Anticipating and Planning for the Next Big Compliance Issue: Results of the Society of Corporate Compliance and Ethics 2009 Interactive Workshop Series
6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States
+1 952 933 4977 or 888 277 4977
www.corporatecompliance.org
1 www.corporatecompliance.org
Results of the SCCE 2009 Interactive Workshop Series
Introduction

Over the last few years the compliance community has had to adjust to successive waves of changes in priorities as “new” compliance issues are identified. After sitting for several years on the books but unenforced, the Foreign Corrupt Practices Act (FCPA), seemingly out of nowhere, became a top enforcement priority. Backdating of stock options, which had grown to be a standard within Silicon Valley, didn’t pass the smell test and had to be quickly abandoned, with the hope that no legal lines had been crossed. CEO pay and even sales retreats have come under scrutiny, and most recently, antitrust and insider trading have suddenly grown to be focus areas for the government.
With each new issue that arises, compliance teams are forced to scramble to put in place programs to manage this new, suddenly hot risk area. Training must be developed, broad communication plans are put in place, systems are examined, controls are implemented and tested. Yet each of these responses is reactive, which means there is a gap between the controls in place and the risks that exist.
To help change the dynamic the Society of Corporate Compliance and Ethics conducted a series of interactive workshops in 2009 to:
1. Identify what the next big issue is likely to be, and
2. Determine how to appropriately respond to the issue when it arises.
These workshops took place in Los Angeles, New York, Minneapolis and Denver, and three separate workshops were conducted during the Compliance and Ethics Institute in Las Vegas.
There was a third, and perhaps more important purpose for these sessions: to find the common elements of the solutions developed in order to create a framework that compliance professionals could use to meet virtually any new challenge. Put another way, the goal was to answer the question: how can I be prepared no matter what new risk comes my way?
Methodology

Each workshop was broken into teams of eight people or less. The teams were then charged with brainstorming new potential issues that may arise to challenge the compliance community. The teams then reported their list of potential issues out to the group as a whole.
The ideas were collected, and then each person was given three votes to assign to the issue or issues that they thought were most likely to pose substantial compliance risks. Individuals could vote for three different issues, give three votes to one issue or otherwise divide their votes.
After the voting was completed each team was assigned one issue. They were then charged with determining what would be needed to manage the compliance risk identified.
Their recommendations were then reported out to the workshop as a whole.
Issues

The workshops identified a wide range of potential issues—see Appendix I for the full list—ranging from new regulations to those relating to the social compact.
The following issues were selected by teams in various cities as the most important issues to be addressed:
• Technology crash
• Privacy compliance/security of personal information
• Green Revolution
• Government activities on the fly
• Web 2.0 & social media
• Disparity between executives and the rest of the workforce
• Strengthening the social contract
• Data breach
• Outsourcing risk to less-regulated markets
• Disasters and pandemics
• Stakeholder involvement and oversight
It should be noted that some of these were identified and selected in several cities, especially social media and data-related issues.
There was tremendous anxiety over how to handle the fast-changing world of LinkedIn, Facebook and Twitter. Companies have not yet developed policies in this area, as our 2009 survey on the issue showed. The risks are not fully understood and controls are weak to nonexistent.
By contrast, data protection and privacy, which is by no means a new topic, is one that participants feel will continue to evolve in new and unexpected ways.

Managing the Issues

Each team, as noted above, was charged with planning how to manage one of the issues. To help them in this effort they were given a sheet of paper with questions to answer:
• What aspect of this issue is likely to cause the greatest trouble for organizations?
• What kind of changes in policies are needed by organizations?
• What would you need to do to change behaviors?
• What additional resources (physical and human) would you need?
• What kind of controls would be needed?
• How would you audit these controls?
Each team answered as many of the questions as possible in the time allowed.
Findings
Appendix II contains the notes made by team members for the issues that they were assigned. Not surprisingly, different issues tended to call for unique approaches. Yet the variations were far less significant than might be imagined. Instead, what was most striking were the commonalities in approach to solving new compliance issues.
These commonalities were:
• Focus on communications in its many forms. For virtually every problem, at least one communication element was identified as central to developing a risk management effort. Because helping employees to understand what the company’s expectations are was identified as critical, training was repeatedly cited as being an essential part of the solution.
• Understand your IT resources, including their strengths and weaknesses. Whether looking at social media, data privacy or recovering from a natural disaster, IT was cited repeatedly as a critical resource that is often not well-understood by the compliance team.
• Plan on reexamining company incentives. Incentives exist to encourage employees to behave in ways which the company desires. When a dramatic change occurs it is essential to revisit the company’s incentives structure and ensure it meets the needs of changing times.
• Review what you do in-house or rely on third parties for. As new situations evolve, needs change. It is critical that outsourcing requirements are reviewed at times of transition to ensure that resources are aligned properly. In addition, it may be valuable to proactively examine the in-house/outsourced equation to determine if it will likely provide the company with the flexibility it needs as new issues arise.
• Plan on working with others. HR, Internal Audit and peers at other companies will likely be essential when new issues arise. A go-it-alone approach is not likely to be successful and may be counterproductive. As a result, it is essential to build relationships before a new crisis emerges.
Conclusion

