In today’s episode of Countdown to General Data Protection Regulation (GDPR), Jonathan Armstrong, a partner at Cordery Compliance Ltd in London, and I consider the role of the Data Protection Officer (DPO) in complying with the new regulations, which go live on May 25, 2018. The Cordery Compliance FAQs note that a DPO must be appointed to deal with data protection compliance where:
The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data processing, and must be independent in the performance of those tasks; they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed. Given the significance of privacy compliance today, however, even if a DPO is not technically required, a business of a particular size that regularly processes data may wish to consider appointing one in any event.
The role of the DPO is critical in complying with GDPR. The time to start is now. For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the GHBER.org site.
In this episode, Matt Kelly and I take a deep dive into the implications flowing from the Supreme Court’s decision last week in Digital Realty Trust v. Somers. Matt initiated a ‘tweetstorm’ articulating his thoughts on the effects of the decision, including its effect on corporations, Chief Compliance Officers, corporate compliance functions and the Securities and Exchange Commission.
We consider what remedies Congress might enact to fix the Dodd-Frank whistleblower protections and to support employees who want to report internally and still be protected from discrimination and harassment. We consider whether corporate legal departments will now use this decision to root out and cudgel employees who report actions they believe are securities law violations. Finally, we consider the potential negative impact of this decision in light of the requirement for self-disclosure under the new FCPA Corporate Enforcement Policy.
For more on the Digital Realty Trust v. Somers decision, see the following:
Matt Kelly’s piece 16 Tweets About One Whistleblower Ruling
Last week the US Supreme Court issued its decision in Digital Realty Trust v. Somers (Somers). It was a closely watched case in the compliance community. Yesterday, I reviewed the Court’s decision. In this podcast, Roy Snell and I consider the impact of the Court’s decision on a variety of actors, including the SEC itself, Chief Compliance Officers (CCOs) and compliance practitioners, compliance programs and corporate America.
While we both agreed the Supreme Court came to the correct legal decision, there are several areas in which this decision may well have negative impacts. The first is the message it sends to potential whistleblowers: if you do not report to the Securities and Exchange Commission (SEC), you will not receive any legal protection against discrimination or retaliation.
Second is the impact on every Chief Compliance Officer (CCO) and compliance practitioner. This decision will negatively impact attempts to create a best practices compliance program. A key part of any best practices compliance program is an internal reporting mechanism (Hallmark 8 of an Effective Compliance Program).
Third, companies will be cut off from their best source of information, their own employees; companies will now have less ability to detect and remediate problems before they become legal violations, or to keep legal violations from expanding.
Finally is the impact the decision will have on the SEC itself. There is now no incentive to report internally, because you are not eligible for any financial incentive, nor will you receive any protection from discrimination or retaliation. It is possible the SEC will be literally inundated with reports of potential securities-law violations.
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including an inquiry into where the chickens are in England.
The top compliance roundtable podcast is back with a wrap-up reviewing the first year of the Trump Administration and its impact on the compliance profession. Stay tuned to the end for riffs and rants in this edition.
For Matt Kelly’s musings on Jay Clayton, the PCAOB, government rule-making and the SOX compliance debate, see the following:
For Mike Volkov’s excellent 3-part podcast series on the Mueller investigation and related blog posts, see the following:
For the Cordery Compliance client alerts see the following:
For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy see the following:
The members of the Everything Compliance panel include:
In this episode Matt Kelly and I go meta as we podcast about another podcast that Matt posted this week on his site, Radical Compliance, where he interviewed Paul Sobel, the incoming Chairman of COSO. We discuss how Sobel sees his new role at COSO, some of the initiatives he has in mind for the organization, and how companies can use the various COSO frameworks, including the Internal Controls and ERM frameworks, to better manage risk from the strategic perspective.
We use the Sobel interview as a starting point to consider how Boards of Directors can think about risk management for a wide variety of issues, from climate change to cybersecurity to sustainability. We also discuss how the COSO frameworks can be used in conjunction with more tactical forms to create a more robust overall risk management program. Join Matt and me as we go meta this week and take going into the weeds to a new level.
For Matt Kelly's interview with Paul Sobel click here.
For Matt Kelly's blog post on the COSO ERM Framework see, "COSO Debuts Final ERM Framework”
For Tom Fox's blog post on the COSO ERM Framework see, "The COSO ERM Framework”
Whether you are ready or not, the EU General Data Protection Regulation (GDPR) goes live on May 25, 2018. It will impact companies doing business in London as much as any other EU legislation. To help US companies prepare, Jonathan Armstrong and I have started a countdown to GDPR podcast. In this premiere episode we discuss what GDPR is and why it is so important that you begin preparing now.
