Compliance & Ethics Professional - Society of Corporate ...

2012BasicCompliance& EthicsdoN’t miSSyour CHANCEto AttENdAN ACAdEmyiN 2012AcademiesBecome a Certifi edCompliance & Ethicsprofessional (CCEp) ®following this intensivetraining sessionJune 11–14Scottsdale, aZJuly 9–12Shanghai, Chinaaugust 13–16Boston, manovember 12–15orlando, Fldecember 10–13San diego, CaSPACE iS limitEd.rEgiStEr EArly!Learn more & register atwww.corporatecompliance.org/academies

Letter from the CEOby Roy SnellWhat does your complianceofficer know that you,the CEO…don’t?SnellThis is not to imply that complianceofficers are smarter than anyone else.It’s just that compliance officers have aunique seat in your house. Your other advisorsmight have a predilection for finding thingsthat “make your day.” The compliance andethics officer has been asked to prevent,find, and fix problems that maynot “make your day.” Dealing withthe problems when they are small is,of course, preferable. However, dealingwith problems even when theyare small can be stressful. Your otheradvisors may not know how importantit is to deal with the issue early.They may not always tell you what you needto know.It’s not that your compliance officer doesn’twant you to smile. In fact, I am sure they livefor those moments. We published the firstevercompliance professional stress surveyreport just yesterday. About 60% of complianceprofessionals have awakened in the middleof the night and/or wanted to quit in the lasttwelve months, all due to job-related stress.And it’s pretty clear from the results that theCEO’s support and interest in what they knowaffects their stress level. So asking them whatthey know might just help on two fronts. Youwill be more aware of current issues, and youmight help their stress level by being involved.They know about more problems becausethey are looking. They know about more problemsbecause employees trust them or believethey might do something about the problem.As a CEO myself, I know I have to work atdrawing things out of some of my advisors.Some advisors are reluctant to tell you badnews. If you want to know where ethical orregulatory trouble lurks, there is no one else inyour organization with more information thanyour compliance officer.Most of all, they know which problemswon’t go away or get better with age. Theyknow the price you pay when your advisorssuggest you choose to deny and defend orlook the other way. They know the benefitsof preventing, finding, and fixing problems.They know the damage that legal and ethicalproblems can cause. No one cares more aboutthis. No one knows more about preventing,finding, and fixing problems than the complianceofficer. What do they know that you don’tknow? They know just what you are payingthem to know. ✵Contact Roy Snell at roy.snell@corporatecompliance.orgCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 3

“ ”You tell the truth, youdon’t lie; you comeforward when you seesomething that’s wrong.See page 17Compliance & EthicsProfessionalEditor-in-ChiefJoseph Murphy, Esq., CCEP, Of Counsel, CSLG, Haddonfield, NJ,jemurphy@cslg.comExecutive EditorRoy Snell, CCEP, CHC, CEO, roy.snell@corporatecompliance.orgArticles40 Powerful witness preparation:The most important personBy Dan Small and Robert F. RoachThe second in a series of articles about preparing to give testimonyin court or during a deposition.44 Nuts & bolts for boards: What ethicsoversight really means [CEU]By Frank J. NavranAn in-depth look at the roles and responsibilities of individual board members,the ethics committee, and the board as a whole.55 Multinationals and due diligence:What are the red flags?By Charles ThomasSix key principles to prevent bribery and seven warning signs to considerwhen performing due diligence on vendors and suppliers.59 Computers and copyrights:A continuing source ofavoidable liability [CEU]By Thomas W. KirbySeemingly innocent sharing by employees can expose employersto stiff penalties.63 Is your ethics and compliance trainingreally preparing your employees? [CEU]By Charles RuthfordEffective compliance training helps stressed employees think clearlyand develop good habits that lead to good performance.Advisory BoardCharles Elson, JD, Edgar S. Woolard, Jr. Chair in CorporateGovernance, Director of the John L. Weinberg Center forCorporate Governance at University of Delaware.Jay Cohen, Compliance Consultant, Assurant Inc.John Dienhart, PhD, The Frank Shrontz Chairfor Business Ethics, Seattle University; Director,Northwest Ethics Network; Director, Albers BusinessEthics Initiative; Fellow, Ethics Resource CenterOdell Guyton, JD, CCEP, Senior Corporate Attorney,Director of Compliance, U.S. Legal–Finance & Operations,Microsoft CorporationRebecca Walker, JD, Partner, Kaplan & Walker LLPRick Kulevich, JD, Senior Director, Ethics and Compliance,CDW CorporationSteve LeFar, President, Sg2Stephen A. Morreale, DPA, CHC, CCEP, Principal,Compliance and Risk DynamicsMarcia Narine, JD, Vice President Global Complianceand Business Standards, Deputy General Counsel,Ryder System, Inc.Ann L. Straw, General Counsel US, Votorantim CimentosNorth America, Inc.Greg Triguba, JD, CCEP, Principal,Compliance Integrity Solutions, LLCStory Editor/AdvertisingLiz Hergert, +1 952 933 4977 or 888 277 4977liz.hergert@corporatecompliance.orgCopy EditorPatricia Mees, CCEP, CHC, +1 952 933 4977 or 888 277 4977patricia.mees@corporatecompliance.orgDesign & LayoutSarah Anondson, +1 952 933 4977 or 888 277 4977sarah.anondson@corporatecompliance.orgCompliance & Ethics Professional (CEP) (ISSN 1523-8466)is published by the Society of Corporate Compliance and Ethics(SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435.Subscriptions are free to members. Periodicals postage‐paid atMinneapolis, MN 55435. Postmaster: Send address changes toCompliance & Ethics Professional Magazine, 6500 Barrie Road,Suite 250, Minneapolis, MN 55435. Copyright © 2012 Societyof Corporate Compliance and Ethics. All rights reserved. Printedin the USA. Except where specifically encouraged, no part of thispublication may be reproduced, in any form or by any means,without prior written consent from SCCE. For subscriptioninformation and advertising rates, call +1 952 933 4977or 888 277 4977. Send press releases to SCCE CEP PressReleases, 6500 Barrie Road, Suite 250, Minneapolis, MN55435. Opinions expressed are those of the writers and not ofthis publication or SCCE. Mention of products and services doesnot constitute endorsement. Neither SCCE nor CEP is engaged inrendering legal or other professional services. If such assistanceis needed, readers should consult professional counsel or otherprofessional advisors for specific legal or ethical questions.Volume 9, Issue 2Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 5

NewsCompliance & Ethics Professional March/April 2012Almost half of US workershave observed misconductThe Ethics Resource Centerannounced in Januarythe results of its NationalBusiness Ethics Survey. Inits January 5 press release,it stated “Over the past twoyears, 45 percent of U.S.employees observed a violationof the law or ethicsstandards at their places ofemployment. Reporting ofthis wrongdoing was at an alltimehigh—65 percent—butso too was retaliation againstemployees who blew thewhistle: more than one in fiveemployees who reported misconductthey saw experiencedsome form of retaliation inreturn.” To download thecomplete survey results, visitwww.ethics.org/nbes ✵OECD criticizes corruptionenforcement in three nationsThe Organization forEconomic Development’sWorking Group on Briberyreleased three reports inJanuary to chastise threenations for poor corruptionenforcement. The internationalgroup urged Japan,Italy, and Switzerland todo more to implementthe OECD’s Conventionof Combating Bribery ofForeign Public Officials, anagreement that all threecountries had previouslysigned. The group assertedthat Japan and Switzerlandeach had only completed twoprosecutions since signingthe convention, and Italy hadonly sanctioned three companiesand nine individuals,after bringing 60 defendantsto trial. ✵“‘Over the past two years, 45 percentof U.S. employees observed a violationof the law or ethics standards at theirplaces of employment…more thanone in five employees who reportedmisconduct they saw experiencedsome form of retaliation in return.’”Read the latest news online · www.corporatecompliance.org/newsEx-SECofficial finedfor taking jobwith allegedPonzi schemerThe complex fraud caseof Robert Allen Stanfordis far from resolution, butone segment of the casehas concluded. The JusticeDepartment reported inJanuary that a formerSecurities and ExchangeCommission official hasagreed to pay a $50,000 finefor working with the allegedPonzi schemer after allegedlytaking part in SEC decisionsnot to investigate him.Spencer C. Barasch, alawyer who was head ofenforcement in the SEC’sFort Worth regional office,left the SEC in 2005 andwent on to briefly representStanford in an agencyprobe. According to theSEC’s Inspector General, thatwas after Barasch had beeninvolved in SEC decisions notto pursue warnings aboutStanford. Barasch has deniedany allegations of wrongdoing,the Justice Departmenthas reported. However, undera civil settlement, he agreedto pay the maximum fine fora violation of the statute. ✵6 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

NewsSEC changes policy onadmission of guiltThe US Securities andExchange Commissionannounced a fundamentalpolicy shift in Januaryregarding its practice ofallowing defendants to settlefraud charges with only afine payment. In a January 6announcement, Securitiesand Exchange CommissionEnforcement DirectorRobert Khuzami stated thatUK fraud increases50 percent to $3.25BAn analysis of publiclyreported cases of fraud in theUnited Kingdom reveals thatit rose to £2.1 billion ($3.25billion) in 2011, a 50 percentincrease over 2010. The 2011FraudTrack report, producedby the accounting firm BDOLLP, based its analysis oncases of fraud of more than£50,000 in publicly availablecorporations and individualswill no longer be able toassert that they “neither admitnor deny” civil fraud charges,if they have also admitted toor were convicted of a criminalviolation in a parallelcriminal case. The policy willalso apply to defendants whoenter deferred prosecutionagreements with criminalauthorities. ✵reports, including the UK’snational, regional, and localpress.Tax fraud, which accountsfor 36 percent of the total,was significantly higher thanother forms. Employee fraudaccounted for 10 percent,management fraud for 5 percent,and corruption for lessthan 1 percent.” ✵RegulatorsapproveDodd-FrankinvestorprotectionsThe Commodity FuturesTrading Commissionapproved in January new rulesdesigned to rein in banksand their derivatives tradingefforts. The new regulationsinclude requirements that customerfunds must be storedin separate accounts from aninstitutions’ own collateral.The rule targets brokeragefirms and derivative clearingorganizations. “Segregationof customer funds is the corefoundation of customer protectionin the commodityfutures and swaps markets,”said agency Chairman GaryGensler. The change occurredshortly after the collapse of MFGlobal, in which $1.2 billion incustomer money disappeared,and nearly a third has still notbeen located. ✵Thankyou!Has someone done something great for you,for the compliance profession, or for SCCE? Ifyou would like to give recognition by submittinga public “Thank You,” please send it toliz.hergert@corporatecompliance.org.Entries should be 50 words or fewer.Read the latest news online · www.corporatecompliance.org/newsCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 7

SCCE NewsSCCE conference NewsNational conferencesCompliance & Ethics Institute, October14–17, Las Vegas at Aria: New to the agendathis year is the Multinational/Internationaltrack to go along with tracks in Risk, Ethics,Case Studies, General/Hot Topics, andAdvanced Discussion Group. View topics andspeakers, along with other information:www.complianceethicsinstitute.orgHigher Education Compliance Conference,June 3–6, Austin, Texas: Make sure to registerbefore Wednesday, April 25 to save $250.www.highereducationcompliance.orgAcademiesAcademies address methods for implementingand managing compliance programs basedon the Seven Element Approach. Courseswill address subject matter in each of theseareas and better prepare interested parties forthe CCEP exam. The Academy is designedfor participants with a general knowledge ofcompliance concepts and anyone working in acompliance function.www.corporatecompliance.org/academiesRegional conferencesSCCE’s regional conferences are one-dayprograms designed to provide the hot topicsand practical information that complianceprofessionals need to create and maintaincompliance programs in a variety of industries.The 2012 regional conferences include:··Chicago, April 27··New York, May 18··Anchorage, June 15··San Francisco, June 22··Atlanta, October 12··Houston, Nov 2www.corporatecompliance.org/regionalWeb conferencesSCCE members save $850 by purchasing asubscription. Select ten individual session foronly $900 vs. $1,750 if purchased separately.www.corporatecompliance.org/webconferencesThankyou!“Thank you to all the SCCE staff, but especially themeeting planners for their continued hard workand dedication to delivering the best complianceand ethics programs available anywhere!”—Art WeissFind the latest conference information online · www.corporatecompliance.org/eventsCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 9

SCCE NewsSCCE website NewsContact Tracey Page at 952-405-7936 or email her at tracey.page@corporatecompliance.org with any questions about SCCE’s website.Compliance & Ethics Professional March/April 2012Corporate Compliance and Ethics WeekMay 6–12 marks the 8th annual CorporateCompliance and Ethics Week! This is a greattime for your office to set up a new compliancetraining program, raise awareness,and thank employees fortheir dedication to compliance andethics. SCCE has a complimentaryweb conference and downloadableposters, and you can also purchaseproducts online and get greatideas to educate your office on compliance andethics. For more information visit:www.corporatecompliance.org/candeweekUsing incentives in your compliance andethics programA new addition to SCCE’s resource centeris Joe Murphy’s paper on using incentivesin your compliance and ethics program. Itprovides a road map for organizations thatunderstand, yet struggle with, adequate controlof incentives. To download a free copy,check out the Issues & Answer’s section underthe Resources tab.www.hcca-info.org/incentivesThird-party essentialsDo you know the risks posed by your agentsand contractors? Third Party Essentials:A Reputation/Liability Checkup When UsingThird Parties Globally, written by MarjorieW. Doyle, is now available for download onSCCE’s website. This complimentary bookletincludes a checklist to test the health of yourorganization’s third-party controls.www.corporatecompliance.org/compliancebasicsWeb conferencesSeveral web conferences covering many differenttopics are coming up soon. You canregister online for upcoming live webinars.Can’t make the time commitment? Pastweb conferences can be viewed instantlyby streaming the recorded session to yourcomputer. It’s a great way to earn 1.2 CEUstowards your certifications and catch up onthe latest compliance issues.www.corporatecompliance.org/webconferencesFind the latest SCCE website updates online · www.corporatecompliance.orgViewing your CEUs onlineDon’t get stressed out about your certificationrenewal date at the last minute. To stay on topof your CEU credits, make sure they are alllisted in your account. View them under the“Member” tab by clicking on “My Account,”then click on “Activities” and “CEUs.”www.corporatecompliance.orgSCCE’s stress survey results now availableA new survey sponsoredjointly by SCCE and the HealthCare Compliance Associationreveals that the stress levels forcompliance and ethics professionalsare very high. Overall,58% of survey respondentsreported that they often wakeup during the middle of the night worryingabout job-related stress and 60% report havingconsidered leaving their job in the last 12months due to job-related stress. Download acomplimentary PDF of the survey results fromSCCE’s website.www.corporatecompliance.org/surveys10 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

SCCE NewsNewsContact Eric Newman at 952-405-7938 or email him at eric.newman@hcca-info.org with any questions about SCCEnet.SCCEnet (www.corporatecompliance.org /sccenet) is thecomprehensive social network for compliance and ethicsprofessionals. Subscribe to dozens of discussion groupsand get your compliance questions answered. Share yourexperience with your colleagues. Offer your resources andpolicies in the libraries.Download the SCCEnet Mobile App··The SCCEnet mobile app runs on Apple,Android, and Blackberry Devices. Youcan read and post new discussions, searchand download compliancedocuments fromour libraries, and searchthrough the 9,000 SCCEnetmembers in the directory.www.corporatecompliance.org/mobileUpdate your SCCEnet profile using yourLinkedIn ® account··Now you can update your SCCEnet profilewith the information you have on yourLinkedIn profile. This includes your profilepicture, work history, and your LinkedIn ®contacts that are also on SCCEnet.Instructions at http://bit.ly/scceprofileSCCE is now on Google+··Add SCCE to your circles:www.corporatecompliance.org/googleSubscribe to the following SCCEnet compliancediscussion groups:··Go to www.corporatecompliance.org/groups and click“My Subscriptions” to subscribe to discussiongroups and participate.––2012 SCCE Compliance and Ethics Institute––Auditing and Monitoring Compliance Network––Chief Compliance Ethics Officer Network––Communication Training and Curriculum Development––Competition Law and Antitrust Network––Compliance Diversity Forum––Compliance Risk Management––Ethics Forum––European Compliance and Ethics––FCPA: Foreign Corrupt Practices Act Forum––Financial Institutions Network––Global Compliance and Ethics Community––Higher Education Forum––Investment Management Forum––SCCE Compliance Academies––Social Media Compliance––Social Responsibility Forum––Utilities and Energy NetworkPopular resource: Exiting EmployeeCompliance Considerations··Outline of considerations when employeesleave, including trade secrets, recordsmanagement, compliance functions.Available at http://corporatecompliance.org/exitWatch compliance videos on YouTube··Subscribe to SCCE’s YouTube channel:www.youtube.com/compliancevideosPopular discussions··2011 National Business Ethics Survey:http://corporatecompliance.org/NBES··Handbook vs. Policies vs. Code:http://corporatecompliance.org/HPCFind the latest SCCEnet updates online · www.corporatecompliance.org/sccenetCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 11

People on the MoveCompliance & Ethics Professional March/April 2012· Scott Killingsworth hasjoined the Board of Governorsof the Center for Ethics andCorporate Responsibility atGeorgia State University. Aunit of the J. Mack RobinsonCollege of Business at GeorgiaState University, the Centerintegrates the best insightsof scholars and businesspeople to develop strategiesfor addressing the complexethical challenges faced byorganizations. Formerlythe Southern Institute forBusiness and ProfessionalEthics, the Center was establishedin 1993 and became apart of the Robinson Collegein 2007.· Chris DePippo has beenappointed Vice President,Chief Ethics and ComplianceOfficer at CSC, a leadingglobal IT services companyin Falls Church, Virginia.DePippo will report to theAudit Committee of the CSCBoard of Directors and, foradministrative purposes,to William Deckelman, thecompany’s Vice President,General Counsel. MichaelW. Laphen, CSC Chairman,President and CEO said, “TheBoard of Directors and ourexecutive management havebeen very impressed with hispassion and capabilities in thedisciplines of ethics and compliance,and we are confidenthe will provide extraordinaryleadership as we continue tostrengthen our commitmentto building and maintaininga culture of integritythroughout CSC.” DePippojoined CSC in 2008 and holdsan undergraduate degreefrom Cornell Universityand an MBA from GeorgeWashington University.Peopleon theMove· The Board of Directors ofEli Lilly and Company haselected Katherine Baicker,PhD as a new member,effective December 12,2011. Baicker is Professorof Health Economics in theDepartment of Health Policyand Management at theHarvard School of PublicHealth. She is also a ResearchAssociate at the NationalBureau of Economic Researchand an elected member ofthe Institute of Medicine. Asa member of Lilly’s board,Professor Baicker will serveon the Public Policy andCompliance committee. Shewill serve under interimelection and will stand forelection by Lilly shareholdersat the company’s annualmeeting in April 2012.· DCG, a leading providerof corporate services, hasmade two new appointmentsto strengthen its realestate and compliance teams.Andrew McNulty has beenappointed Senior Managerin DCG Real Estate. Andrewis a member of the RoyalInstitution of CharteredSurveyors and is also a directoron a number of Jerseycompanies with exposureto commercial real estate inthe UK. Paul Martlew hasbeen appointed ComplianceManager. His role includesmonitoring and reportingon internal procedures andregulation across DCG’s threebusiness units, CorporateServices and Capital Markets,Real Estate, and Fund Services,as well as internal audit forDCG’s Luxembourg office.Paul joined DCG in 2009 asassistant compliance managerand has over 8 years’ experiencein compliance, includingthe prevention of moneylaundering and combatingthe financing of terrorism.Paul holds the InternationalDiploma in Compliance and12 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

