• How To Survive A Corporate Social Media Disaster
    Sep 7 2021
    It's just a typical day as CCO. You're sitting at your desk having lunch and checking your email and social media. You notice that your company name is trending on Twitter, and you think it strange that there aren't any new company announcements or products launching. You go to Twitter and realize that you are trending for all the wrong reasons – someone on your corporate social media team has made a big mistake.  How do you survive a corporate social media disaster?  Key points discussed in the episode: ✔️ The first step is talking the CEO off a ledge. While social media disasters are…disasters… they are also fleeting. Unless we made the world's biggest social media mistake, we are likely to be replaced in the news cycle with someone else making a similar mistake in days, not weeks. ✔️ Connect with the Comms and Marketing team - whichever runs our social media. Work to determine next steps like removing the post or print retraction or apology, mea culpa etc. ✔️ Once the urgency subsides, it is time for a root cause analysis – what happened (or didn't happen) that allowed this situation?  ✔️ Do we have a social media policy? Is that policy written to apply to the departments using social media on behalf of the organization, or does it only apply to employees who may use social media personally? ✔️ As CCO, ensure that the policy speaks to the right audience and use concrete examples of what is okay and what isn't. Your efforts all go out the window if the organization isn't training how to make the choices people need to make and do the things they need to do. ✔️ Part of the training should include who to call for help. The social media comms/marketing team should have proactively reached out for help or advice.  ✔️ Social media is entertaining, but it needs to be taken seriously, particularly at a corporate level. As the adage goes, an ounce of prevention is worth a pound of cure— so must your goal be in keeping social media disasters at bay for your company. Teach your organization your expectations of how social media interaction should work and what their responsibilities are.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, this is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    24 mins
  • Gifts, Travel, and Entertainment
    Aug 31 2021
    The FCPA world is littered with enforcement actions against companies for the most basic compliance failures – those around gifts, travel, and entertainment (GTE). Many compliance professionals struggle with issues from GTE: Violations can arise out of anything, from discrepancies between outbound and inbound reporting to simply relying too heavily on the manual process of maintaining spreadsheets. As your company is considering RTW sometime in fall 2021, you know you will need to remind everyone about why GTE is so critical to compliance. How do you add in an analysis of more efficient business travel, time use, and even whether you need to travel for meetings? Key points discussed in the episode: ✔️The Gifts, Travel, and Entertainment (GTE) Policy is foundational to a company's values. GTE touches so many other pieces in a compliance program – COI, anti-corruption, anti-fraud, government contracting, donations/corporate giving, marketing in the healthcare space, etc. Small numbers are essential, and telling the truth about GTE reimbursement is critical to an ethical culture.    ✔️Each company has different GTE rules in place – first, you have to take stock of what rules apply to your company and your sales force.  ✔️ Look at who you do business with? If your customers are all state governments, that makes it easy – no gifts or entertainment, ever—however, companies operating in several markets may have varying customers. Be aware of what your customers can and cannot accept re: GTE. ✔️ In your organization, build a policy that speaks to your specific obligations. Make it clear that every single gift or entertainment expense must be documented and submitted, and nothing is off-books.  ✔️ Include as many examples as possible in your policy – call out specific things that are not allowed (aka DO NOT GIVE ANYONE A FERRARI OR A HOUSE IN THE HAMPTONS…OR A CONGRESSIONAL SEAT).  ✔️ Make things much more concrete and give people an idea of what's appropriate and not appropriate. It is essential to call out cash and cash equivalents to explain better why It is NEVER okay to give cash or equivalents as GTE.  ✔️ Train the heck out of the policy – both the broad workforce and the finance team that will be reviewing the invoices and the sales team that will be incurring the expenses. Walk them through expectations and what to watch out for as red flags. ✔️ Use checklists – give the team reviewing invoices a list of what to look for (good and bad) and have them do it (formally or informally) for each invoice.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    28 mins
  • Creating and Maintaining a Speak Up Culture
    Aug 24 2021
