Compliance & Ethics Institute - Society of Corporate Compliance ...

Compliance & Ethics Institute - Society of Corporate Compliance ...

Compliance & Ethics Institute - Society of Corporate Compliance ...

  • No tags were found...

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

Build a Culture <strong>of</strong> Business Integrity –By Reaching One Employee at a TimeWith over 27 years <strong>of</strong> experience, Global <strong>Compliance</strong> has built a foundation <strong>of</strong> ethics and compliance expertiseacross diverse industries and sectors. Through our consultative and comprehensive approach, we help youreach every employee with a message <strong>of</strong> integrity, accountability, and ethical responsibility.And, only Global <strong>Compliance</strong> can boast a complete portfolio <strong>of</strong> products and services delivered on our owned andoperated platform to provide integrated functionality, streamlined workflow, and reduced cost.Awareness & Education• Code <strong>of</strong> Conduct• Communication Campaigns• Brightline SM Online Training• Instructor-Led Training• Spotlight SMBusiness Conduct VignettesInformation Intake & Management• AlertLine ® Hotlines and Websites• Case Management• Analytics and Benchmarking• Investigative ServicesEvaluation & Validation• <strong>Ethics</strong>/<strong>Compliance</strong> Risk Assessments• <strong>Ethics</strong>/<strong>Compliance</strong> Program Evaluations• Mystery Shopping• <strong>Compliance</strong> Site Evaluations• Inventories and AuditsWhether you require a program renovation or a new blue print, Global <strong>Compliance</strong> can help you build aneffective ethics and compliance program. Contact us today.13950 Ballantyne <strong>Corporate</strong> Place | Charlotte, NC, USA 28277 | 800-876-5998 | contactus@globalcompliance.com | www.globalcompliance.com© 2008 Global <strong>Compliance</strong>. All Rights Reserved.

Advisory BoardPublisher:<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong>,+1 952 933 4977, or 888 277 4977Editor-in-Chief:Rory Jaffe, MD, MBA, CHCExecutive Director, California Hospital Patient Safety Organization(CHPSO) Sacramento, CA, rsjaffe@gmail.comExecutive Editor:Roy Snell, CCEP, CHC, CEOroy.snell@corporatecompliance.orgAdvisory Board:Charles Elson, JDEdgar S. Woolard, Jr. Chair in <strong>Corporate</strong> Governance, Director <strong>of</strong> the JohnL. Weinberg Center for <strong>Corporate</strong> Governance at University <strong>of</strong> Delaware.Jay CohenPresident, J.M.Cohen, LLC.John Dienhart, PhDThe Frank Shrontz Chair for Business <strong>Ethics</strong>, Seattle University;Director, Northwest <strong>Ethics</strong> Network; Director, Albers Business <strong>Ethics</strong>Initiative; Fellow, <strong>Ethics</strong> Resource CenterOdell Guyton, JDSenior <strong>Corporate</strong> Attorney, Director <strong>of</strong> <strong>Compliance</strong>,U.S. Legal–Finance & Operations, Micros<strong>of</strong>t CorporationRebecca Walker, JDPartner, Kaplan & Walker LLPRick Kulevich, JDSenior Director, <strong>Ethics</strong> and <strong>Compliance</strong>, CDW CorporationSteve LeFarGeneral Manager, Mediregs, Wolters Kluwer Law and BusinessStephen A. Morreale, DPA, CHC, CCEPPrincipal, <strong>Compliance</strong> and Risk DynamicsMarcia Narine, JDVice President Global <strong>Compliance</strong> and Business Standards,Deputy General Counsel, Ryder System, Inc.Ann L. Straw, CCEPGlobal <strong>Compliance</strong> Program ConsultantCNH America, LLCJosé A. Tabuena, JD, CFE, CHCVP Integrity and <strong>Compliance</strong>/<strong>Corporate</strong> SecretaryMedicalEdge Healthcare Group, Inc.Greg Triguba, JD, CCEPPrincipal, <strong>Compliance</strong> Integrity Solutions, LLCRachel Beth Evans, CCEP<strong>Ethics</strong> & <strong>Compliance</strong> Program Counsel& Legal Department Policy Coordinator, AccentureStory Editor/Advertising:Marlene Robinson, SCCE, +1 952 933 4977, or 888 277 4977marlene.robinson@corporatecompliance.orgCopy Editor:Patricia Mees, CCEP, CHC+1 952 933 4977, or 888 277 4977patricia.mees@corporatecompliance.orgLayout:Gary DeVaan, SCCE, +1 952 933 4977, or 888 277 4977gary.devaan@corporatecompliance.org<strong>Compliance</strong> & <strong>Ethics</strong> (C&E) (ISSN 1523-8466) is published by the <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong>and <strong>Ethics</strong> (SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $195 a yearfor non-members. Periodicals postage-paid at Minneapolis, MN 55436. Postmaster: Send address changes to<strong>Compliance</strong> & <strong>Ethics</strong>, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2009 the <strong>Society</strong><strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong>. All rights reserved. Printed in the USA. Except where specificallyencouraged, no part <strong>of</strong> this publication may be reproduced, in any form or by any means without priorwritten consent <strong>of</strong> the SCCE. For subscription information and advertising rates, call SCCE at +1 952 9334977, or 888 277 4977. Send press releases to SCCE C&E Press Releases Department, 6500 Barrie Road,Suite 250, Minneapolis, MN 55435. Opinions expressed are those <strong>of</strong> the writers and not <strong>of</strong> this publication orSCCE. Mention <strong>of</strong> products and services does not constitute endorsement. Neither SCCE nor C&E is engagedin rendering legal or other pr<strong>of</strong>essional services. If such assistance is needed, readers should consult pr<strong>of</strong>essionalcounsel or other pr<strong>of</strong>essional advisors for specific legal or ethical questions.INSIDE4 Why we do what we do — By Joe Murphy<strong>Compliance</strong> activities impact the lives <strong>of</strong> many people who maynever be aware <strong>of</strong> your efforts to help them.6 Managing risk – an ancient problem. AskPenelope... — By Patricia A. McKeown and Gonzalo SanchezWhat a Greek heroine can teach us about risk management andrestoring faith in our financial systems.10 Social networking: Cornerstone for your“new” compliance program — By David ChildersGetting your feet wet in the interactive information sharing world<strong>of</strong> Web 2.0 and social media.13 Letter from the CEO — By Roy SnellHow to get into the “Good Old Boys Club”14 Meet Michael Samonas, <strong>Compliance</strong> SolutionsSpecialist for LexisNexis and SCCE’s 1,500thmemberan interview by Steve McGraw, CEO <strong>of</strong> <strong>Compliance</strong> 36018 CEU: Business partner due diligence: Selectingand managing agents, joint ventures, andconsultants — By Thomas FoxA step-by-step guide for forming successful relationshipsbetween US companies and their foreign partners.22 The buck doesn’t stop here: Little connectionbetween compliance and corporatecompensation — By Adam TurteltaubResults <strong>of</strong> a survey on ethical conduct and executive pay andbonuses.24 CEU: The Fraud Enforcement and RecoveryAct <strong>of</strong> 2009: Legislative changes and newchallenges — By Cheryl Wagonhurst and Rick RifenbarkFERA contains several amendments that expand who can beheld accountable for fraudulent activity.27 Newly Certified CCEPs28 A risk-based approach to ethics andcompliance — By Greg TrigubaRisk management and setting priorities are more important than everduring tough economic times.32 CEU: In-house attorney-client privilege: Whendoes it exist? — By Gordon OwnbyA look at five categories and how confidentiality and nonprivilegedcommunications are affected.42 Why should a not-for-pr<strong>of</strong>it organizationchoose to develop a compliance program? Isit really necessary? — By Marcella Henry48 New SCCE Members<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org3August 2009

Why we do what we doEditor’s note: Joe Murphy is the Director<strong>of</strong> Public Policy for SCCE and author <strong>of</strong>501 Ideas for Your <strong>Compliance</strong> & <strong>Ethics</strong>Program (published by SCCE in 2008).He is the co-editor <strong>of</strong> ethikos. Joe may becontacted by e-mail at jemurphy@csig.com.You are a compliance and ethicspr<strong>of</strong>essional. Maybe youare a chief compliance andethics <strong>of</strong>ficer, or perhaps an internalinvestigator, or a trainer on harassmentand discrimination. You could be anoutside consultant helping to improvecompany programs. Your title couldbe one <strong>of</strong> the more than 800 differenttitles found in this field. 1 The <strong>Society</strong><strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong>’Code <strong>of</strong> Pr<strong>of</strong>essional <strong>Ethics</strong> says you“take such steps as are necessary toprevent misconduct by [your] employingorganization. 2 ” You help stop businesscrime and misconduct like pricefixing,corrupt payments, employmentdiscrimination, and environmentalpollution.As compliance and ethics pr<strong>of</strong>essionals,how do we do this? We help our clients,whether from inside or out. We helpstructure compliance and ethics programs,assess risk, develop codes, train employees,conduct investigations, and challengemisaligned incentive systems. We handlethese and other organizational and,sometimes, technical issues. We are pr<strong>of</strong>essionalexperts on things like designingeffective systems, implementing all <strong>of</strong> theFederal Sentencing Guidelines elements,and measuring program effectiveness.But what is it we are really about? Whydo we do this, sometimes, thankless work?Joe Murphy, CCEPI want to challenge you to step back fromthe mundane, the structural, even thepr<strong>of</strong>essional, and think about what wereally do.I think <strong>of</strong> the individuals I have dealtwith in the 30-plus years I have donecompliance and ethics work. I hear thevoice <strong>of</strong> a conscientious, but very nervouscompany middle manager, who was worriedthat his two bosses were up to somethingwrong. A few anxious minutes onthe phone, some follow-up questions,and a day later, I heard a greatly relievedloyal company manager, conscienceunburdened and career preserved.I see the edgy, careful, but angry youngwoman in a remote sales <strong>of</strong>fice, sitting ina chair across from me, finally having achance to express her frustration aboutthe discrimination and mistreatment byher all-male colleagues. I see a companymoved to take steps to change the workenvironment without anyone ever knowingthat she had raised the issue.I picture the dedicated junior manager,willing to stand up to senior executiveswho are questioning his judgment, becausehe is so dedicated to protecting thecompetitors’ information entrusted to hiscare. I hear his voice on the phone, gettingthe legal assurance he needs to standhis ground with his career intact.Think <strong>of</strong> the individuals you may havehelped, the careers you may have saved,the disruption <strong>of</strong> entire families thatyour hard work prevented. And think <strong>of</strong>those you may never see, but are therenevertheless. There is the workplacesafety program you may have insistedon, and the elevator maintenance personwhose life you saved, because he checkedhis safety equipment per the training hehad just received. There is the young,idealistic African American woman, inher first year at work, who is treated withrespect instead <strong>of</strong> condescension, because<strong>of</strong> improvements you made in the mutualrespect training. There is also the 25-yearveteran employee who finally felt thatjustice was done as a result <strong>of</strong> the phonecall to the helpline you helped install.Picture, too, the salesperson whose auditinterview convinced him not to agree tocollusion in a phone call with a competitor,and saved his career and possiblyyears in prison. Or, picture the toddlerwho will continue to play merrily to thedelight <strong>of</strong> his proud parents, because <strong>of</strong>the due diligence you insisted on thatcaused your company to reject a componentsupplier who would have used leadin toy materials. Maybe there is an investorwhose hard-earned savings will not belost to fraudulent schemes.Most people never save a life, prevent achild from being poisoned, or even savesomeone’s career; but that, in very realterms, is what we do for a living. Yes, wemust focus on meetings and policies. Weinsist on discipline and re-writing articlesfor the company e-newsletter. We investigatecalls from unhappy employees. Butas you do this day-to-day work, everynow and then, lift your eyes from thepapers on your desk. Step away from thecomputer. Pause before you make yournext call. Picture for just one minute thereal lives and real people you are protecting.Think about why we really do whatwe do.Continued on page 8August 20094<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Managing risk – anancient problem.Ask Penelope...By Patricia A. McKeown and Gonzalo SanchezEditor’s note: Patricia A. McKeown, isManaging Director for Daylight Forensic &Advisory in its Washington, DC Office. Shehas more than 20 years <strong>of</strong> retail bankingexperience, having worked for both RiggsBank NA in Washington DC, Londonand Berlin, and Central Fidelity Bank inNorthern Virginia. She can be contacted atpmckeown@daylightforensic.com.Gonzalo Sanchez is a Director with DaylightForensic & Advisory in its Miami <strong>of</strong>fice. Hehas 27 years <strong>of</strong> international banking experiencein Europe, Latin America, and the U.S.in the fields <strong>of</strong> regulatory and operationalrisk management, fraud management, andinternal audit. He may be contacted atgsanchez@daylightforensic.com.Remember Penelope, the mythicHomerian heroine who was marriedto Ulysses, King <strong>of</strong> Ithaca?Arguably, her story is one <strong>of</strong> the earliestexamples <strong>of</strong> poor risk management resultingin significant reputational damage.Her husband had gone to fight the TrojanWar, years passed, and the noblemen fromIthaca started courting her under theassumption that the brave Ulysses wouldnever return from war. To discourage theavid suitors, and hoping to gain time forthe return <strong>of</strong> her husband, she convincedthem that she would make her choice,once she finished a robe she was knitting.During the day, she worked at the robebut in the night, she undid the work <strong>of</strong>the day. In fact, the robe project wouldnever end and the men from Ithaca madetheir mark in history as anxious and naïvesuitors who were morally scammed bycharm and good manners. The revengethey exacted once they found out aboutthe scam was bad for Penelope—but that’sanother story.The suitors’ reputations would probablybe different today had they spent moretime questioning Penelope about whenshe expected to finish the robe, had theydesignated somebody to visit her occasionallyto monitor her progress, andhad they requested her to deposit therobe overnight under double custody.But those events took place in a differenttime and age when mankind had notdiscovered the discipline <strong>of</strong> risk managementand the implications (financial andreputational) for not managing thoserisks intelligently.Annus horribilisMore than 20 centuries have passed sincethe days <strong>of</strong> Homer. Risk managementpractices have experienced phenomenalgrowth. Yet, recent events have shownhow ineffective risk management toolshave been in preventing the 2008 economiccatastrophe. Ironically, disasterstruck some <strong>of</strong> the very institutions thatspent millions <strong>of</strong> dollars in creatingsophisticated risk management systemsthat applied complex models to assessand manage risk to preserve capital andshareholder value.The year 2008 will certainly be rememberedas an annus horribilis (a horribleyear), with all the trappings <strong>of</strong> a Greektragedy. In early January 2008, SociétéGénérale, a symbol <strong>of</strong> traditional Europeanbest banking practices, disclosed tothe world that a mid-level rogue traderhad perpetrated a 4.9 billion Euro fraud,circumventing what was considered a “robust”control environment and negativelyimpacting Société Générale’s reputation.Summer saw credit woes that broughtdown Bear Sterns, Lehman Brothers, andMerrill Lynch. By the end <strong>of</strong> the summer,giant banks in the U.S. and abroad beganto falter, and government assistance soonfollowed. In mid-December, investor confidencewas further shaken by the discovery<strong>of</strong> a widespread fraud by a storied WallStreet name, Bernard Mad<strong>of</strong>f, and thedisastrous consequences to individuals andcharitable and non-pr<strong>of</strong>it organizations.Risk management principlesIt is ironic that the worst financial crisissince the Great Depression has occurredduring a time <strong>of</strong> an elaborate andcomplex risk management culture thattrumpeted the Basel II Capital Accordand Sarbanes-Oxley (SOX) as the meansto ensure capital preservation in financialinstitutions. Given the millions <strong>of</strong> dollarsspent in risk management in general,and in SOX compliance in particular, thefailures are stunning. The same industrythat complained as recently as 2006 thatthe U.S. was regulating itself out <strong>of</strong> theworld economy has turned to its regulatorsfor funding and guarantees. Today,most people blame at least part <strong>of</strong> thecrisis on regulatory gaps, and many callfor a significant overhaul in the regulationand oversight <strong>of</strong> our financial systemto restore public confidence.Bouncing back – a return to thebasicsSo where do we go from here? BanksAugust 20096<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Managing risk – an ancient problem. Ask Penelope... ...continued from page 7Why we do what we do...continued from page 4contributed to a higher degree <strong>of</strong> pr<strong>of</strong>essionalismin the risk management arena.However, a frequent and unintendedconsequence <strong>of</strong> this phenomenon is thatthe front <strong>of</strong>fice has abdicated its riskmanagement responsibilities, leavingthose responsibilities to dedicated riskmanagement personnel who do notgenerally have the necessary clout to pushback against traders, deal-makers, andproduct developers. New guidelines andtraining programs must be implementedto ensure that front <strong>of</strong>fice staff once againassumes a pivotal role in managing risk.By the same token, risk managementmust be freed from internal financialpressures in considering whether to approvea complex new product.n Complex organizations andmultiple reporting linesSome financial institutions have becomealmost too complicated to manage from arisk management standpoint. In additionto managing complex products and doingbusiness across various geographies, legalvehicles, and jurisdictions, organizationshave multiple reporting lines. Managersmust <strong>of</strong>ten deal with the expectations<strong>of</strong> multiple business heads that havecompeting or simply different objectives.“I have more than three bosses” hasbecome a frequent complaint from manyfrustrated managers.An effective risk management processrequires strong leadership that is independentas well as accountable. Boards<strong>of</strong> directors and upper managementhave critical roles to play. Boards need toexercise good governance and oversightto ensure a more linear and simpler organizationalstructure. Management mustbe aware <strong>of</strong> and resolve conflicting goalsand reporting lines and ensure that thefirm’s expectations are clearly communicatedto employees.n Internal Audit needs fresh bloodThe <strong>Institute</strong> <strong>of</strong> Internal Auditorsadvises that an internal audit programhas a significant role to play in helpingorganizations evaluate the effectivenessand efficiency <strong>of</strong> their controls, as well asby promoting continuous improvement.The economic meltdown has raised thequestion as to whether the audit functionfailed to adequately assess high riskactivities. It is possible that the auditorsrelied on tested methodologies that werenot adequate to the task <strong>of</strong> assessingcomplex products and business strategies.In some institutions, Internal Audit hasfailed to attract talent from the businessranks <strong>of</strong> the organization; as a consequence,auditors may be technicallypr<strong>of</strong>icient but lack understanding <strong>of</strong>the business and its key risks. Effectiveinternal audit organizations, particularlyin financial institutions, need to combinepr<strong>of</strong>essional auditing skills with therealities <strong>of</strong> a business that can best beobtained from working in the trenches.The future and risk managementAlthough regulatory reform may be onthe horizon, risk management is withinthe control <strong>of</strong> the financial services industry.Restoring confidence in the financialsystem must come, ultimately, fromfinancial institutions. The public musttrust that financial institutions both understandand are dedicated to controllingtheir risks. Until sound risk managementprinciples are balanced with financialmotives, stability in the financial systemwill continue to elude us. nYou will probably never hear from thesepeople. Most will not even know thatyou helped them. The customer who isnot overcharged, the patient not giventhe wrong prescription, the companyemployee whose career is not destroyedby a near-lapse in judgment. They do notknow. They do not need to know.But you should know. And if no oneelse ever says this to you, let me say it:Thank you for what you do. Rememberevery now and then to picture thoseindividuals you have helped. On a toughday it may help you get through. n1 Joseph E. Murphy, Joshua Leet: Working forIntegrity. SCCE; 2006. Available at http://www.corporatecompliance.org/AM/Template.cfm?Section=Books&CONTENTID=3339&TEMPLATE=/CM/ContentDisplay.cfm2 Code <strong>of</strong> <strong>Ethics</strong> for <strong>Compliance</strong> and <strong>Ethics</strong>Pr<strong>of</strong>essionals Rule 1.2. Available at http://www.corporatecompliance.org/Content/NavigationMenu/Resources/Pr<strong>of</strong>essionalCode/default.htm.<strong>Compliance</strong> & <strong>Ethics</strong>Advertising RatesPer insertionFull-page full-color:Back Cover | Inside Back Cover | Inside Front Cover1 $1,7253 $1,5754–6 $1,500Full page B/W:1–2 $9053 $7354 $605Half page B/W:1–2 $6303 $5354 $455Quarter page B/W:1–2 $3753 $3354 $320Two color ads are availablein Black and PMS 5115 for anadditional charge <strong>of</strong> $435 perinsertion.August 20098<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Register online at www.corporatecompliance.org<strong>Compliance</strong> Web conferences from SCCEGuide to Industry Initiatives in CSR: Your Guide to Selecting the RightMultistakeholder Initiative for Your CompanyAugust 11, 2009 | 12:00 pm Central | 90 minutesDeborah Leipziger, Report Author, Ethical Corporation <strong>Institute</strong>, London, EnglandPamela Muckosy, Research Manager, Ethical Corporation <strong>Institute</strong>, London, EnglandAntitrust Update: Recent Enforcement Actions and What You Should DoAbout ThemAugust 20, 2009 | 12:00 pm CT (90 minutes) | 1.2 CEUsExpert Speakers:David L. Meyer, Partner Morrison & FoersterChuck Samel, Partner, Latham & WatkinsWho’s Lying? How to Identify Untruthfulness in Internal InvestigationsSeptember 23, 2009 | 12:00 pm Central | 90 minutesMichael Johnson, Esq., Co-President, Brightline Learning Division, Global <strong>Compliance</strong>Past web conferences available on CDs available at www.corporatecompliance.org• The Economy, <strong>Compliance</strong> and <strong>Ethics</strong> - Five Leaders, Five Industries, Ideas for Your Program -• Creating <strong>Corporate</strong> Conscience: Instituting Ethical Conduct• Siemens: Cooperation and Remediation• Disability and Sickness: Understanding the New Amendments to the ADA and FMLAand the New FMLA Regulations — Effective January 2009• Creating <strong>Corporate</strong> Conscience: Instituting Ethical Conduct in Organizationswith SAIP• Siemens: Cooperation and Remediation• Partnering Effectively With Internal Audit• Foreign Corrupt Practices Act II• Data Privacy Security Enforcing Rules• An Insider’s Guide to Workplace Investigations• Red Flag Rules• <strong>Compliance</strong> 101• “Who’s Lying? How to Identify Untruthfulness in InternalInvestigations”• Leading Integrity: Is Your <strong>Compliance</strong> and <strong>Ethics</strong> FunctionPositioned for Success?• Tone at the Middle• Codes <strong>of</strong> Conduct Benchmarked: How Would You Be Graded?• Managing <strong>Ethics</strong> & <strong>Compliance</strong> Risks in the Supply Chain<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org9August 2009