People on the Movethe International Diploma inAnti-Money Laundering. Heis a Fellow of the InternationalCompliance Associationand a Member of theJersey Compliance OfficersAssociation.· Maggie Wetzell has beenappointed Vice President ofContracts and Compliance atOasis Systems in Lexington,Massachusetts, a leader inInformation Technology,Systems Engineering,Enterprise Applications,and Program ManagementServices to the Departmentof Defense. Maggie will beresponsible for supportingall aspects of new proposalgeneration, including contracts,sub-contracts andpricing, as well as post awardcontract compliance. She isa retired senior executive,GS-15 with 38 years of experiencein Contracting andProgram Management withthe Department of the AirForce and 7 years of ProgramManagement/Contracting inthe private sector.Received a promotion? Have anew hire in your department? ·If you’ve received a promotion, award, or degree;accepted a new position; or added a new staffmember to your Compliance department, please letus know. It’s a great way to keep the compliancecommunity up-to-date. Send your updates toliz.hergert@corporatecompliance.org.Get the executive trainingDVDs that workThe Ethics Serieswith Dr. MarianneJenningsProduced by DuPont Sustainable Solutions• “Ethics Is a CompetitiveAdvantage” lists five keyreasons why ethics matter. Thisprogram explores why workingin the gray areas is risky.(20 min.)• “Speaking Up WithoutFear” discusses howorganizations can draw outwrongdoing and help create aculture where employees feelempowered. (15 min.)• “Ethical Leadership: Tone at All Levels”explores how employees can handle the tensionbetween increasing an organization’s bottom lineand protecting its good reputation. (20 min.)SCCE members:$450 per segment,or $1,175 for the seriesNon-members:$495 per segment,or $1,295 for the seriesEach segmentis availableindividually,or all togetheron one DVD.Learn more and purchase online atwww.corporatecompliance.orgCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 13

FeatureQ & Apictured from right to leftDavid C. HumphreysPresident and CEOArt WeissChief Complianceand Ethics OfficerRobert BradleyVice President andGeneral Counselan interview by Art WeissMeet David C. Humphreysand Robert BradleyCompliance & Ethics Professional March/April 2012AW: David, please tell us a bit aboutTAMKO and yourself.DCH: At the age of 69, my grandfatherE.L. Craig started TAMKO in 1944 with asingle roofing line, housed in a former streetcarbarn in Joplin, Missouri. Eight years later,he suffered a stroke and my grandmother tookover the leadership of the company. Later, mymother managed the company until she leftto raise her family, so that my father becamepresident in 1960. He led the company’sgrowth for the next 33 years, until his deathin 1993. I succeeded him the next year. Mymother continues today to serve as Chairmanof the Board.Over the course of TAMKO’s 68 years, wehave continued to grow both in the numberof manufacturing facilities and in our productlines. In addition to asphalt roofing products,such as shingles and rolls, we also producewaterproofing, window and door wraps,composite decking and railing systems, andcements and coatings. In addition, we are veryvertically integrated as we manufacture anumber of our raw materials, such as recycledfelt paper, polyester and fiberglass mats, and14 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Q & AFeaturefiberglass fibers, and we process our ownasphalt and ground limestone.My professional background is as botha trial defense and corporate tax lawyer.Complex regulatory and statutory constructionwas part of that career. Understandingthat there need to be clearly defined black-andwhiteboundaries, but recognizing that thereare shades of gray, is important in being successfulin attaining compliance. Our “betweenthe hash marks” compliance metaphor reflectsthe need for clearly defined boundaries inorder for employees without legal training tosucceed at real world compliance, as we wantto stay in the center“As a lawyer, I had beenprogrammed to avoid allrisk possible. In the worldof business, risk is part ofthe daily challenge andI had to learn to acceptsome risk of failure.”of the field where thelights are bright andthe rules are mostclear, and away fromthe sidelines wherethe visibility is not asgood and the opportunityfor bias on thepart of regulatory refereesis more likely tofind us out of bounds.Taking on the top job at TAMKO was avery real change in responsibility and necessitatedan adjustment in my risk tolerance. Asa lawyer, I had been programmed to avoid allrisk possible. In the world of business, risk ispart of the daily challenge and I had to learnto accept some risk of failure. And as “theclient” instead of the lawyer, I had to learn tolive with some risk. Compliance is one aspectof risk that must be managed.AW: TAMKO believes in a free marketeconomy, continuous improvement, Six Sigma,and follows the Deming principles. How dothese principles mesh with compliance?DCH: If you look at compliance from thetotal quality management perspective—we’llcall it a Deming or Six Sigma perspective(because Six Sigma is an extrapolation ofDeming with enhanced tools and people withhigh-level skill sets)—you will understandthat all processes are subject to variation fromat least five different sources, including people,and that it is critical as to what that variationis, how wide it is, and where it comes from.Then you have to learn how to figure out howto minimize the variation.So in the context of compliance, we alsofocus on people and our processes. For example,in the environmental compliance, variationcan come from machines from normal wearand tear, from breakdown, from defects inthe machines themselves, or in the manner inwhich they are operated,installed, or maintained.As such, environmentalcontrol equipment can failor even just quit workingas the result of a poweroutage. We try to avoidthose failures by understandingour processthat affect environmentalequipment and try to addbackstops to our processesto avoid failures. When those failures happen,environmental noncompliance can be avoideddespite equipment failure. If the environmentalcontrols fail, production automatically shutsdown, which maintains compliance. As wehave come to map out and understand our processesbetter, we can now see the possibility ofimplementing failsafe controls.It’s the same thing in terms of personalcompliance: Understanding the existence ofvariation in human behavior led us to rethinkhow we manage issues, like avoidance ofsexual harassment. We now see training asproviding bright–line boundaries as to whatbehavior is not acceptable. Knowing thatpeople are variable, we accept that trainingalone is not sufficient, because there are toomany opportunities for miscommunicationsCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 15

FeatureQ & ACompliance & Ethics Professional March/April 2012between the trainer and the trainee; traineesdon’t understand all of what they are hearingand they certainly don’t retain all they hear.And, whatever they did learn will erode overtime. More training helps, but it never getsyou to 100% understanding. That tells you acouple of things: One is that training has to bevery simple in providing very bright lines forpeople, so they don’t have to make judgmentcalls, so they know what’s good and what’sbad. I think the other is to provide all sorts ofmitigation mechanisms, so that bad behavior,if it happens, is reported quickly and handledquickly. You have to expect and trust peopleto do what they should do, but when they fail,you need to act quickly to mitigate the failure.AW: What does it mean to place people intoa state of self-control and how does that benefitcompliance?DCH: The state of self-control meansknowing what you’re doing and what you’resupposed to do. The training really does that;it puts people in a state of self-control. Butagain, I think there would need to be verybright lines given. You can’t expect to trainpeople to all be experts. We don’t want ouremployees playing outside the hash marks,near nebulous boundaries that may turn outto be shifting around. So, to me, self-controlcomes through training continuous improvementby example of the failures.AW: How would you describe TAMKO’sculture to someone outside the company?DCH: I would say our culture is one wherepeople feel that they’re given the responsibilityto do their jobs, the freedom to do theirjobs, and they’re held accountable for that.But, I think in large part, if I had to say, it’sa cultural trust where we trust people to dotheir jobs and they trust us to take care ofthem in return. And it’s also one where weexpect people to take the initiative to come towork, get their jobs done well, and perform aswell as they’re expected to, or better. It’s nota culture where people who need proddingor people who feel entitled do well. It’s verymuch a culture where the expectations arehigh for performance.AW: TAMKO is privately held, and doesn’tdo business in foreign countries. TAMKO isnot subject to many of the government regulationsand laws that others are, and yet youdecided to have a compliance officer. Whatdrove that decision?“You have to expect andtrust people to do what theyshould do, but when theyfail, you need to act quicklyto mitigate the failure.“DCH: It had nothing to do with being apotential target or not. I think it had everythingto do with having an additional resourceto focus on compliance, as contrasted with theLegal department, which has a whole otherrange of responsibilities. So, focusing on complianceis a broad spectrum in itself, but I thinkit’s a better way to attack. I think it’s a betterway to make compliance an important aspectof how we do business, separate in its ownright, separate from the Legal department. Andeven though we’re relatively small and we’reprivately held (so we don’t have SEC reportingobligations or FCPA issues to deal with sincewe don’t operate in foreign countries), still therisks of non-compliance in a variety of areaswe do operate in are significant, not in termsof how many laws or regulations we may besubject to, but just because the severity of thepenalties for non-compliance have an evenlarger proportional effect on a smaller firm.If we do an outstanding job in environmentalcompliance and employment law–related compliance,and I think we do, then the risks thatwe do face are minimized.16 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Q & AFeatureAW: TAMKO has a saying, “100% compliance,100% of the time.” That’s more than justa goal or a slogan, isn’t it?DCH: That’s the minimum, so yeah. I mean,if we’re going to have compliance, we need tobe compliant. You can’t be partially complaint.AW: Can you explain the concept of operating“between the hash marks?”DCH: As I mentioned before, the concept ofoperating between the hash marks is a footballmetaphor based on the fact that if you playbetween the hash marks, that’s where the lightsare the brightest. Not only the referees, buteveryone in the stands can see where you are,and you know where you are as a team. Thecloser you get to the sidelines outside the hashmarks, the closer you come to the boundaries.And in football, if you step on the line, you’reout of bounds. In the world of compliance, if youstep on the line, you may have severe penalties.The other thing is that, in the businessworld, you can be running down the field ona breakaway for great success (a touchdownin football), but then find that, retroactively,the boundaries have been moved. Where youthought you’d been doing a great job, you’vebeen out of bounds the past 60 yards. And so,operating in a world where the boundaries canmove against you, it’s much safer to stay in themiddle of the field.In addition, in the world of business andregulatory compliance, you’re operating in aworld where the referees have a vested interest,in effect, a bias toward seeing you step outof bounds. It’s probably best to play where thelights are brightest and where everyone elsecan see where you are, so that if the referee callsyou out of bounds, it will ultimately be overturnedas a bad call, because everyone can seethat you were right in the middle of the field.AW: Can you explain TAMKO’s Rule ofBasic Honesty?DCH: The Rule of Basic Honesty is whatit says. We expect people to be honest in thenormal context of what honesty means, whichis: You tell the truth, you don’t lie; you comeforward when you see something that’s wrong.I would say it can be summed up as: You dothe right thing. Bob, can you add to that?RB: It means, along with complying withboth the letter and spirit of the law, it formsthe backbone of all our policies. It means morethan simply telling the truth. It includes doingyour job the way it should be done, not takingshort cuts that may save time but do notproduce the right result. It means that everyTAMKO employee has the right to rely onevery other employee to do their jobs. It meansour customers and vendors can rely on us.“The Rule of Basic Honesty iswhat it says. We expect people tobe honest in the normal contextof what honesty means, which is:You tell the truth, you don’t lie;you come forward when you seesomething that’s wrong.”AW: Bob, even though TAMKO has independentCompliance and Legal functions, wework together almost daily.RB: That’s true. Many of TAMKO’s policieswere in place before we had a ChiefCompliance and Ethics Officer. Since you cameon board, many of TAMKO’s policies havegone through revisions to clarify the messageand remove the “legalese.” The Legaldepartment has primary responsibility forinvestigating potential policy violations, butwe work with Compliance to apply our policiesto the facts and recommend responses.AW: David, you mentioned coming forwardin your discussion of the Rule of BasicHonesty. The Federal Sentencing Guidelinesrequire an anonymous system for reportingCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 17

FeatureQ & ACompliance & Ethics Professional March/April 2012violations of law. Do you remember what youtold me when we first talked about creatingwhat most people call a “hotline”?DCH: I recall that I was not excited aboutit, because I saw people using it as a place tocomplain anonymously about whatever isbugging them that day, rather than for anyvaluable purpose.AW: Your direction was to design a systemwhere employees could report violations ofTAMKO policy or culture, through the abilityto anonymously offer feedback to seniormanagement through questions, comments,concerns, or requests for guidance, in additionto having the required mechanism to reportsuspected violations of law. The vendor wechose used the name Silent Whistle.DCH: Yeah, I really did not like the term.It sounded like a whistleblowing system, andI really didn’t see that that was the right wayto approach any of these issues, if you wantcompliance. You’ll have people complaining,but they won’t give you ideas or suggestions,so the fact that we changed it into the TAMKOEmployee Feedback System turned it awayfrom an “us against them” concept, a whistleblowerconcept, and into a way to give bothnegative and positive feedback, which I thinkis important.AW: In the three years that we’ve had ourformal feedback system, we’ve received over300 entries; 87% are from employees asking aquestion, seeking guidance, offering a suggestion,or giving an opinion. Our vendor’s datashows that, among all of its clients, 75% of allentries are reports of violations. We have theexact opposite side of the universe for that.What does that tell you about TAMKO employeesand their willingness to offer feedback?DCH: We’re special. Seriously!RB: You know, I think it’s important tonote in those statistics the portion of TAMKOemployees who aren’t reporting a violationof law. We have not received a single reportof an employee violating any law or regulation.Instead, they are reporting violationsof TAMKO’s own policies, which keep ourconduct between the hash marks, and keep usfrom getting to a violation of law.DCH: I think what it tells us is that wehave, for the most part, a group of people whobelieve in doing the right thing, who acceptour Rule of Basic Honesty, and that there arevery limited instances of behavior that may benon-compliant. And as a result of that, I thinkthat’s why we don’t have a lot of reports ofnon-compliance or any illegal activity.AW: On another note that speaks toTAMKO’s culture and philosophy, TAMKOrecently came to the aid of employees and thecommunity, because you felt it was the rightthing to do. Can you talk about the April andMay tornados and what drove TAMKO’s decisionto go above and beyond?DCH: When the Tuscaloosa (Alabama) tornadohit, I think we had five people who hadhomes affected, and a lot of people who hadcars that were damaged or destroyed. And sothat caused me to think about what can we doto help these people, because I’m sure they’resitting there—although they may have insurance—they’rein a period of time in their liveswhere they don’t have the insurance proceeds,they don’t have a place to live, and they probablydon’t have a lot of money in the bank.I wouldn’t be surprised if many live frompaycheck to paycheck, so it seemed like theyprobably needed some assistance.And then when the tornado hit Joplin,it brought that thinking home even more,because we had, I think, another 20–25 peoplewho lost homes and some who lost cars. It wasreally a function of just trying to help peoplewho were in a situation that had to be verydifficult. They lost a place to live, probably hadno place to live, and lost not only their house,18 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Q & AFeaturebut everything in it. I don’t know what I’d doif I lost everything and found myself doingwithout. I guess our impulse was to try to helpfolks get through the period of time whiletheir insurance was being sorted out, and tohelp them (to some extent) cover the loss ontheir deductible for their house and for theircar, because those are large out-of-pockets forthe average person, which are usually verydifficult to absorb. So we thought we’d at leasttry to help on that front, in terms of helpingour employees. So I think, at the end of theday, we helped our employees and if they hadimmediate family who lost houses, we tried tohelp them as well.In terms of contributions to the community,TAMKO as a company has given to the RedCross, and I have personally to the SalvationArmy and some other groups. We did that tosome extent in Tuscaloosa, but on a much largerscale here in Joplin, because it’s our hometownand because we felt that immediately afterthe storm, it was important to immediatelymake some contributions and set an examplefor others in the area to do the same. I thinkwhen TAMKO gave a million dollars to theRed Cross, I think it set a very high bar locally,which was met by at least one other local companyand a couple of national companies thathad a presence. I think that it at least led theway for a significant amount of contributions.AW: What’s the most important thing thatyou look for when you hire somebody to joinTAMKO?DCH: I didn’t know what that was until afew years ago, when I was getting ready tohire a chief financial officer and I brought in asearch firm to help. We spent a day and a halftalking about the position and, at the end ofthe day, the representative said, “I know whatyou’re looking for.” I said, “Really? What’sthat?” And he said, “You’re looking for someoneyou can trust.” That probably sums upwhat I look for in people I hire myself or forthe company. I look for someone I can trust,which basically means I’m looking for someonewho is honest, who is humble, and whomI can depend on.AW: We also hear about the concept of “gettingthe right person on the bus.” What doesthat mean?DCH: It means hiring people you can trust,number one. You can hire talented people thatyou can’t trust, and then you have a bunchof people with a lot of talent, but you end upnot knowing whether you can get anythingdone. Hiring attitude over talent is extremelyimportant. You get the right people, the rightattitudes, presumably with the right skills, andyou get them to the right place where they canmake a difference.“Hiring attitude over talentis extremely important. Youget the right people, the rightattitudes, presumably withthe right skills, and you getthem to the right place wherethey can make a difference.”AW: What advice would you have for otherCEOs as they attempt to build a compliant andethical culture in their organizations?”DCH: Understand that any compliancefailure puts the organization at significantrisk (financial, operational, and reputation)such that 100% compliance, 100% of the timerequires an appreciation of that risk and leadershipfrom the top to establish a compliantand ethical culture.AW: Thank you, gentlemen. ✵Art Weiss is Chief Compliance and Ethics Officer for TAMKO BuildingProducts in Joplin, MO. He may be reached at art_weiss@tamko.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 19

SCCE welcomes New MembersAlabamaGeorgiaMichigan··Susan Cotten, Health InformationDesigns, LLC··Deborah Key, Southern Nuclear··Barbara A. Stephens, Poarch CreekIndians··Jeffery Davis, Southern Company··Blair Marks, Lockheed Martin··Elaine Neely, Kaplan Higher Education··Mark Snyderman, Laureate Education, Inc··Earl Blackburn III, Terumo CardiovascularSystems··Frederick Hoffman, NHBP GamingCommission··Rick Hrivnak, Auto Club GroupArizona··Jennifer McAleer, Northern ArizonaRegional Behavioral Health Authority··James Rough, Navigant Consulting, Inc··Shirley Stang, DMB Associates, IncArkansas··Patricia C. Calderon, Tyson Foods, IncCalifornia··Robert Bragaw, Liquidity Services, Inc··Otto Sanchez Cocino, MAAC··Glenda Estioko, Asian Americans forCommunity Involvement (AACI)··Patrick Hamblin, Gemological Institute ofAmerica··Jeff Hecht, The Word & Brown CompaniesIllinois··Garin Bergman, IDEX Corporation··Rolf Christiansen, Jr, Caesar’sEnterainment, Inc··Kirk Dobbins, CVS Caremark··Ann Kafer, GROWMARK··Tracie Wilcox, Fidelis SeniorCareIndiana··Lori Cochrane··Sherry Davis, Eli Lilly & Company··Joel Gibbons, National FFA Organization··Jeffery Maxwell, Eli Lilly and CoIowa··Karen Steggerda, Brighton ConsultingGroup··Rochelle J. Hunter, Johnson Controls, Inc··Cris Mattoon, The Auto Club GroupMinnesota··Mary E. Gale, William MitchellCollege of Law··Cheryl Hayne, 3M··Kathleen Panciera, William MitchellCollege of Law··Michelle D. Rovang Burke, University of StThomas, Veritas Institute··JoAnn Thompson, Otter Tail PowerCompanyMissouri··Gregory Billhartz, Ralcorp Holdings, Inc··Kent Swagler, Bi-State DevelopmentAgency (d/b/a Metro St Louis)Compliance & Ethics Professional March/April 2012··Kelly Hoevelkamp, Allergan··Megan Janis, PG&E··Janie Mah, Cisco Systems··Avi Moscowitz, Corinthian Colleges, Inc··Diana Olin, Adobe Systems Incorporated··Annemarie O’Shea··Sammy Pen, Unity Care Group Inc··John Sega, Northrop GrummanCorporationColorado··Kristin Zompa, Gartner IncFlorida··Karen Clapsaddle, Lockheed Martin··Salem Flores Alatorre, Sr., SFA··Laura M. Paredes, Ingram Micro Inc··Nancy Stephenson, The Nemours Foundation··Teresa Wong, Physicians United PlanKansas··Margaret VoorheesKentucky··Susan Reinach-Lannan, RecoverCare LLCMaryland··Jessica Hoffman, Lockheed Martin··Leo Mackay, Jr, Lockheed Martin··James D. Massey, MedImmune, LLC··Laurin Mathson, Lockheed Martin··Rielle Miller Gabriel, Lockheed Martin··Mike Mulleavey, Lockheed Martin··Julia Pallozzi-Ruhm, US Government··Mark Shaffer, Barnes Group Inc··Michaela Wheeler, AerotekMassachusetts··Patricia Moks, PricewaterhouseCoopers LLPNew Jersey··Meghan Davis, Johnson & Johnson··Dean Forbes, Johnson & Johnson··Thomas Hardin, Johnson & Johnson··Deborah Lake, Johnson & Johnson··Chris Matteson, Johnson & Johnson··Sheila O’Rourke, Caldwell College··Chris Petersen, Johnson & Johnson··Iskah C. Singh, Unilever United States, Inc··Nancy Waltermire, AvetaNew Mexico··Brandt Graham, URENCO, USA··Perry Robinson, URENCO, USA20 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