It is quite a wide piece of legislation and covers all personal data. Armstrong noted it is important to remember that the definition of personal information is much wider than the US definition, as it includes information such as geographical locations. GDPR applies to anyone doing business in the EU. It could be as simple as having a website which is accessible to people in the EU. GDPR has heightened obligations on data security; in most cases your organization will be required to report data breaches to a UK data regulator within 72 hours of becoming aware of the breach. Another distinction is the right of an individual to ask companies what information they may hold on them and to exercise the right to be forgotten. All of these requirements present special challenges for US companies. Finally, one area that has received quite a bit of attention is the fine range. Armstrong noted, “if you’re a small business then you’re subject to a fine of 20 million euros. And if you’re a larger business that fine can be 4% of your global annual general revenue.” Lastly, to top it all off, there is a private right of action under GDPR.
Even at this late date, there are steps you can take to begin to get ready. Armstrong laid out three steps a company can take now. First, put in place a proper plan which is achievable and concentrates on the main issues, the ones Armstrong believes “are less likely to get you into trouble with the regulator or expose you to private rights of action.”
Second, Armstrong said you should look at how you relate to individuals, whether they are consumers or employees; you are going to have to be much clearer with them about how you are using data about them. To do so, you will need to engage with marketing and sales teams to make them aware of the changes that GDPR is going to make to what they do with individuals and of the transparency obligations.
Third is to have a real focus on data security. You will need to make sure that you secure everything that you can, including both soft and hard copies of data. In conjunction with this final point, you must plan for and rehearse data breach responses, because under GDPR you have, in most cases, just 72 hours to respond to a data breach, so you need to practice the scenario to be able to do that efficiently.
Near and dear to the compliance professional’s heart, Armstrong said it all begins with a risk assessment. This means your corporate compliance function may well play a very large role in your GDPR compliance. From there, manage the risks that you see in your data protection and management program. The Cordery FAQs (FAQs) regarding GDPR state, “Privacy by design and/or default will not be an add-on, but, instead, will become the norm as businesses will have to incorporate data protection safeguards into their products and services from the beginning.”
You should anticipate the need to appoint a Data Protection Officer (DPO) in your company. The FAQs state:
A DPO will have to be appointed to deal with data protection compliance where:
“The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data-processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management.”
In addition to the basic risk assessment, Cordery advises, companies should undertake “Data Protection Impact Assessments” (DPIAs). Where processing operations, in particular those using new technologies, “are likely to result in a high risk for the rights and freedoms of individuals,” an impact assessment of the envisaged processing operations on the protection of personal data must be carried out, prior to the processing, “taking into account the nature, scope, context and purposes of the processing.” The new rules also set out other additional criteria that will necessitate an impact assessment. A data protection regulator must also be consulted prior to the processing of personal data where an assessment “indicates that the processing would result in a high risk in the absence of measures taken by a data controller to mitigate the risk”.
DPIAs are likely to become common and should prove to be a very useful tool for businesses in addressing privacy risks.
For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 PM. You can find out more information on the event and register by going to the GHBER.org site.
In this episode, podcast favorite James Koukios returns to discuss highlights from international anti-corruption efforts, enforcement actions and developments highlighted in Morrison and Foerster’s December report. We highlight five developments:
For more information read the full Morrison & Foerster white paper Top Ten International Anti-Corruption Developments for December 2017
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.
One of the ongoing questions from members of Boards of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies, and I wanted to garner his understanding of the role of a Board relative to both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role: put sand in the shoes of management.
The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully can cause you to step back and really focus your resources where they're needed.”
Boards do this by posing questions to management that help them challenge their own assumptions, especially those assumptions which senior management is most confident about. Howell said that Boards “need to help senior management consider the things that management is so sure about that maybe are going to play out the way that they expect. For example, the things that can hurt investors more than anything else is a surprise. Chaos does not help investors in general. The things that surprise investors frequently are the things that also surprise management. Does management consider all of the things that can go wrong and have they built an environment where they can both help prevent those things from happening and detect them when they’re small and they can actually do something about them.”
Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.”
One of the continuing struggles I hear from Board members is asymmetrical information, largely due to the siloed nature of company information and structures. Howell acknowledged, “These sorts of barriers are pervasive in any company of any size that has a particularly operations and different product lines and different markets and different countries and different time zones. These limitations in the free flow of information by themselves create a risk to the organization, to the investors of the organization, to the employees of the organization and the board’s ability to ask questions. If nothing else in their governance control creates this reminder to management to open up itself to itself and listen carefully to its own organization and be able to link information to all of the places it needs to be fed.”
I asked Howell to further explain his phrase “open itself up to itself and listen”. He provided the following example: “how can the Chief Financial Officer make sure that he is giving all the information that the Chief Compliance Officer needs to do his job? Those questions from the board can be very valuable in making sure that the Chief Financial Officer doesn’t forget these issues and the Chief Compliance Officer has an opportunity to engage constructively with the Chief Financial Officer and others in the organization.”
Somewhat counter-intuitively, Howell noted that when it comes to the Board’s oversight role around internal controls, less is often more. This occurs by helping management understand a company can overdo a control environment, “in the sense that when management guides controls around risks that are not going to be the most serious risks to the company, that they end up building excessive amounts of energy and protection where they're not really needed. That you as a management team end up deluding your attention and deluding your resources.”
