Compliance &Ethics - Society of Corporate Compliance and Ethics

NewsRegulatory NewsSupreme Court defines SEC’stime limits on civil casesIn a February decision, theSupreme Court rejected theSecurities and ExchangeCommission’s (SEC’s) bid formore time to pursue civilpenalties. In a unanimousdecision, the Court held thatthe SEC is allowed five yearsto file a civil case seeking penalties.That five-year time limitmust begin while the allegedcrime is occurring, not whenit is discovered.In a 2008 case, Gabelli v.SEC, the SEC had sued GabelliFunds and two executives forallowing one of its investors toengage in an improper tradingtactic known as markettiming. The SEC argued that,since its investigation wasn’tlaunched until 2003, the casecould be pursued. However,Gabelli argued that, becausethe alleged violations tookplace from 1999 to 2002, thestatute of limitations waslong past. Chief Justice JohnRoberts wrote that some privateplaintiffs can extend thestatute of limitations throughthe so-called “discovery rule,”but the SEC represents “adifferent kind of plaintiff,”because its purpose is touncover fraudulent activityand “has many legal tools toaid in that pursuit.”Report: Companies expectingmore litigation than everA recent survey of in-houseattorneys suggests that litigationand regulatory scrutinywill increase in the U.S. andU.K. in 2013. Conducted byFulbright & Jaworski, the“9 th Annual Litigation TrendsSurvey Report” representsthe views of 392 in-houseattorneys at public and privatecompanies. A full 92% anticipateeither the same or morelegal disputes in 2013, up from89% in 2012. Pending litigationmost frequently involves contracts(44% in U.S.; 57% in U.K.)labor and employment (44% inU.S.; 31% in U.K.) and personalinjury (27% U.S.; 16 percent,U.K.). Companies with regulatoryproceedings in 2013include 42%, up from 37%the previous year. The reportcan be reviewed by visitinghttp://bit.ly/FulbrightTrends.U.K. watchdog pressesfor auditor rotationThe U.K.’s CompetitionCommission recently proposedthat companies in Britain beforced to change auditors everyfive to seven years and changeaccounting firms every seven to14 years. The move is in responseto UK lawmakers’ view thatcozy relationships between the“Big Four” accounting firmsRead the latest news online · www.corporatecompliance.org/newsand their clients masked weaknessesthat contributed to thecountry’s latest financial crisis.The “Big Four” (i.e., KPMG,PwC, Ernst & Young, andDeloitte) check the books ofnearly all listed companiesin Britain and in many othernations, and they have oftenserved the same clients fordecades. The commission’srecommendations align withchanges being discussed bythe European Parliament’slegal affairs committee.US business seeks moreclarity on foreign bribery lawUS business groups inFebruary renewed their effortsto lobby the U.S. Departmentof Justice to amend the ForeignCorrupt Practices Act (FCPA).Led by the U.S. Chamber ofCommerce, the groups arerequesting that authoritiesgive companies additionaldefenses against criminalcharges. They have called foradditional provisions thatwould allow companies toescape criminal liability forthe misconduct of individualemployees, if they already havestrong safeguards and internalcompliance systems in place. AJustice Department spokesmanresponded that they would“welcome a continuing dialogueon these issues.”Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 7

Join us for SCCE’s 11th AnnualHigher EducationCompliance ConferenceJune 2–5, 2013 | Austin, TexasENJOY TIMELY & USEFUL SESSIONSShooting the Messengers:A Survival Guide for Audit andCompliance in Higher EdUrton Anderson, Professor, McCombsSchool of Business, University of Texasat AustinCharles G. Chaffin, (Retired)System-Wide Compliance Officer &Chief Audit Executive, University ofTexasMichael L. Somich, Executive Directorof Internal Audits, Duke UniversitySheryl Vacca, Senior Vice President/Chief Compliance & Audit Officer,University of CaliforniaPlus a keynote presentation byMichael Josephson, Presidentand Founder, Josephson InstituteFreeh: Implications forHigher EducationAnna Drummond, Chief ComplianceOfficer, Chief Privacy Officer, Universityof VermontRobert Roach, University ComplianceOfficer, New York UniversityLeyda L. Benitez, UniversityCompliance Officer, FloridaInternational UniversityRace to the Top: Issues Relatedto Rankings and External DataMisreporting in Higher EducationWilliam Jennings, Managing Director,Alvarez & Marsal Global Forensic andDispute Services, LLCRichard H. Deane Jr., Partner,Jones DayVIEW THE FULL AGENDA AND REGISTER ATwww.corporatecompliance.org/eventsRegister today and enjoy thefl exibility of two conferencesfor the price of one!Complimentary access to HCCA’s Research Compliance Conferenceis included with your registration to the Higher Education ComplianceConference. The parallel schedule gives you the freedom to attendsessions at either conference: two for the price of one.

SCCE NewsSCCE conference News12 th Annual Compliance & Ethics InstituteOctober 6–9 | Washington DCThe agenda is now available online atwww.complianceethicsinstitute.org.Higher Education Compliance ConferenceJune 2–5 | Austin, TXThis year, you’ll learn best practices and thelatest thinking on:··Shooting the Messengers:A Survival Guide for Auditand Compliance in Higher Ed··The Freeh Report at Penn:Implications for Higher Education··Internal Investigationsin the post-Penn State Era··NCAA Compliance:Surviving a NCAA Infractions Case andIdeas for Improving NCAA Compliance··Global Programs:University Employees Abroad··Ethics in the Age ofOnline Education & MOOCs··FISMA Compliance in Higher EducationWeb ConferencesGet the latest information on current hot topicsfor compliance professionals with instant andup-to‐date education from the convenienceof your own office. New conferences areannounced regularly, and prior sessions areavailable for purchase on CD-ROM. Visitwww.corporatecompliance.org/webconferences for thelatest updates.Basic Compliance AcademiesBasic Compliance Academies are three-and-ahalfday intensive training courses designed forparticipants who have a basic knowledge of complianceconcepts. The Academy covers specificsubject matter in depth and is a great preparationcourse for the CCEP or CCEP-I exam. Thetraining provides you with the 20 CCB CEUsrequired to sit for any of the CCB exams, whichare offered at the conclusion of the event. Visitwww.corporatecompliance.org/Events/AllEvents/Academies.aspxto find dates and locations that fit your schedule.Topics include:··Standards, Policies, and Procedures··Compliance and Ethics ProgramAdministration··Communications, Education, and Training··Monitoring, Auditing, and InternalReporting Systems··Response and Investigation, Disciplineand Incentives··Risk AssessmentRegional ConferencesNetwork locally and get the latest on thekey challenges facing your compliance community.SCCE Regional Conferences providea forum to interact with local complianceprofessionals, share information about yourcompliance successes and challenges, andcreate educational opportunities for complianceprofessionals to strengthen the industry.Visit www.corporatecompliance.org/regionals to seedates and locations.Find the latest conference information online · www.corporatecompliance.org/eventsCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 9

SCCE NewsSCCE website NewsContact Tracey Page at +1 952 405 7936 or email her at tracey.page @ corporatecompliance.org with any questions about SCCE’s website.Online membership renewalTo renew your membership online, first login toyour secure online SCCE account. Next, hoveryour mouse cursor over Membership in the mainnavigation bar and click on Renew Membership fromthe choices listed. Then, you can choose toeither Pay Now or Add to Cart (to print an invoicefor mailing later).Earn CEUs during the summerUse your summer down-time to catch up ongaining CCB continuing education units:··Take past Compliance and Ethics Professionalquizzes. Earn 1.0 non-live CCB CEU perpassed quiz. Quizzes are valid for 12 months.··Purchase and listen to recorded SCCEweb conferences on CD. Earn 1.2 non-liveCCB CEUs per 90-minute conference.··Listen to SCCE’s Compliance and EthicsInstitute audio recording, which is availablefor purchase on the SCCE website—a greatway to earn non-live CCB CEUs.··Take and pass quizzes from SCCE productssuch as Compliance 101 (2.0 non-live CCB CEUs)or The Complete Compliance Professional’sManual (10.0 non-live CCB CEUs).Save time with breadcrumb trail navigationEasily get back to subsections of the SCCE websiteusing the “breadcrumb trail” bar beneaththe main navigation bar. (Think Hansel andGretel, where Hansel leaves a trail of breadcrumbsto follow so they can find their wayback home—that’s similar to how an onlinebreadcrumb trail functions.)Clicking the Back button in your web browsertakes you backwards through each and everypage you’ve visited; but using the breadcrumbtrail allows you to jump directly to main subsectionsof the website, which can save time.In the example here, to view the 2012 Utilities& Energy conference handouts—after viewing the2013 handouts—simply click on Utilities & Energy to godirectly to the Utilities & Energy Conference Handouts page,then click on the link to the handouts from 2012.Compliance & Ethics Professional May/June 2013Upcoming SCCE Web Conferences5/155/23• Computer Forensics 101: Proactive ComplianceMichael McCartney• Data Governance and Electronic Discovery:Trends, Case Law, and Leading PracticesJohnny Leelearn more and register atwww.corporatecompliance.org/webconferencesFind the latest SCCE website updates online · www.corporatecompliance.org10 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

SCCE NewsNewsContact Eric Newman at +1 952 405 7938 or email him at eric.newman @ corporatecompliance.org with any questions about SCCEnet ®or other social media opportunities for compliance professionals.Join SCCEnet, ® the premier social network for compliance and ethicsprofessionals, now with more than 11,000 members! Share your insightand get your questions answered. Participate in 3 easy steps:1. Login with your SCCE username and password atwww.corporatecompliance.org/SCCEnet2. Click My Subscriptions to subscribe to discussion groups3. Click Post to participate in a group by posting a questionReply to these popular discussions··ERC Report on Communications and Ethicshttp://bit.ly/ercreport··“The Shredder Ate My Culture Report:Five Questions the Barclays Board ShouldHave Asked” http://bit.ly/cultureshredder··Leaders have got business relationshipswrong and it shows! http://bit.ly/businesswrong··Compliance, Risk Management and Captiveshttp://bit.ly/crmcaptives··CCEP Exam topics––Library Document http://bit.ly/examtopics––Group Discussion Threadhttp://bit.ly/ccepexamdiscuss··JPMorgan names new compliance chief,shifts reporting lines http://bit.ly/reportinglines··JPMorgan 129 Page Report HighlightsCECO Independence http://bit.ly/jpmind··S&P helped cause financial crisis with faultyratings, Feds allege http://bit.ly/poorstandards··Intranet page revisions http://bit.ly/intranetpages··Gift Policy http://bit.ly/giftpolicies··Fraud and Ethics: Never the twain shall meet!http://bit.ly/ethicsfraud··Mandatory Online Training CompletionMetrics http://bit.ly/trainonlineDownload the new SCCEnet Mobile App todaySign-up for SCCEnet onlineBEFORE downloading the App.1. Login & Accept the terms of use2. Update your profile information(add a picture)3. Subscribe to the DiscussionGroups that interest you(by clicking My Subscriptions)Find the latest SCCEnet updates online · www.corporatecompliance.org/sccenetApple App StoreiPhone/iPadhttp://bit.ly/membercentricappleGoogle Play StoreAndroidhttp://bit.ly/membercentricgoogleCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 11

People on the MoveCompliance & Ethics Professional May/June 2013· Troubled engineering giantSNC-Lavalin has hired aformer Siemens executive toguide the company on ethicsand matters of corporategovernance. SNC-Lavalinannounced that AndreasPohlmann began his dutiesas Chief Compliance Officeron March 1. Pohlmann hasmore than two decades ofexperience in compliance,governance, public andgovernmental affairs, andas corporate counsel in theUnited States and abroad.· The Alacer Group, dedicatedto helping businessleaders accelerate performance,quality, productivityand profitability, announcedin February the expansion ofits Anti-Money Laundering(AML) team to meet the financialsector’s increased needfor services and solutions.Joining the firm are industryveterans Steven Gorsline,most recently the vice president,BSA/AML Complianceat JP Morgan Chase, andNyron Davidson, formerdirector, head of AML andSanctions Compliance forTD Ameritrade Corporation.Together, Gorsline andDavidson bring decades ofdeep financial experience toAlacer and its clients.· American Systems, a leadingprovider of federal ITand engineering solutions,Peopleon theMoveannounced in Februarythe appointment of JoeKopfman as ExecutiveVice President, Contractsand Administration/ChiefCompliance Officer. In thisrole, Kopfman will lead thecompany’s Acquisitionsprogram and the Ethics andMergers program, and continueto oversee all contractand administration functions.· The Board of Directorsof Novopan Industries Ltd.recently appointed PriyaSharma to CompanySecretary and ComplianceOfficer. Novopan is part ofGVK Group, which sellsdecorative wood and particleboard products in India.· Chad N. Boudreauxhas been named to thenewly created position ofChief Compliance Officer atHuntington Ingalls Industries(HII) in Newport News, VA.Boudreaux will report to BruceN. Hawthorne, CorporateVice President, GeneralCounsel and Secretary; andto the Audit Committee of theHII Board of Directors. HIIdesigns, builds, and maintainsnuclear and non-nuclearships for the U.S. Navy andCoast Guard and providesafter-market services for militaryships around the globe.· The Timken Companyrecently announced thepromotion of Michele K.Abraham to the position ofGeneral Manager for Ethicsand Compliance. In this role,Abraham leads the design,implementation, and oversightof the company’s globalethics and compliance program.She joined Timken in2008 as a corporate attorney,after working in both privatepractice and the bankingindustry in legal, auditing,and compliance roles.Received a promotion?Have a new hire inyour department?· If you’ve received a promotion,award, or degree; accepted anew position; or added a newstaff member to your Compliancedepartment, please let usknow. It’s a great way to keepthe Compliance communityup-to-date. Send your updates toliz.hergert @corporatecompliance.org.12 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Help Keep YourCompliance ProgramFully StaffedList Your Job OpeningsOnline with SCCEIt’s hard to have an effective compliance and ethicsprogram when you have openings on your team.Help fill those openings quickly—list your compliancejob opportunities with the Society of CorporateCompliance and Ethics.Benefits include:• Listing is posted for 90 days to maximize exposure• Targeted audience• Your ad is also included in our bi-weekly SCCE JobsNewsletter, which reaches more than 16,000 emailsDon’t leave your compliance positions open any longerthan necessary. Post your job listings with SCCE today.www.corporatecompliance.org/newjobsor call +1 952 933 4977 or 888 277 4977

FeatureMichael Miller, CCEPExecutive Director for Ethicsand Compliance, Aerojet,Sacramento, CAan interview by Art Weiss, JD, CCEP, CCEP-IMeet Michael MillerCompliance & Ethics Professional May/June 2013This interview with Michael Miller (michael.miller@aerojet.com)was conducted by Art Weiss (art_weiss@tamko.com), ChiefCompliance and Ethics Officer for TAMKO Building Productsin Joplin, MO.AW: Thank you for agreeing to share yourthoughts with us. Please tell us a little aboutyourself and your background. Can you tell ushow you got into Compliance and what rolesyou have had?MM: Since joining Aerojet in 2006, I’vemanaged contracts and led a team of contractmanagers in support of both the SpaceLaunch Systems and Strategic Defense businessunits. I am also a Lieutenant Colonel inthe US Air Force Reserves. I have spent thelast 25 years serving—10 years on Active Duty,and the last 15 years in the Reserves—in variousContracting Officer roles. When I returnedfrom a recent deployment to Afghanistan,I learned that my predecessor planned toretire in December 2011. In conjunction withhis retirement, our leadership decided theExecutive Director for Ethics and Compliancerole should be singularly focused withoutmultiple hats—unlike my predecessor. I waspromoted into the role. I think my contractingbackground, familiarity with the FederalAcquisition Regulations, as well as the experienceI gained in the Air Force helped me14 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featurequickly grasp the requirements of the role andits importance to the company’s ethical culture.AW: Can you tell our readers a bit aboutAerojet?MM: Three thousand employees strong,Aerojet is a major technology-based manufacturingcompany headquartered in Sacramento,California. Our parent company, GenCorp,has two businesses, Aerojet and EastonDevelopment. For over 70 years, Aerojet hasbeen an industry leader and pioneer in thedevelopment of critical products and technologiesthat havestrengthened theU.S. military andenabled the explorationof space. Ourdedicated employeeshave developedquality products thatserve the war fighter,have powered majorachievements in spaceflight, and supportour nation’s commitmentto freedom and exploration. Aerojetpropulsion systems have powered mannedand unmanned missions for NASA since theinception of the U.S. Space Program, and sinceits founding in the 1940s, Aerojet has been amajor supplier of propulsion products to theDepartment of Defense. The company’s firstproduct—Jet Assist Take Off (JATO) rocketmotors—provided extra boosting power forU.S. military planes during World War II.At GenCorp and Aerojet, we pride ourselveson our legacy of exceptional service toour country. We also are equally committed tothe communities in which we live and do business.In 2012, The GenCorp Foundation, servingas the philanthropic arm of Aerojet, distributed$604,345 in grants, scholarships, and matchinggifts in 12 communities across the UnitedI was determined to get asmuch as I could out of theAcademy.… I left [it] withconfidence, conviction, andclarity about what neededto be done to make ourprogram more robust.States. And Aerojet employees themselveslogged more than 11,000 hours volunteering at52 nonprofit organizations and schools.AW: We first met when you attended anSCCE Basic Compliance and Ethics Academy.Can you share your thoughts and impressionsof your Academy experience?MM: Certainly. I was determined to get asmuch as I could out of the Academy I attendedin June 2012. By then, I had been ramping upin my Aerojet role for 6 months; I refer to thatperiod as being in “sponge mode.” I absorbedeverything I couldabout implementingan effectiveethics and complianceprogram.When I arrivedat the Academy,I was saturated withinformation—lotsof it. The Academywas the key ingredientthat helped metranslate the informationinto practical usable knowledge. I leftthe Academy with confidence, conviction, andclarity about what needed to be done to makeour program more robust.AW: Aside from the instructional aspect ofattending the Academy, were you able to engagein networking with other compliance professionalsand share ideas and best practices?MM: Definitely. Networking comes naturallyto me because I enjoy people—meetingthem and learning about their experiences.I often pick up a nugget or two of valuableinformation, or gain a resource for a futureneed. I found the Academy program agendaand its logistics conducive to networking.For example, having lunch provided (versushaving to scatter and fend for ourselves) madeCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 15