Social networking:Cornerstone for your“new” complianceprogramEditor’s Note: David is CEO and President<strong>of</strong> <strong>Ethics</strong> Point. He is a pioneer in the field <strong>of</strong>Governance, Risk and <strong>Compliance</strong>. David isa frequent lecturer on the subject <strong>of</strong> businessethics and was recently named one <strong>of</strong> the“100 Most Influential People in Finance”by Treasury & Risk Magazine. He may becontacted at childers@ethicspoint.com.We live in a new world <strong>of</strong> communicationand informationsharing. In the last 24 hours,over 900,000 new blog posts were written– a majority <strong>of</strong> them about productor service information, idle chatter, orpersonal experiences with companies andtheir employees. In fact, by the time youfinish this paragraph, two new blog siteswill be created.Blogs (short for web-log) are just one part<strong>of</strong> the 21st century’s online conversation.This conversation includes an array <strong>of</strong>networking tools, blogs, bookmarkingsites, and other social media resources.It is part <strong>of</strong> what’s known as “Web 2.0,”a term that describes new ways peoplelearn and interactively share informationthrough the Internet. These online conversationsare fast, expansive, and crucialto be a part <strong>of</strong>, and if you are like mostcompliance pr<strong>of</strong>essionals, you are neitheraware nor involved enough.<strong>Compliance</strong> pr<strong>of</strong>essionals need to recognizethe importance <strong>of</strong> social media, learnBy David Childershow employees are involved in the Web2.0 world, and become authorities in usingsocial media to shape the conversation.Understanding the importance <strong>of</strong>social mediaEvery survey and best-practice guidelineemphasizes effective communication ascentral to a successful compliance program.If you are part <strong>of</strong> a company with ayoung workforce, you already know that alot <strong>of</strong> communication takes place throughWeb 2.0 resources – and in order to bepart <strong>of</strong> the communication, a successfulcompliance program has to get involved.This is especially true in light <strong>of</strong> themajor demographic shift ahead. A largepercentage <strong>of</strong> the Baby Boomers will beeligible for retirement in the next fiveyears, and many will be replaced by some<strong>of</strong> the 75 million Generation Y “Millennials.”For many Millennials (peopleborn between 1979 and 1995), technologieslike computers and cell phones havebeen a normal part <strong>of</strong> growing up. Socialmedia is second nature to this group, andjust as the Boomers transformed society,so will the Millennials.As a result, many companies have startedtesting the social media waters. Socialnetworking sites similar to Facebook andLinkedIn, video sharing sites resemblingYouTube, and company knowledgeresources modeled after Wikipedia are startingto appear within companies, allowingtheir employees to easily share information.Many <strong>of</strong> these contain interesting ideas thatare useful to compliance pr<strong>of</strong>essionals.If these ideas have piqued your interestthe same way they did mine, you mightconsider starting where I did. Establisha presence on a networking site likeLinkedIn or the SCCE Social Network athttp://community.corporatecompliance.org. Try joining Technorati to get a bettersense for what pr<strong>of</strong>essionals are writingabout your company in blogs. Sign upfor Google Alerts so you receive e-mailsummaries <strong>of</strong> blog and web updates onany topic. Yahoo! Answers is an Internetreference site where users can ask andanswer questions, and the micro-bloggingsite Twitter can help you connect withother pr<strong>of</strong>essionals who are experimentingwith social media. Armed with abetter perspective, you can join the socialmedia conversation.Look before you leapYou need a strategy before beginning yourown social media experiments. Find outhow your employees are engaged online.Are they going outside <strong>of</strong> the companyfor advice on compliance issues? Do theyconsider your compliance team a readilyavailable resource? Conduct a survey, orfrankly, just ask around, to find out howyour employees are communicating inthe Web 2.0 world. Their conversationscould potentially concern ethics andcompliance topics. Once you understandwhere the conversation is happening, youcan get creative about helping make sureemployees are finding the right complianceknowledge when they need it.Don’t make the mistake <strong>of</strong> believing yourtitle automatically makes you an authorityAugust 200910<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

online. When you join the social mediaconversation, you cannot assume yourmessage will be heard simply because<strong>of</strong> your role in the organization – it isthe value <strong>of</strong> your content that is moreimportant. Employees are increasinglysuspicious <strong>of</strong> company authorities, andthe 2008 Edelman Trust Barometerconfirms that people trust their peersmore than traditional authorities. Becausesocial media revolves around peer-to-peerconversation, to get your message across,you must listen, communicate as a peer,and be an authority in fact, not just intitle.Using social media to instructVery few compliance <strong>of</strong>ficers are usingany social media resources to strengthentheir efforts. This area is largely unexplored,but here are some ideas that canhelp get you started.Deloitte has created an internal socialnetworking site, D Street, where all46,000 employees can share informationabout themselves, keep up to date withother employees, or search for peoplebased on keywords or interests. Throughthis online networking resource, Deloitteis trying to make a big company small; togain more communication, closeness, andcomfort in who employees are.Deloitte’s ethics and compliance groupis looking into the idea <strong>of</strong> creating avirtual compliance group on D Street.This could be a place for employees to askquestions on how to handle ethical dilemmasor find out which member <strong>of</strong> thecompliance team is best suited to answerspecific questions.Cisco uses an internal resource similar toYouTube that allows any Cisco employeeto post videos online, including trainingvideos. The company also uses an internalcompany wiki, inspired by Wikipedia,which allows employees to share knowledgeand search for information. <strong>Compliance</strong>pr<strong>of</strong>essionals could use these kinds<strong>of</strong> resources to distribute training videosand discuss compliance topics.You might also consider constructingcompliance training scenarios through amore interactive, gaming-style experience,where employees can complete activitiesto “level-up” their ethical decision-makingskills. FD Career has taken this idea in thedirection <strong>of</strong> personal pr<strong>of</strong>essional development,but the interactive style could alsobe adapted and applied in a very engagingway in a compliance program.The Web2.0 experience can provideother ideas, including using an onlinehelp desk, discussion forum, blog, or achat-style session for real-time compliancedilemmas or questions. Would youconsider creating a Facebook listing <strong>of</strong>your compliance team to better introducethem to your organization as “friendlyand accessible”?The concepts in this article only scratchthe surface <strong>of</strong> social media’s potential. Butmake no mistake about it; the conversationis happening whether or not compliancepr<strong>of</strong>essionals are part <strong>of</strong> it. Are youready to start listening? nBe Sureto Get YourCCEP CEUsComplete the <strong>Compliance</strong> &<strong>Ethics</strong> quiz related to the articlesbelow:n Business partner duediligence: Selecting andmanaging agents, jointventures, and consultants— By Thomas Fox, on page 18n The Fraud Enforcementand Recovery Act <strong>of</strong>2009: Legislative changesand new challenges—ByCheryl Wagonhurst and RickRifenbark, on page 24n In-house attorneyclientprivilege: When does itexist?—By Gordon Ownby, onpage 32New CEU Credit ProcedureTo obtain one CEU per quiz,visit www.corporatecompliance.org/quiz. Select a quiz, fillin your contact information,and answer the questions. Theonline quiz is self-scoring andyou will see your results almostimmediately. Or, you mayFAX or MAIL the completedquiz to Liz Hergert at SCCE.Questions? Please call LizHergert at 888/277-4977.<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200911

Want to become certifiedin <strong>Compliance</strong> & <strong>Ethics</strong>?Demonstrate your expertiseRaise your understandingEarn your Certified<strong>Compliance</strong> & <strong>Ethics</strong>Pr<strong>of</strong>essional (CCEP)certification today,and be recognized foryour experience andknowledge.www.corporatecompliance.orgThe <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and<strong>Ethics</strong> (SCCE) <strong>of</strong>fers you the opportunityto take the Certified <strong>Compliance</strong> and <strong>Ethics</strong>Pr<strong>of</strong>essional (CCEP) certification exam.The CCEP gives individuals from all industriesthe platform to demonstrate theirknowledge and expertise in complianceand ethics.In the U.S., the exam is available at anH&R Block near you. The exam is alsoavailable in more than 30 countries.qUaLifiCationsFind a link to download theCCEP Candidate Handbook atwww.corporatecompliance.org/CCEPCost: $250 for SCCE members$350 for non-membersCredits Required: 20You may obtain all twenty credits by:• attending SCCE-sponsored conferences• speaking at conferences regarding complianceand ethicsqUEstions?Please contact SCCE via phone at+1 952 933 4977 or 888 277 4977or e-mail ccb@corporatecompliance.orgOr visit our Web site:www.corporatecompliance.org/CCEP<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong><strong>Compliance</strong> & <strong>Ethics</strong>6500 Barrie Road, Suite 250Minneapolis, MN 55435, United Stateswww.corporatecompliance.orgCCEP CErtifiCation BEnEfits• attending conferences, seminars, or• Demonstrate pr<strong>of</strong>essional standards“We sought the assistance <strong>of</strong> a pr<strong>of</strong>essionalcertification consulting firm,workshops sponsored by other organizations(please fill out an Individualand status for compliance pr<strong>of</strong>essionals• Heighten the credibility <strong>of</strong> complianceApplied Measurement Pr<strong>of</strong>essionals,Accreditation Application for each)practitioners and enhance the credibility<strong>of</strong> compliance programs staffed by taKinG tHE EXaMcation. Many experienced compli-for the development <strong>of</strong> this certifi-these certified pr<strong>of</strong>essionalsance and ethics pr<strong>of</strong>essionals wereThere are several opportunities toinvolved in the 18-month process.• Ensure that each certified practitioner take the CCEP exam:We had more than 100 people sit forhas the knowledge base necessary to • At SCCE’s <strong>Compliance</strong> and <strong>Ethics</strong> the first exam. I couldn’t be moreperform the compliance function<strong>Institute</strong>, SCCE’s Academies, or SCCE’s pleased with the effort and response.• Facilitate communication with other Conference for Effective <strong>Compliance</strong> This is a big step in the maturationindustry pr<strong>of</strong>essionals, such as governmentSystems in Higher Educationprocess for the compliance and eth-<strong>of</strong>ficials and attorneys• At an H & R Block near you:ics pr<strong>of</strong>ession.”• Demonstrate the hard work and dedica- visit www.goAMP.com to register— Roy Snell, CEO, SCCEtion necessary in the compliance field • In more than 30 countries: visitwww.corporatecompliance.org/August 2009*All rates listed in U.S. dollars.*Examination 12only <strong>of</strong>fered in English <strong>Society</strong> at this <strong>of</strong> time. <strong>Corporate</strong> <strong>Compliance</strong>CCEPandfor<strong>Ethics</strong>more• +1information952 933 4977 or 888 277 4977 • www.corporatecompliance.org

How to get into the“Good Old Boys Club”Before I share the secret, I need to give you a little backgroundon the pr<strong>of</strong>ession. After we leave the formal education system,anyone who takes their pr<strong>of</strong>ession seriously seeks two things tobecome more effective in their job: pr<strong>of</strong>essional education andnetworking. Ongoing pr<strong>of</strong>essional education has not changedmuch. Most still attend conferences and workshops. Thereis easier access to ongoing education and training via onlinetraining and web conferences. Online training is good forbasic training; however, it’s difficult to stay current via onlinetraining. Web conferences are a great way to stay current onnew developments, but they are almost devoid <strong>of</strong> networking.Where the real advances have come is in pr<strong>of</strong>essional networking.There is also a new trend in three-dimensional onlineconferencing. It is an interesting 3D simulated conference environmentin which all attendees get a full-body avatar and theywalk around from meeting room to meeting room, listening topresenters, talking to vendors, and networking. It’s not readyfor prime time, but it’s getting there fast.The real advance has come in the area <strong>of</strong> online pr<strong>of</strong>essionalnetworking. Online pr<strong>of</strong>essional networking is so critical that ifyou do not make use <strong>of</strong> it, you are going to be at a real disadvantage.Those who use it are going to run circles around thosewho don’t. Those who use it are going to stay more current,save an enormous amount <strong>of</strong> effort when developing new policies,and get help with their specific problems. There is a catch.For those <strong>of</strong> you who think social networking is just for childrenand malcontents, I have a piece <strong>of</strong> advice, “Get over it.”The early adaptors <strong>of</strong> most technology are experimenters. Theyuse it for strange things. New technology sometimes gets usedby malcontents for nefarious purposes. Then the technologyimproves or people think <strong>of</strong> new applications for it. Somemove quickly to take advantage <strong>of</strong> thetechnology for pr<strong>of</strong>essional applications;others continue to write it <strong>of</strong>fas junk or a waste <strong>of</strong> time. Fallinginto that trap is going to leave you farbehind.ROY sNELLFirst <strong>of</strong> all, social networks allowpeople to set up special interest groups for people who sharesomething in common. No more general groupings in whichyou receive lots <strong>of</strong> communication about topics that don’t applyto you. Now, groups can be set up in 5 minutes that cater toany segment <strong>of</strong> the pr<strong>of</strong>ession, based on an organization’s size,segment <strong>of</strong> the pr<strong>of</strong>ession, or type <strong>of</strong> organization. A group canbe based on a single regulation, such as the Foreign CorruptPractices Act, or subspecialty areas, such as social responsibility,ethics, auditing, education, etc. Every group gets their ownlistserve. With the ability to set up a subspecialty group in asocial network, you are able to minimize the number <strong>of</strong> e-mailsor topics that don’t apply to you.If you are not on a listserve, it’s probably for one <strong>of</strong> two reasons.Either you can’t find one in your area <strong>of</strong> interest, or you aremissing the point. Given that you can set up any listserve youwant, the area-<strong>of</strong>-interest problem and irrelevant e-mails thatcome with it is solved. You just need to recruit people withinterest in that subject.The most valuable part <strong>of</strong> any presentation at a conference isthe Q&A session. In Q&A, people get to refine their understanding,get the expertise <strong>of</strong> the rest <strong>of</strong> the audience involved,clarify misunderstandings, or drill down into a specific part <strong>of</strong>the topic. That is what a listserve does all day long. Any dayyou have a question about any topic, you can hit one <strong>of</strong> the listserves.And you can do it for free from your desk, at the pointin time you need help.But listserves, my friends, are only the tip <strong>of</strong> the iceberg. Socialnetworking as it is implemented by organizations such as the<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> (SCCE) or theHealth Care <strong>Compliance</strong> Association (HCCA), have additionalfunctionality, such as document sharing (e.g., policies,procedures, presentations, etc.) Many listserves don’t allowattachments. If they do, it is a one-time event. If you set up aContinued on page 36<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200913

feature articleMeet Michael Samonas, Esq.<strong>Compliance</strong> Solutions Specialist for LexisNexisand SCCE’s 1,500th MemberEditor’s Note: Steve McGraw, Presidentand Chief Executive Officer <strong>Compliance</strong>360 conducted this interview with MichaelSamonas, <strong>Compliance</strong> Solutions Specialistfor LexisNexis. Michael may be contactedat michael.samonas@lexisnexis.com.This past April when Michael sent in hisSCCE membership registration, he did notrealize what a response this would create.He was SCCE’s 1,500th member, andthis was a milestone that made him veryimportant. When Roy Snell, CEO, calledhim and congratulated him for becomingour 1,500th member and invited him to bethis month’s <strong>Compliance</strong> & <strong>Ethics</strong> interviewwith his photo on the front cover Michaelsaid, “I am honored and it would be mypleasure.”SM: Would you tell the memberssomething about your pr<strong>of</strong>essionalexperience?MS: I am a licensed attorney with aMaster’s degree in Management. I haveworked for LexisNexis for 22 years. Thepast several years, I have worked withour corporate legal and compliancecustomers. My current focus is to assistour customers in their efforts to mitigaterisk and build a culture <strong>of</strong> complianceusing LexisNexis enterprise compliancesolutions.SM: How did you learn about SCCEand what are your thoughts on becomingthe 1,500th member?MS: SCCE is a remarkable and prestigiousorganization, and I am honoredto become the 1,500th member. I firstbecame familiar with SCCE throughother members, and attended last year’s<strong>Compliance</strong> <strong>Institute</strong>. I look forwardto participating in its Social Network,interacting with other members, takingpart in SCCE events, and leveraging theassociation’s resources to keep abreast <strong>of</strong>emerging compliance and ethics issues.SM: What is the greatest area <strong>of</strong> concernor need for compliance practitioners?MS: In the past few years, compliancepractitioners have witnessed a more complexlegal and regulatory environment.With thousands <strong>of</strong> government laws andregulations being enacted every year, Iconstantly hear from customers aboutthe challenges they are presented whenmanaging these compliance activities. Intoday’s environment, there is a real concern<strong>of</strong> missing a critical law or regulationthat could give rise to regulatory riskand negatively impact their businesses.Globalization is another area <strong>of</strong> criticalconcern, which presents a myriad <strong>of</strong>challenges. Along with monitoring andvetting relevant global laws and regulations,there are challenges with creatingand managing the numerous policies andprocedures these bring. Foreign CorruptPractices Act (FCPA) compliance alsocontinues to be a concern – with theaggressive enforcement and record fineslevied against companies who violatethis Act. Additionally, many countriesare developing their own bribery-relatedrules and regulations.August 200914<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Third-party risk, such as suppliersecurity breaches, misuse <strong>of</strong> data, theft,and other misdeeds – which can resultin direct liability, damage to reputation,government investigations and penalties,and can even cripple business operations– is a growing concern for companies.Organizations with a number <strong>of</strong> globalsuppliers are finding it increasingly difficultto evaluate and monitor theirsuppliers at all times. Many are just nowbeginning to develop third-party riskmitigationinitiatives, including establishingscreening processes, implementingvendor codes <strong>of</strong> conduct, as well asextending their compliance programs totheir suppliers.Finally, mitigation <strong>of</strong> corporate riskduring the economic downturn is a hugeconcern for general counsels and chiefcompliance <strong>of</strong>ficers. Corporations are ingreater need <strong>of</strong> effective compliance andethics <strong>of</strong>fices when the economy is facinga downturn. We have repeatedly seen inthe past that when regulatory corners arecut, violations will occur.SM: You have been working in thelegal and risk areas for a lot <strong>of</strong> years.How have you seen it evolve, particularlyin the area <strong>of</strong> compliance and ethicsmanagement?MS: I have been working with corporatelegal and compliance practitionersfor the past 16 years and have seencompliance and ethics transform from anecessary task to a new source <strong>of</strong> valuefor companies. Studies have shown thatcompanies with stellar ethics, compliance,and governance programs outperformtheir competitors – includingacquiring and retaining top-notch talentand attracting new investors.The “tipping point” for the transformationwas the corporate scandals<strong>of</strong> the past decade and the subsequentpassage <strong>of</strong> the Sarbanes-Oxley Act, thelevying <strong>of</strong> record fines, and the exposure<strong>of</strong> the executives and directors to civiland criminal sanctions. By wanting tostay clear <strong>of</strong> trouble and recognizing thevalue <strong>of</strong> good corporate citizenship ontheir company’s’ bottom line, a number<strong>of</strong> enlightened leaders and boards haveinvested in the development <strong>of</strong> a qualitycompliance and ethics program. Thebeauty <strong>of</strong> this ethical “tone at the top”approach is that it trickles throughout theorganization and compels managementand employees to incorporate complianceand ethics into their business practices.Another interesting aspect <strong>of</strong> theevolution is the shift to an enterpriseapproach to compliance. Spearheaded bychief compliance <strong>of</strong>ficers, companies aretransitioning from a reactive and siloedapproach to compliance, to a more proactive,systemic infrastructure to mitigateproblems and demonstrate that complianceefforts are in place.A growing number <strong>of</strong> chief compliance<strong>of</strong>ficers are using governance, risk, andcompliance (GRC) technology to developtheir centralized compliance program andcreating a single system <strong>of</strong> record for theentire business in the areas <strong>of</strong> regulatoryintelligence, policy management, riskmanagement, incident management,and GRC reporting. LexisNexis, whichhas partnered with <strong>Compliance</strong> 360,Corpedia, and <strong>Ethics</strong>Point, provides agood example <strong>of</strong> a well-rounded GRCtechnology.SM: It used to be that lawyers dominatedcompliance, and in large measurethey still do, but there are more peoplein the pr<strong>of</strong>ession without a JD. How isthat changing the approach to complianceand ethics?<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgSteve McGrawMS: <strong>Compliance</strong> and ethics is emergingfrom disciplines outside legal (suchas the accounting, audit, operations andrisk management pr<strong>of</strong>essions) workingclosely with legal, compliance, andethics. These additions are helping toprovide a holistic approach that encompassesthe entire corporation and its suppliers.All employees, business managers,and suppliers are expected to embrace aculture <strong>of</strong> compliance.Company leaders are also expandingthe chief compliance <strong>of</strong>ficers’ role, givingthem more autonomy and oversight anda higher pr<strong>of</strong>ile. In many cases, especiallywithin heavily regulated industries, chiefcompliance <strong>of</strong>ficers are reporting directlyto the chief executive <strong>of</strong>ficer with liberalaccess to the board.SM: With the new Administration inplace, what changes do you anticipate inthe coming years for the compliance andethics pr<strong>of</strong>essional?MS: Given that regulatory reformis a central focus in President BarackObama’s administration, I expect anincrease in regulations and enhancedemphasis on enforcement, resulting inorganizations devoting more resources tocompliance and ethics, and in complianceContinued on page 16August 200915