New York··James Dixon, ConEdison Energy··Ann M. Florkowski, ACE Group Holdings··Paul M. Holstein, FBI··Emile Kattan, DZ BANK AG··Josh Leicht, FJL Associates, LLC··Tara Mancinelli, Lockheed Martin··Susan McCormack, Long Island Center forIndependent Living, Inc··Ana Taras, William F. Ryan CommunityHealth Center··Sonya Tennell, MetroPlus Health Plan. Inc··Melinda Ward, Rochester Institute ofTechnologyNorth Carolina··Heather Adams, Family Dollar··Michael LeClair, Alliance One InternationalOregon··Edward Boehmer, Acumed LLC··Eva Kripalani, Eva Kripalani Legal andConsulting ServicesPennsylvania··Holly L. Belton, P.H. Glatfelter Company··Scott Caulfield, Capital Principles, LLC··Tom Cornely, Johnson & Johnson··Rob McBryde, GSI Commerce··Leonard Swantek, Victaulic CompanySouth Carolina··John L. Miller, Fluor Government GroupTennessee··Donna Champ, Bechtel National, Inc··Kim Davenport··Sharleen Robinson, Chattanooga GoodwillIndustries, IncTexas··Edwin Buckingham, III, Solvay NorthAmerica, LLC··Alexandria Falls, CPS Energy··Patricia MacGibbon, Dresser, Inc··Robert Vander Lugt, Northrop GrummanCorpUtah··Anthony Joy, AusencoVirginia··Eva Bishop, Raytheon Company··Thomas Donovan, Northrop GrummanCorp··Alison Jameson, Department of Justice··Beth Mersch, Northrop Grumman Corp··Rebecca Osowski, Morgan, Lewis &Bockius LLPWashington··Jennifer Badgley, Premera Blue Cross··Jasbinder Dhoot, JSJ Consulting··Phillip Downes··Don Ellis, Northshore Utility District··Evelyn Hager, Seattle City Light··Jane Maring, Costco Wholesale Corp··Dan Shea, MicrosoftWisconsin··Veronica W. Robinson, Milwaukee CountyWashington, DC··Joy Dorsey, Pepco Holdings, Inc··Steven Lawrence, Williams Lea··Sarah Sims, AARP ServicesPuerto Rico··Manuel Sevilla, Sr., Johnson & JohnsonAustralia··Neville Tiffen, Rio Tinto LimitedBarbados··Mark Taitt, Caribbean Development BankBrazil··Fabio Moreno, Sr., Alexandre De MoraesLaw FirmCanada··Jakub Ficner, I-SightMalaysia··Kanakaraja Muthusamy, ARCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 21

Featureby Cynthia Scavelli, Esq., CCEPRecipe for a Compliance Dayin 2012»»Reach out to SCCE and other compliance professionals for valuable ideas.»»Events should reflect your company’s culture and stay on budget.»»Contact different company departments for their expertise and suggestions.»»Initiate a Planning Committee early. Things always take longer than you think!»»Plan a simple event for your first year. You can always add more later.»»Engage your employees with fun contests and creative prizes.Compliance & Ethics Professional March/April 2012ScavelliAt FIS, the world’s largest providerof banking and payments technology,we put our Compliance Day“recipe” together to promote ethical behaviorthrough education and awareness. Our firstCompliance Day—Spotlight on Ethics—washeld in August 2011. The goal was toencourage internal reporting of ethicalissues and raise awareness of theFIS ethics hotline/website as a toolfor reporting potential ethics violations.We chose to put the spotlighton ethics because honesty and ethicalbehavior are integral parts of our corporateculture and the foundation ofour company’s five Guiding Principles.Another selection consideration, in the ageof the new Dodd-Frank Wall Street Reformand Consumer Protection Act, was the benefitto the company of making our internal reportingmechanisms more visible to employees.FIS’s online Compliance Day enabled us tosatisfy our employees’ hunger for awarenessregarding the company’s Code of BusinessConduct and Ethics, other policies, and ethicaldilemmas (such as conflict of interest), as wellas the tools used to report misconduct. Thepositive feedback we received from our annualEthics Awareness Survey in December 2011confirmed our goal was achieved.Ingredients—Ideas from SCCESCCE’s website 1 gave us the inspiration andresources to put together our first ComplianceDay. The website provides a tutorial Web conference,awareness ideas, promotional posters,and articles from other companies documentingtheir various compliance celebrations.As a relatively new member, I found SCCE’sCompliance and Ethics Academy was also avaluable resource, providing relevant trainingclasses on topics and material which enhancedour vision of Compliance Day. Attending theAcademy was especially beneficial because ofthe opportunity to meet other compliance professionalsand swap “recipes.” One ingredientfor our recipe came from a fellow attendeewho suggested an electronic scavenger hunt.This activity was challenging, educational,and a lot of fun for the employees. Details concerningthis activity will be discussed later on.Know the shopping budget—Get creativeEach year, Corporate Compliance & EthicsWeek is celebrated in May. Because FIS’sannual client conference is also in May, we22 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featurechose to hold our compliance event in Augustso that we could draw upon internal FISresources, such as Marketing, ProfessionalDevelopment Training, and CorporateCommunications. We knew that our large andgeographically dispersed employee base madeit difficult to host an onsite event. Instead, wedecided to have an online celebration. Ourinitial rollout was targeted to U.S. employeesand featured our inaugural FIS CorporateCompliance “Walk the Talk” newsletter andnew online ethics awareness training. FIS’sinternational locations are scheduled to havetheir own Compliance Days throughout2012 with the appropriate customization andtranslations.To garner attention and excitement surroundingthe upcoming day, we announcedan essay contest with a prize. Employees wereencouraged to submitan essay, in 500 wordsor less, on what complianceand ethics meansto them and describehow adherence to theseconcepts influences theday-to-day decisionsthey encounter on thejob. The top three winners won a coveted (and“budget low-cal” item)—an extra vacation day.The first place essay winner was featured inour newsletter. Utilizing our budget low-calapproach, we tried to keep costs to a minimumand relied on internal resources to promoteand host the event.We advertised the event through an e-mailblast and a customized electronic banner onthe FIS Intranet. The banner, featuring an eyecatchinganimation, was created free of chargeby our Marketing department and conspicuouslyposted where most employees wouldsee it during the weeks leading up to the day.We also mentioned the event in other online“When trying to createan event that aligns withyour company’s culture,you need to ask someinsightful questions.”communications. Our Marketing departmentalso assisted with the format, branding, andcustomization of our newsletter. Fortunately,our customized new ethics awareness trainingwas done in-house by our subsidiary, FISCompliance Solutions, 2 which kept costs downas well. In keeping with our theme of a spotlight,the main expense was green (FIS’s mainbrand color) mini-flashlight prizes imprintedwith the FIS Ethics website address.Event recipeCombine department input and add a dash ofyour company’s culture.When trying to create an event that alignswith your company’s culture, you need toask some insightful questions. Are you aninformal or formal company? What issues areimportant to your business and why? Who isyour audience? Whattime of the year is bestfor an event of thisnature? What is yourbudget? What is yourcompany’s culture andcommunications tone?By using your company’sdepartmentalresources, you will be able to spice up yourCompliance Day. By combining input from differentinternal resources and the answers to theabove questions, you can create your perfectsignature dish using the following quick recipe:1. Start a Planning Committee with executivesupport to achieve the best collaborationpossible. As we learned, tone from the topis very important for success.2. Stir in representatives from Marketing,Professional Development Training,Human Resources (HR), Legal, InformationSecurity, Risk, Internal Audit, and management.Every area has a differentperspective and can be helpful in servingCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 23

FeatureCompliance & Ethics Professional March/April 2012up your creation. The FIS Marketing teamassisted with the customization and layoutof the newsletter, editing, and onlineadvertising, and, together with HR, offeredvaluable insight into past successes (andfailures) in organizing and conductingcompany-wide events. FIS’s InformationSecurity team contributed an article aboutthe importance of data security and how toreport a security incident.3. Combine the expertise of these groups tosuggest topics, write content for the ethicsawareness training, and be part of the pilotgroup to provide feedback on the training.Our signature dish—FIS Compliance Day 2011:Spotlight on EthicsSeveral months prior to the event, we plannedan initiative to have employees renew theiracknowledgement of the Code of BusinessConduct and Ethics. By doing so, employeesrefreshed their understanding of the company’sethics expectations and were primed tobe receptive to our message about ComplianceDay. We then mentioned the upcoming eventin an Ethics Essentials article featured in ourquarterly HR newsletter. Three weeks prior tothe online event, we sent out a communicationannouncing the essay contest and explainingthat Compliance Day would feature brandnew ethics awareness training. We also sentan inaugural FIS Corporate Compliance “Walkthe Talk” newsletter.On the actual Compliance Day, we sentout an electronic communication with a linkto our newsletter and the online training linkthrough FIS Compliance Solutions. Our trainingtopics included:··Conflict of interest··Gift policy··Fair dealing··Compliance with laws··Handling confidential information··Security awareness··Security incident reporting··Privacy··Open door policy··Reporting to our ethics hotline/websiteMini-quizzes after each topic assistedemployees in staying focused on the training.At the end of the training, each employeehad to pass an eight-question test and printtheir completion certificate. FIS ComplianceSolutions’ training platform enabled us tokeep track of the completion rate of employeesfor auditing purposes and gave us the abilityto send out reminders.“Many employees came forwardwith suggested topics for futurearticles and ways to improveawareness of our complianceprogram…We hoped thatCompliance Day would opennew lines of communication andwere pleased that is what it did.”The newsletter featured an introductionwith the purpose of the event, a ComplianceQuick Reference section, the winning essay, anarticle about the importance of data securityand how to report a security incident, the ethicalquote of the day, an electronic scavengerhunt, and “Compliance Talk.” The ComplianceQuick Reference section provided an overviewof company’s expectation of its employees.Each subsequent newsletter will have thissection with different information and willeventually be combined for concise employeeguidance on multiple issues. The electronicscavenger hunt asked employees questionsabout FIS policies and directed them to useour Intranet to find the answers. This funexercise was not only educational, but it droveemployees to our Intranet to find the policies24 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Featureand become more savvy about the location ofitems housed on the Intranet. “ComplianceTalk” featured a Q&A-style format in whichour Chief Compliance Officer (CCO) answeredfrequently asked ethics-related questions andprovided additional information about how toreport suspected misconduct.Many employees came forward with suggestedtopics for future articles and ways toimprove awareness of our compliance program.Employees who participated in theelectronic scavenger hunt or essay contest,proactively made suggestions, or were the firstto complete the training were awarded a miniflashlightas a prize with a special note fromour CCO thanking them for their participation.We hoped that Compliance Day wouldopen new lines of communication and werepleased that is what it did.Think to the future…What’s next on yourmenu?Corporate Compliance & Ethics Week for 2012is scheduled for May 6−12. Now that you havea basic recipe, your Compliance and Ethicsdepartment can capitalize on this by servingup a different theme and message each year.At FIS, we are already planning ComplianceDay 2012: Spotlight on Privacy.Bon appetite! ✵1. SCCE’s website, www.corporatecompliance.org, Resources section:Corporate Compliance and Ethics Week.2. FIS Compliance Solutions is FIS’s regulatory compliance softwareand consulting services arm that serves U.S. financial institutions. Itprovides risk assessment software, e-learning, instructor-led training,advisory services, regulatory reporting solutions, compliancetools and expert consulting services. For more information, pleasecall 866-355-5150 or email compliance.solutions@fisglobal.com.Cynthia Scavelli is the Corporate Compliance & Ethics Counsel at the FISheadquarters in Jacksonville, Florida. She is responsible for ethics hotlineinvestigations, FCPA third-party due diligence, and global anti-briberytraining, and she monitors legislative/regulatory changes for selectedbusiness units. Cynthia may be contacted at cynthia.scavelli@fisglobal.com.Don’t forget to earn your CCEP CEUs for this issueComplete the Compliance & Ethics Professional CEU quizfor the articles below from this issue:··Nuts & bolts for boards: What ethics oversightreally means by Frank J. Navran (page 44)··Computers and copyrights: A continuing sourceof avoidable liability by Thomas W. Kirby (page 59)··Is your ethics and compliance training reallypreparing your employees? by Charles Ruthford(page 63)To complete the quiz:Visit www.corporatecompliance.org/quiz, then selecta quiz, fill in your contact information, and answer thequestions. The online quiz is self-scoring and you will seeyour results immediately.You may also fax or mail the completed quiz to CCB:Fax: +1 952 988 0146mail:Compliance Certification Board6500 Barrie Road, Suite 250Minneapolis, MN 55435, United StatesQuestions? Call CCB at +1 952 933 4977 or888 277 4977.To receive one (1) CEU for successfully completing thequiz, you must answer at least three questions correctly.Quizzes received after the expiration date indicated on thequiz will not be accepted. Each quiz is valid for 12 months,starting with the month of issue. Only the first attempt ateach quiz will be accepted.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 25

Feature Boehme of Contentionby Donna BoehmeMachiavelli and the 2011Person of the YearCompliance & Ethics Professional March/April 2012“There is nothing more difficult to take in hand, more perilous toconduct, or more uncertain in its success, than to take the leadin the introduction of a new order of things.”(Niccolo Machiavelli, 1532)BoehmeEverything old is new again. Machiavellimay have been the first to observe theperilous nature of the chief complianceofficer job (in my book, it’s right up there withcoal miner and deep sea fisherman), but nearlyfive centuries later, former federal prosecutorMichael Volkov has echoed thoseearly observations by naming theCCO the 2011 “Person of the Year.” 1CCOs are the “unsung heroes,” saysVolkov, noting “there are institutionalforces which hold them backfrom achieving their mission.” Towhich we can almost hear beaten butyet unbowed CCO’s everywhere responding“THANK YOU!”In many respects, 2011 has been a “perfectstorm” for compliance. Commentators havecited unprecedented levels of enforcementand new regulation, the controversial Dodd-Frank whistleblower regime, the Volckerrule and financial reform, UK Bribery Act,record-breaking FCPA and qui tam settlements,the rise of social power, and the entryof Generation Y into the workforce. 2011also marked the twentieth anniversary ofthe Federal Sentencing Guidelines, promptingthe Ethics Resource Center to assemblea committee to offer recommendations topolicymakers. Support for the role of theempowered CCO should be at the very top ofthe ERC agenda, because the unspoken truthwe must shout from the rooftops is that, alltoo often, CCOs are positioned for failure. 2According to a new SCCE/HCCA survey, 58%of compliance professionals surveyed felt isolatedand in an adversarial position, and 60%considered leaving their jobs in the last yeardue to stress. 3 What the Person of the Yearreally needs to be successful is empowerment,direct unfiltered reporting to the board,adequate autonomy from management, andsufficient resources. Earth to Boards: Try thatfor “tone from the top.”Volkov also predicts that the CCO willbe elevated to C-suite status within the nextfive years. This would be fast work, givenMachiavelli’s “institutional forces” underminingthe CCO mission. Will 2012 yield bettercompliance? Only to the extent boards, government,and policymakers create levers ofempowerment to position the Person of theYear for success instead of failure. ✵1. Michael Volkov: “The Person of the Year – The Chief ComplianceOfficer.” Corruption, Crime & Compliance online, December 15,2011. Available at http://corruptioncrimecompliance.com/2011/12/theperson-of-the-year-the-chief-compliance-officer.html2. See RAND Symposium Report “Perspectives of Chief Complianceand Ethics Officers on the Prevention and Detection of CorporateMisdeeds.” Available at http://www.rand.org/pubs/conf_proceedings/CF258.html3. HCCA and SCCE: “Stress, Compliance, and Ethics” survey, January2012. Available at http://www.corporatecompliance.org/staticcontent/StressSurvey_report.pdfSend comments to Donna Boehme at dboehme@compliancestrategists.com.26 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

COMPLIANCE PROGRAM ADVISOR Last Year’s Best Practices Are This Year’s Standards“Think about how you might tailor the Guidance to your organization. And know that, as you do, the Criminal Divisioncares about all the things you might be considering – “tone from the top” support, encouragement of a culture ofcompliance that rewards ethical behavior and establishes whistle-blowing mechanisms, senior-level oversight anddirect reporting lines, [and] periodic reviews and re-evaluations to test and ensure program effectiveness …— Assistant U.S. Attorney General Lanny Breuer,Prepared Remarks to Compliance Week 2010: 5th Annual Conference“Contact Ethisphere today to obtain additional information regarding Compliance Program Advisor subscription package optionsat info@ethisphere.com, 1.877.629.8724 and/or www.ethisphere.com/compliance-program-advisor/

Featureby Steve McGrawGRC focus: Keep youremployees close and yourauditors closer»»With regulatory attention continuing to focus on GRC results, corporations need to focus on ensuring compliance is up to par.»»Corporations need to show employees that all internally reported issues will be taken seriously.»»Sharing compliance self-assessments and mitigation programs with auditors can help corporations establish a strong reputation.»»GRC should be viewed as increasingly beneficial, especially when preparing for mergers and acquisitions.»»GRC systems can provide information to show trend lines and correlations to address root-cause issues before regulators ask.Compliance & Ethics Professional March/April 2012McGrawAs we continue through 2012, the focusof regulatory bodies continues to befirmly focused on Governance, Riskand Compliance (GRC) results. Corporationsand their boards of directors need to payincreasing attention to reducing compliancethreats. This task often falls on theshoulders of the compliance officer,along with the need to ensure thatcompliance programs adhere to themost current versions of ever-changinglaws and regulations.What many corporations havelearned already is that the best way toprotect a company’s interests is to ensure thatcompliance is up to par internally, before theregulators come calling. This said, there are afew areas that corporations should pay veryclose attention to as we move through the year.Bounty hunter threats are increasingPersonal greed has long been the primarymotivator behind fraud and abuse, and regulatorsare now increasingly using a varietyof greed-oriented rewards to help identifyand prosecute offenders. The Securities andExchange Commission (SEC) and CommoditiesFutures Trading Commission (CFTC) now haveformal whistleblower bounty hunter programs,using a percentage of the sanctions as rewards.As these and similar programs begin to hittheir strides, compliance officers and theirboards of directors will face increasing threatsto their internal compliance programs and,ultimately, their institutional brands.Corporations also need to show theiremployees that the Compliance departmentwill follow up on issues that are reported internally.For example, a corporation can removeidentifying facts from the reported claims, thenpost them on in-house blogs to show employeesexamples of what is being reported andthat each claim is being taken seriously.Demonstrating compliance effectiveness iscriticalHistorically, regulators have been satisfiedwith companies that have implemented complianceprograms, but now they want proofthat the programs are actually working. Moreregulatory authorities will begin to require aprocess that distills data and demonstrates theoverall effectiveness of a company’s complianceprogram.28 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