FeatureCompliance & Ethics Professional May/June 2013it possible to sit with different folks each dayand share a meal, as well as our experiences.AW: Did the Academy meet yourexpectations?MM: The Academy exceeded my expectations.I did not anticipate the Academy tobe instrumental in “bringing it all together”for me, but that’s what happened. I literallyarrived with a mish-mash of informationin my brain, and left at the end of the weekwith clarity! I nowhad a clear visionof what needed tobe done to have aneffective ethics andcompliance programas expected andenumerated by theFederal SentencingGuidelines forOrganizations.AW: At the conclusionof the Academy,you sat for the Certified Compliance & EthicsProfessional (CCEP) examination. What wereyour thoughts as you were taking the exam?MM: I’ve got to pass… I can’t fail. Wow,there sure are a lot of questions!AW: Did the Academy adequately prepareyou for the exam?MM: Seriously, all kidding aside, I waswell-equipped for the exam at the conclusionof the Academy. Based on the instruction andthe content, additional preparation was notrequired. I did well on the exam, and attributemy high score to the quality of the instructionand the comprehensiveness of the material.AW: You passed the exam and now hold thedesignation of CCEP. Has your experience inattending the Academy and your certificationThe potential benefitsare great; the potentialcompliance risks arealso great. Suffice it to say,change is constant, andour program must be robustand adaptive to remaineffective and relevant.changed anything about your view of thecompliance profession?MM: Certainly, it has expanded my awarenessof the myriad of industries and areasin which compliance professionals can findthemselves. Until entering the profession,I was oblivious. Now I have a reverence forwhat it takes to be effective and to makean impact. In partnership with our workforce,I strive to make meaningful incrementalprogress each day to strengthen our programand its influence onour ethical culture.AW: Has itchanged anythingfor you and provenuseful in your professionallife?MM: Are you kidding,is it useful?The Academy coursework binder, and TheComplete Complianceand Ethics Manualare getting a “serious workout” in our offices.Everyone on my team has attended an Academy.We often have conversations that start or end with“based on what I learned at the Academy” or“according to the Manual.” The informationfrom the Academy continues to be extremelyuseful in achieving our program objectives.AW: What advice would you have for complianceprofessionals considering attendingan Academy or sitting for the certificationexamination?MM: Do it. You won’t regret the decision!AW: What are some of the key compliancechallenges you face at Aerojet?MM: I suspect Aerojet’s challenges are sharedby most companies—ensuring that you respondappropriately to change, whether the source is16 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featureinternal or external to the company. We mustkeep pace with the myriad of regulatory changethat affects our business, and respond appropriatelyto the heightened emphasis placed onenforcement of these changes. Internally, since2001, Aerojet has divested its Space Electronicsdivision, acquired General Dynamics’ SpaceSystems business and the propulsion businessof Atlantic Research Corporation to become amarket leader in the development of diversifiedpropulsion systems. If that weren’t enough,in the most recent 5 years, we’ve weatheredfinancial storms, changed key leadership, andrestructured our core organizational structure.Currently, we’re implementing the first phaseof “Project One” a single Enterprise ResourcePlanning (ERP) system that will deliver morecapability, and lead to common business processesacross the entire company. The potentialbenefits are great; the potential compliancerisks are also great. Suffice it to say, change isconstant, and our program must be robust andadaptive to remain effective and relevant.AW: Was there anything from the Academythat led to an immediate change in your complianceprogram?MM: I believe the Academy’s most immediateimpact was on me—my awareness. TheAcademy helped me better understand thekey elements of an effective ethics and complianceprogram as stipulated by the FederalSentencing Guidelines. We’ve worked anumber of initiatives, some on our own andpartnered with others, to mature our programand ensure that we’re living up to theGuidelines’ expectations. As an example, westepped up our communication and trainingefforts to ensure that we consistently promoteon-going awareness, not infrequently or ona reactionary basis. As I mentioned earlier,the knowledge gained from attending theAcademy empowered me to pursue implementingthe Aerojet Ethics and Complianceprogram with conviction and clarity.AW: Thank you for your time. ✵CCB certification made easyThe Compliance Certification board has released anupdated Candidate Handbook for its compliance and ethicsprofessional certification. The handbook now includes:CandidateHandbookCertified Compliance& Ethics Professional(CCEP) ® Enhances· Easy-to-understand stepsto become certified andto renew your certification· Information on how to addand track your CEUs online· Candidates’ FAQs· Resources to help preparefor the examination· All the forms you’ll needfor certification and renewal· Information about SCCE’sonline certificationstudy groupsView and download the new handbook on CCB’s website:www.compliancecertification.org/ccepCCB_NewHandbooksAnnounce_CCEP_halfpagead_4c_CEP1112.indd 1Scan the QR code at left with your mobile phoneto visit the CCEP section of the CCB websiteCCEPcertificationyourcredibilityDevelopsprofessionalstandardsDemonstratesknowledge &Dedication10/11/12 2:47 PMCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 17

SCCE welcomes New MembersAlaska··Sue Wood, Alyeska Pipeline Service CompanyArizona··Sheila Cade, Chicanos por la Causa, Inc··Nancy Lipman, Chicanos por la Causa, Inc··Marisa Montoya, Apollo Group··Susan Zohreh, HotChalkGeorgia··Hima Amin, Community Loans of America, Inc··David Dover, Alere··Christopher Elliott, The Network··John Friedline, LexisNexis Risk Solutions··Liza Fritchley, West Georgia Health··Joan Hudson, Wellington Healthcare··Raymond Wysmierski, UCB IncCompliance & Ethics Professional May/June 2013Arkansas··Michael Amory, Wal-Mart Corporate Office··Julie Hall, Entergy··David McNeill, Entergy··Bridget Steadman, Wal-Mart Stores, IncCalifornia··Kay Breeden, Breeden Consulting··Tim Cable, The Boeing Company··Stephen Cairns, PG&E Corporation··Kimberly Davis, Impax Laboratories Inc··Sheila Fischer Kiernan, McKesson Corporation··Gloria Hughes, Unity Care Group··Sallie Kennedy, Alere Home Monitoring··Erin King, Guggenheim Partners Investment Management, LLC··Veronica Kurata, State Compensation Insurance Fund··Susan Lee, Asian American Recovery Services, Inc··Randy Lisbin, Southern California Edison··Dexter Mason, Rite Aid Corporation··Tonya Okon, Stanford Hospital & Clinics··Jennifer Scott, State Compensation Insurance Fund··Vince Staub, KLA-Tencor··John Swenson, State Fund··Janine Watkins-Ivie, Southern California Edison··Janice Wong, Pacific Gas and Electric Company··Lydia Yomogida, Purple CommunicationsColorado··Shannon Fair, Colorado Springs Utilities··Crystal Garrett, Correctional Healthcare Companies, Inc··Elise Marylander, The Marylander Firm LLCConnecticut··Karyn Fryer, The Alzheimer’s Resource Center of Connecticut··Michael Markowicz, University of ConnecticutFlorida··June Adams, ADT Security Services··Douglas Belaire··Jennifer Brownell, Arriva Medical··Christiane Bustillo, Alcatel-Lucent··Peggy Cooley, Arthrex, Inc··Monica Moyer, Saint Leo University··Glorimar Schultz, ThyssenKrupp Elevator Americas··Stephen Uebelacker, Sarasota County GovernmentIdaho··Steven Larsen, ON SemiconductorIllinois··John Bannon, SunCoke Energy, Inc··Alexandre Besin, KONE Inc··Amy Carletti, Baxter International Inc··Amy Frazier, Rainbow Hospice and Palliative Care··Terrance Gainer, McDonald’s Corporation··Richard Hess, State Farm Insurance··Nicole Joyce, CNA Insurance··Sharon Lezama, Experian PLC··Thomas Loftus, State Farm Insurance··Shawn McGrath, Ernst & Young··Malinda McWherter, Zebra Technologies Corporation··Jan Minks Runion, Archer Daniels Midland Company··Richard Osborne, Metra··Joseph Tylutki, McDonald’s Corporation··Michael Weisman, U.S. FoodsIndiana··Charles Giesting, Integrity Leadership Partners, LLC··Heather Hurst, Cook Group··Kimberly Wesley, Indiana University-Purdue University IndianapolisKansas··Jennafer Watson, Layne Christensen CompanyKentucky··William Yarber, Passport Health PlanLouisiana··Laurel Levraea, Louisiana Worker’s Compensation Corporation··Michael Stiltner, Louisiana Worker’s Compensation CorporationMaryland··John DeLong, National Security Agency··Kate Linde-Kogan, The Center for Organizational Excellence··Steven Timmons, Department of Defense··Scarlett Wirt, Department of DefenseMassachusetts··Thomas Birmingham, EnerNOC Inc··Robert Cicero, Smith & Wesson··William Dauksewicz··Martha Durcan, PTC Inc··Charles Frizzell, Harvard Clinical Research Institute··Rebecca Kennedy, Brill Neumann Associates··Christopher MacKrell, PTC Inc··Brian Osowiecki, Smith & Wesson18 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Michigan··Lisa Aragon, ITC Holdings Corp··Steve Luciw, ITC Holdings Corp··Tiffany Strychar, Con-way, Inc··Craig Wheeler, MeijerMinnesota··Kathryn Loija, ATK··Randi Nyholm, Minnesota PowerMississippi··Leslie Smith, Southern Farm Bureau Life Insurance CompanyMissouri··Katherine Brown, Heartland Kidney NetworkOhio··Joseph Heckendorn, Dana Holding Corporation··Kasey Ingram, Scotts Miracle-Gro··Vladimir Kapustin, Interkap Group LLC··Tammy King, Scotts Miracle Gro··Brian Stack, TremcoOklahoma··Reagan Bradford, Chesapeake Energy Corporation··Karie Mullins, ONEOK, IncOregon··Kelly Alwin, Con-way, Inc··Jennifer Ibnouf, Bonneville Power Administration··Stephen Marsh, SmarshNevada··Susan Carletta··Dana DegmonNew Hampshire··Daniel Fitzpatrick, City of RochesterNew Jersey··Evan Bartell, Optimer Pharmaceuticals, Inc··Kris Curry, Johnson & Johnson··Tena Garaffa, Selective Insurance Group, Inc··Asma Ghobriel, SAI Global··Rajalakshmi Govindaraj, Johnson & Johnson Health Care Systems··Sasha Lindsay, Solix Inc··Jon Poole, UCC··Amanda Tawfik, Tyco International··John Tompson, Johnson & JohnsonNew Mexico··Daniel Tanaka, New Mexico Securities DivisionNew York··Ted Becker, Legg Mason, Inc··Linda Borges, MVP Health Care··Lisa Gross, Lockheed Martin··Sharon Kurtz, Hospital for Special Surgery··Gregory Mahecha, Pfizer··Patricia Mapp, Columbia University School of Physican & Surgeons··Jorge Medina, Pernod Ricard··Tammy Murray-Vande Vusse, Creative Media Productions, Inc··Karen O’Brien, Lockheed Martin··Philip Racine, Georgia-Pacific··Tina Stinson-Da Cruz, Federal Reserve Bank of New York··Joanne Temmel, PepsiCo, IncNorth Carolina··Tomi Bryan, FedLinx, Inc··Ashleigh Johnson, United Therapeutics··Matthew Kanes, Piedmont Natural GasNorth Dakota··Amy Hornbacher, St. Alexius Medical CenterPennsylvania··Katherine Bandych, Seneca Resources Corporation··John Bereznay, Dick’s Sporting Goods··Kimberly Burke, Echo Therapeutics, Inc··Nicholas Cafardi, Tube City IMS, LLC··Frank Gorman, Project Management Institute··Ani Kechian, SunGard··Allan McLeod, Philadelphia College of Osteopathic Medicine··James Rogers, Thermo Fisher Scientific··Paula Slothower, Diversified Service OptionsSouth Carolina··Nancy Grigsby, Louis Berger Services, IncTennessee··William Faulhaber··Laird Jones, The Pictsweet Company··Christopher RocheTexas··Erin Anderson, Q’Max America··Cletus Andrew··John Burnett, Texas A&M University-Kingsville··Robert Camp··Julie Colasacco, Health Care Consulting Innovations, LLC··Charisse Coleman, American Bureau of Shipping··Angela Collins, C&J Energy Services··Joel Firestone, Direct Energy··Kevin Gollner, Rush Enterprises··B. Brett Holliday, Barbary Services LLC··Nina Kelley, Phillips 66··Suzanne Latimer, Texas Department of Transportation··Jennifer Lee-Sethi, Oncor Electric Delivery Company LLC··Phillip Mincemoyer, Direct Energy··Tim Morris, Xylem, Inc··Angela Muhammad, C&J Energy Services··Craig Nunn, Prairie View A&M University··Zandra Pulis, CPS Energy··Stephen Shelton, KBR··Robert Todd, Texas A&M Engineering Extension Service··Beverly West, Texas Department of Transportation··Nelson Wheatley, First National Bank··Erica Wills, PepsiCo, IncCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 19

Utah··Greg Bishop, Control4 CorporationVirginia··Mae Brown, Norfolk Southern Corporation··Richard Chira··Douglas Cole, Engineering Consulting Services, Ltd··Elizabeth Decker, VW Credit Inc··Kristen Galloway, PSI··Ashley Greene, Virginia Commonwealth University··Wayne Hamilton, Altria··Suzanne Hersh, Debarment Solutions Institute LLC··Jennifer Roberts, Analytic Services Inc··Baiba Simanich, VW Credit IncWashington··Parker Cann, BECU··Greg Dugas, CRISTA Ministries··John Heckel, Manson Construction Co··Beth Joffe, Stokes Lawrence, PSWisconsin··John Fisher, Ruder Ware··Susan Wagner, Integrys Energry GroupDistrict of Columbia··Matthew Nisinson, George Washington University··Courtney Sander, Smiths GroupCanada··Andrea Bosse, Alliance Pipeline··Cory Boyd, Rubin Thomlinson, LLP··David Charlton··Leah Fitzgerald, Enbridge Pipelines Inc··Martin Forget, Otsuka··Angela Giroux, Potash Corporation of Saskatchewan Inc··Ron Paquette, ClearView Strategic Partners Inc··Patricia Van de Sande, Credit Union Central AlbertaNetherlands··Walter Hendriks, FM Advisory··Ea VisserParaguay··Graciela Garay, Pacto Etico ComercialSingapore··Will Wong, HuntsmanSlovenia··Snezana Harnik, NLB Vita Insurance CompanySpain··Jose Maria Batista, Clariant··Juan Palacios, 3M EuropeThailand··Chaveeporn Chamsang, PTT Exploration and ProductionPublic Company Limited··Jutamat Choosutthinonchai, PTT Exploration and ProductionPublic Company Limited··Sopa Kattachan, PTT Exploration and ProductionPublic Company LimitedTurkey··Bulent Bozdogan, Sabanci HoldingUnited Arab Emirates··Syed Aley Jafri, Emirates National Oil Company LimitedUnited Kingdom··Samuel Briggs, KCI, Inc··Stuart Davies··Anne Fairbairn, Diageo PLC··Kristy Grant-Hart, Carlson Wagonlit Travel··Dominic Hall, Coca-Cola Enterprises··Lucy McCabe, KPMG··Stephen Parkinson, ClariantChina··Joab Meyer, Cisco Systems (China)Colombia··Ana Buitrago, Promigas SA ESPCompliance & Ethics Professional May/June 2013Greece··Zoi Drouga, ClariantIndia··S Srirangam Srinivas Nag, PrimeZmartItaly··Angelo Oniga, Clariant··Mauro Vecchiotti, Johnson & Johnson Spa20 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

ANY TIME.ANYWHERE.ANY MATTEROF RISK.Global Corporate Compliancewww.bakermckenzie.com©2011 Baker & McKenzie. All rights reserved. Baker & McKenzie Internationalis a Swiss Verein with member law firms around the world. In accordance withthe common terminology used in professional services organizations, referenceto a “partner” means a person who is a partner, or equivalent, in such a law firm.Similarly, reference to an “office” means an office of any such law firm.

Learn the Essentialsof Compliance &Ethics ManagementSCCE’s 2013 BasicCompliance & EthicsAcademiesWhether you’re new to compliance or an experienced compliancepractitioner looking to hone your skills and become a CertifiedCompliance & Ethics Professional (CCEP) ® , a Basic Compliance &Ethics Academy ® is the right choice for you.Each Academy provides three-and-a-half days of intensive,classroom-style training in the fundamentals of managing aneffective compliance and ethics program. The faculty is experiencedcompliance professionals who have “been there and done that” andcan help you take your compliance expertise and program to thenext level.And there’s no better preparation for the certification exam andearning your CCEP.To learn more about how the Society of Corporate Complianceand Ethics’ Basic Compliance & Ethics Academy can help you,visit www.corporatecompliance.org/academies. It’s the first step tomastering the essentials of compliance and ethics management.UPCOMINGACADEMIESIn the USNew York, NYAugust 5–8Las Vegas, NVSeptember 16–19Denver, COOctober 21–24Orlando, FLNovember 11–14San Diego, CADecember 2–5InternationalBrussels, BelgiumMay 13–16Shanghai, ChinaJuly 8 –11São Paulo, BrazilAugust 26–29Dubai, UAEDecember 16–19www.corporatecompliance.org • +1 952 933 4977 or 888 277 4977

Boehme of Contentionby Donna BoehmeKumbaya Complianceis not good enoughBoehmeWhen I was in Girl Scouts, we usedto sing “Kumbaya” around thecampfire. Fast forward to 2013,where Kumbaya is now defined in the UrbanDictionary as “blandly pious and naively optimistic.”Still, Kumbaya is what I flashback towhen I see some CEOs breathlesslyannouncing “new values” and othersbragging about their latest award for“most ethical company in the universe.”This is what I call “KumbayaCompliance.” The CEO issues an edict,maybe a press release, and everyonein the company holds hands in a sing–along to make the company ethicaland compliant, just like magic. If this works,why do we even need compliance officers andprograms? Shouldn’t the Federal SentencingGuidelines be shortened to just four elements?Let’s review: (1) management edict, (2) campfire,(3) marshmallows, and (4) Kumbaya.I am ever amazed at otherwise smart executiveswho know that anything worth doing inbusiness requires a strong leader, resources,mandate, monitoring, and incentives, butwhen it comes to compliance and ethics, thinkthat “tone from the top” means “tone frommy mouth.” Ethical leadership is not only animportant business endeavor; it’s the importantbusiness endeavor, because it’s the foundationof all enduring success.Which makes me wonder if CCOs arefalling down on the job with their CEOs andboards. Could it be we are overselling the successesof our hard-fought-for programs andforgetting to engage senior management inthe tough conversations about what’s reallyrequired of them? Until companies truly understandthat Compliance is the designer, overseer,and subject matter expert, but that the businessitself is the implementer and owner, progresswill continue to be excruciatingly slow.Sometimes I just wish CEOs would just shutup and “do.” What should they do? Imaginethat a CEO spoke at a town hall like this: “Heypeople, this is what I’ve done: I’ve appointed anindependent CCO who reports to me, and hasa seat at all important meetings, resources, aclear mandate, and unfiltered sessions with theboard. I’ve broken down all silos, so everyonedoing compliance is in the CCO’s line of sight.Your performance evaluations, promotions,and bonus compensation will be tied directlyto how well you support compliance. And yourbosses will be monitoring all of this.”Too ambitious? Well, then how about aCEO who makes a random phone call to allhis business heads to say, “How is your compliancetraining going?” or asking them toname a priority risk and report what they aredoing about it. How about a CEO who asksto see periodic metrics on ethical leadershipamong top leaders, or who makes an unannounced“safety visit” through the factoryfloor? Duplicate this through all the layers ofmanagement and imagine the ripple effect.Granted, all that stuff is hard work. It’smuch easier and less “disruptive” to just talkabout it. So this is where we are, CorporateAmerica. It’s time to “do.” Or, we can just singanother round of Kumbaya. ✵Donna Boehme (dboehme @ compliancestrategists.com) is Principal ofCompliance Strategists LLC and former Chief Compliance and Ethics Officerfor two leading multinationals. Follow Donna on Twitter @ DonnaCBoehme.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 23

www.corporatecompliance.orgCALL FOR AUTHORSShare your expertise in Compliance & Ethics Professional,published bi-monthly by the Society of Corporate Compliance and Ethics (SCCE). For professionals in thefield, SCCE is the ultimate source of compliance and ethics information, providing the most current viewson the corporate regulatory environment, internal controls, and overall conduct of business. National andglobal experts write informative articles, share their knowledge, and provide professional support so thatreaders can make informed legal and cultural corporate decisions.To do this, we need your help!We welcome all who wish to propose corporate compliance topics and write articles.CERTIFICATION is a great means for revealing anindividual’s story of professional growth! Compliance &Ethics Professional wants to hear from anyone with aCCEP, CCEP-I, or CCEP-F certification who is willingto contribute an article on the benefits and professionalgrowth derived from certification. The articles submittedshould detail what certification has meant to theindividual and his or her organization.Topics to consider include· Anticipated enforcement trends· Developments in compliance and ethicsand program-related suggestions for riskmitigation· Fraud, bribery, and corruptionCompliance & EthicsMay/June2013 ProfessionalA PUBLICATION OF THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICSPlease note the followingupcoming deadlines forarticle submissions:· Securities and corporate governance· Labor and employment law· Anti-money launderingMeetMichael MillerExecutive Director for Ethicsand Compliance, Aerojet,Sacramento, CASee page 1425Seven strategiesfor preventing usersfrom hoardingdocumentsMark Diamond33You’veidentified acorporate risk—what next?C. J. Rathbun41Mind the gap!Where corporatepolicy and socialmedia meetSteve Carr47Political activity compliance:A complex but necessarysubject for complianceprofessionalsScott Stetson· July 1, 2013· September 1, 2013· November 1, 2013· January 1, 2014Earn CEUs!The CCB awards 2 CEUs to authors of articles publishedin Compliance & Ethics Professional.· Government contracting· Global competition· Intellectual property· Records management and business ethics· Best practices· Information on new laws, regulations, andrules affecting international complianceand ethics governanceIf you are interested in submitting an article for publication in Compliance & Ethics Professional,email Liz Hergert at liz.hergert @ corporatecompliance.org