Meet Michael Samonas...continued from page 15and ethics practitioners assuming moretasks/responsibilities.SM: What industries do you see asbeing the most impacted by the newAdministration?MS: I believe the banking and healthcareindustries are going to be impactedthe most. The government’s stake in thebanking sector will lead to a more extensiveregulatory oversight. The president’sStimulus Bill, which was signed into lawin February, contains significant reformsto the privacy and security regulations<strong>of</strong> the Health Insurance Portability andAccountability Act (HIPAA), and changesto COBRA. Medicare and Medicaidfraud oversight is another area <strong>of</strong> importance.Other examples <strong>of</strong> increased regulationand enforcement include the EnvironmentalProtection Agency (EPA), whichis aggressively pursuing a backlog <strong>of</strong> air,water, waste, and other enforcementsettlements and actions that stalled in thefinal months <strong>of</strong> former President GeorgeW. Bush’s administration. The Securitiesand Exchange Commission (SEC) hasalso unveiled a more aggressive enforcementprogram. Finally, I see the Obamaadministration pursuing a more aggressiveagenda regarding workplace safetyand related enforcement.SM: How has the economic recessionaffected approaches to spending by complianceand ethics pr<strong>of</strong>essionals?MS: The economic recession is requiringthat corporate legal, compliance, andethics pr<strong>of</strong>essionals do more with less.Some executives and members <strong>of</strong> theenforcement community have expressedconcern that corporate complianceefforts may be subject to cost-cuttingmeasures – leaving companies vulnerable<strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong> PreviewSession 401: A Practical Guide to Building and Maintaining an Anti-Corruption <strong>Compliance</strong> Program(Monday, September 14th 4:30 – 5:30 pm)“You don’t get it, that’s how business is done here.” Ifyou have, or are contemplating, an anti-corruptioncompliance program, you can expect objections <strong>of</strong> thissort from local personnel in high-risk countries. Designingthe elements <strong>of</strong> an anti-corruption complianceprogram is easy; effective implementation is hard. Thissession will <strong>of</strong>fer guidance based on real world experience.How do you respond to local objections? How do you get buy-in fromsenior management and local business personnel? What controls and programelements work, and which are a waste <strong>of</strong> time? What must you insist on, andwhat is negotiable? How do you deal with suppliers and other business partnerson these issues? How do you ensure that your program is working? And is itpossible to do any <strong>of</strong> this in a cost-effective manner? Mark will discuss these andother questions in his session.to an increase in unethical and illegalactivities, and resulting in investigationand prosecution, paralyzing monetarypenalties, and significant damage to corporatereputation.Some companies are looking to technologyto reduce cost. GRC technology,which is a great force multiplier, can helpcontrol costs and eliminate redundanciesand manual-process efforts by automatingand centralizing compliance applications.Beyond the hard costs savings, anenhanced centralized infrastructure generatedby GRC technology enables compliancepractitioners to remain laser focusedon mitigating risk and establishingand/ormaintaining a culture <strong>of</strong> compliance.Mark SnydermanMark SnydermanSenior Advisor on Anti-Corruption to the United Nations Global Compactand Former Chief <strong>Ethics</strong> & <strong>Compliance</strong> Officer, The Coca-Cola CompanyAttend SCCE’s 8th Annual <strong>Compliance</strong> & <strong>Ethics</strong> <strong>Institute</strong> in Las Vegas inSeptember to hear more! Visit www.complianceethicsinstitute for completeconference and registration information.SM: How does LexisNexis help corporationsbuild and maintain effectivecompliance programs?MS: LexisNexis is committed to helpingcompanies reduce risk and develop aculture <strong>of</strong> compliance. Through productdevelopment efforts and with help fromindustry leading alliance partners C360,Corpedia, and <strong>Ethics</strong>Point, LexisNexisnow provides companies with advancedtools to automate and manage their corporategovernance, risk, and compliancemanagement programs. nAugust 200916<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

SCCE’s 2009 ConferencesEducation and networkingopportunities for you in 2009Start planning now…National Conferences8th Annual<strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong>September 13 – 16 | Las Vegas, NVRegional ConferencesOctober 9 – Minneapolis, MNOctober 23 – Denver, CO<strong>Compliance</strong> AcademiesOctober 5 – 9Optional CCEP Exam October 10Orlando, FLNovember 2-5Optional CCEP Exam November 6Scottsdale, AZAcademy attendees will receive pre-printed binderscontaining conference handout materialsWeb ConferencesHot topics throughout the year.See page 41 for more or visitwww.corporatecompliance.org forup-to-date information on upcomingconferences and to register.SCCE is going greenSCCE conference attendees will NOT automatically receive conferencebinders. If you would like to purchase conference binders,please choose that option on your conference registration form.Attendees will receive electronic access to course materials priorto the conference as well as a CD onsite with all the conferencematerials.Continued on page 17www.corporatecompliance.org | +1 952 933 4977 | 888-277-4977

Business partner duediligence: Selecting andmanaging agents, jointventures, and consultantsEditor’s Note: Thomas Fox has practicedlaw in Houston for 25 years. He is nowassisting companies with FCPA compliance,risk management, and internationaltransactions. He was most recently theGeneral Counsel at Drilling Controls, Inc,a worldwide oilfield manufacturing andservice company He may be contacted attfox@tfoxlaw.com.US companies have long utilizedforeign business partnerrelationships to leverage theirglobal reach and assist in the growthand development <strong>of</strong> overseas businessrelationships. When a US companyenters into this type <strong>of</strong> businessrelationship, it enables the company toexpand their commercial reach in a costeffective manner. One key component<strong>of</strong> this foreign business relationship isthat the US company must managecompliance by the foreign businesspartner under the Foreign CorruptPractices Act (FCPA).Although the FCPA itself does not speakdirectly to the foreign business partner’sissue, the Federal Sentencing Guidelinesfor FCPA violations, and related USgovernment commentary, make clear thatUS-based companies bear the same legalresponsibility for the actions <strong>of</strong> foreignbusiness partners as they do for the actions<strong>of</strong> their own employees. The SecuritiesExchange Commission (SEC) andDepartment <strong>of</strong> Justice (DOJ) DeputyBy Thomas FoxAttorney General Paul McNulty eachconfirmed that the quality <strong>of</strong> a company’sdue diligence on foreign business partnerswill be considered when fashioningpenalties for companies whose businesspartners violate the FCPA. 1,2In spite <strong>of</strong> these clear statements by theSEC and DOJ, the relationships <strong>of</strong> UScompanies with foreign business partnersremains one <strong>of</strong> the greatest areas <strong>of</strong>consternation for US companies. In its“2008 Anti-Bribery and Anti-CorruptionSurvey,” KPMG Forensic reported, basedon responses from 103 US multinationalcompany executives, that 85% <strong>of</strong> therespondents said their company has aformal FCPA or anti-corruption complianceprogram; however, even with thishigh level <strong>of</strong> commitment to the FCPA,many respondents still feel uneasy aboutthird-party due diligence. The surveyreported:n 82% said the challenges they faced inperforming effective due diligence onbusiness partners, including foreignagents and other third parties, was“challenging”;n 76% <strong>of</strong> the companies responding saidthat auditing third parties for compliancewas “a significant challenge”;n 73% said their mergers and acquisitionsdue diligence is less thanadequate; andn 27% said the level <strong>of</strong> their mergersand acquisitions due diligence isminimal.Thomas FoxEstablishing the relationship—Duediligence, due diligence, and then,due diligenceIn view <strong>of</strong> the critical risks a US companymust manage when entering intoa relationship with a foreign businesspartner, the company should, beforeentering into such a relationship,start the risk management process byinitiating thorough due diligence onthe foreign business partner. The duediligence process should contain, at aminimum, inquiries into the followingareas:n Need for the relationship: Articulatethe business case for the relationshipwith the proposed foreign businesspartner.n Credentials: List the critical reasonsfor selection <strong>of</strong> the proposed foreignbusiness partner. This should includea discussion <strong>of</strong> the business partner’sbackground and experience.n Ownership structure: Describewhether the proposed foreign businesspartner is a government or stateownedentity, and the nature <strong>of</strong> itsrelationship(s) with local, regional,and governmental bodies. Are thereany members <strong>of</strong> the business partnerrelated, by blood, to governmental<strong>of</strong>ficials?August 200918<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

n Financial qualifications: Describe thefinancial stability <strong>of</strong>, and all capital to beprovided by, the proposed foreign businesspartner. Obtain financial records,audited for 3 to 5 years, if available.n Personnel: Determine whether theforeign business partner will be providingpersonnel, particularly whetherany <strong>of</strong> the employees are government<strong>of</strong>ficials. Obtain the names and titles<strong>of</strong> those who will provide services tothe US company.n Physical facilities: Describe whatphysical facilities will be provided bythe foreign business partner. Who willprovide the necessary capital for theirupkeep?n Reputation: Describe the businessreputation <strong>of</strong> the proposed foreignbusiness partner in its geographic andindustry-sector markets.These due diligence inquiries are requiredunder the Federal Sentencing Guidelines,the guidance <strong>of</strong>fered by DOJ OpinionReleases, and the publicly released PleaAgreements and Deferred ProsecutionAgreements (DPA) entered into by UScompanies that admit to violating theFCPA. This due diligence should berecorded and maintained by the USbasedcompany for review, if required, bya governmental agency.After this initial inquiry is concluded theUS company should move forward toperform a background check on a prospectiveforeign business partner by usingthe following resources:n References: Obtain and contact a list<strong>of</strong> business references.n Embassy check: Obtain informationregarding the intended business partnerfrom the local US Embassy, including anInternational Company Pr<strong>of</strong>ile Report.n <strong>Compliance</strong> verification: Determineif the foreign business partner, andthose persons within the foreign businesspartner who will be providing servicesto the US company, have reviewedor received training on the FCPA.n Foreign country check: Have anindependent third party, such as a lawfirm, investigate the business partnerin its home country to determinecompliance with its home country’slaws, licensing requirements, andregulations.n Cooperation and attitude: One <strong>of</strong>the most important inquiries is notsimply a legal issue, and might bemore <strong>of</strong> an ‘attitude’ issue, because it isbased upon the response and cooperation<strong>of</strong> the foreign business partner.Did the business partner object to anyportion <strong>of</strong> the due diligence process?Did it object to the scope, coverage, orpurpose <strong>of</strong> the FCPA? In short, is thebusiness partner a person or entity thatthe US company is willing to stand upwith under the FCPA?After a company completes thesedue diligence steps, there should be athorough review by the board, or otherdedicated management committee, onthe qualifications <strong>of</strong> the proposed foreignbusiness partner. It is critical that thereviewing committee is not subordinateto the US company’s business unit that isresponsible for the business transactionswith the foreign business partner. This reviewshould examine the adequacy <strong>of</strong> duediligence performed in connection withthe selection <strong>of</strong> overseas partners, as wellas the foreign business partner’s selection<strong>of</strong> agents, subcontractors, and consultantswho will be used for business developmenton behalf <strong>of</strong> the US company.Formalizing the relationship—<strong>Compliance</strong>, compliance, and then,complianceAfter completing the due diligence review,the committee should conduct a review<strong>of</strong> the proposed contract with the foreignbusiness partner. The contract must havecompliance obligations stated in the formationdocuments, whether it is a simpleagency or consulting agreement or a jointventure with several formation documents.All formation agreements should includerepresentations that in all undertakingsthe foreign business partner will make nopayments <strong>of</strong> money or anything <strong>of</strong> value,nor will such be <strong>of</strong>fered, promised, orpaid, directly or indirectly, to any foreign<strong>of</strong>ficials, political parties, party <strong>of</strong>ficials,or candidates for public or political party<strong>of</strong>fice to influence the acts <strong>of</strong> such <strong>of</strong>ficials,political parties, party <strong>of</strong>ficials, or candidatesin their <strong>of</strong>ficial capacity, to inducethem to use their influence with a governmentto obtain or retain business or gainan improper advantage in connection withany business venture or contract in whichthe company is a participant. There mustalso be periodic re-certifications confirmingthat there have been no actions whichviolate any <strong>of</strong> these obligations.Additional key elements <strong>of</strong> a contract betweena US company and a foreign businesspartner include the retention <strong>of</strong> auditrights. These audit rights must exceed thesimple audit rights associated with thefinancial relationship between the partiesand must allow a full review <strong>of</strong> all FCPArelatedcompliance procedures, such asthose for meeting with foreign governmental<strong>of</strong>ficials and compliance-relatedtraining. The foreign business partnermust agree that it will not hire an agent,subcontractor, or consultant without theContinued on page 20<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200919

Business partner due diligence: Selecting and managing agents, joint ventures, and consultants ...continued from page 19company’s prior written consent (to bebased on adequate due diligence). The UScompany must retain a right to terminatethe contract, in an immediate and unfetteredmanner, if there is evidence <strong>of</strong> anybreach <strong>of</strong> compliance-related obligations.After the contract is signed—Monitor, monitor, and then, monitorIn addition to the due diligence andcontract guidelines above, a US companymust implement a procedure to monitorthe actions <strong>of</strong> the foreign business relationshipgoing forward. In its DPA with theMonsanto Company for their FCPA violations,the DOJ provided some guidanceon the continuing obligation to monitorforeign business partners. In the MonsantoDPA, the DOJ agreed, after the initialdue diligence and appropriate review werecompleted on foreign business partners,for Monsanto to implement certain postcontractprocedures. These requirementsto Monsanto can be used as guidelines asto what the DOJ will look for from otherUS companies that are entering into relationshipswith foreign business partners,especially in the area <strong>of</strong> ongoing monitoring<strong>of</strong> the foreign business partner.A US company should, on a periodicbasis <strong>of</strong> not less than every three years,conduct rigorous compliance audits <strong>of</strong> itsoperations with foreign business partners.These audits would include, but not belimited to, detailed audits <strong>of</strong> the foreignbusiness partner unit’s books and records,with specific attention to payments andcommissions to agents, consultants,contractors, and subcontractors who haveresponsibilities that include interactionswith foreign <strong>of</strong>ficials and contributionsto joint ventures. The compliance auditshould include interviews with employees,consultants, agents, contractors, subcontractors,and joint venture partners.Lastly, a review <strong>of</strong> the FCPA compliancetraining provided to the foreign businesspartner should be included.ConclusionManaging the risk <strong>of</strong> a relationship witha foreign business partner is one <strong>of</strong> themost critical aspects <strong>of</strong> an FCPA complianceprogram. The documented risk to aUS company is quite high for a foreignbusiness relationship’s violation <strong>of</strong> theFCPA. To engage a foreign business partner,in a manner that properly assessesand manages the risk for a US company,requires a commitment <strong>of</strong> time, money,and substantial effort. However, with acompliance-based risk management procedurein place, the risk can be properlymanaged and a foreign business relationshipcan be successful for all parties. n1 Report <strong>of</strong> Investigation Pursuant to Section 21(a) <strong>of</strong>the Securities Exchange Act <strong>of</strong> 1934 and CommissionStatement on the Relationship <strong>of</strong> Cooperation toAgency Enforcement Decisions, Release No. 34-44969 (Oct. 23, 2001) ; available at http://www.sec.gov/litigation/investreport/34-44969.htm [commonlyknown as the “Seaboard Report”].2 Paul J. McNulty, Deputy Attorney General, ,Principles<strong>of</strong> Federal Prosecution <strong>of</strong> Business Organizations(Dec. 12, 2006); available at http://www.usdoj.gov/dag/speeches/2006/mcnulty_memo.pdf.Contact Us! www.corporatecompliance.orgservice@corporatecompliance.orgFax: 952/988-0146SCCE6500 Barrie Road, Suite 250Minneapolis, MN 55435Phone: 888/277-4977To learn how to place an advertismentin <strong>Compliance</strong> & <strong>Ethics</strong>, contactJodi Erickson Hernandez:e-mail: jodi.ericksonhernandez@corporatecompliance.orgphone: 888/277-4977Video TrainingThat WorksSCCE has partnered with QualityMedia Resources (QMR) to <strong>of</strong>fertheir award-winning compliancetraining videos. All are availablein DVD, VHS, and Web streamformats:<strong>Compliance</strong> Is Just theBeginningHow doyou makebetter ethicaldecisions atwork? Thistwo-programvideo setintroduces a three-step processfor handling tough ethical choices.PATTERNS Training SeriesSexualharassment isfundamentallya behavioralproblem. Thisthree-programset armsemployees with the informationthey need to prevent situationsand the tools to help themrespond to incidents.FULL Online Previews Available!Visit the SCCE Web Site:www.corporatecompliance.org.August 200920<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Take Your Careerto the Highest LevelCCEP-Fellow Certification AddedAdvanced Certification for <strong>Compliance</strong> and <strong>Ethics</strong> Pr<strong>of</strong>essionals• Build upon your CCEP certification• Demonstrate your advanced knowledge• Distinguish yourself from your peers• Expand the pr<strong>of</strong>ession’s knowledge base• Learn from a personal mentorThe importance <strong>of</strong> compliance and ethics keeps increasing,and with it the importance <strong>of</strong> having compliance leaderswho know how to solve the most complex compliance andethics challenges.The CCEP-Fellow certification demonstrates that you havethe experience, wisdom and investment in compliance andethics to lead the pr<strong>of</strong>ession.This certification was designed using the input and hands‐oninvolvement <strong>of</strong> a committee <strong>of</strong> highly experienced complianceand ethics pr<strong>of</strong>essionals. It tests your ability to reason throughcomplex issues, and calls upon candidates to expand theknowledge base <strong>of</strong> their peers through the creation <strong>of</strong> thesesthat others can learn from.To learn more about the CCEP-Fellow programand how you can set yourself apart, visit usonline at www.corporatecompliance.org/advancedcertification. It’s a simple step tomeeting the challenge <strong>of</strong> complex times.<strong>Compliance</strong> Certification Board6500 Barrie Road, Suite 250Minneapolis, MN 55435ccb@corporatecompliance.org+1 952 933 4977 or 888 277 4977 (p)+1 952 988 0146 (f)The rigorousrequirementsfor obtainingthis certificationinclude:• A minimum <strong>of</strong> five yearsexperience in the complianceand ethics pr<strong>of</strong>ession.• Holding the CCEP designationfor a minimum <strong>of</strong> three years• 40 hours <strong>of</strong> continuing educationcredits within the previous twoyears, including 20 hours in theprevious year• Successful completion <strong>of</strong> asimulation exam, designed to testthe candidate’s ability to respondeffectively to a wide range <strong>of</strong>challenging compliance and ethicschallenges• Successful completion andpresentation <strong>of</strong> a thesis on acompliance-related topic

