years earlier and was more than twice as much as the highest previous award of $14.7 million in 2013. It was also the fourth award given to a whistleblower living in a foreign country.
To leading securities law expert Bradley J. Bondi, a partner at the law firm of Cadwalader, Wickersham & Taft—who wasn’t involved in the case—the SEC’s record-breaking award “is a game-changer and likely will be the tip of the iceberg for awards to come.” Bondi believes the agency’s whistleblower program is “changing the corporate compliance landscape and requiring companies to work harder to ensure internal reporting.”
Bondi’s insight regarding the SEC’s whistleblower program is just one highlight of this 2015 Risk Forecast Report from LRN’s Ethics and Compliance Alliance (ECA), which features top-flight insight and analysis from ECA experts such as Bondi reporting on a dozen subjects critical to the work of ethics and compliance (E&C) professionals. As they do every year, our ECA panel members identify hot-button concerns and notable trends while also offering suggestions on how to manage increasingly complicated E&C risks.
This year’s Risk Forecast Report features a first-time look at healthcare, with a focus on information security. As you’ll see, digital technologies and data security are also a concern in industries throughout the global economy. Regulators continue with a watchful eye on traditional risk areas such as antitrust and government contracting. Global political crises (giving rise to U.S. government trade sanctions against Russia, for example) and changing social mores (more liberal local marijuana laws) are only two examples of the many factors that should be on the radar of E&C professionals in 2015, according to our ECA experts.
Familiar Risk, New Emphasis
Regardless of the subject, the stakes remain high for companies and their ethics and compliance programs. ECA expert Matteson Ellis (Anti-Bribery and Corruption) says federal prosecutors are signaling a determination to continue robust enforcement of the U.S. Foreign Corrupt Practices Act (FCPA), for example, often with aggressive investigative techniques traditionally reserved for organized crime and drug cases. He quotes one U.S. Justice Department official: “Corporate executives should wonder who is listening in on their calls and conversations.”
The White House reports that, since 2009, the United States has resolved criminal FCPA cases against more than 50 corporations worldwide and has collected penalties of approximately $3 billion. While only four countries—the United States, Germany, the United Kingdom, and Switzerland—pursue what’s been called “active enforcement” in anti-corruption matters, Ellis reports that countries like Brazil, the Netherlands, Canada, and China show signs of increased attention to countering transnational bribery, albeit in different ways.
According to Ellis, in addition to the traditional earmarks of E&C programs—“tone from the top, codes of conduct, policies, training, third party due diligence, internal reporting mechanisms, and other basic components”—enforcement authorities want to know whether companies are performing formal corruption risk assessments to understand their profiles in detail. It’s also important that anti-corruption programs be tested and audited, be “internationalized” with language adaptations, and respond to multiple international legal regimes beyond that of the U.S. FCPA.
The Justice Department isn’t the only agency looking at FCPA violations. Over at the SEC, reports Bondi (SEC Enforcement and Compliance Priorities), officials have made it clear that “no industry, region, or country is immune from FCPA or corruption issues.” What’s more, the SEC may start bringing FCPA cases in administrative proceedings in which defendants have limited discovery and tight time constraints. Administrative proceedings are heard by an administrative law judge employed by the SEC. There is no right to a trial by jury in an administrative proceeding, according to Bondi.
Audit Risks
As electronic records become more popular in patient care, Marti Arvin (Healthcare Privacy and Information Security) warns that in 2015, healthcare organizations face a greater risk of privacy and data security audits conducted by the Office of Civil Rights (OCR) of the Department of Health and Human Services. While an audit could focus on many different areas of inquiry, according to Arvin, a healthcare organization should be prepared to provide the details of its risk analysis process, the process for granting a patient access to their personal information, and the notification process in the event of a data breach.
Arvin says the OCR has become much more aggressive in its enforcement actions. The first resolution agreement signed with a healthcare organization in 2008 was for $100,000; in 2014, the largest resolution agreement was for $4.8 million.
A growing risk in healthcare—and identified by several ECA experts as a concern in other industries—is the trend of allowing employees to access organizational data using their personal electronic devices, tablets, and smartphones. This so-called “bring your own device” (BYOD) approach carries considerable risk, experts say, with data security at the top of the list.
Dealing with Digital
Indeed, the explosion in digital data, cloud computing, and new communications technologies is the focus of three articles in this year’s report.
Mike Salvarezza (Records and Information Management) says the digital revolution has triggered “fundamental” challenges for organizations and how they handle information. With many industries increasingly turning to “big data” analytics to learn insights that were previously inaccessible or unknown, basic questions are being asked: What is a record? Where are records located? And what should be managed, preserved, and disposed of in the world of “big data” analysis? Information security is a fundamental concern, according to Salvarezza, who cites recent massive data breaches at high-profile companies such as Home Depot, Target, and JPMorgan Chase.
Keeping abreast of international laws and regulation regarding data protection is no small task, notes Robert Bond (Global Data Protection and Information Security). The U.S. has no single federal data protection law, but it does have a number of sector-specific laws and regulations. In contrast, legislators in Europe are close to finalizing a broad new data protection regulation that would affect all EU members. Meanwhile, other countries around the world, including South Africa, Colombia, Malaysia, South Korea, and Singapore, have passed data protection laws with many similarities to that of the European Union.