Featureby Mark DiamondSeven strategies for preventingusers from hoarding documents»»Employee hoarding of electronic documents is an information governance change management problem.»»Aggressive deletion often drives underground archiving, making the problem worse.»»Addressing underground archiving requires a cross-functional approach engaging policies, processes, tools, and technologies.»»Effective approaches create a “win” for employees by understanding the reasons for their behaviors.»»Ongoing auditing is critical to assess program effectiveness.DiamondHoarding of electronic information Many IT departments have found that justis a common problem that reduces devoting more storage to the problem is at bestemployee productivity, raises IT a temporary fix. It is true that the acquisition80% rate. 3 5% to 10% are deleters. Pilers tend to driveoperational expenses, and heightens the risksand costs of regulatory action and litigation.Organizations need to assert centralized controlof deletion in order to overcomethe consequences of informationhoarding. But such efforts can runinto resistance from employees.Most organizations let informationpile up. New information is likesnow, and legacy collections of datacost—but not the operating cost—of storage istrending downward. And “the cloud” offersmanageable costs and virtually unlimitedcapacity. Still, as the volume of informationgrows—and content repositories and managementsystems proliferate—problems crop up.Queries and searches can take longer, confidentialdata can fall into the wrong hands, andconsiderable effort may required to respond toeDiscovery requests or regulatory challenges.are like glaciers: each year, layers areadded, some melt away, but the accumulationkeeps growing.Why hoarding is an end-user problemSome people are “filers.” They classify information··The size of the digital universe in 2012is estimated at 2.7 zettabytes (2.7 trilliongigabytes), and is forecast to be 40zettabytes by 2020—a 50-fold growth sincethe beginning of 2010. 1(most often manually), and rely onfolder-based navigation to find what theyneed. Other people are “pilers.” They saveall of their documents on the desktop, inthe email inbox, or wherever they originally··Businesses sent and received 89 billionemails per day in 2012, which should growto over 143 billion by year-end 2016. 2reside, delete almost nothing, and relyon search to find important information.“Deleters” get rid of information as soon as it’s··Unstructured data (e.g., files, office productivitydocuments, SharePoint, and otherinformation generated by applications)in the enterprise is growing at up to andetermined to be of no use to them.We find that more than 50% of employeesin organizations of all sizes are pilers. A somewhatsmaller percentage are filers, and fromCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 25

Featurefilers crazy (and vice versa), but most sensibleorganizations don’t enforce uniformity. Peopleare people, and they’ll work in the way thatpromotes productivity and comfort.Some employees have sinister reasons forkeeping or deleting documents (e.g., to covertheir tracks, to help them avoid retribution,or to preserve information that may be usedagainst others). And deleters can cause problems,because they might permanently removeinformation that has business value or shouldbe retained for legal or regulatory purposes.But most filers, pilers, and deleters have goodintentions and believe that what they save hasbusiness value and/or is tied to a businessprocess. If they’re wrong, their behavior, inaddition to making themselves less productive,can drive up storage and managementcosts and the risk and expense of eDiscovery.Document hoarding is a change managementproblemKeeping the right stuff, and getting rid ofunneeded, low-value information requires acombination of effective policies, processes,and technology. Perhaps most important,The downside of aggressive deletionSome IT departments react to the growth of information by aggressively deleting it accordingto established rules. For example, if files have not been accessed, classified, or changed forsome period of time (e.g., 60 days), then the information is deemed to have little or no businessvalue and is automatically deleted. The rationalizations for such behavior are threefold:··Storage space can be freed up.··Information is expunged before the organization finds itself in trouble, and as long asdeletion policies are documented, the organization can feel confident if it is challengedin court.··All employees—from the CEO on down—are (or ought to be) aware of the policies sothere should not be any surprises.Compliance & Ethics Professional May/June 2013The trouble with this strategy is that the IT department cannot be certain that everythingis truly deleted. Information tends to have a long lifecycle, especially when:··the recycling of offsite backup tapes does not match the aggressive deletion schedule;··employees can forward email messages and attachments to colleagues or send blindcopies to their personal email addresses (e.g., Gmail); and··files can be saved on USB drives, laptop storage, and at remote office locations, incloud-based applications like Salesforce.com or Google Drive, or burned to DVD by®employees on their home systems.The last two scenarios are examples of what we call “underground archiving” when individualsmaintain private repositories of documents, keeping information outside of the controlof the organization. Underground archiving is often a reaction to the imposition of storagequotas or enforcement of harsh deletion rules. People will squirrel away what they deem to beimportant. We find that about 30% of Fortune 500 companies we’ve spoken with are plaguedby information that practically lives forever in underground archives. Such data and documentsare discoverable, and the costs of identifying it and recovering it can be onerous.26 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featurehoarding is an information governance behaviorchange management problem.Information governance change managementis similar to, but different than traditionalIT change management. IT change managementfocuses on the impact and adoption of new systemsand applications. Information governancechange management is about impacting andmeasuring the change in users’ behaviors. Theobjective of information governance changemanagement is, in effect, changing the cultureof employee document hoarding.Effective change management starts withunderstanding current behavior. Why are youremployees saving documents? In some cases,the answer is that they are driven simply by a“CYA” mentality of needing this informationlater. But in many cases, this may be a minoritydriver. In our interviews with clients, we havefound that employeesare often driven tohoard by a number ofseemingly legitimatebusiness reasons,such as “I was told bymy boss I had to savethis.” Or, they receivedconflicting messages,such as “Legal sayswe have to save allcontracts in an MSGfile.” Ongoing businessprocesses (e.g., “Thisare part of our troubleticket process”) may also be a factor. Theiranswers may surprise you.One of the keys in achieving the desiredbehaviors is to identify the reasons employeeshoard. During our engagements, we foundthat conducting employee interviews is muchbetter than simply sending out surveys, albeitinterviews may take longer. Surveys may tellyou the “what”; interviews tell you the “why.”Interviews uncover much better and moreCentralized control ofdeletion, as an elementof a broader informationgovernance program,is needed so thatorganizations can overcomethe consequences ofinformation hoarding.actionable information, as well as the real painboth employees and their business units areexperiencing (e.g., “We are drowning in email”or “I spend hours every week looking forinformation.”) By uncovering this information,we can guide employees to change behaviors,leading to better information management,which makes employees’ lives easier by allowingeasier searches, access, and collaboration.There’s a “win” for employees here, and wecan use this pain to drive our initiative.Stop hoarding: Seven keys to successCentralized control of deletion, as an elementof a broader information governance program,is needed so that organizations can overcomethe consequences of information hoarding. Butmaking it happen is often easier said than done.We encounter many customers who believethat they know justhow to implementan information governanceprogram.By analogy, wheninformation technologyinitiatives, suchas enterprise resourceplanning (ERP) areintroduced, a significantamount of effortsurrounds systemdeployment. Whathappens when a newtool is moved intoproduction? What are the effects on infrastructure,process, and user experience?The objective of an information governanceprogram, on the other hand, is to modify userand organizational behavior. Chances are thatnew software and tools are required, but atleast as much energy must be expended onpolicy and process development, articulatingthe benefits for the company and employees,monitoring and auditing of ongoing behavior,Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 27

FeatureCompliance & Ethics Professional May/June 2013and, in some cases, developing customizedapproaches for separate audiences.1. Create a cross-functional teamWe recommend that a cross-functional teambe formed to oversee an information governanceproject. It would include representativesfrom the Recordsand InformationManagement (RIM),Legal, and IT departments,as well asexecutives and endusers.Once eachgroup understandsthe severity of theissues at hand andthe “win” that’s in itfor them, they’ll bemore willing to participateor at least not sabotage the effort.2. Know what you haveStart by creating an information “map.”Automated tools can help, but some manualeffort will be required to determine the locationand the value of information. Employeesmake great use of unstructured data (e.g.,email, SharePoint, files, etc.) in daily work andin business processes. Such information is oftenhidden in underground archives, so be sure toinclude the data that resides on employees’ laptops,tablets, smartphones, and workstations,as well as in production systems. All of it carriespotential for exposure to regulatory, legal,or eDiscovery risk and the associated costs.3. Manage document retention anddeletion policiesUp-to-date retention schedules specify just howlong information should be retained. Early inthe process, strive for agreement among thecross-functional team members about retentionand deletion rules. Be sure that policies identifyThe objective ofan informationgovernance program,on the other hand,is to modify user andorganizational behavior.processes and the “authority” (e.g., a legal ruling,business practice, or regulatory mandate) whichjustifies retaining and deleting documents.4. Enforce consistent legal hold policiesand processesThe deletion process is often complicated byongoing litigation andlack of a process foridentifying which dataare and are not underlegal hold. Create aclear and consistentlegal hold process thatclearly delineates databeing held, preventsthe purging of datathat by policy mightotherwise be deleted,and allows the routinedeletion of data not under hold. The moreclear and unambiguous a legal hold process is,often the more aggressively older, non-relevantdata can be deleted.5. Keep it simple for end-usersOur surveys indicate that without clear direction,more than 90% of employees tend to savemore documents than they need. Their reasoningis that no one ever got in trouble for notdeleting a document. On the other hand, wefound that when given clear guidance, 80% ofemployees will follow a reasonable, intuitivepolicy.6. Apply psychology and technologyHelp employees accept and embrace changesto their current working environment. Whileintroducing the program:··Provide options: Let employees makedecisions within the boundaries of policy.··Keep documents accessible: The mereperception of “taking information away”encourages underground archiving.28 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Feature··Programatically control deletion. Mostusers are filers and pilers; if regulatorycompliance is important, don’t rely onthem to delete information on their own.··Strive for invisibility: Nobody is any theworse off if information is deleted withoutend-user intervention… within the rules,of course!Of course, technology plays an importantrole in an effective program to stop hoarding.The best approaches enable consistent policygovernance across all repositories and reflect—rather than challenge—the way people work.7. Continue to audit and monitorOnce the elements of an information governanceprogram are in place, frequent evaluationand oversight are critical. Look for gapsbetween policy and practice. For example:··Are employees lazy, classifying informationonly according to the longest retentionperiod?··Is information still hidden in privaterepositories?··Is there too much emphasis on properlymanaging “big R” records to the detrimentof other valuable documents?Focus on employees who are not followingthe policies as the exception and not the rule.Going from a “big” problem, where hoardingis rampant and deletion is hardly defensible, toone where just a fraction of users still requiresome level of behavior modification is a bigwin for most organizations. Don’t let “perfect”be the enemy of “good enough.” ✵Mark Diamond (markdiamond@contoural.com) is the Founder and CEOof Contoural, Inc., in Los Altos, CA.1. IDC press release: IDC Predicts 2012 Will Be the Year of Mobile and CloudPlatform Wars as IT Vendors Vie for Leadership While the IndustryRedefines Itself. December 1, 2011. Available at http://www.idc.com/getdoc.jsp?containerId=prUS23177411#.UTnr7Bz_mSo2. Radicati Group: Email Market 2012-2016. October 2012. Available athttp://www.radicati.com/wp/wp-content/uploads/2012/10/Email-Market-2012-2016-Executive-Summary.pdf3. Ravi Kalakota: Big Data Infographic and Gartner 2012 Top 10 StrategicTech Trends. November 11, 2011. Available at http://practicalanalytics.wordpress.com/2011/11/11/big-data-infographic-and-gartner-2012-top-10-strategic-tech-trendsCompliance Is Just the BeginningHow do you make better ethical decisions at work? Just because aparticular choice is legal does not make it right. This two-program videoseries introduces a three-step process for handling tough ethical decisions.The first program, “3 Steps to Ethical Decisions,” introduces the threesteps we can take when faced with a tough ethical choice. The secondprogram, “Ethical Situations to Consider,” presents eight dramatizedscenarios to spark discussion about familiar ethical issues. All formatscome with a facilitator’s package including course outlines, trainingactivities, reproducible handouts, and optional PowerPoint slides.Program One: 3 Steps to Ethical Decisions (24 minutes)MEMBERS $625 | NON-MEMBERS $720Program Two: Ethical Situations to Consider (32 minutes)MEMBERS $625 | NON-MEMBERS $720Compliance Is Just the Beginning (two-program package)MEMBERS $1,062 | NON-MEMBERS $1,224FULL ONLINE PREVIEWAVAILABLE!Visit SCCE’s website:www.corporatecompliance.orgVideo training produced by QMR—The Respectful Workplace CompanyComplianceJust Beginning_halfpagead_horiz_2c_CEP0113.indd 111/28/12 12:17 PMCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 29

Learn the essentials of managingcompliance & ethics programsTake the exam andget certified afterthis intensive trainingBasic Compliance& Ethics Academies®in SOUTH AMERICA, EUROPE, ASIA, and UAEGlobal companies need to have an effective compliance programwherever they operate. But until recently, it’s been difficult toprovide compliance leaders outside the U.S. with the trainingthey need. SCCE’s Basic Compliance & Ethics Academies arechanging that equation.Now you and your international colleagues around the world canbenefit from the same invaluable, intensive training availablein the U.S. Our international Academies cover critical contentin-depth and are a great preparation course for the CCEP-I exam.Topics addressed include:• Standards, policies, and procedures• Compliance and ethics program administration• Communications, education, and training• Monitoring, auditing, and internal reporting systems• Response and investigation, discipline and incentives• Anti-corruption and bribery• Risk assessmentSo let your colleagues around the world know about SCCE’sAcademies in South America, Europe, Asia, and Dubai, and getyour entire compliance team on the same page.Brussels, Belgium13–16 May 2013Shanghai, China8–11 July 2013São Paulo, Brazil26–29 August 2013Dubai, UAE15–19 December 2013Learn more & register at corporatecompliance.org/academies

The Art of Complianceby Art Weiss, JD, CCEP, CCEP-IDon’t train your employees —your hotline calls will increase!WeissDon’t you hate it when the “businesstypes”’ (you know, those folks whothink we’re out to get them) complainthat the number of hotline calls is rising? Thisusually happens right after you complete around of training, particularly topics such asgifts, conflicts of interest, and preventionof harassment. These folks mustthink they will look bad if more ofthe employees in their departmentsreport illegal or unethical conduct.Obviously, if more hotline reports arecoming in, the place is going downthe drain, right? Wrong!Why do we do training in the firstplace? Is it because we like spending bucketsof money with outside vendors to put our logoonto their cut-and-paste videos? Is it becausewe like putting on the same class four timesa day with the first session at 5 a.m. and thelast at 8 p.m.? Maybe it’s because we like toshow off how smart we are and try to makethe employees think that we know all theanswers. Again—wrong, wrong, and wrong!Nope, we train because we want ouremployees to work safely, treat each otherrespectfully, build our corporate reputation,and oh yeah, stay out of jail. Some trainingis required by law; some is “required” by theFederal Sentencing Guidelines or similar internationalguidance. I’d like to think that wetrain so that our employees and our organizationcan prevent and detect violations of lawand foster an ethical culture. Now, where haveI heard those words before?In the SCCE Basic Compliance and EthicsAcademy, we have a class on training andeducation. As part of that class, attendees areasked to break into small groups and preparea presentation to their ”CEO” (an instructor)justifying their compliance training budget.It’s a very popular break-out session. Thethings they come up with to justify theirbudget range from “doing the right thing” tokeeping the CEO out of jail.…we train because we wantour employees to work safely,treat each other respectfully,build our corporate reputation,and oh yeah, stay out of jail.Take some time to think about why yourorganization conducts compliance training.Think about how you can improve your training,and think about how you can justify yourneed for training. After all, you are teachingyour employees to identify illegal andimproper conduct so they can drive the “businesstypes” crazy with more hotline calls. ✵Art Weiss (art_weiss @ tamko.com) is Chief Compliance and Ethics Officerat TAMKO Building Products in Joplin, MO.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 31

RegisteR noW foR sCCe’s 2013Compliance & Ethicsregional ConferencesUpper NortheastNew York, NY • May 17Network locallyand get the latest on thekey challenges facing thecompliance communitySCCE Regional Compliance & Ethics Conferences provide aforum to interact with local compliance professionals, shareinformation about our compliance successes and challenges, andcreate educational opportunities for compliance professionalsto strengthen the industry.Attendees learn about current regulatory requirements, governmentenforcement initiatives, and the management of effective complianceprograms; and meet and network with other complianceprofessionals locally.Who should attend? Compliance officers, in‐house and outsidegeneral counsels, privacy and security officers, regulatory affairs,VPs and directors, government agency staff.Upper West CoastSan Francisco, CA • June 21alaskaAnchorage, AK • June 27–28soUtheastAtlanta, GA • November 1soUthWestDallas, TX • November 8NeW eNglaNdBoston, MA • November 15Learn more at www.corporatecompliance.org/regionals

Featureby C. J. Rathbun, CCEP, FLMI, HIA, AIRC, ACSYou’ve identified acorporate risk—what next?»»The company’s choices in response to an identified risk will depend on its risk tolerance.»»The CCO’s considerations should include how mitigating the risk will affect everyone from the board room to the mailroom.»»The CCO’s report should be carefully designed for its target audience.»»Internal procedures may need to be changed to prevent future risks.»»Proactive monitoring and/or auditing will help you catch problems before they become issues.RathbunThe scope of risk management extendsall the way from the boardroom to themailroom. The overall impact to theorganization, though, is first addressed at themanagement level by the chief complianceofficer (CCO). Once the board or chief executiveofficer has determined how thecompany will address any specificrisk, much of the planning and implementationresponsibility falls back onthe CCO’s shoulders.After your company identifies arisk, management will consider atleast these three dynamics beforemaking its choice of actions.1. The severity of the risk weighed againstthe company’s appetite for risk.2. How the company has performed in thepast on managing similar risks and if so,what the impact might be on the companyif the risk actually occurred.3. The probability or likelihood of the riskevent occurring.Shaping the compliance reportWhat considerations, then, should go intopreparing your compliance officer’s reportto the decision-making group on this newlyidentifiedrisk? The report should be shapedby answers to the following questions.··Who is the audience? Is it the board ofdirectors? The CEO? Or does it beginwith other C-suite executives? What isthe trust level that has been establishedwith that audience? Sometimes the audiencemay even be the regulatory bodythat previously examined your organizationand wants you to provide afollow-up report.··What is the organizational culture?How is a decision of this dimension usuallymade? How much detail does theaudience expect? What stories or exampleswill illustrate it best?··What reputational risk for the companyshould be anticipated? Would the companybe comfortable with this decisionbeing published in The Wall Street Journal,for instance?··What should be incorporated into thereport? What other business concerns,financial pressures, and legal liabilitieswill it include?··How should the report be presented?In what format or with what technology?Although this factor may seem a lessimportant consideration than the others,it will become increasingly more importantas generations in the board roomand C-suite change.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 33

FeatureCompliance & Ethics Professional May/June 2013The compliance officer’s recommendationsfor action may rest, in large part, on what thecompany can bring to the table to successfullysupport the decision.This accountingshould permeate allimpacted stakeholdersof the company, fromthe CEO to mailroomemployees, and fromboard member tovendor representatives.Critical factorsto consider in thesepositions are acceptanceof or resistanceto change, necessaryskill sets, and the extent of employee buy-in tothe cultural norms and corporate values.Weighing the optionsAs a result of the compliance officer’s reportand recommendations, the ensuing discussionwill result in a decision outlining the desiredcourse of action.That course of action will fall into oneof four categories. First, if the company’sresponses to each of the three factors listedat the beginning (severity, performance, andprobability) result in a negative “score” (i.e,high risk/low tolerance, not well-managed,and high likelihood), the company may chooseavoidance—getting out of the risk-bearingactivity completely. For instance, if new legislationmakes a non-core product much morerisky in terms of required monitoring orincreased regulatory scrutiny, and the companyis historically conservative, the severityfactor is a “red light.”If the company does not already have astrong infrastructure for monitoring and/orfield supervision, or is simply too small tohave the resources for managing the risk, theimpact of an occurrence could spell trouble forThe compliance officer’srecommendations foraction may rest,in large part, on whatthe company can bring tothe table to successfullysupport the decision.the company—another red light. So the companymust also determine what the likelihoodis of that occurrence. If the perception thatthere is a high possibilityof an event,along with the redlights on the severityand performancefactors, the companymay well want towithdraw from themarket.Secondly, in thesame scenario of aregulatory changein a non-core lineof business, thecompany may determine to make changesto their field or internal monitoring that willpotentially: (a) reduce the severity of risk,(b) improve their performance score on thisrisk with careful management, and (c) hopethat the event will not happen on their watch.Another choice common in the insuranceindustry is that of allocating or transferringa portion of the financial risk to those whospecialize in accepting that transfer. And thefourth choice, of course, is to accept the riskand the potential for financial impact, believingthat current protection protocols will beadequate in the face of the newly-identifiedrisk. This choice is generally made becausethe company’s cost-benefit analysis supportsthe position that the potential gain, when balancedagainst potential problems or loss, isperceived to be worth the gamble.Implementing the company choiceThe second choice (making changes to addressor minimize the risk) is the one that involvesthe most effort and change, a large portionof which lies in revising your internal proceduresin order to help manage the risk best.Your current compliance structure should34 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featureinclude the protocols you need in order toexplore the ripple effect within the companywhen it has made this decision. Once thepotentially affected departments, businessunits, operational functions, and outside stakeholdersare identified, the work of makingappropriate changes to policies, procedures,and actual behaviors begins.What behaviors will demonstrate compliancewith this decision? Each impactedemployee position should be considered,as well as actions of the officers, producers,vendors, and even possibly board members.What factors in that behavior are measurableand how are they quantifiable? Short-term,mid-term, and long-term behavior measurementsshould be incorporated into theanswers. Depending on the magnitude of therisk potential, what disciplinary actions oughtto be incorporated into the protocols? Whatdeterrent actions is the company legally andethically prepared to take across all stakeholderlevels?Designing thepolicies and procedureswill take time.The support neededto successfully navigatethis risk mayrequire significantchanges to someemployees’ dailyactions. Training andimplementation—ifyou truly imbed thenew procedures intothe workaday lives ofyour employees—could also take some time.Once that process is well on its way, compliancewith and effectiveness of the newactivities will need to be determined. Howwill the company help ensure that thosechanges to behaviors stay in place? Employeeengagement and accountability should beSome changes maycall for an even moreintensive structure,a combined approachof both ongoing andregular monitoring,and regular follow-upassessments.included in that oversight. How will the activitiesthemselves or the effectiveness of thoseactivities be checked after they are instituted?Confirming the changes in behaviorThe two basic ways to structure “checkback”functions on procedures, actions, andaccountability are ongoing monitoring oran after-the-fact audit (meaning operationalassessments, rather than financial). Somechanges may call for an even more intensivestructure, a combined approach of both ongoingand regular monitoring, and regularfollow-up assessments. The use of these toolsmay begin on a heightened schedule, but thefrequency can be lowered as consistent completionof procedures and the reliability of theiroutcomes builds more confidence internally.A note of caution, however. As familiaritywith the procedures grows, the effectivenessof monitoring and/or auditing may weaken.Two factors could be at work here. One is thatthe monitoring maybecome less rigorousbecause of the level ofconfidence reached.Second, as procedurescontinue to grow andchange, the assessmentsmay not stayin step with thosechanges and maybecome less effective.Which of the twoconfirmation methodsyou select candepend on those threeinitial factors mentioned above: the severity,management capability, and likelihood of therisk. It can also be influenced by the regulatoryand hierarchal structure of the company,the number of employees and resources available,and the methodologies already in use forsimilar risks. For instance, if regular, quarterlyCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 35