The buck doesn’t stophere: Little connectionbetween compliance andcorporate compensationEditor’s note: Adam Turteltaub is the VicePresident, Membership Development,SCCE. He may be contacted atadam.turteltaub@corporatecompliance.org.Companies for years have soughtto align their compensation,incentive and performanceevaluations programs to encourage individualsto act in concert with corporategoals. Unfortunately, new survey datareveals that such is not the case for mostcompanies when it comes to complianceand ethics.In May 2009 the <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong><strong>Compliance</strong> and <strong>Ethics</strong> (SCCE) and theHealth Care <strong>Compliance</strong> Association(HCCA) conducted a survey to determinethe role, if any, compliance andethics played in calculating compensation,bonuses and performance evaluations.The results indicated that whenit comes to ethics, compliance, and pay,most companies are not yet putting theirmoney where their mouths are.“The results were troubling,” said RoySnell, the CEO <strong>of</strong> the HCCA andSCCE. “Across the board we found thatcompanies are not yet tying pay to performancein this very important area.”Of the compliance and ethics pr<strong>of</strong>essionalssurveyed, 56% reported that theethics and compliance function had noor very little role in the compensationBy Adam Turteltaubprocess for executives at the organizationsin which they work. This suggests thatcompanies still are far more focused onschemes based on quarterly or annualnumbers than the methods leaders use toget to those numbers.In the critical area <strong>of</strong> bonuses, the numberspainted a starker picture. <strong>Compliance</strong>and ethics metrics have a significantimpact on bonus or incentives in just15% <strong>of</strong> organizations, according to surveyrespondents.The numbers were no less encouragingfor non-executive employees. Fifty ninepercent <strong>of</strong> survey respondents indicatedcompliance and ethics plays very little orno role in the compensation process.According to Kathy Ranek, the founder<strong>of</strong> KTR Group, an executive search firm,compliance and ethics are not even a part<strong>of</strong> the recruiting conversations. “[Companies]look at character and cultural fitwhen hiring and referencing, but theydon’t usually look at compliance andethics. It’s also not typically included inbonus compensation discussions.”But what about performance evaluations?Here, too, we see less correlation thanwould be ideal in the relationship betweenbusiness and compliance performance.Nearly 20% were not aware <strong>of</strong> the rolecompliance and ethics plays in executiveperformance evaluations. Of those whodid provide an answer, more than half(57%) reported that compliance and ethicsdid not play a role. For non-executiveemployees, the numbers were more evenlysplit between organizations with and withouta role for compliance and ethics.Tone at the top, middle, and bottomThe research data raises questionsabout the tone being set at the topand throughout the organization. Theabsence <strong>of</strong> goals in compliance and ethicscould undercut other messages sent outto emphasize it’s important.Not at all surprised by the absence <strong>of</strong>incentives for compliant behavior wasDonna Boehme, principal at <strong>Compliance</strong>Strategists, and a long-time compliance<strong>of</strong>ficer. “I think that probably 95% <strong>of</strong>companies will say that values are takeninto account in their performance reviewprocess. But that’s misleading. I’ve seenand read many HR performance reviewprocesses, and typically there might beone vague reference to the values or code,and there’s no way to drill down on that,so it’s meaningless.”Being able to drill down requires objectivemeasures, and the difficulties in tyingcompensation to ethics can seem dauntingand dangerous. “Coming up withgood, juicy goals that are concrete andaren’t simple is the challenge,” saidMarjorie Doyle, who was brought intoVetco International to head up its complianceand ethics program in the wake<strong>of</strong> an FCPA violation.And coming up with the wrong measures canbe dangerous. “Anything that is subjectivecan pose risk”’ said Don Samuels, who headsthe Employment Law Group for the Denverbasedlaw firm Holme, Roberts & Owen.August 200922<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

At Vetco International, as part <strong>of</strong> the effort to ensure that anotherFCPA violation would not occur, the company overcamethis risk.According to Ms. Doyle they set easily-measured goals foremployees, tailored to their responsibilities. For each person itwas different, based upon what their job was. For example, ifyou were a middle manager, it would be specific activities whereyou would show leadership in promoting ethics and compliance,such as what percentage <strong>of</strong> your group had completedtheir training. Then, each individual person with the companywould be responsible for completing their own educationalrequirements. Managers were required to keep a diary in whichthey recorded their compliance and ethics activity.Yet, even when the standards are there, a willingness to holdpeople responsible is not necessarily present. One long-timecompliance <strong>of</strong>ficer noted that her organization has a performanceevaluation form that alludes to ethical conduct. “In practice,however,” she reports, “my sense is that (except in cases <strong>of</strong>clear-cut impermissible/unethical behavior that would resultin termination or other formal discipline) most managers areuncomfortable judging an employee’s ethical standards.”Ms. Boehme recounts a time she worked with a company’sCEO to align compensation with compliance and ethics. Thecompany ultimately tied 25% <strong>of</strong> bonus to ethical leadershipmeasures. A set <strong>of</strong> behaviors was determined and employeeswere measured against them by managers, peers, and directreports.The rollout <strong>of</strong> the program came a few months into the year,which provided both challenges and a validation <strong>of</strong> the program.“I had managers coming to me with comments along the lines<strong>of</strong> ‘This is unfair. I should have been told about this. Had Iknown, I would have acted differently,’ but that’s how youknow it’s being taken seriously.”A copy <strong>of</strong> the full survey report can be found in the Resourcessection <strong>of</strong> the SCCE website: www.corporatecompliance.org/survey04 nHow much impact does the ethics and compliance function have in thecompensation process for the executives at your organization?Don’t knowA great dealSomeVery littleNone9%12%0% 5% 10% 15% 20% 25% 30%How much impact does the ethics and compliance function have in thecompensation process for non-executive employees?Don’t knowA great dealSomeVery littleNone6%8%0% 5% 10% 15% 20% 25% 30%Do compliance and/or ethics metrics have a significant impact on bonus orincentive compensation awards?Don’tKnow9%No76%Yes15%22%27%29%28%29%30%<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200923

The Fraud Enforcementand Recovery Act <strong>of</strong>2009: Legislative changesand new challengesEditor’s Note: Cheryl Wagonhurst is aPartner at Foley & Lardner LLP in LosAngeles. She may be contacted by e-mail atcwagonhurst@foley.com.Rick Rifenbark is Senior Counsel, Foley &Lardner LLP in Los Angeles. He may becontacted at rrifenbark@foley.com.On May 20, 2009, PresidentObama signed into law theFraud Enforcement andRecovery Act <strong>of</strong> 2009 (FERA). Despitethe new political structure on CapitolHill, FERA crossed party lines and wasgenerously supported by both divisions<strong>of</strong> the legislative branch, with a Senateaffirmative vote <strong>of</strong> 92-4 at the end <strong>of</strong>April and a House approval vote <strong>of</strong> 338-52 one week later. The Senate sponsoredthe bill in order to strengthen the federalgovernment’s capacity to investigate andprosecute various types <strong>of</strong> fraud relatedto federal assistance and relief programs,including mortgage fraud, securitiesand commodities fraud, and financialinstitution fraud. FERA’s enactment hassubstantially increased the government’spower to regulate fraudulent activity byexpanding the scope <strong>of</strong> liability undervarious criminal statutes and by enactingnew amendments to the federal FalseClaims Act (FCA). 1Overview <strong>of</strong> FERAAt its essence, FERA is intended tocombat various forms <strong>of</strong> financial fraud.By: Cheryl Wagonhurst and Rick RifenbarkOne <strong>of</strong> the most significant changes FERAcreates is the authorization <strong>of</strong> increasedfunding for federal financial fraud enforcement.As part <strong>of</strong> a larger mortgage fraudlegislation that expands the reach <strong>of</strong> thecriminal mortgage fraud and money-launderingstatutes, FERA appropriates andallocates new funding in excess <strong>of</strong> $500million over the next two years to aidfederal law enforcement, the US Securitiesand Exchange Commission, and the USDepartment <strong>of</strong> Justice in investigating andprosecuting fraud cases. 2 President Obamasupported FERA and signed the bill intolaw two weeks after it passed in Congress,and less than four months after the billwas first introduced. The President justifiedthis budget increase, claiming that theadditional funding will help governmentalprograms identify fraudulent activity andprotect the innocent Americans who couldbe affected.FERA also amends sections <strong>of</strong> the UnitedStates Criminal Code related to fraudagainst the government by amplifyingthe number <strong>of</strong> individuals and companieswho can be held accountable for fraudulentactivity. For example, Section 2 <strong>of</strong>FERA alters the term “financial institution”in the Criminal Code (18 U.S.C.§ 20) to now include a mortgage lendingbusiness <strong>of</strong> any person or entity thatmakes, in whole or in part, a federally-relatedmortgage loan. FERA also amendsthe false statements in mortgage applicationsstatute (18 U.S.C. § 1014), theCheryl Wagonhurstmajor fraud statute (18 U.S.C. § 1031),the federal securities statute (18 U.S.C.§ 1348), and the federal money launderingstatutes (18 U.S.C. §§ 1956, 1957).The effect <strong>of</strong> these amendments will mostlikely be an increase in fraud prosecutionsunder these laws.One <strong>of</strong> the most significant changesimposed by FERA are the amendmentsto FCA, a civil fraud statute that imposescivil penalties <strong>of</strong> $5,500 to $11,000 perclaim, plus three times the amount <strong>of</strong>damages inflicted on the government.Among other important changes (discussedin more detail below), the scope <strong>of</strong>liability under the FCA is extended(1) from persons who make a false statementor claim, to virtually any recipient<strong>of</strong> federal funds, and (2) to anyone whoknowingly and improperly retains agovernment overpayment, regardless <strong>of</strong>whether the entity used a false statementor claim to do so.Specific changes to the FCAFERA makes a number <strong>of</strong> significantchanges to the FCA. Its FCA amendmentsare designed to increase the reach<strong>of</strong> the FCA and to protect the whistleblowerswho bring FCA actions againstcompanies, including:August 200924<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

n Applicability <strong>of</strong> FCA tosubcontractorsFERA revises former FCA Sections3729(a)(1) and (a)(2) in order to respondto certain case law and expand the applicability<strong>of</strong> the FCA. In former Section3729(a)(1) [now Section 3729(a)(1)(A)],FERA modified the FCA to remove therequirement that a false or fraudulentclaim be presented “to an <strong>of</strong>ficer or employee<strong>of</strong> the United States Governmentor a member <strong>of</strong> the Armed Forces <strong>of</strong> theUnited States.” FERA also modifies thedefinition <strong>of</strong> “claim” to include a requestor demand “for money or property andwhether or not the United States has titleto the money or property” to either “an<strong>of</strong>ficer, employee, or agent <strong>of</strong> the UnitedStates” or “a contractor, grantee, or otherrecipient, if the money or property is to bespent or used on the Government’s behalfor to advance a Government program orinterest….” The effect <strong>of</strong> these changes(and the changes discussed below) is toinclude within the purview <strong>of</strong> the FCAthose subcontractors that present claims,statements, or records to contractors butdo not directly submit such claims, statementsor records to the government.FERA also makes three changes to formerSection 3729(a)(2) [now Section 3729(a)(1)(B)]. The first change is the removal <strong>of</strong>the phrase “to get” from that subsection,which repudiates certain FCA case lawthat held that the phrase “to get” imposeda supplemental intent requirement. Thesecond change increases the potentialfor liability by replacing the phrase “paidor approved by the government” with“claim.” As discussed above, the reviseddefinition <strong>of</strong> “claim” reinforces the factthat the fraudulent claim need not bemade directly to the government, but cannow be made to any recipient <strong>of</strong> governmentfunding, as long as the money isused on the government’s behalf or toadvance a government interest. Lastly,FERA adds a materiality requirement(i.e., the false record or statement mustbe material to a false <strong>of</strong> fraudulent claim).In explaining its rationale for amendingthese provisions, Congress noted that theamendments were in response to “erroneousinterpretations <strong>of</strong> the law” 3 apparentin cases such as U.S. ex rel Totten v.Bombardier and Allison Engine Co. v. U.S.ex rel Sanders. These cases limited the reach<strong>of</strong> the FCA and reduced the scope <strong>of</strong> thegovernment’s authority to apply the FCAto subcontractors who did not directlysubmit claims to the government.In Totten, a former employee <strong>of</strong> NationalRailroad Passenger Corporation (Amtrak)filed suit under the FCA against certainAmtrak contractors, alleging that thecontractors had supplied parts to Amtrakthat did not meet contractual specifications.4 The Court affirmed the lowercourt’s dismissal <strong>of</strong> the claim, noting thatthe “presentment clause” <strong>of</strong> the FCAwas not satisfied because the contractorssubmitted their invoices to Amtrak(a government grantee) and not directlyto “an <strong>of</strong>ficer or employee <strong>of</strong> the UnitedStates Government.”Four years later, in Allison Engine, theSupreme Court emphasized the intentrequirement implied in former Sections3729(a)(2) and (a)(3) <strong>of</strong> the FCA. 5 InAllison Engine, the US Navy had contractedwith two shipbuilders to build destroyers.The shipbuilders in turn contracted withAllison Engine Company, which enteredinto subcontracts with two companies toassist in the assembly <strong>of</strong> generators for thedestroyers. Former employees <strong>of</strong> one <strong>of</strong> theRick Rifenbarksubcontractors filed suit under the FCA,alleging that Allison Engine Company andthe subcontractors had knowingly submittedinvoices for work that did not meetthe Navy’s requirements, and that AllisonEngine Company and the subcontractorshad issued false certificates <strong>of</strong> compliancewith those specifications. The SupremeCourt held that the FCA’s phrase “toget” in former Section 3729(a)(2)(i.e., “[any person who] knowingly makes,uses, or causes to be made or used, afalse record or statement to get a false orfraudulent claim paid or approved by thegovernment”) required an intent to makea false statement that is material to thegovernment’s decision to pay a false claim.Therefore, the relators would have toprove that the false claims were made withthe intent <strong>of</strong> encouraging the governmentto pay or approve payment <strong>of</strong> a false orfraudulent claim, as opposed to simply defraudinga contractor. The Supreme Courtinterpreted former Section 3729(a)(3) ashaving a similar intent requirement.In the legislative history <strong>of</strong> FERA, Congressexpressed that Totten and AllisonEngine were contrary to the congressionalintent <strong>of</strong> the FCA, because the holdingsexempted subcontractors who knowinglyContinued on page 26<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200925

The Fraud Enforcement and Recovery Act <strong>of</strong> 2009: Legislative changes and new challenges ...continued from page 25submitted false claims to general contractorswho were then paid with governmentfunds. Noting the need for change,Congress drafted the FCA amendments;thus significantly narrowing, if not overruling,the related case law and increasingthe scope <strong>of</strong> federal power. As a result <strong>of</strong>these changes, subcontractors and otherentities who do business with recipients<strong>of</strong> federal funds now have increased exposureunder the FCA.n “Reverse” False ClaimsThe FCA amendments clarify that entitiesthat improperly retain overpaymentsfrom the government (referred to as “reverse”false claims) are liable under theFCA as well. Former Section 3729(a)(7)required that a false record or statementbe used to “conceal, avoid, or decreasean obligation to pay or transmit moneyor property to the Government” forFCA liability to attach. Section 3729(a)(7) has been replaced by Section 3729(a)(1)(G), which imposes liability if a falserecord or statement is “material to anobligation to pay or transmit money orproperty to the Government” or if a person“knowingly conceals or knowinglyand improperly avoids or decreases anobligation to pay or transmit money orproperty to the Government.” Although“improperly” is not defined, the FCAamendments add the following definition<strong>of</strong> “obligation” in Section 3729(b)(3): “an established duty, whether or notfixed, arising from an express or impliedcontractual, grantor-grantee, or licensorlicenseerelationship, from a fee-basedor similar relationship, from statute orregulation, or from the retention <strong>of</strong> anyoverpayment....”Under the revised Section 3729(a)(1)(G),FCA liability can exist even when there isno false claim, record, or statement submittedto the government (or a governmentcontractor or grantee). As Congressdiscussed in its Senate Report, “the violation<strong>of</strong> the FCA for receiving an overpaymentmay occur once an overpaymentis knowingly and improperly retained,without notice to the Government aboutthe overpayment.” 6Revised Section 3729(a)(1)(G) shouldbe <strong>of</strong> particular interest to health careproviders, because the retention <strong>of</strong>Medicare overpayments by providerscould, depending on the facts, be viewedas actionable under the FCA, if doneknowingly and otherwise in violation <strong>of</strong>the FCA. However, the Senate Reportissued in connection with FERA clarifiesthat retentions <strong>of</strong> overpayments thatare permitted by regulatory or statutoryprocesses for reconciliation do not violatethe FCA, provided that any such retentionis not based on any willful act <strong>of</strong> therecipient to increase its payments fromthe government when the recipient is notentitled to such increase. 7n Materiality standardsThe FCA amendments attempt to resolvea split in case law by inserting a materialityrequirement into two provisions<strong>of</strong> the FCA [Section 3729(a)(1)(B) andSection 3729(a)(1)(G)]. In each <strong>of</strong> thosesections, a person must submit a falserecord or statement that is material to theclaim or obligation. However, the FCAamendments broadly define “material” as“having a natural tendency to influence,or be capable or influencing, the paymentor receipt <strong>of</strong> money or property.” Thus,this materiality requirement may not<strong>of</strong>fer defendants as much protection asthey would have expected under certaincustomary materiality standards.n Expansion <strong>of</strong> Retaliation ProtectionFERA amended the FCA to protectagents and contractors, in addition toemployees, from retaliatory actions in theevent they bring an action to stop FCAviolations. As a result, contractors andagents now are entitled to reinstatementwith the same seniority status as theywould have had, but for any discriminationdue to their FCA action, two timesthe amount <strong>of</strong> back pay, interest on theback pay, and compensation for any specialdamages sustained as a result <strong>of</strong> thediscrimination, including litigation costsand reasonable attorneys’ fees.n Relation-back for governmentcomplaintsFERA added Section 3731(c) to theFCA, which provides that if the governmentintervenes in an FCA lawsuit andfiles its own complaint or amends thecomplaint <strong>of</strong> a whistleblower, the government’spleading will “relate back” for statute<strong>of</strong> limitations purposes to the originalfiling date <strong>of</strong> the complaint <strong>of</strong> the personwho originally filed the action. However,the government’s complaint must ariseout <strong>of</strong> the conduct or transactions thatwere set forth in the original complaint.Section 3731(c) may eliminate certainstatute-<strong>of</strong>-limitation arguments thatexisted under prior law.ConclusionGiven the amount <strong>of</strong> federal funds beinginfused into the United States’ economy,it is not surprising that the governmentis focused on combating various forms<strong>of</strong> financial fraud. FERA represents atargeted effort on the part <strong>of</strong> the governmentto deter fraud and to hold liablethose individuals who are responsiblefor committing fraud. As discussedabove, FERA’s amendments to the FCAAugust 200926<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