And social media networks, such as Facebook, Twitter, and LinkedIn, continue to present E&C executives with enormous challenges on a global scale, reports Michael Connor (Social Media). Employees are using these new platforms for personal business (on and off the job) even as more companies increase their use of social media to increase brand exposure, boost web traffic, and gain market insight. By one estimate, according to Connor, social media marketing budgets are projected to double in the next five years.
Competition & Contracts
Ted Banks (Antitrust and Competition Law) suggests that E&C executives need to do more than tick the boxes in looking at their companies’ antitrust policies and practices. One reason: Justice Department officials have said it’s “unlikely that a corporate defendant’s pre-existing compliance and ethics program will be considered effective enough” to mitigate a potential sentence if the program failed to prevent the company from violating antitrust laws.
Trade associations are one key source of antitrust violations, according to Banks, because association meetings are sometimes used to facilitate price-fixing conspiracies. His suggestion: make sure your trade associations are monitored and that people who participate in the meetings understand what they can and cannot do at those meetings.
The continuing threat of U.S. government budget “sequestration” translates into intense competition for contracts and a need for strict compliance with procurement rules, writes Scott Arnold (Government Contracts). Companies holding cost-type government contracts or contracts involving the submission of cost and pricing data have been facing increasingly aggressive government audits in recent years.
“Contractors sometimes need to choose between refusing unjustified auditor requests, which entails the risk of alienating the auditor or even being accused of impeding an audit, or simply complying with the request,” Arnold writes. “Contractors with strong ethics and compliance programs are in the best position to navigate these issues with limited exposure.”
Sanctions and Bullies
If your company exports goods, Marian Ladner and Thomas P. Scott III (Trade Compliance) say the changing landscape of U.S. export controls and geo-political developments require you to be “vigilant and nimble” in adapting export compliance programs to meet the new challenges presented. In 2014, the U.S. Departments of Commerce and State continued to implement the President’s Export Control Reform Initiative, which includes the movement of low-level defense articles from State Department jurisdiction to Commerce Department jurisdiction.
Meanwhile, the U.S. Treasury Department is administering long-standing embargoes against a number of countries, including Cuba and Iran. New sanctions imposed on Russia in 2014, following its activities in Crimea and the eastern part of Ukraine, are layered and complex. “The result,” say Ladner and Scott, “is that any potential transaction with Russia requires significant due diligence to ensure there is no violation of the targeted sanctions currently in place.”
In the workplace, Marcia Narine (Labor) highlights legal disparities involving a familiar weed: marijuana. She reports that employers are increasingly caught between state laws regarding marijuana (which are becoming more liberal) and federal law (which still deems marijuana illegal). Because of the federal position, most employers have not changed their drug-testing policies for applicants and current employees; but many employees don’t realize that legal, off-duty use of marijuana can still run afoul of their employers’ policies.
Bullying in the workplace is also attracting attention. One survey found that half of human resources managers admitted that bullying occurred in their workplace. Narine says that in 2014, Tennessee passed the nation’s first workplace bullying law, covering public sector employees; a new California law requires employers to train on abusive conduct even though workplace bullying is not illegal in that state.
Managing the E&C Program
Does organizational structure affect the success of an ethics and compliance program? Rebecca Walker (Program Management) says yes, though each organization needs to decide what’s most appropriate to achieve its goals. Walker examines arguments for and against locating the E&C function within the Legal Department—a common practice at many companies—while also highlighting the potential value of increasingly popular E&C “liaison” networks within organizations.
E&C liaisons are employees who typically have important responsibilities, sometimes part-time, for implementing the E&C program in their geographies or business units; when liaisons have a solid-line or even a dotted-line reporting relationship to E&C, the likelihood of creating a successful E&C network is significantly increased, according to Walker.
“Liaisons can help make E&C programs more relevant to the local business they serve,” she writes. “They can provide critical input to the E&C office regarding the effectiveness of the program ‘on the ground,’ and they often play an important role in implementing certain aspects of the program, such as rolling out training, receiving reports of suspected misconduct, and conducting E&C investigations.”
In her analysis, Marsha Ershaghi Hames (Education and Communications) recommends that companies consider employing Blended Learning, an education strategy that adopts mixed modes of learning tools and resources to create a personalized, more relevant type of learning. “A good Blended Learning strategy,” she writes, “must incorporate more interactive, engaging activities in which learners work together to solve problems, reflect on real-life situations, and ‘take ownership’ of the learning process.”
The Program vs. the Journey
Identifying risk is only one part of the challenge for E&C professionals, of course. At LRN, we believe that accomplishing a goal of effective compliance requires an organization to implement governance, culture, and leadership in a systematic and comprehensive way. That requires becoming deliberate about shaping your culture as fundamental to corporate strategy, and seeing culture itself as a strategy for winning. Journeys are more arduous than programs, but they can be pursued with similar rigor and discipline.
We hope you’ll see this 2015 Risk Forecast Report as a valuable resource. If you’d like to speak with any of our ECA experts about any of their articles, or if you’d like assistance from our ECA staff on any matter, please don’t hesitate to reach out. We’d be delighted to lend a hand.