FeatureAs an offshoot of this growing requirement,progressive corporations are taking stepsto “keep their friends close and their auditorscloser.” By proactively sharing their complianceself-assessments and mitigation programs withauditors, companies can establish a strong reputationwith their auditors and regulators anduse that reputation to minimize the likelihoodand impact of potential compliance breakdownsand whistleblower allegations.Growing importance of the “G” in GRCBoards are more sophisticated than ever before,and many are demanding processes and tools tofacilitate and streamline their oversight responsibilities.For example, many board membersare now using iPads and related portal productsto review enterprise risk management (ERM)programs in much more timely detail to bettermonitor a broad range of risk indicators. Theyare also taking a more active role in confirmingmanagement’s assertions on the company’sethics and regulatory compliance posture.Viewing GRC as strategic tool can haveother benefits for a company, especially whenit comes to mergers and acquisitions. Whenbeing scrutinized by regulators before a mergeror acquisition, demonstrating that an effectivecompliance program is in place can makethe regulators more comfortable. An effectivecompliance program can also make a companymore attractive to a likely acquirer, thus puttingthe company a step ahead of competitors.“For example, a corporationcan remove identifying factsfrom the reported claims,then post them on in-houseblogs to show employeesexamples of what is beingreported and that each claimis being taken seriously.”The rise of analyticsGRC systems collect enormous amounts ofdata. From the board down, GRC users needto see trend lines and correlations to identifyand address root-cause issues beforeauditors come calling. As examples, theadditional insight corporations can glean bylinking training programs to the types ofissues received via a whistleblower hotline, ormining various systems to determine how tochange audit plans for the next cycle, can behighly valuable.The compliance landscape is changingfor many regulated industries. It’s criticalthat internal teams keep on top of changesin regulations and maintain their company’scompliance and ethics programs, becausewaiting until the regulators show up can oftenbe too late. ✵Steve McGraw is President and CEO of Compliance 360 out of Atlanta. Hemay be reached at steve.mcgraw@compliance360.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 29

11 th AnnualSAVE THENEW DATEAND $575 WHENYOU REGISTER EARLY*Compliance & Ethics InstituteOctober 14–17, 2012 | Las Vegas, Nevada USA | Aria in Las VegasMore tracks and sessions than everbefore to meet the need for educationon the issues you are facing• Risk Track• Ethics Track• Multinational/International Track• Case Study Track• Advanced Discussion Groups• Investigations Workshop• Speed Networking, and moreKeynote presentation byJAMES B. STEWARTColumnist, The New York TimesAuthor, Tangled Webs: How FalseStatements Are UnderminingAmerica: From Martha Stewart toBernie MadoffOver 90 sessions and 130 speakersVisit www.complianceethicsinstitute.org to learn more, register,and find details on booking your hotel stay at Aria in Las Vegas.*Register on or before July 11, 2012, to save $575

The Art of Compliance Featureby Art Weiss, JD, CCEPThe consequences of EnronWeissYou can’t be around compliance professionalsmuch without hearing certainbuzz phrases—things like “tone at thetop” and “ethical culture.” One of my favoritecompliance phrases is “ethical culture.” I talkabout it all the time at my company and at SCCEgatherings. I may even mumble it inmy sleep. Just in case the Departmentof Justice has bugged my bedroom, Iwant them to know I’m ethical.But I think I insulted someone’sDad recently when I used the phraseduring a presentation. We were talkingabout the Federal SentencingGuidelines, what prosecutors look for whenmaking charging decisions, codes of conduct,hotlines…you know—compliance stuff. Thebuzz phrases were flying back and forth, andout of my mouth came a true story from whenI was hired to be my company’s first ChiefCompliance Officer. (We added “Ethics” tomy function later, after some compliance professionalI heard speak at an SCCE programstarting using the word in what seemed likeevery other sentence.)I told the group that when I first became acompliance officer, I looked on eBay for someEnron stuff for my office. I thought it wouldbe funny for the compliance guy…well, youget it. I told of finding a copy of Enron’s codeof conduct on eBay. The seller stated that thisparticular copy of Enron’s code was “Good AsNew…Never Been Opened!”I use this example when speaking aboutthings like not having a check-the-box complianceprogram and having meaningful policies.I went on to say that Enron’s code was actuallyquite comprehensive. The problem was thatno one ever opened it. This gets laughs everytime. It got laughs this time, too.“I told of finding a copy of Enron’scode of conduct on eBay. Theseller stated that this particularcopy of Enron’s code was ‘GoodAs New…Never Been Opened!’”Later I read a note from an attendeewhose father worked for Enron. The attendeeliked my presentation, but pointed out thatnot everyone at Enron was unethical. I can’timagine the personal and professional sufferingthat this attendee’s family endured. Thisillustrated to me the effect that a few culturallychallenged individuals, let loose in an environmentof looking the other way, can have on notjust a company and its shareholders, but itsemployees and their families. Ethical cultureis real. If it fails, it has far‐reaching results andconsequences that we need to keep in mind.No more Enron stories. Anyone have acopy of the WorldCom code? ✵Art Weiss is Chief Compliance and Ethics Officer at TAMKO Buildingproducts in Joplin, MO. He may be contacted at art_weiss@tamko.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 31

Featureby Michele Abely, CCEPCompliance in a casino world»»Operate in a good faith manner and in the best interest of the company and its customers.»»Do the research to find the best answers and solutions.»»Document all decisions in a memo including the research done, the findings, and the outcome.»»Ensure all related procedures are written and/or updated regarding any decisions.»»Communicate decisions clearly and ensure that outcomes are executed consistently.Compliance & Ethics Professional March/April 2012AbelyThree years ago I stepped into therole of Casino Compliance Manager.I had spent the prior nine years atthe Mohegan Sun Casino in Uncasville,Connecticut working in Finance andMarketing. These departments’ functionstranslate to many different industries.There are responsibilitiesand programs I oversee in CasinoCompliance that would be familiarto most compliance professionals(e.g., instituting and maintaining anemployee hotline, Title 31 and antimoneylaundering programs, recordretention, policy and procedure management,etc.), but this was in addition to what reallywas a whole new world—The Indian GamingRegulatory Act (IGRA), National IndianGaming Commission (NIGC), MinimumInternal Control Standards (MICS), ClassIII gaming, State Compact, Tribal GamingCommission, Title 25, tribal sovereignty andmore. It is not uncommon to hit uncharteredterritory in the realm of compliance in acasino world.Indian gaming and legislation backgroundPer the National Indian Gaming Commissionwebsite, The Indian Gaming Regulatory Act(IGRA) was enacted by the United StatesCongress on October 17, 1988, to regulate theconduct of gaming on Indian lands. IGRA’spurpose is to provide a statutory basis for theoperation of gaming by tribes to promote tribaleconomic development, self-sufficiency, andstrong tribal governments. IGRA establishedthe National Indian Gaming Commission(NIGC). The primary mission of the NIGC isto regulate gaming activities on Indian landsfor the purposes of shielding Indian tribesfrom organized crime and other corruptinginfluences, ensuring that Indian tribes are theprimary beneficiaries of gaming revenues, andassuring that gaming is conducted fairly andhonestly by both operators and players.In 1999, NIGC instituted the MinimumInternal Control Standards (MICS). In 2006, afederal appeals court decision determined thatNIGC had exceeded its authority in issuingClass III MICS. (Class III refers to casino-stylegaming or games of chance such as blackjack,craps, roulette, or slots). However, many tribalcasinos continue to use the Class III MICSas a regulatory benchmark, some because ofrequirements in their tribal/state compactsor gaming ordinances and others by choice.As the Casino Compliance Manager, I ensureadherence to the MICS. The MICS provide aguideline of rules necessary to run the gamingoperation, but they are somewhat generic. As aresult, Mohegan Sun has established Standardsof Operation of Management (SOMs) whichare property-specific policies that must align tothe MICS. My Casino Compliance departmentis the gatekeeper of those SOMs and ensuresthey support the MICS.32 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

FeatureRole of compliance manager in a casino worldAs a Casino Compliance Manager who overseesa Compliance department, I must befamiliar with the laws that govern the casinooperation and understand what gaming regulatorsrequire. Many times it can be a worldof chaos where we are confronted with tryingto accommodate many layers of regulations.I frequently have to review if a particularactivity, game, or promotion is done properlyunder federal law. Yes? Okay, then whatabout state law? Yes? Okay, then what aboutthe MICS, the Tribal State Compact, the TribalOrdinance, and company policy? A lot ofchecking and double checking is done to seethat all the rules are followed and all the regulationsare satisfied.Communication skills to work successfullywith gaming regulators, inspectors, and theoperation are imperative, because I act as theliaison between the operation managementand the regulators. I must be able to coordinatecompliance across various departments,manage each department’s different internalcontrols, and ensure that they are kept up todate and in line with the many regulations.My Casino Compliance department investigatescompliance issues, ensuring that anyproblems with gaming compliance are rectifiedas quickly as possible. We also oversee therules of all casino promotions and contests toensure the integrity of each one.It’s not a perfect casino worldAs a new Compliance Manager, I frequentlyreferred to SCCE documentation and literature.Once I realized how useful and relevantthe information was, I became a member ofSCCE and then earned my CCEP to establishcredibility in this field. The one area I havetrouble finding information on is specificcasino-related topics in relation to compliance.The following three come to the forefront on aregular basis.“I frequently have to review ifa particular activity, game, orpromotion is done properly underfederal law. Yes? Okay, thenwhat about state law? Yes? Okay,then what about the MICS, theTribal State Compact, the TribalOrdinance, and company policy?”Bank Secrecy Act (BSA), Title 31.Casinos are considered financial institutions.Certifications, programs, seminars,and webinars in anti-money laundering areoften focused on the banking industry. Thebest source for casino compliance managersis directly from the Financial CrimesEnforcement Network (FinCEN) and the IRS.Networking with others in the industry isanother good resource.In a casino, the scenarios that arise forsuspicious activity reporting are not commonoutside of the gaming industry and, therefore,become a gray area when looking forcomparisons and points of reference. Issuessuch as patrons switching seats when hittinga jackpot or redeeming chips at several differentlocations are not identified in anti-moneylaundering sources.Another challenge involves the many positionsin the casino that require training in theBSA. As Compliance Manager, I am responsiblefor seeing that 86 different positions arebeing trained on how to recognize and reportmoney laundering. This is a daunting task,because it is not a one-size-fits-all program.Each position needs to know varying degreesof information. Extended training sessionswith too much information are costly in termsof the employees’ time, and employees tend tolose interest when the training is too lengthyor inapplicable to them.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 33

View from the Front Linesby Meric Craig Bloch, CCEP, CFE, PCI, LPIDoes your boss listen to you?BlochBusiness leaders don’t always see the benefitsof a robust investigation to runninga business. This is unfortunate, but notsurprising. An investigation’s scope and findingsare not often made relevant to the worldin which business people operate. One way foryou to achieve relevance is to understandhow business people think.Compliance professionals arebusiness advisors. Of course, businessadvisors cannot be effective ifbusiness leaders are not listening, soit will never be enough to conduct aninvestigation and just report the facts.An investigator must consider how to capturethe attention of the decision-makers.The need to be relevant is a constantchallenge for any business advisor. JimLukaszewski tackles the issue and offers someguidance in his book Why Should the Boss Listento You? Lukaszewski describes how leadersthink and operate, and why this is importantto the trusted advisor. At the core of his book,he presents a seven discipline approach tobecoming a strategic trusted advisor:1. Be trustworthy: Trust is the first disciplineand the foundation for a relationshipbetween advisor and leader or boss.2. Become a verbal visionary: The leader’sgreatest skill is verbal skill, and theleader’s advisor must also have powerfulverbal skills.3. Develop a management perspective:To be a management advisor is to be ableto talk more about the boss’s goals andobjectives than about whatever your stafffunction happens to be.4. Think strategically: One of the great realitiesof management is that the leader’s jobis always about tomorrow, and almostnever about yesterday.5. Be a window to tomorrow: Understandand use the power of patterns. A sophisticatedadvisor is one who can forecasttomorrow with some level of accuracy.6. Advise constructively: Giving advice startswhere the boss is and where he/she has togo (where the advisor is or has been).7. Show the boss how to use advice: If youwant to see your recommendations comealive, teach the boss how to accept anduse advice.Who doesn’t want to be noticed? Whodoesn’t want to be part of the decision-makingprocess? The key is to look at the questions,issues, opportunities, and problems from theboss’ perspective first.Every compliance issue is, ultimately, abusiness issue. Whatever your compliancerole, you are working hard to improve theorganization by reducing unacceptable businessrisks. Ensuring that your contribution isrelevant and incorporated in decision-makingwill showcase your value to the organization.But only if your boss will listen to you. ✵Meric Craig Bloch is the Compliance Officer for the North Americandivisions of Adecco SA, a Fortune Global 500 company with over 8,000employees and $6 billion in annual revenue in North America. He hasconducted more than 300 workplace investigations of fraud and seriousworkplace misconduct. He is an author and a frequent public speaker on theworkplace investigations process. Follow Meric on Twitter @fraudinvestig8r.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 35

Featureby Emil MoschellaDOJ review: FBI’s Integrityand Compliance Program»»The FBI implemented a corporate-style compliance program to allow for the early detection of internal control weaknesses.»»The DOJ OIG reported that the FBI’s program has been beneficial to its efforts to monitor and enhance compliance.»»The DOJ OIG suggested that other agencies may wish to consider implementing a similar kind of program.»»Remedial legislation, policies, and processes are inadequate.»»An integrated compliance and ethics program in government agencies is important.Compliance & Ethics Professional March/April 2012In March 2007, the Department of Justice(DOJ) Office of Inspector General (OIG)issued a highly critical report regardingthe Federal Bureau of Investigation’s (FBI)implementation of a statutorily authorizedinvestigative tool called “National SecurityLetters” (NSLs). These are demandletters provided to telephone companies,financial institutions, Internetservice providers, and consumercredit agencies for “transactional,” asopposed to “content,” information.The DOJ OIG found, among otherMoschella things:··that faulty recordkeeping understatedthe total number of NSLs issued by about20% less than the number that had beenreported to Congress.··failure to self-report non-compliance to thePresident’s Intelligence Oversight Board, asrequired by Section 4 of Executive Order12334. This section requires: “InspectorsGeneral and General Counsel of theIntelligence Community shall, to the extentpermitted by law, report to the Board concerningintelligence activities that theyhave reason to believe may be unlawful orcontrary to Executive order or Presidentialdirective.”The OIG report resulted in CongressionalOversight Committee hearings, 1 andnumerous press editorials critical of the FBIand calling for change. 2Of course, the FBI moved quickly to fix theproblems identified by the OIG. In addition,and without prompting from the DOJ OIG, theFBI notified the OIG that it would put in place acorporate-style compliance program that wouldallow for the early detection of internal controlweaknesses that could lead to non-compliantactivity in the future. The private sector generallyadapts the process suggested by FederalSentencing Guidelines for Organizations(FSGO), 3 and similarly, the FSGO formed thebasis for the FBI effort, together with corporatebest practices. The FBI effort was, and continuesto be, a pioneering experiment in managing thegovernment’s duty to comply with the law andan example of a functionally integrated complianceand ethics program.The DOJ’s reviewOIG, as part of its responsibility to follow-upwith the FBI on the NSL fixes, reviewed theFBI’s Integrity and Compliance program (ICP).Since there was no law, rule, or other mandaterequiring the FBI to internally adapt thecorporate-style compliance programs, and nomodel for it in government, it was a first of itskind in terms of FBI implementation and theOIG review. The questions for the DOJ OIG: Isit a worthwhile effort? Is it working?36 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

FeatureCompliance & Ethics Professional March/April 2012April 5, 2010 and claimed the lives of 29 ofthe 31 men working at this site. The articlereports that The Mine Safety and HealthAdministration (MSHA) issued a report thatputs the full blame for the horrific accident atthe Upper Big Branch Mine on PCC/Massey,the mine owner-operators. Clearly, the reportmakes a strong case for culpability and thereport details gross negligence in the company’sinspection process.Interestingly, five days prior to the catastrophe,the Department of Labor’s (DOL) OIG,through its Office of Audit, issued a report,titled Journeyman Mine Inspectors [in the MSHA]Do Not Receive Required Periodic Retraining,as required by the Federal Mine Safety andHealth Act of 1977 (Section 505). The reportnotes that “Journeyman [MSHA] inspectorsare required to receive one week of specifiedretraining each year, or two weeks everyother year.” In short, the DOL OIG found thatMSHA did not comply with the law. Further,the OIG described the effect of this non-complianceas follows:This increases the possibility that hazardousconditions may not be identified andcorrected during inspections which, inturn, could increase the risk of accidents,injuries, fatalities, and adverse health conditionsfor miners. 7Unfortunately, the recent MSHA reportdoes not deal with MSHA’s failure. However,the report does allude to the issuance of afurther report which will examine MSHA’sactions prior to the explosion and during therescue and recovery operation. The internalreview will evaluate the quality of MSHA’senforcement activities, “including any weaknesses,and the adequacy of regulations,policies and procedures.” Of course the issuanceof regulations, policies and procedures, aswell intentioned and needed as they may be, is“Of course the issuanceof regulations, policiesand procedures, as wellintentioned and neededas they may be, is aninadequate solution withouta management commitmentto enforce and complywith those rules that goesbeyond mere rhetoric.”an inadequate solution without a managementcommitment to enforce and comply with thoserules that goes beyond mere rhetoric.Let’s take a look at an example. H.R. 3697was introduced on December 16, 2011, about aweek after the issuance of the MSHA report. Itpurports to be a bill requiring improved minesafety practices. Sec. 604 of the bill mandatesthat the Secretary of Labor require “that eachmine inspector conducting inspections underthe Federal Mines Safety and Health Act of1977 receive a full additional week of training,in addition to the training that was provided toor required of such inspectors prior to the dateof enactment.” Inasmuch as DOL OIG previouslyfound that the MSHA did not complywith the requirements for training journeymaninspectors, what confidence should we havethat the DOL, through the MSHA, will complywith this requirement if enacted into law?The answer is found in the good will andintentions of the leadership and employees ofMSHA, which I do not doubt for an instant.The problem of course is that agency executives,both appointed and career, come and goand priorities shift. As a result, these requirementsrun the risk of simply being prioritizedoff of the agency’s radar screen through thepress of business, inadequate funding, etc.38 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