Effective Ethics Training Gives YourBusiness a Competitive EdgeGet the executive training DVD that worksThe Ethics Series withDr. Marianne JenningsProduced by DuPont Sustainable Solutions• “Ethics Is a Competitive Advantage” lists fivekey reasons why ethics matter. This program exploreswhy working in the gray areas is risky and a recipe fornon‐sustainable business. (20 min.)• “Speaking Up Without Fear” discusses workenvironments where employees keep silent and fearretaliation if ethical concerns are reported. This programexplores how organizations can draw out wrongdoing andhelp create a culture where employees feel empowered.(15 min.)• “Ethical Leadership: Tone at All Levels” explores howemployees can handle the tension between increasingan organization’s bottom line and protecting its goodreputation. This program discusses what every employeecan do to help build and sustain an ethical culture. (20 min.)Each segment is available individually,or all together on one DVD.SCCE members: $450 per segment, or $1,175 for the seriesNon-members: $495 per segment, or $1,295 for the seriesLearn more and purchase online atwww.corporatecompliance.org

Featurecompliance audits are already done in the areasimpacted by the new procedures, it is relativelysimple to add a new review section to the existingprocedure. However, if your staff is few innumber and typically works more with trendanalysis and measurement reporting, you aremore likely to use those monitoring methods.Other familiar monitoring tools includeaffirmation of training, attestation of complianceby vendors and producers, gaugingknowledge levels of employees and producers,quantifying completion and accuracy rates, andevaluating increases in complaints or hotlinecalls about an impacted area. Some less familiartools which appear to be gaining traction in theethics and compliance community are:··Monitoring and listening to communicationsof employees on social media blogs,Facebook, and Twitter. This should not bedone with punitive mind-set.··Early identification of “hot spot” eventsor statements.··Stakeholder teleconference calls, town hallmeetings, sales meetings.··Employee and consumer focus groups.The end goal of risk managementHaving accepted the challenge of an identifiedrisk, the company’s well-structured programlikely requires vigilance and encouragescontinuous improvement of both companyprocedures and of the monitoring and/orauditing of those procedures. One of theprime objectives of designing such a proactivesystem is to allow the company to identifya growing concern before it becomes anissue—and before consumers are harmed orregulators become concerned. Your goal is tohelp ensure that you and your company will“get the first crack” at addressing a problem,if one occurs. ✵C. J. Rathbun (cj.rathbun@firstconsulting.com) is Senior Consultantwith First Consulting & Administration, Inc. in Kansas City, MO.Call for SpeakersShare your expertise with others by presenting an SCCE Web ConferenceTopics to consider include··General compliance··Risk··Regulations··Policy & procedure··Ethics & privacy··Auditing & monitoringSCCE’s Web Conference attendees are always looking forcurrent, relevant information on the latest hot topics inthe compliance & ethics field.Conferences are held at 12:00 pm CT for 90 min.No Sales Pitches Please: Direct promotions ofproducts, services, or monetary self-interest are notappropriate educational sessions. SCCE members aretraditionally vocal in their displeasure with sessions thatappear to be sales presentations or promotions.To submit a proposal, email Liz Hergert atliz.hergert @ corporatecompliance.orgCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 37

Establish a career where you canMAKE A DIFFERENCE“This book is an immenselyvaluable contribution to the field.It will not only help guide a newgeneration of compliance andethics officers through the manyprofessional challenges thatawait them, but will also provideconsiderable useful insight andknow-how to their experiencedcounterparts.”— Jeffrey M. KaplanPartner, Kaplan & Walker LLP,a compliance law firm; former programdirector of the Conference Board’sBusiness Ethics ConferenceAn authoritative, step-by-step guide to enteringone of the fastest growing fields in the business worldwww.corporatecompliance.org • +1 952 933 4977 or 888 277 4977

Empirically Speakingby Leslie Altizer, of The CEB Research TeamTurn stressful corporate changeinto “integrity opportunities”AltizerMost compliance programs have lessthan five hours of employees’ timeeach year for dedicated complianceand ethics training (or barely a minute perday). So, how do you shape employee behaviorwhile allowing for the entrepreneurial spiritand on-the-job innovation that drivecorporate success? To create the rightconditions, compliance and ethicsofficers currently create a varietyof policies, trainings, controls, andincentives. Some of this effort isrequired, and much is helpful.But if we really want to drive theright behaviors, we should not start byasking what activities and inputs we provide.Instead, we should ask when and how we canmost inflect employee behavior. In the past twoyears, 84% of companies experienced a significantcompany-wide change, and this frequentchange presents an underappreciated risk—“change risk”—and a significant opportunity.To understand how employees experiencecorporate change, CEB Compliance and Ethicslaunched an exhaustive employee surveywhich tested 16 of these change risks (or as wetitled them, “career moments”) to understandtheir specific impact on employee misconduct,reporting, engagement, and receptivity totraining and communications. We found thatspecific career moments represent key timeswhen established patterns of employee behaviorare disrupted and subject to change.A failure to respond effectively at a careermoment leads to significantly higher rates of misconduct.For example, employees experiencing acorporate layoff observe 3 times as much bribery,3.5 times as much insider fraud, and 4 times asmuch insider trading as unaffected employees.However, we also found that all is not lost!Career moments also represent the times whencompliance and ethics can have maximumimpact on future employee behavior by utilizingeffective training and communication strategies.Taking a career moments-based approach can:··improve employee perceptions of integrityby 40%,··reduce observed misconduct by almost67%, and··increase employee engagement by 23%.Leading companies are already buildingcompliance systems more responsive to careermoments. Specifically, these companies areimplementing strategies such as:··Scheduling time with HR and linemanagement to share benefits of communicatingwith employees before key careermoments, with messages about integrityand organizational justice;··Identifying a communication plan to targetcareer moments across the company;··Understanding the compliance and ethicsrisks of specific corporate changes; and··Delivering targeted outreach before andduring employee onboarding to impart acommitment to integrity, before negativebehaviors set in. ✵Leslie Altizer (laltizer@executiveboard.com) is Director, CEB Complianceand Ethics in Arlington, VA.CEB is the leading member-based advisory company. By combining the bestpractices of thousands of member companies with our advanced researchmethodologies and human capital analytics, we equip senior leaders andtheir teams with insight and actionable solutions to transform operations.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 39

THE PREMIER SOCIAL NETWORKfor compliance and ethics professionals®Why should you log on to SCCEnet ?• Get your questions answered in the communitydiscussion groups• Download compliance documents from our communitylibraries, or share your own• Stay informed on the latest compliance and ethicsnews and guidanceHow do I get started?• Visit SCCEnet at www.corporatecompliance.org/SCCEnet• Login using your SCCE username and password• Add a profile photo and ensure your profile informationis accurate• Go to My Subscriptions and subscribe to the groupsthat pertain to your compliance profession• Click Post to post a discussionPopular communities include:• Multi-Industry Chief Compliance Ethics Officers• Multi-Industry Auditing and Monitoring Compliance• Multi-Industry Ethics• Multi-Industry Global Compliance and Ethics• FCPA• Social Media ComplianceIf you have any questions about SCCEnet, contact Eric Newman, Esq., CCEPat +1 952 405 7938 or eric.newman@corporatecompliance.org

Featureby Steve CarrMind the gap!Where corporate policyand social media meet»»Social media offers opportunities for broader, timely communication in a fashion people appreciate more than staticPDF or email formats.»»The gap between liability concerns and potential benefits of adopting social media can often be bridged with policy andcompany-wide planning.»»New online tools to manage and archive social media, emails, and other electronic communications are widely availableand inexpensive.»»Each organization should view social media in its regulatory context, including Reg FD for publicly held US companies,the Dodd-Frank Act, Sarbanes Oxley, Solvency II, and Basel III.»»Properly adopted, social media offers the opportunity to improve compliance and corporate governance practices and evenmaintain or reduce costs.CarrPerched on the kitchen shelf where wekeep our coffee cups is a treasuredmemento from a family trip to London,a glass mug bearing the circular red and bluelogo of the London Underground and themotto “Mind the Gap!” It reminds us of theanonymous female voice that echoesthroughout the Tube and urges travelersto be aware of the treacherousspace between the station floor andthe train car. The gap presents us withdanger, but crossing it safely opens upnew opportunities for a savvy traveler.So it is with social media. Thetwo-way nature of interactive dataand communications is the most attractivefeature to users and the most vexing fromthe compliance and corporate governancestandpoint. For example, many publicly heldcompanies might be surprised to learn theyare already participating in social media,whether they know it or not, or want to ornot. A landmark date in the history of socialmedia was December 17, 2008, the day theSecurities & Exchange Commission made theuse of interactive data, the eXtensible BusinessReporting Language (XBRL), mandatory forUS public companies over a phase-in period.From a regulatory standpoint, the use ofsocial media in the form of interactive dataand information—financial material that canbe tagged, modeled, and managed by thirdparties—has been already mandated for UScompanies.One way to define the term “social media”is that it encompasses new ways in whichnew media technologies can help people communicatebetter and engage in dialogue. Newdigital technologies are constantly enhancingthe social and shared aspect of the Internet,so that it continues to become more of atwo-way system. Many organizations wantto take advantage of this in reaching theirstakeholders, who may be investors, donors,Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 41

FeatureCompliance & Ethics Professional May/June 2013regulators, employees, customers or financialand industry analysts. These aspects of socialmedia may include blogs, Facebook, LinkedIn,Twitter and other personalized social informationengines, electronic tagging, RSSFeeds, and new vehicles that may gather anddistribute contentacross the Internet.Simultaneously,many companies areadopting in-housesocial networksthrough systemssuch as Chatter,Jive, Connections,Yammer, SharePoint,and others with thegoals of sharingwork and informationinternally. Social media presents liabilityissues with unauthorized disclosure possibilitiesas well as HR and corporate policyinfractions, but also offers opportunities forbroader, timely communication in a fashionpeople appreciate more than static PDF oremail formats.Developing a policyGiven this chaotic backdrop, policy developmentfor the organization is a necessary butdifficult process. Policy is not only a benchmarkfor progress, a planning document, anda necessary human resources and legal reference,it’s a culture touchstone. “How do wedo business culturally?” is at the heart of thematter, whether the questioner is a non-profit,a small entrepreneurial company, or a largerpublic company. The organization needs tobe comfortable with the tone and content ofthese open exchanges. Furthermore, all communications—frompress releases, to investorpresentations, to jokes on internal email—need to be consistent with company valuesand codes of conduct. One source I highlyrecommend is the 12-point social media policyposted by IBM at its website. 1The IBM guidelines recognize the contributionthat social media makes to the sharingof ideas, and provide for referrals of questionsand issues to supervisors. Most notably, thesocial media guidelinesrefer usersto IBM’s businessconduct guidelinesas the platform forappropriate communication.Theadvice in thesesocial computingguidelines is easilydigestible and veryclear, dealing withthreshold issuessuch as authorized company representationin point 3, for example: “Identify yourself byname and, when relevant, role at IBM whenyou discuss IBM-related matters such as IBMproducts or services. You must make it clearthat you are speaking for yourself and not onbehalf of IBM.”As sidebar material, the website offers avideo on “best practices in social media” aswell as a copy of the written policy itself. Italso provides a link that users may accessto report inappropriate posts. The reportingfeature of the website is potentially a veryimportant model for other organizations,because it casts more of a “peer” approachover what could otherwise be a more traditionalcompliance enforcement approach. TheIBM model may not work for everyone, butit offers a good place to begin defining socialmedia policy in a more collegial way thanmany other efforts.Social media presentsliability issues… but alsooffers opportunities forbroader, timely communicationin a fashion people appreciatemore than static PDFor email…The backdrop of regulationThe burdens of communications and disclosureworldwide and the related costs will42 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featurecontinue to grow as the pace of regulationcontinues to grow, both in the U.S. and overseas.Social media costs, benefits, and risksmust be weighed in this global context. Evena quick overview of these large and complexregulatory schemes is mind-numbing.In fact, regulations have become so costlyand burdensome from a compliance standpointthat a recent law, the JOBS Act, includesprovisions that defer reporting regulationsand other regulations for certain kinds ofcompanies entering the on-ramp for initialpublic offerings.Otherwise, for SEC-reporting companies,Section 404 of Sarbanes-Oxley Act andRegulation FD, 2 which imposes certain disclosurerequirements on US-based companies(though not on foreign-owned companies),have an impact on disclosure and communications.In Europe,Solvency II isanother huge internationalregulatoryscheme designedto manage risksof insurer bankruptcy.It appearsthat implementationwill be delayedfrom the original2013 schedule, butthis is surely onlya reprieve, andaffects not onlycapital requirements, but financial reportingand disclosure. The Dodd Frank Act hasimposed new regulatory costs and requirements,and banks both large and small areconsidering the costs and impacts of Basel IIIregulation and reporting their assessmentsto the investing public. Timely, transparentcommunication of the kind enhanced bysocial media should be part of the solution tothese requirements.Like other forms ofelectronic communication,social media, including blogs,are of course discoverablelegally and are covered bySEC and FINRA rulesfor certain kindsof companies.Transparency is criticalMoreover, the organizations affected by theincreased regulation must communicate andbe transparent in a timely manner, accordingto commonly accepted reporting normsand these rapidly growing regulatory obligations.One reason, of course, is the informationdemands of sophisticated investors, donors,media, and third-party analysts, which mustbe met for an organization to be fairly valuedin the marketplace. The other reason is simplyto avoid the liabilities involved when publiccompany shareholders are not informed simultaneouslyof material information, or whenemployees are aware of serious misconduct.The value of a more interactive managementenvironment, which admittedly isemerging slowly, puts the cost burdens inperspective. For example, the true worth ofXBRL has yet to begrasped, but theoretically,taggeddata enables investorsto make betterdecisions, whichwould lower thecost for corporationsof obtainingcapital. That ofcourse would bea big plus for thebusiness community,includinginstitutional andretail investors. In addition, many userssimply may prefer interactive information to astatic PDF, table, or article.Also, powerful new platforms are loweringthe cost of social media monitoring. Systemupgrades (which are of course more expensive)can be handled as needs change. Corporateblogging technology configured for complianceand ease of use is available. So is accessto syndication services for many of the mostCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 43

Featureimportant search engines, social media monitoring,and XBRL conversion and distributiontools. Like other forms of electronic communication,social media, including blogs, are of coursediscoverable legally and are covered by SEC andFINRA rules for certain kinds of companies.Compliance, after all, has been the thorniestand most intimidating issue for early adopters.The newest tools for archiving social media anddocumenting critical content are cloud-basedsystems that capture social media activity fromemployees’ devices, while respecting users’privacy and complying with privacy laws.Simple opt-ins from users combined with usernames and passwords don’t detract from thesocial media experience with LinkedIn, Twitter,and other vehicles. These newer technologiesbecoming available, combined with improvedcooperation among legal, compliance, humanresources, and investor relations or public relationsofficers, should make social media easierto adopt. They also would reduce previouslyhidden costs such as legal fees.After all, many such questions for publiccompanies can be answered within the contextof Regulation FD disclosure guidance as theSecurities & Exchange Commission distills itspositions on legal disclosure and materialitystandards over time. Also, as better transparencyis achieved, social media processes canbe automatically streamlined to a point wherebetter compliance workflows are automatic.Both these factors offer improved speed andcost containment of disclosure and compliance.In short, corporate social media presentschallenges and opportunities, some of themself-imposed because of internal concernsand issues or a lack of full understanding.However, social media evolves rapidly, andso should our concept of it, both the problemsand the opportunities. The time to “mind thegap” and bridge it with careful preparation,planning, and policies is now. ✵Steve Carr (scarr@dresnerco.com) is Managing Director of internationalconsulting firm Dresner Corporate Services, and also serves as Chairman ofthe National Investor Relations Institute in Chicago.1. IBM social media policy. Available at http://www.ibm.com/blogs/zz/en/guidelines.html2. Security and Exchange Commission: Fact sheet: Regulation FairDisclosure and New Insider Trading Rules. August 10, 2000. Available athttp://www.sec.gov/news/extra/seldsfct.htmCompliance & Ethics Professional May/June 2013501 Ideas for YourCompliance and Ethics ProgramLessons from 30 Years of PracticeAuthor Joe Murphy has compiledthe most effective ideas he andother compliance professionalshave tried. Topics coveredin this collection include:• Identifying Compliance & Ethics Risks• Establishing and Enforcing A Program• Conducting Audits• Benchmarking Against Industry Practices• Preparing for Investigations• Evaluating Effectiveness• and Much More!To order, visit www.corporatecompliance.org/books or call 888-277-4977.44 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

View from the Front Linesby Meric Craig Bloch, CCEP, CFE, PCI, LPIYou need your organization’sleadership; they don’t reallyneed youBlochInvestigators are like dentists. People don’twant to call on us, although they might beglad to know we’re there, just in case. Andwhen they do need us, it’s only a question ofhow much it’s going to hurt to fix the problem.Investigators—and all compliance people—need company managers as alliesand advocates. An effective way tocultivate managers is to consider theirneeds and concerns in your strategicthinking. Then include their needsand concerns in your investigationgoals. Just because you are trying todetermine what went wrong does notprevent you from similarly identifyingwhat went right. Also, identifying wheresome business process needs to be improveddoes not require you to blame someone. Processgaps often arise because business processesare designed by honest people who limitedtheir focus to whether the crafted process willbe useful, efficient, and cost-effective. Processimprovements are frequently implicated in misconductinvestigations, not so much because ofour crackerjack investigative skills, but becausethe business people did not “think like crooks”and foresee the possibility of employee wrongdoing.Investigators learn through training andexperience to think like dishonest people.So influence how management values you.Critically ask yourself two questions: (1) Are theinvestigators aggressively taking a posture offinding misconduct (through training, awareness,and ensuring that reports are made), ratherthan passively waiting for a report to arrive?; and(2) Are the issues being investigated consequentialand meaningful, or are they inconsequentialin the scheme of your overall business interests?Everyone involved in the investigation processmust answer these questions.If you are dissatisfied with the answers,nothing stops you from exploring misconductproactively, before an incident occurs. You havesome control over whether you simply wait forthe phone to ring.Are you regularly helping businesspeople solve their business problems? If thewrongdoing affects a customer relationship,are you helping to repair it? If you make it apriority to stay business-focused and to be anadvisor, the business people will become yourallies. (And investigators need all the supporterswe can get.)The point here is that your organizationalways has choices. Just because the organizationhas to conduct some inquiry into possiblemisconduct does not mean they will do it aseffectively as you would like them to do it.The organization can conduct bare-bones,check-the-box investigations. Or they could justoutsource your function entirely.So never take your job security for granted.Use the quality of your efforts to show themhow smart they were to hire you. ✵Meric Craig Bloch is the Compliance Officer for the North Americandivisions of Adecco SA. He has conducted more than 300 workplaceinvestigations of fraud and serious workplace misconduct, and is an authorand a frequent public speaker on the workplace investigations process.Follow Meric on Twitter @ fraudinvestig8r.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 45

