Wednesday, April 18, 2018

The government standard.

Before the Enron scandal, many companies did not consider an ethics and compliance department. Since then the Department of Justice has made considerable modifications to investigations. To properly charge and evaluate companies during lawsuits, the Department of Justice issued the McNulty memo in 2006.  During criminal prosecutions of corporate entities, prosecutors must determine, among other things, whether a compliance program is just a "paper program" or whether it is truly an "effective" one. 
There are three key takeaways from the memo:
  1. The existence and adequacy of the pre-existing compliance program.
  2. Remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies.
  3. As part of their analysis, prosecutors should determine whether the corporation has provided adequate resources to the compliance program, the visibility of the program to employees, and the employees' impression of the corporation's commitment to the program.
But how can a company avoid such charges and make sure that their messages are properly relayed to their employees? Flash forward to 2018 and almost every company now has an ethics and compliance department and a system to send complaints or ethical concerns. There are strict compliance programs, but how can we be sure that they are really effective?

Take Wells Fargo - they have been undergoing a new compliance program - or rather, trying to implement an effective one. The past few years they have had to redesign multiple programs that continue to not meet government standards. The OCC says that Wells Fargo did not execute a comprehensive plan to address compliance risk management deficiencies, fill mission-critical staffing positions, implement a reliable risk assessment and testing program and report compliance concerns adequately to the board. Many of their problems came from internal audits within the company that inconsistently applied its policy and charged borrowers extension fees they should not have. This year they received a $1 billion fine with an additional $800 million accrual in the first quarter.

The success of a compliance program really depends on the measurements they use. It has to be scalable, understandable, and easily implemented. A company has to get out of hot water - or prevent it - by following the expectations and guidelines of the McNulty memo. With that in mind - there must be an effective tone from the top and culture that the company's leaders must demonstrate. That’s easier said than done, especially in an international and multicultural environment.

Avoid the headlines.

Written by Caitlin Schmit - Strategic Brand Manager

For more information, email at

Monday, April 16, 2018

Compliance Fettuccine!

Could the culture of ethics and integrity be delicious like pasta cooked by Lidia Bastianich?  

Lidia is one of the most recognizable Emmy award-winning TV host chefs in the world, author of a best-selling cookbook, and renowned restaurateur. She travels the world doing guest appearances on other famous chef shows, like Julia Child: Cooking with Master Chefs, speaking at events, cooking for charities and fundraisers, sharing her experience with young audiences at schools and universities to spread her delectable and deliberate recipes. What better way to spread the love!

Last week I had the delightful honor of sitting down with Lidia. Her love of cooking must be contagious because she gave me some great food for thought -- If Lidia can cook her pasta for people around the world to enjoy, perhaps companies could combine their ethics and compliance ingredients into building a culture of integrity so all employees across an organization can love compliance too! Inspired by Lidia's renowned Fettuccine with Mafalda Sauce recipe, my corporate compliance recipe would look something like this:

1 cup of ethics
1 1/2 cups of compliance
2 dashes of integrity
1 pinch of professionalism
2 cups of refined culture
1 handful of happiness

Baked well and served on a visual communications platform, rather than the old traditional pasta bowl of trainings. Now employees can learn and embrace for best visibility, repetition, and behavioral change. Mmmmm :) Voilà! A culture of compliance served...I think we are onto something.

I felt a connection to Lidia upon learning that her passion for food is her connection to her grandmother. I have a similar connection to compliance and ethics through my grandfather, Harry J. Hurley. He was the Chairman of the Board of Ethics of Medicine in America and I remember when I learned that, I felt like I was carrying on his legacy in a way. He was motivated to serve a higher purpose for the well-being of society, and through my work at Neztec I feel like I'm also able to fight the fight for the good guys. My grandfather had strong integrity, and his medical practice was his life’s devotion. These people, Lidia, her grandmother, my grandfather, and many, many others are people we have to look up to as role models. It is incredible to see the spirited growth in a person when that someone devotes their life to becoming expert in a chosen path to dignified work, following passion down an interconnected road of success and happiness. This is the difference between a career and a profession. Through compliance and ethics, we welcome all to join in on that greater mission.

As Lidia always says to all of her pasta lovers, “Tutti a tavola a mangiare!” (Everyone to the table to eat!). So I will invite all compliance lovers to step up to the table, “Bon appetit and cheers to doing it right!”

Written by Charlotte Whiteman - Defense Mitigation & Remediation Advisor
Neztec Solutions Inc.


Wednesday, April 11, 2018

Every single day you get caught in the grey.

Cryptocurrency World
It seems like the Bitcoin frenzy has died down a bit, and now the real system behind it - blockchain - is under fire. Or rather, how to audit blockchain and similar platforms to match the evolving responsibilities.