    Companies with more internal reports and complaints benefit from lesser problems occurring inside. In his paper, Dr. Kyle Welch shared that overall litigation settlements of non-material matters dropped almost 20% over three years as well. It is, therefore, made clear that speak up culture is not simply about compliance and violations but building up the trust that it is safe to raise your hand and express concerns and give feedback. Key points discussed in the episode: ✔️ Speak up culture is built on trust. Employees must trust that when they report wrongdoing, or potential misconduct, that those reports will be investigated and, if needed, actions will be taken. Without this trust, speak up culture is a pipe dream.  ✔️ There is a disconnect between the employees on the front line and the senior management in most organizations; therefore, trust is part of the psychological safety that we all must work to create. Whistleblower policies and generic communications about hotlines are not good enough.  ✔️ The middle managers are going to be the most influential culture builders in your organization. Create a model of engagement with middle managers – and engage with them. Hold town hall sessions, encourage transparency, and listen regularly. Remember, the flow of information and cadence is important.  ✔️ Include as many ways as possible for people to reach out and speak up – formally and informally. Hotlines tend to be a "last resort," and employees use them when they've exhausted other options. Let's create opportunities to have concerns addressed faster and possibly less formally.  ✔️ Be proactive – ask for feedback, concerns, and complaints. Open the lines of communication, so when there is something to report, it is already second nature for employees to report it. ✔️ Take concerns seriously and have a high say-do ratio. The basis for speak up culture is that we want employees to raise concerns. That means when they raise those concerns, we must do our part and act on them. Employees need to see things change as a result of their speaking up.  ✔️ Make sure you have a clear anti-retaliation policy and that employees reporting concerns in good faith are not retaliated against.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    17 mins
  • How to Perform A Root Cause Analysis
    Aug 10 2021
    Scenario: After an ongoing investigation closes on a typical day in a CCO's life, you wonder if there is anything else to do. After reading Tom Fox's The Compliance Handbook - 2nd Edition, you learn that a root cause analysis is now one of the hallmarks of an effective compliance program. What steps do you take, and how do you perform a root cause analysis (RCA)? Key points discussed in the episode: ✔️ Investigations are often the trigger for a root cause analysis, but they're not the same thing. In an investigation, you're trying to prove or disprove an allegation. If you uncover wrongdoing, it is crucial to continue to seek the root of the problem.  ✔️ Root cause analysis lets us figure out and find the source of the problem instead of only looking at the symptoms. Think of it like going to the doctor if you're sick. You tell the doctor all of your symptoms, they ask questions and run tests and then, hopefully, find the source of why you're sick, and then attack that. The same principle applies to compliance.  ✔️ When looking at the root cause, look for circumstances that contribute to the compliance issue – and ask these questions!  What led to this issue? What conditions allowed this to happen? What needs to happen to keep this from happening again?  ✔️ Find the problem and fix the problem. Remediate and document your changes per the DOJ Guidance.  We're constantly growing and building our compliance programs, but addressing the root cause includes developing a measure of success – how will we know if the remediations we put into place worked? How will we measure progress? Use the results of your RCA to remediate any issues you've found. Carry the RCA findings forward in any related risk assessments – monitor that your remediations are working/and adjust if they aren't  Update programs and processes to reflect the remediations – and don't forget to TRAIN on anything new (including the context for the changes – tell employees WHY they should care, not that they should "just care." Once fully remediated (if possible), document the remediation and how that connects to improved processes moving forward.  ✔️ Root cause analysis is fundamental. Since we know the DOJ wants compliance programs to be proactive instead of reactive, root cause analysis is one of the ways we can do that. If we know people are doing things they shouldn't do – we need to know why? Is it a problem with our hiring? A lack of controls? Not enough training? Or do we have a culture issue? We need to look under the proverbial rug to find out why things are happening, not just how they happened.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    21 mins
  • How to Survive a GDPR Data Breach in the USA
    Aug 3 2021