significantly expand the types <strong>of</strong> individuals and entities whomay be subject to the FCA. In particular, subcontractors andgrantees in industries that receive federal funds (e.g., transportation,energy, defense, healthcare, and environmental industries)will certainly want to be mindful <strong>of</strong> the FCA’s changes and thelegislative intent to overturn relevant case law.Because the FCA amendments may lead to an increase in FCAenforcement activity, compliance <strong>of</strong>ficers and compliance committeesshould take several proactive steps to avoid unnecessaryliability, including:1. Communicating the changes and the relevant impact to theorganization’s board and management and ensuring that theorganization has the appropriate staffing and structure torespond to these new risks;2. Examining policies and procedures relevant to the changes(e.g., reporting policies, billing policies, HR policies);3. Providing training to relevant employees, which wouldinclude how to respond to allegations <strong>of</strong> misconduct;4. Investigating all allegations <strong>of</strong> misconduct and establishinga process <strong>of</strong> triaging the allegations in order to conduct theappropriate level <strong>of</strong> investigation;5. Evaluating the effectiveness <strong>of</strong> the hotline system;6. Monitoring financial relationships with government payments,contractors and subcontractors; and7. Monitoring the overall effectiveness <strong>of</strong> the organization’scompliance program on a bi-annual basis. nThe authors wish to thank Archana R. Acharya, our summerassociate, for her contributions to this article.1 31 U.S.C. §§ 3729-37332 Foley & Lardner LLP Legal News Alert, May 20, 2009.3 Fraud Enforcement and Recovery Act, Senate Report 111-10, Section 4, 111thCongress, 1st Sess., at 10. March 23, 2009.4 U.S. ex rel Totten v. Bombardier, 380 F.3d 488 (2004).5 Allison Engine Co. v. U.S. ex rel Sanders, 128 S. Ct. 2123 (2008).6 See fn. 4, at 15.7 Id.Congratulations toCCEP designees!The <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong>and <strong>Ethics</strong> (SCCE) <strong>of</strong>fers you theopportunity to take the Certified<strong>Compliance</strong> and <strong>Ethics</strong> Pr<strong>of</strong>essional(CCEP) certification exam.Paul R. AllenKatsuko ArimaMary AuKelly Dawn BarbeeJames Charles BarryDonald B. BauerRobert BerrySusan A. BlairScott A. CarlsonBernard William CoerberJose ColondresNatalie Ann CorellaElena Isabel CrosbyKristine CrouchSandra DewberryRosalie S. FarinaPeter Joseph FazioAndrea M FlaniganCraig GeorgeJulian GomezDavid C. GouldDianne K. GreeneClaude D. GrimesOdell GuytonShaun D. HouseJohn P. KingMonique Michele LamiraultKevin LicciardiHaley G. LincourtJo-Anne M. LongoMark LukerMarilyn R. McVayRosalind MedleyMichael L. MillsDebbie A. MoralesJeffrey A. NormanAdebayo Olusola OyewoleGregory Allen PersingerJeffrey Neal PetersonGreg Scott RadinskyGlyn RogersAlysa Christmas RollockDavid RubinKatie Hunter SmithLori A. SpencePaul T. StoneErin Aileen StraitsCatherine TannerAndrew Jackson ToppsDeanne VarnerMark Joseph VolanskyJames H. WaltonJackie Lynn WardAchieving certification has required a diligent effort by these individuals.CCEP certification denotes a pr<strong>of</strong>essional with sufficientknowledge <strong>of</strong> relevant regulations and expertise in compliance processesto assist corporate industries in understanding and addressinglegal obligations. CCEPs promote organizational integrity throughthe development and operation <strong>of</strong> effective compliance programs.Questions? Please contact:Liz Hergert at +1 952 933 4977, 888 277 4977or CCEP@corporatecompliance.org.<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> & <strong>Ethics</strong>6500 Barrie Road, Suite 250, Minneapolis, MN 55435<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200927

A risk-based approach toethics and complianceEditor’s note: Greg Triguba is a lawyer andconsultant whose background includes extensiveexperience developing and managing ethics,compliance and risk management programs inpublicly-held, corporate environments. Withprior in-house experience as an ethics andcompliance <strong>of</strong>ficer, his expertise includes buildingand implementing program frameworksand infrastructure from the ground up andmanaging key program components and initiatives.Greg can be contacted at greg.triguba@compliance-integrity.com.Abusiness colleague <strong>of</strong> minefrequently quotes the lyrics <strong>of</strong>an ex-Beatle, the late GeorgeHarrison: “If you don’t know where you’regoing, any road will take you there.”Rock and roll doesn’t usually play much<strong>of</strong> a role in the ethics and compliancefield, but I’m going to suggest that GeorgeHarrison <strong>of</strong>fers some ironic wisdom forethics and compliance pr<strong>of</strong>essionals thesedays as they grapple with the challenges <strong>of</strong>building and managing effective ethics andcompliance programs while also dealingwith reduced or frozen operating budgets.In simple terms, without direction and apath, there’s little chance you’ll get muchout <strong>of</strong> your program.By Greg Triguba, JD, CCEPAddressing the challenges head-on byadopting a “risk-based” approach tobuilding and managing your ethics andcompliance program will maximize youropportunity for success and enable aprogram with clear objectives, priorities,and a roadmap to get you there. In thesetough economic times, it has never beenmore important for ethics and compliancepr<strong>of</strong>essionals to be especially smartabout setting priorities and making themost <strong>of</strong> the resources available.Economic challengesIt’s an understatement to say that theseare especially challenging times for ethicsand compliance pr<strong>of</strong>essionals.Case in point: a front page New YorkTimes article recently contained a veryclear and direct warning to companieslarge and small. When asked to commenton the current outlook for prosecution<strong>of</strong> corporate fraud, US Justice Departmentspokesman Matthew A. Millerused carefully chosen language: “It will bea top priority <strong>of</strong> the Justice Departmentto hold accountable executives who haveengaged in fraudulent activities.”But even as regulators and law enforcementagencies step up the pace <strong>of</strong> new investigationsand prosecutions, the currenteconomic climate is putting enormouspressure on corporate budgets, to includethose allocated to ethics and complianceprograms. More than ever, corporateboards and CEOs are demanding areturn on investment from their ethicsand compliance budgets and expectingtangible and measurable results fromevery element <strong>of</strong> their ethics and complianceprogram. Often, these businesspressures and economic challenges creategreater risk situations when management(including ethics and compliance pr<strong>of</strong>essionals)are forced to pick and chooseamong needs for financial reasons. Toavoid this pitfall, finding and adaptingmore effective and efficient approaches,Greg Trigubarather than eliminating core elements <strong>of</strong>a program are key to success and a riskbasedapproach to design, planning, andimplementation will help you get there.It’s important to resist the temptationto use budget constraints as an excusefor not putting needed program infrastructuresin place. Rather, consider theincreased risk <strong>of</strong> the times and get startedon the most important and immediateneeds first. When those are in hand,then methodically plan and addressremaining risks in a thoughtful andtimely way. Along the path, don’t forgetto reach out and leverage all the resourcesavailable to you.Amidst all this discussion <strong>of</strong> budgetsand hard times, never lose sight <strong>of</strong> theoverarching argument on behalf <strong>of</strong> a solidethics and compliance framework, whichis, at its heart, a business case. The fact isthat strong ethics, compliance, and riskmanagement programs encourage andreinforce a sustainable culture <strong>of</strong> ethicalbehavior. This in turn helps prevent badthings from happening in the first placeand helps to facilitate the detection <strong>of</strong>wrongdoing early enough to minimizeserious harm to the organization.August 200928<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

So how does consideration and management<strong>of</strong> risk make a difference in yourprogram?Taking a risk-based approachIt’s generally accepted that sound andongoing risk management practices arean essential element <strong>of</strong> success for anyethics and compliance program and theorganization as a whole. Risk assessment,along with other fundamentals, such asrisk identification, prioritization, andmitigation efforts (including auditingand monitoring), drive great programsand healthy companies. Moreover, clearownership <strong>of</strong> risk management and itsprocesses throughout an organizationbrings great results and embeds processesinto the business for sustainable success.For context, “risk” can be defined as “thethreat or probability that an action orevent, will adversely or beneficially affectan organization’s ability to achieve itsobjectives.” “Risk management“ refers tothe identification, assessment, and prioritization<strong>of</strong> risks, followed by coordinatedand economical application <strong>of</strong> resourcesto minimize, monitor, and control theprobability and/or impact <strong>of</strong> unfortunateevents (See, www.Wikipedia).In many cases, traditional ethics andcompliance programs are developed andmanaged by establishing infrastructuresconsistent with applicable standards, butwithout primary considerations <strong>of</strong> riskor priority in planning and implementation.This approach is certainly not idealto a core objective <strong>of</strong> “prevention” in thatit <strong>of</strong>ten leaves companies vulnerable andexposed to their greatest and, perhaps,undiscovered risks. Among other things,this tends to create a more “reactive”environment with respect to risk andfurther, presents challenges with respectto the allocation <strong>of</strong> resources.Conversely and more effectively, takinga risk-based approach means the organizationis planning and implementingits ethics and compliance program in amore preventive and prioritized way (i.e.,taking into account and addressing itsmost important risks first—those withthe greatest likelihood <strong>of</strong> occurrence andimpact to the organization—and thenaddressing other risks in an ordered andthoughtful way). This methodologynot only helps establish priorities, clearobjectives, and mitigation planning/management,but also enables more effectiveallocation and use <strong>of</strong> resources.It’s important to remember that certainrisks exist regardless <strong>of</strong> the controls andefforts that are put in place to mitigatethem. It’s not all about eliminatingrisk, but rather, also about how youintelligently manage those risks. Riskmanagement and employing a risk-basedapproach to your ethics and complianceprogram is a living process, and organizationsshould continually review and assesstheir risks as part <strong>of</strong> an ongoing riskmanagement program and strategic plan.Risk management and programeffectivenessSo where is the synergy between riskmanagement and ethics and complianceprogram effectiveness?Effective ethics and compliance programshave common infrastructures: Ethicalcultures, oversight and accountability,clear and applicable standards andprocedures, comprehensive awarenessand communication strategies, effectivemonitoring, auditing and reportingsystems, incentive plans, fair and consistentenforcement procedures, periodicrisk assessment and on-going programevaluation and improvement.To help ensure that these infrastructures areeffective and firing on all cylinders, regularand meaningful risk assessment and riskmanagement are essential to keep yourprogram on track. Every program shouldstart with and be managed according to athoughtfully designed strategic plan thatis directly enabled by sound and effectiverisk management practices. Ongoing riskassessment helps facilitate plan developmentand implementation, which in turneffectively addresses and prioritizes risks facingthe organization and enables a roadmapthat is both scalable and sustainable.Regardless <strong>of</strong> whether your program is in thebeginning stages or more advanced, some keyrisk management takeaways to keep in mind:n Don’t try to do it all at once – Romewasn’t built in a day. Take a thoughtfuland risk-based approach to implementingand managing your program;n When focusing on the most importantrisks facing the organization (thosewith the greatest probability andimpact), don’t forget to address otherlow-hanging fruit along the way (i.e.,those quick wins that bring value anddemonstrate progress for your efforts);n Don’t try to fix what isn’t broken…yet!Leverage existing resources to the extentthat they already support programgoals and objectives and be creativein how they might help advance theprogram to the next level; andn Continually network and benchmarkwith others in your industry to stay intouch with emerging risks and challenges.Continued on page 30<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200929

A Risk-based approach to ethics and compliance ...continued from page 29Risk-based approach: Primaryconsiderations and focusSetting priorities is essential when consideringrisks specific to your organizationand industry, and good risk managementhelps you get there. For example, if yourcompany markets heavily on a global basis,you might have an understandable riskfocus on the US Foreign Corrupt PracticesAct and other applicable anti-corruption/anti-bribery laws. As a result, you mightwant to look closely at your sales, marketing,and finance divisions, as well as thirdpartybusiness relationships that can be aparticularly high risk in this situation.If your company primarily marketsto global consumers directly over theInternet, you might want to place greaterrelative emphasis on issues <strong>of</strong> data protection– which can vary widely dependingon your industry, operating locations,and the differing laws and regulationsfrom jurisdiction to jurisdiction.For each risk area—whether corruptionand bribery overseas or privacy and dataprotection—you should inventory currentand planned global business operationsand organizational structures, with an eyetoward detail such as divisional budgets,employee headcounts, and projectionsfor growth and expansion. Doing so willhelp with more thoughtful and proactivemitigation planning and management.The key is to align the company’s ethicsand compliance initiatives proportionatelywith its businesses and develop ameaningful and prioritized approach. Itis also important to demonstrate that youhave a plan to align and integrate compliancerisks into other programs that addressoperational, financial, and strategicrisks. Leveraging existing resources inthis regard will be important and willhelp you get the buy-in and support fromsenior management that is so critical tosuccess. For example, consider partneringwith your company’s risk managementfunction and/or internal auditto establish and manage an enterpriseportfolio view <strong>of</strong> risks.Of course, just as the ethics and complianceprogram is being pressured bybudget constraints, other departmentswithin the organization are likely beingpressured in a similar way. All businessunits are finding ways to do more withless in these tough times. With budgetspressing on all organizational personnel,it’s more important than ever for businessunit leaders to know and own their riskissues and to be accountable for newventures or changes that could potentiallyintroduce new or unintended risks.<strong>Ethics</strong> and compliance leaders musthave strong relationships with operatingpersonnel to ensure that business unitchanges in staff, programs, and activitiesdon’t introduce any significant newand unidentified risks at the businessunit level and that clear ownership andon-going mitigation efforts are managed.Moreover, with budget pressures at hand,ethics and compliance resources can alsoserve the business by providing tools andsupport that will help reduce risk and lossand can positively affect the bottom line.A few additional and importantconsiderations:n Never let your handling <strong>of</strong> budget “priorities”be interpreted as meaning thatsome risk areas are not important tothe company. Don’t indefinitely ignorerisks that may be <strong>of</strong> lower priority;n Efforts to address and mitigateethics and compliance risks should beprimary considerations and should notbe compromised or prioritized belowassociated or competing business risks;n Set aside resources and the timeneeded to continually test, audit, andmonitor your initiatives as an ongoingpart <strong>of</strong> your risk management efforts;n Regardless <strong>of</strong> budgetary constraints,continually assess and determine ifyour risk management efforts areactually working and effective throughongoing review <strong>of</strong> controls and othermitigation efforts;n Invest and utilize tools and resourcesthat help streamline and drive efficienciesin your risk managementprogram. In the long-term, theseresources will positively impact yourbottom-line;n Partner with your internal team andleverage existing resources, enlisting,for example, the support <strong>of</strong> HumanResources, Internal Audit, IT, Legal,Communications, and/or <strong>Corporate</strong>Security;n Assure leadership engagement and supportat the “global” level <strong>of</strong> your businessas well as within individual businessunits. Include your board, senior leadership,and middle management; and,n Stay current on industry trends and issuesas well as new developments in thefields <strong>of</strong> ethics, compliance, and riskmanagement. This ongoing practicewill keep you constantly learning and“in the know.” It will also provideimportant tools, resources, and informationthat will help you and yourorganization manage risk moreeffectively and intelligently.ConclusionIn the end, a risk-based approach toethics and compliance does indeed focusAugust 200930<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

attention on the return-on-investmentbusiness ideal by, among other things,reducing risk exposures and the costsassociated with compliance failures. Inshort, it helps business operate better onmany levels. If executed properly, riskbasedthinking helps demonstrate that agood ethics and compliance program iswell worth the investment.In the spirit <strong>of</strong> George Harrison’s wisdom:A risk-based approach to your ethicsand compliance program helps definewhere you’re going and gives you a greatpath to get there! nThe information, opinions and/or commentarycontained in this article are notintended to serve as legal advice. It isrecommended that parties consult withlegal counsel when developing and managingtheir ethics, compliance and riskmanagement programs.<strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong> PreviewSession 105: Personality and Process: Navigating the Politics <strong>of</strong> Municipal<strong>Compliance</strong> (Monday, September 14th from 11:00 am – 12:00 pm)The application <strong>of</strong> best practices in corporate complianceand ethics from the private to the public sectorposes a unique set <strong>of</strong> challenges for compliance pr<strong>of</strong>essionals.In this session, the Executive Director, AnthonyO. Boswell, and the First Deputy Director, Dr. Mark E.Meaney, <strong>of</strong> Chicago’s new Office <strong>of</strong> <strong>Compliance</strong> discusssome <strong>of</strong> the challenges they have faced in the developmentand implementation <strong>of</strong> Chicago’s complianceprogram, the nation’s first program for a municipality.Anthony O. Boswell, Executive Director, Office <strong>of</strong><strong>Compliance</strong>, City <strong>of</strong> ChicagoMark Meaney, First Deputy Director, Office <strong>of</strong><strong>Compliance</strong>, City <strong>of</strong> ChicagoAttend SCCE’s 8th Annual <strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong> in Las Vegas in September to hear more!Visit www.complianceethicsinstitute for complete conference and registrationinformation.Anthony BoswellMark Meaney501 Ideas for Your <strong>Compliance</strong> and <strong>Ethics</strong> Program:Lessons from 30 Years <strong>of</strong> Practice<strong>Compliance</strong> expert Joe Murphy’s idea guide will help you jumpstartyour compliance and ethics program, covering key areas such as:u establishing and enforcing a programu identifying compliance & ethics risksu benchmarkingu evaluating effectivenessu and much more!“Joe Murphy has given us an invaluable gift, a compilation<strong>of</strong> his thoughts and ideas based on his lifelong learning.”Odell Guyton, Director <strong>of</strong> <strong>Compliance</strong>/Senior <strong>Corporate</strong> Attorney,Micros<strong>of</strong>t Corporation,U.S. Legal–Law and <strong>Corporate</strong> AffairsOrder your copy from SCCE today: $50 for SCCE members; $60 for nonmembers<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200931