Compliance and EthicsExplainedCompliance and ethics programs have a clear goal:to prevent, detect, and respond to misconduct.Accomplishing that goal takes concerted effortthrough all levels of an organization.Compliance 101 provides the basic information youneed to build and maintain an effective complianceand ethics program in your organization. This bookis ideal for compliance professionals new to thefield, compliance committee members, complianceliaisons, and board members. Its coverage includes:• The importance of compliance and ethics• The seven essential elements of a compliance program• Organizational steps for an effective program• Tips for tailoring your compliance plan• Sample compliance materialsCompliance 101 is published by the Society ofCorporate Compliance and Ethics (SCCE), whichexists to champion ethical practice and compliancestandards in all organizations and to provide thenecessary resources for compliance professionals andothers who share these principles.www.corporatecompliance.org/Compliance101

Featureby Scott Stetson, Esq.Political activity compliance:A complex but necessary subjectfor compliance professionals»»Corporations have substantial political involvement, which may entangle gift and conflict of interest policies.»»Compliance requirements are continually changing with the passage of new legislation at local, state, and federal levels.»»The Government Affairs department and general counsel cannot do it alone.»»Non-compliance has serious organizational implications.»»Political compliance should be included in an organization’s compliance plan.StetsonWith the U.S. Supreme Court decisionin Citizens United, 1 corporateinvolvement in political issues andcampaigns is at an all-time high. Lobbying,procurement lobbying, campaign finance,political action committees (PACs), public giftlaw—collectively these areas make uppolitical activity compliance, a vitallyimportant area that all compliance professionalsshould be aware of. Politicalactivity compliance is a complex area,because compliance requirements arecontinually changing with the passageof new legislation at local, state, andfederal levels. A large part of politicalactivity compliance is tracking legislationon lobbying, campaign finance, procurement,ethics, and public gift law, so you are aware ofpossible changes in the law or administrativerules governing political activity. This can bedone internally or outsourced to a legislativetracking service. Staying current on proposedrule changes is fundamental to maintainingtotal compliance.In 2012 there were 12,374 registered federallobbyists. When you consider that there arealso registered lobbyists in all 50 states, thetotal number of registered lobbyists exceeds20,000. Total federal lobbying spending for2012 was $3.28 billion. 2 Spending by lobbyistsat the state level is also significant. Forexample, lobbyist spending in Florida for 2012was $123 million. 3 The vast majority of lobbyists,whether in-house or contract, are hired toadvocate the interests of corporations. Everystate, as well as Congress, requires lobbyiststo register and file some form of disclosurereports, but 35 states have no thresholdrequirement for registration. If you are lobbying,you need to be registered. One area ofparticular importance is procurement lobbying.An attempt to influence the award of agovernment contract is considered lobbyingin a number of states, and registration andreporting is required. Lastly, several cities andcounties have enacted some form of lobbyingregistration and reporting requirements.The majority of reporting revolves aroundlobbying expenditures made for the benefit ofpublic officials. Reporting may include itemizationof lobbying expenditures, the name ofthe public official for whom the expenditurewas made, and the subject matter, bill number,or issue lobbied on. A number of states alsoCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 47

www.corporatecompliance.orgFeaturerequire registered lobbyists to disclose theamount of compensation they have received forlobbying. Public officials include members ofboth the legislative and executive branches andin some cases, members of the judiciary as well.Disclosure reporting is an area in constantflux as states introduce new legislationor regulatory agencies promulgate new rulesaffecting expenditure amounts or definitionalchanges to the term “gift.” Lobbying expenditurereporting overlaps with ethics and publicgift law, and compliance professionals need tobe current in both areas.Keeping track of 51 separate reportingsystems is a daunting-but -necessary taskto insure compliance. Penalties for noncompliancewith registration and reportingrequirements range from administrative finesto criminal charges. Non-compliance also createsa public record and an unnecessary publicrelations problem. Some states post the namesof late filers on the Internet.Lobbying is only one facet of politicalactivity that corporations are engaged in. Inthe post-Citizens United world, spending bycorporate political action committees (PACs)and Super PACs has increased substantially.Additionally, 28 states allow direct corporatecontributions to candidates or candidate committees.4 Ironically, while some states allowdirect corporate contributions, 28 states prohibitregistered lobbyists from making campaigncontributions while the legislature is in session.In most corporations, the general counselor the Government Affairs departmentare responsible for compliance. Althoughthis would seem to make sense, because theGovernment Affairs department should knowwhat is necessary to maintain compliance,the corporate compliance officer needs to beincluded as the person who is responsible forthe overall compliance functions of the organization.If political compliance is too timeconsuming for the compliance officer and/orthe general counsel, then serious considerationshould be given to outsourcing the registrationand reporting requirements. ✵Scott Stetson (scott@lobbyistcompliance.com) is Principal with LobbyistCompliance Services, Inc. in Fairlawn, OH.1. Citizens United, Appellant v. Federal Election Commission. Supreme Court 558U.S. 310 2010. (Struck down a Montana law that limited outside spending bycorporations in elections)2. OpenSecrets.org. Lobbying Database. Available at http://www.opensecrets.org/lobby/index.php3. Travis Pillow: “ Legislative Lobbying Hits $123 Million Last Year.”Tallahassee.com February 19, 2013. Available at http://www.tallahassee.com/article/20130216/POLITICSPOLICY/302160029/Legislative-lobbying-hit-123-million-last-year?nclick_check=14. National Conference of State Legislatures. List of state limits available athttp://www.ncsl.org/print/legismgt/limits_candidates.pdfCompliance & Ethics Professional May/June 2013Advertise with us!Compliance & Ethics Professional is a trusted resource for complianceand ethics professionals. Advertise with us and reach decision-makers!For subscription information and advertising rates, contact Liz Hergert at+1 952 933 4977 or 888 277 4977 or liz.hergert @ corporatecompliance.org.Compliance & EthicsMay/June2013 ProfessionalA PUBLICATION OF THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICSMeetMichael MillerExecutive Director for Ethicsand Compliance, Aerojet,Sacramento, CASee page 14SCCE’s magazine is published bimonthly and has a current distribution ofmore than 3,000 readers. Subscribers include executives and others responsible for compliance:chief compliance officers, risk/ethics officers, corporate CEOs and board members, chieffinancial officers, auditors, controllers, legal executives, general counsel, corporate secretaries,government agencies, and entrepreneurs in various industries.25Seven strategiesfor preventing usersfrom hoardingdocumentsMark Diamond33You’veidentified acorporate risk—what next?C. J. Rathbun41Mind the gap!Where corporatepolicy and socialmedia meetSteve Carr47Political activity compliance:A complex but necessarysubject for complianceprofessionalsScott Stetson48 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Kaplan’s Courtby Jeffrey M. KaplanC&E programs forsubsidiaries and joint venturesJeffrey Kaplan will be speaking on this topic at SCCE’s Compliance& Ethics Institute, October 6–10, 2013, in Washington DC.KaplanThe intersection of corporate law andcompliance and ethics (C&E) programpractice can be challenging for allinvolved. Corporate lawyers will frequentlyadvise that a parent company adopt a “handsoff”approach when it comes to the C&Eprograms of the organizational “children,”such as subsidiaries and jointventures. C&E professionals often seethese boundaries are posing artificialand undesirable limits on the reach ofa program.Given my professional experience,I certainly understand the concernof the corporate lawyers, yet I alsoknow of several cases where a “cross-border”approach would likely have prevented C&Erelatedlosses to the parent. In the end, whenit comes to resolving this tension, sweepingprinciples tend to matter less than using ananalytic approach to determine what willwork best for any given organization (orfamily of organizations).The starting point for such an analysis isconsidering what the “gross” C&E risk is to therelated entity (i.e., the joint venture interest orsubsidiary). If, for instance, the entity operates inhigh-risk industries or locations, then the grossrisk should be considered significant, which, inthe absence of any other factors, argues in favorsignificant parent company involvement.The second part of the analysis seeks todetermine that entity’s “net” C&E risk (i.e.,how well it is currently mitigating its risks).The stronger such internal effort is, the lessthe need for the parent to help out.The third stage of this exercise considersthe risk of wrongdoing by the entity in questionto the parent itself, which combines consideringthe entity’s net risk with other factors, such asthe size of the investment the parent has in theentity, whether a violation by the entity wouldlikely cause harm to the parent’s brand, andwhether such a violation would disrupt the parent’sbusiness (e.g., where a joint venture servesas the marketing arm of the parent in a strategicallyimportant market). The final step inthe process is considering how well the parentcompany can mitigate the gross risks it faces.I certainly understand theconcern of the corporate lawyers,yet I also know of several caseswhere a “cross-border” approachwould likely have preventedC&E-related losses to the parent.Beyond using a framework for analyzingrisks in subsidiaries and joint ventures,a parent company should consider implementingvarious tools to help with whateverC&E governance framework is ultimatelyimplemented. One of these is a procedure forroutine reporting to the parent on C&E risksand plans. A second is an escalation procedurefor significant allegations of wrongdoing. ✵Jeffrey Kaplan (jkaplan @ kaplanwalker.com) is a Partner with Kaplan andWalker, LLP in Princeton, NJ.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 49

CongratulationsNewly certified designees!Achieving certification required a diligent effort by these individuals. CCEP certification denotes a professionalwith sufficient knowledge of relevant regulations and expertise in compliance processes to assist corporateindustries in understanding and addressing legal obligations. Certified individuals promote organizationalintegrity through the development and operation of effective compliance programs.··Charles R. Blackburn··Patrick B. Cage··Samantha J. Castaneda··John C. Castellano··Michael Cepek··Carol L. Childress··Akcel Coss··Matthew Davies··Rajeev Devgan··Simi K. Dhaliwal··Joel Firestone··John P. Franz··Jason J. Garcia··Cheryl M. Garvin··Dadrion A. Gaston··Mary C. Graham··Jennifer W. Gray··Lisa W. Greene··Ellen J. Gribbin··Susan Gronsbell··Claudia N. Herbert··Richard D. Hess··ArDeanna B. Hicks··Robert Hoehn··B. Brett Holliday··Melissa A. Honohan··Cynthia Johnson··Erin E. King··Irene Levintov··Jeremy M. Livianu··Philip Lo Scalzo··Kathryn E. Loija··Christopher Lozier··Deborah C. Mack··Joanne Mascioli··Dexter D. Mason··Tamara B. Meyer··Phillip C. Mincemoyer··Kathleen S. O’Neill··Kathy Orf··Jennifer Oriel··Gary R. Pate··Hector J. Peredo··Deanna M. Phillips··Michele M. Pilibosian··Elizabeth L. Price··Mary Patrice Rhood··Dante W. Robinson··Delia M. Sanchez··Marianne T. Schmitt··Michael Schoeck··Stephen E. Shelton··Danielle E. Sherrod··Brenda Swearingen··Melinda Ward··Janine M. Watkins-Ivie··Carla Williams··Erica S. Wills··Janice Y. WongThe Compliance Certification Board offers opportunities totake the CCEP and CCEP-I certification exams. Please contactus at ccb @ compliancecertification.org, call +1 952 933 4977or 888 277 4977, or visit www.compliancecertification.org.CCB certification made easyThe Compliance Certification board has released a newCandidate Handbook for its newest compliance and ethicsprofessional certification. The handbook includes:CandidateHandbookCertified Compliance& Ethics Professional-International (CCEP-I)· Steps to becomecertified and to renewyour certification· Information aboutonline CEU tracking· Candidates’ FAQs· Resources to help preparefor the examination· All the forms you’ll needfor certification and renewal· Information about SCCE’sonline certificationstudy groupsCCEP-IcertificationScan the QR code at left with your mobile phoneto visi the CCEP-I section of the CCB websiteEnhancesyourcredibilityDevelopsprofessionalstandardsDemonstratesknowledge &DedicationView and download the new handbook on CCB’s website:www.compliancecertification.org/ccepi50CCB_NewHandbooksAnnounce_CCEP-I_halfpagead_4c_CEP1112.indd 110/11/12 3:53 PM

Become a CertifiedCompliance & EthicsProfessional (CCEP) ®• Broaden your professional qualifications• Increase your value to your employer• Gain expertise in the fast-evolvingcompliance fieldThere’s never been a tougher or better time to bea part of the compliance and ethics profession.Budgets are tight, governments around the worldare looking to add new regulations, public trustin business is low, and employees are tempted tocut corners.As a Certified Compliance and Ethics Professional(CCEP) you’ll be able to demonstrate your abilityto meet the challenges of these times and have theknowledge you need to help move your programand your career forward.Learn more about what it takes to earn the CCEP atwww.compliancecertification.org/ccepHear fromyour peersAnita Ruskey, CCEPManager, Corporate ComplianceDiversified Information Technologies, Inc.Scranton, Pennsylvania1) Why did you decide to get certified?I’m always looking for opportunities to learn andto help the organization I work for be the bestit can. The CCEP certification provides a criticalknowledge base to take our organization to thenext level and provides me an opportunity forcareer advancement.2) Has obtaining the CCEP certificationhelped you? If so, in what ways?Yes. The organization I work for is a leader inthe document management industry. Our clientstrust us to handle their critical and sensitiveinformation securely. By having this certification,I have the tools to keep our organization on thecutting edge of best practice in all aspects ofcompliance and ethics.3) Would you recommend that yourpeers get certified? If so, why?Yes. Becoming certified will give you theknowledge base and credibility to set yourselfapart and prepare your organization to be readyfor anything.

y Dan Small and Robert F. RoachPowerful witness preparation:Don’t volunteer»»Free-flowing conversations move through a series of connections to seemingly unrelated topics.»»Testimony should stick to the question at hand and stay on a narrow path.»»The questioner’s job is to ask clear questions, not lead the witness into volunteering information that is inadmissible, irrelevant,or just off track.»»Don’t fill the silence—use it to prepare for what lies ahead.»»Volunteer information only if it will clear up a misunderstanding or emphasize a key theme.Compliance & Ethics Professional May/June 2013In this series of articles, lead author and seasoned trial attorneyDan Small sets forth ten, time-tested rules to assist you in thecritical task of preparing witnesses. Robert F. Roach assistedDan in this series by providing additional “in-house” perspectiveand commentary. The first installment of this series waspublished in our January/February 2012 issue.Dan and Robert will be speaking about investigations atSCCE’s Higher Education Conference, June 2–5, in Austin, TX.Rule 8: Don’t volunteerpause, answer, stop.”That is the unnatural but essential“Question,rhythm of an effective witness.We’ve talked about each of thesefirst three steps, now we must talk about the“stop.” Don’t volunteer. Like so much of beinga witness, this is contrary to what we are usedto—and what our goal is—in a free-flowingconversation.The essence of conversation is connections.One thought leads to another, and the conversation“flows.” Depending on the setting andthe people, it can meander slowly for hoursor flow swiftly to a conclusion, but it alwayscontinues by means of connections. If youare chatting over lunch and your companionasks if you saw a recent movie, yourresponse will probably not be a simpleyes or no. Rather, you will go on to talkabout whatever interests you that’sconnected to the original question, orwhatever follows:Q: Did you see movie X withactor Smith?SmallA: Yes, but you know I really likedhim better in movie Y. Theacting was better. Of course,it may just be that the nightI saw that movie was reallymemorable, since Mark almostgot arrested on the way home.The movie went longer thanwe thought, so he was really Roachspeeding on the way home andsaw this police car just in time. He’s sucha crazy driver; I’m really worried he’sgoing to get in an accident someday.And so on. A conversation that started witha simple question about movie X has quicklyflowed along to Mark the dangerous driver,through a series of understandable connections,one subject to another. No one asked aboutMark, or even movie Y; but in a conversation,52 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

that kind of volunteering is all right. As a witness,it is not all right.In the unnatural world of being a witness,connections are not the goal. Your job as awitness is generally to insist on clear and fairquestions; answer carefully, briefly, and precisely;and then go home. “Question, pause,answer, stop.” The questioner’s job is to ask theright questions to get at the information he orshe wants. It should not be the questioner’s jobto put words in your mouth. Nor should it beyour job to volunteer information beyond thenarrow lines of the question.Connections mean you are volunteering.Don’t do it. You may think that it will somehowhelp or shorten your time as a witness,but it will not. Wait for a clear and simplequestion, keep your answer as short, simple,and narrow as possible, and then stop. If aquestioner does not follow up with more questions,and thereby misses other information,that’s not your problem. Your volunteeredaddition may be inadmissible, irrelevant, orjust off track.Think about what this same movie discussionmight look like with a careful witnesswho does not volunteer:Q: Did you see movie X with actor Smith?A: Yes.Q: Did you like it?A: Yes.Q: Have you seen any other movies withactor Smith?A: Yes.Q: Which ones?A: Movie Y.Q: Which movie did you like better, X or Y?A: I’m not sure.And so on. Each question is answeredtruthfully, but you have not done the questioner’sjob for him or her: You have notvolunteered. You have broken the chain of connections.“Question, pause, answer, stop.”There are no “shortcuts” here. Answer eachquestion at its most basic level. Do not try to helpthe process along or anticipate where it might begoing. Too often that means going off that straightand narrow path forward. Those kinds of sidestepscan take much more time in the long runand greatly add to the difficulty of being a witness.Your goal should be to give the questionernowhere to go but forward, toward the end.A case in pointSome time ago, author Dan Small representedan investment manager in testimony before theSecurities and Exchange Commission (SEC).Through a long day of questioning, he did anexcellent job of listening carefully and keepinghis answers precise and simple. Finally, late inthe afternoon, he faltered. He answered a question,stopped, and then thought of somethingconnected to his answer that he wanted to say.The SEC lawyer, tired of having to deal witha careful witness, picked up on his hesitationand pushed him to say more. Although it wasactually an insignificant point, the questionerwas so intent on pursuing something that cameout spontaneously, that testimony ended upgoing on and on about this new topic for half anhour, before it petered out and the questionergot back to the original line of questions.At the next break, Dan’s client lookedsheepishly and said, “You don’t have to sayanything, I know what I did wrong.” In aneffort to help things along, he had only addedto the process. His “shortcut” had wasted halfan hour that would have been saved by silence.The value of silenceNot volunteering means realizing that silence isokay. This is a hard adjustment. In our normallives, silence between people in a conversationmakes us uncomfortable, and we try to fill inthe gaps. We all know viscerally what “uncomfortablesilence” is. We don’t like it. Experiencedquestioners know this. They know that silenceCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 53

can be a very effective tool, by playing off thatnatural discomfort. A questioner may use silenceby simply waiting at the end of your answer, asif surely you cannot be finished, surely there ismore. Don’t play that game. Answer the questionsimply, then stop and wait for the next question.Use the silence to prepare for what is ahead, notto volunteer more of what has passed.Exceptions to the ruleThere are two general exceptions to “do notvolunteer” that a witness and his/her lawyermight want to discuss. The first is the “simplemisunderstanding” exception. If the questionerand you are not communicating and becomingbogged down because of a clear and simplemisunderstanding over a basic fact, it may beworthwhile to volunteer to correct the error.The second exception is for “core themes.”Every matter has a few key themes that youas a witness may wish to get across. The moreinvolved a witness is with the matter, particularlyas a party, the more important thesethemes become. If witness and lawyer agreeon these themes, the two of you may also wantto think about whether and when you want togo beyond the simple answer to a question andvolunteer information to support it.Testimony is serious business. Everyone inthe room has a job to do. Many of these rulesare aimed at disciplining the questioner to dohis job right—to make him/her ask clear andfair questions. “Don’t volunteer” is aimed atdisciplining witnesses to do their job right—answer the question, then stop. ✵Dan Small (dan.small @ hklaw.com) is a Partner with Holland & Knightin Boston and Miami. His practice focuses on complex civil litigation,government investigations, and witness preparation. He is the author of theABA’s manual, Preparing Witnesses (Third Edition, 2009). Robert F. Roach(robert.roach @ nyu.edu) is Chief Compliance Officer of New York University inNew York City and Chair of the ACC Corporate Compliance and Ethics Committee.Your Guide to Becomingan Effective InvestigatorThe First Information Is Almost Always Wrong:150 Things to Know AboutWorkplace InvestigationsBy Meric Craig Bloch, Esq., CCEP, PCI, CFECompliance & Ethics Professional May/June 2013Effective workplace investigationsare equal parts art and science.Meric Bloch has mastered bothaspects through years of hard-earnedexperience. In this book, he detailsthe strategies and tactics he knowswork best.Bloch_WorkplaceInvestigations_halfpage_CEPad_4c.indd 154 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977• Protect Your CareerHow to Think Like a Workplace Investigator• Protect Your CompanyHow to Integrate Your Investigationsinto Your Company’s Operations• Protect Your CaseHow to Conduct an EffectiveWorkplace InvestigationORDER ONLINE ATwww.corporatecompliance.org/FirstInformation3/22/13 3:32 PM

y Frank J. NavranYou can’t cure symptoms»»Finding the underlying problem first may avert a catastrophe later.»»Diagnostic interviews, focus groups, and surveys will help you uncover the root cause of organizational problems.»»Build a rapport and an atmosphere of trust before you start asking the tough questions.»»A document review will give you insights into what employees learn about the formally stated standards for employee conduct.»»Skills, knowledge, and conceptual models can only take us so far in solving the organizational problems we face.NavranIwas 16, and over the summer of 1959 hadmanaged to accumulate $150 (not bad consideringthat minimum wage was $.50/hr.that year). My dream was about to come true:a car of my own. I narrowed my choice downto two options. One was a drab, 1952 Plymouthfour-door sedan. It was owned by afamily friend and I knew it to be reliable—deadlydull, but reliable. Theother was a 1953 Dodge convertiblewith the first generation hemi V-8.Very cool! And, they were the sameprice, $100. Naturally, with teenagepassion overriding logic, I boughtthe Dodge.Two weeks into my ownership experience,my car was no longer able to go up hills.The push to the local garage and a compressiontest revealed burnt valves. My buddyDick and I decided to tackle the valve jobourselves. How hard could it be? For the nextthree months, we were fully occupied withdismantling the engine, having the valvesground and seated and reassembling my prideand joy. The ensuing satisfaction in a job welldone lasted approximately 18 miles beforethe engine gave up the ghost for good.It seems burnt valves are a symptom. Inthis case they were symptomatic of a failed oilpump. I’d “cured” the symptom but I had failedto recognize or address the underlying problem.The junkman gave me $12 for the car and lifetaught me one of the most important lessonsI would ever learn. It is a lesson every firstyearmedical student learns and continues torelearn. Prescription without diagnosis is malpractice.If you treat symptoms, you may mask theunderlying causes of the initial problem untilthey manifest themselves as a subsequent, andtypically more substantive, problem. If all youare doing is polishing the valves in an enginethat does not circulate oil, catastrophe awaits.As someone who has been consulting onorganizational ethics and leadership issuessince the late 1970s, I can tell you firsthandthat diagnosis remains the single most importantstep in addressing any problem in anyorganization. Period! Full stop!So, what does organizational diagnosislook like? How do we identify underlyingcauses behind observed problems? And,why ought this matter to you? How does thisimpact your role regarding ethical managementand leadership in your organization?Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 55