    Eventually, every company will deal with cybersecurity issues that include hacking that exploits security controls and technical, physical, or human-based elements. Such an emergency requires a robust internal incident response plan as soon as possible.  Compliance leader, attorney, and international public speaker Kortney Nordrum reminds you of these crucial situations; "You want to have a plan before you have to use a plan." Key points discussed in the episode: ✔️ Make sure there's an incident or a crisis plan and that you have a set you're going to call, who's going to get on the phone, and who will make decisions. These should be documented so that there's no time for guesswork when things are urgent. ✔️ Ensuring a solid system for awareness should start at the level of the customer service representative and the email help desk teams to preempt data breach issues. Have the right people be able to ring the right alarm bells early in your organization. ✔️ Evaluate the extent of the information security hack or breach on top of all other risk and regulatory assessments.  ✔️ Determine which are the impacted customers and employees and analyze the individual countries of residence. Figure out where reporting should happen as prescribed in the General Data Protection Regulation (GDPR) of the European Union. ✔️ Set up a toll-free number for questions and work with the core team on public notices or any public response. When we see organizations getting hacked, you'll see it on a blog before that organization says anything publicly. Make sure to direct the message rather than have gossip around what happened.  ✔️ Engage a forensic firm if needed if in-house knowledge is not enough to assess what happened, how the breach occurred, and set the steps necessary to prevent it from happening again.  ✔️ It is best for compliance professionals to remember what the adage says: "an ounce of prevention is worth a pound of cure." Getting ready for a hacking incident requires early planning on initiating incident response measures tested at least yearly and reducing or preventing adverse impacts should they happen. ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    22 mins
  • The Compliance Budget Process
    Jul 20 2021
    How Do You Prepare An Annual Compliance Budget? (And Ask For More Money) Budgeting is one of the most important functions in any corporate discipline. Thought leaders do not often talk about this one in conferences and literature. Yet, it's something that every compliance officer, every CCO, has to do and everyone down the compliance chain. Whether it's a special project such as a Code of Conduct makeover, major tech upgrade or bringing in an external party to do a comprehensive risk assessment — explore the compliance budgeting process and learn how to plan for such expenses and understand the documentations needed to prepare.  Key points discussed in the episode: ✔️ Determine what your function is responsible for, as it varies at every organization. Identify what resides in your budget and what lives somewhere else?  ✔️ Review the guidance. The DOJ's most recent Evaluation of Corporate Compliance Programs guidance makes it clear that they expect compliance programs to be "adequately resourced and empowered to function effectively." That means you should budget for enough: People to run your program Tools to operate and maintain your program Resources to make continuous improvements  ✔️ Risk assess the program itself – what are the biggest needs? Where do we need more resources? Are we over-resourced in any areas?  Have internal operations changed?  Have laws or regs changed – or enforcement ramped up? Are there any new risks that we've never had before? ✔️Do we have any compliance "messes" or issues that need to be addressed or cleaned up? If so, what will those cost? ✔️ What special projects or improvements are we planning? What do we need to make those projects/improvements successful? ✔️ Benchmarking – look at surveys, talk to other compliance professionals ✔️ Build allies. Talk to anyone who may be able to support or influence your budget. Take the opportunity to explain why you need what you're asking for and why/how it will help the organization.  ✔️ There aren't any hard and fast rules about budgeting for compliance departments. If you're under-resourced, it is your job to make enough noise that the C-suite and the board realize what risks underfunding compliance brings to the organization. If nothing else works, use the big guns – worst-case scenarios and how much they could cost.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    28 mins
  • How Do You Solve A Problem Like Elon Musk
    Jul 13 2021