FeatureThe MSHA should take under considerationthe observation of the DOJ InspectorGeneral “to consider implementing a similarkind of [compliance] program.” An internalmanagement program to detect and preventviolations of the law in the future by theMSHA will provide for a systematic approachto identify risks of non-compliant behaviorand address those before they are found byan inspector general, Congressional oversight,watchdog group, and, more importantly,before the non-compliance possibly contributesto a tragic outcome.ConclusionThe DOJ OIG report focused its review on thequestion of whether the risk of non-compliancewill be avoided through the implementation ofa corporate-style compliance program. Whilethat is an important consideration, the effectof such a program on overall organizationalethics, the efficiency of operations by performinga task right the first time, and theenhancement of the overall public trust ingovernment institutions are anticipated but yetto be measured. There is both a strong philosophicand business case to be made on behalfof the notion of implementing corporatestylecompliance programs at all levels in thegovernment sector. The DOJ IG report is a welcomedendorsement of that case. ✵1. See “Senators Cite F.B.I. Failures as Chief Promises Change” by ScottShane, New York Times, 3/28/07.2. See “Make the FBI Follow the Law,” Boston Globe, 3/13/2007; “Breakup the FBI,” LA Times, Opinion by John Yoo (former DOJ official),3/21/2007; “Revise the Patriot (sic) Act,” Editorial, LA Times, 3/26/07.3. See United States Sentencing Guidelines, Chapter 8 et seq., particularlyUSSG § 8B2.1, for the elements of an effective compliance andethics program.4. Available at www.justice.gov/oig/reports/2011/e1201.pdf.5. In re Caremark International Inc. derivative litigation, Court of Chanceryof Delaware, Decided: Sept. 25, 1996.6. Available at http://rcgce.camlaw.rutgers.edu/sites/rcgce.camlaw.rutgers.edu/files/rcgce_whitepaper.pdf7. Report number 05-10-001-06-001, p. 3.Emil Moschella is Executive Director at Rutgers Center for GovernmentCompliance and Ethics in Ashburn, VA. He may be contacted atemoschella@camlaw.rutgers.edu.Help keep your program fully staffedList Your Job Openings with SCCEIt’s hard to have an effective compliance andethics program when you have openingsin your staff. To help ensure you fill thoseopenings quickly, list your compliance jobopportunities with the Society of CorporateCompliance and Ethics.Our online jobs board will put yourpositions on our website for 90 days andcosts just $400 per position. In addition,for each month you advertise with us, yourlisting is included in our monthly SCCEJobs Newsletter, which we send out to over13,000 email addresses.Don’t leave your compliancepositions open any longer thannecessary. Post your job listingswith SCCE today.Just visit us online atcorporatecompliance.org/newjobsor call us at +1 952 933 4977or 888 277 4977.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 39

y Dan Small and Robert F. RoachPowerful witness preparation:The most important person»»The most important person in the room is the one who says nothing: the court reporter.»»Consider your words carefully—the reporter’s machine is cold, mechanical, and humorless.»»Words have different meanings: think about manager.»»Avoid using jargon that jurors may not understand or find confusing.»»If you are not sure what counsel is asking, ask for clarification rather than answering the question.Compliance & Ethics Professional March/April 2012In this series of articles, lead author and seasoned trial attorneyDan Small sets forth ten, time-tested rules to assist you in thecritical task of preparing witnesses. Robert F. Roach assistedDan in this series by providing additional “in-house” perspectiveand commentary. The first installment of this series was publishedin our January/February issue.Corporate officers and employeescommunicate all the time: duringmeetings, telephone calls, presentations,and conferences, to name a fewexamples. However, even a person who is askilled communicator in business settings mayfind testifying under oath challenging. As weexplain in Rule 2, it is critical to prepare yourwitness for the unique experience of answeringquestions under oath and having thetestimony transcribed word-for-word.Rule 2: Always remember that you aremaking a recordOne of the many unnatural things about beinga witness is that often the most importantperson in the room is the only one who doesn’tsay anything: the person making the transcriptor taking the notes. A witness cannot“unring the bell.” Once words come out ofyour mouth, they are committed to the coldwritten page, under oath. Even humor andsarcastic remarks read like factual statementsin a transcript. Every word is there, for all tosee, for all time.What is the answer?TimeFirst, slow down and be precise.Answer each question as if you weredictating the first and only draft ofan important document. (You are!)Consider each word carefully. This isextremely difficult to do. You cannotdictate a document this importantquickly, casually, or “off the cuff.”You need to be fully prepared, andthen approach it with the right senseof pace, care, and precision.SmallLanguageSecond, be aware of the power oflanguage. When every word is transcribedand under oath, languagetakes on an extraordinary importance,far beyond normal conversation. Then,Roachwhen two or more sides are fighting over whatthose words mean, and each is trying to usethem for their own purposes, the problemsmultiply. We must be aware of, and carefullyconsider, each word in the question. Most40 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

language issues come within three interlockingworlds: “English,” jargon, and “legalese.”“English”Open any dictionary at random, to any page,and you will see a basic truth: there are veryfew “simple” words. Most have more thanone meaning. In the heat of litigation, thosedifferences can be blown up in degree andsignificance. If the witness is not 100% clearabout how the questioner is using a word, theycannot answer the question. If they answer, thequestioner will assume their definition is theone in play.One common tactic is for questioners to tryto bully their way through language problems.Consider this exchange:Q: Who did you report to?A: Please rephrase the question.Q: What don’t you understand about myquestion?A: I’m not comfortable with “report.” Ihad consultants and investors, but“report” sounds like I’m in the Army.Q: You know what the word “report”means, don’t you?A: Well, yeah.The witness gave in to a question with theunspoken “you idiot!” at the end. Prepare thewitness by explaining that in such circumstances,the issue is not whether you’re toostupid to know what “report” means (which ishow the witness may feel); the issue is whetherthe questioner is too stupid to know that thedictionary has twenty-five different definitionsof the word, and you didn’t know which one shemeant! Be sure you know, before you answer.JargonEvery profession, industry, region, and endlessother categories, has its own language. Wecall it jargon. In Webster’s words, jargon is “thetechnical terminology or characteristic idiomof a special activity or group.” But like somany other words, jargon has multiple meanings.When Juror #6 hears jargon, it comesacross less as impressive technical know-how,and more like Webster’s next definition of theword: “obscure and often pretentious languagemarked by circumlocutions and longwords.” Witnesses need to work hard to stayaway from jargon, and to recognize when theyfall back into it, and stop to explain.“Jargon interferes withcommunication in so manyways. Jurors don’t understand it.They don’t like it and often feelit’s condescending. It can makethe witness seem cold anddistant, talking about humanissues in dehumanizing terms.”Jargon interferes with communicationin so many ways. Jurors don’t understand it.They don’t like it and often feel it’s condescending.It can make the witness seem coldand distant, talking about human issues indehumanizing terms. Lastly, its impact can gofar beyond the words themselves: Juror #6 maymiss the next several minutes of testimony,because he is still trying to figure out thejargon, and eventually may turn off entirely.Help your witness to understand what kind ofjargon he or she speaks, and how to avoid it.“Legalese”In every case there are legal standards andconcepts that have to be broken down fromtheir confusing language, and explained inclear and simple terms. Counsel must helpthe witness understand what they are, soCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 41

they don’t stumble upon them blindly—or getlured into them unsuspectingly. Then witnessand counsel must be ready to deal with themduring testimony.The greatest language challenges comewhen a word exists in the intersection of twoor three of these separate circles, when a wordhas different meanings in English, jargon,and/or legalese. Then, it is particularly importantfor the witness to be 100% sure whichmeaning the questioner intended, or he/shecannot answer the question.One quick example: the seemingly innocuousword “manage” or “manager.” In English itcan mean a range of things, from managing abaseball team (the boss), to managing a footballteam (picking up the towels, etc., the coach isthe boss), to managing a checkbook, to managingto escape a dull party. In the jargon of somebusinesses and industries, “manager” has aparticular meaning—which may or may notmean the real “boss.” In legalese, many statelegislatures, in their wisdom, gave the corporatesecretary of an LLC the name “manager,”even though such a statutory manager mayonly be there to sign documents and have littleor nothing to do with running the business.Which meaning does the questioner mean?Remember the most important person: thecourt reporter. He/she doesn’t know what theword means, unless either the questioner orthe witness makes it clear. Insist on the disciplineof clarity. ✵Dan Small (dan.small@hklaw.com) is Partner with Holland & Knightin Boston and Miami. His practice focuses on complex civil litigation,government investigations, and witness preparation. He is the authorof the ABA’s manual, Preparing Witnesses (Third Edition, 2009).Robert F. Roach (robert.roach@nyu.edu) is Chief Compliance Officerof New York University in New York City and Chair of the ACC CorporateCompliance and Ethics Committee.SCCE’s Compliance & EthicsRegional ConferencesCompliance & Ethics Professional March/April 2012Midwest • April 27 • Chicago, ILUpper Northeast • May 18 • New York, NYAlaska • June 15 • Anchorage, AKWest Coast • June 22 • San Francisco, CASoutheast • October 12 • Atlanta, GASouthwest • November 2 • Houston, TXwww.corporatecompliance.org/regionalSCCE Regional Conferencesprovide a forum to interactwith local complianceprofessionals, share informationabout our compliance successesand challenges, and createeducational opportunities forcompliance professionals tostrengthen the industry.42 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Kaplan’s Courtby Jeffrey M. KaplanConflicts of interest:Where law and ethics meetKaplanIhave long been fascinated by the field ofconflicts of interest (COI) and last yeareven launched a blog devoted entirely tothe topic. What lies behind this interest in asubject that most “normal” individuals wouldfind depressing at best?To begin, COI is an area where,more than any other, law and ethicsmeet. Indeed, many legal fields withwhich compliance and ethics (C&E)professionals routinely deal are basedentirely on COI ethical principles(as in the case of anti-corruptionlaw) or largely on these principles(as is true for fraud and insider trading law).Additionally, the realm of fiduciary duty canbe seen as the legal embodiment of ethicalstandards, as reflected in Justice BenjaminCardozo’s justly celebrated words that “[a]trustee is held to something stricter than themorals of the marketplace. Not honesty alone,but the punctilio of an honor the most sensitive,is then the standard of behavior.” 1Studying COIs helps underscore theimportance of other areas of knowledge, too,for C&E professionals. One of these is psychology,and particularly, the large numberof recent studies showing how seeminglyirrational many ethics-related decisions are.Specifically, “behavioral ethics” research hasdemonstrated the counterintuitive fact thatdisclosing COIs actually increases the likelihoodof wrongful behavior. Yet anotherimportant area of knowledge for C&Eprofessionals is economics, and the conceptof “moral hazard” (which can be seen as a“cousin” of COIs) helps illuminate the manylinks between incentives and C&E risks.“COI is an area where,more than any other,law and ethics meet.”Finally, proper handling of COIs is essentialto a healthy ethical culture which, in turn,can be viewed as “business anthropology”(although this term has other meanings, too).This is because a failure to sufficiently addressCOIs—the most common C&E problem in manycompanies—can undermine employees’ senseof “organizational justice,” thereby contributingto an overall erosion of its culture. And, to bringus full circle, increasingly the law recognizes theimportance of culture to compliance.In short, COIs embrace a broad rangeof knowledge concerning law, psychology,economics, and anthropology that C&E professionalsneed for their work. In this sense,studying COIs provides an ongoing—andprofessionally relevant—liberal arts education,which is why I am so fascinated by the field.(More information about all of the abovetopics can be found on the Conflict of InterestBlog—www.conflictofinterestblog.com). ✵1. Meinhard v. Salmon, 164 N.E. 545 (N.Y. 1928)Jeffrey Kaplan is a Partner with Kaplan and Walker, LLP in Princeton, NJ.He can be contacted at jkaplan@kaplanwalker.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 43

y Frank J. NavranNuts & bolts for boards: Whatethics oversight really means»»Total independence is an unattainable goal. The best we can hope for is to continually get closer to that goal.»»Perhaps the best we can ask of boards is a “good faith effort” toward being as independent as possible.»»The level of independence on the board informs the culture of the organization, and vice versa.»»Independence is more attainable when the board aims for a operating culture that values ethics over compliance.»»You get what you measure, and assessing the effectiveness of the organizational culture requires that one ask differentquestions and apply different standards than when assessing organizational compliance.Compliance & Ethics Professional March/April 2012NavranThe demands on boards of directorsare changing, after a spate of globalethics scandals, updates to the FederalSentencing Guidelines for Organizations(FSGO), requirements from Sarbanes-Oxley(SOX), and new standards of independence.These changes address both theindividual conduct of directors andincreased responsibilities for boards,including the oversight of organizationalethics and compliance, andthe understanding and practice ofwhat is expected and required ofdecision-makers if they are to meetthe organization’s standards for doingwhat is “right, fair and good.”To fulfill their new responsibilities inthe area of ethical oversight, many boardmembers find themselves directing a set ofactivities in an area where they have littlefamiliarity. These activities include seekingspecific information from Ethics andCompliance offices, interpreting that information,engaging independent ethics assessors,and knowing what to look for in an independentethics assessment. As a result, manyboard members can experience a sense ofexposure, uncertain if they are effectivelymeeting the requirements associated withoversight of organizational ethics.This article explores the current level ofunderstanding as to what ethics oversightentails and highlights areas of emerging consensusand differences of opinion.IndependenceLet’s begin with a discussion of the basicissue—independence. Both regulation andpublic opinion are advocating greater “independence”among board members. Thisis commonly understood as having twomeanings:1. Reducing the number of “executive” boardmembers (i.e., members of the board whoare also active members of the executiveleadership of the organization itself), and2. Reducing the conflicts of interest boardmembers might experience in the exerciseof their board duties and responsibilities.Independence is a “term of art” thattypically is used to indicate a freedom fromconflicts of interest. Conflicts of interest referto the real or perceived tension that decisionmakersexperience between what is in the bestinterest of the organization on whose behalfthey are making the decisions, and the interestsof the decision-makers themselves.In the first instance (reducing the numberof “executive” board members), the concernis that the board has responsibilities to hire,44 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

evaluate, compensate, and sometimes fire theCEO. Does a CEO’s presence on the board (orworse, a position as chairman of that body)conflict with the board’s obligations to acton behalf of the organization’s stakeholders,investors, and others? Does the CEO’s presenceon the board compromise the board’sintegrity or, equally legitimate, create anappearance of a compromise to the reasonableobserver?Independence is a special case of applyingthe principle of fairness. If I am to be fairin the exercise of my duties and obligations,then I ought not be influenced by the impactof my actions on my personal wants or needs.I ought to be able to make decisions as a boardmember independent of concern for WIIFM(What’s In It For Me?).Can independence be absolute?Can I ever make a decision without consideringwhat will happen to me as a result of thatdecision? In a word, no! Every business decisionany board member makes is conflicted,because it is subject to the external influenceof potential personal loss or gain. If I am aboard member and choose to do X—anythingat all—and my sole basis for choosing X is thatI truly believe it to be the very best thing to dofor the company, am I free from conflict or theappearances of conflict?Perhaps not. If it is good for the companyand I am board member, doesn’t that improvethe odds that it is good for me too? If the decisionmakes the company more profitable,safer, more efficient, better respected, or moresuccessful by any measure, then I may be recognizedas having contributed to that success.I get to keep my board position. I continue todeserve and earn the respect of my peers. Iam acknowledged as having contributed. Myshares increase in value. All of these outcomesaccrue to me and all of them are of value tome, thus I gain from my decision.Sanford Krolick suggested in his bookEthical Decision Making Style 1 that there arefour sets of criteria that are considered everytime any member of an organization at anylevel (up to and including members of theboard) considers a business action or makes abusiness decision. To paraphrase Krolick:··Pragmatic considerations: What are thebusiness consequences of this action ordecision?··Altruistic considerations: What impactwill this action or decision have on othersor my relationship with them?··Idealistic considerations: What is the rightthing to do, as defined by the values andprinciples that apply to this situation?··Individualistic considerations: What willhappen to me as a consequence of thisaction or decision?If we focus on the individualistic, wemay argue that it is difficult (perhaps impossible)to consider any decision as whollyindependent. The argument states that inevery decision, the person acting experiencessome individual consequences. Even a whollyunselfish act of doing for others may leave aresidue of satisfaction, joy, or comfort in theperson committing the act, or may result inothers noting the action and finding it admirableor praiseworthy. A similar claim couldbe made that there is an individualistic elementin any act of idealism or pragmatism.No matter what we do, there is a personalconsequence and there may be a personalbenefit, even if wholly “internal” to thedecision-maker.If this is an accurate description ofhuman psychology, and I believe it is, thenwe cannot escape the reality that everyaction and decision has the potential forpersonal impact. Therefore, absolute independence(e.g., 100% altruism, pragmatism,and/or idealism untainted by individualism)is a myth.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 45

Compliance & Ethics Professional March/April 2012What do we really mean by independence?If we agree that absolute independence isunattainable, then what are we left with asan ideal? Perhaps we can merely hope thatthe preponderance of the influence will be forthe greater good and that we will consciouslywork to recognize and minimize the influenceof the individualistic considerations as wemake our decisions.We agree that boards of directors needto address the concern about the lack ofindependence of their members. If absoluteindependence is unattainable, what should wedemand of our boards? I suggest the best wecan ask is “good faith.”Is good faith the most we ought to aspireto? It is enough that the decision-maker merelysubordinates the individualistic considerations(What’s in it for me?) to the pragmatic (Whatis best for the company?), the altruistic (Whatis best for the company’s stakeholders, shareowners, employees, customers, suppliers, etc.?)and idealistic (What is the right thing to doaccording to the applicable values and principles?).Given the inability to ensure absoluteabsence of conflicted interests within a board,I suggest that good faith may truly be the bestwe can expect. Appropriate board structuresand the nurturing of an ethical culture withinthe organization and the board can reinforcegood faith.Board ethics structuresHow might the board structure itselfregarding organizational and board ethicsresponsibilities?··Who should be on the ethics committee?··What should that committee do?··Who oversees the ethics committee?··Where does the ethics committee go whenthey have a question?These questions do not lend themselves topat answers. Rather they present opportunitiesfor the board to engage in thoughtful refectionas to how this board might best address itsethics oversight obligations. In those deliberations,there are several things the board mightconsider.What can directors do to ensure an ethicalorganizational culture?Perhaps the most powerful tool available toboards is an independent ethics assessment.What is an ethics assessment? What are theoptions, and what are the advantages and disadvantagesof those options?Ethics assessments are perhaps the mostaccessible means of entry into the ethics consultingarena for those who wish to offerethics-related services to their clientele. This isespecially true for accounting firms that maysee an ethics assessment as a natural extensionof a financial audit, because many timesethical irregularities are unearthed whenconducting a routine audit of a client’s books.This interest in ethics assessments is peakingin light of recent changes to the FederalSentencing Guidelines for Organizations andthe continuing impact of Sarbanes-Oxley.The least comprehensive ethics assessmentis the compliance assessment. This is theprocess whereby the assessor determines thedegree to which one’s ethics program meetsthe standards set forth in applicable law, regulation,and policy, and the degree to whichorganizational and individual behavior satisfiesthe requirements of that program.Toward the middle of the spectrum, culturalassessments explore how employeesand other stakeholders perceive the standardsand behavior of the organization. They assessthe priorities and ethical effectiveness ofindividuals, groups, and units as well as theorganization as a whole.The other extreme of the assessment continuumis the systems assessment. In thisprocess, one assesses compliance and cultureas part of a bigger whole; the degree to46 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

highly individualized. Leaders may find thatthey have removed the specific actor, but havedone little to alter the forces which motivatedthe undesirable act.which the ethical principles, guidelines, andprocesses of the organization are integratedwithin the organizational system.There are innumerable variations inbetween the two extremes, and each type ofassessment is progressively more complex andoffers the client a set of data which is morecomprehensive. There is nothing wrong withany of them. Each serves a different purpose.What is wrong is when clients’ needs arenot served because they have received thewrong assessment for their desired outcomes.If, for example, the client organization has anexisting program to prevent and detect ethicsviolations and merely wishes to ensure that theprogram satisfies the requirements specifiedin the current iteration of Federal SentencingGuidelines for ethics violations, then a complianceassessment is an appropriate response.If the client suspects intentional orunintentional wrongdoing and wants tounderstand why it is occurring, then a culturalor systems assessment may be a better choice.One limitation of the compliance-orientedapproach is the difficulty managers may haverecognizing themselves in the findings andaccepting responsibility. Compliance assessmentsare narrowly focused and representa high degree of vulnerability to anyoneidentified as “out of compliance.” Thus,many leaders go to great lengths to distancethemselves from these types of findings.Interestingly, an organization’s first responseto negative findings is often punitive andGoing beyond complianceIf the organization wants to address the rootcauses of unethical behavior, then a systemsassessment may be the more effective alternative.For some, a compliance assessment maybe all that they know to ask for. These managersmay not appreciate what else might beaccomplished through a culture- or systemsfocusedethics assessment. Their assessor,especially if that service provider is a legalor financial professional, also may not knowwhat to offer, or have the wherewithal toprovide a more comprehensive and/or appropriateethics assessment alternative.There are two traditional ways to gobeyond a check on organizational and individualcompliance: the cultural assessment andthe systems assessment.Cultural assessments have been usedextensively by management consultants overthe years. They assess perceptions and identifyissues relating to how specific groupsof stakeholders view targeted aspects of anorganization, such as leader effectiveness,decision-making, and change management.Their inherent limitation is that they, like thecompliance assessment, do not identify underlyingcauses.Several years ago, some managementconsulting firms that had become involvedin ethics management, including NavranAssociates, saw the value of applying “systems”methodology to ethics questions (e.g.,employee perceptions of leader integrity, theeffectiveness of ethics policies, confidencein ethics systems, and the effectiveness ofemployee hotlines in informing and changingbehaviors) as a supplement to complianceassessments.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 47