Howell went on to explain it is simply a matter of resources, “When things do go wrong, you’re in effect spread so thin that you don’t see those risks coming at you. The real question where less is more can be very valuable is when the board continues to challenge the management team on the scenarios that could play out. That could be devastating to an organization where risk really matters.”
I asked Howell if he could provide any discrete examples, and he pointed to the food service industry: “For example, in a food service company or a restaurant company, if there were contamination or if there were things that could happen either at the plant or by people who are touching the food. Those are very serious risks that a company needs to both be mindful of and to be able to prevent. If something goes wrong, you need to be able to detect early. When customers of the company or others are hurt that there’s a consequence of failures that can be devastating.”
In another example Howell said he had seen situations where internal “controls that are used for financial reporting for example, when examined in the light of where the risk really exists for the company, the companies have been able to reduce their controls actually by as many as half and improve their overall control environment and reduce the aggregate risk to the company. It’s interesting that even spending less money on controls by having fewer controls can improve the overall comfort that the company and its management and investors are protected from risk.”
A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities.
In this episode, Matt Kelly and I go into the weeds on the fascinating subject relating to the intersection of compliance and technology: AI and hotlines. Matt blogged on and podcasted with Scott LaVictor, CEO of Neighborhood Watch for Corporations. His firm has been developing an app to help employees report harassment in a way that is secure and anonymous for them, but useful for compliance officers. We explore how this phone app can assist the compliance practitioner by using technology to overcome the inherent tension in an anonymous reporting system where the reporter may desire anonymity while the CCO wants and needs as much information as possible.
The hotline app example would seem to incorporate several of these concepts, starting with its incredible ease of use as a phone app. But the AI features allow it to ask the reporter directly for additional information which will be important to the compliance professional. We discussed the following example from Matt’s blog post: “an employee might call a telephone hotline and leave a recorded message, “I saw my boss bribing some guy $500 the other day!” An app could be programmed to ask:
We also discuss why, if there is one technology tool for compliance to be bullish about, it is AI. There is an obvious cost saving, but more importantly there is the opportunity for more effective compliance risk management alongside greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. Overseeing routine transactions, answering routine questions and extracting data from documents can all be moved to a more efficient and useful platform.
For additional reading and listening, see
Matt’s blog post and podcast
Tom’s blog posts
We are back with more leadership lessons from Oscar-winning Best Picture movies, and today’s offering is the 1981 film Chariots of Fire. It relates the based-on-fact story of two athletes in the 1924 Olympics: Eric Liddell, a devout Scottish Christian who runs for the glory of God, and Harold Abrahams, an English Jew who runs to overcome prejudice. The film was directed by Hugh Hudson. It was nominated for seven Academy Awards and won four, including Best Picture and Best Original Screenplay. The film is also notable for its memorable electronic theme tune by Vangelis, who won the Academy Award for Best Original Score. Its principal stars were Ben Cross and Ian Charleson as Abrahams and Liddell, alongside Ian Holm as Sam Mussabini, Abrahams’ coach. We will consider leadership lessons from these three characters.
In this episode I visit with Carlos Ayres, partner at Maeda, Ayres and Sarubbi in Sao Paulo. We discuss the past year in anti-corruption enforcement in Brazil and where it may lead in 2018. Carlos discusses the continued fallout from the Odebrecht corruption scandal across Latin America, with new anti-corruption laws being implemented in Argentina, Peru and Chile. We also discuss what US and UK companies need to do to protect themselves if they are doing business in those countries.
For more on Carlos Ayres and his firm Maeda, Ayres and Sarubbi, check out their website by clicking here.
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week.
In this episode, Matt Kelly and I take a deep dive into the events which led to the resignation of Steve Wynn as the CEO and Chairman of Wynn Casinos for sexual harassment and misconduct. We consider how quickly the scandal escalated after it was initially reported by the Wall Street Journal, and the response (or lack thereof) by the Board of Directors to Wynn’s conduct, which had been an open secret for almost 20 years. We review what structural inputs a company should have in place when it has a truly charismatic leader. We consider the role of the Board of Directors in light of the recent Wells Fargo penalty levied by the Federal Reserve to limit growth and require the Wells Fargo Board to refocus its efforts on more robust corporate risk management.
For more on the Wynn scandal and corporate governance, see Matt’s blog post So Much Wynning You Can’t Stand It
For more on the Federal Reserve’s penalty on Wells Fargo and the Board of Directors’ need for a compliance professional on the Board, see Tom’s blog post, Wells Fargo, Put a Compliance Professional on Your Board
In this episode I visit with Dr. Marsha Ershaghi Hames, Managing Director, Strategy Development at LRN. We discuss the ongoing national conversation about sexual harassment, from Weinstein to #METOO. How has this awareness of sexual harassment changed the corporate conversation? Dr. Ershaghi Hames has written the article The Value in Having a Difficult Conversation. We explore why she wrote this and why now is the time to have that conversation. What is the role of senior management in that conversation? What is the role of compliance? How should supervisors, managers and co-workers be trained to report harassment they might observe happening to others, or that others report to them?
In this episode, Jay Rosen and I take a look at some of the top compliance stories over the past week, including: