Podcast featuring the top Compliance and Ethics thought leaders from around the globe. The Society of Corporate Compliance and Ethics and the Health Care Compliance Association will keep you up to date on enforcement trends, current events, and best practices in the compliance and ethics arena. To s…
By Adam Turteltaub
Managing whistleblowers is always a hot topic, and you'll find it on the agenda at the 2025 SCCE Annual Compliance & Ethics Institute. To provide a preview of what you will see if you join us in Nashville, we sat down with the speakers for the session “Someone Blew The Whistle: Perspectives from Former Whistleblowers, In-House Compliance, and External Investigators”. The speakers in Nashville, and guests of this podcast, are:
- Jordan Segall, Senior Counsel, Ethics & Compliance, Xylem
- John Pease, Partner, Morgan Lewis
- Andrew Bakaj, Chief Legal Counsel, Whistleblower Aid
In our conversation they share the work Xylem has done to encourage internal whistleblowing. The compliance team's efforts include not just having a policy but ensuring that it is clearly accessible as well as explaining confidentiality, anonymity, and even investigative standards and processes. The company offers its employees multiple avenues to speak up, including HR, internal audit, the hotline, compliance, and even the audit committee of the board. These efforts are important, the speakers explain, because when whistleblowers go outside and bring a matter to the qui tam bar, typically it's because they felt that their concerns weren't taken seriously. To help keep employees from going outside, they offer several recommendations. First, show employees that their concerns are appreciated and will be looked into. Second, explain the investigative process. Third, to the extent possible, provide regular updates. Fourth, clearly communicate what the next steps are. Listen in to learn more, and then be sure to join their session at the Compliance & Ethics Institute in Nashville.
By Adam Turteltaub
There's a lot new going on in healthcare enforcement, and, at the same time, there's a lot that hasn't changed, reports Greg Demske, partner at Goodwin Procter and, formerly, Chief Counsel to the Inspector General at HHS. While the US Department of Justice has changed its priorities in areas such as anticorruption, if you look at what they and the Office of Inspector General (OIG) at Health and Human Services have been doing, he observes, the long-time bipartisan effort to stop fraud in healthcare is continuing. Yet, there are some significant changes. At CMS a major shift has occurred when it comes to Medicare Advantage. In the past there were audits of fifty plans a year, but now the goal is to audit all six hundred or so annually. Backing that up is an expansion in the number of coders from 40 to 2000. This has huge implications both for the plans and providers. Meantime the Department of Justice and HHS have created a False Claims Act Working Group to further their efforts. Then, of course, there are qui tam claims, which hit a record high in 2024, and we have dispositions in the courts as well. So what should compliance teams do? He recommends keeping a close eye on what the government is saying to ensure your program is staying ahead of the curve. And, of course, you should listen to this podcast to gain more of his insights from private practice and over 16 years at HHS.
By Adam Turteltaub
I live in Los Angeles and was fortunate enough to get through the fires unscathed. Around me, though, were others who were not so fortunate. A cousin and several friends lost everything. After the fires came a cleanup of epic proportions. For Glenn Sweatt, Vice President at ECC, the company charged with remediation at all those burned-out lots in Altadena and the Palisades, that's when the work began. The workforce had to be assembled, contractors brought in, and everyone needed to be trained and trained well, since the company is a federal contractor. Making that all happen required flexibility and agility. The compliance organization, like the company, had to be adaptable to changes in conditions and be responsive to local communities which suddenly, and unhappily, had thousands of trucks running through them. Language had to be considered since Los Angeles is a diverse city. Spanish translations were expected. Hindi turned out to be more common than anticipated. Listen in to learn more about the challenges the compliance team overcame, and, maybe, pick up some tips for how to handle compliance requirements at your organization when things are bad, urgent, and everyone is watching.
By Adam Turteltaub
Here's a little nightmare every compliance officer dreads. You leave your current job for an exciting new one, only to find out that you just walked into a position where the compliance efforts are token at best because the organization's leadership doesn't take compliance seriously. In this podcast Mary Shirley, Vice President, Chief Compliance and Privacy Officer, Scion Health, shares what to look for and how to protect yourself if this bad dream becomes your reality. And, for the record, she has not run into this disaster at Scion Health. So, what are the signs there is insufficient commitment? Any or all of the following could be, although generally one or two, she notes, may not be definitive:
- The title and standing of the top compliance officer are relatively low, with little authority
- The compliance team is greatly understaffed compared to industry benchmarks (cross-industry, healthcare data), without some compelling reason such as the organization undergoing financial difficulties
- There is insufficient or no budget for necessary outside resources
- A lack of management appetite for even inexpensive compliance initiatives
- Lack of support for professional development for the compliance team
- Compliance not included in major deals or transactions
- A chief compliance officer with no background in compliance
If you find yourself in a situation where the compliance role is not worth keeping, it's best to determine if there is hope for change or if it is best to leave. Either way, take the time to protect yourself by documenting what you have done and recommended, including what management ultimately decided. To prepare to leave, turn to your network, if you have one. If you don't have one, it's time to start building it out.
And, regardless of whether you are in a bad situation looking for a better one, or just looking at a potential career move, she advises asking these questions during the interview to determine if the new position is one that is set up for success or failure:
- What gets people fired around here? It's a good way to see if there is real and consistent discipline.
- Can I speak to my predecessor?
- What would you like to see improved in the compliance program in the next six months?
- How would you describe the company's risk appetite?
- What would the rank and file say about whether leadership is held to the same standards as they are?
- What deliverables from the compliance team were rewarded?
- What types of meetings does compliance attend? Does it have a seat at the table?
- What professional skills development programs were the compliance team sent to or given last year?
- What is the full-time staffing of the compliance office? What percentage of that is dedicated vs. liaisons?
- Is there budget for travel for investigations, training, compliance and ethics week activities and other purposes as needed?
Listen in to learn more about how to find the right compliance role.
By Adam Turteltaub
There is so much hype and drama when it comes to AI that it's good to hear the voice of Mujo Vilasevic, Senior Compliance Officer, Raiffeisen Bank International. Contrary to most, he makes the case that the problem with AI is overdramatization. Despite the fears, it's not going to take over the world or our jobs, as he sees it. So what should we be doing when it comes to AI? Educating ourselves is a very good start. Also, look at AI both, as he describes it, outside in and inside out: Look to see where it can be useful for the compliance department and how the business unit is putting it to use. Do so, he advises, recognizing that there is, as of yet, no global regulatory consensus. While laws are emerging, there is still a patchwork out there. However, there are some principles of responsible AI use that do seem to have global relevance. The EU law, for example, is based on the principles of integrity, data confidentiality, consumer data protection, personal data protection and the reliability of data used. Few would argue against them. In sum, he argues for avoiding the easy temptation of fearing the unknown. Instead, learn what you need to know to understand this technology (starting with this podcast), and be prepared for global regulations to provide helpful guardrails.
By Adam Turteltaub
It's time to think bigger when it comes to helpline data. Yes, it's still important to look at traditional metrics such as the number of calls and the substantiation rate. But, there is so much more that can be done. Justin Ross, Vice President, Chief Compliance Officer at Sysco and Carrie Penman, Chief Risk and Compliance Officer at NAVEX will be addressing what you can do with your helpline data during their 2025 SCCE Compliance & Ethics Institute session “Numbers That Matter: Moving Beyond Hotline Data to Identify and Build an Ethical Workplace.” For one, they encourage compliance officers to think about whom they are sharing the data with. What the board, management and others will want to see is likely to be different. As a result, it's important to tailor your reporting accordingly. Second, they argue in this podcast that it's important to not just look at the data reactively. Instead, think proactively and use it as a way to identify where there are issues to be addressed, either now or potentially in the future. The data can also provide a window into the culture of the organization as a whole, as well as the differences by region or even office. This approach can help you better understand your risks and where you need to address potential problems. Some of the data they suggest using is:
- Outcomes of allegations: are they leading to discipline and is it consistent
- Retaliation issues
- Substantiation rates
- Patterns of employee vs. non-employee reports
- Number of days between allegation and conclusion of investigation
- Number of days between incident and helpline call
Be sure, too, to look at the helpline data in concert with other data your organization has such as employee turnover, exit interviews, culture surveys, audit results and more.
In sum, to get the most out of your helpline data, think about all the data that you have, what it can tell about the past and present, how it can guide the future and what's the best way to share it with each of your audiences. Listen in to learn more, and plan on joining them for the 2025 SCCE Compliance & Ethics Institute.
By Adam Turteltaub
I recently learned that at the US Department of Justice's law library, one of the most common requests the librarians receive is for vintage dictionaries. Why? Because the lawyers often need to find out what the definition of a word was at the time a law was passed. Meanings change over time in the law and in the vernacular. Remember when describing something as “sick” meant that it was bad? Now it's the opposite. Stacey Parks, Ethics Officer, Enterprise Operations and International Ethics at Lockheed Martin will be taking on our evolving language at the 2025 SCCE Compliance & Ethics Institute. Her session is, appropriately, entitled, “Divided by a Common Language: No Cap. Here's the Tea on How Being a Mom of a Teenager Made Me a Better Communicator.” With five generations in the workplace today, it's important to understand that each has its own communications style and what works for one may not for another. Millennials, Gen Z and Gen Alpha are all digital natives and are much more comfortable than their predecessors with online communication. They also tend to prefer shorter, more succinct messaging, including pictures and diagrams. For them, less is more. Many are also “telephobic,” afraid of and uncomfortable using the phone for talking. They prefer texting and have a poor understanding of telephone etiquette. What's a compliance team to do? Think differently. Use lots of imagery, and even memes to communicate. Look to short form training, rather than long. Learn their language, too, so you can be a better listener when they share their concerns. And, before you dismiss these ideas, don't forget how you felt when your parents (or grandparents) threw in the word “groovy” long after it was no longer so groovy to do so. Listen in to this podcast and then be sure to join her in Nashville at the Compliance & Ethics Institute. It's going to be sick!
By Adam Turteltaub
If you're looking for compliance direction only from the US Department of Justice, you're missing the wider picture. There is a lot going on in Europe that companies operating in that geography need to be complying with. Dr. Tobias Kruis, Head of Corporate Compliance, Giesecke+Devrient, shares what is going on both in this podcast and in his session “Dancing with the Acronyms: Jiving Through LkSG and CSDDDD in the European Compliance Ballroom” at the 2025 SCCE Annual Compliance & Ethics Institute. The German Supply Chain Due Diligence Act, also known under the acronym LkSG, is focused on human rights, occupational health and safety and environmental projects. It requires regular and systematic risk assessments as well as remediation and preventative measures if risks are found. Grievance procedures are also a mandate, as are annual effectiveness reports on the supplier due diligence process. Sanctions for non-compliance can be as high as 2% of annual turnover. The German regulator has already conducted over 1,000 proactive reviews since the act was adopted. The EU Corporate Sustainability Due Diligence Directive was adopted in 2024 and builds on some existing national laws. The aim is to ensure a level playing field for companies in Europe by requiring them to address human rights and environmental concerns in the supply chain. It has much broader reach than the German law in its requirements, including a mandate to conduct due diligence beyond the first tier of suppliers. While enforcement has not yet begun and several changes are contemplated, compliance teams can begin preparing now, taking a risk-based approach to their due diligence efforts. They should also start building cross-functional partnerships with HR, quality, management, procurement and the sustainability teams.
Listen in to learn more about what's happening in Europe, and then don't miss his session “Dancing with the Acronyms: Jiving Through LkSG and CSDDDD in the European Compliance Ballroom” at the 2025 SCCE Annual Compliance & Ethics Institute.
The Compliance Perspectives Podcast is sponsored by Athennian, a leading provider of entity management and governance software. Get started at www.athennian.com.
By Adam Turteltaub
There's always a “but” when it comes to AI. It has great potential, but there's always the risk of bad things happening. In the case of the False Claims Act and healthcare, that's very much the case. In a recent article for Compliance Today – “AI and the False Claims Act: Navigating compliance in the age of automation” -- Phoebe Roth and Colton Kopcik of Day Pitney warn that the same “but” applies to medical coding. AI and coding seem to be a match made in heaven. There is enormous potential for ensuring that bills get processed quickly and all the proper charges are made. But (of course) plenty of risks come with it. First and foremost, a lack of human oversight can lead small errors to quickly multiply, especially if the AI model was trained on biased historical data or follows patterns of mis-billing. False claims can then quickly spiral out of control, leading to expensive refunds and settlements. Other areas of risk include telehealth and remote care fraud, especially at a time of increased government scrutiny of medically unnecessary services or improper billing. So what should you do? It is prudent when embracing AI, they warn, to ensure that the algorithm is always up to date on the latest changes to the regulations. Whether the AI was created in-house or by a vendor, be sure there is a plan in place to monitor for changes and make accurate, real-time adjustments. Having in place an AI steering committee is also a good idea. Be sure to include IT, coders, clinical staff, compliance and others. Finally, turn the staff into your front line of defense. Help them be on the alert for potential issues so that you can head off problems before they become big problems. Listen in to learn other ways to manage the “buts” of AI. This podcast is for educational purposes only and does not constitute legal advice.
By Adam Turteltaub
As important as gaining access to the board is, using that time properly is even more crucial. Becky Rohr, Chief Compliance Officer and head of Investigations at Ericsson, will be sharing her insights and advice on this topic in her session “Board Reporting, Not Bored Reporting: Presenting to Boards and Other Senior Stakeholders by Using Data and Storytelling” at the 2025 SCCE Annual Compliance & Ethics Institute in Nashville. In this podcast and preview of her session, she advises that, even before entering the boardroom it's important to take the time to know your audience. Talking to the board, a board committee or senior executives is different since each has its own priorities. Be sure that what you say and show them speaks directly to their role. Remember, too, that the board is focused on the organization as a whole. She cautions that the board will feel obligated to read anything you send it. So, be sure to avoid overwhelming them and to focus on the larger issues that could materially affect the organization. When presenting data, don't just give them the raw numbers. Prepare a concise analysis that tells them what those numbers mean and what the key takeaways are. She found that a slide showing opportunities, challenges, highlights and lowlights in a simple quadrant graphic can be particularly useful. Dashboards, too, can be valuable, so long as every light on it isn't green. That's bound to raise suspicions. Take the time, too, to anticipate what questions they are likely to ask. She warns that boards tend to want to know how the organization stacks up against its industry peers. So, be sure to take the time to benchmark. Be sure to also take the time to listen to the podcast and join us in Nashville, September 14-17, at the SCCE Annual Compliance & Ethics Institute.