Compliance & Ethics Professional May/June 2013Defining organizational problemsThere are four proven techniques which, whentaken together, are an effective process fordefining organizational problems and surfacingtheir causes: interviews, focus groups,document reviews, and surveys. Let’s examineeach in turn and in detail.Diagnostic interviews and focus groupsThe questions asked and techniques employedin diagnostic interviews and focus groups areessentially the same. The primary differenceis that an interviewis a one-on-one conversationand a focusgroup is one-on-several(usually 6–12).The diagnosticinterviews I conductin organizational settingstypically involvesenior leadership.They may also includecritical non-leadershippersonnel, such asexecutive-level administrativeassistants andany staff assigned to the Ethics/ComplianceOffice. I also interview any key personnel theclient suggests. The list of interviewees caninclude union leadership, when a union is asignificant “player” in the overall scheme ofthe organization, as well as any other “informal”influencers of how the organizationfunctions. Interviews with those members ofthe board of directors who have ethics and/orleadership oversight responsibilities may alsobe appropriate.Interviews and focus groups follow thesame format and are built around the sameset of questions. I start the process with abrief monologue. I introduce myself (and mysecondary note taker, if I am using one) anddescribe the purpose of the session, what IThere are four proventechniques which,when taken together,are an effective processfor defining organizationalproblems and surfacingtheir causes…am trying to learn, and the ground rules Iwill follow. It is important to stress the commitmentto confidentiality and the promisesof non-attribution (with the exception ofsituations of imminent danger to person orproperty), non-retaliation, and the assurancethat only findings obtained from multiplesources will be considered.I go on to note that I do not have a rosterof those scheduled to attend a given sessionand do not ask for introductions or providenametags for focus group attendees. I knowfrom the schedule thetype of group (e.g.,line employees, salesmanagers, executiveassistants, line supervisors,union shopstewards) and pointout that they areafforded a degree ofanonymity, becauseI do not know whosays what in thesesettings. I alsoremind them thatboth the questionsI ask and the answers they give are not to bediscussed outside the focus group itself. Theyhave an affirmative obligation of confidentiality,just as I do. I then ask if there are anyquestions or concerns before we begin.You will note in the sample question setshown below that we start ”gently” and worksteadily towards more challenging aspectsof the dialog. As is always the case, the interviewer/facilitatorneeds to be absolutelyobjective and non-judgmental. That appliesto both their verbal and non-verbal mien. It isideal if the interviewer/facilitator is an “outsider”—someonewho brings no baggage tothe process.Neutrality and objectivity are necessarypreconditions for effective interviews or focus56 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

groups. If they are being done “internally” itis best to bring in a colleague from anotherdepartment, division, or location to increasethe emotional distance between interviewerand interviewee. Interviews and focus groupsare less likely to yield the needed informationand/or insights if the interviewer is believedto have any vested interests and/or personalrelationship with the “client.”And, as in all interviews, follow-up tosome responses may be appropriate. My favoritefollow-up probe is: “What else can you tellme about that?” I have been known to “whatelse” a subject two or three times regarding asingle question, if the subject matter warrants.The question is neutral and non-threatening,if asked “flatly” without any judgment implied.Typically, I use the same set of questionsin interviews and focus groups. The differenceis that interviews are usually preferredfor higher-level individuals and others wherethere is a degree of “uniqueness” about theirpositions. Focus groups are better suited forlevels/functions that have numerous “incumbents”from which a representative sample canbe pulled.Questions for a management/executiveinterviewee might include variations on thefollowing.1. Ice breaker··Introductions; identify roles of consultants··Explain the purpose of the interview··Explore the prior experiences of the interviewee.How did he/she get to his/herpresent position?··Identify the current roles and responsibilitiesof the interviewee··Informal “chit-chat” if appropriate to buildrapport2. Culture··Identify the written standards of behavior.Do they reflect reality?··Identify any unwritten standards. Do theyreflect reality?··Why do employees come to this company?Why do they stay? Why do they leave?··How has the company changed in the past5 years?3. Strategy··Is there a formal strategy?··Is the strategy written or published?··What was the process for developing theexisting strategy?··Did the interviewee have a role in shapingthat strategy?··What external forces influenced the companyto adopt the current strategy?··Other than financial performance, whatconstitutes “strategic success”?4. Leadership··How would you characterize the CEO’sleadership/management style?··Is the CEO’s style representative of seniormanagement’s leadership/managementstyle?··Who are the key decision-makers?5. Decision-making··What types of decisions do front-lineemployees make?··Do decision-makers have the appropriatelevel of responsibility, authority, experienceand training to make the requireddecisions?··How does the company resolve dilemmas?··What happens to employees who makeincorrect decisions?6. Employees··Why do most employees come here to work?··Why do they stay?··Why do they leave?··What constitutes success from the employees’point of view?Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 57

Compliance Certification Board®donates to its accredited universitiesCCB has donated $10,000 to each ofits accredited universities’ complianceand ethics programs to use at theirdiscretion to support complianceprogram students.CCB-accredited universities span the United States,and offer Juris Doctorate, Masters, and certificateprograms in compliance and ethics.CCB-accredited universities include:· George Washington University, Washington DC· Hamline University, St. Paul, MN· Loyola University, Chicago, IL· Pacific University, Hillsboro, OR· Quinnipiac University, Hamden, CT· Widener Law School, Wilmington, DEFor more information regarding the complianceprograms offered, please contact the university directly.“CCB’s scholarship program will assist universities thatpartner with CCB, HCCA, and SCCE to provide learningopportunities and resources to students who are interestedin pursuing compliance careers.”— Debbie Troklus, CCB President and Managing Partner at AegisCompliance & Ethics Center, LLP, CCEP-F, CCEP-I, CHC-F, CHPC, and CHRCCompliance Certification Board6500 Barrie Road, Suite 250, Minneapolis, MN 55435www.compliancecertification.org888-580-8373 | ccb@compliancecertification.org

··What are the barriers to success?··What pressures do employees feel?7. Emotions··How would you characterize the degreeto which the employees experience negativeemotions on the job? (e.g., fear, anger,distrust)··How do employees handle these emotions?··What are the sources of these emotions?··What type of misconduct might theseemotions generate?At this point, recap the interview. Replaythe drivers of organizational and institutionalsuccess.8. Measures··From the employees’ point of view, whatare the three to five most significantmeasured results used to address theirindividual success?··To what extent do employees “abuse” (game)the system to attain the desired results?··How do they do that? What type of abusesare you aware of?10. Values··What would you say are the company’score values?··Are there differences between the written(formally stated) values and values thatyou have deduced from observed behaviorat the company?··To what extent do the company’s valuesdrive decision-making?··How are those values communicated tothe employee population?··What types of issues does your code ofbusiness conduct (or equivalent document)address?11. Risks··What troubles you most about thiscompany?··What are the greatest threats or risks fromexternal sources?··What are the greatest threats or risks frominternal sources?12. Catchall··You are CEO for a day. If you could changeone thing, what would it be?9. Training··What types of training does the companyprovide, both content (e.g., ethics training)and process (e.g., computer-basedtraining)?··What types of training are available exclusivelyto executives and managers?··Does the company provide leadershiptraining?··What is the overall level of interest intraining?··Rate the overall quality of training youreceive.··How would your employees rate trainingquality?··How does the company determine whogets to attend training?13. Extra knowledge··Given the purpose of this interview process,what else do I need to know?14. Conclusion··Do you have any questions of me about theproject or the process?I do have a favorite question that I reservefor cases where I feel I might be missing somethingabout the culture of the organization: “If Iwere a new employee here, and you wanted tohelp me succeed, what one thing would youtell me that I need to know but won’t find writtendown anywhere?” This question has neverfailed to provide valuable insights that I mighthave never found otherwise.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 59

Compliance & Ethics Professional May/June 2013In addition to a representative sample ofleadership and the general employee population,I will typically interview all members ofthe Ethics Office staff and anyone responsiblefor developing and/or delivering ethics-relatedtraining within the organization.Document reviewThis is a bit more obvious than some of thequestions shown above. In assessing the ethicalculture of the organization, it is essentialto know what is “formally” stated as the standardsfor employee conduct. The documentreview also explores aspects of the organization’shistory, key decisions, and actions thatmay help explainsome of what theorganization is/doestoday. Typically, thisrequires a review of:··Relevant policies,procedures··Codes ofconduct/ethics··In-housenewsletters··Press releases,annual reports,and PR materials·· Summaries from previous company surveys,with an emphasis on any employeesatisfaction survey data··Website content—both “public” and “limitedaccess” (company confidential) content··New employee orientation materials··Ethics, management, and leadership trainingmaterials··Employee evaluation and salary administrationpolicies··Recent/pending union grievances (ifapplicable)··Legal and Ethics Office data regardingthe nature and frequency of internal andexternal cases with an “ethics” componentThe document reviewalso explores aspects ofthe organization’s history,key decisions, and actionsthat may help explain someof what the organizationis/does today.(which, by definition, is just about everycase that the corporate Legal departmentand the Ethics Office address)··Ethics Office call logs and case files··HR data regarding employee disciplinaryissues and patterns, including specific HRdisciplinary case files, as appropriateIt can also be useful to do a “Google”search of the company name and see what isbeing said, both by and about the organization.Other social media may also be explored,if deemed appropriate.Obviously, as an outsider, a consultantsuch as myself, must sign all the appropriatenon-disclosure agreementsand respect theproprietary nature ofthe specific cases.SurveysSurveys provideobjective data thatsupplement andinform the subjectivedata gathered throughinterviews, focusgroups, and documentreviews. When thatkind of data serves the client, I typically subcontractwith a specialty survey provider if acustom survey is called for, or use a standard,commercially available survey. In addition togathering client-specific data, I find surveyscan be invaluable in generating client datathat can then be evaluated against publishedindustry or national norms.My preferred source of data regardingthe generalized state of organizational ethicscomes from a series of reports published bythe Ethics Resource Center, which describesitself on their website (www.ethics.org) as“…a private, nonprofit organization devoted toindependent research and the advancement of60 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

high ethical standards and practices in publicand private institutions. For 89 years ERC hasbeen a resource for institutions committed to astrong ethical culture.”As a non-governmental organization(NGO), they have a responsibility to contributeto the public good.They do that, inpart, by makingmany of theirresearch findingspublic. For example,The NationalBusiness EthicsSurvey ® of Fortune500 ® Employees: AnInvestigation intothe State of Ethicsat America’s MostPowerful Companies 1indicates that, compared to all companies inthe U.S., the highest revenue companies show ahigher incidence of misconduct. Major findingsfrom the study included:··Just over half of workers (52%) at the highestrevenue companies had observedmisconduct in the previous 12 months,compared to 45 % at all companies inthe U.S.··Almost three quarters (74%) of employees atthe Fortune 500 ® businesses reported misconductwhen they saw it, compared to 65%on average for all businesses in the U.S.··About one in six (16%) of workers at theFortune 500 ® companies felt pressure tobreak the rules, compared to 13% at allcompanies in the U.S.··Whistleblowers were slightly more likelyto experience retaliation at Fortune 500 ®companies than at companies in the U.S.overall.Based on those published findings andthe needs of my client, I can then compareDiagnosis is thefirst step. Withoutsystematic and effectivediagnosis, we are reducedto relying on “magic”as the solution toour problem.what I learned in interviews and focus groups,and what I learned in a client-specific surveyagainst national and/or industry norms fromthe ERC database.As the former Director of AdvisoryServices for ERC (1996–2003) I believe theyare the leaders in thisarea. They are notalone. Other reputableorganizationspublish independentethics-orientedresearch. But, in myopinion, ERC has setthe “gold standard”in organizationalethics, survey–basedresearch. For thosewanting more information,ERC providesfree downloads of many of their full reportsvia the ERC website, www.ethics.org.Why diagnosis mattersDiagnosis is the first step. Without systematicand effective diagnosis, we are reducedto relying on “magic” as the solution to ourproblem. Absent a clear understanding of thecauses behind the problem we are experiencing,we might as rely on “…eye of newt, andtoe of frog, wool of bat, and tongue of dog.”Logical, rational problem solving beginswith accurate diagnosis. Unless and untilwe have accurately identified why a problemexists, the best we can hope for is to amelioratethe symptoms and ease the pain. But that isnot a solution. That is akin to placing a bandaidon a deep, festering wound so you don’thave to see it anymore. It is a cosmetic “fix” atbest and a source of distraction and delay inseeking and finding a real solution, at worst.That is the real downside of misdiagnosis:it creates false confidence that the problemis resolved and almost always results in theCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 61

Compliance & Ethics Professional May/June 2013problem worsening and becoming more difficultand expensive to solve once the ruseis uncovered.Fast forward 50 yearsIt was more than 50 years ago that I learnedthe lessons of diagnosis while under the hoodof a ’53 Dodge. However, knowing and doingare not the same. As a consultant, I am limitedin what I can do. My role is “Recommenderin Chief.” I typically have the opportunityto try and persuade, but lack any authorityto compel. For example, in one recent projectI had the opportunity to work with a globalcorporation’s headquarters team. This company’sname and reputation had been smeared all overthe headlines, and I was asked to comment onwhether the corrective actions they had takenwere appropriate and adequate.Having spent some time talking to thepeople in their Ethics and Compliance Officeand senior members of their line managementteam, I shared my observations andconclusions with them. We shook hands andcalled it a day. On my way home that evening,I reflected on what had just happened. Theyhad asked me to address very specific andvery narrowly defined questions. I had providedspecific answers. And, in the end, I feltas though we had accomplished nothing. I haddone what was asked of me. I confirmed theirsuspicions, but had failed to actually servethis client in a way that would significantlyhelp them in their recovery from the recentissue or reduce their risk of future failures. Itis not that my answers to their questions wereinaccurate or inappropriate. Rather, they hadasked the wrong questions and resisted anyefforts to redirect or broaden the inquiry.During our conversation I had suggestedthat their questions were too narrow and thatthe answers provided might, in fact, be givingthem a false sense of confidence. I suggestedthat they were asking me to evaluate theirresponse to a set of symptoms—the equivalentof asking a doctor whether or not the calaminelotion one applied to a rash was an appropriateway to soothe the itch.I thought they should have been askingabout what had caused the rash and whetheror not the rash was symptomatic of somethingmore significant. We should not simply havebeen exploring how to calm the existing situation.We should have been learning from theexperience. How might they, and other organizationslike theirs, prevent future circumstancesthat could produce future problems? Howmight they go beyond masking the symptomsand address the deeper, underlying malady?I had raised my concerns about the cultureaspect of the problem. My clients then went onto explain that they knew that “issues” withintheir executive management team had causedthe problem and addressing those issues was“off limits.” They knew full well what wascausing the rash. They simply felt powerlessto do anything about it. They believed that thebest they could hope for was to ensure thattheir office was doing what it was required todo. Anything more was above their pay grade.They did not see it as their responsibilityto make the case to their management or theirboard that the unresolved issue was certain toerupt again and, perhaps, cause even greaterdifficulties. As internal staff, they felt powerlessto do what was required. As an externalresource, I lacked access to those who had thepower to address the causes. I pressed andthey made the “not my job” argument. I lostthat battle.That company was yesterday’s headline.As I flipped through a newspaper while waitingfor my flight home, I saw today’s headlines.The headline in the “Business” section wasabout yet another company with unanticipatedand unnecessary ethics troubles. I wonderedabout tomorrow’s headlines. Which wellrespected,well-managed organization was62 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

about to become a headline? And, given theopportunity, what might I suggest they do toanticipate and/or prevent that eventuality?The fourth elementIn the time since that meeting, I’ve continuedto ponder the question of how an organizationcan avoid becoming tomorrow’s headline.It seems to boil down to three obvious, criticalelements and one less than obvious element.It is the fourth element that so many of thosewe read about failed to address. The elementsI thought about include:1. Ensuring that all of your policies, procedures,and practices satisfy the myriadapplicable laws and regulations thatare externally imposed upon yourorganization.2. Ensuring that all of your leadership practicesand operational standards satisfy allof the internally imposed rules, standards,policies, and procedures.3. Ensuring that there is a culture withinthe organization that understands thatadherence to all regulations, practices,and operational standards is the minimumrequirement for success.4. Ensuring that there is a corporate culturethat reaches for the highest ethicalstandards—one that does not settle forconformance to minimal standards.But how can a company that is striving tosucceed in a highly competitive environment,in the midst of an economic downturn, andfighting for market share compete with companieswho do only what the law requires?Doesn’t doing more cost more? Yes, it does,in the short run. But how many of us are in itfor the short run? How many of us work forcompanies that have a self-imposed expirationdate? How many of us work for boardsthat are only concerned that the organization’sinevitable failures not occur on their watch?If the fourth element can be understood asthe difference between short-term and longtermviability, then there is an argument to bemade that boards and others might accept. Butcan we make that argument?In dealing with the client noted above Iconcluded that they had bought into the “compliance”model. They were “hooked” on theopiates of compliance and best practices. Theysaw no merit in the “ethics” model. After all,the law did not require more of them thanthey were already doing.Sadly, they were three quarters of the waythere. They had successfully met the first threeof the four elements needed to avoid becominga headline. To borrow a baseball metaphor,they had reached third base. Their ethics andcompliance program was a model of “bestpractices.” But you get no points for stranding arunner on third. Hitting a triple may look greatin your individual statistics, but it doesn’t countfor much if the team loses because you failed toget the runner home. They seemed willing toaccept that crossing the t’s and dotting the i’s ofcompliance was their goal.How might I have argued for the fourthelement? What might I have said or doneto better communicate the critical value ofensuring that there is a corporate culture thatreaches for the highest ethical standards—one that does not settle for conformance tominimal standards? How might I have bettercommunicated that diagnosis is not a solution?Diagnosis is not enoughDiagnosis helps us understand what is goingon, but it may not always lead us to why it isgoing on—the causes behind the outcomeswe are experiencing. Absent that “why” data,management is forced to rely on guessworkregarding causes. Unless you can access thatdata and then act on it, you have minimalcertainty that the solution at hand is, in fact,going to solve anything.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 63

