Anticipating and Planning for the Next Big Compliance Issue: Results of the Society of Corporate Compliance and Ethics 2009 Interactive Workshop Series

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States, +1 952 933 4977 or 888 277 4977, www.corporatecompliance.org


Results of the SCCE 2009 Interactive Workshop Series

Introduction

Over the last few years the compliance community has had to adjust to successive waves of changes in priorities as “new” compliance issues are identified. After sitting for several years on the books but unenforced, the Foreign Corrupt Practices Act (FCPA), seemingly out of nowhere, became a top enforcement priority. Backdating of stock options, which had grown to be a standard within Silicon Valley, didn’t pass the smell test and had to be quickly abandoned, with the hope that no legal lines had been crossed. CEO pay and even sales retreats have come under scrutiny, and most recently, antitrust and insider trading have suddenly grown to be focus areas for the government.

With each new issue that arises, compliance teams are forced to scramble to put in place programs to manage this new, suddenly hot risk area. Training must be developed, broad communication plans are put in place, systems are examined, controls are implemented and tested. Yet each of these responses is reactive, which means there is a gap between the controls in place and the risks that exist.

To help change the dynamic, the Society of Corporate Compliance and Ethics conducted a series of interactive workshops in 2009 to:

1. Identify what the next big issue is likely to be, and
2. Determine how to appropriately respond to the issue when it arises.


These workshops took place in Los Angeles, New York, Minneapolis and Denver, and three separate workshops were conducted during the Compliance and Ethics Institute in Las Vegas.

There was a third, and perhaps more important purpose for these sessions: to find the common elements of the solutions developed in order to create a framework that compliance professionals could use to meet virtually any new challenge. Put another way, the goal was to answer the question: how can I be prepared no matter what new risk comes my way?

Methodology

Each workshop was broken into teams of eight people or less. The teams were then charged with brainstorming new potential issues that may arise to challenge the compliance community. The teams then reported their list of potential issues out to the group as a whole.

The ideas were collected, and then each person was given three votes to assign to the issue or issues that they thought were most likely to pose substantial compliance risks. Individuals could vote for three different issues, give three votes to one issue or otherwise divide their votes.

After the voting was completed, each team was assigned one issue. They were then charged with determining what would be needed to manage the compliance risk identified.

Their recommendations were then reported out to the workshop as a whole.


Issues

The workshops identified a wide range of potential issues—see Appendix I for full list—ranging from new regulations to those relating to the social compact.

The following issues were selected by teams in various cities as the most important issues to be addressed:

• Technology crash
• Privacy Compliance/security of personal information
• Green Revolution
• Government activities on the fly
• Web 2.0 & Social media
• Disparity between executives and the rest of the workforce
• Strengthening the social contract
• Data breach
• Outsourcing risk to less-regulated markets
• Disasters and pandemics
• Stakeholder involvement and oversight

It should be noted that some of these were identified and selected in several cities, especially social media and data-related issues.

There was tremendous anxiety over how to handle the fast-changing world of LinkedIn, Facebook and Twitter. Companies have not yet developed policies in this area, as our 2009 survey on the issue showed. The risks are not fully understood and controls are weak to nonexistent.


By contrast, data protection and privacy, which is by no means a new topic, is one that participants feel will continue to evolve in new and unexpected ways.

Managing the Issues

Each team, as noted above, was charged with planning how to manage one of the issues. To help them in this effort they were given a sheet of paper with questions to answer:

• What aspect of this issue is likely to cause the greatest trouble for organizations?
• What kind of changes in policies are needed by organizations?
• What would you need to do to change behaviors?
• What additional resources (physical and human) would you need?
• What kind of controls would be needed?
• How would you audit these controls?

Each team answered as many of the questions as possible in the time allowed.

Findings

Appendix II contains the notes made by team members for the issues that they were assigned. Not surprisingly, different issues tended to call for unique approaches. Yet, the variations were far less significant than might be imagined. Instead, what was most striking were the commonalities in approach to solving new compliance issues.

These commonalities were:

• Focus on communications in its many forms. For virtually every problem, at least one communication element was identified as central to developing a risk management effort. Because helping employees to understand what the company’s expectations are was identified as critical, training was repeatedly cited as being an essential part of the solution.

• Understand your IT resources, including their strengths and weaknesses. Whether looking at social media, data privacy or recovering from a natural disaster, IT was cited repeatedly as a critical resource that is often not well-understood by the compliance team.

• Plan on reexamining company incentives. Incentives exist to encourage employees to behave in ways which the company desires. When a dramatic change occurs it is essential to revisit the company’s incentives structure and ensure it meets the needs of changing times.

• Review what you do in house or rely on third parties for. As new situations evolve, needs change. It is critical that outsourcing requirements are reviewed at times of transition to ensure that resources are aligned properly. In addition, it may be valuable to proactively examine the in-house/outsourced equation to determine if it will likely provide the company with the flexibility it needs as new issues arise.