Many organizations have decided to accept and use cyber transactions but have not explicitly designated specific roles to process the information, audit the system, and oversee its security. The fear of fraud and criminal activities continues to grow and seems to constantly come up in our news feed. Regulatory challenges are slowly emerging and companies are trying to figure out how to best perform customer due diligence on virtual currency transfers. The Facebook scandal has opened a flood of questions and demands that companies may not be prepared to answer, and what sort of new regulations and penalties will surface. As cyber-responsibilities continue to evolve, the pressure on internal auditors continues to increase. That includes ensuring that their efforts align with the companies' overall cyber-security approach and effectively transmitting messages to their employees. 

Rise of the Machines: The Internet of Things
It is important now more than ever for companies to behave ethically. The question is, how can you guarantee your employees will behave that way? According to Brian Brown, the Principal and Cybersecurity Practice Leader at Mazars USA, there are three lines of cyber-security defense that must improve together: business units and cyber-security teams, risk management, and internal audit. Brown said the key to help many internal audit departments would be "external help when it comes to cyber-security because it's typically not a core skill set that they are going to maintain as part of their department". A survey conducted by Compliance Week and Mazars USA found that 31 percent of respondents felt that their cyber-security efforts were "managed", aka their processes were being properly monitored and performance measured. Apparently, only 25 percent of respondents do not track the maturity of their cyber-risk programs, to which Brown responded, "If you do not have a framework in place, you are going to be haphazard in your approach to managing your cyber-risk, and your results are going to show that." Essentially, is it worth it for your company to ignore the impending costs and damages we can, and should, expect in the future?

As we have seen in the past, it only takes one person to make the wrong decision that could upend a company. Don't let that be you.

Written by Caitlin Schmit - Strategic Brand Manager



Tuesday, April 10, 2018

Talk about Data Protection is EVERYWHERE. Best thing to do...get educated, ASAP.

Last Wednesday we posted a blog about Data Protection (AKA Data Privacy as we say here in America). Whether you are talking about Facebook’s latest and greatest scandal or talking about the EU’s recent General Data Protection Regulation (GDPR) going into effect on May 25 (DON’T PANIC), you’d better understand what people are talking about. The buzz about data security is everywhere, and whether you acknowledge it or not, it directly affects us all.

Even just last week, I had an opportunity to attend a major Data Protection Conference in Washington D.C.’s Marriott Hotel. I sat in on the 4-hour discussion about the implementation of GDPR. One of the attendees was a member of British Parliament herself. The basic discussion went a little something like this:

What is GDPR? Adopted April 27, 2016, and enforceable May 25, 2018, GDPR is the European Union’s regulation on protection and free flow of personal data.

What is “Data Protection”? The process of safeguarding important/personal information from corruption, compromise, or loss. 120 countries have data protection laws and 30 more have bills in place...the United States is not one of them.

Why is Data Protection relevant to today? The importance of data protection increases as more information is collected on tech platforms and transferred through the internet. That information is then categorized into data and stored. Complexity arises in the relationship between the transfer and dissemination of that information to and amongst businesses (controllers and processors) and public perception/expectation of privacy or transparency with the usage of that information, which up until now has been lacking due to the political and legal underpinnings of that information.

Who does GDPR affect? GDPR will directly affect all 28 EU member states plus 3 EEA member states. Local implementation will also take place for members who are late to the party. In a global scope, GDPR sets a precedent that affects us all.

Is GDPR possible to implement in the U.S.? The key thing to understand here is that when laws are enacted in the EU they are quicker to pass through legislation. EU parliament implements regulation as a framework among all member states so it applies to all business and industries across the board, as opposed to the United States where we mandate regulation sectorally. Why? Well, for one, complexity. We have a large and highly diverse country consisting of 50 states all abiding by different local laws and regulations, coincidentally tailored around industry clusters. Second, touching on “coincidence”...thinking about the amount of money that is passed around from big business to government, it sure makes things “coincidentally” convenient for those business clusters of major US conglomerates to not have to abide by certain regulatory standards. One time at a speech about the problem of bribery in Russia, I raised the question, “If bribes are called gifts in Russia and they are considered a problem, what is the difference of that and lobbying in the United States?” The speaker gave no answer.

The underlying matter of what we are all talking about here is risk and exposure. On the consumer side, if your data is not protected YOU are at risk. Risk of being hacked, risk of having your identity stolen, risk of being blackmailed, to name a few. The exposure is the dire outcome of that threat. You go from having $100,000 in your account to having $0 (hack), you found out your suddenly existent other persona just got caught smuggling drugs across the Mexican border (identity theft), or someone has proof of your affair and they’re asking for 1 million dollars in return for their silence (blackmail).

So what is the overlap between Neztec and data protection? How does advanced visual communication help with defense mitigation? How can the dissemination of information in the area of compliance and regulation help create awareness? Well, that’s your answer right there. If the root of exposure comes from a lack of awareness, the solution is to educate the individual. Dissemination of messages in the form of visual communication is more effective for creating an aware group of people. And if we want to defend companies against the threat of exposure, in this case repercussions from leaked information, we need to ensure that their employees are informed effectively; just like the everyday person needs to be aware in order to defend themselves against getting hacked. Educate, create awareness, heighten your defense. The approach is the same. The end result is in the way you play the game.