Compliance & Ethics Professional May/June 2013Every symptom suggests the need foraction. The danger is that, unless we systematicallyand systemically develop “causal” data,we risk develop a string of serial actions thatare unconnected and will lack the impact weneed on the root problem.Systems Theory helps us understand andemploy our understanding of the interconnectednessof thevarious aspects oforganizations andthus the inherentinterrelatedness ofthe data we gatherabout those organizations.Systems Theoryspeaks to root causes.Diagnosis basedon a “systemic”understanding ofyour organization isjust as critical for youas it was for me to understand the connectionbetween oil pressure and valve wear. Systemicthinking allows us to understand the “why”behind the “what.” It shines a light on thecauses behind the symptoms.Perhaps the most powerful systems modelof organizational inter-relatedness was publishedin 1982, by David Nadler, 2 who referredto his Organization Performance Model (OPM)as a framework for organizational behavior.My first exposure to the OPM was as part of a45-person team of internal consultants formedin 1982 to help guide what was then knownas the Bell System through the largest organizationalrestructuring in modern history: thedismantling of the one-million employee BellSystem and the simultaneous creation of sevenBell Operating Companies, along with anindependent AT&T and Western Electric. Oneobserver of that day (January 1, 1984) characterizedit as the equivalent of disassembling afully loaded 747, in flight, and creating sevenDiagnosis provides data.Models… provide systemicconstructs that allow us toanalyze the inter-relatednesswithin and between the dataelements and understandwhat they mean.707s from the parts, with each and every passengerarriving at their designated destination,on time, with their luggage in hand.Nadler’s OPM suggested that the key toorganizational success was “congruence,” the“fit” within and between the various componentsof an organization and the contextwithin which the organization operates. Hetalked about environment,resources,history, strategy,mission, vision,values, the taskspeople performed,and the people performingthem. Allof this was donein the context ofboth the formal andinformal organizationalsystems.And it producedorganizational outcomes, group outcomes andindividual outcomes. Finally, the system wasinformed by feedback mechanisms within andbetween all of the above.Diagnosis provides data. Models, suchas the OPM, provide systemic constructsthat allow us to analyze the inter-relatednesswithin and between the data elements andunderstand what they mean. Absent such acoherent model, the data can be just an overwhelmingmass of information, lacking utility.ConclusionYou can solve only the problems you knowyou are facing. The most visible aspect of anyproblem is what medicine refers to as the “presenting”symptom(s). But symptoms are justthat—“…a departure from normal function orfeeling which is noticed by a patient, indicatingthe presence of disease or abnormality.A symptom is subjective, observed by thepatient, and cannot be measured directly.” 364 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

For the past 35 years, my experience andtraining have empowered me to pay attentionto symptoms of organizational dysfunction.My training has also equipped me to analyzeand interpret the data by using a specific set oftools, and those tools have served me well. ButI do not have a monopoly on that ability. Everysuccessful manager I know has their ownapproach for how they apply their own skillsand knowledge to the organizational dysfunctionsthey face. But skills, knowledge, andconceptual models can only take us so far insolving the organizational problems we face.Above all, we need to recognize the fundamentaldifference between a problem, with itsidentifiable causes, and a symptom. Symptomsare indirect indicators of a problem. They areguideposts and mile markers. But we cannotsolve symptoms. We can only solve problems.And we can only solve the problems we facewhen we have accurately identified the causesbehind the symptoms.For years I have been crediting the medicalprofession with “turning me on” to diagnosis,as a first step in any ethics initiative, whetherit is a start-up or an ongoing, successful effort.It comes from an old adage in the profession,“Prescription without diagnosis is malpractice.”And medicine is a universal experience. Wehave all been ill or injured and sought medicalattention, so it is a phrase we all can relate to.But, in reality, I learned that lesson yearsearlier in my garage. Not everyone has spent acouple of months tearing down a “sick” motorand rebuilding it. Most have not invested thetime and resources to “fix” burnt valves, only torealize that the real problem was the oil pump.Back in 1959, had I done a proper diagnosis,I would have still had to do the valve jobas well as spend the extra $20–$30 for a newoil pump. But the outcome would have been areliable (and very cool) first car. As it turnedout, the lesson I learned has proven to be evenmore valuable. That failure became the basis ofa foundational insight that informed my overallapproach to my life’s work.Not being able to climb a hill was a symptomof burnt valves. Burnt valves were asymptom of a more significant “cause.” You don’tsolve problems by attacking symptoms. Yousearch for and address the underlying problems.The underlying problem in my ’53 Dodge wasa lack of oil reaching moving parts that eventuallyburned. A faulty oil pump caused that lack.The solution to the problem was to replace theoil pump. I missed that and spent the rest of mytime in high school using Mom’s very “uncool”car when I could have been “cruising the strip”in a Dodge convertible with a Hemi under thehood. Systems Theory may sound “geeky”but if I had been a bit more of a geek, I mighthave been “cool”! Solving problems instead ofmasking symptoms is cool. ✵Frank J. Navran (frank@navran.com) is the Founder and PrincipalConsultant of Navran Associates in Palm Coast, FL.1. Ethics Resource Center: The National Business Ethics Survey ® ofFortune 500 ® Employees: An Investigation into the State of Ethicsat America’s Most Powerful Companies. July 24, 2012. Available athttp://www.ethics.org/nbes2. Nadler/Tushman/Hatvany: Managing Organizations: Readings andCases. 1982, Little, Brown and Co.3. WikipediaCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 65

y Laura Serra NovaEthics in the workplace:The Dominican Republicperspective»»In addition to the concerns and conflicts that arise during the hiring process, companies may overlook compliance management.»»Current laws in the Dominican Republic allow companies to establish internal manuals and procedures, as well as codes of ethics.»»Procedural justice has played an important role in establishing ethical standards, however, the perception required to implementsuch standards needs to be shifted in the right direction.»»State must set an example in order to mitigate the “produce-at-all-cost” mentality in the country.»»Great efforts have been made by the public and private sector to have an ethical business environment.Compliance & Ethics Professional May/June 2013Compliance is an untapped concept inthe Dominican Republic, mainly dueto the confusion this innovative areaof expertise supposes. Companies usuallyinterlink the legal functions with the tasks thatought to be the responsibility of a complianceprofessional, thus resulting in theincorrect allocation of positions andresources, and overlooking those withexperience in the field.The concerns and conflicts withinthe hiring process are one thing;another is the infrequently discussedSerra Nova area of compliance management andhow it affects employment ethics ineveryday life. The Labor Code and regulationsrelating to the rights of employees are usedto reflect some sort of corporate environmentthat eludes the written values and ethics manuals,previously considered almost a norm.Intrinsically linked are the failed nationalefforts of a few to amend and built a strongerchange to ignite a growing society towardsadapting to a globalized economic crisis ofhuman values. It is evident in the internalchallenges faced both by employees whomanage their personal assets and employers inthe management of their assets.The current legislation in the DominicanRepublic allows companies to establish internalmanuals and procedures or a code of ethicswhere ethical values are promoted to employees.The manuals can be registered with theMinistry of Labor for its approval (under articles129 to 134 of the Dominican Code of Labor)before the Institutional Ethics Committee thatfunctions under the supervision of the DirecciónGeneral de Ética e Integridad Gubernamental(General Directorate of Ethics and GovernmentIntegrity). As respectable as this is, the future ofcompliance in the Domincan Republic shouldinclude a set of rules that make it mandatoryto establish a code of compliance and ethics,approved by the Ministry, that furthers realconsequences for violations.So far, procedural justice would step in toestablish the ethical standards that guide thepractice of everyday tasks, but it is people’sperception of what is to be considered thecorrect approach for a given situation thattends to prevail. When the questionable activityby an employer or employee involves66 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

www.corporatecompliance.orgprofessional incompetence that affects performance,it directly affects the company andmay constitute a serious risk that cannot beleft for tribunes to resolve after the businesshas demised. The most important aspect ofconflict resolution, aside from protecting theparties’ rights, is respecting dignity and valuingthe individual in the process of aiming fora preventive method, as opposed to a defensemechanism, that preserves dignity and createsan atmosphere of trust and mutual respect.The key inference here is respect towardsthe parties involved and the role that theState plays when establishing the rulesthat must be followed. I would say that thesame values that are presented there shouldencourage employers in their interactionwith their employees. I can proudly say thatthe President elected has taken matters inhis own hands to set an example, making itmandatory for all ministers to sign a Codeof Ethics and Conduct in August this year(for further information refer to http://www.listin.com.do/la-republica/2012/8/23/244585/Presidente-y-la-Vice-firman-Codigo-Etica).Further analysis must be made in orderto have a more accurate data in this regard,nonetheless experience states that whether acompany acts in an ethical manner or not is nota significant factor at the moment for the averageDominican’s willingness to work for anemployer. Jobseekers have other priorities, suchas the need to work and provide for their families.Hopefully, this is about to change with thenew measures being held at all levels. There is aconsiderable percentage of people who aspire togain experience from a leading provider of governance,ethics, and compliance managementand have conducted themselves in such a waythroughout their professional life.Regardless of the challenges that we face,great efforts have been made by both publicand private entities to move towards a greaterethical “well being.” And despite the cultureimbalance of roles and duties, privileges,and responsibilities latent in what is sociallyapproved, (described in Robert Lowie’s bookCulture and Ethnology 1 ) it is my opinion that ourethical future is bright. ✵Laura Serra Nova (info@legauxinternational.co.uk) is a Registered Consultantfor MMRN, Legal Consultant – Compliance Professional and JudiciaryInterpreter with Legaux International in Santo Domingo, Dominican Republic.1. Robert H. Lowie: Culture and Ethnology. Basic Books Inc., 1967.Advertise with us!Compliance & Ethics Professional is a trusted resource for complianceand ethics professionals. Advertise with us and reach decision-makers!For subscription information and advertising rates, contact Liz Hergert at+1 952 933 4977 or 888 277 4977 or liz.hergert @ corporatecompliance.org.Compliance & EthicsMay/June2013 ProfessionalA PUBLICATION OF THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICSMeetMichael MillerExecutive Director for Ethicsand Compliance, Aerojet,Sacramento, CASee page 14SCCE’s magazine is published bimonthly and has a current distribution ofmore than 3,000 readers. Subscribers include executives and others responsible for compliance:chief compliance officers, risk/ethics officers, corporate CEOs and board members, chieffinancial officers, auditors, controllers, legal executives, general counsel, corporate secretaries,government agencies, and entrepreneurs in various industries.25Seven strategiesfor preventing usersfrom hoardingdocumentsMark Diamond33You’veidentified acorporate risk—what next?C. J. Rathbun41Mind the gap!Where corporatepolicy and socialmedia meetSteve Carr47Political activity compliance:A complex but necessarysubject for complianceprofessionalsScott StetsonCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 67

www.corporatecompliance.org/LinkedinOver 9,500 SCCELinkedin GroupMembers discussthe latest corporate complianceand ethics topics.Also, you can follow the newSCCE Linkedin Company pagefor compliance and ethicsnews and SCCE updates.www.corporatecompliance.org/Li: Whatever happened to beinghonorable? http://bit.ly/honorconcept: How Does Your Organization TreatWhistleblowers? http://bit.ly/treatingwb: Life Lessons to keep you morallyaware! http://bit.ly/morallyaware: How would you know if your leadersare ethical? http://bit.ly/ethicalleaders: If you can’t change the culture,what should you do if your valuesconflict with the company values?http://bit.ly/changecultures: The Lance Armstrong’s of theworld; Implications for Society,the Workplace, Family andSelf. Livestrong? LieStrong?http://bit.ly/liestrong: The 4 “T’s” of building ethicalrelationships http://bit.ly/4ethics: Can anyone tell me how many highrisks your organization mitigatesannually? We are trying to benchmarkour goals. http://bit.ly/benchmarkrisks cializewww.facebook.com/SCCEJoin 7,000 fans on the SCCEFacebook page. Get the latestcompliance and ethics news in yourfeed. Share your thoughts in the photo comments.www.twitter.com/SCCEFollow @SCCE on Twitter for thelatest #compliance and #ethicsnews. You can also ask SCCEquestions by mentioning @SCCE in your tweet.www.YouTube.com/ComplianceVideosWatch compliance videos on our YouTube Channel

y Cris Mattoon, JD, CCEPAn invitation to connect:The FFIEC embraces socialmedia regulation»»Social media usage requires corporate governance.»»Enterprise risk management must encompass social media risks.»»Federal regulators will expect organizations to actively manage social media risks.»»Compliance officers can leverage current federal action to enhance governance.»»Failure to proactively address social media may impact future safety and soundness ratings.MattoonFinancial Institutions in the United Stateshave a new “friend” to contend with intheir social media circle.Given the exponential increase in theinfluence social media has had on the financialinstitution landscape in recent years,compliance professionals could haveanticipated a recent Federal Registernotice. On January 23, 2013 the FederalFinancial Institutions ExaminationCouncil (FFIEC) 1 jointly issued proposedguidance for public commentsto be received by March 25, 2013.This broad-based guidance proposesto address the applicability offederal consumer protection and compliancelaws, regulations, and policies to activitiesconducted via social media by banks, savingsassociations, and credit unions, as well as bynonbank entities supervised by the ConsumerFinancial Protection Bureau. 2 Viewed in thebroader context of enterprise risk management,the FFIEC agencies are seeking toensure that all supervised financial institutionsare effectively assessing and managingrisks associated with activities conductedvia social media. Specifically, the financialinstitutions will be expected to incorporateconsumer compliance and legal risks, as wellas reputation and operational risks associatedwith social media activities.The FFIEC’s entry into social media regulationwill likely be met with mixed reviewsby financial industry compliance professionals.While many organizations have soughtto craft policies and procedures to addressthis multifaceted communication phenomenon,other organizations have struggledwith developing a consensus around how toapproach social media governance. For organizationsthat have yet to create or adequatelyrevise social media policies and proceduresto encompass its growing importance tocommerce, the FFIEC action may providethe impetus that chief compliance officerscan leverage to guide corporate boards andC-suite executives to create a social mediagovernance structure.I read the proposed guidance with greatinterest. I had expected the FFIEC to provideguidance regarding a financial institution’sactive use of social media in its business andby its employees, both in their capacity asemployees as well as off-duty. The proposedCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 69

Compliance & Ethics Professional May/June 2013guidance directly addresses the complianceand legal risks posed by social media withregard to deposit and lending products, paymentsystems, anti-money laundering, andfinancial privacy. The regulation of an activesocial media presence clearly reflects theconsumer protection best practices that anorganization would apply to its other outboundchannels, including print, television,and radio marketing, as well as authorizedcorporate communications.Reputational risksThe portion of the proposed guidance that Ifound even more insightful was the reputationrisk topics the FFIEC chose to explicitlyconsider. Some executivesoffer the opinionthat if their organizationsdon’t activelyfoster a social mediaidentity, then theneed for social mediagovernance is eliminated.The FFIECinstead acknowledgesthat even an organizationthat chooses for forgo promoting anactive social media presence is subject to therisks that can be thrust upon an organizationby the public. Noting that reputationalrisk arises from negative public opinion, theproposed guidance delves into the realm ofdissatisfied consumers and negative publicitythat can cause significant harm to a lawabidingfinancial institution. In addition tofraud and brand identity and third-party concerns,the FFIEC directly addresses a financialinstitution’s affirmative obligation to monitorconsumer complaints and inquiries initiatedvia social media.In an economy overflowing with consumersclamoring to ensure that “there’s an appfor that,” financial institutions have workedThis proposed guidance…is going to eventuallybecome part of yourprudential regulator’sexamination process.actively to develop social media channelsto harness consumer demand to varyingdegrees. Additionally, those same consumerswho routinely update their social networks(both personal and professional) from theirsmartphones while waiting for the train orpurchasing a latte, will also launch a Twitterrant or a scathing and aptly-named blogpost about your organization before they’veleft your premises. This proposed guidance,which will likely receive many commentsbefore being issued in its final form, is goingto eventually become part of your prudentialregulator’s examination process. A “prudentialregulator” refers to the respective financialinstitution regulators for each category ofentity (i.e., NCUAfor credit unions,OCC for federalbanks). The FFIEC iscomposed of the prudentialregulators.I would proposethat now is the time toaddress your organization’ssocial mediagovernance process.Working with your board of directors and yoursenior leadership colleagues, you can assess thecurrent status of your policies and procedures,identify and address perceived gaps, and provideappropriate guidance to your employeesbefore the regulators arrive to test your practices.Action now will likely ensure that yourregulator hits the “Like” button later. ✵Cris Mattoon (CQMattoon@aaamichigan.com) is Corporate ComplianceProgram Manager with The Auto Club Group in Dearborn, MI.1. The FFIEC is composed of the Office of the Comptroller of theCurrency (OCC), the Federal Reserve Board of Governors, theFederal Deposit Insurance Corp (FDIC), the National Credit UnionAdministration (NCUA), the Consumer Financial Protection Bureau(CFPB) and the State Liaison Committee. Together, these are knownas “the Agencies.”2. Federal Financial Institutions Examination Council [Docket No.FFIEC-2013-0001]: “Social Media: Consumer Compliance RiskManagement Guidance” Available at http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf70 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

y Peter FazioConflict of interest:It’s not so bad if I don’t getany benefit out of it. Right?»»Familial relationships among employees can create real conflicts of interest.»»Conflicts of interest related to employee interactions have a tangible cost to the organization.»»Conflict of interest risk management should be addressed as a component of the organization’s overall anti-fraud program.»»Disclosure of conflicts of interest to a higher level tends to increase the trust of the discloser without the intended increase in the levelof professional skepticism for the integrity of the transaction.»»The real challenge with conflicts of interest is the manner in which we react to them or ignore their impact on the integrity of our work.FazioThe title of the article is an excerpt froma discussion that I had with a client.The discussion focused on brandingprofessional interactions between two employeeswith a familial relationship as creating aconflict of interest. Let me just say upfront thatthe nature of the working relationshipbetween the two parties has neverbeen associated with any wrongdoing.My client’s comments created areal dilemma for me. I wondered if apotential conflict of interest is reallyanything to worry about. Hopefullyin the next few paragraphs, I can providesome insight into why the typicaldismissal line “No harm, no foul” does notapply to a conflict of interest.The Society of Corporate Compliance andEthics (SCCE) defines a conflict of interest asexisting “…when one’s personal interest competeswith the interests of another to whomone owes some duty.” In a business setting, theduty owed is to the employer, and that dutywould most typically take the form of loyaltyto the employer, abiding by the employer’scode of conduct, safeguarding the employer’sproperty or sensitive information, and ensuringthe integrity of business communications.Determining if a conflict exists is difficult, dueto the large number of personal interactionsthat (given a certain context) could constituteboth a conflict and the absence of one.One example of a conflict of interest thatI have encountered multiple times is a familialrelationship between two employees whowork for the same company. If the employeeswork in two different departments with notransactional interactions on a professionallevel, then it would be highly unlikely that aconflict of interest would arise in the workplace.When there is a transactional interactionbetween the two related employees, such as inthe example below, the potential for the existenceof a conflict of interest rises.ExampleBrian in Marketing creates a purchase orderfor marketing materials from a new vendorthat his friend recommended as having verycompetitive prices. Brian’s cousin Harold is thepurchasing manager for the same company.Harold reviews the purchase order from BrianCompliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 71