In-house attorney-clientprivilege: When does itexist?Editor’s note: Gordon Ownby is GeneralCounsel for Cooperative <strong>of</strong> AmericanPhysicians, Inc, in Los Angeles. He may becontacted at: gownby@cap-mpt.com.Although many companies havemade the decision to separatetheir ethics and compliancefunctions from their legal departments,the reality for most organizations is tobring in the general counsel when facedwith an ethical question. In such cases,the expectation <strong>of</strong> confidentiality isessential to a frank discussion on ethicalchoices. Counsel need to be vigilent,however, when the discussions stray fromlegal issues. Here’s one way your company’sgeneral counsel may face the issue:It’s mid-morning when the CEO tellsyou that you are to join her and someother executives for a lunch meeting atCa de Sole. The place has your favoriteNorthern Italian cuisine—and you’re s<strong>of</strong>ocused on what you’re going to orderthat you don’t even ask about the topic <strong>of</strong>the meeting.After some light conversation over theprosciutto and melon, the CEO and theVPs at the table finally get to the issue athand: a business venture that you had notpreviously known about. After a minuteor so, the CEO stops the meeting, turnsto you and says: “Oh, by the way, you’rehere so that this discussion stays confidential.”It’s just about then that yoursquid-ink risotto turns cold.By Gordon OwnbyDo you see anything unusual about thatscenario (other than the squid ink)?Do you think it could happen—or that ithappens <strong>of</strong>ten?As General Counsel (GC), we certainlylike to consider ourselves important tothe organization and to the other <strong>of</strong>ficers.But chances are, you aren’t invited tomeetings to talk about the effectiveness <strong>of</strong>the company’s specialty-media advertisingstrategy or your impressions <strong>of</strong> the colorpalette <strong>of</strong> the website redesign. You’rethere to give legal advice.So, even if you have to gently advise yourboss that your mere presence won’t keepthe entire discussion forever free fromprying depositions (and thereby riskbeing excused before the corso secondo),certainly whatever you say or are asked issafe territory, right?In researching this topic, I was surprisedto learn that “the attorney-client privilegeis the oldest <strong>of</strong> the privileges for confidentialcommunications known to thecommon law.” (8 J. Wigmore EvidenceSec. 2290). I guess that means that afterwe attorneys got our privilege, we feltOK in asking judges to extend similarrights to spouses, patients, and sinnersconfessing to their clergy.But up until just a few decades ago,the privilege <strong>of</strong> confidentiality enjoyedamong a corporation and its attorneywas somewhat limited. Under a conceptcalled the “control group test,” the confidentiality<strong>of</strong> communications with anattorney applied only to a corporation’s<strong>of</strong>ficers and agents who were responsiblefor directing the attorney’s actions inresponse to the legal advice. Put anotherway, only the senior management,guiding and integrating a corporation’soperations, was considered analogous tothe corporation as a whole.In 1981, though, the United StatesSupreme Court did away with the“control group test” via Upjohn v. UnitedStates (449 U.S. 383). The Upjohn casedealt with an investigation, announcedby the pharmaceutical company’s CEOand conducted by its GC, into possibleillegal payments to government <strong>of</strong>ficialsmade by some <strong>of</strong> the company’s foreign<strong>of</strong>fices. The investigation includedquestionnaires sent to the company’s farflungpersonnel, asking for informationon payments made through those foreign<strong>of</strong>fices. The materials were markedconfidential and were returned directly tothe GC. When the company eventuallyvoluntarily reported to the InternalRevenue Service on the matter, the IRSsought all the information provided tothe GC. Not satisfied with the companysupplying the names <strong>of</strong> those who wereinterviewed, the IRS sought the actualdocuments that had been sent to the GC.In reversing the lower court’s ruling toturn over the documents, the SupremeCourt explained how the “control grouptest” was bad public policy:The narrow scope given the attorneyclientprivilege by the court below notonly makes it difficult for corporateattorneys to formulate sound advicewhen their client is faced with a specif-August 200932<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

ic legal problem, but also threatens tolimit the valuable efforts <strong>of</strong> corporatecounsel to ensure their client’s compliancewith the law.And the court in Upjohn said somethingthat General Counsel know all too well:The attorney’s advice will als<strong>of</strong>requently be more significant to noncontrolgroup members than to thosewho <strong>of</strong>ficially sanction the advice. . . .Yes, if only those senior managers wouldfollow our advice as willingly as otheremployees do!OK, so Upjohn has been the law fornearly three decades. Are there situationsin which our regular activities—sometimesperformed over a tantalizing plate<strong>of</strong> osso bucco—are nevertheless open todiscovery?A useful case from Rhode Island <strong>of</strong>fers afive-part test for assessing the confidentiality<strong>of</strong> our day-to-day jobs. And it isso well organized that although it maynot be legally authoritative in your state,the judges’ reasoning can certainly helplawyers explain the facts <strong>of</strong> life to theirbosses.The case, Waltz v. Exxon Mobil Corporation(2007, C.A. No. P.C. 02-2436),deals with a request by the plaintiffs forthe defendants to produce documents.The defendants produced “hundreds <strong>of</strong>boxes <strong>of</strong> documents,” but also withhelda number <strong>of</strong> documents on the basis <strong>of</strong>attorney-client privilege, the joint defenseprivilege, and the work product privilege.The defendants provided several“privilege logs” and also, after a “meetand-confer,”some additional documents.Then they held firm.The plaintiffs (after first arguing thatthe documents listed in the defendants’privilege log are not privileged), claimedthat the documents they sought fell intoat least one <strong>of</strong> five categories which makethem non-privileged communications:1. Documents that do not show on theirface that an employee <strong>of</strong> the defendanthad the authority to obtain or act onlegal advice on behalf <strong>of</strong> the corporation;2. Memoranda between non-lawyercorporate employees, which have beencarbon-copied or forwarded to legalcounsel for screening purposes;3. Communications between counseland defendants’ employees that wereshared with third parties or used inprior litigation;4. Handwritten notes which simplyidentify an attorney, but that do notcontain confidential legal advice; and5. Communications where the dominentpurpose <strong>of</strong> the memoranda is not toprovide or obtain legal advice or assistance,but rather to provide businessadvice.Let’s look at each <strong>of</strong> these. (By the way,although this is a case out <strong>of</strong> RhodeIsland, the authorities cited by the courtare from many jurisdictions).n Communications with theattorney were not with thosewho have authority to act onbehalf <strong>of</strong> the corporation.Well, this was obviously an attempt bythe party seeking the information toresurrect the “control group test”—andthe court was not impressed. CitingUpjohn, the judge said that an “employeein a corporate setting no longer needs‘authority’ to seek or act upon legal advicefor a communication with counsel to beprivileged. Nice try.n Putting the attorney as a “cc” ina memo between non-lawyers.Like that ever happens! Actually, theRhode Island judge said this was a matter<strong>of</strong> first impression in the state and so herelied on what other federal courts havesaid. The weight <strong>of</strong> authority says thatmerely “carbon copying” communicationsbetween two non-attorneys tocorporate in-house counsel is “clearlyinsufficient to establish the privilege .. .” In one <strong>of</strong> the cases cited, a courtstated that “A letter carbon copied toan attorney fell beyond the scope <strong>of</strong> theattorney-client privilege because it wasnot primarily directed to an attorney, didnot seek legal advice, and merely servedto keep the attorney informed <strong>of</strong> the content<strong>of</strong> the letter.” (Royal Surplus Lines v.S<strong>of</strong>amor Danek Group, 1998, W.D. Tenn.190 F.R.D. 463, 475).But other cases say that it is also true thatcarbon copying a document to an attorneydoes not automatically disqualify it frombeing protected. (In re Avantel, 5th Circuit2003 342 F. 3d 311.) So, if the communication“was made for the purpose <strong>of</strong>securing primarily (1) an opinion on law;(2) legal services; or (3) assistance in somelegal proceeding,” it may be protected.“Conversely, a communication that wasmade for the purpose <strong>of</strong> securing businessadvice or public relations strategies, thatwas generated for informational purposes,or that consists <strong>of</strong> any incidental communicationsto an attorney should not beprotected by the attorney-client privilege,regardless <strong>of</strong> whether it was carbon copiedto corporate counsel.”Continued on page 34<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200933

In-house attorney-client privilege: When does it exist? ...continued from page 33n Communications used in priorlitigation or shared with tradeassociationsThe court noted that these were two issuesand quickly said that any documentsthat had been disclosed in prior litigationshould be turned over. The court thenwent to the second issue: disclosure to athird party (in this case, allegedly, a tradeassociation). In doing so, the Rhode Islandcourt considered exceptions amongvarious jurisdictions to the well-establishedrule that disclosure <strong>of</strong> confidentialcommunications to a third party willgenerally result in a waiver <strong>of</strong> privilege.The most common way to keep sharedcommunications confidential is the“joint-defense” or “common-interest”rule. Communications between a lawyerand certain third parties can remainconfidential when an attorney representstwo or more clients or when separatelawyers represent two or more clients in asingle action. Sometimes, though, communicationsto a non-party (such as atrade association) can qualify for the jointdefense privilege.In considering whether the joint defenseprivilege can apply to communicationswith a non-party, a court will look atthe “actual or potential relationship <strong>of</strong>the parties” to see if there is a “sharedinterest in any potential litigation.” Thus,the “privilege protects the free flow <strong>of</strong>information for the purpose <strong>of</strong> receivinglegal advice, either in contemplation <strong>of</strong>litigation or in attempting to avoid it.The common defense, however, mustat least be foreseeable” (Royal SurplusLines). Importantly, “the privilege arisesout <strong>of</strong> a need for a common defense, asopposed merely to a common problem.”So, as the Rhode Island court distilled itfor us: “One relying on the joint defenseprivilege must establish that: (1) therewas an existing litigation or a strongpossibility <strong>of</strong> future litigation; and (2) thematerials were provided for the purpose<strong>of</strong> mounting a common defense to it.”In the Exxon Mobil case before it, theRhode Island court said that the defendantshad better present some facts about therelationship between Exxon and twopetroleum trade groups to meet such a test.n Hand-written notes identifyingan attorney, not containing legaladviceThe Rhode Island court noted that just aswith the use <strong>of</strong> a “cc”, simply placing anattorney’s name in a hand-written notedoes not meant that the document isprivileged. The court suggested using thesame analysis as the carbon-copied notes(i.e., looking into the meeting discussionfor information on its purpose to seeif there was a privilege and looking atthe participants attending the meetingto determine if any privilege had beenwaived).n Communications that may bebusiness advice or legal adviceNotwithstanding why anyone would turnto an attorney for business advice in thefirst place, the predominant view <strong>of</strong> thefederal courts is that “for a communicationto be privileged, it must have beenmade for the purpose <strong>of</strong> seeking legaladvice.” (In re Ford Motor Co., 110 F.3d954, 965; 3rd Cir. 1997). The “privilegedoes not protect an attorney’s businessadvice.” (U.S. v. Chevron 241 F. Supp 2d1065, 1076; N.D. Ca 2001).So, to protect something that might beconstrued as “business advice” involvingin-house counsel, the proponent <strong>of</strong> theprivilege “must make a ‘clear showing’that the ‘speaker’ made the communicationsfor the purpose <strong>of</strong> obtaining orproviding legal advice.” (Chevron TexacoCorp. 241 F. Supp. 2d at 1076). And ifthe legal and business advice are inextricablyintertwined, “the legal advice mustpredominate over the business advice,and not be merely incidental, for thecommunications to be protected by theattorney client privilege.” (Philip Morris,2004; U.S. Dist. LEXIS 27026 a *16)As the test, the Rhode Island court saidthat “if the predominant purpose <strong>of</strong> thecommunication . . . was to provide businessadvice, analysis, or strategy, it willnot be protected by the attorney-clientprivilege. Of course, if a communicationcontains both legal and non-legal advice,the burden is on the proponent <strong>of</strong> theprivilege to establish that it was made forthe purpose <strong>of</strong> obtaining legal advice.One <strong>of</strong> the ways that corporate legal departmentsadd value, (and stay strong inthe face <strong>of</strong> downsizing) is by making surethat in-house lawyers know the businessas well as anyone else. And many GCstrive for a role in which the CEO doesn’tfeel like she is coming just to see a lawyer,but instead to get another experiencedviewpoint on a business approach.That’s great, but it is the responsibility<strong>of</strong> the lawyer to remind and educatethe CEO that when those discussionsstray beyond the legal issues at hand, thebenefits <strong>of</strong> that advice may not includecomplete confidentiality.Chances are, you’ll still get invited backto lunch. nAugust 200934<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Your <strong>Compliance</strong> and <strong>Ethics</strong>C o n n e c t i o nSCCE is the premier provider<strong>of</strong> compliance & ethicseducation and certificationJoin Us Today!Connect with an organizationdedicated to improvingthe quality <strong>of</strong> corporategovernance, compliance,and ethicswww.corporatecompliance.orginfo@corporatecompliance.org+1 952 933 4977 or 888 277 4977Continued on page 35<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200935

Letter from the CEO ...continued from page 13special interest group and start sharingdocuments, the s<strong>of</strong>tware that SCCE andHCCA uses loads the group’s documentsinto your special interest group’sdocument library. The library builds overtime. Documents are stored with keywords. Key words can be added by anyonewho looks at the document, allowingeasier searching for those who follow.The document can be rated by viewers.Comments can be added, allowing othersto help make the document more applicableto others. The pr<strong>of</strong>ile (i.e., job tile,work place, education, experience etc.)<strong>of</strong> the person who added the documentcan be reviewed, giving you confidence(or not) that the document is well puttogether.Blogging is another area that has a badreputation, just because some peoplecover unacceptable topics or they dither.Like buying any good book, you justcan’t just grab anything <strong>of</strong>f the shelf. Youhave to look for well-written books ontopics <strong>of</strong> interest to you. Blogs are nodifferent. Some are full <strong>of</strong> pr<strong>of</strong>oundlyhelpful insights by incredibly knowledgeablepeople, and some are full <strong>of</strong> junk.And it costs you nothing—you can accessit from your desk, you can comment onthe blog, you can rate the blog, or youcan start your own blog. Therein lies anincredibly interesting additional benefitfew have realized. Social networks alsohave many other features that you willdiscover over time.People ask me all the time how they canbecome more involved in their industry.People sometimes even complainthat the same people get picked to writeor speak at conferences, because theyare a member <strong>of</strong> “the Good Old BoysClub.” I have a secret. The assumptionis primarily misguided. In the circles Irun in, there is no Good Old Boys Club.There are no members. There are nosecret meetings to pick Good Old Boys.I have never been asked to be in one. If Ihad been asked, I would have told themwhat Groucho Marks once said, “I refuseto join any club that would have me asa member.” The Good Old Boys Clubis a total myth. It doesn’t exist. Thereis no list. The reason some people getmore opportunities than others is becausethey try harder to become involved thanothers. Some don’t give up. Some arepersistent. Some people, when they aregiven an opportunity, make an extraeffort to do a great job. When they do,they get asked again and again. Theyget asked again, because people knowwho they are and that they can dependon them. Then, people looking on fromthe sidelines call them Good Old Boys.Good Old Boys get to be Good Old Boysand get opportunities again and again,because they were persistent, reliable,and easy to work with. Then they getso many <strong>of</strong>fers, they have to becomeselective about what opportunities theycan do. Those who are a part <strong>of</strong> theGood Old Boys Club are there becausethey volunteered <strong>of</strong>ten. And when theywere picked, they worked hard, met theirdeadlines, and were easy to work with(low maintenance.) Now, there maybe some exceptions, but the fact thatpeople can’t break into their pr<strong>of</strong>ession isprimarily because <strong>of</strong> effort and their followthrough—or lack there <strong>of</strong>. The goodnews is that because <strong>of</strong> Social Networking,there is no excuse. Everyone hasan equal chance to become a Good OldBoy. The bad news is, those looking onand accusing others <strong>of</strong> excluding themare toast. There will be no more excuses,because the Social Network and all <strong>of</strong> itselements, such as blogging, adding documents,asking and answering questionson a listserve, is open to anyone.If you want to be more involved in yourpr<strong>of</strong>ession, build your resume, makemore contacts, or become more respected.The ball is now in your court. Althoughthey exist, there are fewer GoodOld Boys than you think. And there isstill time to get into the social networkingworld while there is less competition.Some will build a name for themselvesbefore it gets too crowded and too competitive.They may not be able to do thatafter there is more competition.There are social networks related to ourpr<strong>of</strong>ession on LinkedIn. HCCA andSCCE are experimenting with Twitter toget breaking news to their constituency.In three weeks, 1,900 HCCA membersand 1,800 SCCE members have signedup for the news via Twitter. Blogs arespringing up everywhere. Donna Boehmhas an excellent e-newsletter on subjectsrelated to compliance and ethics.Facebook is another tool that some areexperimenting with, but the benefit atthis point escapes me. I am convincedthat somebody, somewhere, will be usingFacebook to share important complianceand ethics information and/or for pr<strong>of</strong>essionalnetworking.There is a lot out there. It can consumeyour time, if you let it. However, likeany tool used appropriately, it can supplementyour education and networking. nAugust 200936<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

DESIGN EFFECTIVE TACTICSfor avoiding and minimizing theimpact <strong>of</strong> fraud and corruptionwithCORPORATE RESILIENCY:Managing the Growing Risk <strong>of</strong>Fraud and CorruptionAuthors Toby J.F. Bishop and Frank E. Hydoski <strong>of</strong>fer clear techniques and practicalinsights and highlight traps to avoid when crafting a proactive fraud and corruptionrisk management process. This book is written for members <strong>of</strong> boards <strong>of</strong> directorsand audit committees, senior executives, those who advise or report to them, andthose responsible for managing fraud and corruption risks.ORDER YOUR COPY FROM SCCE TODAY:$44.95 for SCCE members / $49.95 for nonmembersGet started today on your careermaking powerful organizations safer and more ethicalEnron. WorldCom. Arthur Andersen. Tyco. If you’re wondering how a system fraught with criminaland ethical misbehavior could possibly be right for you, authors Joseph E. Murphy and Joshua H. Leethave the answer: Join what smartmoney.com calls one <strong>of</strong> America’s top ten fastest growing fields.Their book, Building a Career in <strong>Compliance</strong> and <strong>Ethics</strong>, is the first ever to give step-by-stepinstructions on how to establish a career making powerful organizations safer and more ethical.You’ll discover:• The wide range <strong>of</strong> compliance and ethics jobs• The skills and temperament needed for this field• Practical ways to prepare for and get ahead in your career• Steps for conducting an effective job search• Advice from seasoned compliance and ethics pr<strong>of</strong>essionals in the field• Tips for “selling” your compliance and ethics program to upper managementBuilding a Career in <strong>Compliance</strong> and <strong>Ethics</strong> is your guide to doing well by doing good!SCCE6500 Barrie Road, Suite 250Minneapolis, MN 55435Phone +1 952 933 4977, 888 277 4977FAX +1 952 988 0146info@corporatecompliance.orgwww.corporatecompliance.orgOnly $29.95. Visit www.corporatecompliance.org to order.August 200937

August 200938Are you protecting yourorganization againste-mail misuse? Abenchmarking surveyEditor’s note: Rebecca Walker is a partnerat the law firm <strong>of</strong> Kaplan & Walker LLP,located in Santa Monica, California andPrinceton, New Jersey. She is a member <strong>of</strong>the Advisory Board <strong>of</strong> the SCCE and is theauthor <strong>of</strong> Conflicts <strong>of</strong> Interest in Businessand the Pr<strong>of</strong>essions: Law and <strong>Compliance</strong>,published by Thomson West. She may becontacted by e-mail at rwalker@kaplanwalker.com.This is the third in a series <strong>of</strong> benchmarkingarticles in <strong>Compliance</strong> and <strong>Ethics</strong>.The first article was published in our April2009 issue and the second one appears inthe June 2009 issue.Electronic mail is fast, efficient,easy to organize and store, inexpensive,and environmentallyfriendly. Indeed, it seems impossible topicture life (business or personal) withoutit. However, as is common knowledgeby now, although e-mail createsenormousefficiencies for organizations, it alsoposes serious risks <strong>of</strong> legal liability andreputational harm. A review <strong>of</strong> theSecurity and Exchange Commission’s(SEC) complaint filed on June 4, 2009against Countrywide’s former CEO,Angelo Mozilo, serves as a stark reminder<strong>of</strong> the need to exercise caution in writinge-mails. It seems that much <strong>of</strong> theevidence against the former CEO inthat case was written by the defendanthimself. It also brings to mind Mozilo’sBy Rebecca Walker, Esq.e-mail gaffe in 2008, when he accidentallyhit “reply” instead <strong>of</strong> “forward” whennegatively commenting on an e-mailfrom a customer – sending the remarksto the customer, who sent them on tothe press.Countrywide’s woes are just one <strong>of</strong> manyrecent examples <strong>of</strong> e-mail getting organizationsinto serious trouble. There is theclassic story <strong>of</strong> the Micros<strong>of</strong>t antitrustcase, <strong>of</strong> course; the Boeing/Stonecipherlove letter e-mails; the Enron e-mails;the Arthur Andersen e-mails (the mostfamous being the e-mail from in-housecounsel reminding employees to complywith Andersen’s records management policy);the research analyst e-mails (trashingsome <strong>of</strong> the very stocks the analysts’ firmswere touting);and countlessothers. Thepotential riskscreated bybusiness e-mailare manifold:language thatwill later beused againstorganizations in47%PublicCompanyinvestigations or litigation, a mechanismfor harassment, copyright infringementor disclosing confidential informationregarding the company or its partners, orthe creation <strong>of</strong> material that later appearsin an adverse context in the press.How compliance and ethics canhelp mitigate riskAs with all areas <strong>of</strong> compliance risk,organizations can use several differenttypes <strong>of</strong> compliance “tools” to mitigatethe risks created by electronic mail,including written policies, certifications,training on appropriate use, auditing,and monitoring. The value <strong>of</strong> such toolsseems indisputable. As one commentatorhas opined, “There is no good reason tonot have” a policy in place governing use<strong>of</strong> corporate computer systems, includinge-mail. 1To gather valuable benchmarking data,SCCE disseminated to its members ashort (seven question) survey regardinge-mail policies, training, and othercompliance controls. The survey wasanswered by a total <strong>of</strong> 59 respondents.Nearly half (47%) were from publiclyheldorganizations, and 24% were fromprivately-held companies. The remainingrespondents were from non-pr<strong>of</strong>its(10%), educational institutions (10%),and government entities (8%).10% Educational24%Private Company8% Governmental10% Non-pr<strong>of</strong>itThe survey indicated that organizationsuse a variety <strong>of</strong> tools to attempt to controlfor the risks created by e-mail, includingwritten policies, certifications, training,auditing, and monitoring techniques.However, although nearly all organizationshave a written e-mail use policy, a large<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