Written by Charlotte Whiteman - Defense Mitigation & Remediation Advisor
Neztec Solutions Inc.


Wednesday, April 4, 2018

Hackers Wanted.

The number of data breaches and cyber attacks we see in the news is ridiculous. And those are just the ones we know about! In March, the Atlanta city government systems were shut down due to a cyber attack. There were also data breaches in healthcare facilities, pharmaceutical companies, Saks Fifth Avenue, MyFitnessPal, public schools and universities, etc. What they all have in common: we don't know who did it. It makes one wonder, why didn't I learn how to be a hacker?

Not only that, but more and more companies are revealing that they have capitalized on our information and sold it to other companies. Considering how often people in America, and society overall, freely give out information it should not come as a surprise. But, how are we supposed to measure the limitations?

In Germany, a leading cyberwarfare specialist by the name of Sandro Gaycken said that the government can do little about hacking, being hacked, and that data is stolen from ministries all the time. This week the German federal network admitted that for up to a year they had been infiltrated by a major cyberattack.

America is not alone in these attacks, nor should we assume that. Unfortunately, this is old news. What with the Russian Facebook scandal and poisoning of an ex-spy it is not surprising that many people believe that Russia is behind the breach in Germany as well. Of course, this is all speculation. Much of the news we are receiving now happened many months ago.

It is easy to imitate or copy Russian programs, but especially difficult to actually pinpoint who, what, where, and most importantly why. Shouldn't that be a top priority? Naturally, our President has tweeted about it, which has affected some stock options and lends a wary eye over trading with the United States. The question is, what can and will we actually do about it?

Moving back into Germany, a new hacker-soldier elite is being trained at the Bundeswehr University to serve as a solution. They are building a new digital forensic lab for software development to train IT experts to make it more difficult for hackers to break into the system. The agency plans to employ 13,500 soldiers and 1,500 civilians. The German Defense Minister Ursula von der Leyen said it best, "There are no outer or inner borders in cyberspace!"

We live in a complex and fast moving society, where everything can and will go wrong. How your company trains and recruits its employees is important, but are we teaching students effectively or reaching out to the right demographic? What can your company do to have its employees prepared to monitor, realize, and prevent information from getting into the wrong hands?

Written by Caitlin Schmit - Strategic Brand Manager


Monday, April 2, 2018

In today's world, where does Human Capital rank against ROI?

When I think of ROI, my mind goes directly to thinking "financial gains". And, in business it’s this type of thinking that is carved into people’s minds. We constantly have to consider the bottom line. Around the workplace, people talk ideas. Ideas spark innovation. Innovation feeds business. And, business talks money. When a company makes any decision to invest in a new idea, the fundamental question decision-makers bounce back to is, “how much money will that generate for the business?” But, taking a step away from money talk for a moment, is there a way to reframe ROI more creatively to not only look at the financial return on investment, but also a more widespread benefit to the whole organization? In the spirit of today’s push for social responsibility, I want to bring up the term “human capital”. 

Human capital is defined by a person’s or population’s value defined by a specific set of skills, knowledge, and experiences which add to the collective wealth and productivity of a community or organization. In fact, this is nothing new. It’s Economics 101 and is light-years more antiquated than ROI, but it’s something we seem to have forgotten about when it comes to making (big) decisions in business. 

Adam Smith (1723-1790) was the first to really dig deep into human capital in his book, An Inquiry into the Nature and Causes of the Wealth of Nations. Smith believed, “improvements to human capital through training, education, and experience make the individual enterprise more profitable, but also add to the collective wealth of society.” 

In the context of business, that “human” element of capital would be the employees. When companies invest in their employees, they effectively engage this “tone from the top” mentality to influence a well-rounded culture. This is relevant to today because as systems move towards automation, we can't forget humans still play a fundamental role in the decision-making process. And, as seen in so many examples of good vs. bad business, when a company can effectively educate their employees and create a more engaging environment they’ve got a good thing going.

To ensure employees are effective contributors to the organization, it is critical they remain content and are made to feel part of the company's culture using effective human capital strategies. An organization that values open communication should consider establishing common areas where employees can congregate and share ideas. Also, employees are motivated by feeling recognized by the organization and their peers. This can be as simple as issuing an employee with an achievement award or even announcing a birthday! 

Human capital strategies are critical to factor into daily operation. When employees automatically make the right decision, it minimizes friction in that decision making process and makes them more efficient in their job. This increases productivity and employee morale, while aligning behavior with the workplace policy and required regulatory standards. Thus, a happy employee is an employee who makes your business healthy, wealthy, and wise. So what is the link between human capital and ROI? Well, happy humans are better money makers. Simple as that!

Written by Charlotte Whiteman - Defense Mitigation & Remediation Advisor

Neztec Solutions Inc.
