Recently, we held a live webinar with special guest Susan Divers from LRN to get her take on the expanded guidance released 30 April, 2019. We thought we’d pick her brain further on this guidance and on high-performing compliance programs.
MCO: Susan, in the webinar, you mention a communications program for employees. Do you have an example of one you feel has been particularly effective?
Susan: Yes, I think of many but one that sticks out because it is recent is with a company that does work in the defense space. They launched a campaign on safe talk which was an effort to get people to speak up more. As part of that, they had a little hexagon on a website that opened up and had different aspects of what safe talk meant. They used posters that had the same logo to get the message across. They also incorporate messages from leadership on what safe talk meant and how it worked. Having the CEO communicate directly and simply that employee input is welcome, whether it is on an issue, a compliance problem, or ways to improve things sends a powerful message. They orchestrated an entire campaign around safe talk. It’s an effective way to talk to employees and get them to engage.
MCO: Do you have insight to whether regulators support training tests to comply with legislation that specifically requires employee training, for example, ALM, HIPPA, harassment and so on?
Susan: It depends. The State of California is quite explicit on sexual harassment in that both employees and managers have to take an hour course. But the question is, can that training be taken in segments or do you make employees sit at their desks for an hour. In some cases, companies must do that based on the rule, regulation or the state. In others, you don’t have to do that. I always recommend making training easy to understand, relevant and in sections if you can.
MCO: What is the egregious lack of compliance you’ve ever seen?
Susan: I’ve seen instances where people have said, “I don’t care how we do it, let’s just it done.” And that is really saying they don’t care. In that context it was clear that it was basically an invitation to engage in practices that were clearly not ethical and transparent. I’ve also seen third-party vendors, who are promising to bring in huge amounts of business, really being an empty lot of goats tethered in it. When we took a picture of it and sent it to the third-party, their response was, yes… but they can still get us business… True story.
MCO: Other than employee surveys, how can you measure the effectiveness of the E&C program, showing concrete results?
Susan: I’m not a fan of checklists and I’m not a fan of hotlines because it’s usually a small segment of the employee population that use them. So, some companies have gone to what’s called open reporting, where they work hard to capture all of the concerns, issues and suggestions, and those are typically raised to managers. If businesses capture this information, they will get much better data on where people are coming from, and from that data, you can do analytics that will give you a clear idea of the impact the program is making.
Training is always a key element of any compliance program, and not surprisingly, something that even government oversight agencies talk about in depth. In fact, the most recent Department of Justice (DOJ) guidelines phrase training this way - “Is the training in the form and language appropriate for the intended audience?” Craft language that is straightforward and accessible to everyone.
MCO: What about Artificial Intelligence (AI)? Are you seeing that a lot in your research or the companies you work with?
Susan: Yes; this is what I mean by data analytics. We’re seeing companies develop some of their own internal processes that are really tailored to their risk and are predictive rather than reactive. AI, if it’s used properly, can identify high risk transactions in real time and impose additional layers of scrutiny or approvals on those.
MCO: What are your recommendations for organizations around corporate compliance? If you were going to give three, what would they be?
Susan: Centers of excellence work well, where you have someone on the team who is in charge of that area. It’s not just enough to have rules and policies, you need a program. And I’ve seen companies do very good work in terms of setting up things like data protection, an easy-to-use website, as well as resources to discuss with their teams.
MCO: What do you recommend as elements for a successful performance review around ethics and compliance?
Susan: To begin, this really needs to be discussed at the highest level of the company, along with the compliance and HR team as to what it means and that it gets socialized to the employees. Otherwise, it becomes a check-the-box, where your boss isn’t going to say that you’re unethical.