number <strong>of</strong> organizations do not use theother compliance tools at their disposal—despite the fact that the vast majority<strong>of</strong> respondents (60%) have suffered theconsequences <strong>of</strong> e-mail misuse.Harms sufferedTo understand the extent to whichorganizations have been subject to e-mailabuse, the SCCE survey asked whetherrespondents’ organizations have sufferedthe consequences <strong>of</strong> inappropriate orill-advised e-mail usage. A whopping60% <strong>of</strong> respondents reported that theyhave been harmed by e-mail misuse.About one third (30%) <strong>of</strong> respondentsindicated that their employees’ e-mailhas been used against their organizationsin litigation or investigations. Ahefty 9% responded that confidentialinformation has been inappropriatelydisclosed over their organization’s e-mailsystem, and 21% indicated that theyhave been harmed by employee e-mailusage in some other way. Only 40% <strong>of</strong>respondents answered that their organizationshave not been harmed by employeee-mail use.No, 40%The prevalence <strong>of</strong> e-mail misconduct andthe harm that befalls organizations thatare subject to it indicate the importance<strong>of</strong> adequate compliance controls in thisarea. The remaining survey questionssought to examine the types <strong>of</strong> controlsmost used by organizations to mitigatee-mail risks.E-mail policiesWritten policies areundoubtedly the 34%most basic – andmost prevalent –type <strong>of</strong> compliance 69%control utilized inmost areas <strong>of</strong> legalrisk. That certainly27%holds true in thearea <strong>of</strong> e-mail use.Only one organizationreported thatNo, 3%it does not have awritten policy governing employee use<strong>of</strong> electronic mail. More than a quarter(27%) <strong>of</strong> respondents indicated that theirorganization has a stand-alone policy onelectronic mail, and 69% stated that theire-mail policy is part <strong>of</strong> a broader computeruse or information technology policy.About one third (34%) <strong>of</strong> respondingorganizations also include their e-mailpolicy as one <strong>of</strong> the topics addressed intheir code <strong>of</strong> business conduct.The survey also asked respondentswhether they ask employees to certifyto their writtenYes, email has been used againstus in litigation or investigations, 30%Yes, confidentialinformationdisclosedoverYes, have been harmed byemail, 9%employee email in other way, 21%e-mail policy. Specifically,<strong>of</strong> thoserespondents whoindicated that theirorganization hasa computer use orinformation technologypolicy ora stand-alone electronic mail policy, thesurvey asked whether their organizationsrequire employees to certify to receiptand/or understanding <strong>of</strong> that policy.In other words, the survey sought toascertain whether employees are asked tocertify to receipt or understanding <strong>of</strong> thee-mail or information technology policy,Yes, e-mail policy in code <strong>of</strong> conductYes, part <strong>of</strong> broad computer use policyYes, stand-alone policy on e-mailseparate from any request to certify toreceipt or understanding <strong>of</strong> the code<strong>of</strong> business conduct more generally. Asurprisingly large number <strong>of</strong> respondentsindicated that employee certificationsare required at their organizations. Fortypercent (40%) <strong>of</strong> respondents stated thatemployees are asked to certify to receiptand/or understanding <strong>of</strong> the e-mail orcomputer use policy upon initial receipt<strong>of</strong> the policy, and 21% said that certificationis required on a periodic basis, suchas when the policy is re-disseminated.The remaining 39% do not require employeecertifications.The survey did not address what topicsare covered by organizations’ e-mailpolicies. However, based on an informalreview <strong>of</strong> several organizations’ policiesperformed by this author, those topicsthat are typically addressed include:n Company right to monitor use <strong>of</strong>e-mail on company systems, and noticethat employees should have no expectation<strong>of</strong> privacy when they use companye-mail (possibly with a caveat regardingapplicable local [non-U.S.] law);n Policy regarding personal use <strong>of</strong> companye-mail (whether and the extent<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgContinued on page 41August 200939

<strong>Compliance</strong> & <strong>Ethics</strong> AcademiesBecome a Certified <strong>Compliance</strong> & <strong>Ethics</strong> Pr<strong>of</strong>essionalAttend one <strong>of</strong> the SCCE 2009 Academiesand sit for the exam on the fifth dayfollowing a four-day intensive training session“This four-day course was the most robust theoretical support on the compliance &ethics discipline I could ever attend. And the caliber <strong>of</strong> the invited speakers was impressive,as well. The feedback to my colleagues was very short: a first-class course. I stronglyrecommend this course.” — Zaur Ahmadov, <strong>Compliance</strong> & <strong>Ethics</strong> Advisor, Group<strong>Compliance</strong> & <strong>Ethics</strong>, BP (British Petroleum)October 5-9Orlando, FLCCEP Exam October 10November 2-5Scottsdale, AZCCEP Exam November 6The <strong>Compliance</strong> & <strong>Ethics</strong> Academy is a four-day intensivetraining course designed for participants with a basic knowledge <strong>of</strong> compliance concepts.The Academy covers specific subject matter in depth and is a great preparation course for theCCEP exam. (The course provides you with sufficient credits required to sit for the exam.)Becoming CCEP certified demonstrates sufficient knowledge <strong>of</strong> government regulationsand compliance processes to understand and address legal obligations and promoteorganizational integrity through the operation <strong>of</strong> effective compliance programs.August 200940Register online at www.corporatecompliance.orgQuestions? Call +1 952 933 4977 or 888 277 4977<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Are you protecting your organization againste-mail misuse? A benchmarking survey...continued from page 39Yes,certifyuponreceipt<strong>of</strong>policy,40%Yes,Certify onperiodicbasis,21%No,39%to which personal use is permitted, and information regardingno expectations <strong>of</strong> privacy, even where personal e-mail oncompany systems is concerned);n How to draft appropriate e-mails and what should not becontained in e-mail, including harassing, threatening,embarrassing, pornographic, false, abusive, <strong>of</strong>fensive, orindecent content;n Reminder that, while e-mail may seem temporary, it is easilyforwarded and retained;n Prohibition against sending confidential information withoutapproval;n Use <strong>of</strong> encryption technology, where appropriate;n Respect <strong>of</strong> copyright and trademark;n A reminder that the company’s non-harassment and non-discriminationpolicies apply to use <strong>of</strong> company e-mail systems;n Prevention <strong>of</strong> wasteful and inappropriate practices, such asforwarding jokes, chain e-mails, and junk e-mails;n Protecting computer security;n Retaining and deleting e-mail;n Language regarding at-will status <strong>of</strong> employees (where applicable);andn Discipline for violations <strong>of</strong> the policy.TrainingGiven that so many organizations (and certainly all those organizationsthat responded to the SCCE’s electronically-disseminatedsurvey) use e-mail, and given the number <strong>of</strong> organizations thathave experienced problems from e-mail misuse, it seems that someform <strong>of</strong> e-mail training would also be nearly universal, at leastamong survey respondents. However, in response to the question <strong>of</strong>whether their organization trains employees on its electronic mailContinued on page 43<strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong> PreviewSession 602: Conflict <strong>of</strong> Interest Case Studies: Gifts &Entertainment and Former Employees Calling Back onthe Organization(Tuesday, September 15th from 1:30 – 2:30 pm)This presentation will definegifts and entertainment (G&E)and discuss who gives andreceives them. We will look atsome well publicized cases <strong>of</strong>excessive G&E and examine thereasons that led to their abuse.Here are some questions thatwill be answered during thesession. How did key playersrespond to the abuse, and whatdid those organizations heldresponsible do to prevent arecurrence <strong>of</strong> violations? Howare regulators working nowto detect and curb abusivepractices?Mauri MyersPaula SaddlerDoes your organization have controls in place to preventcollusion between current and former employees? Wouldyou be able to identify and prevent a former employee,terminated for egregious violations against the organization,from calling back on your organization? Doesyour policy seek to remove the appearance <strong>of</strong> favoritismbetween your organization and vendors involving formeremployees? Join us and learn about these issues, and whatorganizations are doing to protect their business and theirreputations.Mauri Myers, CCEP<strong>Ethics</strong> Manager, Wal-Mart Store, Inc.Paula F. Saddler, CCEP, CIA, CISA, CFEConsultant (retired <strong>Ethics</strong> Officer, United NationsDevelopment Programme)Attend SCCE’s 8th Annual <strong>Compliance</strong> & <strong>Ethics</strong><strong>Institute</strong> in Las Vegas in September to hear more!Visit www.complianceethicsinstitute for completeconference and registration information.August 200941

August 200942Why should a notfor-pr<strong>of</strong>itorganizationchoose to develop acompliance program? Isit really necessary?Editor’s note: Marcella Henry is a <strong>Compliance</strong>Officer at Sunrise Community Inc. inMiami, Florida. She may be contacted bye-mail at MHenry@sunrisegroup.org.For many years, the focus has beenon the for-pr<strong>of</strong>it world with allthe established regulatory requirementsto ensure that sound and ethicalbusiness practices are being upheld andthat good controls exist. Businesses thatreceive financial funding from variousinstitutions, including governmental organizations,must have checks and balancesin place to ensure that they are operating“above board” and that shortcuts are notbeing created to try and “get around” therules and regulations. In every organization,there should be strong governance,oversight, and accountability.The focus by the regulators and governmentalentities has not been as stringenton the not-for-pr<strong>of</strong>it industry for a longwhile. Given all the negative exposurefrom a select few <strong>of</strong> the large for-pr<strong>of</strong>itcompanies that chose to perform unscrupulousacts (i.e., misuse and mismanagement<strong>of</strong> significant amounts <strong>of</strong> funds), allstones are being turned now to includethose in the not-for-pr<strong>of</strong>it world regardinggovernance, oversight, and accountability.By Marcella HenryWith all the governmental regulatoryrequirements, especially <strong>of</strong> not-for-pr<strong>of</strong>itsthat receive Medicaid and Medicarefunding, clearly the writing is on the wallfor not-for-pr<strong>of</strong>its that have not chosento set up a compliance program; the timeis coming!It has been clearly communicated at thefederal level, through the Health andHuman Services Office <strong>of</strong> the InspectorGeneral (OIG) and Centers for Medicareand Medicaid Services (CMS), that thereis a serious commitment to combatinghealth care fraud. This is evident from theestablishment <strong>of</strong> the Medicaid IntegrityContractors (MIC) as well as the RecoveryAudit Contractors (RACs), whose solemission is to audit providers to ensure thatthey are adhering to all regulatory requirementsand to determine if there is anyevidence <strong>of</strong> fraud, waste, and abuse.It is best for not-for-pr<strong>of</strong>its to “take theplunge” and do so voluntarily before it ismandated by the government, or causedby unethical business practices – whenthe government becomes involved andimposes a <strong>Corporate</strong> Integrity Agreementon the organization. It is no longer anoption to say “I will think about it.”The time has come, borrowing from theNike phrase to say, “Just Do It!” nCall For WebConferencePresentationsWeb Conferences areSCCE’s way <strong>of</strong> communicatingimportant “issuesand challenges” thataffect today’s corporatepr<strong>of</strong>essional. If you area compliance pr<strong>of</strong>essional/legal/consultant,we are looking for yourexpertise to help usdevelop new programs.These programs are90-minute sessions, with60 minutes for presentationand 30 minutes forQ&A.Web Conferences are anew way to do business.They are an excellent opportunityto bring peopletogether and to sharetheir pr<strong>of</strong>essional knowledge.If you or your organizationare interested inpresenting a Web Conferencefor SCCE pleasecontact:marlene.robinson@corporatecompliance.org1-888-277-4977

Are you protecting your organization against e-mail misuse? A benchmarking survey ...continued from page 41policy, 42% <strong>of</strong> respondents indicated thattheir organization does not provide trainingto employees on appropriate e-mail usage.Less than a quarter (24%) <strong>of</strong> respondentsindicated that they have a training coursedevoted to the topic <strong>of</strong> electronic mailusage, and 34% stated that they provideelectronic mail training as part <strong>of</strong> generalcompliance or code <strong>of</strong> conduct training.Most organizations that provide e-mailtraining to employees require either all employeesor all those employees with accessto company computer systems to undergoYes, generalcompliance orcode <strong>of</strong> conducttraining, 34%Yes, trainingcourse foremail usage,23%the training. Specifically, 50% <strong>of</strong> organizationsthat require some form <strong>of</strong> e-mailtraining require all employees with accessto company computer systems to take thetraining, and 42% <strong>of</strong> organizations requireall employees to undergo e-mail training.Only 6% <strong>of</strong> respondents extend the e-mailtraining requirement to management-levelemployees only, and in only one <strong>of</strong> the respondingcompanies is e-mailtraining optional.their organizations employs<strong>of</strong>tware to monitor andscreen electronic mail foruse <strong>of</strong> certain keywords, filetypes, or file sizes, and 29%perform periodic audits <strong>of</strong>e-mail usage. Thus, 70% <strong>of</strong>responding organizationsuse some form <strong>of</strong> monitoringor auditing employeee-mail use. None <strong>of</strong> the respondingorganizations reported that they employs<strong>of</strong>tware that captures key strokes or periodicscreen shots. The remaining 30% <strong>of</strong>respondents do notemploy auditingand monitoringtechniques.No, 43%ConclusionAlthough manyorganizations use a variety <strong>of</strong> complianceand ethics program tools to controlfor the risks created by e-mail usage,there nonetheless seems to be room forimprovement in this area. Although 60%<strong>of</strong> organizations reported being victims<strong>of</strong> e-mail misuse, 42% <strong>of</strong> respondingorganizations still do not provide trainingto employees on appropriate use <strong>of</strong>50%employeeswith access tocompanycomputersystems3%, training is optional42%, Allemployees6%, Management onlye-mail, and 30% do not employ auditingand monitoring tools. The one toolnearly universally used to control for risksis written policies; all but one respondingorganization reported having an e-mailcompliance policy.E-mail use will only continue to increase,and organizations must now alsoconfront the use <strong>of</strong> social media tools,such as Facebook, Twitter, and blogging,which in many ways amplify the risksposed by e-mail. This is an area whereorganizations are well-advised to be activein benchmarking and to continue toreview and revise the controls they havein place to ensure that the risks to the organizationare being addressed adequatelyand appropriately. n1 Russell J. McEwan & Frank A. Custode: “EmploymentLaw Counseling in the Age <strong>of</strong> E-Discovery:Understanding the Importance <strong>of</strong> Computer Useand Document Retention Policies” 255 New JerseyLawyer 15, 17 (December 2008).Auditing and monitoringAccording to the surveyresults, e-mail use is an area <strong>of</strong>compliance in which auditingand monitoring are morecommon than training. Thesurvey asked respondentswhether their organizationsmonitor employee use <strong>of</strong>company e-mail systems.Forty-one percent (41%)<strong>of</strong> respondents stated thatYes,s<strong>of</strong>twarecaptureskeystrokesor screenshots,0%Yes,audits<strong>of</strong>email,28%Yes,s<strong>of</strong>twarefor use <strong>of</strong>keywords,file types,& sizes40%No,32%<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 200943

SCCE Advisory BoardUrton AndersonChair, Department <strong>of</strong>Accounting and Clark W.Thompson Jr. Pr<strong>of</strong>essorin Accounting Education,McCombs School <strong>of</strong>Business, The University<strong>of</strong> Texas at AustinMarjorie Doyle<strong>Ethics</strong> & <strong>Compliance</strong>Advisor, JD, CCEP,Marjorie Doyle &Associates, LLC.Charles ElsonDirector <strong>of</strong> theJohn L. WeinbergCenter for <strong>Corporate</strong>Governance and EdgarS. Woolard, Jr. Chair in<strong>Corporate</strong> Governance,University <strong>of</strong> DelawareOdell GuytonSenior Counsel andDirector <strong>of</strong> <strong>Compliance</strong>,Micros<strong>of</strong>t CorporationSCCE Advisory BoardCo-ChairKeith HallelandEx-<strong>of</strong>ficio AdvisoryBoard MemberFounding partner <strong>of</strong>Halleland LewisNilan & Johnson, PADavid J. HellerIndustry ExecutiveGary HillVice President andChief <strong>Ethics</strong> OfficerWal-Mart Stores, Inc.RetiredMichael HorowitzLitigation partner,member <strong>of</strong> the BusinessFraud and ComplexLitigation Group,Cadwalader, Wickersham& Taft LLP, and formerCommissioner, U.S.Sentencing CommissionShin Jae Kim HongPartner,TozziniFreire AdvogadosSão Paulo, BrazilSean MartinVice President,Commercial Law,AmgenJoseph E. MurphyCo-Founder,Integrity InteractiveCo-Editor, ethikosF. Lisa MurthaPartnerSonnenschein Nath &Rosenthal, LLPDennis MuseIndustry ExecutiveHaydee OlingerVice President–Chief<strong>Compliance</strong> OfficerMcDonald’sCorporationMollie Painter-MorlandDePaul University AssociateDirector, The <strong>Institute</strong> forBusiness and Pr<strong>of</strong>essional<strong>Ethics</strong>; Director, Center forBusiness and Pr<strong>of</strong>essional<strong>Ethics</strong>, University <strong>of</strong> Pretoria,South AfricaDaniel RoachVice President<strong>Compliance</strong> & Audit,Catholic HealthcareWestSCCE AdvisoryBoard Co-ChairJames G. SheehanMedicaid InspectorGeneral, Office <strong>of</strong> theMedicaid InspectorGeneral, New York StateLeonard ShenSenior Vice President–Chief <strong>Ethics</strong> and<strong>Compliance</strong> Officer,American ExpressRoy SnellCEO, <strong>Society</strong> <strong>of</strong><strong>Corporate</strong> <strong>Compliance</strong>and <strong>Ethics</strong>Debbie TroklusAssistant Vice PresidentHealth Affairs/<strong>Compliance</strong>University <strong>of</strong> LouisvilleHealth Sciences CenterSheryl VaccaSenior Vice President/Chief <strong>Compliance</strong>and Audit Officer,University <strong>of</strong> CaliforniaCherylWagonhurstPartner, Foley &Lardner LLP,LA Office, RegulatedIndustries TeamRebecca WalkerPartner,Kaplan & Walker LLPPr<strong>of</strong>essionals representing a broad range <strong>of</strong> industries make up this board.The level <strong>of</strong> diverse experience and pr<strong>of</strong>essional accomplishment is impressive. These industry leaders areenthusiastic and poised to lead the <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> into the future. SCCE promotesthe compliance pr<strong>of</strong>ession by <strong>of</strong>fering valuable programs and tools to enhance knowledge and expertise in thecompliance and ethics field.We are very excited to have such a diverse and experienced group <strong>of</strong> people leading this organization.Roy Snell, CEOAugust 200944<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Get great exposure foryour employment ads!200 words90 daysonly $400!<strong>Compliance</strong> and ethics pr<strong>of</strong>essionalsbelong to a highly specialized field. SCCE can matchqualified individuals with your staffing needs. Takeadvantage <strong>of</strong> SCCE’s Web site to advertise your uniquecareer opportunities.It’s easy and cost effective. List up to 200 words for 90 daysfor only $400. Get worldwide exposure for your classified adto a targeted audience!To post a job:Visit www.corporatecompliance.organd click on Advertising: CareerOpportunities in the left-hand menuwww.corporatecompliance.org+1 952 933 4977 or 888 277 4977The Complete<strong>Compliance</strong>and <strong>Ethics</strong> ManualAn accurate, comprehensive, andauthoritative reference source!Save time by improving the efficiency<strong>of</strong> your compliance program.The manual comes with the full-version CD.Member rate $315.00Non-Member rate $349.00The Complete <strong>Compliance</strong> and <strong>Ethics</strong> Manualincludes more than 400 double-sided pages filledwith up-to-date, valuable information on currentcompliance issues. Large, attractive three-ringbinder with color front, spine, and back cover.Th r e e w a y s t o o r d e r:Mail to: SCCEVisit: www.corporatecompliance.org 6500 BarrieRoad Suite 250Fax: +1 952 988 0146 Minneapolis, MN 55435For more details call+1 952 933 4977, or 888 277 4977<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgContinued on page 45August 200945