• Plan on working with others. HR, Internal Audit and peers at other companies will likely be essential when new issues arise. A go-it-alone approach is not likely to be successful and may be counterproductive. As a result, it is essential to build relationships before a new crisis emerges.

Conclusion

It is clear that the compliance profession will be marked by change over the years to come. Predictable changes such as shifts in priorities by the Department of Justice will continue to argue for new approaches, sometimes dramatically so.

In addition, new risk areas will continue to emerge. Privacy, and how we define it, a new generation of workers, and the rise of social media are already causing unpredictable changes to how risk is managed.

Yet, the consistency of the approaches to managing hypothetical new risks suggests that compliance professionals do not need to wait for a new issue to arrive to begin preparing for it. Identifying key resources for communication, IT, and compensation structures can begin long before a game-changing compliance issue arises. Likewise, compliance professionals can begin building out their network within the organizations in which they work—and with outside compliance professionals—so a support network of resources is in place well before those resources need to be leveraged to stem a crisis.


Appendix I

Potential Issues Identified

• Third party security in foreign countries
• Privacy and personal information—what’s on Facebook
• Gifts and conflicts of interest
• Technology crash
• US becomes a follower rather than leader
• Disclosure burden on products
• Offshore taxation
• Global enforcement
• Independent contractors
• Green regulation
• Board oversight
• Genetic engineering/artificial intelligence
• Government information requests
• Non-traditional stakeholders
• Web 2.0 & Social Media
• IP Abuse
• Products provided to Third World that don’t meet US standards
• Stock buybacks
• Data collected by companies that subsequently go out of business.
• Employee privacy and data breaches
• Globalization: training, policies and gifts & entertainment


• Economic crises leading to more government activity “on the fly”
• Regulatory agencies becoming enforcers
• Generation Y and their ideas of confidentiality
• Working with aging baby boomers
• Carbon emissions
• Effectiveness of the board structure
• Double standards: executives vs. rank and file
• Innovation outstripping regulation
• Collapse of faith in regulations and regulators
• Changes in generations: values shift
• Outsourcing risk to less regulated markets
• Erosion of faith in government
• Identity theft
• Privacy
• Collapsed time from incident to news
• Change in employee-employer relationship
• Use of Social Security numbers as identification
• Cutting corners on quality
• More tariff-based regulations
• Disasters & Pandemics
• Unintended consequences of new laws
• Information Management
• Knowledge transfer/succession across workforce as baby boomers retire
• Retired in place


• Social networking
• Time/location flexibility
• Stakeholder involvement
• Single player
• Corporate espionage
• Offsite data storage
• Technology implemented without testing
• Data breach
• Commercial bribery
• Multinational vetting of own operations
• IT Security
• Soliciting vendors for charitable gifts
• Investigation abuses
• Negligent supervision
• Breakdown of social contract between workers and the company: I’ll be gone, you’ll be gone


Appendix II

Solutions to Individual Compliance Issues

Notes from Team Write Ups

After being assigned a potential issue to solve, each group was given a form outlining areas of consideration. Below are the notes taken by the designated note taker on each team.

Please be aware that some issues were identified several times and, as a result, there may be more than one set of notes for a given issue.

Briefly State the Issue You Are Solving

Privacy: understanding the data privacy risks for an organization.

How Would You Solve This?

Controls

What aspect of this issue is likely to cause the greatest trouble for organizations?

Transparency: Where is the data being stored once collected?

What kind of changes in policies are needed by organizations?

Data collected, define storage, access to data, retention of data.

What would you need to do to change behaviors?

Know the data owner and collector, and who can request access to the data. Then training.

What additional resources (physical and human) would you need?

Training, resources to manage people, systems, document retention software, report writer—audit.


What kind of controls would be needed?

Audit of processes: collection and identify system

Controller does audits

How you would audit those controls?

Controller leads audits

Briefly State the Issue You Are Solving

Technology crash

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Daily operations come to a halt.

What kind of changes in policies are needed by organizations?

Backup plan

Systems security—instructions to keep hackers out.

Have resources on hand.

Identify alternative platform and contractor before crash hits

Communication plan—all stakeholders

What would you need to do to change behaviors?

Security policies

Educate staff on need for patches, etc.

Getting management buy in to spend preventive resources.

What additional resources (physical and human) would you need?

Security systems, educated staff, qualified contractor in place.

Have a philosophy on how resources spent—first do no harm


What kind of controls would be needed?

Annual health check and risk assessment.

Have contractor help design.

How you would audit those controls?

See above—have IT security staffer monitor, “ethical hack” on a periodic basis to stress-test the IT system.

Briefly State the Issue You Are Solving

Technology crash

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Data information, consumer confidence, re-creating data, business interruption, couldn’t give government what it needs.