By Adam Turteltaub
What you don't know can hurt you. And what you do know can hurt you. Such is the dilemma of background screening. Companies want to know who they are hiring, but, explains Al Firato, CEO & Founder of HireSafe, some information is off limits. The 1964 Civil Rights Act and Title VII prohibit examinations of race, religion, ethnicity and more. In addition, federal and state regulations set limits on what background check firms can look at. That's not always a bad thing, Al points out. A conviction for a criminal offense from decades earlier should not be cause for immediate disqualification, especially if the person has since made amends. In addition, the conviction may not be relevant for the job at hand: a DUI for a prospective delivery driver is a lot different than one for someone who will be working at a desk all day. The EEOC has also made it clear that people are, in most cases, entitled to a second chance. With that said, background checks can be very useful for revealing exaggerated academic and work histories. Many prospective employees take advantage of the fact that, with so many mergers, it may be difficult, if not impossible, to verify previous employment. Listen in to learn more about the do's and don'ts of background screening.
By Adam Turteltaub
Dr. Hemma R. Lomax, Vice President, Deputy General Counsel and Global Head of Ethics and Compliance for DocuSign thinks a lot about leaving a legacy, not just for herself but in general. She'll be addressing the topic “Beyond the Rules: The Future of Compliance is Legacy-Driven Leadership” at the SCCE 24th Annual Compliance & Ethics Institute, which takes place September 14-17, 2025 in Nashville. She is a strong advocate for thinking beyond quarterly goals and looking to operationalize best intentions to leave something behind that is more enduring. Getting there, she explains, requires first helping leaders understand that a legacy is not out of reach, if they focus on doing the right thing and for the long run. Done correctly, the legacy they create can be an enduring strategic asset. For compliance teams it means recognizing that every human has a survivor and a sage brain. And, while we in compliance need to embrace that survivor brain and embrace bad scenarios, we cannot be prophets of doom, raising already high anxiety levels. Instead, we need to lead with transparency, embed purpose into processes, make ethics a design feature, and create internal accountability. Listen in to learn more and then join her session in Nashville at the SCCE 24th Annual Compliance & Ethics Institute.
By Adam Turteltaub
Joint ventures are created to capitalize on a business opportunity, but they come with challenges. Each partner may have a different experience with or attitude towards compliance. They may have distinctly different cultures, and, in the worst case, may each be expecting the other to be watching compliance when, in fact, no one is. Hassan Chaudry, a member of the SCCE & HCCA Board and Chief Compliance Officer of POSCO JV, a General Motors joint venture, recommends several keys to success in JVs. First, having meaningful conversations with leadership right at the start is important, especially if it is face-to-face. This helps establish rapport and makes top management more comfortable with the role of compliance. Look to commonalities between the partners, not just the differences. In his case, with one party being from North America and the other from South Korea, there were different approaches and laws, but both countries are members of the OECD, and its guidance for compliance programs provided a common reference point. Once the groundwork is set, take the time to meet with employees from senior and middle management, as well as the front line. Also, don't forget the board: setting expectations with them and building an ongoing line of communication is essential. He also recommends treating the JV like a start-up, not an established company. Finally, put yourself in the shoes of joint venture partners. Look at the business from their perspective, and that will help you better understand what will make for a truly successful compliance program.
By Adam Turteltaub
Don't take it personally if it's taking you forever to find a new compliance job. According to Matt Kelly, Editor and CEO at Radical Compliance, you're far from alone. It's not that there aren't jobs out there, he explains. There is just a hesitancy to hire due to the macro-economic environment. With so much economic instability and unpredictability, organizations are slower to hire. Adding to the challenge is technology. A job posted on LinkedIn can generate hundreds or thousands of applications, making it more difficult for organizations to wade through them. So how do you make yourself stand out and become a must-hire? He recommends moving beyond showcasing your ability to manage regulatory issues and instead focusing on how your skills can help the organization navigate the range of operational risks that they face. Be sure to also shift from focusing on what you can do to defend the company to how you can help the company grow. Finally, he advises showcasing your certifications and cutting-edge experiences, and using technology to help. There are AI tools out there which will help you tailor your resume to the posted job description. Listen in to learn more and accelerate your job hunt.
By Adam Turteltaub
Professors Todd Haugh and Suneal Bedi of the Institute for Corporate Governance & Ethics at the Kelley School of Business at Indiana University recently published a paper: Retheorizing Corporate Compliance. In it they argued strongly that compliance needs to be seen not just as a defense against potential corporate legal liability. It also needs to be recognized as a proactive offensive tool for building market share and competitive advantage. On this podcast they explain that compliance creates numerous non-market strategies for helping the business. For example, organizations with stronger programs can demonstrate to regulators that they would be a good choice to acquire a troubled company. Leading compliance programs can also help to set the standard of practices for their industry, giving their organizations an advantage over those with lagging compliance practices. In sum, by thinking of how compliance can help the business, not just protect it, there are significant opportunities created to grow the business, and change the way people think about compliance.
By Adam Turteltaub
In November 2024, the Office of Inspector General at Health and Human Services released its Nursing Facility: Industry Segment-Specific Compliance Program Guidance. The document is part of an effort to modernize how HHS OIG is communicating to industry and providing information about risks, how to mitigate them and best practices for compliance programs. Jillian Willis and Melissa Scott of Nelson Mullins explain that the new guidance contains four main sections: quality of care and quality of life, Medicare and Medicaid billing requirements, Federal anti-kickback statute and other risk areas such as physician self-referral, HIPAA and related-party transactions. It shares best practices. Notably, the guidance complements other guidance out there, including the Department of Justice's. And, in addition to focusing compliance efforts, it can be helpful for promoting operational efficiency. Listen in and then spend some time reading the Nursing Facility: Industry Segment-Specific Compliance Program Guidance.
By Adam Turteltaub
Professors Guido Palazzo and Ulrich Hoffrage are skeptical. When they hear that there was a bad apple at the core of a scandal, they are hesitant to accept that explanation. Instead, they argue in this podcast and in their new book, The Dark Pattern: The Hidden Dynamics of Corporate Scandals, that the problem is typically much deeper and wider. There are dark patterns, as they call them, that lead to bad behavior. Underlying the patterns are nine building blocks. They explain:
- Rigid ideology is a shared belief system that narrows the view of decision-makers at the expense of other views, risking them losing sight of ethical dimensions.
- Toxic leadership can create fearful contexts when narcissistic, Machiavellian, or psychopathic leaders abuse their power and cause harm, be it through direct orders, leading by example, or a carrot-and-stick approach.
- Manipulative language restricts how things are perceived and evaluated, influencing people's judgments, decisions, and behaviors in ways that contribute to evil.
- Corrupting goals and unrealistic targets divert people's attention so that they lose the ability to see the bigger picture in which their decisions are embedded, and the ethical dimension of their behavior.
- Destructive incentives create a tunnel vision of reality and lead to unhealthy competition and fights.
- Ambiguous rules create a gray area where people at best are confused and at worst can morally disengage when they do something bad because, after all, they were just following the rules.