It is clear that the compliance profession will be marked by change over the years to come. Predictable changes such as shifts in priorities by the Department of Justice will continue to argue for new approaches, sometimes dramatically so.
In addition, new risk areas will continue to emerge. Privacy, and how we define it, a new generation of workers, and the rise of social media are already causing unpredictable changes to how risk is managed.
Yet the consistency of the approaches to managing hypothetical new risks suggests that compliance professionals do not need to wait for a new issue to arrive to begin preparing for it. Identifying key resources for communication, IT, and compensation structures can begin long before a game-changing compliance issue arises. Likewise, compliance professionals can begin building out their network within the organizations in which they work—and with outside compliance professionals—so a support network of resources is in place well before those resources need to be leveraged to stem a crisis.
Appendix I

Potential Issues Identified
• Third party security in foreign countries
• Privacy and personal information—what’s on Facebook
• Gifts and conflicts of interest
• Technology crash
• US becomes a follower rather than leader
• Disclosure burden on products
• Offshore taxation
• Global enforcement
• Independent contractors
• Green regulation
• Board oversight
• Genetic engineering/artificial intelligence
• Government information requests
• Non-traditional stakeholders
• Web 2.0 & social media
• IP abuse
• Products provided to Third World that don’t meet US standards
• Stock buybacks
• Data collected by companies that subsequently go out of business
• Employee privacy and data breaches
• Globalization: training, policies and gifts & entertainment
• Economic crises leading to more government activity “on the fly”
• Regulatory agencies becoming enforcers
• Generation Y and their ideas of confidentiality
• Working with aging baby boomers
• Carbon emissions
• Effectiveness of the board structure
• Double standards: executives vs. rank and file
• Innovation outstripping regulation
• Collapse of faith in regulations and regulators
• Changes in generations: values shift
• Outsourcing risk to less-regulated markets
• Erosion of faith in government
• Identity theft
• Privacy
• Collapsed time from incident to news
• Change in employee-employer relationship
• Use of Social Security numbers as identification
• Cutting corners on quality
• More tariff-based regulations
• Disasters & pandemics
• Unintended consequences of new laws
• Information management
• Knowledge transfer/succession across workforce as baby boomers retire
• Retired in place
• Social networking
• Time/location flexibility
• Stakeholder involvement
• Single player
• Corporate espionage
• Offsite data storage
• Technology implemented without testing
• Data breach
• Commercial bribery
• Multinational vetting of own operations
• IT security
• Soliciting vendors for charitable gifts
• Investigation abuses
• Negligent supervision
• Breakdown of social contract between workers and the company: I’ll be gone, you’ll be gone
Appendix II
Solutions to Individual Compliance Issues
Notes from Team Write-Ups