Compliance & Ethics Professional May/June 2013and approves it, even though he should beusing one of three preferred vendors.The conflict of interest in this scenariolies with Harold, the purchasing manager.The company had three approved preferredvendors prior to Brian’s new vendor request.The company most likely was trying to keepthe number of vendors down so they coulddrive their purchasing volume to the preferredchoices and position themselves to negotiatelower prices for thefuture. The companymay also have had anannual volume rebatenegotiated with thepreferred vendorsthat could havereduced future paymentsto the vendors.All of the applicableincentives, discounts,and the preferred terms and conditionswould have been known to Harold; however,he chose to subordinate these benefits to thecompany so that he could serve the specificinterests of his cousin Brian in the Marketingdepartment.The existence of a potential conflict ofinterest in this scenario is not inherentlywrong. The real damage done to the organizationis the way in which the purchasingmanager reacted to or ignored the conflict. IfHarold had been provided documented guidanceon how to deal with pre-existing businessand familial relationships that impact businesstransactions, his selection of a vendor wouldmost likely have produced a different result.Many people, left to their own devices in sucha situation, will seek to make a choice that createsthe least amount of personal conflict.One additional course of action for Haroldcould have been to simply disclose his familialrelationship to his supervisor and allowthat person to decide how to proceed with the“…instead of the disclosureserving as a warning,it can actually placea burden on those it wassupposed to protect.”processing of Brian’s purchase order. On thesurface, it seems reasonable and prudent toinvolve an objective decision-maker to absolveHarold of any potential conflict of interest.However, recent research on the disclosure ofconflicts of interest would indicate otherwise.In a research paper, 1 the authors demonstratethrough various experiments that“…increased pressure results from advicerecipients feeling obliged to help satisfy theiradvisors’ personalinterests when thoseinterests have beendisclosed.” If we wereto apply the results ofthis research to ourscenario with Harold,his disclosure of aconflict to a supervisordoes not relievehim of the conflict butrather, “…instead of the disclosure serving asa warning, it can actually place a burden onthose it was supposed to protect.” The studygoes on to show that such a disclosure wouldmost likely cause the supervisor to haveincreased trust in Harold’s recommendation.So where can Harold go to gain relief fromhis conflict of interest? The prudent coursewould be to disclose the conflict and refrainfrom influencing the processing of his cousinBrian’s purchase order. This would ensure theintegrity of the purchasing process and set thestandard for future interactions that present aconflict of interest.No harm, no foulAnd what of the application of my client’sclaim “no harm, no foul”? I would offer thatthe harm could be defined as several addedcosts to the company for allowing the conflictof interest to remain, such as added processingtime to disclose the conflict and re-assign thetransaction to another purchasing manager,72 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

additional internal controls to ensure appropriatemanagement review of transactionsthat present conflicts, and finally, additionalannual audit procedures to mitigate the riskpresented by a conflict of interest.Personal conflicts of interest, such asthe one illustrated above, are often the mostdifficult types of conflicts to identify. Mostorganizations rely on self-disclosure toidentify these relationships. I maintain thatmost familial relationships are well knownthroughout an organization, because it wasmost likely the recommendation of a familymember already employed by the companythat initiated the consideration of other familymembers for employment. Managementshould approach these familial relationshipswithin a company the same way they addresstypical segregation of duties (SOD) risk.Segregation of dutiesA typical SOD analysis involves the creationof a process matrix with one group of sensitivetransactions across the X axis and anothergroup across the Y axis. The SOD analystwould look for the intersection of the samename across two transactions that are consideredto be too high of a risk to be covered byone individual. In much the same way, the analystcould look for the intersection of employeeswith familial relationships and design proceduralchanges or mitigating controls to reducethe risk of the conflict of interest.There are multiple approaches to mitigatingor eliminating the risk of a conflict ofinterest arising from employee familial relationships.The first step towards that goal is torecognize that these types of conflicts do havea tangible cost to the organization and need tobe assessed as process-level fraud risks. ✵Peter Fazio (peter.fazio@ymail.com) is a Manager in the Advisory Servicespractice of Ernst & Young LLP in New York City.1. Sunita Sah, George Loewenstein, Daylian M. Cain: “The Burdenof Disclosure: Increased Compliance with Distrusted Advice.” December 2011. Available at http://www.econ.upf.edu/docs/seminars/sah.pdf.Don’t forget to earn your CCB CEUs for this issueComplete the Compliance & Ethics Professional CEU quizfor the articles below from this issue:··You’ve identified a corporate risk—what next?by C. J. Rathbun (page 33)··Conflict of interest: It’s not so bad ifI don’t get any benefit out of it. Right?by Peter Fazio (page 71)··Gray areas: When ethics problems arenot exactly black or whiteby Frank C. Bucaro (page 74)To complete the quiz:Visit www.corporatecompliance.org/quiz,log in withyour username and password, select a quiz, and answerthe questions. The online quiz is self-scoring and you willsee your results immediately.You may also fax or mail the completed quiz to CCB:Fax: +1 952 988 0146mail: Compliance Certification Board6500 Barrie Road, Suite 250Minneapolis, MN 55435, United StatesQuestions? Call CCB at +1 952 933 4977 or 888 277 4977.To receive 1.0 non-live Compliance Certification Board (CCB) CEU for the quiz, at least three questions must be answered correctly.Only the first attempt at each quiz will be accepted. Compliance & Ethics Professional quizzes are valid for 12 months, beginning onthe first day of the month of issue. Quizzes received after the expiration date indicated on the quiz will not be accepted.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 73

y Frank C. BucaroGray areas: When ethicsproblems are not exactlyblack or white»»Not all ethics problems fit neatly into a black-or-white category; some problems fall into a “gray area.”»»Gray area issues can provide an opportunity to deal proactively, before issues becomes a full-blown ethics problems.»»Gray area issues can help point the way to gaps in ethics education or training.»»Ethics resources for employees must be known, accessible, and consistently communicated to be effective.»»Gray area issues may not be right vs. wrong situations, but could possibly be a right vs. right situation, or even right vs. “more” right.Compliance & Ethics Professional May/June 2013BucaroEthics problems are not always transgressionsthat are either black or white.Detailed codes of conduct that are targetedat what is acceptable and what is not canmake life easier when it comes to enforcement.But what about potential ethics problemsthat land on our doorstep, but arenot covered by the code, not obviouslyblack or white, but more likegray? Situations that do not fall neatlyinto one category or the other I call“gray area” problems.The way forward with such situationsmay not be immediately clear,and can require time and effort forsatisfactory resolution. The good news isthat gray area problems can provide valuableinformation and may also help to avoid biggerproblems down the road.I came face to face with a gray area issuesome years ago, when I found myself beingsuggested as the keynote speaker for a largecorporate event by two different representativesof two different organizations. For those whodo speaking presentations, it is not uncommonto work with a variety of bureaus, meetingplanners, or talent agencies on a regular basis.In my experience, most are ethical and adhereto commonly accepted industry practices.On my end everything initially lookedgood, although a bit unusual, with two differentreps in the mix trying to pin down a speakerfor the same program. Both confirmed the samefee with my office, which was my current feefor a keynote. I would not have become awarethat something was a little off at that point,but one of the representatives called, obviouslyupset, and asked if I had allowed the other repto quote a different fee, which I had not. I wasconfused about what was going on. Bottom line,even though I had no contact with the client atthat preliminary stage, I was in the middle of amessy situation that I did not cause, and it didnot cast me in a positive light with the client.I tried to probe further about the situationwith the rep in question, but things ended unsatisfactorily.His behavior may not have seemedunethical from his perspective, but I could notsay that it was fair or in line with accepted practices.We did not work together and I am sure itcost me that booking with the client. The experiencehad a benefit however. We soon initiateda more comprehensive policy in my office tohelp avoid a similar situation in the future.74 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Heading off potential gray area headachesWhat are the situations that employeesencounter in your industry that might lead toa gray area? Once possible situations are identified,you can take a proactive approach.TIP: Highlight situations in training sessionsor ethics meetings where there could bea potential problem and work through possibleoptions in these sessions for the best resolution.Being proactive might prevent development ofan all-out ethics problem down the road.When ethics problems surface in a publicway, we sometimes hear in media interviewswith a former or current employeethat “everybody knew what was going on.”Ideally, everyone in the organization shouldknow what the process is, and who the “go to”person, department, or committee is for questions,raising concerns, or reporting problems.If there is an elephant in the room, it is good ifeveryone at least knows what to do about it.Don’t assume everyone understands theprocess or the path for raising concerns justbecause they read the employee handbookonce. Periodically I get calls or emails fromsomeone dealing with an ethics issue that is areal concern in their workplace. I try to offersome general ideas about what they might do,what resources might be available to them atwork, etc. Sometimes I find myself wonderingwhy they can’t or don’t feel comfortable workingthis through with someone on the inside.If you have an ethics officer, ombudsperson,Thank You!Has someone done something great for you,for the Compliance profession, or for SCCE?If you would like to give recognition by submitting a public “Thank You”to be printed in Compliance & Ethics Professional, please send it toliz.hergert @ corporatecompliance.org. Entries should be 50 words or fewer.or ethics committee, let employees know whatresources are available for them and how toaccess theses resources.Don’t assume everyone possesses a highlydeveloped sense of ethics. (Let’s hope, yes, butdon’t assume.) Educate, restate, and reiterateon a regular basis the importance of integrity,values, and ethical behavior to reduce risk.Gray areas can be a testing ground, andcan also provide opportunities for interventionand education before things get too far along.They can also be a resource to identify gaps intraining programs. Gray area situations canalso be a great opportunity for leaders to dowhat they do best—lead!Is it always right vs. wrong?All of us come face to face with gray areaissues, and some are close to home. Gray areaissues can be a testing ground for our ownvalues. The issue might not always be right vs.wrong; maybe it will be right vs. right, or possibly,right vs. “more right.”Therefore, in learning to recognize,analyze, and resolve these gray areas,what changes do you need to make to yourapproach to these areas? This means examiningthe specific type of training, techniques,or tools that focus on gray areas, and thenfinding the indicators of how effective theresolution of these areas has been. ✵Frank C. Bucaro (frank@frankbucaro.com) is President of Frank C. Bucaro& Associates, Inc. in Bartlett, IL.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 75

The last wordby Joe Murphy, CCEP, CCEP-IDiscipline for “failure to takereasonable steps”: Could youfind even one example inyour company?Compliance & Ethics Professional May/June 2013MurphyThere are certain parts of the FederalSentencing Guidelines standards mostfolks seem comfortable with (e.g., codesof conduct, training, helplines). And then thereare topics that it seems almost no one is comfortablewith. One example is discipline—notmany articles or presentations on that.So here is an issue I just don’tsee discussed. The Guidelines veryclearly call for:“(B) appropriate disciplinary measuresfor… failing to take reasonable stepsto prevent or detect criminal conduct.”(emphasis added)It is right there, in black andwhite, clear as day. Our Canadian friends, intheir Competition Bureau’s guidance on complianceprograms, also say:“Proper disciplinary actions should alsobe taken against managers who fail to takereasonable steps to prevent or detect misconduct.”(emphasis added)Does your discipline meet this standard?If your company’s coverage of disciplineconsists of nothing more than routine codelanguage (“violations will result in discipline,up to and including termination”), and a recordof firing junior employees for petty theft fromthe company, then can you really argue thatyou have met the language of the guidelines?What is the message of this language?Think about it. Government believescompanies routinely engage in scapegoating.Punish the little guys so the big guys get away.The language quoted above means you can’thave an officer with subordinates runningamuck, and have that officer get off by saying“Gee, I didn’t know.” If that officer had nottaken real steps to address the risk, then theofficer must be disciplined. Taking preventivesteps is every supervisor’s job.But have you ever, in the entire life of yourprogram, done that? Do you have any exampleof a manager or officer, not directly involvedin a violation, who was nevertheless subjectto “on your watch” discipline? I suspect theseare very, very rare. And when you conductinvestigations of alleged misconduct, are yourinvestigators also looking at this issue? Do theyalways include the question, “What did theboss do to prevent this violation from happening?”Or do you routinely notify and bring intothe inner circle the boss of the person beinginvestigated, even though that person might besubject to discipline under this standard? Doesyour code warn managers and officers that thisstandard applies to them? Do line and staffmanagers know that their jobs include taking“reasonable steps to prevent or detect criminalconduct”? Perhaps we need a bit more disciplinedapproach to this topic of discipline. ✵Joe Murphy (jemurphy5730 @ gmail.com) is Of Counsel to ComplianceSystems Legal Group and Editor-in-Chief of Compliance & EthicsProfessional Magazine.76 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

sTakeawaysMay/June 2013Compliance & EthicsProfessionalTear out this page and keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.Seven strategies for preventingusers from hoarding documentsMark Diamond (page 25)»»Employee hoarding of electronic documents isan information governance change managementproblem.»»Aggressive deletion often drives undergroundarchiving, making the problem worse.»»Addressing underground archiving requires across-functional approach engaging policies,processes, tools, and technologies.»»Effective approaches create a “win” for employeesby understanding the reasons for their behaviors.»»Ongoing auditing is critical to assess programeffectiveness.You’ve identified a corporate risk—what next?C. J. Rathbun (page 33)»»The company’s choices in response to anidentified risk will depend on its risk tolerance.»»The CCO’s considerations should include howmitigating the risk will affect everyone from theboard room to the mailroom.»»The CCO’s report should be carefully designed forits target audience.»»Internal procedures may need to be changed toprevent future risks.»»Proactive monitoring and/or auditing will help youcatch problems before they become issues.Mind the gap! Where corporatepolicy and social media meetSteve Carr (page 41)»»Social media offers opportunities for broader,timely communication in a fashion peopleappreciate more than static PDF or email formats.»»The gap between liability concerns and potentialbenefits of adopting social media can often bebridged with policy and company-wide planning.»»New online tools to manage and archivesocial media, emails, and other electroniccommunications are widely available andinexpensive.»»Each organization should view social mediain its regulatory context, including Reg FD forpublicly held US companies, the Dodd-Frank Act,Sarbanes Oxley, Solvency II, and Basel III.»»Properly adopted, social media offers theopportunity to improve compliance and corporategovernance practices and even maintain or reducecosts.Political activity compliance:A complex but necessary subjectfor compliance professionalsScott Stetson (page 47)»»Corporations have substantial politicalinvolvement, which may entangle gift and conflictof interest policies.»»Compliance requirements are continually changingwith the passage of new legislation at local, state,and federal levels.»»The Government Affairs department and generalcounsel cannot do it alone.»»Non-compliance has serious organizationalimplications.»»Political compliance should be included in anorganization’s compliance plan.Powerful witness preparation:Don’t volunteerDan Small and Robert F. Roach (page 52)»»Free-flowing conversations move through a seriesof connections to seemingly unrelated topics.»»Testimony should stick to the question at handand stay on a narrow path.»»The questioner’s job is to ask clear questions, notlead the witness into volunteering information thatis inadmissible, irrelevant, or just off track.»»Don’t fill the silence—use it to prepare for whatlies ahead.»»Volunteer information only if it will clear up amisunderstanding or emphasize a key theme.You can’t cure symptomsFrank J. Navran (page 55)»»Finding the underlying problem first may avert acatastrophe later.»»Diagnostic interviews, focus groups, andsurveys will help you uncover the root cause oforganizational problems.»»Build a rapport and an atmosphere of trust beforeyou start asking the tough questions.»»A document review will give you insights intowhat employees learn about the formally statedstandards for employee conduct.»»Skills, knowledge, and conceptual models canonly take us so far in solving the organizationalproblems we face.Ethics in the workplace: TheDominican Republic perspectiveLaura Serra Nova (page 66)»»In addition to the concerns and conflicts thatarise during the hiring process, companies mayoverlook compliance management.»»Current laws in the Dominican Republic allowcompanies to establish internal manuals andprocedures, as well as codes of ethics.»»Procedural justice has played an important rolein establishing ethical standards, however, theperception required to implement such standardsneeds to be shifted in the right direction.»»State must set an example in order to mitigate the“produce-at-all-cost” mentality in the country.»»Great efforts have been made by the public and privatesector to have an ethical business environment.An invitation to connect: The FFIECembraces social media regulationCris Mattoon (page 69)»»Social media usage requires corporategovernance.»»Enterprise risk management must encompasssocial media risks.»»Federal regulators will expect organizations toactively manage social media risks.»»Compliance officers can leverage current federalaction to enhance governance.»»Failure to proactively address social media mayimpact future safety and soundness ratings.Conflict of interest: It’s not so badif I don’t get any benefit out of it.Right?Peter Fazio (page 71)»»Familial relationships among employees cancreate real conflicts of interest.»»Conflicts of interest related to employeeinteractions have a tangible cost to theorganization.»»Conflict of interest risk management should beaddressed as a component of the organization’soverall anti-fraud program.»»Disclosure of conflicts of interest to a higher leveltends to increase the trust of the discloser withoutthe intended increase in the level of professionalskepticism for the integrity of the transaction.»»The real challenge with conflicts of interest is themanner in which we react to them or ignore theirimpact on the integrity of our work.Gray areas: When ethics problemsare not exactly black or whiteFrank C. Bucaro (page 74)»»Not all ethics problems fit neatly into a black-orwhitecategory; some problems fall into a “grayarea.”»»Gray area issues can provide an opportunity todeal proactively, before issues becomes a fullblownethics problems.»»Gray area issues can help point the way to gaps inethics education or training.»»Ethics resources for employees must be known,accessible, and consistently communicated to beeffective.»»Gray area issues may not be right vs. wrongsituations, but could possibly be a right vs. rightsituation, or even right vs. “more” right.Compliance & Ethics Professional May/June 2013+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 77

SCCE’s 2013 Upcoming EventsLearn more about SCCE’s educational opportunities at www.corporatecompliance.org/eventsMay 2013Sunday Monday Tuesday Wednesday Thursday Friday SaturdayMother’s Day1 2 3 45 6 7 8 9 10 11Corporate Compliance & Ethics Week: May 5–1112International13 14WEBCONFERENCE:15 16 17 18Basic Compliance& Ethics AcademyBrussels, BelgiumWEB19 20 21 22 CONFERENCE: 23 24 2526 27 28 29 30 31SCCE OFFICE CLOSEDMemorial DayJune 2013Higher EducationComplianceConferenceAustin, TXComputer Forensics 101:Proactive ComplianceCCEP-I ® ExamUpper NortheastRegional ConferenceNew York, NYArmed Forces DaySunday Monday Tuesday Wednesday Thursday Friday SaturdayFather’s DayBasic Compliance2 & Ethics Academy 3 4 5 6 7 89 Government 10 11 12 13 14 1516 17 18 19 20 Upper West Coast 21 2223 24 25 26 Alaska 27 28 2930Scottsdale, AZCompliance ConferenceWashington, DCJuly 2013CCEP ® ExamData Governance and ElectronicDiscovery: Trends, Case Law,and Leading PracticesCCEP ® ExamRegional ConferenceAnchorage, AKRegional ConferenceSan Francisco, CASunday Monday Tuesday Wednesday Thursday Friday Saturday1 2 3 4 5 6International7 8 9 10 11 12 13Basic Compliance& Ethics AcademyShanghai, ChinaRamadanSCCE OFFICE CLOSEDIndependence DayCCEP-I ® Exam14 15 16 17 18 19 20Flag DaySolstice12013 Upcoming EventsBasicCompliance & Ethics AcademiesScottsdale, AZ • June 3–6New York, NY • August 5–8Las Vegas, NV • September 16–19Denver, CO • October 21–24Orlando, FL • November 11–14San Diego, CA • December 2–5International BasicCompliance & Ethics AcademiesBrussels, Belgium • May 13–16Shanghai, China • July 8–11São Paulo, Brazil • August 26–29Dubai, UAE • December 15 –19RegionalCompliance & Ethics ConferencesUpper Northeast • New York, NY • May 17Upper West Coast • San Francisco, CA • June 21Alaska • Anchorage, AK • June 27–28Southeast • Atlanta, GA • November 1Southwest • Dallas, TX • November 8New England • Boston, MA • November 15Higher EducationCompliance ConferenceAustin, TX • June 2–5GovernmentCompliance ConferenceWashington, DC • June 10Compliance & Ethics InstituteWashington, DC • October 6–921 22 23 24 25 26 2728 29 30 31Dates and locations are subject to change.

Get expert guidance with:The Complete Complianceand Ethics Manual, Second EditionWritten by experienced compliance and ethics professionals, this continually updatedresource offers assistance for every area of the compliance and ethics world, including:• Compliance and Ethics: What It Is, Why It’s Needed• Essential Elements of an Effective Program• Strategies for Implementation• Measuring Effectiveness• Recent Regulatory Developments• Guidance for Specific Risk Areas, including:– Anti-Corruption and Anti-Bribery– Conflicts of Interest– Fraud Prevention– Government Contracting– Privacy Issues– Voluntary Disclosure– and much more!Inside the latest quarterly update:• Independent InvestigationsOverseen by Audit Committees• Third-Party Risk ManagementBook Price & Annual Subscription Rate:$359 for SCCE Members$399 for Non-MembersSubscription service allows continuous receiptof quarterly updates (the first four updates arefree with purchase of the manual)To order, visit SCCE’s websiteat www.corporatecompliance.org/booksor call +1 952 933 4977 or 888 277 4977

Bring home stuff for the kidsFind people who are interestedin what you have to sayGet your photo taken (and be sureto smile for the photographer)Roy Snell’stop 10 reasons to attendOctober 6–9, 2013Washington HiltonWashington DCSCCE’S 12 TH ANNUALCompliance & Ethics InstituteHave lunch with a thousandof your closest friendsShare your fish storiesCatch a short napwhile talking to meAsk Dan about Canada (andassume a comfortable position)Become bag modelsFind the solutionto your problemsTell people about howyou stopped fraudlearn more at www.complianceethicsinstitute.org