SCCE <strong>Corporate</strong> MembersAlfaro-AbogadosContact: Liliana ArauzPartnerlilianaarauz@alfarolaw.comwww.alfarolaw.comAllstate Insurance CompanyLyn ScrineDirector <strong>of</strong> <strong>Ethics</strong> Integrationlscrine@allstate.comwww.allstate.comAmerican Life Insurance CompanyContact: Christine MullenChief <strong>Compliance</strong> OfficerALICOWilm.<strong>Compliance</strong>@aig.com.www.aig.comAmgen IncContact: Maureen MacFarlaneSenior Executive Associatemaumacfa@amgen.comwww.amgen.comAxentisDaylight Forensic & AdvisoryContact: Gloria GeresteinMarketing Managerggerstein@daylightforensic.comwww.daylightforensic.comDellContact: Jeannie McCarterJeannie_mccarter@dell.comwww.dell.comEl Paso CorporationContact: Christina DeLeonchristina.deleon@elpaso.comwww.elpaso.comEnbridge Energy Partners LPContact: Laura RichardsonSr. Legal Administrative Assistantlaura.richardson@enbridge.comwww.enbridge.comEpcorContact: Kelly JuhaskiAdministrative Assistantkjuhaski@epcor.cawww.epcor.caErnst & YoungContact: Chris IdekerGlobal Solutions Leaderchris.ideker@ey.comwww.ey.comFoley & Lardner LLPContact: Cheryl WagonhurstPartnercwagonhurst@foley.comwww.foley.comGlobal <strong>Compliance</strong>Contact: Karen KistenmacherDirector Marketing Communicationskaren.kistenmacherf@globalcompliance.comwww.globalcompliance.comHolland & Knight LLPContact: Christopher A. Myers,Partnerchris.myers@hklaw.comwww.hklaw.comIFCO Systems NA Inc.Contact: Steve WorsterVP <strong>Compliance</strong>steve.worster@ifcosystems.comwww.ifcosystems.com/america/na/en/index.phpIntegrity Interactive CorporationContact: Michael R. Levin, EsqVice Presidentmlevin@i2c.comwww.integrity-interactive.comKaplan EduNeeringContact: Antoinette TaylorMarketing Directorataylor@kaplan.comwww.kaplaneduneering.com/redhawkLRNContact: Donna CulverRegional Directordculver@lrn.comwww.lrn.comMicros<strong>of</strong>t CorporationContact: Odell GuytonSenior <strong>Corporate</strong> Attorney& Director <strong>of</strong> <strong>Compliance</strong>odellg@micros<strong>of</strong>t.orgwww.micros<strong>of</strong>t.comNortelContact: Robert J. BartzokasChief <strong>Compliance</strong> Officerrbartzok@nortel.comwww. nortel.comPNM ResourcesContact: Jim Acosta<strong>Ethics</strong> & Governance Directorjim.acosta@pnmresources.comwww.pnmresources.comPricewaterhouseCoopers LLPContact: Christopher MichaelsonDirectorchristopher.michaelson@us.pwc.comwww.pwc.comQwest CommunicationsContact: Stefan SteinSr Vice Presidentstefan.stein@qwest.comwww.qwest.comSAI GlobalContact: Tia SmallwoodDirector Marketing, Americaswww.saiglobal.comtia.smallwood@saiglobal.comwww.saiglobal.comShook, Hardy & Bacon LLPContact: Carol A. PoindexterPartnercpoindexter@shb.comwww.shb.comSmartPros Legal & <strong>Ethics</strong> LtdCatherine Finamore HenryVP Business Development & <strong>Ethics</strong> Officercfinamorehenry@Smartpros.comwww.Smartpros.comSmith & NephewSyrus GlobalContact: Tia SmallwoodVP Marketing and Product Managementtia.smallwood@saiglobal.comwww.syrusglobal.comThe NetworkContact: Angella DavisMarketing Managerangelladavis@tnwinc.comwww.tnwinc.comThe Steele FoundationToyotaContact: Charlotte A. Neal, MA, CCEP<strong>Corporate</strong> <strong>Compliance</strong> Officercharlotte.neal@tema.toyota.comwww.toyota.comTozzini, Freire, Teixeira, E SilvaContact: Shin Jae Kim HongPartnerskim@tozzinifreire.com.brwww.tozzinifreire.com.brWal-Mart StoresContact: Diane Burgerdiane.burger@wal-mart.comwww.wal-mart.comAugust 200946

<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong><strong>Compliance</strong> & <strong>Ethics</strong> Magazine Advertising Order Form<strong>Compliance</strong> & <strong>Ethics</strong> MagazineThe <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and<strong>Ethics</strong> (SCCE) publishes <strong>Compliance</strong> &<strong>Ethics</strong> Magazine bimonthly. SCCE is anorganization dedicated to enhancing the role<strong>of</strong> compliance pr<strong>of</strong>essionals and advancingcorporate governance,compliance, and ethics.Purpose<strong>Compliance</strong> & <strong>Ethics</strong>Magazine provides currentcompliance regulations,topics, and issues thataffect today’s complianceindustry.Pr<strong>of</strong>essionals in thecompliance field are attracted to <strong>Compliance</strong> & <strong>Ethics</strong> Magazinebecause it is the ultimate source <strong>of</strong> compliance and ethicsinformation, providing organizations with the most current viewson the corporate regulatory environment. National and globalexperts provide informative articles, sharing their knowledge andproviding pr<strong>of</strong>essional support so readers can make informed legaland cultural corporate decisions.Please fill out the following information for your advertisement:Audience Pr<strong>of</strong>ile<strong>Compliance</strong> & <strong>Ethics</strong> Magazine has grown to become one <strong>of</strong> the leadingpublications for compliance pr<strong>of</strong>essionals. <strong>Compliance</strong> & <strong>Ethics</strong> Magazinehas a current distribution <strong>of</strong> over 2,500 readers and is distributed atall SCCE conferences, academies, and workshops. Recipients <strong>of</strong> thisnational magazine are executives and others responsible for compliance:chief compliance <strong>of</strong>ficers, risk/ethics <strong>of</strong>ficers, corporate CEOs and boardmembers, chief financial <strong>of</strong>ficers, auditors, controllers, legal executives,general counsel, corporate secretaries, government agencies, andentrepreneurs in various industries.Why Advertise With SCCE?The wealth <strong>of</strong> news and resources provided by SCCE attractsa desirable business market <strong>of</strong> compliance pr<strong>of</strong>essionals. Webelieve public relations are a great way to build your business, and<strong>Compliance</strong> & <strong>Ethics</strong> Magazine <strong>of</strong>fers you the opportunity to createawareness and access a targeted audience.Rapid GrowthSCCE has grown significantly over the past 5 years, and we lookforward to continuing our expansion with your support.visit www.corporatecompliance.org/CEfor a rate sheet and insertion order formContact Person:Name <strong>of</strong> Company Placing AdvertisementDates <strong>of</strong> Insertion (please check all insertions on the line below):AD DEADLINES 45 days before publication datepublication dates February June October April August DecemberSize <strong>of</strong> Advertisement (please check one): Full-page: trim size 8.5" x 11" (include additional ⅛" bleed) ½ page horizontal: 7" wide x 4.5" high (no bleed) ½ page vertical: 3.5" wide x 9.5" high (no bleed) ¼ page: 4.625" wide x 3.5" high (no bleed)*Note: all ads are black-and-white except for cover ads, which are full-color.If purchasing a color cover, please check below: Inside front cover Back cover Inside back cover<strong>Compliance</strong> & <strong>Ethics</strong> Ad PricesFull-Page Black-&-White AdCost Per Insertion1-2 insertions………$905.003-4 insertions………$735.005-6 insertions………$605.00½ Page Black & White AdCost Per Insertion1-2 insertions ……..$630.003-4 insertions ……..$535.005-6 insertions ……..$455.00¼ Page Black & White AdCost per insertion1-2 insertions…… $375.003-4 insertions…… $335.005-6 insertions…… $320.00Full-Page Full-Color Ad:Cost Per Insertion1-2 insertion …………$1,7253-4 insertions……….. $1,5755-6 insertions……….. $1,500First Name M.I. Last Name<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgTitlePlace <strong>of</strong> EmploymentAddressCity State ZipPhoneFaxE-mailTotal CostCheck enclosed (please make your check payable to SCCE).Invoice me PO #Charge my credit card: Visa MasterCard AmExAccount No.Exp. DateName on CardSignatureFax to: +1 952 988 0146 (ATTN: Marlene Robinson)Mail to: SCCE | 6500 Barrie Road, Suite 250 | Minneapolis, MN 55435, USAAugust 200947

August 200948New SCCE MembersThe <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong>and <strong>Ethics</strong> welcomes the followingnew members and organizations.All member contact information isavailable on the SCCE website in theMembers-Only section:www.corporatecompliance.org.New Jerseyn James Breeding, Rutgers StateUniversity <strong>of</strong> NJn Valerie D. Crossland, South JerseyHealthcaren Garineh Dovletian, Porzio, Bromberg& Newman, PCn Lauren Ferrari, Alcatel-Lucentn Nancy H. Haig, Eisai Corp <strong>of</strong> NAn Kevin Licciardi, Rutgers StateUniversity <strong>of</strong> NJn Haley G. Lincourt, Rutgers StateUniversity <strong>of</strong> NJn Catalina McHale, The CBT Group,LLCn Dawn Stithn David Tomarchio, Munich Re American James Walton, Alcatel-LucentNew Mexicon Carol S. Arneson, Virchow Krause &CompanyNevedan Shari L. Morrison, National SecurityTechnologies LLCNew Yorkn Christina Ament, Federal ReserveBank <strong>of</strong> NYn Jonathan Cohen, Weill CornellMedical Collegen Robert DeCarlo, Slocum DicksonMedical Group, PLLCn Michael T. Donohue, LIM Collegen Rosalie Farina, Bechtel - BMPC -Knolls Atomic Laboratoryn Peter Fazion Maria Garces, Fed Reserve Bank <strong>of</strong> NYn Gloria Gerstein, Daylight Forensic &Advisoryn Michael Luca, Omgeon Rick Rabideau, LRNn Greg Radinsky, Northshore LongIsland Jewish Health Sysn Jay E. Russ, Russ & Russ PCn Michelle Whitlock, LRNOhion Myrna E. Boggioni, Toledo SurgicalSpecialists, Incn Kathleen Gammon, Clear Sight<strong>Compliance</strong>n Linda M. Jeanmougin, Duke Energyn Todd A. Lacksonen, Eisai, Incn Michael Samonas, LexisNexisOregonn David R. Childers, <strong>Ethics</strong>Point Incn Helen Goodwin, Bonneville PowerAdminn David C. Rubin, Bonneville PowerAdminPennsylvanian Donald Bauer, Rothschild SpecialServices, LLCn Julie Colettin Marjorie Doylen Frank I. Fusaro, Pentec Health Incn Theresa Gamble, Erie InsuranceGroupn Janet Himmelreich, BTn Barbara G. Jones, AmeriHealth MercyFamily <strong>of</strong> Companiesn Dorothy C. Sellers, Geisinger HealthSystemn Steven J. Sheinfeld, Rite Aid Corpn Karen Skarupski, Erie Insurance GroupPuerto Ricon Evaluz Cotto, Univ <strong>of</strong> Puerto RicoTennesseen Robert H. Oss<strong>of</strong>f, Vanderbilt UnivMedical Centern Sharon L. Post, St Jude Children’sResearch Hospitaln Michael W. Sheridan, Ceridian CorpTexasn Gary Billions, First Support Services, Incn Lydia A. Cavanaugh, Prairie ViewA&M Universityn Jose Colondres, Jr., BPn Debra S. Fincher, Texas A&M SystemInternal Auditn Joni Gilton, ProComply, LLCn Don F. Guyton, University <strong>of</strong> Houstonn Mary Lee Hodge, Prairie View A&MUniversityn Robert M. Hopkins, Univ <strong>of</strong> TX atDallasn Shaun House, Radioshack Corpn Monique Land-Sedeh, Shell EnergyNorth American Nancy Leverett, Shook, Hardy &Bacon LLPn Mark Luker, Univ <strong>of</strong> TexasIntercollegiate Athleticsn William Parker, Global GeophysicalServices, Inc.n Ronald Phillips, Texas Tech Univ.n Tasmina A. Quddus, Prairie ViewA&M Universityn Glyn Rogers, Univ <strong>of</strong> TexasIntercollegiate Athleticsn Lori Smith, Univ <strong>of</strong> TexasIntercollegiate Athleticsn Faye L. Stallings, El Paso Corporationn Rajan Subramanian, Textert Incn Kay Tanner, Dell Incn Robert W. Tomlin, TransoceanOffshore Deepwater Drilling Inc.n Deanne Varner, Texas GuaranteedStudent Loan Corpn Max Wardrup, Prairie View A&MUniversityn Linda White, BPn Terra Williams, Prairie View A&MUniversityn Todd Witherington, Oil StatesInternational Incn Rene Zayas, Univ <strong>of</strong> Texas Brownsville<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.org

Utahn Jenni DeBartoloViriginan Chad Bailey, Alpha Natural Resourcesn Karen Bryant, Altria Client Services Incn Frank M. Geovannello, Altria ClientServices Incn Michael Hippchen, IntelligentDecisionsn Ted H<strong>of</strong>fman, Agility DGSn Melissa Nealon-Newton, W.F. MagannCorporationn Josephine Pendleton, Eastern VirginiaMedical Schooln Gregory A. Persinger, ITT Night Visionn Jose Soto, STG, Inc.n Andrew Topps, IV, Dechert LLPWashingtonn Andrew Gallo, Seattle City Lightn Robert E. Neate, Puget Sound Energyn Mindy Taylor, Providence Health &ServicesWisconsinn Melissa Haberman, Univ <strong>of</strong> WisconsinCollegesn Timothy Hollar, Alliant EnergyAlberta, Canadan Cheryl A. Persson, EPCOR Utilities Incn Elizabeth Soria, ENMAX CorporationOntario, Canadan Hazel De Burgh, Marsh & McLennanCompanies Incn Ann D. Fraser, Canadian FoodInspection Agencyn Derek Khan, Eli Lilly CanadaBraziln Expedito Luz, GerdauJapann Kazuko Nishida, US Naval ShipRepair FacilityLebanonn Samir Faddoul, Arabia InsuranceC o r p o r a t e Co m p l i a n c e & Et h i c s :G u i d a n c e f o r En g a g i n g Yo u r Bo a r dThis video training kitserves as a call to action for board members, detailing whythey must get involved and stay current on compliance andethics issues.Resources included in the kit:• 12½-minute video in DVD format• Sarbanes-Oxley Act• Federal Sentencing Guidelines• Powers Report on Enron Investigation• Additional white papersOrder online at www.corporatecompliance.orgOrder Today!Non-Members $395 SCCE/HCCA Members $34549<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> and <strong>Ethics</strong> • +1 952 933 4977 or 888 277 4977 • www.corporatecompliance.orgAugust 2009

<strong>Compliance</strong> 101How to Build and Maintain an Effective<strong>Compliance</strong> and <strong>Ethics</strong> ProgramBy Debbie Troklus, Greg Warner, and Emma Wollschlager Schwartz<strong>Compliance</strong> and ethics programs have a clear goal: to prevent, detect and respond to misconduct.Accomplishing that goal takes concerted effort through all levels <strong>of</strong> an organization.In 106 pages, <strong>Compliance</strong> 101 provides the basic information you need to build andmaintain an effective compliance and ethics program in your organization. Its coverageincludes:u The Importance <strong>of</strong> <strong>Compliance</strong> and <strong>Ethics</strong>u The Seven Essential Elements <strong>of</strong> a <strong>Compliance</strong> Programu Organizational Steps for an Effective Programu Tips for Tailoring Your <strong>Compliance</strong> Planu Sample <strong>Compliance</strong> MaterialsThis book is ideal for compliance pr<strong>of</strong>essionals new to the field, compliance committeemembers, compliance liaisons, and board members.Order your copy from SCCE today: $50 for SCCE members; $60 for nonmembersYour SCCE Staff888 277 4977 | +1 952 988 0141 | fax +1 952 988 0146 | www.corporatecompliance.orgSarah AnondsonGraphic Artistsarah.anondson@corporatecompliance.orgLizza CatalanoConference Plannerlizza.catalano@corporatecompliance.orgGary DeVaanGraphic Artistgary.devaan@corporatecompliance.orgMargaret DragonDirector <strong>of</strong> Communicationsmargaret.dragon@corporatecompliance.orgDarin DvorakWilma EisenmanDirector <strong>of</strong> Conferences & Exhibits HR Director/Office Manager/darin.dvorak@corporatecompliance.org<strong>Compliance</strong> Officerwilma.eisenman@corporatecompliance.orgJodi Erickson Hernandez Nancy G. GordonConference PlannerManaging Editorjodi.erickson@corporatecompliance.org nancy.gordon@corporatecompliance.orgLiz HergertCertification Coordinatorliz.hergert@corporatecompliance.orgMelanie GrossMarketing Coordinatormelanie.gross@corporatecompliance.orgKarrie HakensonMember Serviceskarrie.hakenson@corporatecompliance.orgPatti HoskinDatabase Associatepatti.hoskin@corporatecompliance.orgApril KielDatabase Administratorapril.kiel@corporatecompliance.orgCaroline Lee BivonaMegan KowsowskiProject SpecialistAdministrative Assistantcaroline.leebivona@corporatecompliance.org meg.kosowski@corporatecompliance.orgShawn LeonardWebmaster/Privacy Officershawn.leonard@corporatecompliance.orgKatie LuitjensConference Plannerkatie.luitjens@corporatecompliance.orgAmy MaciasMember Servicesamy.macias@corporatecompliance.orgPatricia MeesJennifer PowerCommunications EditorConference Plannerpatricia.mees@corporatecompliance.org jennifer.power@corporatecompliance.orgMarlene RobinsonEditor <strong>Compliance</strong> & <strong>Ethics</strong>Audio/Web Conference Plannermarlene.robinson@corporatecompliance.orgBeckie SmithConference Plannerbeckie.smith@corporatecompliance.orgRoy SnellChief Executive Officerroy.snell@corporatecompliance.orgAugust 200950Charlie ThiemChief Financial Officercharlie.thiem@corporatecompliance.orgAdam TurteltaubVP Member Relationsadam.turteltaub@corporatecompliance.Alison WillfordAccountantallison.willford@corporatecompliance.orgJulie WolbersAccountantjulie.wolbers@corporatecompliance.org

Has Your Company Stalled on theRoute to Sustainable Success?You know where your organization should be.We can help you get there.Destination: A Values-Driven, Performance Culture.The next generation <strong>of</strong> ethics and complianceprograms must focus on fully engagingemployees so that they understand and act inaccordance with the company’s guiding principles.The <strong>Compliance</strong>, <strong>Ethics</strong>, and EngagementQuotient (CEEQ SM ) encompasses three levels <strong>of</strong>program development based on an enterprise-wideapproach to business that integrates and servesthe interests <strong>of</strong> ALL stakeholders.CEEQ is a best principles and best practices benchmarkbased on the latest research and industrystandards in a range <strong>of</strong> disciplines, including:Organizational Development, <strong>Compliance</strong>, <strong>Ethics</strong>,Human Resources, Risk Management and InternalAudit.CEEQ evaluates the following nine elements <strong>of</strong> acompliance and ethics program:>> Values, Culture & Reputation>> Organizational Learning & Pr<strong>of</strong>essionalDevelopment>> Communication>> Measuring, Monitoring, Auditing and Reporting>> Risk Awareness>> <strong>Compliance</strong> & <strong>Ethics</strong> Standards & Procedures>> Personnel Screening and Access Control>> Incentives and Enforcement>> Authority, Responsibility & AccountabilityThe CEEQ methodology culminates in a detailedroadmap for building a values-driven culture thatunleashes employee innovation, performance andproductivity.For more information about CEEQ, please contact:69 Milk Street, Suite 201Westborough, MA 01581Phone: 904.302.5785

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!