CEP Compliance & Ethics Professional Magazine, January 2021
A publication of the Society of Corporate Compliance and Ethics

Cover: Renée Wardlaw, Senior Director of Corporate Compliance and Associate General Counsel for Bristol Bay Native Corporation, Anchorage, Alaska, USA

In this issue:
Enhancing processes is just the tip of the iceberg (p10)
Returning to business travel: Mitigating risk for your employees (p16)
Protecting corporate data in the work-from-home era (p20)
Rethink your policy management system to strengthen your compliance program (p26)
Balancing effective compliance policies against the ubiquity of ephemeral messaging (p32)
We've moved!
Effective January 1, 2021, the Society of Corporate Compliance and Ethics & Health Care Compliance Association's new address is:
6462 City West Parkway, Eden Prairie, MN 55344
While our address has changed, our member service contact information remains the same:
Phone: +1 952.933.4977
Toll-free: 1.888.277.4977
Fax: +1 952.988.0146
Email: helpteam@corporatecompliance.org
corporatecompliance.org
Letter from the CEO
New year, new address for SCCE
by Gerry Zack

Think of this month's letter as part two of the letter I started last month. As we begin 2021, many of us are optimistic that better days lie ahead. When the COVID-19 pandemic became a serious threat last March, we did what many organizations did; we made a lot of quick decisions to protect our employees and our members, resulting in a remote workforce, the cancellation of in-person conferences, and gradual conversion to or development of virtual events. I discussed many of these changes last month.

Along the way, SCCE faced another decision. We were already well along in the development of a new headquarters we had purchased, having significantly outgrown our old and very outdated building. Should we have stopped immediately? The alarmists were saying things like, "COVID-19 changes everything. People will never return to an office environment." Should we have followed that logic and abandoned the build-out of the new office?

We decided to move ahead and finish the work, and the result is the new office address you'll see in this magazine, on our website, and on all of our materials beginning January 1. When people ask why, the answer is rather simple.

First, people will want to return to an office. We've learned that remote working can be efficient, so there will be greater use of remote-working options. But there will be a desire and need for working together in an office once it becomes safe to do so.

And this leads me to the second, and more important, reason. When our employees return, whenever that is, we want them to be in an environment they enjoy, so they will be happy, productive, and proud of their organization. Our old office was overcrowded and inefficient in every respect. The new office will lead to improved productivity and increased capacity. In addition, we were able to incorporate several COVID-19 considerations into the design, enabling greater capabilities for social distancing and other health and safety measures.

The pandemic has been a setback for all of us. But rest assured that SCCE was well positioned to deal with it, and we have continued to take action so that when the craziness subsides and we gradually return to something resembling normal, this association will be stronger than before and able to serve the profession better for many years to come. CEP

Gerry Zack, CCEP, CFE, CIA
Please feel free to contact me anytime to share your thoughts:
+1 612.357.1544 (cell)
+1 952.567.6215 (direct)
gerry.zack@corporatecompliance.org
@Gerry_Zack
/in/gerryzack

CEP 1
CEP Compliance & Ethics Professional Magazine
A publication of the Society of Corporate Compliance and Ethics
January 2021

"Our executive team understands that compliance is a crucial component of any successful business." See page 13.

Columns
1 Letter from the CEO, by Gerry Zack
15 A view from abroad, by Sally March
19 The other side of the story, by Shin Jae Kim
25 EU compliance and regulation, by Robert Bond
31 Culture is all of our business, by Nick Gallo and Gio Gallo
37 Driven, by Walter E. Johnson
53 How to be a wildly effective compliance officer, by Kristy Grant-Hart
66 The last word, by Joe Murphy

Features
10 Meet Renée Wardlaw: Enhancing processes is just the tip of the iceberg, an interview by Adam Turteltaub
16 Returning to business travel: Mitigating risk for your employees, by Michael F. Savicki
Prepare now for the return of business travel to mitigate risk for employees and your organization.
20 Protecting corporate data in the work-from-home era, by Melody Haase
There is no one-size-fits-all solution to data loss, but there are key aspects to keep in mind.
26 Rethink your policy management system to strengthen your compliance program, by J. Veronica Xu
Policy management is an important facet of creating a culture of compliance.
32 [CEU] Balancing effective compliance policies against the ubiquity of ephemeral messaging, by Daniel J. Polatsek
Self-deleting message apps can be great for security — but also for concealing unlawful conduct.

CEP Magazine (ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6462 City West Parkway, Eden Prairie, MN 55344. Subscriptions are free to members. Periodicals postage paid at Saint Paul, MN 55112. Postmaster: Send address changes to CEP Magazine, 6462 City West Parkway, Eden Prairie, MN 55344. Copyright © 2021 Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent from SCCE. For subscription information and advertising rates, call +1 952.933.4977 or 888.277.4977. Send press releases to SCCE CEP Press Releases, 6462 City West Parkway, Eden Prairie, MN 55344. Opinions expressed are those of the writers and not of this publication or SCCE. Mention of products and services does not constitute endorsement. Neither SCCE nor CEP is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.
Volume 18, Issue 1

EDITOR-IN-CHIEF: Joe Murphy, Esq., CCEP, CCEP-I, Senior Advisor, Compliance Strategists, jemurphy5730@gmail.com
EXECUTIVE EDITOR: Gerard Zack, CCEP, CFE, CPA, CIA, CRMA, Chief Executive Officer, SCCE & HCCA, gerry.zack@corporatecompliance.org
PUBLISHER: +1 952.933.4977 or 888.277.4977 | corporatecompliance.org
Yogi Arumainayagam, Vice President of Publications, SCCE & HCCA, yogi.arumainayagam@corporatecompliance.org

ADVISORY BOARD
Mónica Ramírez Chimal, MBA, Managing Director, Asserto RSC, mramirez@asserto.com.mx
Odell Guyton, Esq., CCEP, CCEP-I, VP Global Compliance, Klink & Company, guytonlaw1@msn.com
Melody Haase, Project Manager, 4Discovery, melody@4discovery.com
Miguel Rueda, MBA, CCEP, Director, Audit & Compliance, Air Canada, miguel.rueda@aircanada.ca
Terry Stechysin, Compliance Director, Competition Bureau Canada, terence.stechysin@canada.ca
Greg Triguba, JD, CCEP, CCEP-I, Principal, Compliance Integrity Solutions, greg.triguba@compliance-integrity.com
Ibrahim Yeku, BL, CCEP-I, Barrister, Solola & Akpana, yekuduke@yahoo.com
Rebecca Walker, JD, Partner, Kaplan & Walker LLP, rwalker@kaplanwalker.com

STORY EDITOR: Margaret Martyr, +1 952.567.6225 or 888.277.4977, margaret.martyr@corporatecompliance.org
ADVERTISING: Mary Ratzlaff, +1 952.567.6221 or 888.277.4977, mary.ratzlaff@corporatecompliance.org
COPY EDITOR: Bill Anholzer, +1 952.405.7939 or 888.277.4977, bill.anholzer@corporatecompliance.org
PROOFREADER: Marina Jyring, +1 952.405.7924 or 888.277.4977, marina.jyring@corporatecompliance.org
DESIGN & LAYOUT: Pete Swanson, +1 952.405.7903 or 888.277.4977, pete.swanson@corporatecompliance.org

FRONT COVER AND PAGE 10: Photography by Michael Dinneen, dinneenphoto.com
STOCK PHOTOS BY STOCK.ADOBE.COM: Page 7: © iana_kolesnikova; Page 16: © Pavlo Vakhrushev; Page 20: © methaphum; Page 26: © Pixel-Shot; Page 32: © Stanisic Vladimir; Page 38: © oatawa; Page 40: © REDPIXEL; Page 44: © vectorhot; Page 48: © wirat; Page 50: © bakhtiarzein; Page 54: © Zern Liew; Page 58: © Rawpixel.com; Page 60: © pathdoc

CEP Magazine is printed with 100% soy-based, water-soluble inks on recycled paper, which includes 10% post-consumer waste. The remaining fiber comes from responsibly managed forests. The energy used to produce the paper is generated with Green-e® certified renewable energy. Certifications for the paper include Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Programme for the Endorsement of Forest Certification (PEFC).

Departments
5 News
7 SCCE news
9 People on the move
67 Takeaways
68 SCCE upcoming events
69 2020 CEP index

Articles
38 Engage with your marketing team to avoid influencer marketing risks, by Caroline Franco
Influencer marketing predates social media, and as the practice evolves, so do the risks.
44 [CEU] Your organization has received a data access request. What now?, by Patrick O'Kane
Is your company ready to handle a data access request under GDPR and the CCPA?
48 New data reveal the growth of compliance in Latin America, by Alejandra Montenegro Almonte and James Tillen
Explore the diverse and ever-changing compliance landscape in Latin America.
54 Ensuring organizational justice for all, by Emeka N. Nwankpah
Does your organization treat all investigations with fairness and consistency?
58 [CEU] Is your company's job applicant-tracking system making compliant inquiries?, by MaryEllen O'Neill
Examine your tracking system for job applicants. You may uncover some inappropriate — or illegal — practices.
Regional Compliance & Ethics Conferences
Updates on the latest news in regulatory requirements, compliance enforcement, and strategies to develop effective compliance programs. These one-day events include general and specialty sessions, as well as opportunities to network with industry peers. Attendees will have the opportunity to earn live Compliance Certification Board (CCB)® continuing education units (CEUs). Virtual and in-person conference formats vary.

January 8, 2021 • Asia (VIRTUAL)
January 22, 2021 • Southern California (VIRTUAL)
February 4, 2021 • South America (VIRTUAL)
February 11, 2021 • Middle East & Africa (VIRTUAL)
February 26, 2021 • Alaska (VIRTUAL)
March 5, 2021 • Minneapolis, MN (VIRTUAL)
March 26, 2021 • Boston, MA (VIRTUAL)
April 8, 2021 • Asia (VIRTUAL)
April 23, 2021 • Tampa, FL (VIRTUAL)
May 7, 2021 • Richmond, VA (VIRTUAL)
May 14, 2021 • San Francisco, CA (VIRTUAL)
June 18, 2021 • Nashville, TN (VIRTUAL)
July 16, 2021 • Chicago, IL (VIRTUAL)
August 13, 2021 • Atlanta, GA (VIRTUAL)
September 17, 2021 • Scottsdale, AZ (VIRTUAL)
October 8, 2021 • Washington, DC
October 22, 2021 • Dallas, TX
November 5, 2021 • Columbus, OH
November 12, 2021 • Seattle, WA
December 3, 2021 • Philadelphia, PA

Visit the website for more information: corporatecompliance.org/regionals
News

US sanctions Russian research facility for alleged cybercrimes
The United States Department of the Treasury's Office of Foreign Assets Control announced sanctions against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, on October 23.1 The research center is accused of using malware (the Triton malware named in the Treasury release) to target facilities in the Middle East in 2017 and again in the US in 2019. The attack in the Middle East focused on a petrochemical facility, while the US attacks were probes to identify security vulnerabilities in the domestic energy infrastructure.

"'The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,'" said Secretary Steven Mnuchin.2 "'This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.'"

Brazilian meatpacking company settles multiple investigations by US authorities
Brazil's J&F Investimentos and JBS SA agreed to pay fines to the United States Department of Justice and the Securities and Exchange Commission for bribery and insider trading.3 J&F, owned by two Brazilian brothers, controls JBS, the largest meatpacking company in the world. The brothers admitted to bribing Brazilian politicians in order to gain financing and other benefits for the company. The bribery scheme involved multiple subsidiaries of J&F, including Pilgrim's Pride. The DOJ fined the company $256 million, but half of the full penalty amount was credited to fines paid to Brazilian authorities.

J&F now has extensive holdings in the US, and as equity analyst Marco Saravalle told The Wall Street Journal,4 "The important thing about the company is that they have good operational assets and the executives are motivated to produce results for shareholders."

ICO fines Marriott £18.4 million for data breach
After extended investigations and negotiations, the United Kingdom's Information Commissioner's Office levied a fine of £18.4 million against Marriott International Inc. for a data breach that occurred in 2014.5 The breach was one of the largest leaks of personal data in recent years, affecting more than 300 million guests. The breach affected Starwood Hotels and Resorts Worldwide Inc., which Marriott acquired in 2016.

The investigation was complicated by Brexit, the passage of the General Data Protection Regulation (GDPR), and the fact that Marriott was accepting responsibility for a breach that happened prior to the acquisition. The Information Commissioner's Office stated that the fine was under GDPR and in cooperation with European Union data protection authorities.

UK Serious Fraud Office releases DPA guidance
The United Kingdom's Serious Fraud Office published new guidance related to deferred prosecution agreements (DPAs).6 The guidance, nested in the office's internal SFO Operational Handbook, offers insight into how the office will approach DPAs, what is required of companies that seek to enter such an agreement, and some of the standard requirements placed upon companies that do enter DPAs.

The guidance also clearly delineates the procedures involved in securing a DPA; what information, if any, is released to the public; how a DPA looks when entered into the legal record; and the criminal offenses to which DPAs can apply. One of the most salient parts of the guidance, from a company's point of view, describes the procedures prosecutors must go through in order to determine whether a company should be prosecuted in court or whether the Crown should enter into a DPA. CEP

Endnotes
1. Maggie Miller, "Treasury sanctions Russian group accused of targeting US critical facilities with destructive malware," The Hill, October 23, 2020, https://bit.ly/2Jhofdf.
2. United States Department of the Treasury, "Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware," news release, October 23, 2020, https://bit.ly/3oDTAax.
3. Harry Cassin, "Brazil holding company agrees to pay $285 million to settle FCPA violations," The FCPA Blog, October 14, 2020, https://bit.ly/3kItn8l.
4. Luciana Magalhaes, Samantha Pearson, and Jacob Bunge, "Meat Giant JBS's Owner Settles U.S. Corruption Charges," The Wall Street Journal, October 14, 2020, https://on.wsj.com/31WR0mf.
5. Jonathan Armstrong and André Bywater, "Client Alert: ICO Fines Marriott £18.4m after Data Breach," Cordery Compliance, November 3, 2020, https://bit.ly/3oSh5wC.
6. United Kingdom Serious Fraud Office, "Deferred Prosecution Agreements," SFO Operational Handbook, accessed November 9, 2020, https://bit.ly/3eftBRY.
Virtual Compliance & Ethics Essentials Workshop
Be a more effective member of your compliance team. Attend our new virtual Compliance & Ethics Essentials Workshop for an introduction to compliance and ethics taught by industry leaders. The curriculum focuses on the core elements of an effective compliance program to help you build a foundation for your career. Workshops are limited to 150 participants. Register early to secure your spot!

In addition to the valuable education this program provides, participants also will be able to earn all of the continuing education units (CEUs) required to sit for the Certified Compliance & Ethics Professional (CCEP)® exam. Interested in elevating your career? To learn more about eligibility and other Compliance Certification Board (CCB)® exams, visit corporatecompliance.org/certification.

Topics include:
• Introduction and background to compliance and ethics programs
• Standards and procedures
• Governance, oversights, and authority
• Risk assessment
• Due diligence in delegation of authority
• Communication and training
• Incentives and enforcement
• Monitoring, auditing, and reporting systems
• Investigations
• Response to wrongdoing
• Program improvement
• Overview of FCPA, UK bribery, conflict of interest, and privacy and data security
• Key skills necessary for compliance professionals

Upcoming workshops: January 11–14, 2021; March 1–4, 2021
Learn more: corporatecompliance.org/essentialsworkshops
SCCE news
SCCE Association News

SCCE Compliance & Ethics Essentials Workshops
corporatecompliance.org/essentialsworkshops

SCCE's Compliance & Ethics Essentials Workshops provide a comprehensive introduction to the elements of a compliance program. These virtual programs are ideal for individuals with less than two years of experience in compliance, including those that have just entered compliance for the first time. The four days of training are designed to help new compliance professionals develop and improve their compliance skills and become more effective members of the compliance team.

Attendees will have the opportunity to earn 21.6 live Compliance Certification Board (CCB)® continuing education units (CEUs) from their desk, enough to sit for the Certified Compliance & Ethics Professional (CCEP)® exam.* Workshops are limited to just 150 participants. Don't wait to enroll. CEP

Upcoming workshops
◆ January 11–14, 2021
◆ March 1–4, 2021

Learn more: www.corporatecompliance.org/essentialsworkshops

*To see all the requirements to sit for the certification exam, including work experience, please visit www.corporatecompliance.org/certification.
Stay informed

The Compliance & Ethics Blog
Read educational insights and compliance news from industry professionals or share your knowledge with the compliance and ethics community by submitting an article.

Compliance Perspective Podcasts
Listen to the insights of compliance and ethics experts as they discuss everything from assessing risk, understanding the latest regulations, reporting to the board, and training your workforce.

Subscribe to Compliance Perspectives here:
iTunes: apple.co/1TCNS24
Email: bit.ly/podcastsub
Android: bit.ly/1Z3S2la

Learn more: complianceandethics.org
People on the move
◆ Aida M. Lebbos has joined the University of Maryland Global Campus as associate vice president, institutional compliance and risk, in Adelphi, Maryland, USA.
◆ In Purchase, New York, USA, Allison Kiene has been appointed Argo Group's new group general counsel.
◆ New York-based Gemini Trust Co. LLC announced the appointment of Andy Meehan as chief compliance officer of the Asia-Pacific region.
◆ Ashley Carr is the new director of code enforcement for the city of Clarksburg, West Virginia, USA.
◆ In Madison, Wisconsin, USA, Katie Ignatowski has been promoted to chief compliance officer for the University of Wisconsin system.

Where's your career taking you?
If you've received a promotion or industry award, accepted a new position, or added a new staff member to your compliance department, let us know! It's a great way to keep the compliance community up to date. To submit your news, visit http://bit.ly/2snNxdJ or email margaret.martyr@corporatecompliance.org

CEP Magazine is also available online on compliancecosmos.org
Cover Feature
Enhancing processes is just the tip of the iceberg
Meet Renée Wardlaw, Senior Director of Corporate Compliance and Associate General Counsel for Bristol Bay Native Corporation in Anchorage, Alaska, USA
an interview by Adam Turteltaub

Renée Wardlaw (rwardlaw@bbnc.net) was interviewed by Adam Turteltaub (adam.turteltaub@corporatecompliance.org), Chief Engagement & Strategy Officer at SCCE & HCCA.
AT: First, it would be good if you could give an overview of the Bristol Bay Native Corporation's purpose and structure. It's unique.

RW: Unique is an understatement. Bristol Bay Native Corporation (BBNC) was established by the Alaska Native Claims Settlement Act of 1971 with the mission of "Enriching Our Native Way of Life." Headquartered in Anchorage, Alaska, BBNC works to protect the land in Bristol Bay, celebrate the legacy of its people, and enhance the lives of its shareholders — the Native people of Southwest Alaska's Bristol Bay region. BBNC has five separate and distinct business lines, which include industrial services, government services, construction, tourism, and seafood. Our businesses are diversified with successful operations that house subject matter expertise in specific industries. While we are a for-profit corporation, we are unique in that our shareholders receive dividends derived from business profits. We are proud to work in partnership with our subsidiaries to ensure that all employees are operating with integrity and fulfilling BBNC's mission to enrich the lives of our shareholders.

AT: Like many other native organizations, you are also a government contractor. What kind of complexity does that add to the compliance program?

RW: It is a bit complex, but I'll try to explain it simply. Alaska Native corporations are eligible to participate in the Small Business Administration (SBA) 8(a) Business Development Program and, by federal statute, are deemed socially and economically disadvantaged. BBNC has been involved in government contracting since early 2000 and has been fortunate to have minimal turnover in key leadership. Those key leaders have in-depth technical and management experience to navigate the regulations and complexities pertaining to government contracting. Applicable laws are routinely updated and strictly enforced with severe penalties for offenses. It is critical to have a compliance program that meets mandatory requirements: qualified personnel, processes and policies, mandated training, internal controls, and reporting obligations. Our code of ethics provides an overarching resource to all employees and includes a specific section on the importance of business ethics and integrity in government contracting. Additionally, we have a network of employees enterprise-wide who have expertise in specialized areas of government contracting in the SBA 8(a) program.

AT: I want to focus for a bit on you and your experiences. Normally, graduate degrees don't come up in these interviews, but you have both a JD and an MBA. There are lots of lawyers in compliance, but not as many MBAs as there probably should be. How does the MBA inform the way you approach compliance issues?

RW: Having multiple interests can be a gift and a curse. I obtained my JD and MBA in a joint program at American University in Washington, DC. I have always been interested in business. I believe that compliance professionals are an essential resource for successful business operations. I first try to approach any compliance issue by looking at the perspective of the various stakeholders involved in the matter, along with BBNC's policies. Because I have an MBA, I feel I can better appreciate the business perspective and efficiently resolve questions or concerns about a proposed resolution. This augments my role as not only an issue spotter but also a problem solver.

AT: You also had experience working as a prosecutor, working as an assistant attorney general in Alaska. How well do you think prosecutors at the state level appreciate compliance programs?

RW: I am sure that fellow compliance professionals will agree with me that all prosecutors are compliance champions, whether they realize it or not. As an assistant attorney general, I represented the Alaska Division of Banking and Securities. A civil or criminal matter would come to the division's attention, and then we would investigate the issue and process the matter for resolution. From time to time, a matter would push the division to draft new statutes or regulations to accomplish a widespread fix to an underlying issue. I gained a wealth of experience in statute and regulation writing and internal investigations. This knowledge provided me with an excellent foundation for working in a diversified corporate environment. Prosecutors and compliance professionals engage in a similar loop of proactive measures focused on reducing and resolving risks. I believe prosecutors appreciate the importance of compliance programs and value their function to reduce and resolve civil or criminal matters.

In alignment with the most recent Department of Justice guidance for corporate compliance programs,1 BBNC and its subsidiaries use a risk-based approach to create and maintain right-sized compliance programs. Where some of our businesses have more significant risks and regulatory oversight, it is important to rely on qualified personnel within the specific business to develop and maintain appropriate compliance programs. We strive to be in partnership with subject matter experts to ensure we are delivering the right amount of compliance to reduce overall risks to operations.

AT: Let's go back to your day-to-day work. BBNC operates in almost all 50 states and nearly 16 countries. How does it stay interconnected to ensure all its employees are operating with integrity?

RW: Connecting with others is my favorite part about being a compliance professional for BBNC. We have grown leaps and bounds over the past 10 years, and are proud of our growth and commitment to integrity in the US and abroad. Because its employee population spans the globe, BBNC uses technology as a tool to ensure its employees have the most up-to-date resources available to them. We maintain an electronic policy library, including an interactive code of ethics, and use an electronic learning management system to create and deploy customized trainings in various areas. At BBNC, we want to make sure that employees not only know the rules for business but that they also know how to make ethical and compliant business decisions.

AT: What comprises BBNC's compliance department?

RW: The compliance department is overseen by the chief compliance officer (CCO), who reports to the general counsel. I, as the senior director of compliance, report to the CCO, and I am charged with carrying out the compliance program, including developing and tracking training, policy management, investigations, and compliance-driven incentives. Our compliance specialist provides administrative support to the team. Our records and information management team, which manages the life cycle of records for the organization and its subsidiaries, is also a part of the compliance department.

AT: BBNC headquarters are in Anchorage, Alaska, which is a remote location. How does it ensure its leaders incorporate ethics and compliance into their business operations?

RW: Being in alignment with leadership has proven to be a great asset to BBNC's compliance and ethics initiatives. For the past 11 years, BBNC, with the support of the executive team and board of directors, hosts an Annual Leadership & Compliance Conference. The conference brings together BBNC leadership from across the country to receive training in leadership, compliance, and ethics. The conference attendees are charged with sharing the training with their employees. Sharing information from the top ensures that the message of compliance and ethics is spread to all employees. BBNC has never wavered from its commitment to operating with integrity as it is continued on a trajectory of growth.

This year, we supplemented our conference with our first Spotlight on Compliance, which was a weeklong series of events, release of tools and materials, and outreach to each of our employees. The Spotlight on Compliance allowed BBNC to deliver the message that each of us is the i in "integrity." We are looking forward to this being an annual event.

AT: How does BBNC's leadership support compliance within the organization?

RW: Leadership is not only about talking the talk but also about walking the walk. The executive team is committed to an ethical corporate culture. BBNC promotes a servant-leadership philosophy, which focuses on the development of good corporate citizens who are empowered to make ethics and compliance a part of their everyday life. Our executive team understands that compliance is a crucial component of any successful business and models supportive leadership throughout the organization, holding themselves to the highest standards. Their support of the compliance department and active participation in the Annual Leadership & Compliance Conference is a true demonstration of talking the talk and walking the walk.

AT: Finally, let's look to the future. How do you see compliance evolving over the next few years?

RW: The most exciting aspect of being a compliance professional is the never-ending areas where compliance and ethics can enhance existing processes. I see compliance becoming more integrated into the day-to-day business decisions of a successful corporation. I believe that compliance professionals can bring significant value to their business operations by promoting electronic collaboration tools. Ultimately, compliance is grounded in genuine and authentic relationships with others. So long as compliance professionals stay connected to the business operations they serve, they will be valued members of a successful business team.

AT: Thank you, Renée! CEP

Endnotes
1. U.S. Dep't of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.
Save the Date: 2021 CEI, Compliance & Ethics Institute, September 19-22
Learn more: corporatecompliance.org/2021CEI
A view from abroad
Personal impact statement
by Sally March

On December 31, the UK's Brexit transition period comes to an end. As I write this, the representatives of the UK and EU are still talking about whether a trade deal can be reached and, if so, what it will look like. With no clarity and only days left to prepare, on top of the fluid responses here and in other countries to COVID-19, we have uncertainty squared. Also, though I am writing before the US election has been certified, the count kept us on the edge of our seats. In uncertain times, psychologists advise us to focus on the things we can control.

Business pundits are advising senior executives to focus on purpose. As one of these firms puts it, "What is your company's core reason for being, and where can you have a unique, positive impact on society?"1 Employees feel that purpose is important, yet most say that if their company has a purpose statement, it isn't having an impact. We've seen some good examples in the past year of companies that do have a clear purpose and whose leaders use that to make tough decisions in tough times. Unilever, for example, has clear purpose, values, and principles, and as part of its commitment to communities, it has been promoting good hand-washing habits around the world for years. In 2020, they brought their experience to schools in the UK, helping teachers when schools reopened.

Not all of us can have input on our corporate purpose statement, but each of us can, and should, be clear about our own purpose. It's probably not in a job description, but understanding how our role fits in with the organization's objectives is a good start. Ask, "Where can I have a positive impact?" At this stage, mine is to inspire the new generation of ethics and compliance professionals to think beyond boundaries. And for leaders, helping team members understand their unique purpose will help them focus on things they can control in these uncertain times. CEP

Sally March (sjmarch10@gmail.com) is Director, Drummond March & Co, in London, UK.

Endnotes
1. Arne Gast et al., "Purpose: Shifting from why to how," McKinsey Quarterly, April 22, 2020, https://mck.co/3jY6pbO.
Feature

RETURNING TO BUSINESS TRAVEL: MITIGATING RISK FOR YOUR EMPLOYEES
by Michael F. Savicki

Michael F. Savicki (michael.savicki@amexgbt.com) is Vice President for Risk, Compliance & ESG—The Americas, and Global Head of Privacy & Commercial Compliance at American Express Global Business Travel.

The disruption of recent months has forced companies around the world to rewrite business plans and alter operations. Perhaps most significant has been the unprecedented migration of workers to virtual, work-from-home environments, necessitated by travel restrictions and the widespread lockdown of citizens. But as the rules curtailing people's movement are eased, much has been written and said about the best way to get people back to their offices.

One topic not discussed as much as it should be is the return of business travel. While the number of flight bookings remains generally low, there has been a recent uptick in some locations. In October 2020, for example, more than a million passengers passed through the Transportation Security Administration checkpoints for the first time since the lockdown began.1 Companies, therefore, would be well advised to start preparing.

Update your travel policy
In the past, travel policy reviews commonly took place once a quarter, or even once a year. Today, employers need processes that enable a regular review and update of their travel policy. While doing so, companies must understand the need to protect both the well-being of employees and their own corporate reputation. For example, employers may insist all employees use masks or facial coverings for air and rail travel regardless of whether it is mandated by the operator or relevant authority. At the same time, a company could allow a business traveler to book an airline that employs an open middle seat policy even if it's not the lowest fare available on a particular route. In the policy update, employers could also stress the need to follow the Centers for Disease Control and Prevention (CDC) best practice guidance for overnight hotel stays and dining out while traveling.

Monitor government mandates prior to booking
Federal, state, and local governments have responded to COVID-19 with restrictions designed to stop the spread. These requirements continue to change on a regular basis. For example, certain states in the northeast of the United States have enacted mandatory two-week quarantine requirements for travelers from the majority of other states, and all nonessential travel remains prohibited between the US, Canada, and Mexico. The CDC, on the other hand, recently announced a more nuanced approach by indicating that it will no longer require all flights carrying airline passengers arriving from, or those who recently had a presence in, mainland China, Iran, the Schengen region of Europe, the UK/Ireland, and Brazil to land at one of 15 designated US airports and will halt enhanced entry health screening for these passengers.2 Instead, the CDC indicated that it would be implementing a new enhanced risk-mitigation strategy to reduce the risk of travel-related disease transmission by prioritizing other public health measures, including (i) increased education and outreach, (ii) contact tracing, (iii) increased testing, and (iv) post-arrival recommendations for monitoring and potential quarantine, among other activities.

Accordingly, employers must make sure travelers can access up-to-date information about travel restrictions, including border closures, entry requirements, and quarantine measures, in addition to having a documented internal approval process in place prior to booking. Because these regulatory developments are constantly evolving, global travel management companies (TMCs) are uniquely placed to help travel managers keep travel policies current while making sure travelers stay well informed prior to and during their business trip.

Monitor travelers while traveling
Employers should be particularly mindful of their duty of care obligations for their travelers, as there are many areas to address. For starters, employers should strongly encourage travelers to book travel within the company's existing tools and policies and provide personal protective equipment or ensure that the selected supplier will do so for the journey. Employers should also, either directly or via their TMC, ensure their travelers are fully aware of all risk-mitigation best practices while traveling. For example, the US government, via the departments of Transportation, Homeland Security, and Health & Human Services, issued nonbinding guidance that highlighted best practices and key mitigation strategies for travelers, airlines, and airports.3 The guidance stressed the need for individual traveler education, face masks or facial covering throughout the journey, and use of apps to facilitate contactless travel to the greatest extent possible.

In addition, an employer's global security team or TMC should have tools that locate employees traveling on business, such as tracing corporate card swipe data or geo-tracking via a mobile app on a company device. Should an event occur, employers will want to contact their travelers and will need immediate access to this information. Finally, if an employee falls ill during a trip, employers will need the right insurance and a way to efficiently repatriate the individual.

Communicate with employees following the trip
After a traveler returns home, employers should have a documented process for employees to report any illness prior to returning to the office. If an employee returns from the trip feeling ill or with potential symptoms, employers should encourage them to seek medical assistance and/or quarantine.

Stay on top of the requirements
At its core, business travel is a force for good. The restart of travel will accelerate the economic recovery needed to get the world moving again. Employers should be aware and mindful of the various government and supplier requirements, develop internal policies and procedures, and partner with an experienced global TMC to support the end-to-end business travel experience for their travelers. CEP

About the author
Prior to joining American Express GBT, Michael F. Savicki was senior attorney – compliance & corporate governance at Sikorsky Aircraft Corporation; secondee counsel at Deutsche Bank's Litigation and Regulatory Enforcement Group; and senior litigation associate at Fried, Frank, Harris, Shriver & Jacobson LLP. He began his legal career as a law clerk at the United States Second Circuit Court of Appeals. He is a graduate of Tulane Law School and Connecticut College and a member of the Connecticut, Massachusetts, and New York state bars. This article reflects his personal views.

Endnotes
1. Transportation Security Administration, "TSA screens over 1M passengers on a single day for the first time since March," news release, October 19, 2020, https://bit.ly/3lkWQVV.
2. Centers for Disease Control and Prevention, "Federal Government Adjusts COVID-19 Entry Strategy for International Air Passengers," news release, September 9, 2020, https://bit.ly/3lcQbxe.
3. U.S. departments of Transportation, Homeland Security, and Health & Human Services, Runway to Recovery: The United States Framework for Airlines and Airports to Mitigate the Public Health Risks of Coronavirus, July 2020, https://bit.ly/36j2gdV.

Takeaways
◆ Governments have responded to COVID-19 with various restrictions designed to stop the spread. These requirements continue to evolve.
◆ Considering the increase of air travelers passing through security checkpoints, companies should develop the end-to-end business travel experience for their travelers.
◆ Organizations' travel policies need to be regularly reviewed and updated to protect both the well-being of employees and their own corporate reputations.
◆ A documented internal approval process should be in place prior to booking and provide employees with up-to-date travel requirements, including border closures and quarantine measures.
◆ Employers should be mindful of their duty of care obligations and require travelers to book using the company's tools and policies for oversight purposes.
The other side of the story
Operation Car Wash affects compliance programs
by Shin Jae Kim

Shin Jae Kim, CCEP, CCEP-I (skim@tozzinifreire.com.br) is the head of the Compliance & Investigation practice at TozziniFreire Advogados in São Paulo, Brazil.

Petrobras was under the spotlight of Operation Car Wash — an unprecedented corruption scandal in Brazil. Once a beloved Brazilian company, Petrobras suffered a big hit, and its market value reduced dramatically. Failures and weaknesses of its internal controls to prevent and detect ethical deviations became evident. To rebuild its reputation and market trust, Petrobras went through a transition phase and has been investing in the implementation of an effective corporate governance system and improvement of its compliance program.

Marcelo Zenkner, chief governance and compliance officer of Petrobras, told me that, in response to the facts disclosed in Operation Car Wash, Petrobras had to work fast to mitigate risks by creating a robust compliance system, which included new controls and procedures. This phase generated the perception by some of increased bureaucracy and loss of agility. In a second phase, the company moved to an effective integrity system, where compliance became instilled in every employee in the company.

Another initiative adopted by Petrobras is the third-party due diligence. This procedure scores third parties based on integrity risk, or Grau de Risco de Integridade (GRI), and attributes low, medium, and high GRIs to potential suppliers. The result of this GRI assessment is used by Petrobras to select or ban third parties to participate in public tenders conducted by Petrobras. If a company is attributed with a high GRI score, the company is automatically blacklisted from participating in public tenders and cannot be selected as a Petrobras supplier. If this is the case, however, the company may still choose to present further information and evidence of its compliance program and/or remediation of red flags identified during the integrity due diligence to have its GRI score reviewed.

Recently, many companies have been seeking judicial measures against Petrobras' blacklisting as a result of a high GRI.1 Courts (both judicial and administrative bodies)2 have ruled both in favor of and against the GRI system adopted by Petrobras, but the matter has not yet been addressed by Brazilian high courts, and it is too early to predict what the majority position will be in this regard. Certainly, this new procedure adopted by Petrobras will have a domino effect on its supply chain, particularly on the implementation of strong compliance programs. CEP

Endnotes
1. Robson Bonin, "Petrobras rejects contractors for 'high integrity risk,'" Veja, updated October 17, 2020, https://bit.ly/38D4gAn.
2. Valor Econômico, "Justice puts Petrobras Compliance in check," Meritum, October 24, 2018, https://bit.ly/3pjWG3A.
PROTECTING CORPORATE DATA IN THE WORK-FROM-HOME ERA
by Melody Haase

Melody Haase (melody@4discovery.com) is the Head of Client Success at 4Discovery, a digital forensics firm based in Chicago. /in/melodyannhaase

Work restrictions created by COVID-19 forced companies worldwide to quickly adopt technologies and fundamentally change the way they do business. In October 2020, McKinsey & Company released the results of a survey that showed companies exponentially adopted digital technologies to do business, and these same companies do not expect that to change.1 However, in a rush to adopt new technologies during a crisis, companies were often focused on business continuity rather than security.

Security companies around the globe have reported increases in ransomware, data breaches via email, and unauthorized access to systems. Data breaches of all shapes and sizes can fundamentally impact a company's ability to do business and/or its reputation. Many articles about data security are focused on outrageous statistics and horror stories of businesses shutting their doors because of a security incident. Rather than focusing on scary statistics and costly solutions, this article will focus on general security concepts and some common things companies can do to enhance corporate data privacy during the work-from-home era. By the end of this article, readers will be better informed and more prepared to take the next steps to protect corporate data.

Understanding the threat landscape
Security threats can largely be placed into two categories: internal threats and external threats. Internal threats typically arise because of some sort of employee behavior, whether intentional or not. This can take many forms, such as an employee who becomes the victim of a phishing attack, a rogue employee who steals data, or an employee who carelessly leaves sensitive files in an unsecured location. External threats are actors outside of the organization that are aimed at gaining access to corporate systems and data. Typically, they gain access to systems by leveraging poor security practices, malware, or exploits. Luckily, many of the tools used to thwart bad actors can be used to mitigate both internal and external threats.

Additionally, every company has different clients, employee bases, and thresholds for risk tolerance. This can affect how each company views security. There is an age-old debate in the security industry about security vs. convenience. For those promoting security, there is a push for more protections and steps to access systems. For those who promote convenience, there is a push for less security to make systems easier to access for the sake of business convenience. However, there are always implications to these decisions that may require companies to change the way they do business.

A great example of how to think about security vs. convenience is the practice of blacklisting IP addresses by country. Blacklisting is the process of blocking items. In the context of IP addresses, it means that you can choose to block all IP addresses coming into your systems from hacking hotspots like Russia or China. If a company only does business inside of the United States and only has employees inside of the United States, it may be a feasible option to turn off the rest of the world's IP address range. However, it may be more complicated and less feasible for a global business to employ these same policies to reduce risk because it may affect its ability to provide system access to its customers and employees. Geo-blocking also only raises the cost of an attack: an adversary can route through a VPN, a cloud host, or a compromised machine in an allowed country, so it should be treated as noise reduction rather than as a control on its own.

Physical security has drastically changed
Before COVID-19, companies were accustomed to all of the physical and environmental security in their facilities. Security cameras were online to monitor physical activities inside of locations. Badge access was required to enter buildings. Shredding boxes were placed around locations to ensure sensitive data was disposed of properly. Printers asked for passwords before printing to prevent the wrong person from picking up sensitive documents. Locked file cabinets were housed in offices to prevent access to sensitive files. Doors were placed on offices and conference rooms to prevent people from hearing confidential phone calls.

Work from home has completely upended the physical security environment. When COVID-19 hit, many individuals were not prepared to work from home. Many people did not even have workstations or desks. Many homes do not have security cameras or require badge access. Shredding, printers with password access, and locked file cabinets are likely not available. Spouses often share workspaces and hear each other's conversations. If the company is allowing Bring Your Own Device (BYOD), it also means that the computer being used for work may or may not have shared access between numerous individuals in the house. While companies may not be able to control this environment, they can, at a minimum, provide training to employees, as well as provide them with more secure ways to access systems.

Security requires a shift in mindset
In order for companies to transition traditional security practices to work from home, more emphasis must be placed on giving employees tools to be successful with their personal security, including training them on basic security practices. Many corporate security exercises contain information about and examples explaining what to do inside of an office and the corporate environment. However, this training typically does not include information on keeping data secure in an unsecured environment like a typical home setting.

Training should be changed to focus on the employee's home security practices and how they relate to corporate data security. Some items employees should be educated on are:
◆ Changing standard settings on routers and modems;
◆ Checking and strengthening security settings on their operating systems, web browsers, and other applications;
◆ Limiting the number of applications they install to prevent application-level security issues;
◆ Creating unique usernames and passwords for devices and accounts that house corporate data;
◆ Spotting phishing and malware attack threats that they may encounter;
◆ Protecting physical access to devices containing corporate data;
◆ Disposing of documents in line with corporate policies; and
◆ Reporting security incidents to the appropriate parties.

Employees should be reminded of security often. They must be reminded that they are constantly interacting with confidential
corporate data and should act accordingly. If the company has a corporate newsletter or bulletin, dedicating a portion of it to security practices can be extremely beneficial. It can help reinforce the items learned during training as well as provide employees updates about changes in the corporate security environment.

A primer on BYOD
At the beginning of COVID-19, many employees that typically worked in secure corporate environments were sent home to work on home computers, personal cell phones, and home networks. From a security standpoint, BYOD is not recommended. It is a great area of risk, and policies and practices related to BYOD are riddled with issues. There are simply too many variations on BYOD for an in-depth analysis in this article. However, because of BYOD's risk, it is necessary to stop and consider it as part of a general security plan.

These personal devices often have no form of mobile device management or data loss prevention software installed on them, both of which provide an extra layer of protection to corporate data and accounts by allowing corporate information technology (IT) to have some administrative oversight of the device and the data contained on the device. When companies allow individuals to use their own devices for work without any protections, the company ultimately loses control of that device and the data stored on it.

Because the employee owns the device and controls access to the device, it becomes complicated and can even become a legal battle to perform basic functions such as protecting data for litigation holds and retrieving data for internal investigations. Similarly, employees control security patches and have the ability to install whatever software they want. This can allow insecure devices to connect to corporate infrastructure and create additional security incidents. Most importantly, employees can commingle personal and professional data on any of their devices and accounts.

Often, BYOD policies, processes, and procedures do not require employees to sign a declaration certifying they have deleted corporate data from the device and/or their personal accounts upon the termination of their employment. This declaration is beneficial to collect in the event litigation for theft of corporate data needs to occur. At a minimum, every company should stop and consider its current BYOD practices, conduct a risk assessment regarding the safety and security of the data accessed by BYOD users, check if its policy is currently updated for COVID-19-related activities, and ensure the policy addresses how to retrieve and/or certify the destruction of corporate data at the end of the work-from-home period or upon termination of employment.

Security starts at the top
While the first part of this article focused on employees and the home environment, the major component of corporate security comes from within. Corporate security is best implemented, practiced, and enforced when it comes from the highest leadership levels. Communication about security and buy-in needs to happen at all levels of the organization to ensure that all security policies and practices are followed. How do you create a culture of security?

Start by conducting an assessment of your policies and procedures. Each of them needs to be updated to adjust for employees who are now potentially working in unsecured areas using unauthorized equipment and accounts. Simultaneously, the incident response playbook should be reviewed and updated to ensure parties still have a streamlined way to respond to incidents. Once updated, these policies and procedures should be redistributed to employees for review.

This should all be pushed out with an enhanced work-from-home training program as described above. Provide employees with common examples of security mistakes, how they affect the business, and how they could have been prevented with stronger security practices. These exercises do not need to be extravagant. Simply focus on the most important areas of data security for your organization.

A cycle of continuous security improvement
A security assessment of the organization's current technology environment needs to be conducted. Network infrastructure, individual devices, and online accounts all have potential security issues that need to be checked. At 4Discovery, most of the security incident response cases we have worked on thus far had a simple root cause, such as a security setting that was never changed when a system was implemented, a system that was unpatched, or reusing an administrator username and password throughout an entire infrastructure.
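The three root causes just listed (a default setting never changed, an unpatched system, and one administrator credential reused everywhere) are exactly what a first-pass inventory audit should flag. The following is an added example, not code from the article or from 4Discovery: a Python script that runs those checks over a constructed asset inventory. The inventory, the vendor-default credential list, the 30-day patch threshold and the fixed reference date are assumptions for the demo; a real run would pull the same fields from the CMDB, the patch manager and the firewall configuration.

```python
from __future__ import annotations
# Added example (not from the article): audit a constructed asset inventory for
# default credentials, missing patches, internet-exposed admin ports, disabled
# logging, and administrator credentials reused across assets.
import hashlib
from datetime import date

ADMIN_PORTS = {22, 3389, 445, 5985, 5986}   # SSH, RDP, SMB, WinRM
ANY_SOURCE = "0.0.0.0/0"
MAX_PATCH_AGE_DAYS = 30                      # assumed policy threshold
REFERENCE_DATE = date(2021, 1, 15)           # fixed so the result is reproducible


def pw_hash(password: str) -> str:
    """Unsalted SHA-256 is used only so the demo can compare secrets without
    keeping plaintext in the inventory; it is not a password storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed list of vendor defaults we want to catch.
DEFAULT_CREDENTIALS = {
    ("admin", pw_hash("admin")),
    ("admin", pw_hash("password")),
    ("root", pw_hash("toor")),
}

# Constructed inventory (assumed field names). 'inbound' holds (port, source CIDR)
# firewall allows; 'last_patched' is the date the last update was applied.
INVENTORY = [
    {"name": "edge-fw-1", "admin_user": "admin", "pw": pw_hash("admin"),
     "last_patched": date(2020, 9, 1), "logging": False,
     "inbound": [(443, ANY_SOURCE), (22, ANY_SOURCE)]},
    {"name": "file-srv-1", "admin_user": "svc_admin", "pw": pw_hash("Wint3r!2020"),
     "last_patched": date(2021, 1, 10), "logging": True,
     "inbound": [(445, "10.0.0.0/8")]},
    {"name": "jump-host", "admin_user": "svc_admin", "pw": pw_hash("Wint3r!2020"),
     "last_patched": date(2021, 1, 12), "logging": True,
     "inbound": [(3389, ANY_SOURCE)]},
    {"name": "db-1", "admin_user": "dba", "pw": pw_hash("Correct-Horse-9-Battery"),
     "last_patched": date(2021, 1, 14), "logging": True,
     "inbound": [(5432, "10.0.1.0/24")]},
]


def audit(inventory: list[dict], today: date = REFERENCE_DATE) -> list[tuple[str, str, str]]:
    """Return (asset, check, detail) findings, sorted so repeated runs diff cleanly."""
    findings = []
    seen: dict[tuple[str, str], list[str]] = {}   # (user, hash) -> assets using it
    for a in inventory:
        name = a["name"]
        cred = (a["admin_user"], a["pw"])
        if cred in DEFAULT_CREDENTIALS:
            findings.append((name, "default-credential",
                             f"admin account '{a['admin_user']}' still uses a vendor default"))
        seen.setdefault(cred, []).append(name)
        age = (today - a["last_patched"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((name, "unpatched", f"last patched {age} days ago"))
        if not a["logging"]:
            findings.append((name, "default-setting", "logging is disabled"))
        for port, src in a["inbound"]:
            if port in ADMIN_PORTS and src == ANY_SOURCE:
                findings.append((name, "default-setting",
                                 f"admin port {port} exposed to the whole internet"))
    # Reuse is only visible across assets, so it is checked after the loop.
    for (user, _), names in seen.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "credential-reuse",
                                 f"admin credential '{user}' shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for asset, check, detail in audit(INVENTORY):
        print(f"{asset:12} {check:20} {detail}")
```

Comparing password hashes rather than plaintext keeps secrets out of the inventory, and the reuse check works on the (user, hash) pair, so two hosts sharing one administrator login show up even when different teams own them. Every finding here maps to one of the three root causes named in the text; with the sample data, edge-fw-1 trips all three categories while db-1 produces nothing.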
IT should constantly be in a cycle of continuous security improvement as a common course of practice. Below are some helpful practices to combat common weaknesses used by attackers to gain access to systems.

Take password protection seriously
One of the most common methods used in data breaches is password compromise. Ensure all default administrator usernames and passwords have been changed for off-the-shelf devices. Create unique administrative usernames and passwords for individual pieces of infrastructure. All accounts must require strong passwords that are long and use a variety of characters. Along those same lines, password changes should be mandatory on a routine basis to prevent any user credentials that may have appeared in past data breaches from being used to access systems. Note that current NIST guidance (SP 800-63B) favors screening passwords against known-breach lists and forcing a change when a credential is known to be compromised over calendar-based rotation, which tends to push users toward predictable variations; whichever approach is chosen, the goal is the same: a leaked credential must not keep working.

Use multifactor authentication everywhere possible
Multifactor authentication (MFA) should be required for all accounts that have the option. MFA is the process by which a user needs at least two independent factors, such as something they know (a password) and something they have (a phone or token), to enter a system. Some commonly used forms of MFA are two-factor authentication text message (SMS) codes, and hardware- or software-based tokens. While SMS codes are not recommended as a best practice for MFA (they can be intercepted or redirected at the carrier), simply having them in lieu of nothing adds an additional layer to account security.

Employ the POLP
Simply looking at all of the account settings in systems and evaluating them using the principle of least privilege (POLP) can help immensely when strengthening systems. POLP simply means that individual users only need, and thus should only have access to, the least amount of system access necessary to perform a task. Reducing people's access to systems and data limits the ability of bad actors to move throughout corporate systems using their accounts. It also hinders rogue employees who may attempt to access and exfiltrate confidential data.

Control all programs and settings
Use gold images and control the device from the start. Gold images are the standard settings and programs that are deployed on corporate assets. By using a gold image, IT can more quickly set up new machines while customizing settings to least privileges before deployment. When creating a standard, think about how much of the internet employees need to access. Do they need the ability to install software, and are they going to need to plug in USB devices? These are all common ways people exfiltrate data and attempt to cover their tracks. You can also combine this practice with POLP role-based permissions, common data loss prevention software, and/or device management solutions to maintain more control over the devices and data.

Interrogate and harden all default settings
Many systems and applications come with minimal security settings for the sake of convenience for the average user while sacrificing some security. This is done with the expectation that the user or administrator will strengthen the settings as necessary. This can be as simple as ensuring the firewall does not expose services to the entire internet, making applications ask for camera and microphone permission, and turning on logging and monitoring. The goal is to prevent bad actors from having easy access and provide IT with the tools they need to monitor attacks.

Continuously update systems
Setting a routine software update schedule every week is crucial. As an example, WannaCry and other ransomware forms were able to spread throughout the globe because systems went without patches for over two months. Years later, many systems still had not applied the patch Microsoft issued in March of 2017 (MS17-010, for the SMBv1 flaw exploited by EternalBlue).2 If companies had taken the proactive steps to patch their systems, the vulnerability would have been closed, and the intrusions never would have occurred.

Encrypt traffic with a VPN
While an organization may not be able to control an employee's home router settings, it can provide a safe way for its