What kind of changes in policies are needed by organizations?

Back up policies

Crisis management policies

Record retention policies

What would you need to do to change behaviors?

Quantify impact

What additional resources (physical and human) would you need?

IT

Back up data center

Third party


What kind of controls would be needed?

Auditing

Testing

Crisis Management

How you would audit those controls?

Testing

Briefly State the Issue You Are Solving

Privacy compliance/security of personal information

How Would You Solve This?

Technology/information security

What aspect of this issue is likely to cause the greatest trouble for organizations?

Aspects involving human error

Technology: rapidly changing, and can’t keep up

Obsolescence of technology: control investment

Cost of compliance

What kind of changes in policies are needed by organizations?

Privacy: employee website and third party vendors

Data security

Special consideration: health, financial, children’s

What would you need to do to change behaviors?

Raise awareness of reputational risk, fines, penalties, criminal prosecution, PR and government investigation


What additional resources (physical and human) would you need?

Technology: software, encryption, information management, record retention

What kind of controls would be needed?

System capability to detect

Ongoing due diligence

How you would audit those controls?

Spot audit

Hack/mock hack—physical and electronic

Technology, password protection cracker

Briefly State the Issue You Are Solving

Privacy and personal information

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Lawsuits for breaches in privacy.

What kind of changes in policies are needed by organizations?

Information security policy

Encryption

Internal controls


What would you need to do to change behaviors?

Education

Mandatory disclosure of breaches

Enforcement, sanctions

Incentives for greater protection

What additional resources (physical and human) would you need?

IT

HR

Compliance

What kind of controls would be needed?

Risk assessments

Intrusion detection

Lock-down removable media

Physical access security

How you would audit those controls?

System tests

IT Audits

Compliance testing


Briefly State the Issue You Are Solving

The Green Revolution

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Establishing the standard. Identifying criteria to meet the standard. Developing consistent standards.

The cost and realizing it will be different in each area.

What kind of changes in policies are needed by organizations?

Changes in procurement policy

Buying/selling energy credits

Changing the way you do business

Willingness to commit resources

Cost/benefit

What would you need to do to change behaviors?

Give people incentives

What additional resources (physical and human) would you need?

More money

Third party resources

What kind of controls would be needed?

Monitoring

Training

How you would audit those controls?

Hire environmental engineers to review and assess


Briefly State the Issue You Are Solving

The Green Revolution

How Would You Solve This?

1. Panel: what can your business do to help?

2. Incentives: tax/economic credit, curb emissions

3. Marketing benefits: Baldrige type award

4. What does it mean to be green, no standard like Sentencing Guidelines

5. Behavior/education: make it palatable

Briefly State the Issue You Are Solving

Government issues regulations on the fly

How Would You Solve This?

Values based rather than compliance based

What aspect of this issue is likely to cause the greatest trouble for organizations?

Corporate buy in

Staying on top of issues

Training: policy development, implementation

Downstream to employees, vendors, monitoring

Self reporting—putting spotlight

What kind of changes in policies are needed by organizations?

Values based incentives and discipline: violate value rather than policy #3.

Proactive approach rather than reactive

Systematic approach, tracking.


What would you need to do to change behaviors?

Values based rather than compliance

What additional resources (physical and human) would you need?

Internal resources: make team experts in their area

Trade associations: use as resources—join, become involved

Outside experts: ad hoc basis—in certain areas

Redeployment of internal experts

What kind of controls would be needed?

How you would audit those controls?

Briefly State the Issue You Are Solving

Web 2.0

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

IP, insider info leakage

“Mob” potential—beat up on an employee

Unintentional infringement on privacy

What kind of changes in policies are needed by organizations?

Treatment under likely already existing policy but special recognition of it.

What would you need to do to change behaviors?

Communicate


What additional resources (physical and human) would you need?

What kind of controls would be needed?

How you would audit those controls?

Briefly State the Issue You Are Solving

Stakeholder involvement/oversight

How Would You Solve This?

Education

What aspect of this issue is likely to cause the greatest trouble for organizations?

Loss of control

What kind of changes in policies are needed by organizations?

More marketing, disclosure internally/externally (consistent)

What would you need to do to change behaviors?

Education internally and external controls

What additional resources (physical and human) would you need?

Benchmarking/surveying, investor relations team. Corporate compliance

What kind of controls would be needed?

Internal (legal), testing, public disclosures

How you would audit those controls?

Periodically testing, use internal auditing through corporate compliance.


Briefly State the Issue You Are Solving

Social network

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Corporate privacy—where does it start and end

Reputation/Branding

Work quality and production

What kind of changes in policies are needed by organizations?

No access at work/limit access

A protocol of what is good and bad activities on social sites

What would you need to do to change behaviors?