    How do you deal with having a leader who runs a public corporation?  Scenario: So you have a superstar CEO who is hyper-intelligent, dynamic, disruptive, and indeed uber-famous, and that person can bend the wind to his will, or so he thinks. Unfortunately, he also thinks rules and regulations like the SEC, disclosure, and financial statements are only for mere mortals, of which he is not one. He routinely makes questionable statements that drive his share price up and down. He also threatens employees with termination on the spot for those who don't meet his rigorous work standards, even though the company has a written due process policy that H.R. has implemented.   As a compliance professional, how can you create a structure and work with a CEO who has an over-the-top personality and protect the company and work with that going forward? How do you utilize your Board of Directors? And other than perhaps giving your resignation or not taking the job to start with, — where might you start?  Key takeaways in the episode: ✔️ Why some great founders of disruptive companies struggle to transition into becoming mature corporate leaders. We run through several scenarios of a cult of personality with CEOs that started long before the technology boom and how leaders sometimes have destructive impulses that hurt their corporation? ✔️ Visionaries need practical people who know the rules, controls, and laws to run a company successfully. Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, states that a company will crumble without both. As compliance professionals, it is our job to rein it when all creative people don't necessarily understand the rules they have to live by. ✔️ The Board of Directors' job is to protect the company. If the CEO is a liability or presents insurmountable risks, that will ultimately fall on the board's shoulders. Leverage your independent directors because, at the end of the day, the Board is the boss of the CEO.   ✔️ Assess who is under the spell of the CEO? Is it internal, or is it external? If people are so bought into the person that they agree to whatever he says, it's an internal culture issue. Ensure that some people are keeping perspective and monitoring controls are being enforced.  ✔️ Why startups should institute internal controls early. As soon as you start employing people and go through hiring and payroll processes, that's when you have to start caring about compliance and ensuring you have internal control structures to support what you're building.  ✔️ Culture trumps everything. Whether you're working for a very charismatic disruptor CEO or a conservative CEO, the company's culture should be one of compliance. If it's not, then as a compliance professional, it's your job to try to establish that. ✔️Even if you work for a disruptive leader, a high-flying, uber technologically savvy person, if they still respect you and your work, that's key in leadership. In business, there are many negotiables, but it is imperative not to lose sight of being a decent human being and respecting others — that's the one non-negotiable.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    22 mins
  • Conflict of Interest
    Jun 29 2021
    Scenario: It's Friday, July 3, and the General Counsel is on holiday. At 4 PM, you get a call from someone who tells you he has a deal with the CEO to be put on the Board of Directors. He further says he's held up his end of the agreement to loan the CEO $5MM for a Board seat. He says he has the email traffic and will file a suit unless he is named to the Board within three days. He says the GC has approved this deal and is on the email trail.  What can you do? You review the code of conduct and believe it's a Conflict of Interest (COI). There are four new Board members. Did they have similar arrangements?  In this episode, Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation, thresh out what to do if you are in a similar scenario and assess the best approach and manage corruption within your organization. Key takeaways in the episode: ✔️ Make your first call with outside counsel. If members of the BOD are suspect, you wouldn't want to tip them off by calling the Audit Committee chair – especially if that individual may be part of the problem.  ✔️ Push to have outside counsel perform the special investigation instead of the BOD. That way, the results are above reproach.  ✔️ Board membership should be vetted by counsel, especially when it comes to COI. ✔️ Reiterate that disclosing a conflict of interest is required, but that doesn't mean that the conflict will cause a problem. Conflicts have to be managed. Some of them will result in the Board, the CEO, executive leadership, or members of the workforce not being able to take the actions they want to take.  ✔️ Use COI incidents as an opportunity to retrain, reeducate and build awareness with the rest of the workforce on conflicts of interest and the code of conduct.   ✔️ Train people in person on conflicts of interest and use real-life examples. COIs can be much broader, and ensure you name those. It can be sending business to a relative, a wife, or a child on the payroll can be a wide variety of things.  ✔️ When you're appointing so much of the Board and looking for people to help run your company, full diligence is really important.  ---------------------------------------------------------------------------- Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.  Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
    Show More Show Less
    25 mins