After being assigned a potential issue to solve, each group was given a form outlining areas of consideration. Below are the notes taken by the designated note taker on each team.
Please be aware that some issues were identified several times and, as a result, there may be more than one set of notes for a given issue.
Briefly State the Issue You Are Solving
Privacy: understanding the data privacy risks for an organization.
How Would You Solve This?
Controls
What aspect of this issue is likely to cause the greatest trouble for organizations?
Transparency: Where is the data being stored once collected?
What kind of changes in policies are needed by organizations?
Data collected, define storage, access to data, retention of data.
What would you need to do to change behaviors?
Know the data owner and collector, and who can request access to the data. Then training.
What additional resources (physical and human) would you need?
Training, resources to manage people, systems, document retention software, report writer—audit.
What kind of controls would be needed?
Audit of processes: collection and identify system
Controller does audits
How would you audit those controls?
Controller leads audits
Briefly State the Issue You Are Solving
Technology crash
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Daily operations come to a halt.
What kind of changes in policies are needed by organizations?
Backup plan
Systems security—instructions to keep hackers out.
Have resources on hand.
Identify alternative platform and contractor before crash hits
Communication plan—all stakeholders
What would you need to do to change behaviors?
Security policies
Educate staff on need for patches, etc.
Getting management buy in to spend preventive resources.
What additional resources (physical and human) would you need?
Security systems, educated staff, qualified contractor in place.
Have a philosophy on how resources spent—first do no harm
What kind of controls would be needed?
Annual health check and risk assessment.
Have contractor help design.
How would you audit those controls?
See above—have IT security staffer monitor, “ethical hack” on a periodic basis to stress-test the IT system.
Briefly State the Issue You Are Solving
Technology crash
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Data information, consumer confidence, re-creating data, business interruption, couldn’t give government what it needs.
What kind of changes in policies are needed by organizations?
Back up policies
Crisis management policies
Record retention policies
What would you need to do to change behaviors?
Quantify impact
What additional resources (physical and human) would you need?
IT
Back up data center
Third party
What kind of controls would be needed?
Auditing
Testing
Crisis Management
How would you audit those controls?
Testing
Briefly State the Issue You Are Solving
Privacy compliance/security of personal information
How Would You Solve This?
Technology/information security
What aspect of this issue is likely to cause the greatest trouble for organizations?
Aspects involving human error
Technology: rapidly changing, and can’t keep up
Obsolescence of technology: control investment
Cost of compliance
What kind of changes in policies are needed by organizations?
Privacy: employee website and third party vendors
Data security
Special consideration: health, financial, children’s
What would you need to do to change behaviors?
Raise awareness of reputational risk, fines, penalties, criminal prosecution, PR and government investigation
What additional resources (physical and human) would you need?
Technology: software, encryption, information management, record retention
What kind of controls would be needed?
System capability to detect
Ongoing due diligence
How would you audit those controls?
Spot audit
Hack/mock hack—physical and electronic
Technology, password protection cracker
Briefly State the Issue You Are Solving
Privacy and personal information
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Lawsuits for breaches in privacy.
What kind of changes in policies are needed by organizations?
Information security policy
Encryption
Internal controls
What would you need to do to change behaviors?
Education
Mandatory disclosure of breaches
Enforcement, sanctions
Incentives for greater protection
What additional resources (physical and human) would you need?
IT
HR
Compliance
What kind of controls would be needed?
Risk assessments
Intrusion detection
Lock-down removable media
Physical access security
How would you audit those controls?
System tests
IT Audits
Compliance testing
Briefly State the Issue You Are Solving
The Green Revolution
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Establishing the standard. Identifying criteria to meet the standard. Developing consistent standards.
The cost and realizing it will be different in each area.
What kind of changes in policies are needed by organizations?
Changes in procurement policy
Buying/selling energy credits
Changing the way you do business
Willingness to commit resources
Cost/benefit
What would you need to do to change behaviors?
Give people incentives
What additional resources (physical and human) would you need?
More money
Third party resources
What kind of controls would be needed?
Monitoring
Training
How would you audit those controls?
Hire environmental engineers to review and assess
Briefly State the Issue You Are Solving
The Green Revolution
How Would You Solve This?
1. Panel: what can your business do to help?
2. Incentives: tax/economic credit, curb emissions
3. Marketing benefits: Baldridge type award
4. What does it mean to be green? No standard like the Sentencing Guidelines
5. Behavior/education: make it palatable
Briefly State the Issue You Are Solving
Government issues regulations on the fly
How Would You Solve This?
Values based rather than compliance based
What aspect of this issue is likely to cause the greatest trouble for organizations?
Corporate buy in
Staying on top of issues
Training: policy development, implementation
Downstream to employees, vendors, monitoring
Self reporting—putting spotlight
What kind of changes in policies are needed by organizations?
Values based incentives and discipline: violate value rather than policy #3.
Proactive approach rather than reactive
Systematic approach, tracking.
What would you need to do to change behaviors?
Values based rather than compliance based
What additional resources (physical and human) would you need?
Internal resources: make team experts in their area
Trade associations: use as resources—join, become involved
Outside experts: ad hoc basis—in certain areas
Redeployment of internal experts
What kind of controls would be needed?
How would you audit those controls?
Briefly State the Issue You Are Solving
Web 2.0
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
IP, insider info leakage
“Mob” potential—beat up on an employee
Unintentional infringement on privacy
What kind of changes in policies are needed by organizations?
Treatment under likely already existing policy but special recognition of it.
What would you need to do to change behaviors?
Communicate
What additional resources (physical and human) would you need?
What kind of controls would be needed?
How would you audit those controls?
Briefly State the Issue You Are Solving
Stakeholder involvement/oversight