- Perceived unfairness can lead people to engage in illegal practices while feeling that they are restoring justice.
- Dangerous groups may force individuals to conform, encourage aggression against members of out-groups, or pressure those who are considering speaking up not to do so.
- Finally, people who are on a slippery slope may not realize how they are straying from the right path to the point of escalating their commitment to evil things without even realizing how they have changed.
While there are ways to manage for these risk areas, the challenge is that they are too often missed. The solution they advocate for includes compliance teams educating themselves more in areas such as social psychology so that they are more attuned to the human factors. Within the office there is a need for companies to resist the need to move on from scandals and to instead engage in deeper soul searching to understand what went wrong and why. Finally, they are advocates for making ethics a much more important part of compliance programs. Listen in to better understand what dark patterns are and how to keep them from taking hold of your organization.
Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub
So you've got a case of AI fever and want to put the technology to work for your compliance team. What should you do? Jordan Domash, Founder of Responsiv, urges you to first take a deep breath and think through the process starting with defining your goals. Interestingly, he shares, the goals can be affected by the solution you choose, whether you go with a solution that is homegrown or out of the box. Either way, once the goal is set, expect an iterative process and regular testing to ensure that the solution is delivering what you were looking for, free from hallucinations and other problems. To make that process work it's essential to have an evaluation plan in place, which includes identifying all the potential failure points. Make conducting some manual tests a part of it, to see if the AI is delivering the results it should. In sum, AI can be invaluable to your program, but only if you put in the work to ensure that it is well designed and truly performing as it should.
By Adam Turteltaub
On May 12, 2025 the head of the Criminal Division at the US Department of Justice issued a memo to all Criminal Division personnel with the subject: Focus, Fairness and Efficiency in the Fight Against White Collar Crime. To understand what the document means for compliance programs, we spoke with Amy Matsuo, leader for both Regulatory Insights and Compliance Transformation at KPMG. Overall, she sees the document as being good news for compliance programs. It reiterates the importance and value of quickly finding and remediating violations. The DOJ also outlines some very favorable terms for organizations that self-disclose. These can include a declination with no requirement to enter into a criminal resolution, a non-prosecution agreement and a 75% reduction in potential fines. The Department of Justice will also be reviewing settlements that are already in place and may provide relief if the organization is found to have made substantial progress, has a reduced risk profile and self-reported. This review is a part of an effort to revisit monitorships and to ensure the cost to organizations is justified. The Department of Justice also shared where it will be focusing its efforts. Procurement and program fraud, trade violations, sanctions violations and support to foreign terrorist organizations will all be in the crosshairs. Listen in to learn more about what the DOJ's expectations are and what you should be doing to ensure your organization meets them.
By Adam Turteltaub Andres Cuevas, Compliance Director LATAM for EmergentCold, explains from Chile that for compliance officers to be successful in Latin America they need to stop thinking about Latin America as a whole and start thinking much more about each country and its culture. And, of course, we must be mindful that each company also has a culture of its own. To navigate the differences and build consistency, he advocates for having a strong set of baseline rules that are common across your enterprise and the region. Establish what is non-negotiable. But, at the same time, it's important to work with local leaders to have an understanding of what the local realities are, work with them and respond accordingly when variations are necessary. Compliance leaders also need to be mindful of the legal requirements of each country. In Chile, for example, he reports that there are more than 250 crimes that the company can be found liable for. Listen in to learn more about how to navigate your compliance efforts successfully across this diverse region. He also shares what he has learned about managing compliance in a company growing through acquisition. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Mark Diamond wants you to stop thinking of records retention as a chore and start thinking of it as a driver of compliance. In this podcast the President & CEO of Contoural shares that retention schedules have grown in importance with increased requirements for privacy and safeguarding personal data. That, in turn, is having an enormous impact on the risks and costs of ediscovery. Proper retention schedules also have significant impact on employee productivity and collaboration, as well as using AI in less risky ways. Organizations are now increasingly treating records based on their business value and are developing retention schedules that reflect their worth. One of the greatest challenges they face, though, is the tendency of employees to want to hold onto everything just in case. While it's understandable, it adversely affects efficiency, as employees are forced to wade their way through obsolete records. Part of the solution, he suggests, is to develop a “super schedule” for document retention. Rather than having multiple different policies which can cause confusion, having one overall policy vastly simplifies things for employees and allows for greater automation. Listen in to learn more, but don't retain this podcast longer than you should. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub In a recent issue of Compliance & Ethics Professional ®, Nick Gallo, Chief Servant and Co-CEO of Ethico, addressed the control paradox, a situation in which the controls designed to prevent misconduct actually encourage it. Think of it like the person whose car has so many airbags that they no longer fear an accident and drive quicker. So what's the solution? He argues it's creating an environment where we have faith in controls, but not too much, and focus on helping those on the front line make the right decisions. That includes, he says, teaching not just what you should do but why. It also means encouraging ownership of ethical issues, not outsourcing it. Listen in to learn more about how to get better control on your controls. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Recently, Gartner released very intriguing research into third party risk. Chris Audet, Vice President and Chief of Research in the Gartner Assurance Practice, tells us that they found business has its spending all wrong. Too much is invested in due diligence, and not enough time and effort is spent on monitoring. Their research found that the business unit knows the risks third parties pose and is seeing it firsthand. When relationship managers were surveyed, 84% had seen changes to the risk profile and 76% found a third party had provided materially inaccurate information. In fact, 95% had seen something troubling in the past year. So why aren't they reporting this information to the compliance team and what would get them to share more? There were three main answers, Chris reports: Creating more relationship ownership objectivity. Too many feel too strong a tie to the third party. Confidence in identifying red flags. Encouraging objectivity and providing reassurance that compliance won't over-react. He also advises making it easy for third party relationship owners to contact compliance and to work compliance into the workflow. Listen in to learn more about the benefits of rebalancing the third party risk equation. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Risk assessments are not new in healthcare, and in specific regulatory areas are required. But, that doesn't mean things aren't changing. More and more organizations are embracing enterprise risk assessments (ERM) as a way to assess the range of risks that they face, including legal and regulatory concerns. Getting the risk assessment right is particularly challenging for healthcare organizations, explains Robert Stratton, Executive Director – Enterprise Risk and Security; Corporate Compliance Official and Senior Counsel for Northwest Permanente. Robert is also the author of the chapter “Enterprise Risk Management in Healthcare” in the latest edition of the Complete Healthcare Compliance Manual. The mix of insurance, patient care professionals, large sums of money and complex structures makes the risk map challenging. On the positive side, electronic health records can provide a wealth of information to inform your ERM efforts, as can frontline employees who can provide insights into what is going on behind the numbers. Once the risks are mapped, there are four ways to manage them, he explains: transfer, accept, mitigate and avoid. It's hard to do any of them cleanly, but it's important to understand which approach or approaches are best for a given risk. All four approaches, he adds, need to be accompanied by a culture which is aware of the risks, understands the risk appetite of the organization and their department, and acts accordingly. Listen in to learn more about ERM and how compliance can play an effective role in identifying and managing risk. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub As if ransomware and phishing attacks weren't enough to keep us up at night, now AI is enabling a whole new range of cyber threats. Ryan Redman, Product Manager, Marketing and Brett Sommers, Director of GRC Products at Onspring warn that the nature of attacks is evolving. Vishing, in which criminals use technology to imitate the voices of colleagues and organization leaders, is being used to trick people into revealing passwords, sharing data or sending money. Employees need to learn to be wary and even confirm requests, even from trusted voices, via email or other means. Healthcare and manufacturing are two industries that have been singled out by bad actors for this kind of attack. Aside from training, what else can compliance teams do? They recommend: focusing your resources on high value risk areas; ensuring your cyber defenses are as strong as they need to be; reviewing your third parties to ensure that a compromise won't come from someone hacking into their systems; understanding how AI is being used by your organization and vendors to make sure that the security is adequate; and being transparent about your expectations. Listen in to learn more. I swear it's really us and not AI. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub These are fractious times, and it's often difficult to figure out what to do, what comes next and keep people with divergent views working together. Despite these challenges, Anna Romberg, Executive Vice President, Sustainability, Legal and Compliance for Getinge, doesn't believe that things are hopeless. In an article she co-authored with Richard Bistrong for Harvard Business Review, they laid out several strategies for successfully navigating the current era. In this podcast, she reminds us that ethics and compliance programs are about more than following the law. They are also about encouraging good behavior, which includes following the company's values, no matter how the political winds are blowing. With that said, now is a good time to do what organizations need to do, which is assess their values periodically to ensure that they are relevant, and the organization is living up to them. At the same time, she encourages the compliance team to embrace friction. It is inevitable when facing difficult discussions and different opinions. It's also a sign of change and that the matter at hand needed to be dealt with. She also cautions compliance teams to be alert and encourage speaking up. With increased pressure and changing norms, some may lose sight of the need to do the right thing. Listen in for a bit of stability during unstable times. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Do you ever wish you were made of rubber, especially nowadays with so much change? Do you wish that you could be flexible enough to handle every new legal regulatory change or every business demand without breaking? It's not likely to happen, but compliance industry veteran Lisa Beth Lentini Walker believes that we can become more resilient. Resilience, she observes, is a mindset. We can work to become more adaptable and open to change by framing it in the right way. If you look at it with dread, you are less likely to succeed. But, if you recognize that nothing is permanent, change is inevitable and focus on what needs to be done, the chances of success are much greater. Look at change as an opportunity to shine and show leadership. Become the person who management trusts to look to the future and find the path forward for the organization. The workforce, too, wants to know that they can count on you to keep them safe and the company operating strongly. Listen in to learn more about becoming resilient and an effective compliance leader during changing times. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Uzbekistan, Kazakhstan, Tajikistan, Turkmenistan and Kyrgyzstan were all born out of the dissolution of the Soviet Union. With large energy deposits of natural gas, many global companies and their suppliers are operating within these countries. To better understand the compliance risks there, we spoke with Timur Khasanov-Batirov, a compliance officer with deep and wide roots in the region. While we may think of this area as one region, he warns that there are substantial differences by country. Kazakhstan is the most developed, and compliance has gained significant traction in large companies, primarily in the oil and gas sector. Uzbekistan saw three major FCPA cases, and, as a result, compliance has garnered a great deal of attention. The other three countries have much smaller economies and less developed compliance cultures. In addition, Turkmenistan has a fairly closed economy, which complicates the picture. While it is easy to focus on the anticorruption risk in the region, there are other challenges. The area has become a significant transshipment point to Russia of prohibited and dual-use goods. In addition, child and forced labor is an issue, especially in the textile industry. To mitigate these risks, especially for sanctions evasion and corruption, companies operating in the region will need to pay close attention to the ownership of companies. That is not always easy to do because corporate structures are often opaque. The desktop-based due diligence systems in the US and Europe are likely not sufficient, Timur advises. Having someone on the ground in the region is likely needed. Listen in to learn more about what it takes to operate a compliance program in this important part of the world. Listen now
By Adam Turteltaub It's not a good time to be a manufacturer of ten-foot poles. That's because with the growing number of sanctions regimes, there are an increasing number of companies and individuals that businesses shouldn't touch with a pole of ten feet, or any length for that matter. Rachel Gerstein, who most recently served as Vice President, Global Ethics and Compliance Counsel for Gartner, explains in this podcast that trade sanctions are laws and regulations designed to prevent and punish engaging with countries, organizations and individuals who the government has deemed a threat to national and international security, or who have committed human rights violations. Many countries have sanctions regimes, although the United States tends to have the strongest. The US, for example, has countrywide sanctions against Iran, Cuba, Syria and North Korea, as well as numerous sanctions against Russian individuals and entities. The government's enforcement arm is the Department of the Treasury's Office of Foreign Assets Control (OFAC), which has developed comprehensive guidance for compliance programs. It includes five pillars that will sound very familiar to anyone in compliance: management commitment, risk assessment, internal controls, testing and monitoring, and training. In addition to the obvious similarities in compliance program design, there is also great practical overlap. Third party vetting for anticorruption risk, for example, can also include sanctions-related checks. When determining if the company's owners are politically exposed, it's an ideal time to determine if there is 50% ownership by a sanctioned individual or entity. Training is another common element and particularly important. Individuals involved in payments and accounts receivable need to be educated in sanctions risks and what to watch out for. Employees across the workforce also need to be sensitized to the issue.
Europeans, for example, may see Cuba as just another exotic Caribbean vacation destination and not realize the risk. Of course, there are also different tools used for sanctions compliance. Your bank, for one, may be an asset given that it may be keeping its own list of sanctioned entities. Geoblocking is a tool that can be used to determine what country someone is communicating to you from and can be used by you to block interactions. In short, there is a great deal of risk, but there are great similarities with other compliance efforts, enabling you to combine sanctions compliance with other compliance efforts. But, you're still not likely to need that ten-foot pole. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub The current fee-for-services model in healthcare has challenges, to say the least. Value-based care, explains Colleen Gianatasio, Vice President of Compliance, CoventBridge, takes a different approach by asking four questions: What are the needs for both patients and providers? What are the challenges and barriers to meeting them? What technology and other resources are available? How will providers be measured for success, and when will they be reimbursed? In answering these questions there is an underlying emphasis on a much more collaborative and transparent approach among patients, providers and payers. There is also a commitment to understanding the community as a whole. For those looking for advice on how to pursue value-based care, she offers several thoughts, including: be thoughtful in your use of technology solutions; give all your stakeholders a seat and voice at the table; and break down the silos, and communicate openly and frequently. Listen in to learn more about the practice and promise of value-based care. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Recently Protiviti released an intriguing report: Top Compliance Priorities for U.S. Healthcare Organizations in 2025. In this podcast their Global Healthcare Compliance Leader, Leyla Erkan, shares some of the key priorities they revealed: Managing technology. This includes wearable devices, AI, telehealth platforms and more. All have great promise, but each comes with significant risk. Privacy and security. Many organizations are struggling with right of access issues, reproductive health data, and using data more effectively to deliver care. Not to mention the issues of data breaches and ransomware. Integrating quality and safety into compliance programs. As with value-based care, expectations have grown for compliance to play a key role in ensuring quality and safety. Billing and coding. Cloning of documentation remains a key risk area along with lack of documentation. New technologies hold great promise but there are challenges in areas such as using AI. Listen in to learn more about these issues and others identified as top compliance priorities for healthcare in 2025. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub How much is your cybersecurity program worth? Traditionally the thinking has kind of been: if we don't have a breach it's expensive but valuable, and if we do have one it's both expensive and worthless. Eric Shoemaker of Genius GRC advocates for a different way to value cybersecurity efforts. Instead of just looking at what it prevents, also look at what it enables: your organization to do business with less friction. A good cybersecurity program gives customers the confidence that you are safe to do business with. It prevents business interruptions, and doesn't get too much in the way of the business. So track things like deals successfully closed after reviewing the company's cyber defenses. He also argues for using near misses as a way to demonstrate value. Each incident provides an opportunity to examine what could have gone wrong, what controls worked, and what enhancements could be made to strengthen them. Listen in to learn more about how you can establish the value of your cyber protection efforts. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub Virginia MacSuibhne is not your typical compliance officer. It's not surprising then that this former global chief compliance officer at Agilent and Roche, who also has an Etsy shop selling irreverent, NSFW compliance merch, decided she wanted to do an atypical podcast. Rather than focusing on a brilliant idea she had or a huge success, she suggested we discuss the mistakes she has made. Each of them has an important lesson for others in compliance. Mistake #1: Do the code of conduct yourself. It's far better to involve the business team both to gain their insights and get their buy in. Mistake #2: Think working inside a company is like working for their law firm. When you work in a company, even in the legal department, you need to focus on relationships and be less transactional. There's no clock or timesheet to record billable hours. So spend the time getting to know your colleagues and building personal connections with them. Mistake #3: Disregard the rhythm of the business. Every business has its own rhythm, with busy and quiet times and its own processes for getting things done. Take the time to learn them. Mistake #4: React immediately and strongly to evaluations. Sometimes it's better to take a breath and understand the context as well as what drives you. Unofficial mistake #5: Not listening to this podcast. Listen now Sponsored by Case IQ, a global provider of whistleblowing, case management, and compliance solutions.