Compliance & Ethics Professional March/April 2012Systems assessments uncovered wholenew sets of data, very different from thatavailable through compliance assessments.Managers, accustomed to other culture assessments,were comfortable with the way the datawere presented and understood their responsibilityfor addressing the issues raised. Thesedata were often viewed as less threateningthan the findings of compliance assessments.They often pointed to widespread patterns ofbehavior within the organization and raisedbroader issues of how the cause of the behaviormight be identified and altered to changefuture results. Thus, systems-oriented ethicsassessments were more likely to produce thedesired change over the long run.Where other assessments were oftenlimited and narrowly focused, systems assessmentsviewed the organization as a whole andexamined the interconnectedness of the ethicsissues within that system, and between thatsystem and critical elements of the environmentwithin which it operates. Systems-basedethics assessments, at a minimum, typicallyexamine the relationships within and betweenthese thirteen components:··Mission—the perceived purpose of theorganization. What is its reason for being?··Vision—the perceived ultimate futurestate of the organization. What will theworld look like if the organization successfullyfulfills its purpose?··Values—the underlying principles and theoperating definition of what is right, fair,and good as it applies to this organization.··Environment—the ethical alignmentbetween the organization and stakeholdersexisting outside the organization: customers,suppliers, competitors, unions, regulators—every external entity that has a stake in theorganization or effects its operations.··Resources—how tangible and intangibleresources enable or limit the organization’sability to pursue its mission within its predefinedethical boundaries.··History—how the organization’s historyshapes or limits its ability to operate,per its stated values, in the pursuit of itsgoals.··Strategic goals—the ethical issues associatedwith setting and attaining strategicgoals and how congruent those goals arewith the organization’s vision and values.··Strategic plans—how the organizationgoes about attaining its strategic goals andthe ethics issues raised by those plans.··Task definition—how the organizationdefines its work and the ethical implicationsof both preparing employees to dothe work and the inherent rewards theyderive from doing it.··Formal systems—any ethical issuesinherent in conformance to the formalorganizational systems, such as policies,procedures, rules, and regulations.··Informal systems—any ethical issuesinherent in conformance to the informal,especially leader-based or peer groupbasedsystems.··Individuals—the values and principlesmotivating individuals within the workforceand how well those values match thestated values of the organization.··Feedback—how the organization learnsfrom its experience and the impact oflearning (or not learning) on the ethicalgrowth and maturity of the organizationand its employees.As we examine traditional rules-orientedassessments and more systemic ethics-focusedassessments, we can note some significantdifferences.48 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Table 1: Differences between traditional assessments and ethics assessments.Assessment Characteristic Traditional (Regulatory) Assessment Ethics AssessmentObjectives Compliance with required standards Compliance status as well as insights into values/principles‐based culture and norms.Assessor qualifications Qualified assessor with content expertise(e.g., laws, rules, regulations)Qualified assessor with content expertise and supplemental“process” expertise (e.g. OD*, OE*, Change Management)Assessment approachAssessment observationsFollow-up requirementsChecklist of items that correspond toregulatory requirementsNon-compliance observations (i.e.,deficiencies)Ensure corrective actions are taken toaddress identified deficienciesChecklist of items as well as open-ended questions thatinvestigate context and how that context was created/maintainedNoncompliance issues as well as OD/OE observations of“ethics” process effectiveness, employee perceptions, andrelated concernsEnsure corrective actions are taken to address identifieddeficiencies, as well as collaboration to ensure that the clientknows how to address the noncompliance observations (e.g.,assistance in drafting RFPs* if external assistance is beingsought, because bad RFPs lead to bad projects)*OD=Organizational Development; OE=Organizational Effectiveness; RFP=Request for ProposalIt should also be noted that not all “ethics assessments” are created equal. There is a continuumof sorts between a minimal ethics assessment and a truly comprehensive ethics assessment. Thefollowing table illustrates what some of those differences might look like. It is not a question of themore comprehensive one being inherently “better.” Rather, the operating question is, “What level ofdetail best fit the needs of the organization?” with “fit” being very much a “systems” concept.Table 2: Differences between types of ethics assessmentsLess comprehensive ethics assessmentThe goal is typically to gain insight into the ethical status quo andgauge potential support for or resistance to any contemplatedchange.The questions being addressed are typically defined, at least inpart, by the leadership of the organization, and can be used tosimply paint a picture of the current state, provide baseline datauseful in creating a new ethics initiative, or assess progress of anexisting initiative.The methodologies would characteristically include key personinterviews, focus groups, some form of employee/stakeholdersurvey, and a review of organizational documents.The criteria are adapted to the goals of the organization (e.g.,compliance with external standards and perhaps a narrow focuson one element of an organization’s current ethical culture).The output is a written report of findings, conclusions, andrecommendations supplemented with an executive briefing.The recommendations, with rare exceptions, are non-binding.More comprehensive ethics assessmentThe goal is to provide a defensible evaluation of the organization’scurrent effectiveness in meeting certain previously agreed-to ethicsand compliance standards, as well as the presence of certainobservable structural elements, their perceived effectiveness, andtheir impact on the organizations continuing development.The questions being answered are both standardized(e.g., presence and impact of the various components of an“effective” program as defined within the FSGO), supplementedwith organization-specific questions regarding ethics systemseffectiveness and utility.The methodologies are the same as in an assessment (key personinterviews, focus groups, some form of employee/stakeholdersurvey, and a review of organizational documents). Both the depthand breadth of the components are greater.The criteria against which the organization is measured far exceedcompliance issues. One example is inclusion of questions related tostandardized instruments (e.g., ERC’s NBES*) that explore attitudesregarding elements of the ethical culture.The output is a written report of findings, conclusions, andrecommendations supplemented with an executive briefing.The recommendations, with rare exceptions, are at leastsomewhat binding. Rejection of a finding would be for cause, notjust managerial prerogative. Organizations would need a defensiblejustification for ignoring the findings and/or recommendations.*ERC’s NBES = Ethics Resource Center’s National Business Ethics SurveyCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 49

Compliance & Ethics Professional March/April 2012Possible oversight roles for an ethics committeeIf we assume that there is an effective ethicsmanagement function within the organization,then the Ethics Committee of the Board wouldhave oversight responsibility to ensure compliancewith the organization’s standards andprocedures. Some oversight roles might be:1. Contribute to the continuing definition ofthe organization’s ethics and compliancestandards and procedures.2. Oversee responsibility for overall compliancewith those standards and procedures.3. Oversee the use of due care in delegatingdiscretionary responsibility.4. Oversee communication of the organization’sethics and compliance standards andprocedures, ensuring the effectiveness ofthat communication.5. Monitor and oversee the regular assessmentof the impact of the ethics andcompliance function on the organization’sethical culture.6. Oversee enforcement, including the assurancethat standards are uniformly appliedand discipline is uniformly utilized.7. Take the steps necessary to ensure that theorganization learns from its experiences.8. Ensure that the above are regularlyassessed by an “independent” assessor.But an ethics committee, whether operatingat the board level or as an operational committeereporting to the board, can do much more.The committee can be charged to ensure thatthe organization exceeds the requirements foran effective ethics management process. Foreach of the above arenas of responsibility, theremay be several specific roles.Contribute to the continuing definition ofthe organization’s ethics and compliancestandards and procedures.··Determine which areas of operationrequire standards and procedures.··Review existing standards and proceduresfor completeness and utility.··Use information gleaned from employeeand member reporting and clarificationprocesses (e.g., employee hotlines, independentethics audits) to stimulate standardsand procedures revisions.··Review employee and member surveydata to determine where revisions toorganizational standards and proceduresare called for.··Assign responsible functions the task ofredefining the organization’s positionvia a new or revised set of standards andprocedures.··Recommend methods for more effectivelycommunicating standards and proceduresto ensure they are understood andaccepted by employees and others.··Recommend the management behavior(s)needed to reinforce the standards andprocedures.Assume oversight responsibility for overallcompliance with those ethics and compliancestandards and procedures.··Take the position that the committee is theresponsible authority for ethics compliancein its area of jurisdiction.··Be the final voice concerning interpretationsregarding the organization’s ethicsand compliance standards and procedures.··Make recommendations on improving theexisting compliance mechanisms.··Oversee the use of due care in delegatingdiscretionary responsibility.Oversee the use of due care in delegatingdiscretionary responsibility.··Define how the organization will balancethe rights of the individual applicant/employee/member and the organization’sneed to avoid increasing the risk of a50 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

future violation that comes with placing aknown or suspected violator in a positionof discretionary responsibility.··Oversee the background investigations ofapplicants/employees/members who arebeing considered for positions of discretionaryresponsibility.Communicate the organization’s standardsand procedures, ensuring the effectivenessof that communication.··Determine the mechanisms for communicatingthe organization’s ethical standardsand procedures.··Develop and distribute appropriate documentsand/or underwrite training, toensure that all employees know andunderstand the standards and procedures.··Develop mechanisms, such as needs analyses,to identify employees’ or members’areas of concern or confusion.··Coordinate policies to ensure that the messagescontained in them are not in conflictwith one another.··Recognizing that communication is twoway,determine mechanisms for solicitingstakeholder input into how standards andprocedures are defined and enforced.··Develop certification mechanisms toensure that the organization has evidencethat each employee has received the appropriateinformation and understands thestandards and procedures they describe.··Create mechanisms (such as ombudsmanoffices or employee hotlines) tofacilitate employees receiving “safe”guidance and/or policy interpretationand to ensure each employee’s access to a“safe” mechanism for reporting suspectedwrongdoing.··Determine what training is necessary foroptimum compliance levels with the publishedstandards and procedures.Monitor and assess compliance.··Develop the internal control mechanismsnecessary to demonstrate individual andorganizational compliance with the publishedstandards and procedures.··Develop mechanisms to demonstrate theeffectiveness and reliability of the internalcontrols.··Develop mechanisms to assess the compliance-relatedrisks associated with theorganization’s strategic and operationalgoals, objectives, and plans.··Develop mechanisms to ensure that formalizedmeasurements and rewards donot motivate noncompliance with the organization’sstandards and procedures.··Develop and support whatever additionalreporting mechanisms are deemed necessaryto effectively monitor and assesscompliance with the organization’s standardsand procedures.Oversee enforcement, including the assurancethat discipline is uniformly applied.··Develop mechanisms to ensure consistentdisciplinary responses for essentially similarviolations (i.e., ensure that there are notdifferent standards applied for differentemployees based on position, performance,function, etc.).Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 51

Compliance & Ethics Professional March/April 2012··Ensure that disciplinary provisions existfor both those who violate the standardsand procedures and those who knowinglyignore such violations.Take the steps necessary to ensure that theorganization learns from its experiences.··Develop the mechanisms necessary toidentify why misunderstandings and/orviolations occur and to ensure that thelessons learned are systematically appliedto reduce the probability that similarquestions/actions would recur.··Follow-up on recommendations made toimprove compliance mechanisms.Other roles and responsibilitiesThe use of ethics committees for executiveand/or administrative oversight of the variousethics effectiveness and ethics managementprocesses is widespread but, in some cases, theethics committee is also being required to performfunctions that are at odds with the areasof responsibility shown above.Ethics committees rightly serve an executiveoversight and leadership role. That roleshould not be compromised by having thecommittee responsible for the investigationof alleged wrongdoing or the definition ofspecific disciplinary responses in individualcases. This confuses the issue. Responsibilityfor oversight should be free from the prejudicesassociated with operations. The ethicscommittee should be the advocate for effectiveethics management processes, nothingmore. It best represents the organization’sand employees’ interests by ensuring that theethics management systems are effective andmeet the requirements of applicable law andguidelines.It would be inappropriate for an ethicscommittee to be involved in fact findingand/or discipline regarding alleged or provenethics violations. That role puts them in the“Ethics managementprocesses work best whenemployees/membersbelieve that thoseprocesses are neutral,and the fairness andimpartiality in the processis not compromised.”position of being the facilitators of policy, theinvestigators of specific circumstances, and thedispensers of punishment.The biggest concern is not the committeeemployees’ or members’ ability to handlethe multiplicity of functions. Rather, it is theimpact that such a multiplicity may have onthe perceptions of employees or members whomight shy away from using available ethicsresources because of a perceived conflict ofinterest between the roles of executive oversight,policy interpretation, advocacy for theemployee or member, and advocacy for theorganization.Ethics management processes work bestwhen employees/members believe that thoseprocesses are neutral, and the fairness andimpartiality in the process is not compromised.Active participation in the day-to-daymanagement and implementation of ethicsprocesses takes the ethics committee out ofthe role of overseer and makes them the managersof the ethics functions. This is akin tohaving the comptroller also be the auditor.There is too great a potential for independenceand impartiality to be sacrificed for it to beendorsed as a preferred practice.Although the ideal may be to distance theethics committee from day-to-day operations,that may not be feasible. If the ethics committeeis to provide oversight and operationalmanagement, that becomes a strong argument52 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

for regular ethics effectiveness assessmentsfrom an independent third party. Assessmentscome in all shapes and sizes. The closer theethics committee is to daily operations, themore comprehensive the independent assessmentshould be.In summary, ethics committees can meetthe requirements of the Federal SentencingGuidelines for high-level responsibility foreffective ethics oversight. They can serve amultitude of roles and responsibilities, butspecial care must be taken when those roleinclude the day-to-day operation of the ethicsmanagement processes. Such care will ensureemployee/member confidence in the organization’scommitment to independence andimpartiality in decision making.ConclusionNot every ethics assessment should be a systemsassessment. There is a time and placefor compliance and culture assessments, butwe should never forget that organizations arecomplex systems made up of interconnectedparts and are themselves part of larger, morecomplex systems, industries, and society.Often, to understand systems requires a systemicapproach.When the issue is change—fundamentaland ethically consistent change—the systemsassessment provides the decision-makers andchange leaders with the breadth and depthof information needed to make that changehappen and endure. The systems assessmentis the tool for today, when organizations areundergoing fundamental change in what theydo and how they do it, but are choosing tohold on to their core values, principles, andethics, and where the ultimate goal is the moreethical organization.As more and more vendors get into thisfield, it may be useful to the reader to recognizethat not every assessment measures thesame things or provides the same value tothose who read its results. An effective assessmentought to define:1. What data ought the Ethics office/functionbe required to provide to the board?2. What do those data mean? (e.g., How manycalls to the ethics line is a “good” number?)a. Where possible, current practices willbe identified and critiqued.b. Available options, including emerging“best practices” (where such exist) willbe discussed.c. An approach will be described thatguides board members in the determinationof how best to address theirspecific ethics oversight issues andneeds.d. Based on this presentation, it isexpected that board members can beincreasingly confident that they willmeet mandated requirements for ethicsoversight. Furthermore, they can beassured that they are reducing theirpersonal exposure while contributingto the realization of higher levels oforganizational ethics.This document and the recommendationsit presents are but a beginning to buildingboard member confidence, reducing a board’ssense of exposure, and providing individualboard members with the confidence that theyare meeting the requirements associated withthe oversight of organizational ethics. It representsa start of what is truly needed for boardsto effectively fulfill their fiduciary and legalobligations regarding organizational ethicsby providing a conceptual framework anda shared vocabulary necessary for ongoingdialog. ✵1. Sanford Krolick: Ethical Decision-Making Style, Survey andInterpretative Notes. 1987, Addison Wesley. ISBN 0-201-16412-4Frank J. Navran is the Founder and Principal Consultant of NavranAssociates. Frank has worked with clients in more than twenty countriesand has authored five books and more than two hundred articles andbook chapters. He may be contacted at frank@navran.com, or for moreinformation, www.navran.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 53

CongratulationsNew CCEP © designeesAchieving certification required a diligent effort by these individuals.CCEP © certification denotes a professional with sufficient knowledgeof relevant regulations and expertise in compliance processes to assistcorporate industries in understanding and addressing legal obligations.Certified individuals promote organizational integrity through thedevelopment and operation of effective compliance programs.Compliance & Ethics Professional March/April 2012··Keyhan Afaghi··Kevin Anderson··Rachel Batykefer··La Tricia Blackburn··Tiffani Bragg··Ellen Brandt··Sabrina Brutus··Diane Burger··Susana Caballero··Joseph Campbell··Lori Coffman··Pamela Deboer··Olufemi Dekalu-Thomas··Dave Dixon··Vu Do··David Douglass··Thomas Flint··Robert Frisbee··Elizabeth Gilbert··Carrissa Gonzales··Steven Gregory··Joseph Guagliardo··Thomas Hardin··Lucy Hernandez Delgado··Gregory Hodge··Patrick Hogenbirk··Bill Jones··Jim Kern··Debora Kohan··John Kotlarczyk Jr.··Gerilyn Kusnierek··Robert Leblanc··Sabrina Leite··Roxanne Loomis··John Lossing··Vicki Marsee··Krista Mathews··Steve McFarlane··James McKillop··John Monzone··Ellis Murtha··Juan Musso··Krista Muszak··Felipe Pereira··Gabriela Perez··Louis Perold··Anna Peterson··Susan Pierce··Giovanni Porcelli··Melissa Pretlow··Virginia Ramirez··Catherine Ruster··Michael Sachs··Gordon Scott··Makisa Sherry··Bradley Siciliano··Sarah Sims··Naraiana Souza··Barbara Stein··Tina Stinson-Dacruz··Barbara Stockman··Ana Carolina Szytman··Dee Taylor··Jackie Thomas··Tina Tolliver··Carlos Ubieto Quan··Randy Watanabe··Douglas Webb··John Williamson··Shawn Wilson··Eric Wilson··Cheryl Winter··Russell Woods··Monty Wu··Deborah Ziegler··John ZinkThe Compliance Certification Board offers you theopportunity to take the Certified Compliance andEthics Professional (CCEP) © certification exam.Please contact us at ccb@corporatecompliance.org,call +1 952 933 4977 or 888 277 4977, or visitwww.corporatecompliance.org/ccep54 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

y Charles ThomasMultinationalsand due diligence:What are the red flags?»»Failure to comply with regulations like FCPA can cost companies millions.»»Due diligence processes help companies avoid risk and make informed decisions.»»Due diligence is about building trust and strong relationships.»»As companies implement due diligence processes, they will encounter “red flags.”»»It’s important to examine red flags carefully—they may be false positives.ThomasDue diligence is supposed to inspiretrust in the business relationshipsthat companies rely on. And yet,nearly half of companies with due diligenceprograms in place also report they lack confidencein the process, according to Dow Jones’State of Anti-Corruption ComplianceSurvey 2011. 1 That’s no way to dobusiness—not in a global economywhere international operations representboth opportunity and risk.The UK Bribery Act, which cameinto effect in July 2011, adds a new layerof complexity to an already confusingminefield of regulation and jurisdiction.Failure to comply with it or with the USForeign Corrupt Practices Act (FCPA) could costcompanies millions of dollars and could evenland senior executives in jail. On the reverseside, proper due diligence allows a company toavoid risk. According to the Dow Jones survey,more than half of companies have delayed oravoided working with global business partnersbecause of concerns about corruption.Due diligence and the prevention of briberyDue diligence is a term used for a number of conceptsinvolving the investigation of a person orentity prior to the signing of a contract or a specificact. Due diligence programs should be morethan just impressions formed in internal conferencerooms. Due diligence should be a dedicatedprocess that allows companies to make decisionsbased upon reliable, actionable information.The Bribery Act Guidance issued by theUK Ministry of Justice in 2011 outlines six keyprinciples 2 that companies need to refer towhen undertaking procedures to prevent bribery,both within their organization and by thepeople who operate on their behalf. In brief,the principles are:··Proportionality. Companies need to assessthe bribery risks they face and the size oftheir business. This will help to influencewhat steps are taken, including in the fieldof due diligence.··Top-level commitment. Companies needto show through their actions that theywill not tolerate infractions of any kind.··Risk assessment. Any company that isat risk from corruption needs to researchthe markets it operates in and the peopleinvolved with the company.··Due diligence. This includes any investigationcovering agents, employees,partners, or others associated with a deal.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 55