Change in policy—a social network policy

Code of conduct

Communications/education and training

What additional resources (physical and human) would you need?

People to police social networks

Training of why this is good

What are the risks and rewards

What kind of controls would be needed?

Publish results of findings of bad activities

Let them see sites but not upload


How you would audit those controls?

Police and respond/posting

IT tracking of key strokes and websites

Enforcement committee with [unclear] and managers

Briefly State the Issue You Are Solving

Pandemic and natural disasters as well as act of terrorism

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Unknown magnitude, planning for unknown, failure to connect with emergency management resources, communicating to employees, financial resources, mobilizing people, contingency plans

What kind of changes in policies are needed by organizations?

Continuous review and update emergency plans and contacts

What would you need to do to change behaviors?

Communicate

Contingency plans for contingency plans

What additional resources (physical and human) would you need?

Contracts, logistic support

What kind of controls would be needed?

Train, train, train—drills—education

Mobilization to unaffected resources

How you would audit those controls?


Briefly State the Issue You Are Solving

Outsourcing risk to less-regulated markets

How Would You Solve This?

Perform risk analysis

Set threshold for what we can and cannot outsource

What aspect of this issue is likely to cause the greatest trouble for organizations?

Criteria for what can & cannot be outsourced

What kind of changes in policies are needed by organizations?

Think through an outsourced scenario beyond profitability/revenue targets

Making sure profitability evaluations include risk assessment

What would you need to do to change behaviors?

Discipline

What additional resources (physical and human) would you need?

What kind of controls would be needed?

How you would audit those controls?


Briefly State the Issue You Are Solving

Breach of Privacy

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Technology

Human behavior (losing computers, seeking info they should have)

What kind of changes in policies are needed by organizations?

What would you need to do to change behaviors?

Enhance training and communications

What additional resources (physical and human) would you need?

What kind of controls would be needed?

Stronger IT oversight

How you would audit those controls?


Briefly State the Issue You Are Solving

Social networking

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Disclosure of proprietary or damaging information

What kind of changes in policies are needed by organizations?

Updating confidentiality policy to include social networking

Include in risk assessment process

What would you need to do to change behaviors?

What additional resources (physical and human) would you need?

What kind of controls would be needed?

How you would audit those controls?

Briefly State the Issue You Are Solving

Data breach

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Reputational risk

Trade secret

Being source of information that leads to identity theft


What kind of changes in policies are needed by organizations?

Type of info stored and collected

Location of Info

Access

Retention policies

Centralized decision making and control

What would you need to do to change behaviors?

Educate

Discipline

Tie into compensation

Incentivize reporting and remediation

What additional resources (physical and human) would you need?

Upgrades of systems

Security analyst

What kind of controls would be needed?

Access controls and monitoring

Implementing policies above

Access cards

Access logs

How you would audit those controls?

Ethical hackers/vulnerability audits

Counting number of breaches


Briefly State the Issue You Are Solving

Social media

How Would You Solve This?

Data loss prevention tools—monitors

[illegible] data, emails & increases monitoring

Policies

Values based

What aspect of this issue is likely to cause the greatest trouble for organizations?

Harm to brand

Insider trading

Lawsuits

What kind of changes in policies are needed by organizations?

Waiver if you refer to company xyz

Monitor website usage

What would you need to do to change behaviors?

Awareness; training

Pop up policies with certain searches

Lead by example

What additional resources (physical and human) would you need?

Monitoring tools very expensive

Buy in

What kind of controls would be needed?

How you would audit those controls?


Briefly State the Issue You Are Solving

Strengthening the social contract. Develop behaviors that contribute to the long-term success of the company.

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

High turnover. Loss of knowledge transfer.

What kind of changes in policies are needed by organizations?

Implement long-term incentives

Recognize that different incentives work for different people

What would you need to do to change behaviors?

Study loyalty, relationships

Case studies—ex: Sealy mattress

What additional resources (physical and human) would you need?

Esprit de corps efforts. Money. Creativity.

Communication, change management.

Engender trust by developing sound processes with effective controls. People need to be able to trust the system.

What kind of controls would be needed?

Transparent controls

How you would audit those controls?

Carefully and often.

Independently


Briefly State the Issue You Are Solving

Disparity between executives and the rest of the workforce, especially in tough economic times.

How Would You Solve This?

What aspect of this issue is likely to cause the greatest trouble for organizations?

Increased potential for misconduct/theft, physical violence, fraud

What kind of changes in policies are needed by organizations?

Policies alone will not solve these issues.

Walking the walk

Lead by example: deferring bonuses, other perks

What would you need to do to change behaviors?

More communication.

Awareness of employee perceptions

Employee assessments

Lead by example

Board engaged—rubber stamp

What additional resources (physical and human) would you need?

More innovative use of existing tools

What kind of controls would be needed?

More transparency

Improved communication

How you would audit those controls?