By Adam Turteltaub A good, juicy case study is great for compliance training. An artfully created scenario can also be remarkably effective, especially for ethics training. What makes them so appealing, and how do you use them best? Colin May, Adjunct Professor at Stevenson University, explains that problem-based learning is very effective for adults both for knowledge transfer and retention. It also helps people apply what they have learned. Case studies, which are based on actual incidents, and scenarios, which are fictional, also benefit from a human love of stories. When determining whether to use a case study, scenario or some other learning method, he advises first thinking about the outcome: what do you want people to take away from the training. Next, think about the debriefing after employees have had a chance to either read the case study or act out a scenario. That subsequent conversation may prove to be the most valuable part of the learning exercise. Be sure, too, to keep your case studies and scenarios current. They do have an expiration date. Even big, juicy ones can seem dated after a few years. Even something as big as Enron can get old: it happened 24 years ago, before a significant portion of your workforce was born. Finally, be sure to listen to the podcast and reach out to him through LinkedIn if you would like the tool that he referred to. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub There's a lot of discussion about the relationship between compliance and the general counsel. Fewer words, though, have been dedicated to the important relationship between compliance and HR. Netherlands-based Asaf Shalev, Global Ethics, Risk & Compliance Lead for DLL, rightly observes that maximizing synergy between the work of HR and compliance is a key for success of both the compliance program and the business. The departments share overlapping interests in a number of areas, including the code of conduct. He advocates both sides working closely together to ensure that it is human centric. When it comes to compensation, HR can help by building in compliance-related metrics. When it comes to discipline, HR can ensure that it is documented, consistent and fair. They can also be helpful for navigating the local labor laws that may apply. Listen in to learn more about how to make the compliance-HR relationship work from recruiting and onboarding through the entire employee lifecycle. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub Stress can be a good thing. Burnout, though, is something altogether different and very real for compliance professionals. Sarah Hadden (LinkedIn), CEO and Publisher of Corporate Compliance Insights shares in this podcast the not always encouraging data on stress and burnout from their 2025 Compliance Officer Working Conditions, Stress & Mental Health survey. The research did reveal some very good news. Compliance officers are generally happy with their work. They have a sense of purpose and feel that what they are doing is important. The findings also revealed a small but notable increase in the belief that the organization is supportive of compliance efforts. On the other side of the coin, though, only 7% said that job stress was not an issue. More concerning, 51% reported that they are experiencing burnout. What causes that burnout? A variety of factors are in play including the fast pace of regulations, personal liability fears, lack of time and resources and even AI. One of the greatest causes of stress, the survey revealed, is reporting structure, with those reporting to legal, rather than to leadership or the board, being the least satisfied and most stressed out. Listen in to learn more, unless, of course, it's going to stress you out. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub There is a tendency to think of risk assessment as one thing and demonstrating the value of the compliance program as another. In this podcast, Catherine Bruno, Assistant Director Office of Integrity and Compliance (OIC) at the FBI shows that the risk assessment process can also be a great way to demonstrate the value of a strong compliance program. So how do they make that happen? First, the OIC ensures that individuals who are closer to the risk, the subject matter experts at each of the divisions at FBI headquarters, as well as each field office, are involved both from the start and on an ongoing basis. Every six months the OIC requires them to spend time assessing compliance risk and put forward at least one. This process ensures participation without demanding too much of the field's time. In advance of that meeting, the OIC conducts a training session, provides a model agenda, and may do a presentation on a particular risk area. They also require that, at the meeting, the participants also spend time examining the tier 1 risks that the OIC has identified. In the future, she is looking to better spell out the cost of non-compliance and the savings of proactive measures. But, she cautions, quantifying the benefits does not have to be based on dollars exclusively. Reputational factors can and should also be considered. Each field office is also required to provide data on the risk areas that they are tracking. That data gets compiled and gives them an opportunity to compare themselves to each other. The information is also shared at higher-level branch meetings a month later, and it helps executive assistant directors understand where field offices are focused in terms of their risks. In sum, the process provides both a better understanding of risk and demonstrates the value of the compliance program. Listen in. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub The words “works council” inspire fear and dread in the hearts and minds of many who have never worked with them. They need not, say Lisanne Winde, attorney at law at Wybenga advocaten, and Alain Lambert, regional ethics and compliance officer for Central Europe at WSP. In this podcast, they share how the works council can actually help compliance teams. These entities are not unions but are specific to the company. They can be helpful for facilitating communication with employees and giving greater legitimacy to company policies. In practice they collaborate with management and can be more helpful than those unfamiliar with them may think. However, there are times when working with the works council is not just a nice to have but a requirement. Issues relating to whistleblowing and disciplinary policies are two examples. And there may be others, as well. The laws vary by country. To make the most out of the relationship they recommend taking time to listen to what the works council says. Make sure they understand your role and the independence it has from management, and invite their participation early. It's better to find out what issues are and benefit from their expertise early rather than too late. Listen in to learn more, then take a deep breath and relax next time you hear the words “works council.” Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub An audit by a Unified Program Integrity Contractor auditor, better known as a UPIC audit, can be a very scary thing. Providers are often shocked and even indignant to receive a letter notifying them of the audit and alleging fraud. Jon Rawlson (LinkedIn), President & Founder of Armory Hill Advocates, reminds us that the audit was likely not triggered by an allegation but by an algorithm catching outlier events such as a provider processing claims outside of their normal daily work, utilizing a DME, a skin substitute or some other expensive item that is outside the norm. Once you have calmed down after reviewing the letter, he advises acting immediately but calmly. Begin reviewing the documents you have been providing the Medicare program and bring in whatever help you need. And don't forget you have a five-step appeal process that enables you to prove your innocence. But be mindful of the timeline the government gives. The consequences can be grave if you miss a deadline. Listen in to learn more, and if you're a member of SCCE or HCCA, be sure to read his article on the subject in Compliance Today magazine. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub As the sun set, the chief compliance officer stared out the window, wondering how she would communicate with her workforce in a way that they would understand. As much as she looked, the answer wasn't outside in the skies turning from blue to black. She wasn't finding it under the white LEDs in the ceiling above her desk, either. Feeling a bit desperate, and a little bit bored, she decided to walk the halls to see if perhaps the answers were there. She got all of ten feet before a colleague stopped her, eyes open wide and voice a little breathless, to tell her about an incident discovered and resolved. As she listened to him speak, she realized the answer was right there in front of her in the power of storytelling. Janine Fadul, Compliance and Privacy officer at GW Medicine, learned long ago to focus on the story she was trying to tell people, not just the facts. By following the elements of storytelling, she explains, you can grab people's interest, keep it, and help them understand what you are trying to communicate. That doesn't just apply to training. It can also be useful for communicating with leadership. Listen in to learn more about the elements of good storytelling. Then, apply them, and your compliance program may live happily ever after. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub In addition to releasing its General Compliance Program Guidance, the OIG at HHS announced plans to publish a series of Industry Segment-Specific Compliance Program Guidances (ICPG). The first of these, addressing nursing facilities, was released in November 2024. As CJ Wolf, Professor in Healthcare Administration at BYU Idaho, explains in this podcast, the first ICPG is instructive both for skilled nursing facilities (SNFs) and those looking to anticipate what will be coming in future ICPGs. Currently, three more are expected to be published in 2025: Medicare Advantage, hospital and clinical laboratories. Two additional ICPGs – pharmaceutical manufacturers and hospice – are also planned, but with a publication date as yet to be determined. There are several notable elements to the SNF ICPG. First, it interlinks compliance, quality of care and quality of life for patients. Second, there is an entire supplement focused on reimbursement, raising the scrutiny level of billing compliance. It addresses the prospective payment system, value-based payment models, Medicare Part D, Medicare Advantage, and Medicaid managed care, amongst other issues. When it comes to Anti-Kickback, the ICPG provides specific examples that are close to home for skilled nursing facilities. These hot points include free or below fair market value goods and services, discounts, arrangements for services and supplies, pharmacist relationships, care coordination, value-based care arrangements and joint ventures. It is expected that future ICPGs will also have a focus on the Anti-Kickback statute. CJ also anticipates future guidances to continue to focus on greater accuracy and quality of care. Listen in, whether you are working at a SNF or looking to learn what likely comes next with ICPGs. Listen now Sponsored by Ethena - automated compliance training, an employee hotline, and case management, all in one tool.
By Adam Turteltaub
Sevda Huseynova is the Ethics and Compliance Officer for SOCAR Midstream, a state-owned enterprise (SOE) in Azerbaijan. The company manages the oil and gas export pipelines of the country. If you think working for an SOE means you don't have to worry about compliance, she warns you to think again. SOEs still face risk in a wide range of areas including anticorruption, sanctions, third parties and more. Investors want to ensure that the company operates up to global standards, which isn't always easy since compliance is relatively new in Azerbaijan. SOCAR Midstream is up to the task, though, she reports. The company seeks to comply with local laws as well as international standards such as those of the OECD and the UN Convention on Corruption. To meet its goals, the compliance program is based on the seven elements approach found in most compliance programs and has three tiers addressing prevention, detection and corrective actions. She advises others working in SOEs to embrace five key strategies: gain leadership buy-in and the corresponding tone at the top; customize the program to the SOE context; build a strong compliance infrastructure with adequate support; strengthen third party management; and monitor, measure and improve on a continuous basis. Listen in to learn more about the challenges and opportunities of compliance programs in an SOE.
By Adam Turteltaub
KISS takes on a new meaning in this podcast: Keep it Streamlined & Strategic. Keeping it streamlined and strategic is also the topic of a session at the 2025 HCCA Compliance Institute that will be led by Krista Muszak, Senior Manager, Process Optimization at Pfizer and Angela Smart, Senior Compliance and Ethics Partner, Intermountain Healthcare. Specifically, they'll be applying this new take on KISS to the topic of program effectiveness. So how does it work? How do we keep our programs streamlined and strategic? First, we avoid scope creep and remain focused. That, they explain, begins with having and continuously referring back to a program charter that keeps you and everyone else involved from pursuing all the tangential issues that could derail your efforts. Second, they advise following the PDCA formula: Plan, Do, Check and Act. Third is conducting a root cause analysis that helps you understand not what happened but why. It will keep you thinking strategically and not just about the particular incident that called for the analysis to be done. Want to learn more about KISS? Listen to this podcast and then join them in Las Vegas for the 2025 HCCA Compliance Institute. Sponsored by Bluesight, providing industry-leading privacy monitoring with fast, reliable patient data violation detection.
By Adam Turteltaub
Business people are given all kinds of goals for revenues, profitability, efficiency and more. For compliance, though, not so often. Many organizations struggle with how to set compliance goals, or even if they should set them. Madrid-based Juan Ignacio Paillás, Head of Global Compliance Business Sectors for Merck KGaA, Darmstadt, Germany, explains how it should be done. First, he advises, understand the context in which you are working, particularly about how your organization manages objectives. For example, some organizations embrace very rigid goals, while others take a more flexible approach. When approaching management and the business unit about setting objectives, he cautions that you should expect pushback. To counter it, remind them this is about taking the company's values and turning them into concrete, measurable behaviors. It is also an exercise in setting priorities within compliance efforts to have the greatest impact on the organization and its performance. As you go to set the goals, determine which levels of the organization you will cover and what is important for each of them. Start with leadership and then enlist them in the efforts. Also, he advises being open to business people setting their own goals. Listen in to the interesting goal one person set, and what impact it had.
By Adam Turteltaub
Healthcare is often rife with fraud, and organizations struggle to prevent it. To gain a different perspective on how to prevent wrongdoing, we spoke with Alec Burlakoff, a convicted fraudster from Insys Pharmaceuticals who now leads Limitless! Consulting. To prevent fraud, he recommends seriously looking at the incentives program in your organization, especially if there are individuals whose commissions may make up more than half of their compensation. Such high rates of reward, he warns, provide serious temptation to skirt, or outright disregard, the rules. Look also at the messages that lucrative incentive programs send to others in the organization. Individuals who are inclined to do the right thing may find themselves envying those they see breaking the rules and getting rewarded. It can cause them to emulate the bad behavior that they see. Better, he advises, is to seek ways to reward people who do things the right way and build sales for the long term. When it comes to discipline, he takes a very hard line. Many companies, he finds, have zero tolerance policies, but they may not apply them. That, he believes, has to stop. The only way to get the attention of the workforce is to swiftly punish, including terminating, employees who break the rules. Finally, he advises compliance teams to understand the thinking of businesspeople. Know what motivates them, understand their thinking, and get inside their heads. Only then will you be able to effectively reach them.
By Adam Turteltaub
Are your helpline calls being responded to properly? Are the investigations proceeding expeditiously and properly? To find out, it's good to do an audit periodically. Before you can begin, though, you need to determine if there is enough available data for an audit, cautions Juliette Gust, President of Ethics Suite, and author of the chapter “Auditing the Confidential Reporting Hotline and Case Management Program Effectives” in the new edition of The Complete Compliance and Ethics Manual. Many compliance programs still do not have formal processes in place, and for them, it's best to start with a gap analysis. If you do have data, look at how you are tracking both the allegations and the work being done as a result. How quickly are allegations being reviewed? Is someone letting the reporter know that their allegation has been received and is being acted on? How are you safeguarding the data, including being sensitive to the potential need for attorney-client privilege? Spend time, too, on auditing what is being done to encourage whistleblowing. What is the tone at the top? Are managers doing their compliance training and how quickly? How often does the compliance and ethics committee meet? Does it have a charter? Do the meetings have an agenda, and are they being followed? Another area for potential audit is the investigator. Are your investigators properly trained? Is there enough staff to do the investigation? Is the investigation appropriately scoped? Curious to learn more about how to audit your helpline and responses to allegations? Listen in now and check out The Complete Compliance and Ethics Manual.
By Adam Turteltaub
Think you don't have to worry about the SEC because you're at a private company or a non-profit? Think again, says Kevin Muhlendorf, attorney at Wiley Rein. You may still end up in the Commission's crosshairs. He warns that the SEC's power of investigations expands far and wide, and just being a supplier to a publicly-traded company may lead them to focus on your business. If a private company is acquired by a public one or makes even a non-public offering, there is risk of fraud and SEC action. Lie to an accounting firm and the SEC may become involved. And don't forget about the risk of parallel investigations involving multiple enforcement authorities. Another risk area is shadow trading. Let's say your hospital is a part of a clinical trial, and an employee sees it is going well. If that employee decides to short the stock of the drug's competitor, that could be an issue that falls under the SEC. So what should you do? Keep an eye out for these risks and pay attention to recent enforcement activity and dispositions. Oh, and listen to this podcast.
By Adam Turteltaub
Business transformations can be times both of risk and opportunity for compliance programs. Employees, struggling to understand the changes around them and feeling stressed, may opt to do the wrong or at least ill-advised things. By the same token, transformations provide an opportunity for compliance teams to change their roles within the organization and redefine the value that they bring. Jill Swain, Global Ethics Manager and Dawn Wood, Engagement, Training and Programme Manager at Rolls-Royce went through a major business transformation and will be sharing their insights from that experience in a session at the 2025 SCCE European Compliance & Ethics Institute. In this podcast they share an abbreviated version of the journey and lessons taken from it. Rolls-Royce, as it transformed itself, wanted employees to understand that ethics and compliance are a part of “winning right” and helping the company achieve its goals. The compliance teams met the challenge by embarking on several initiatives, both broad and narrow. They: conducted a Win Right Week; identified the need for ensuring that conflicts of interest were reviewed when reporting lines changed; helped employees understand common dilemmas and how to resolve them; became an integral part of the employee hub to make it easier to access information and ask questions; and rolled out a new third party risk management platform. In sum, it was a transformation both of the organization and the compliance program within it. Listen in to learn more about what they did and learned through a period of corporate transformation. Then, join them at the 2025 SCCE European Compliance & Ethics Institute.
By Adam Turteltaub
Oh, Artificial Intelligence. So much promise, and so much risk. What's a compliance and ethics professional to do? Start by listening to this podcast about the chapter “Managing the Ethics and Compliance Risks of Artificial Intelligence” in the 2025 edition of The Complete Compliance & Ethics Manual. We spoke with the article's co-authors, Gwen Hassan (chief compliance officer at Unisys), Dr. Anthony J. Rhem (CEO and principal consultant at A.J. Rhem & Associates), and Patrick Henz (special advisor for compliance, Latin America, for Mitsubishi Heavy Industries Americas). They explain that when we speak of AI we aren't talking about one technology but a wide range of them. Generative AI may be getting the most attention but there is also natural language processing, neural networks, expert systems, machine learning and many more. As a result, compliance teams need to understand what form of AI is being used at their organization. When it comes to legal and regulatory frameworks to serve as guidance, it is probably best to look to Europe, which has taken a much more active approach than the US. The United States has just a patchwork of state laws. On the federal level, an executive order from the previous administration has been rescinded by the current one, leaving no national guidance. Despite the legal vacuum, there are still risks such as bias to manage. As a result, organizations need to have clear guidance on what AI can and cannot be used for. There should also be a risk assessment framework that includes: assessing the data risk; understanding the model; assessing cybersecurity and compliance risk; evaluating ethical risk; and continuous monitoring and updating. Listen in to learn more about how to manage the possibilities and risks of AI. Then be sure to check out the 2025 edition of The Complete Compliance & Ethics Manual.
By Adam Turteltaub
Sometimes you make a few technical changes to a compliance program because a law or regulation has changed. Autoliv didn't want to do that and just meet the technical requirements of the EU Whistleblower Directive. They wanted to use it as an opportunity to assess what they were doing to encourage employee reporting, whether it was working, and to improve support for people speaking up. Erica Wikman, Vice President, Corporate Compliance, Autoliv and David Barr (LinkedIn), co-founder of Campbell Barr, tell us in this podcast that they shared a vision of moving away from just whistleblowing. Research showed it can have negative connotations. In addition, whistleblowing tended to be interpreted narrowly, with tremendous variations by region. They also found a fear of either retaliation or that nothing would be done. So, the Autoliv compliance team began to think more broadly and encourage people not just to speak up when they saw a potential compliance issue but also when they saw something positive in the organization or just wanted to express gratitude. Along with that change of scope, they decided to open the lines of communication and encourage employees to bring their concerns and praise wherever they were most comfortable. To make it work they reached out to HR, manufacturing, quality and the health and safety team. Together these groups identified similar needs and dialogue and a willingness of leadership in those areas to come up with a common, welcoming approach to speaking up. By making speaking up more natural and a part of the business dialogue, they were able to lower the barrier to raising issues and turn perceptions around. A potential negative had become a positive. Listen in to learn more about what they did and how you could change the entire atmosphere around speaking up.
By Adam Turteltaub
So the IT folk can't wait for your business people to delete those old documents. Meantime, the business people want to hold onto them because they never know when they might need that info again. Then, all of a sudden there's a legal issue and a hold is in place. Instantly the game changes. Chris Kruse, Executive Vice President & Advisor at CasePoint, explains that when a legal hold is placed several things need to happen. Employees with relevant information need to be identified. They need to be placed on notice of the obligation to preserve any relevant information. They need to be instructed on how to proceed going forward. The custodians of the data need to acknowledge that they have been notified and understand their obligations. Individuals with the data need to be reminded that if they create new data it also needs to be retained. Securing all the documents and data can be difficult for several reasons. These range from the simple, such as an employee who doesn't read the email with the instructions to preserve data, to the complex, such as identifying all the different kinds of documents and where they may be stored. Get it wrong, and things can go south pretty quickly. Listen in to learn more about how to ensure that your document hold doesn't cause more problems than it solves.