Compliance & Ethics Professional March/April 2012··Communication. Companies need toexplain policies and procedures to staffand others.··Monitoring and review. Policies, procedures,assessments, and due diligenceshould be kept up to date and checked onperiodically.Red flagsAs companies implement their due diligenceprocesses, they’ll likely encounter one or more“red flags” that might divert their attention oreven impede their progress. Below are some ofthe common issues and suggested techniquesto address them.··Too much information on the Web.Consider adapting your search parameters,getting a team involved, or contracting theresearch to a firm with specialist researchcapabilities.··Too many people with the same name.Again, adapt the search strategy, get extraidentifiers, or use a professional firm. Adatabase that allows for name variations isalso very useful.··No results. There are a few possibleoptions here: (1) The person has left a verylow public profile and there are no negativeissues relating to him/her; (2) The individualhas altered or concealed his/heridentity; and (3) You have incorrect details.Ask the individual under examination toconfirm personal and business information.It could be a major red flag if searchresults don’t produce anything of value.··Similar name with a red flag. If the nameis common, this may or may not indicate aproblem. Consult with an expert to checkthe identifiers you have in place.··The subject is on a sanctions list, or hascommitted a crime, or there are allegationsof a crime. A red flag might be abig issue or it might be an error—a false“It’s important to takeaway that, on furtherexamination, these redflags may turn out to befalse positives. Reportsmay relate to anotherperson, for example.”positive. Have the result reviewed andconsider further checks.··The subject has a long, complex history.A high-profile individual or firm mayhave many red flags, some of which canbe explained by media errors or politics.If you want to proceed, you will almostcertainly have to use a higher level of duediligence and possibly make some difficultjudgment calls.··The subject has no significant problems,but has a history with colleagues/partners.Often, a subject will claim (or a publicrecord will indicate) that an individual orfirm was linked to someone who encounteredan issue, but held no blame. This willprobably require more in-depth investigationand assessment. Dealing with red flagsrequires discretion, diplomacy, legal compliance,and business sense.It’s important to take away that, on furtherexamination, these red flags may turnout to be false positives. Reports may relate toanother person, for example. In other cases,results will be correct, but the information canbe set aside for further investigation, if necessary.For example, if the subject was the clientof a financial institution that had fraud problems,but there is no suggestion the subjectwas anything but a victim.Last, sometimes the evidence maybe strong enough to justify ending the56 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

Become a CertifiedCompliance & EthicsProfessional (CCEP) ®Broaden your professional qualificationsIncrease your value to your employerGain expertise in the fast-evolvingcompliance fieldThere’s never been a tougher or better time to bea part of the compliance and ethics profession.Budgets are tight, governments around the worldare looking to add new regulations, public trust inbusiness is low, and employees are tempted to cutcorners.As a Certified Compliance and Ethics Professional(CCEP) ® you’ll be able to demonstrate your abilityto meet the challenges of these times and have theknowledge you need to help move your programand your career forward.Learn more about what it takes to earn the CCEP ®at www.corporatecompliance.org/ccepHear from your peersGayle L. Macias, MBA, CCEP, CGMS, SeniorDirector, Corporate Compliance, Office ofAccountability, Compliance and Ethics (ACE),Audit & Risk Management/SST1) Why did you decide to get certified?Nearly two years ago, our board and senior leadershipdecided to develop a formal corporate complianceprogram and asked if I had any interest inassisting in the design and implementation phasefor a 6 to 18 month “secondment.” I was asked toconsider the assignment, given my background inthe Legal department supporting government grantcompliance. Our VP of Audit and Risk ManagementServices recommended the SCCE CCEP as a wayto gather the information and skills necessary to besuccessful. The organization supported me in thecertification process in November 2009, and as theysay, the rest is history! Within the first 6 monthsof the secondment, I was “hooked” and when theactual position was posted, I applied. I am currentlythe Senior Director of The Office of Accountability,Compliance, and Ethics for World Vision, Inc.2) Has obtaining the CCEP certificationhelped you? If so, in what ways?Yes, very much so. The materials, information(e.g. The Complete Compliance and Ethics Manual,books, and other resources) as well as the excellentinstruction provided at the Academy have assistedme in the customization of a corporate complianceand ethics program for my organization. Certificationshows a true commitment to the profession anda way to embrace a specific body of knowledge.In addition, the CCEP certification provides a wayof showing a level of expertise and respect fromcolleagues, as well as other professionals in theprofession. In addition, in order to retain certification,professional development is a must—it keepsyou up to date and knowledgeable by meeting thebiannual CPE requirements.3) Would you recommend that your peersget certified?Certainly! I don’t know how anyone can design, develop,implement, and keep such a program currentand relevant without a strong foundation and networkof other professionals to draw from. In today’sworld, professional certification is a valuable asset,both for the individual, as well as their organization!

y Thomas W. KirbyComputers and copyrights:A continuing source ofavoidable liability»»When employees share copyrighted materials, employers can take a huge hit—sometimes millions of dollarsfor something as simple as passing around an electronic newsletter to a few colleagues.»»Not all copyright cases settle.»»Under the “statutory damages” provision of the Copyright Act, a court is not limited by actual damages,but may award up to $150,000 in statutory damages for each work the defendant has willfully infringed.»»Courts are not shy about using the power of imposing statutory damages.»»Relatively simple best practices can greatly diminish your exposure.KirbyKindergarten teaches us to share, andcomputers make sharing quick andeasy. But when employees sharecopyrighted materials, employers can take ahuge hit—sometimes millions of dollars forsomething as simple as passing around anelectronic newsletter to a few colleagues.Let me give a few examplesfrom my recent experience representingelectronic newsletter publishers.The names are confidential (at leastin part because of the embarrassmentthat can be caused by companies’ violationsof the law and of the rights ofothers), but here are the basic facts:··Specialized lawyers in a national firm gotimpatient passing along a single paper copyof a newsletter and began forwarding theelectronic version simultaneously to thegroup. The firm settled quickly for well overa million dollars.··The founder of a modest family businessstarted grooming his two adult childrento take over. As part of their education, hebegan emailing them copies of his industrynewsletter. The firm settled for almost half amillion dollars.··A communications executive began forwardingan electronic newsletter to othersenior executives. The firm settled for a milliondollars.··Employees in a large real estate firm foundseveral newsletters useful and beganforwarding them to colleagues. The firmsettled for almost two million dollars.··The manager of a small consumer sales divisionforwarded a specialty newsletter to thepresidents of the division and the parent companyto help them understand how the fieldwas developing. After paying an estimatedmillion dollars in defense costs to its lawyers,the company also paid a $500,000 settlement.Of course not all copyright cases settle.Legg Mason 1 elected to litigate in defense of theactivities of research employees who had posteda subscription to Lowry’s Financial Reportson the firm Intranet and otherwise passed itaround. Legg Mason claimed my client’s actuallosses were tiny, but the jury awarded nearly$20 million in statutory damages.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 59

Compliance & Ethics Professional March/April 2012“It is important toremember that eachissue of a publication isa separate work entitledto a separate award ofstatutory damages.”My practice mainly involves representingelectronic newsletters, but a wide variety ofworks can give rise to serious copyright liability.For example, in one recent case an insurancebroker was found to have secretly copied a rival’sbusiness materials to make a series of successfulbusiness proposals. Instead of statutory damages,the plaintiff demanded the profits earnedby this infringement, plus interest covering thedecades before the infringement was discovered.Tens of millions of dollars were awarded.Another case involved copies of instructionsand advertising for storm windows. Theinfringers were former authorized distributors.Their failure to make a defense resultedin a default that was held to establish willfulinfringement. The court held that two registeredworks had been infringed and awarded$31,000 per work in statutory damages.These numbers are high because of a specialremedy in the law to implement the strongpublic policy in support of copyright compliance.Under the “statutory damages” provisionof the Copyright Act, a court is not limited byactual damages, but may award up to $150,000in statutory damages for each work the defendanthas willfully infringed. For non-willfulinfringement, the law identifies a range ofstatutory damages, depending on the circumstances,of up to $30,000 per work (with a floorof $750 per work in most circumstances).In addition, a winning plaintiff may alsobe awarded its legal fees in bringing thecase. The public policy underlying statutorydamages reflects the reality that it is extremelydifficult for a plaintiff to see copyrightinfringements in most cases, because theyhappen behind closed doors; thus, when aninfringement is discovered (sometimes by accident,sometimes through whistleblowers, andsometimes in other ways), through this seriousremedy the law wants to ensure that copyrightholders do not lose the incentive provided bycopyright to create and distribute new worksmerely because of infringers’ secrecy.Courts are not shy about using the powerof imposing statutory damages. I recentlydid a simple computer search for 2008–2011cases reporting copyright statutory damagesawarded by juries. I found about a dozensuch cases, involving all sorts of copyrightedworks. In two cases the juries had awardedthe maximum of $150,000 per work, and in athird the jury had awarded $140,000. The averageacross the dozen cases was about $75,000per work. Willfulness was found in almost allcases. The lowest award was $15,000 per work,and that was in unusual circumstances wherethe employer could not have known that anindependent contractor had been infringing.The news recently has focused on recordingindustry lawsuits against two individualswho were alleged to have posted thousands ofsongs for others to copy through peer-to-peersoftware; for purposes of keeping the trialsmanageable, each case focused on only 20–30songs. One infringer was a single mom; theother was a college student. The songs theyposted for free download were on sale overthe Internet for under $1 each. One case wastried three times, the other once. In each trial,the juries awarded tens of thousands of dollarsin statutory damages per song. The trialjudges have held that, for individuals actingfor personal pleasure completely outsideany business context, the awards should bereduced to $2,250 per song. For employers, the60 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

important message is the size of the awardsjuries are willing to make, even against defendantsof limited means.In one of the file sharing cases (SonyEntertainment et al v. Tenenbaum), 2 the U.S.Court of Appeals just issued its opinion. Thecourt reinstated the large jury award, holdingthat the trial judge should not have rushed tomake a constitutional ruling (that the damagesawards were unconstitutionally large) withoutfirst using its common law power to issue a“remittitur,” an order allowing a plaintiff tochoose between a reduced award and a newtrial on damages. The opinion is lengthy, butkey points for business and other institutionalinfringers include:··The right of copyright owners to demandthat a jury set statutory damages isreaffirmed.··Because statutory damages are intended todeter and punish as well as to compensate,it is error for a judge to tell the jury thatthe total amount of a statutory damagesaward needs in any way to be related tothe amount of actual damage (such as lostprofits) suffered by the copyright holder.··Presumably because of the differentpublic policies underlying copyright law,Supreme Court precedents limiting punitivedamages seem not to apply to statutorydamages. (The court avoided a directruling, but made its views pretty clear).Individual infringers may take someconsolation from the possibility of a remittitur.But that remedy offers little solace forbusinesses and other institutions, because nomodern U.S. court has ever granted a remittiturto such an infringer. Indeed, in the LeggMason case mentioned above, the trial courtdeclined to reduce a $20 million award forcopying a financial newsletter.It is important to remember that each issueof a publication is a separate work entitled to aseparate award of statutory damages. Thus, abusiness whose employees have been forwardingor otherwise infringing a daily newsletterfor a year faces a worst-case liability of almost$40 million. For infringement of a weekly, theexposure is nearly $8 million. So multi-milliondollar settlements often make sense.Your business doesn’t have to accept suchrisks. Relatively simple best practices can greatlydiminish your exposure. I discussed thosebest practices in an article I wrote in 2007, 3 andthe advice I give there still holds. Meaningfulemployee education, periodic polling ofemployees about copying, realistic evaluationof subscription needs, and taking out anappropriate license from Copyright ClearanceCenter, all taken together, will work. But effectiveprotection requires someone to take charge,whether it is corporate counsel, an informationprofessional, or an alert executive. So long asemployers’ heads remain planted in the sand,unpleasant surprises will arrive from behind.I represent publishers in addressinginfringements. But, those publishers muchprefer to make their livings from selling subscriptionsto the publications they create, andthey actively warn against infringement andencourage me to do likewise. However, astechnology has made copying easier, they havebeen increasingly victimized, and they are notgoing to take it anymore. Employers who providecomputer systems to their employees andreap the benefits of those wonderful devicesmust effectively prevent employee infringementand obtain proper licenses, or accept theconsequences. ✵1. Lowry Reports Inc. v. Legg Mason et al. 271 F.Supp.2d 737 (2003) UnitedStates District Court, D. Maryland, Northern Division. July 10, 2003.2. See Sony BMG Music Entertainment v. Tenenbaum, 721 F. Supp. 2d 85(D. Mass. 2010).3. Thomas W. Kirby: “Managing Copyright Liability in the ComputerAge.” Copyright Clearance Center, Inside Counsel, November 16,2007. Available at www.copyright.com/media/pdfs/article-inside-counselthomas-kirby.pdfThomas W. Kirby is a senior litigation partner at Wiley Rein LLP. He can bereached at tkirby@wileyrein.com.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 61

DON’T GOHALFWAY.GO 360.COMPLIANCE PROGRAM EFFECTIVENESS: You’ve established a complianceprogram – but can you prove that it’s working? Regulators now look beyond the presence of a compliance program,demanding concrete evidence that that your program is effective. Partial compliance is non-compliance. You need acomprehensive, unified solution that helps you identify and fix the gaps… before something falls through them.Learn more at the Compliance Effectiveness Resource Center: visit www.compliance360.com/EffectiveCompliance.GET THE 360° VIEW.www.compliance360.com

y Charles RuthfordIs your ethics and compliancetraining really preparingyour employees?»»Our current web-based ethics and compliance training may leave us unprepared for people having to deal with risks.»»We cannot assume that people under stress will first consider a rational, step-by-step process to deal with a risk.»»When facing a difficult situation that has personal consequences, the human mind bases its choices on intuition andemotion rather than rational reasoning.»»Interactive, collaborative, transformative, management-led learning activities can influence values, intuition, behaviors,decision-making, and ultimately bottom-line performance.»»Leadership and involvement by front-line managers is crucial to the success of training and change activities.RuthfordIhave good news and bad news. First letme give you the good news: Over the pastfew decades, the technology for onlineweb-based training has evolved significantly.Today’s courses are readily available, scalable,efficient, and reasonably good at conveyinginformation.The bad news? Online trainingdoesn’t typically prepare people toreact properly when faced with anethics challenge or compliance risk.In this article, I will show why onlinetraining comes up short. I also willdescribe how interactive, collaborative,transformative, management-led learningactivities can prepare people for thosedifficult situations.HistoryWhen we developed ethics and compliancetraining in the early 1980s, we used a fairlysimple approach. We explained the rules andexpectations, and made the consequences formisconduct clear. We provided the learnerwith tools such as an ethical decision-makingmodel that, if applied correctly, wouldlead people to the proper decision. And wedirected them to their management or anethics hotline for advice and help.These courses were designed and built byskilled training developers. They used stateof-the-artprocesses and were delivered byexperienced trainers. We started in the classroomand, over the years, transitioned to thepresent-day web-based delivery. The premisefor our design approach was simple: Becausepeople want to avoid the pain that couldresult from a misstep, they would recognizethe issue, pause before acting, and then gothrough an objective, step-by-step decisionmakingprocess. They then would respondappropriately to the questionable situation,and the sun would rise over our untarnishedreputation yet another day.Making choicesOur previous assumptions about how peoplereact under stress—and how this affects theirethical decision-making—may not be correct.Nobel Laureate Professor Daniel Kahnemanshows that people facing difficult situationsreact quickly. Their split-second choicesCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 63

Compliance & Ethics Professional March/April 2012are controlled by intuition and emotionrather than objectivity. Professor Kahnemandescribes two systems present in the mind inhis 2011 book Thinking Fast and Slow. 1 System 1operates automatically and quickly, with littleor no effort. There is no sense of voluntarycontrol. Examples of automatic activities associatedwith System 1 might include locatingthe source of a sudden sound, completing thephrase “bread and …,” or detecting hostilityin a voice. System 1 continuously assesses theenvironment around us. It creates heuristics,or “rules,” based on our observations, experiences,beliefs, and intuition. System 1 wants toknow how everything is going. If a threat orrisk is present, System 1 reacts quickly, first,and takes control.“If people react quickly anddepend on intuition and emotionrather than cognition in makingtheir choices, is it possible toinfluence those choices?I believe the answer is yes.“System 2 allocates attention to the mentalactivities that demand it. System 2 operateswhen you look for a particular person in acrowd, tell someone your phone number, parkyour car in a narrow space, or compare twoproducts for overall value. System 2 wouldrationally handle a six-step ethics decisionmakingprocess.Imagine a situation where you don’t meetexpectations or keep your promise. What’syour first reaction? If you’re like most people,you probably feel guilt, embarrassment, orshame. How can you face your colleagues,friends, or family? What if they find out thatyou’re a fraud or haven’t been completelyhonest? System 1 perceives this as a realthreat and snaps into action. Your mind reactsquickly, intuitively, and maybe even irrationallyto avoid exposure. System 1 applies thepreviously developed heuristics to figure outwhat to do. If you think the more rational,problem-solving System 2 is going to get anyairtime, think again. System 1 has control, andthis is when people start looking for shortcutsto avoid embarrassment. This is the time whengood people with honest intentions are mostlikely to have an ethics or compliance lapse.If people react quickly and depend onintuition and emotion rather than cognitionin making their choices, is it possible to influencethose choices? I believe the answer is yes.System 1 is influenced by a person’s underlyingvalues, beliefs, and experiences which, inturn, influence behaviors. Can personal valuesand intuition be influenced? Again, I believeresearch supports a “yes” answer.In the book Influence: The Psychology ofPersuasion, 2 Dr. Robert Cialdini describes sixinfluencers:··Reciprocity. If I do something for you, it’svery likely you will return the favor.··Liking. We want to be like the peoplearound us. Be it a fashion trend, languagestyle, or food choices, we as humans havean innate desire to fit in.··Social norms. “This is the way things aredone around here.”··Commitment and consistency. These aresubtle influencers. If we make a decision ortake a particular action, we will expend allkinds of effort and resources to make ourchoice or direction successful. This happenseven when the obvious course of action is todrop the project and cut our losses. To dropthe project is to say that our original decisionwas wrong. The mind has a hard timewith “being wrong.” It will make the casethat the original decision was the right oneand set out to prove it. This also is knownas throwing good money after bad.64 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

··Scarcity and Authority. The influence ofthese two is straightforward and obvious.I’m not going to say much more aboutthem because, over the long term, the firstfour influencers have a far greater effect onbehaviors. I’ll come back to Cialdini’s workin a bit.Scaling the learning approachA key step in any training design is to set yourachievement goals. The standard I like to useis Donald Kirkpatrick’s four-level learningassessment model: 3··Level 1 is Reaction. This measures whatstudents thought of the course. They alsomay recognize when they have encounteredan ethics or compliance issue.··Level 2 is Learning. Here the students cantell others, in their own words, about thematerial presented in the course. Learners“know” the material, but there is no guaranteethey would apply it.··Level 3 is Behavior. The students incorporatethe concepts of the course into theirpersonal values and intuition. They act inalignment with stated learning objectives.When Level 3 achievers encounter challengingsituations, their values, beliefs, andintuition have a chance of guiding theirSystem 1 responses in the proper direction.··Level 4 is Performance. The learners’actions have a measurable effect on theoutcomes of the organization. These outcomescould be reduced cost, improvedquality, or timelier delivery.Most of today’s ethics and compliancetraining efforts only achieve Level 1 or Level 2results. And although we wish all of ourcourses could lead to Level 3 or Level 4 results,unfortunately, most training budgets andresource allocations for ethics and compliancekeep us firmly grounded at Level 1 orLevel 2. Basically, the annual training is done,and we can tell the regulators that we are incompliance. However, if we could achieve atleast Level 3 results, we have the potential tosignificantly reduce organizational risk andassociated reputational and cost impacts.Good ethics and compliance habits alsobecome good performance habits.Here is a choice point. If Level 1 or Level 2learning and the associated risks are acceptable,then online web-based training isprobably your best choice. It’s scalable andefficient. However, if you wish to be better preparedand reduce your risks, then a differentlearning approach is needed.In the early 2000s, I was involved with adesign team that was trying to develop anonline learning activity for newly mintedfirst-line managers. Our promotion rate wasfairly low, and it took several months to filla classroom with 24 to 30 managers. Somepeople had to wait as long as six months toattend their first management class. The lackof knowledge and skills caused by the delaypresented unacceptable risks. This wasn’t anethics or compliance course, but the lessonslearned are applicable.The first thing we did was focus onthe attributes of highly successful learningexperiences. Not surprisingly, interactive,collaborative, and transformative learningactivities were more likely to achievea Kirkpatrick Level 3 or Level 4. When thelearner was able to influence the learning outcomes,the activity was even more effective.Yes, people can learn individually; however,the most effective learning occurs when peopleare learning together in a co-creative fashion.The resulting hybrid online learningexperience was a success. Students participatedin the class from their “home” locationsaround the world. A facilitator convened four90-minute conference calls with a “pod” of 10 to15 managers over a 45-day class term. Duringthe conference calls, the facilitator presentedtopics of interest. Managers were directed toCompliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 65