How Would You Solve This?
Education
What aspect of this issue is likely to cause the greatest trouble for organizations?
Loss of control
What kind of changes in policies are needed by organizations?
More marketing, disclosure internally/externally (consistent)
What would you need to do to change behaviors?
Education internally and external controls
What additional resources (physical and human) would you need?
Benchmarking/surveying, investor relations team. Corporate compliance
What kind of controls would be needed?
Internal (legal), testing, public disclosures
How would you audit those controls?
Periodic testing, use internal auditing through corporate compliance.
Briefly State the Issue You Are Solving
Social network
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Corporate privacy—where does it start and end
Reputation/Branding
Work quality and production
What kind of changes in policies are needed by organizations?
No access at work/limit access
A protocol of what is good and bad activities on social sites
What would you need to do to change behaviors?
Change in policy—a social network policy
Code of conduct
Communications/education and training
What additional resources (physical and human) would you need?
People to police social networks
Training of why this is good
What are the risks and rewards
What kind of controls would be needed?
Publish results of findings of bad activities
Let them see sites but not upload
How would you audit those controls?
Police and respond/posting
IT tracking of key strokes and websites
Enforcement committee with [unclear] and managers
Briefly State the Issue You Are Solving
Pandemic and natural disasters as well as acts of terrorism
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Unknown magnitude, planning for unknown, failure to connect with emergency management resources, communicating to employees, financial resources, mobilizing people, contingency plans
What kind of changes in policies are needed by organizations?
Continuous review and update emergency plans and contacts
What would you need to do to change behaviors?
Communicate
Contingency plans for contingency plans
What additional resources (physical and human) would you need?
Contracts, logistic support
What kind of controls would be needed?
Train, train, train—drills—education
Mobilization to unaffected resources
How would you audit those controls?
Briefly State the Issue You Are Solving
Outsourcing risk to less-regulated markets
How Would You Solve This?
Perform risk analysis
Set threshold for what we can and cannot outsource
What aspect of this issue is likely to cause the greatest trouble for organizations?
Criteria for what can & cannot be outsourced
What kind of changes in policies are needed by organizations?
Think through an outsourced scenario beyond profitability/revenue targets
Making sure profitability evaluations include risk assessment
What would you need to do to change behaviors?
Discipline
What additional resources (physical and human) would you need?
What kind of controls would be needed?
How would you audit those controls?
Briefly State the Issue You Are Solving
Breach of Privacy
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Technology
Human behavior (losing computers, seeking info they should have)
What kind of changes in policies are needed by organizations?
What would you need to do to change behaviors?
Enhance training and communications
What additional resources (physical and human) would you need?
What kind of controls would be needed?
Stronger IT oversight
How would you audit those controls?
Briefly State the Issue You Are Solving
Social networking
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Disclosure of proprietary or damaging information
What kind of changes in policies are needed by organizations?
Updating confidentiality policy to include social networking
Include in risk assessment process
What would you need to do to change behaviors?
What additional resources (physical and human) would you need?
What kind of controls would be needed?
How would you audit those controls?
Briefly State the Issue You Are Solving
Data breach
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Reputational risk
Trade secret
Being source of information that leads to identity theft
What kind of changes in policies are needed by organizations?
Type of info stored and collected
Location of Info
Access
Retention policies
Centralized decision making and control
What would you need to do to change behaviors?
Educate
Discipline
Tie into compensation
Incentivize reporting and remediation
What additional resources (physical and human) would you need?
Upgrades of systems
Security analyst
What kind of controls would be needed?
Access controls and monitoring
Implementing policies above
Access cards
Access logs
How would you audit those controls?
Ethical hackers/vulnerability audits
Counting number of breaches
Briefly State the Issue You Are Solving
Social media
How Would You Solve This?
Data loss prevention tools—monitors
[illegible] data, emails & increases monitoring
Policies
Values based
What aspect of this issue is likely to cause the greatest trouble for organizations?
Harm to brand
Insider trading
Law suits
What kind of changes in policies are needed by organizations?
Waiver if you refer to company xyz
Monitor website usage
What would you need to do to change behaviors?
Awareness; training
Pop up policies with certain searches
Lead by example
What additional resources (physical and human) would you need?
Monitoring tools very expensive
Buy in
What kind of controls would be needed?
How would you audit those controls?
Briefly State the Issue You Are Solving
Strengthening the social contract. Develop behaviors that contribute to the long-term success of the company.
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
High turnover. Loss of knowledge transfer.
What kind of changes in policies are needed by organizations?
Implement long-term incentives
Recognize that different incentives work for different people
What would you need to do to change behaviors?
Study loyalty, relationships
Case studies—ex: Sealy mattress
What additional resources (physical and human) would you need?
Esprit de corps efforts. Money. Creativity.
Communication, change management.
Engender trust by developing sound processes with effective controls. People need to be able to trust the system.
What kind of controls would be needed?
Transparent controls
How would you audit those controls?
Carefully and often.
Independently
Briefly State the Issue You Are Solving
Disparity between executives and the rest of the workforce, especially in tough economic times.
How Would You Solve This?
What aspect of this issue is likely to cause the greatest trouble for organizations?
Increased potential for misconduct/theft, physical violence, fraud
What kind of changes in policies are needed by organizations?
Policies alone will not solve these issues.
Walking the walk
Lead by example: deferring bonuses, other perks
What would you need to do to change behaviors?
More communication.
Awareness of employee perceptions
Employee assessments
Lead by example
Board engaged—rubber stamp
What additional resources (physical and human) would you need?
More innovative use of existing tools
What kind of controls would be needed?
More transparency
Improved communication
How would you audit those controls?