Compliance & Ethics Professional March/April 2012an online forum for their assignments andworked in three- or four-person study teamsto complete them. A portion of each call wasreserved for questions and answers. The onlineforum allowed managers to share ideas andask questions of their “pod mates.” An onlineassessment tool identified strengths and weaknesses.A website provided convenient access toresource and reference materials. The facilitatormonitored and contributed to the forum. Thestudy schedule was flexible, with the exceptionof the four calls.Finally, each participantwas required todevelop his or her ownpersonal learning planwith a set of learningobjectives. The scalabledesign allowed newclasses to start weekly,if needed.The managementtraining describedabove was successfulbecause it was interactive,collaborative, andtransformative. Thecourse had a leader,and the managerscould learn from each other. The managerscontrolled the learning pace. I’m not sayingthat all ethics and compliance courses shouldbe as elaborate as this one. We’d be run out oftown by senior management. I’m simply usingthis example to highlight the underlying attributesof the design.Let’s go back to the first four of Cialdini’sinfluencers: reciprocity, being like others,meeting the social norms of the group, andcommitment and consistency. I think you cansee how they meld together with the attributesof the successful management class. Thisapproach can influence values, behaviors, andthe all-important intuition.“The trust of managementis generally low, butemployees trust theirfirst-line manager themost. Why is this findingimportant? Because ittells us that if you want tochange things, first-linemanagers must beinvolved, and they need tohave a major role.”There is one more piece to this puzzle, andthen I’ll pull it all together. T.J. and SandarLarkin published some groundbreakingfindings in their 1994 book CommunicatingChange: How to Win Employee Support for NewBusiness Directions. 4 The authors found thatfirst-line managers are the most trusted membersof leadership. The trust of managementis generally low, but employees trust theirfirst-line manager the most. Why is this findingimportant? Because it tells us that if youwant to change things,first-line managersmust be involved, andthey need to have amajor role. This findingcan be applied toethics and compliancetraining.Managers can provideleadership withthe deployment oftraining activities. Toolssuch as the Internet,company Intranets,and streaming videoservers are usefulfor delivering trainingmaterials into thehands of first-line managers, who need to havean active role. The training must include interactiveactivities that require participants to talkand solve problems with each other. At the endof an exercise, a manager-led discussion aboutthe results helps crystallize the learning. If themanager’s only role is to get everyone into theroom and push the start button for participantsto sit and listen, then you are back to traditionalweb-based information transfer.To have effective ethics and compliancelearning experiences, we need to embrace anew model and approach. Gone are the dayswhere a single employee is interacting withhis/her computer. This includes apps on our66 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

smartphones. Although the phone is cool, it’sstill one employee interacting with the onlinecourse. We need to be using learning activitieswhere first-line managers gather team memberstogether and lead them through the coursework.In the course, they need to solve real-lifescenarios, deal with case studies that arerelevant to the employees’ organization, andengage in role-playing. This learning approachhas been shown to achieve Level 3 behaviorchange and, in some cases, Level 4 performanceimprovements. When we achieve Level3 results, people’s intuition is influenced, andtheir automatic System 1 responses are morelikely to be aimed in the desired direction.The bottom lineWe shouldn’t be asking, “How inexpensivelycan we do ethics and compliance training?”and then checking the box. We should beasking what kind of investment we are willingto make in order to minimize risk and, moreimportant, improve bottom-line performance.The good habits employees develop in thisapproach to ethics and compliance translateinto better performance in everything they do.People want to be known for good ethics, goodcompliance, good integrity, and good performance.It’s a matter of pride. Let’s give them achance to show us what they can do. ✵1. Kahneman, Daniel: Thinking Fast and Slow. New York: Farrar, Strausand Giroux, 2011.2. Cialdini, Robert B: Influence: The Psychology of Persuasion. New York:William Morrow and Company, Inc., 1984, 1993.3. Kirkpatrick, DL, and Kirkpatrick JD: Evaluating Training Programs(3rd ed.). San Francisco: Berrett-Koehler, 2006.4. Larkin, TJ, and Larkin, Sandar: Communicating Change: How to WinEmployee Support for New Business Directions. New York: McGrawHill, Inc., 1994.Charles Ruthford is a Principal in the Ethics and ComplianceConsulting practice of Solutions House in Seattle. He can be reachedat charlesr@solutionshouse.com or at www.solutionshouse.com/ethics-and-compliance-practice.Advertise inCompliance & EthicsProfessional magazineSCCE’s magazine is a trusted resourcefor compliance and ethics professionals.Advertise with us and reach decision makers!For subscription information and advertisingrates, contact Liz Hergert at +1 952 933 4977 or888 277 4977 or liz.hergert@corporatecompliance.org.Compliance & EthicsJanuary/February201220Why risk it?The motivations ofthe whistleblowerMarlowe DomanProfessionalA PUBLICATION OF THE SOCIETY OF CORPORATE COMPLIANCE AND ETHICSMeetVernitaHaynesSCCE and HCCAinterview their 10,000thmember: Vernita Haynes,Compliance & PrivacyAnalyst for the Universityof Virginia Health System26Rock in the pondethicsFrank C. Bucaro28The simplestpossible codeof conduct foremployeesAlexandre da Cunha Serpawww.corporatecompliance.orgSCCE & HCCA reach 10,000th member35An ethicalcorporate culturegoes beyondthe codeDawn LomerSCCE’s magazine is published bimonthly and has a current distribution of over 2,700 readers.Subscribers include executives and others responsible for compliance: chief complianceofficers, risk/ethics officers, corporate CEOs and board members, chief financial officers,auditors, controllers, legal executives, general counsel, corporate secretaries, governmentagencies, and entrepreneurs in various industries.See page 14Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 67

Feature The last wordby Joe Murphy, CCEPSure, it’s ethical, but is it legal?Compliance & Ethics Professional March/April 2012MurphyHow many times have you heard “Itmay be legal, but is it ethical?” or thestatement, “We’ve moved beyondethics to compliance.” But our field is complianceand ethics. Why not just ethics?Ethics purports to be about values, andto be above merely obeying the law. Soundsgood, until you look at history and experiencea bit closer. The problem with“values” is that there are quite afew values, and they often conflict.Loyalty is certainly a popular value,but is loyalty to family always good?If you are making a hiring decision,would your values tell you to rewardyour family out of loyalty and hireyour brother for that open position in the company?Loyalty to country is good, but if yourcountry is a fascist dictatorship, is loyalty theright value? We make choices among valuesall the time.What is law? Law is society’s assessment ofthe order of values, based on the community’sexperience. So, if your loyalty and honor tellyou to do something (e.g., an act of revenge),but the law says otherwise, this sets the priorityfor your values.Here is an example: Your long-term friendworks for a competitor. The competitor is a disadvantagedbusiness struggling to survive. Itis also devoted to saving the environment. Youknow there is plenty of business available foryour company to survive, but you and this onecompetitor have been shortlisted as the twobidders for a contract. So, out of loyalty, friendship,concern for disadvantaged businesses,and respect for the environment, you callthe competitor and agree to let him win. Youhave certainly been very ethical, with valuesprevailing over profit, but you have committeda crime. Why? Because society, in weighingcompeting values, has decided that competitionbrings the best value to all of society.“The problem with ‘values’ isthat there are quite a few values,and they often conflict. Loyalty iscertainly a popular value, but isloyalty to family always good? Ifyou are making a hiring decision,would your values tell you toreward your family out of loyaltyand hire your brother for thatopen position in the company?”Another example: People are suffering in aparticular dictatorship. In an exercise of compassionand courage, you go there to see foryourself and to see if you can help people. Ofcourse, you need to spend money there to survive.You are certainly following values andbeing ethical, but you have committed a criminalviolation of a U.S. boycott law. Society hasdecided that limiting this dictatorship is apriority value. Yes, you have been true to yoursense of values, but you broke the law.So before we proclaim the battle to preventcriminal conduct “done,” and decide it istime to “move on to ethics,” remember that inaddressing compliance with laws, you havenever left the issue of values. ✵Joe Murphy is Of Counsel to Compliance Systems Legal Group andEditor-in-Chief of Compliance & Ethics Professional Magazine. He may becontacted at jemurphy@voicenet.com.68 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977

sTakeawaysMarch/April 2012Compliance & EthicsProfessionalTear out this page and keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.Recipe for a Compliance Dayin 2012Cynthia Scavelli (page 22)»»Reach out to SCCE and other complianceprofessionals for valuable ideas.»»Events should reflect your company’sculture and stay on budget.»»Contact different company departments fortheir expertise and suggestions.»»Initiate a Planning Committee early.Things always take longer than you think!»»Plan a simple event for your first year.You can always add more later.»»Engage your employees with fun contestsand creative prizes.GRC focus: Keep youremployees close and yourauditors closerSteve McGraw (page 28)»»With regulatory attention continuing tofocus on GRC results, corporations need tofocus on ensuring compliance is up to par.»»Corporations need to show employeesthat all internally reported issues will betaken seriously.»»Sharing compliance self-assessments andmitigation programs with auditors can helpcorporations establish a strong reputation.»»GRC should be viewed as increasinglybeneficial, especially when preparing formergers and acquisitions.»»GRC systems can provide information toshow trend lines and correlations to addressroot-cause issues before regulators ask.Compliance in a casino worldMichele Abely (page 32)»»Operate in a good faith manner and inthe best interest of the company andits customers.»»Do the research to find the best answersand solutions.»»Document all decisions in a memoincluding the research done, the findings,and the outcome.»»Ensure all related procedures are writtenand/or updated regarding any decisions.»»Communicate decisions clearly and ensurethat outcomes are executed consistently.DOJ review: FBI’s Integrity andCompliance ProgramEmil Moschella (page 36)»»The FBI implemented a corporate-stylecompliance program to allow for the earlydetection of internal control weaknesses.»»The DOJ OIG reported that the FBI’sprogram has been beneficial to its effortsto monitor and enhance compliance.»»The DOJ OIG suggested that other agenciesmay wish to consider implementing asimilar kind of program.»»Remedial legislation, policies,and processes are inadequate.»»An integrated compliance and ethicsprogram in government agencies isimportant.Powerful witness preparation:The most important personDan Small and Robert F. Roach (page 40)»»The most important person in theroom is the one who says nothing:the court reporter.»»Consider your words carefully—thereporter’s machine is cold, mechanical,and humorless.»»Words have different meanings:think about manager.»»Avoid using jargon that jurors may notunderstand or find confusing.»»If you are not sure what counsel is asking,ask for clarification rather than answeringthe question.Nuts & bolts for boards: Whatethics oversight really meansFrank J. Navran (page 44)»»Total independence is an unattainable goal.The best we can hope for is to continuallyget closer to that goal.»»Perhaps the best we can ask of boardsis a “good faith effort” toward being asindependent as possible.»»The level of independence on the boardinforms the culture of the organization,and vice versa.»»Independence is more attainable whenthe board aims for a operating culture thatvalues ethics over compliance.»»You get what you measure, and assessingthe effectiveness of the organizationalculture requires that one ask differentquestions and apply different standardsthan when assessing organizationalcompliance.Multinationals and duediligence: What are thered flags?Charles Thomas (page 55)»»Failure to comply with regulations like FCPAcan cost companies millions.»»Due diligence processes help companiesavoid risk and make informed decisions.»»Due diligence is about building trust andstrong relationships.»»As companies implement due diligenceprocesses, they will encounter “red flags.”»»It’s important to examine red flagscarefully—they may be false positives.Computers and copyrights:A continuing source ofavoidable liabilityThomas W. Kirby (page 59)»»When employees share copyrightedmaterials, employers can take a huge hit—sometimes millions of dollars for somethingas simple as passing around an electronicnewsletter to a few colleagues.»»Not all copyright cases settle.»»Under the “statutory damages” provisionof the Copyright Act, a court is not limitedby actual damages, but may award up to$150,000 in statutory damages for eachwork the defendant has willfully infringed.»»Courts are not shy about using the power ofimposing statutory damages.»»Relatively simple best practices can greatlydiminish your exposure.Is your ethics and compliancetraining really preparing youremployees?Charles Ruthford (page 63)»»Our current web-based ethics and compliancetraining may leave us unprepared for peoplehaving to deal with risks.»»We cannot assume that people under stresswill first consider a rational, step-by-stepprocess to deal with a risk.»»When facing a difficult situation that haspersonal consequences, the human mindbases its choices on intuition and emotionrather than rational reasoning.»»Interactive, collaborative, transformative,management-led learning activities caninfluence values, intuition, behaviors,decision-making, and ultimately bottomlineperformance.»»Leadership and involvement by front-linemanagers is crucial to the success oftraining and change activities.Compliance & Ethics Professional March/April 2012+1 952 933 4977 or 888 277 4977 | www.corporatecompliance.org 69

SCCE’s 2012 Upcoming EventsLearn more about SCCE’s educational opportunities at www.corporatecompliance.org/eventsMarch 2012Sunday Monday Tuesday Wednesday Thursday Friday SaturdayDaylight Saving Time BeginsFirst Day of Spring1 2 34 5 6 7 8 9 1011 12 13 14 15 16 1718 19 20 21 22 23 2425 26 27 28 29 30 31April 2012Palm SundayApril Fool’s DayEasterTax DayPurim beginsSt. Patrick’s Day1 2 3 4 5 6 78 9 10 11 12 13 1415 16 17 18 19 20 2122 23 24 25 26 27 2829 30WEB CONFERENCE:How to Use Incentivesin Your Compliance andEthics ProgramSunday Monday Tuesday Wednesday Thursday Friday SaturdayBasic Compliance & Ethics Academy (SOLD OUT)Chicago, ILWEB CONFERENCE:Corporate FraudInvestigationsCCEP ® ExamPassover beginsMidwestRegional ConferenceChicago, ILAll Upcoming EventsBasic Compliance & EthicsAcademiesApril 16–19 • Chicago, IL (SOLD OUT)May 7–10 • São Paulo, BrazilMay 21–24 • Brussels, BelgiumJune 11–14 • Scottsdale, AZJuly 9–12 • Shanghai, ChinaAugust 13–16 • Boston, MANovember 12–15 • Orlando, FLDecember 10–13 • San Diego, CARegional ConferencesMidwest • April 27 • Chicago, ILUpper Northeast • May 18 • New York, NYAlaska • June 15 • Anchorage, AKWest Coast • June 22 • San Francisco, CASoutheast • October 12 • Atlanta, GASouthwest • November 2 • Houston, TXHigher EducationCompliance ConferenceJune 3–6 • Austin, Texas11th AnnualCompliance & Ethics InstituteOctober 14–17 • Las Vegas, NevadaAria in Las VegasMay 2012Sunday Monday Tuesday Wednesday Thursday Friday Saturday1 2 3 4 5Mother’s Day6 7 8 9 10 11 12Basic Compliance &Ethics AcademySão Paulo, BrazilMay DayCorporate Compliance & Ethics WeekMay 6–12, 2012CCEP ® Exam13 14 15 16 17 18 19Upper Northeast RegionalConferenceNew York, NY20 21 22 23 24 25 26Basic Compliance & Ethics AcademyBrussels, BelgiumCCEP ® Exam27 28 29 30 31Shavuot beginsSCCE OFFICE CLOSEDMemorial DayDates and locations are subject to change.

Your Guide to Becoming an Effective InvestigatorThe First Information Is Almost Always Wrong:150 Things to Know AboutWorkplace InvestigationsBy Meric Craig Bloch, Esq., CCEP, PCI, CFEEffective workplace investigations are equal parts art and science. Meric Blochhas mastered both aspects through years of hard-earned experience. In this book,he details the strategies and tactics he knows work best. His practical guidancewill help readers learn to plan and conduct thorough investigations and turn theresults into valuable knowledge for their organizations. His insightful approach ismapped out in three sections:• Protect Your Career—How to Think Like a Workplace Investigator• Protect Your Company—How to Integrate Your Investigations into Your Company’s Operations• Protect Your Case—How to Conduct an Effective Workplace InvestigationWith this tutorial, readers will learn not only how to uncover the truth about misconduct or fraud,but also how to ensure that the results can help an organization resolve issues and move forward.ORDER NOWThe First Information Is Almost Always WrongQtyCostSCCE Members..................................................................................................................................................................$95Non-members ..................................................................................................................................................................$105Join SCCE! Add $200 and pay the member price for your order ........................$200(New members only. Regular dues $295/year.)Sales tax for MN (6.875%) or PA (8%)..........................................................................................$Contact Information (PLEASE TYPE OR PRINT)Mr. Mrs. Ms. Dr.SCCE Member IDTOTAL $Payment OptionsMake check payable to SCCE and mail to:SCCE, 6500 Barrie Road, Suite 250Minneapolis, MN 55435, United StatesOr FAX order to: +1 952 988 0146Check enclosed (payable to SCCE)My organization is tax exemptInvoice me | Purchase Order #I authorize SCCE to charge my credit card (choose below)CREDIT CARD: AmericanExpress Diners Club MasterCard VisaCredit Card Account NumberFirst Name M.I. Last NameCredit Card Expiration DateTitleCardholder’s NamePlace of EmploymentStreet Address (NO PO BOX NUMBERS)City State ZipCardholder’s SignaturePrices subject to change without notice. SCCE will charge your credit card the correct amount if the total aboveis incorrect. SCCE is required to charge sales tax on purchases from Minnesota (6.875% ) and Pennsylvania(8%). Please calculate this in the cost of your order. Additional charge apply for international orders: pleasecontact SCCE for more information. All purchases within the continental U.S. receive free FedEx Ground shipping.(Federal Tax ID: 23-2882664)TelephoneE-mailFax6500 Barrie Road, Suite 250, Minneapolis, MN 55435+1 952 933 4977 or 888 277 4977 (P) • +1 952 988 0146 (F)www.corporatecompliance.org • helpteam@corporatecompliance.org

10th AnnualHigher EducationCompliance ConferenceJune 3–6, 2012 | Austin, TexasAT&T Executive Education Conference CenterCome to Austin, Texas, for the primary networking event for complianceand ethics professionals within higher education. Don’t miss theoppportunity to gather with your peers and discussemerging issues, share best practices, and buildvaluable relationships.Join us in June to hear the following hot topics!• Program Integrity: Juggling and Jeopardy• Maximum Efficiency on a Shoestring Budget:Making the Most of What You Have• Engaging the University Community in ERMRegister byApril 11 andSAVE$250!• How to Handle Whistleblower Complaints in Higher Education:What Happens after the Whistle Blows• Compliance & Ethics Programming for Small Campuses: LeveragingResources through Effective Communication across Risk DisciplinesVIEW THE FULL AGENDA & REGISTER ATwww.highereducationcompliance.orgRegister today and enjoy the flexibilityof two conferences for the price of one!Complimentary access to HCCA’s ResearchCompliance Conference is included with yourHigher Education Compliance Conferenceregistration. The parallel schedule gives youthe freedom to attend sessions at eitherconference—two for the price of one.